Deployment Architecture

Unable to start Splunk Forwarder on Domain Controller with a Domain User

Path Finder


After installing Splunk 7.0.1 across the server environment with it running as a specified domain user account, in which for every server other than the DCs it runs fine with Local Admin rights. But this isn't really doable on a DC because a DC's local admin is actually the AD Domain Admin group, so added the required permissions to the DCs' GPO as provided by the Doco:

But even with these rights configured, and forcing a GP update and checking rsop to confirm it has been applied, keep getting within the Event Viewer under System the Event Code 10016 with a source of: DistributedCOM.

The error message reads along the lines of:

The application specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user SID {...} from address LocalHost (via LRPC) running in the application container not avilable SID. This security permission can be modified using Component Services administrative tool.

Looking at one MS link at they say to change the permissions in Register for the Keys and Component Services for the specified application Register states, otherwise to ignore these errors as they don't "adversely affect functionality"... This is not something the client wants to do on their DCs. Strange thing is I haven't had this issue before within other Splunk environments.

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...