Deployment Architecture

Unable to start Splunk Forwarder on Domain Controller with a Domain User

lmaclean
Path Finder

Hi,

After installing Splunk 7.0.1 across the server environment with it running as a specified domain user account, it runs fine with Local Admin rights on every server other than the DCs. But this isn't really doable on a DC because a DC's local admin is actually the AD Domain Admin group, so I added the required permissions to the DCs' GPO as provided by the Doco: https://docs.splunk.com/Documentation/Splunk/7.0.1/Installation/ChoosetheuserSplunkshouldrunas

But even with these rights configured, and after forcing a GP update and checking rsop to confirm it has been applied, I keep getting Event Code 10016 with a source of DistributedCOM in the Event Viewer under System.

The error message reads along the lines of:

The application specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user SID {...} from address LocalHost (via LRPC) running in the application container not available SID. This security permission can be modified using Component Services administrative tool.

Looking at one MS link, they say to change the permissions in the Registry for the keys and in Component Services for the specified application, otherwise to ignore these errors as they don't "adversely affect functionality"... This is not something the client wants to do on their DCs. The strange thing is I haven't had this issue before within other Splunk environments.

https://answers.microsoft.com/en-us/windows/forum/windows8_1-performance/error-event-id-10016-distri...

0 Karma