DistributedCOM DC Server Event ID 10016 DCDIAG Error [Fixed]

By Victor Ashiedu

Read this guide to learn how to fix the dcdiag error message, “The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID” Event ID 10016 error.

Step 0: Review the Problem Background and Overview

I recently promoted a Windows Server 2019 Server as an additional DC in a domain. After promoting the server, I completed the following tasks:

  1. Confirmed that the server was added to its AD site
  2. Ran “repadmin /kcc” and verified that a replication connection was automatically generated.
  3. Verified that the server’s subnet is associated with its local AD site.

Finally, to ensure that there were no replication errors, I ran dcdiag and piped the result to a text file. When I reviewed the file, I found that the server failed the SystemLog test.

Further review of the dcdiag file indicated that an event was logged with the following details: “The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID.”

The source of this event in the System event log is DistributedCOM, with an Event ID of 10016. The error details are in the screenshot below.

I have explained the steps I took to fix the error message in the remaining sections of this article.

The first two steps below involve editing the Windows registry. As this may break your server, it is strongly recommended to take a snapshot of your server if it is a VM or back the server up if it is a physical server.
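
Before changing ownership, it helps to record which CLSID, APPID and account the 10016 events name and who currently owns the two registry keys, so the original owner can be restored later. The PowerShell below is an added example, not part of the original article; it is read-only, assumes the English event text layout, and its function names and sample message (placeholder GUIDs and SID) are constructed for illustration.

```powershell
# Added example (not from the original article). Read-only: it changes nothing.
# Assumption: English event text laid out as
#   "... with CLSID {guid} and APPID {guid} to the user <account> SID (...)".
function ConvertFrom-Dcom10016Message {
    param([Parameter(Mandatory)][string]$Message)
    $guid = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $pattern = "CLSID\s*($guid)\s*and APPID\s*($guid)\s*to the user\s+(.+?)\s+SID\s*\("
    if ($Message -notmatch $pattern) { return }   # unexpected layout, e.g. localized text
    [pscustomobject]@{ Clsid = $Matches[1]; AppId = $Matches[2]; Account = $Matches[3] }
}

# Friendly name (the key's default value) and current owner of a CLSID or AppID key.
function Get-ComKeyInfo {
    param([string]$Root, [string]$Guid)
    $path = "Registry::$Root\$Guid"
    if (-not (Test-Path -LiteralPath $path)) { return "$Guid (key not found)" }
    $name  = (Get-Item -LiteralPath $path).GetValue('')
    $owner = (Get-Acl -LiteralPath $path).Owner
    '{0} name="{1}" owner="{2}"' -f $Guid, $name, $owner
}

# Constructed sample message (placeholder GUIDs and SID) to exercise the parser offline.
$sample = "The machine-default permission settings do not grant Local Activation " +
    "permission for the COM Server application with CLSID `n" +
    "{11111111-2222-3333-4444-555555555555}`n and APPID `n" +
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}`n to the user NT SERVICE\OCAUM " +
    "SID (S-1-5-80-0) from address LocalHost (Using LRPC)"
ConvertFrom-Dcom10016Message -Message $sample | Format-List

# Live query: one entry per distinct CLSID/APPID/account combination in the System log.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-Dcom10016Message -Message $_.Message } |
    Group-Object Clsid, AppId, Account |
    ForEach-Object {
        $e = $_.Group[0]
        [pscustomobject]@{
            Events  = $_.Count
            Account = $e.Account
            Clsid   = Get-ComKeyInfo 'HKEY_CLASSES_ROOT\CLSID' $e.Clsid
            AppId   = Get-ComKeyInfo 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID' $e.AppId
        }
    } | Format-List
```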

Step 1: Change the Ownership of the CLSID Registry Keys

  1. Get the offending application’s CLSID from the event error log. This is the string of values next to the CLSID in the event error log. I have highlighted the application’s CLSID in the screenshot below.
  2. Search for and open Regedit. Then, navigate to HKEY_CLASSES_ROOT\CLSID\<the CLSID string from 1 above>.
     Since there are so many registry keys in the “HKEY_CLASSES_ROOT\CLSID\” registry path, the best way to locate the key you need is to copy the key from the event log, paste it after “\”, and press the Enter key.
  3. Right-click the registry key and choose Permissions.
  4. After that, click the Advanced button in the registry key’s permission properties page, then click the Change button next to the Owner.
  5. Then, enter Administrators in the Enter the object names to select box and click Check Names > OK.
  6. Then, check the Replace owner on subcontainers and objects checkbox and click OK.
  7. Finally, grant the Administrators group Full Control and click OK to close the registry key’s permissions properties window. Do not close the registry editor yet, as you will need it in Step 3 below.

Step 3: Change the Ownership of the APPID Registry Keys

  1. Get the offending application’s APPID from the event error log. See mine in the screenshot below.
  2. Back in the registry editor, navigate to the HKEY_LOCAL_MACHINE\Software\Classes\AppID\ registry key, enter the APPID from your event log at the end of the above path, and press Enter.
  3. Right-click the APPID’s registry key and choose Permissions. Then, repeat steps 4, 5, 6, and 7 of the last section to make the Domain Administrators group the registry key owner. Remember to grant the Administrators group Full Control.
  4. Close the registry editor.

Step 4: Grant the User Account Permission to the Service’s DCOM Config

  1. Search for and open Administrative Tools. Then, locate and open Component Services (you can search for it).
  2. Then, expand Component Services > Computers > My Computer and click DCOM Config.
  3. After that, expand DCOM Config, look for the service that corresponds to the one in the event error, right-click on it, and then choose Properties.
     If you receive the warning message in the screenshot below, select Yes. The app IDs that begin with “{” will be toward the end, so you must scroll down the DCOM Config list to see the one you’re looking for.
  4. On the Properties window, select the Security tab, then in the Access Permission section, select Customize, then click the Edit button.
  5. After that, click the Add button.
  6. Then, click the Locations button next to From this location, select the name of the local server, and click OK.
  7. After that, in the Enter the object name to select field, enter the name of the account displayed in the event log error (NT SERVICE\OCAUM, see the first screenshot below). Then, click Check Names and OK.
  8. Finally, grant the account Local and Remote access, then click OK and OK.

Step 5: Rerun DCDIAG to Confirm that the SystemLog Test Passed

  1. Clear the System event log by right-clicking it and choosing Clear log. Save a copy of the log in the process if you require it for further troubleshooting.
  2. After that, rerun dcdiag to confirm that the SystemLog test passed.

Conclusion

Fixing the “The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID” Event ID 10016 error is as simple as granting the account in the event log error permission to the COM Server application.

In this “fix it” guide, I walked you through the steps to complete this task using a real-life error I encountered after promoting a Windows Server 2019 server to a DC.

I hope this article met your expectations.

About the Author

Victor Ashiedu

Victor is the founder of InfoPress Media, publishers of Ilifeguides and Itechguides. With 20+ years of experience in IT infrastructure, his expertise spans Windows, Linux, and DevOps. Explore his contributions on Itechguides.com for insightful how-to guides and product reviews.
