In a distributed environment, when we run into problems calling DCOM components or COM+ applications, the first thing to do is open the Components Manager to check or reconfigure the COM+/DCOM settings. However, when we open Component Services, a “Red Arrow” may be displayed on the “My Computer” node:
If we try to expand the “My Computer” node, various error messages can pop up.
To resolve this kind of problem, we can follow the checklist below; most such issues can be fixed by one of these items:
1. Ensure the MSDTC service is in started status:
2. The Users group has permission to read subkeys under HKEY_CLASSES_ROOT\CLSID. If the Users group has no permission to read the subkeys, the COM+ System Application service may have difficulty starting, which causes the same “Red Arrow” problem. To grant the Read permission to the Users group, follow these steps (back up HKEY_CLASSES_ROOT\CLSID first):
a. Open Regedt32, locate HKEY_CLASSES_ROOT\CLSID
b. Select the CLSID, click Security -> Permission in the menu bar
c. In the Security tab, add USERS in the permission list, give it Read permission.
d. Click the Advanced button, select the “Replace permissions entries on all child objects with entries shown here that apply to child objects” option. Click Apply.
3. Everyone has Read permission on C:\Windows\Registration and its sub-objects. We can use the “cacls” command to configure this; refer to the following article (it is written for Win2003, but the same NTFS file permission is required on Win2008/Win7):
909444 You may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC
4. Ensure the COM+ System Application service is in started status:
5. The MSDTC service allows Authenticated Users to query service status. To check this, we can run this command in the Command window:
sc sdshow msdtc
If the Authenticated Users group doesn’t have query permission on the MSDTC service object, this means most users have no permission to get the MSDTC service status, for example:
We need to run this command to grant sufficient permission to Authenticated Users, and then restart DLLHOST.exe (before doing this, please back up the output of “sc sdshow msdtc”):
sc sdset msdtc D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Note: the key part is (A;;CCLCSWLOCRRC;;;AU); the other strings are taken from the “sc sdshow msdtc” result. If your environment is a domain, check with the AD admin team whether any Group Policy restricts the MSDTC service object access permission. If so, please ensure that “Authenticated Users” has “Read” permission on the service status. This requirement (giving Authenticated Users Read permission on the MSDTC service object) applies to Win2003/2008/7.
For more information about the Description of ACL, please refer to:
914392 Best practices and guidance for writers of service discretionary access control lists
Note: this permission change applies to the service object ACL and will not affect NTFS file properties.
This configuration point has been elaborated in our previous blogs, please check:
6. If the above steps don’t help, we need to check the Application and System event logs. Sometimes we will consider rebuilding the COM+ system. This step is somewhat risky: if you have many COM+ applications installed, rebuilding the COM+ system will require you to reinstall those COM+ applications:
How to clean up a damaged COM+ catalog on Win2003
For more details on this rebuild, look at:
How to troubleshoot the “Red Arrow” issue in Component Services (II)
It’s better to consult with your Application team and Microsoft Support before you start this item.
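
For step 5 above, the check and the corrected string can be derived from the host's own “sc sdshow msdtc” output instead of being edited by hand. The following PowerShell is an added example, not code from the original post; the function names are hypothetical, and the sample string is constructed from the post's command with the AU entry removed. It only prints the “sc sdset” command and does not run it.

```powershell
# Added example. In service SDDL, LC = SERVICE_QUERY_STATUS.
# Assumes rights are two-letter codes (as sc sdshow prints them), not hex masks.
function Get-ServiceDaclAce {
    param([Parameter(Mandatory)][string]$Sddl)
    # Keep only the DACL: everything before the SACL marker "S:".
    $dacl = @($Sddl -csplit 'S:', 2)[0]
    $ace  = '\((?<type>[^;()]*);[^;()]*;(?<rights>[^;()]*);[^;()]*;[^;()]*;(?<sid>[^;()]*)\)'
    foreach ($m in [regex]::Matches($dacl, $ace)) {
        [pscustomobject]@{
            Type   = $m.Groups['type'].Value
            Sid    = $m.Groups['sid'].Value
            Rights = @([regex]::Matches($m.Groups['rights'].Value, '[A-Z]{2}') |
                       ForEach-Object { $_.Value })
        }
    }
}

function Test-AuCanQueryStatus {
    param([Parameter(Mandatory)][string]$Sddl)
    # AU is the SDDL alias for Authenticated Users (S-1-5-11).
    $hit = Get-ServiceDaclAce -Sddl $Sddl | Where-Object {
        ($_.Type -eq 'A') -and ($_.Sid -in @('AU', 'S-1-5-11')) -and ($_.Rights -contains 'LC')
    }
    [bool]$hit
}

function Add-AuQueryAce {
    param([Parameter(Mandatory)][string]$Sddl)
    if (Test-AuCanQueryStatus -Sddl $Sddl) { return $Sddl }   # already correct
    # Append the post's key ACE to the end of the DACL and keep the SACL unchanged.
    # The order of allow ACEs relative to each other does not change the result.
    $parts = @($Sddl -csplit 'S:', 2)
    $new   = $parts[0] + '(A;;CCLCSWLOCRRC;;;AU)'
    if ($parts.Count -eq 2) { $new += 'S:' + $parts[1] }
    $new
}

# Constructed sample: the post's SDDL with the AU entry removed.
# On a live host use instead: $sddl = (sc.exe sdshow msdtc) -join ''
$sddl = 'D:(A;;CCLCSWRPLOCRRC;;;S-1-2-0)(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
        '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)' +
        '(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPLORC;;;NS)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

"AU can query status: $(Test-AuCanQueryStatus -Sddl $sddl)"
"Backup of current SDDL: $sddl"
"Command to review:      sc sdset msdtc $(Add-AuQueryAce -Sddl $sddl)"
```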