You may notice that while working from a remote client the MMC console keeps disconnecting from the service due to inactivity.
The most usual symptom of this problem is a RPC_E_DISCONNECTED error message ('The object invoked has disconnected from its clients').
This occurs due to the DCOM Garbage Collection mechanism, which deletes inactive remote objects after 6-10 minutes of inactivity. And the DCOM Ping mechanism, which prevents the remote objects from being deleted while they are still being referenced.
DCOM Ping runs in context with the RPCSS service, which runs in svchost.exe host process. DCOM Ping aggregates information about all active remote object proxies in all processes, such as mmc.exe and arssvc.exe, and synchronizes the delta information every 2 minutes.
If the DCOM Ping is not supported by network/domain configuration, the connection will expire after 6-10 minutes of inactivity.
Why DCOM Ping may fail:
1) Name resolution problems:
In a multi-domain environment (or in a situation when a client is not joined to a domain) it is likely that DCOM Ping may not be able to resolve the remote computer’s name (a computer’s short name may be used by RPCSS to contact the remote RPCSS service, even if you’ve entered a fully-qualified name on the MMC).
2) Authentication problems:
DCOM Ping uses the security context of the client process to perform the DCOM Ping call, not the security context of the DCOM proxy nor the security context of the thread that created that proxy.
In a multi-forest environment without trust relationships (or in a situation when a client is not joined to a domain), DCOM Ping will fail unless anonymous authentication is allowed on the Administration Service’s computer.
3) Power-state changes (if a computer goes into Sleep/Hibernate modes)
WORKAROUNDS
1) Please make sure you can access the Administration Service by the computer’s short name (you don't need to actually use that name in the MMC, but RPCSS may use such name internally with DCOM Ping).
If the computer’s short name cannot be resolved, you may need to configure your network connection with the appropriate DNS domain suffix, or specify the short name/address in the HOSTS file on the client computer;
2) Do not use 'Connect as the following user' option in the MMC snap-in, this information is ignored by the DCOM Ping.
a) Instead, go to:
Control Panel > 'User Accounts' > 'Manage your credentials'
b) Then click on 'Add a Windows credential', then add the two entries with your domain user name and password:
b1) An entry for the full DNS name of the Administration Service’s computer;
b2) An entry for the short name of the Administration Service’s computer;
c)Then, log off and back on to Windows, launch the ActiveRoles Server MMC Console and use the 'Current user' option when connecting to the Administration Service.
The ‘User Accounts’ control panel settings will affect the security context of the entire mmc.exe process and will be taken into account when performing the DCOM Ping.
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy