XP SP 2 DCOM Issues

[Jim Luth]

We have received some more feedback from Microsoft regarding this problem of DCOM registry corruption that leads to applications not running correctly and windows that do not dock to the task bar when minimized:

According to Microsoft the one known way to end up in this situation is to write 'bad' data to the registry keys that control the default DCOM security settings. Microsoft changed the format of the data in these keys with XP SP2, so applications which programmatically set the default DCOM permissions properly on a pre-Windows XP SP2 machine can cause DCOM to think it has been disabled when run on a machine with XP SP2. This will prevent all applications from accessing DCOM (including the OS and shell).

Similarly, using the pre-Windows XP SP2 code to change the DCOM permissions for individual applications will not work properly on SP2 machines (but will not cause the same system wide DCOM failure as when the changes are made to the default DCOM permissions).

The Data Access sample code has been updated to use the XP SP2 code recommended by Microsoft (the new sample code comes from the latest version of the DCOMPerm sample which is distributed as part of the Windows XP SP2 Platform SDK).

All vendors should review this code and see if they need to make changes to their own applications. Most importantly, vendors should make sure that they are not changing the machine default permissions.

In addition, the OPC XP SP2 white paper recommends changing the machine default DCOM permissions for XP SP2 (Step 7 in Configuring DCOM). The following comment should be added to that step:

If possible, DCOM permissions should be set for each OPC application separately and the machine default should be left unchanged. The process for changing the permissions for an individual application is the same as changing the machine defaults, except, you must select the application in the tree view under 'My Computer' node.

That said, you will have no choice but to modify the machine default permissions if you have an OPC client application which does not have an application id (i.e. it does not show up in DCOMCnfg).

[Mike]

I have read this thread with interest thinking I found a solution. No luck!!!

I have 2 XP SP2 machines that simply refuse to DCOM properly with each other. I have downloaded every document on OPC DCOM SP2 issues, done everything they suggest. I have done everything suggested on this thread. I have even disabled the firewall on both PC's. But I simply cannot get remote OPC connections to work, not even OPCENUM!!!

When an OPC client tries to enumerate OPC servers on a remote PC, OPCENUM on the remote server IS launched but the client simply gets a 0x8007005 - Access denied reply.

Remote OPC servers will also launch but the final connection does not happen.

What on earth do I have to do?

[Jim Luth]

Did the two machines communicate OK before you applied SP2, or are you trying this for the first time with SP2?

If the machines are in a Workgroup instead of a Domain, this thread may be of some use:

http://www.opcfoundation.org/forum/viewtopic.php?t=90

[Mike]

Jim,

They sure did. But ...... I have since downloaded DrDCom and autoconfig'd all nodes and servers and hey presto! it all works again.

Thanx for a great utility !!! We have a couple of SP2 PC's that suffer from the same symptoms and I will be DrDCOM'ing them all!!! Time to register DrDCOM !!!!

My feeling is that MS's SP2 version of DCOMCNFG sure stuffed something up. They need to come clean on this.

[aafg69]

Hi everyone, where can i get this utility you are naming?, i mean drDCOM

[Mike]

DrDCOM from http://www.iconics.com/support/free_tools.asp

[ColinBate]

Thanks to everyone who posed tips for the Win XP SP2 DCOM issue, I too fell fowl of this problem while setting up OPC across a network. Somehow I managed to lose administrator permissions on my Administrator account to every application that required it, consequently I could do nothing, not even change the DCOM setting with dcomcnfg.
I uninstalled SP2 and got it all back, but upon reinstallation it disappeared again.
Luckily I found the postings here, the deletion of the hklm\…\DefaultAccessPermission made no difference, so this was restored, however running a Win2000 version of dcomcnfg sorted the problem, it allowed me access and gave some message about invalid ACL’s and promptly rewrote them for me. After a reboot I've got administrator privelages again.
Thanks again to everyone who took the time to leave their experiences.

[Silo]

I just went to the link on ICONICS but couldn't find any version of Dr.DCOM for download. Is it avilable anywhere?

[Silo]

In case there's any other people who come across this when their nodes is screwed because of the old DCOMPERM corrupting the registry. I did the following and my machine seems to be OK.

1. Delete the HKLM\Software\Microsfot\Ole\DefaultAccessPermissions and DefaultLaunchPermissions keys
2. copy the new DCOMPERM.exe (from XP SP2) onto the node.
3. Run the DCOMPERM tool to add any user/group for default access and default launch permissions

If you use the W2K version of DCOMPERM, you will run into this corruption problem if any other applications try to use a XP SP2 compatible DCOMPERM on your machine.

[peratle]

Can OPC server/klient be used between to computers not part of a domain ?

Or in the the same workgroup ?

Is there a link how to set up accounts etc. ?

Regards
peratle

[Randy]

Yes, but you need to ensure accounts with exactly the same name and password exist on both machines.

[peratle]

[Randy]

No

[peratle]

The OPC client PC and the server PC are on different sides of a firewall.

What ports must be opened at the firewall for the OPC comm. ?

[Randy]

OPC has published a whitepaper that covers the XP SP2 firewall:

http://www.opcfoundation.org/Downloads.aspx?CM=1&CN=KEY&CI=282

Microsoft's thoughts on the topic:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp