DCOM differs from COM in that it allows for creating objects distributed across a network, a
protocol for invoking that object’s methods, and secure access to the object. DCOM provides a
wrapper around COM, hence it is a backwards compatible extension. DCOM uses Remote
Procedural Calls (RPC) using Open Software Foundation’s Distributed Computing Environment.
These RPC are implemented over TCP/IP and named pipes. The protocol which is actually being
used is registered just prior to use, as opposed to being registered at initialization time. The reason
for this is that if a protocol is not being used, it will not be loaded.
In order to inform an object that the client is still alive, periodic pinging is used. Hence, when the
client has died and no ping has been received (to refresh it) before the expiration time, the server
object will perform some clean up tasks (including decrementing its reference count).
Since RPC across a network are typically slow (compared to processes residing on the same
machine), DCOM sends multiple requests in the same call. For example, in COM, the program
performs a QueryInterface, one interface at a time. In DCOM, multiple QueryInterfaces are all
clustered into one call.
This clustering optimization trick is also used when creating an instance of the object and serializing
it with data. Since these two operations usually occur together, DCOM allows one method which
will perform both operations in one call without waiting for an acknowledgment from the first
task before performing the second one.
Similarly, when a client pings its server object, he can do it in one call. Moreover, if there are
multiple clients sending pings to multiple servers, an optimization is made where the multiple
pings going to the same object are consolidated into just one ping. This is to cut down on the use
of precious bandwidth used only for pinging.
The client has the control to set the computer which will be responsible for the lifetime of the
object. That is to say, these objects are not created just somewhere where the system resources and
access privileges allow for it.
Call security is implemented in all four ways: authentication (to prevent false clients from
impersonating the true client), authorization (to insure that a client only does what it is authorized
to do), data integrity (to insure that data was not tampered with during transit) and data privacy (to
insure that only designated sources can read it). The security issues are handled as they are on
operating systems. The client gives the server various access privileges to access memory or disk