User Tools

Site Tools


win:msdtc

Microsoft Distributed Transaction Coordinator (MS-DTC)

Enabling DTC Network access

See the following KB article for enabling Network access to MS-DTC:

HowTo

  1. Click Start, point to Control Panel, point to Administrative Tools, and then click Component Services.
  2. Expand Component Services, expand Computers, right-click My Computer, and then click Properties.
  3. Click the MSDTC tab, and then click Security Configuration.
  4. Under Security Settings, note the settings, and then click to select the Network DTC Access check box.
  5. Click Yes when you receive the following message:
  6. MS DTC service will be stopped and restarted. All dependent services will be stopped. Please press yes to proceed.
  7. Click OK two times.
  8. Click Security Configuration, and then under Security Settings, specify the security settings.
  9. Click OK.

msdtc security

Resolve issues with MS-DTC on Clusters after DCPromo

The problem affects systems with the following setup:

  • MS-DTC cluster service
  • Windows Service Pack >= 1
  • Cluster Nodes act as Domain Controller

As part of SP1 changes the security of the registry keys under HKLM\Software\Microsoft\MSDTC is tightened to give NetworkService write access to only very specific subkeys.

MSDTC has a feature that when it is upgraded to a domain controller it will automatically shut off network transactions. In W2k3 RTM the code that did this only modified registry keys under HKLM\Software\Microsoft\MSDTC\Security which was one of the subkeys that were left writeable by NetworkService. A different set of changes for SP1 modified the same code path to attempt to change the RPC Authentication level that MSDTC requires. The RPC Authentication level is stored under HKLM\Software\Microsoft\MSDTC. This fails and produces a warning in the event log.

The original intent of the DC Upgrade/Downgrade code was to turn off network transactions.

What to do to resolve the issue

On all cluster nodes

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then right-click the following registry subkey:
    1. HKEY_LOCAL_MACHINE\Cluster\Resources\<MSDTC resource GUID>
  3. Click Permissions, and then click NETWORK SERVICE.
  4. In the Allow column of the Permissions for NETWORK SERVICE box, click to select the Full Control check box, and then click OK.

On the node where MS-DTC resource is running (assuming node #1)

  1. Click Start, point to Control Panel, point to Administrative Tools, and then click Component Services.
  2. Expand Component Services, expand Computers, right-click My Computer, and then click Properties.
  3. Click the MSDTC tab, and then click Security Configuration.
  4. Under Security Settings, note the settings, and then click to select the Network DTC Access check box.
  5. Click Yes when you receive the following message:
  6. MS DTC service will be stopped and restarted. All dependent services will be stopped. Please press yes to proceed.
  7. Click OK two times.
  8. Click Security Configuration, and then under Security Settings, specify the security settings.
  9. Click OK.

Failover the MSDTC Resource to the other node ( assuming node #2 ) and there repeat the steps #1 - #9

Testing

  • Failover the MSDTC Resource ( assuming back to node #1 ) and check the Application Log for Startup parameters.
  • Failover the MSDTC Resource ( assuming back to node #2 ) and check the Application Log for Startup parameters.
  • Then move the MSDTC resource to the node where you have planned it to be running normally.

Troubleshooting MS-DTC

Test transactions

Use the DTCTester Tool to verify the MS-DTC functionality from a remote server.

Configure a DSN

  1. Start > Programs > Administrative Tools > Data Sources (ODBC)
  2. Select the tab “System DSN” and add a new DSN pointing to the MS-DTC Resource (i.e. Cluster NetBios name)

It's important to use a host name / netbois name and not the IP address, because this is a requirement for MS-DTC.

Execute DTCTester from the command line

You require a user with access to SQL Server

Command usage:

dtctester <dsn name> <user name> <password>

Example of running the tool against a Cluster with MS-DTC and SQL Server:

> dtctester.exe dtctest commerce_sa secret_password
Executed: dtctester.exe
DSN:  dtctest
User Name: commerce_sa
Password: secret_password
tablename= #dtc25503
Creating Temp Table for Testing: #dtc25503
Warning: No Columns in Result Set From Executing: 'create table #dtc25503 (ival int)'
Initializing DTC
Beginning DTC Transaction
Enlisting Connection in Transaction
Executing SQL Statement in DTC Transaction
Inserting into Temp...insert into #dtc25503 values (1)
Warning: No Columns in Result Set From Executing: 'insert into #dtc25503 values (1) '
Verifying Insert into Temp...select * from #dtc25503 (should be 1): 1
Press enter to commit transaction.
 
Commiting DTC Transaction
Releasing DTC Interface Pointers
Successfully Released pTransaction Pointer.
Disconnecting from Database and Cleaning up Handles

Verify Cluster Configuration

Use the dsinfo.exe tool to collect information on all clutser nodes and check and compare the settings:

/srv/wiki.niwos.com/data/pages/win/msdtc.txt · Last modified: 2009/08/15 18:59 (external edit)