Distributed Transaction Coordinator In Windows Server 2003


This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 3 months, 1 week ago.

  • #2195

    Webmaster
    Keymaster

    What does Distributed Transaction Coordinator do?
    The Distributed Transaction Coordinator (DTC) service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, file systems, and so on. These transaction-protected resources may be on a single computer or distributed across many networked computers.
    Who does this feature apply to?
    Users of any computers that participate in DTC transactions, either directly or through other computers.
    System administrators of networks that use DTC components to perform transactions across networks.
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    Securing all network communication by default
    Detailed description
    In Windows Server 2003 Service Pack 1, DTC provides the administrator with greater control over the network communication between computers. By default, all network communication is disabled.
    In order to manipulate the communication settings, the DTC security settings properties page has been enhanced. To see the page, use the following procedure:
    To open the DTC security settings properties page
    1. Open the Component Services snap-in Microsoft Management Console (MMC).
    2. In the console tree, click the Computers folder.
    3. In the results pane, right-click My Computer and then click Properties.
    4. Click the MSDTC tab, and then click Security Configuration.
    The table below defines the new fields in the property page, along with the registry keys affected for the different settings. All the registry keys related to MSDTC are located in the following registry key:
    MyComputer\HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC
    Caution
    Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. These registry keys might not be supported in future releases.
    The following table tells you where to find the MSDTC key specific values.

    Setting: Network DTC Access
    Description: Determines whether DTC on the local computer is allowed to access the network. This setting must be enabled in combination with one of the other settings to enable network DTC transactions. Default setting: Off
    Corresponding registry value: Security\NetworkDtcAccess (0 = Off, 1 = On)

    Setting: Allow Inbound
    Description: Allows a distributed transaction that originates from a remote computer to run on this computer. Default setting: Off
    Corresponding registry value: To enable this setting you must set the following registry key values to 1: Security\NetworkDtcAccess, Security\NetworkDtcAccessTransactions, Security\NetworkDtcAccessInbound. To disable this setting, you only need to set the following registry key value to 0: Security\NetworkDtcAccessInbound

    Setting: Allow Outbound
    Description: Allows the local computer to initiate a transaction and run it on a remote computer.
    Corresponding registry value: To enable this setting, you need to set the following registry key values to 1: Security\NetworkDtcAccess, Security\NetworkDtcAccessTransactions, Security\NetworkDtcAccessOutbound. To disable this setting, you only need to set the following registry key value to 0: Security\NetworkDtcAccessOutbound

    Setting: Mutual Authentication Required
    Description: Adds support for mutual authentication in future versions and is the highest secured communication mode. In the current versions of Windows and Windows Server, it is functionally equivalent to the Incoming Caller Authentication Required setting. This is the recommended transaction mode for clients running Windows XP SP2 and servers running a member of the Windows Server 2003 family.
    Warning: You cannot use the Mutual Authentication Required transaction mode with computers that are in a clustered environment, or any computers that are negotiating transactions with such computers. In that context, you can use the Incoming Caller Authentication Required transaction mode instead. In a clustered environment, the computer account for the Distributed Transaction Coordinator service specifies the cluster node's host name instead of the transaction node's host name, which prevents the authentication request from succeeding when the Mutual Authentication Required transaction mode is enabled.
    Corresponding registry values: AllowOnlySecureRpcCalls = 1, FallbackToUnsecureRPCIfNecessary = 0, TurnOffRpcSecurity = 0

    Setting: Incoming Caller Authentication Required
    Description: Requires the local DTC to communicate with a remote DTC using only encrypted messages and mutual authentication. This setting is recommended for servers running Windows Server 2003 that are operating in a cluster. Only Windows Server 2003 and Windows XP SP2 support this feature, so you should only use this if you know that the DTC on the remote computer runs either the Windows Server 2003 or Windows XP SP2 operating system.
    Corresponding registry values: AllowOnlySecureRpcCalls = 0, FallbackToUnsecureRPCIfNecessary = 1, TurnOffRpcSecurity = 0

    Setting: No Authentication Required
    Description: Provides system compatibility between previous versions of the Windows operating system. When enabled, communication on the network between DTCs can fall back to a non-authentication or non-encrypted communication if a secure communication channel cannot be established. This setting should be used if the DTC on the remote computer runs a Windows 2000 operating system or a Windows XP operating system earlier than SP2. This setting is also useful when the DTCs that are involved are located on computers that are in domains that do not have an established trust relationship or if the computers are part of a Windows workgroup.
    Corresponding registry values: AllowOnlySecureRpcCalls = 0, FallbackToUnsecureRPCIfNecessary = 0, TurnOffRpcSecurity = 1
    Why is this change important? What threats does it help mitigate?
    These changes are important in order to secure any communication coming into or going out from the computer. By default, after installing Windows Server 2003 Service Pack 1, the computer will not accept or issue any network traffic and therefore will be less vulnerable to network attacks.
    Additionally, the online network protocol has been upgraded to support a more securely encrypted and mutually authenticated communication mode. This helps to ensure that attackers cannot intercept or take over communications between DTCs.
    What works differently?
    After installing Windows Server 2003 Service Pack 1, all network communication coming out of or getting into DTC is disabled. For example, if a COM+ object attempts to update a SQL database on a remote computer using a DTC transaction, the transaction fails. Conversely, if your computer is hosting a SQL database that components from remote computers try to access using a DTC transaction, their transactions fail.
    How do I fix these issues?
    If your transactions fail because of network connectivity, you can use MSDTC security properties, as described previously in this document, select the Network DTC Access check box, and then select the Allow Inbound and Allow Outbound check boxes, as appropriate.
    If you want to change these settings programmatically as part of your Windows Server 2003 Service Pack 1 deployment, you can directly change the registry values that correspond to your desired setting as described in the table in "Securing all network communication by default," earlier in this document. After you have changed the registry settings, you must restart the MSDTC service.
    If you are using Windows Firewall to protect the computers in your organization, you must add MSDTC into the exception list in the Windows Firewall settings. To do so, use the following steps:
    1. In Control Panel, open Windows Firewall.
    2. Click the Exceptions tab, and then click Add Program.
    3. Click Browse, and then add c:\windows\system32\msdtc.exe.
    4. In Programs and Services, select the Msdtc.exe check box, and then click OK.
    What settings are added or changed in Windows Server 2003 Service Pack 1?
    Setting name | Location | Previous default value | Default value | Possible values
    NetworkDtcAccess | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security | 1 | 0 | 0,1
    NetworkDtcAccessTransactions | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security | 1 | 0 | 0,1
    NetworkDtcAccessInbound | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security | n/a | 0 | 0,1
    NetworkDtcAccessOutbound | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security | n/a | 0 | 0,1
    AllowOnlySecureRpcCalls | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC | n/a | 1 | 0,1
    FallbackToUnsecureRPCIfNecessary | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC | n/a | 0 | 0,1
    TurnOffRpcSecurity | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC | n/a | 0 | 0,1
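An added audit script (not part of the original post) that reads the MSDTC registry values listed in the two tables above and reports the effective Network DTC Access, Allow Inbound, Allow Outbound and authentication mode, so an administrator can verify a deployment without opening the Component Services snap-in. It assumes PowerShell is installed on the Windows Server 2003 SP1 host and that the script is run from an administrator account; the registry paths and value names are the ones the post gives.

```powershell
# Added example, not from the original post: audit the MSDTC registry values
# the post's tables describe and report the effective network security mode.
# Assumes PowerShell is available on the Windows Server 2003 SP1 host.
$base = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
$sec  = "$base\Security"

function Get-DtcValue([string]$Path, [string]$Name) {
    # A value that is absent behaves like the SP1 default of 0 (off).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

$networkAccess = Get-DtcValue $sec  'NetworkDtcAccess'
$transactions  = Get-DtcValue $sec  'NetworkDtcAccessTransactions'
$inbound       = Get-DtcValue $sec  'NetworkDtcAccessInbound'
$outbound      = Get-DtcValue $sec  'NetworkDtcAccessOutbound'
$secureOnly    = Get-DtcValue $base 'AllowOnlySecureRpcCalls'
$fallback      = Get-DtcValue $base 'FallbackToUnsecureRPCIfNecessary'
$rpcOff        = Get-DtcValue $base 'TurnOffRpcSecurity'

# The three RPC values together select one of the modes in the post's table.
$mode = switch ("$secureOnly$fallback$rpcOff") {
    '100'   { 'Mutual Authentication Required' }
    '010'   { 'Incoming Caller Authentication Required' }
    '001'   { 'No Authentication Required' }
    default { "unrecognised combination ($secureOnly,$fallback,$rpcOff)" }
}

# Inbound/outbound are only effective when the two parent values are also 1,
# exactly as the post's enable/disable instructions describe.
$inOn  = ($networkAccess -eq 1) -and ($transactions -eq 1) -and ($inbound -eq 1)
$outOn = ($networkAccess -eq 1) -and ($transactions -eq 1) -and ($outbound -eq 1)

Write-Host ("Network DTC Access  : {0}" -f $(if ($networkAccess -eq 1) { 'On' } else { 'Off' }))
Write-Host ("Allow Inbound       : {0}" -f $(if ($inOn)  { 'On' } else { 'Off' }))
Write-Host ("Allow Outbound      : {0}" -f $(if ($outOn) { 'On' } else { 'Off' }))
Write-Host ("Authentication mode : {0}" -f $mode)

# Call out the compatibility mode the post reserves for Windows 2000 and
# pre-SP2 Windows XP peers, since with network access on it permits a fall
# back to unauthenticated, unencrypted RPC between DTCs.
if (($rpcOff -eq 1) -and ($inOn -or $outOn)) {
    Write-Warning 'No Authentication Required is set while network DTC access is enabled.'
}
```

After changing any of these values, restart the MSDTC service as the post states, then re-run the script to confirm the new mode took effect.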
