Distributed Transaction Coordinator In Windows Server 2003


#2195 Webmaster (Keymaster)

      What does Distributed Transaction Coordinator do?
      The Distributed Transaction Coordinator (DTC) service coordinates transactions that update two or more transaction-protected
      resources, such as databases, message queues, file systems, and so on. These transaction-protected resources may be on a
      single computer or distributed across many networked computers.
      Who does this feature apply to?
      Users of any computers that participate in DTC transactions, either directly or through other computers.
      System administrators of networks that use DTC components to perform transactions across networks.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      Securing all network communication by default
      Detailed description
      In Windows Server 2003 Service Pack 1, DTC gives the administrator greater control over the network communication
      between computers. By default, all DTC network communication is disabled.
      To expose these communication settings, the DTC security settings properties page has been extended. To see the
      page, use the following procedure:
      To open the DTC security settings properties page
      1. Open the Component Services snap-in in Microsoft Management Console (MMC).
      2. In the console tree, click the Computers folder.
      3. In the results pane, right-click My Computer and then click Properties.
      4. Click the MSDTC tab, and then click Security Configuration.
      The table below defines the new fields on the property page, along with the registry values affected by each setting. All
      the registry values related to MSDTC are located under the following registry key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC
      Caution
      Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back
      up any valued data on the computer. These registry values might not be supported in future releases.
      The following table lists each setting, what it does, and the corresponding registry values. Paths are relative to
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC.

      Setting: Network DTC Access
      Description: Determines whether DTC on the local computer is allowed to access the network. This setting must be enabled
      in combination with one of the other settings to enable network DTC transactions.
      Default setting: Off
      Registry value: Security\NetworkDtcAccess (0 = Off, 1 = On)

      Setting: Allow Inbound
      Description: Allows a distributed transaction that originates from a remote computer to run on this computer.
      Default setting: Off
      Registry values: To enable this setting, set the following values to 1:
          Security\NetworkDtcAccess
          Security\NetworkDtcAccessTransactions
          Security\NetworkDtcAccessInbound
      To disable this setting, you only need to set Security\NetworkDtcAccessInbound to 0.

      Setting: Allow Outbound
      Description: Allows the local computer to initiate a transaction and run it on a remote computer.
      Default setting: Off
      Registry values: To enable this setting, set the following values to 1:
          Security\NetworkDtcAccess
          Security\NetworkDtcAccessTransactions
          Security\NetworkDtcAccessOutbound
      To disable this setting, you only need to set Security\NetworkDtcAccessOutbound to 0.

      Setting: Mutual Authentication Required
      Description: Adds support for mutual authentication in future versions and is the most secure communication mode. In the
      current versions of Windows and Windows Server, it is functionally equivalent to the Incoming Caller Authentication
      Required setting. This is the recommended transaction mode for clients running Windows XP SP2 and servers running a
      member of the Windows Server 2003 family.
      Warning: You cannot use the Mutual Authentication Required transaction mode with computers that are in a clustered
      environment, or with any computers that negotiate transactions with such computers. In that context, use the Incoming
      Caller Authentication Required transaction mode instead. In a clustered environment, the computer account for the
      Distributed Transaction Coordinator service specifies the cluster node's host name instead of the transaction node's host
      name, which prevents the authentication request from succeeding when the Mutual Authentication Required transaction
      mode is enabled.
      Registry values:
          AllowOnlySecureRpcCalls = 1
          FallbackToUnsecureRPCIfNecessary = 0
          TurnOffRpcSecurity = 0

      Setting: Incoming Caller Authentication Required
      Description: Requires the local DTC to communicate with a remote DTC using only encrypted messages and mutual
      authentication. This setting is recommended for servers running Windows Server 2003 that are operating in a cluster.
      Only Windows Server 2003 and Windows XP SP2 support this feature, so you should only use it if you know that the DTC on
      the remote computer runs either Windows Server 2003 or Windows XP SP2.
      Registry values:
          AllowOnlySecureRpcCalls = 0
          FallbackToUnsecureRPCIfNecessary = 1
          TurnOffRpcSecurity = 0

      Setting: No Authentication Required
      Description: Provides compatibility with previous versions of the Windows operating system. When enabled, communication
      on the network between DTCs can fall back to unauthenticated or unencrypted communication if a secure communication
      channel cannot be established. Use this setting if the DTC on the remote computer runs Windows 2000 or a version of
      Windows XP earlier than SP2. This setting is also useful when the DTCs involved are located on computers in domains
      that do not have an established trust relationship, or when the computers are part of a Windows workgroup. Because it
      permits unauthenticated, unencrypted DTC traffic, treat it as a last resort and limit it to those cases.
      Registry values:
          AllowOnlySecureRpcCalls = 0
          FallbackToUnsecureRPCIfNecessary = 0
          TurnOffRpcSecurity = 1
      Why is this change important? What threats does it help mitigate?
      These changes are important in order to secure any DTC communication coming into or going out of the computer. By
      default, after installing Windows Server 2003 Service Pack 1, the DTC on the computer will not accept or issue any
      network traffic and is therefore less exposed to network attacks.
      Additionally, the DTC network protocol has been upgraded to support a more securely encrypted and mutually authenticated
      communication mode. This helps to ensure that attackers cannot intercept or take over communications between DTCs.
      What works differently?
      After installing Windows Server 2003 Service Pack 1, all network communication coming out of or going into DTC is disabled.
      For example, if a COM+ object attempts to update a SQL database on a remote computer using a DTC transaction, the
      transaction fails. Conversely, if your computer is hosting a SQL database that components on remote computers try to
      access using a DTC transaction, their transactions fail.
      How do I fix these issues?
      If your transactions fail because of network connectivity, open the MSDTC security properties as described previously in
      this document, select the Network DTC Access check box, and then select the Allow Inbound and Allow Outbound check
      boxes, as appropriate.
      If you want to change these settings programmatically as part of your Windows Server 2003 Service Pack 1 deployment, you
      can directly change the registry values that correspond to your desired setting, as described in the table in "Securing
      all network communication by default," earlier in this document. After you have changed the registry settings, you must
      restart the MSDTC service for them to take effect.
      If you are using Windows Firewall to protect the computers in your organization, you must add MSDTC to the exception list
      in the Windows Firewall settings. To do so, use the following steps:
      1. In Control Panel, open Windows Firewall.
      2. Click the Exceptions tab, and then click Add Program.
      3. Click Browse, and then add c:\windows\system32\msdtc.exe.
      4. In Programs and Services, select the Msdtc.exe check box, and then click OK.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      Possible values for every setting below: 0, 1.

      Setting name                       Location                                               Previous default   Default
      NetworkDtcAccess                   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security   1                  0
      NetworkDtcAccessTransactions       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security   1                  0
      NetworkDtcAccessInbound            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security   n/a                0
      NetworkDtcAccessOutbound           HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security   n/a                0
      AllowOnlySecureRpcCalls            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC            n/a                1
      FallbackToUnsecureRPCIfNecessary   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC            n/a                0
      TurnOffRpcSecurity                 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC            n/a                0
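The following cmd.exe batch script is an added example and is not part of the original post or of Microsoft's documentation. It applies one of the transaction modes from the table above with reg.exe (setting the four Security\ values to 1 and the three RPC security values to the documented combination), adds the Windows Firewall exception for msdtc.exe with netsh, restarts MSDTC so the registry change takes effect, and then audits the result. It assumes the reg.exe, netsh.exe and net.exe tools shipped with Windows Server 2003 SP1 and an administrative command prompt; the script name, the mode keywords (mutual, incoming, none, off, show) and the firewall entry name "MSDTC" are this example's own choices.

```batch
@echo off
rem Added example, not from the original post: configure the DTC network
rem security settings with reg.exe, open the Windows Firewall exception for
rem msdtc.exe, restart MSDTC and audit the result. Run from an administrative
rem cmd.exe on Windows Server 2003 SP1.
rem usage: set-msdtc-net.cmd mutual, incoming, none, off or show
rem (script name and mode keywords are this example's own choice)
setlocal
set "MSDTC=HKLM\SOFTWARE\Microsoft\MSDTC"
set "SEC=%MSDTC%\Security"

if /I "%~1"=="mutual"   goto mutual
if /I "%~1"=="incoming" goto incoming
if /I "%~1"=="none"     goto none
if /I "%~1"=="off"      goto off
if /I "%~1"=="show"     goto show
echo usage: %~nx0 mutual^|incoming^|none^|off^|show
exit /b 2

:mutual
rem Mutual Authentication Required: recommended for XP SP2 / Server 2003 peers.
rem Not usable on or against cluster nodes; use "incoming" there.
set "ONLY=1" & set "FALL=0" & set "TURNOFF=0"
goto apply

:incoming
rem Incoming Caller Authentication Required: for clustered Windows Server 2003.
set "ONLY=0" & set "FALL=1" & set "TURNOFF=0"
goto apply

:none
rem No Authentication Required: only for Windows 2000 / pre-SP2 XP peers,
rem untrusted domains or workgroups. Traffic may fall back to unauthenticated,
rem unencrypted RPC, so keep this mode to a minimum.
set "ONLY=0" & set "FALL=0" & set "TURNOFF=1"
goto apply

:apply
rem Network DTC Access, Allow Inbound and Allow Outbound all need these four
rem values set to 1. reg add /f overwrites an existing value without prompting.
for %%V in (NetworkDtcAccess NetworkDtcAccessTransactions NetworkDtcAccessInbound NetworkDtcAccessOutbound) do (
    reg add "%SEC%" /v %%V /t REG_DWORD /d 1 /f >nul || exit /b 1
)
reg add "%MSDTC%" /v AllowOnlySecureRpcCalls          /t REG_DWORD /d %ONLY%    /f >nul || exit /b 1
reg add "%MSDTC%" /v FallbackToUnsecureRPCIfNecessary /t REG_DWORD /d %FALL%    /f >nul || exit /b 1
reg add "%MSDTC%" /v TurnOffRpcSecurity               /t REG_DWORD /d %TURNOFF% /f >nul || exit /b 1
rem Same effect as adding msdtc.exe on the Windows Firewall Exceptions tab.
netsh firewall add allowedprogram program="%SystemRoot%\system32\msdtc.exe" name="MSDTC" mode=ENABLE || exit /b 1
goto restart

:off
rem Back to the SP1 default: DTC neither accepts nor issues network traffic.
rem The three RPC security values are left alone; they only matter once
rem NetworkDtcAccess is 1 again.
for %%V in (NetworkDtcAccess NetworkDtcAccessTransactions NetworkDtcAccessInbound NetworkDtcAccessOutbound) do (
    reg add "%SEC%" /v %%V /t REG_DWORD /d 0 /f >nul || exit /b 1
)
goto restart

:restart
rem MSDTC reads these values at service start, so restart it.
net stop msdtc
net start msdtc || exit /b 1

:show
rem Audit: print the effective values, then flag the weak combination of
rem inbound transactions allowed while RPC security is turned off.
for %%V in (NetworkDtcAccess NetworkDtcAccessTransactions NetworkDtcAccessInbound NetworkDtcAccessOutbound) do (
    reg query "%SEC%" /v %%V 2>nul | find "REG_DWORD"
)
for %%V in (AllowOnlySecureRpcCalls FallbackToUnsecureRPCIfNecessary TurnOffRpcSecurity) do (
    reg query "%MSDTC%" /v %%V 2>nul | find "REG_DWORD"
)
set "INBOUND=0x0" & set "NOSEC=0x0"
for /f "tokens=3" %%A in ('reg query "%SEC%" /v NetworkDtcAccessInbound 2^>nul ^| find "REG_DWORD"') do set "INBOUND=%%A"
for /f "tokens=3" %%A in ('reg query "%MSDTC%" /v TurnOffRpcSecurity 2^>nul ^| find "REG_DWORD"') do set "NOSEC=%%A"
if "%INBOUND%"=="0x1" if "%NOSEC%"=="0x1" echo WARNING: inbound DTC transactions allowed with RPC security turned off
exit /b 0
```

Run the script with show on its own to audit a server without changing anything; the warning line is the case worth hunting for across a server estate, because it is exactly the fallback to unauthenticated, unencrypted DTC traffic that SP1 turned off by default. On cluster nodes, and on any computer that transacts with one, use incoming rather than mutual, since the page notes that the Mutual Authentication Required mode cannot authenticate against the cluster node's host name.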
