Showing posts with the label MS DTC. Show all posts

Wednesday, June 10, 2009

DTC Ping error: CID for both machines are the same

I received the following error from DTC Ping while I was checking the DTC communication between two virtual servers, an application server and a SQL server:

WARNING: the CID values for both test machines are the same while this problem won't stop DTCping test, MSDTC will fail for this

This error probably means that both machines were cloned from the same one. You can try a simple fix to eliminate this error message:

  1. Stop the MS DTC service
  2. Go to the command line and run: MSDTC -uninstall
  3. Go to the command line and run: MSDTC -install
  4. Start the MS DTC service

I executed the steps only on the application server and the error didn't appear again.


Friday, May 1, 2009

How to restrict RPC dynamic TCP/IP port allocation

MSDTC and DCOM use RPC (Remote Procedure Call) dynamic port allocation, which randomly selects port numbers above 1024. This makes it difficult to configure your firewall.

To restrict RPC to port 135 (the RPC Endpoint Mapper) plus a fixed range of dynamic ports, follow these steps:

  1. Select Start, Programs, Administrative Tools, Component Services.
  2. Expand the Component Services node.
  3. Expand the Computers node.
  4. Right-click My Computer and press Properties.
  5. Select the Default Protocols tab.
  6. Select Connection-oriented TCP/IP and press the Properties button.
  7. Press the Add button.
  8. Type a port range (I used to use the ports from 5000, for example 5000-5200) into the Port range box, and press OK.
  9. Ensure that the Port range assignment and Default dynamic port allocation options are set to Internet range.
  10. Press OK, OK, and OK.
  11. Shut down and restart your computer.

Friday, April 3, 2009

MS DTC Security Configuration

Microsoft Windows Server 2003 Service Pack 1 introduced many security-related updates and changes, some of which affect the Microsoft Distributed Transaction Coordinator (DTC) service.

To open the configuration settings of the DTC service on a server, open the Component Services console (Control Panel, Administrative Tools, Component Services, or type the dcomcnfg.exe command in the Run window), expand the Component Services and Computers nodes, right-click My Computer and then select Properties.


In the My Computer Properties window, select the MSDTC tab and click the Security Configuration button to open the security settings window. This window shows all the options related to the security configuration of the DTC service. For two machines to communicate through the DTC service, the same security configuration must be applied on both.


For two machines to communicate over MSDTC they should at least have the following security options enabled. Without these three options, they won’t be able to participate in MSDTC transactions at all.

  • Enable Network DTC Access

  • Allow Inbound

  • Allow Outbound

The remaining question is which of the three authentication options to select with the radio button (Mutual Authentication Required, Incoming Caller Authentication Required, No Authentication Required). Each works in the following scenarios:

  • Mutual Authentication Required (Most Secure) – will only work if the machines are in the same domain. This setting will not work on a cluster.

  • Incoming Caller Authentication Required – you can set this authentication level for machines in a cluster, but they should be in the same domain.

  • No Authentication Required (Least Secure) – works with almost everything. This is used especially for communicating with pre-SP1 machines (Windows 2003), for communication between two servers hosted in different domains that do not have a mutual trust configured, or between computers that are members of a workgroup.

You can also configure the security settings by modifying the Registry entries directly. To do so, follow the instructions in this Microsoft article: http://support.microsoft.com/kb/899191/en-us
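
The settings described above can be audited from the Registry instead of the dialog. The following is an added example, not code from the original post: it maps the three RPC security values documented in KB 899191 to the radio-button option and reports where two servers disagree. The function names and the servers APP01 and SQL01 are hypothetical, and the sample values are constructed.

```powershell
# Added example, not code from the original post. Value names are from KB 899191;
# function names and the servers APP01/SQL01 are hypothetical.
function Get-DtcSecuritySettings {
    # Reads the local DTC settings into one flat object.
    $base = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
    $sec  = Get-ItemProperty -Path "$base\Security"
    $rpc  = Get-ItemProperty -Path $base
    [pscustomobject]@{
        NetworkDtcAccess                 = $sec.NetworkDtcAccess
        NetworkDtcAccessInbound          = $sec.NetworkDtcAccessInbound
        NetworkDtcAccessOutbound         = $sec.NetworkDtcAccessOutbound
        AllowOnlySecureRpcCalls          = $rpc.AllowOnlySecureRpcCalls
        FallbackToUnsecureRPCIfNecessary = $rpc.FallbackToUnsecureRPCIfNecessary
        TurnOffRpcSecurity               = $rpc.TurnOffRpcSecurity
    }
}

function Get-DtcAuthMode {
    param([Parameter(Mandatory)]$Settings)
    # The three DWORDs encode the radio button; a missing value counts as 0.
    $bits = '{0}{1}{2}' -f [int]$Settings.AllowOnlySecureRpcCalls,
        [int]$Settings.FallbackToUnsecureRPCIfNecessary, [int]$Settings.TurnOffRpcSecurity
    switch ($bits) {
        '100'   { 'Mutual Authentication Required' }
        '010'   { 'Incoming Caller Authentication Required' }
        '001'   { 'No Authentication Required' }
        default { "Unrecognized combination ($bits)" }
    }
}

function Compare-DtcSecurity {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Machines)
    $findings = @()
    foreach ($name in $Machines.Keys) {
        foreach ($opt in 'NetworkDtcAccess', 'NetworkDtcAccessInbound', 'NetworkDtcAccessOutbound') {
            if ([int]$Machines[$name].$opt -ne 1) { $findings += "${name}: $opt is not enabled" }
        }
    }
    $modes = @($Machines.Values | ForEach-Object { Get-DtcAuthMode $_ } | Select-Object -Unique)
    if ($modes.Count -gt 1) { $findings += "Authentication modes differ: $($modes -join ' / ')" }
    $findings
}

# Constructed sample values; on a real server pass Get-DtcSecuritySettings output instead.
$app = [pscustomobject]@{ NetworkDtcAccess = 1; NetworkDtcAccessInbound = 1; NetworkDtcAccessOutbound = 1
    AllowOnlySecureRpcCalls = 1; FallbackToUnsecureRPCIfNecessary = 0; TurnOffRpcSecurity = 0 }
$sql = [pscustomobject]@{ NetworkDtcAccess = 1; NetworkDtcAccessInbound = 0; NetworkDtcAccessOutbound = 1
    AllowOnlySecureRpcCalls = 0; FallbackToUnsecureRPCIfNecessary = 0; TurnOffRpcSecurity = 1 }
Compare-DtcSecurity -Machines ([ordered]@{ APP01 = $app; SQL01 = $sql })
```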


Monday, March 30, 2009

DTC communication and configuration basics

DTC uses RPC to set up communication between two machines in a two-phase commit transaction. One of the most important things about this communication is that it must be bidirectional.

RPC communication follows this process:

  1. The source server sends a TCP request over port 135 (RPC portmapper port)

  2. The destination server replies back over port 135 with a port from its allowed TCP high range

  3. The destination server sends a TCP request over port 135 to the source

  4. The source server replies back with a port in the allowable TCP high range

  5. Now the computers participate in the transaction and use the TCP high range ports provided by both of them


TCP High Range

By default the high range is port 1024 and above, so RPC could use any port between 1024 and 65535. This is a problem if you have a firewall between the servers and need to apply firewall rules. Fortunately, Microsoft provides a way to restrict the RPC port range:

You can configure it directly from the Component Services console (Control Panel, Administrative Tools, Component Services, or type the dcomcnfg.exe command in the Run window): expand the Component Services and Computers nodes, right-click My Computer and then select Properties. Click the Default Protocols tab, select Connection-oriented TCP/IP in the DCOM Protocols section and click the Properties button.

In the Properties for COM Internet Services window, click the Add button and type the port range that you want to use (for a development or staging environment you can use a range of 200 ports, for example 5000-5200, and for production environments with a great number of transactions you can use a bigger range, for example 5000-6000). Click OK and select the Internet range option in both the Port range assignment and Default dynamic port allocation sections.


Click OK, Apply and OK to close all windows.

You can also configure it by modifying Registry entries. Follow the instructions in these Microsoft articles: http://support.microsoft.com/kb/154596/ and http://support.microsoft.com/kb/306843. The most important thing to know here is that the UseInternetPorts registry value must match on the source and destination.
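
To check the port restriction described here and in the May 1 post on both DTC partners, the values can be read remotely and compared. This is an added example, not code from the original post: the key and value names are those documented in KB 154596, while the function names and the servers APP01 and SQL01 are hypothetical and the sample objects are constructed.

```powershell
# Added example, not code from the original post. Key and value names are from
# KB 154596; function names and the servers APP01/SQL01 are hypothetical.
function Get-RpcInternetSettings {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Needs the Remote Registry service and administrative rights on the target.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Rpc\Internet')
        $result = [pscustomobject]@{
            Computer = $ComputerName; Restricted = ($null -ne $key)
            Ports = @(); PortsInternetAvailable = $null; UseInternetPorts = $null
        }
        if ($key) {
            $result.Ports = @($key.GetValue('Ports', @()))
            $result.PortsInternetAvailable = $key.GetValue('PortsInternetAvailable')
            $result.UseInternetPorts = $key.GetValue('UseInternetPorts')
            $key.Close()
        }
        $result
    } finally { $hklm.Close() }
}

function Compare-RpcInternetSettings {
    param([Parameter(Mandatory)]$Source, [Parameter(Mandatory)]$Destination)
    $report = @()
    # The post's key requirement: UseInternetPorts must match on both sides.
    if ($Source.UseInternetPorts -ne $Destination.UseInternetPorts) {
        $report += "UseInternetPorts differs: $($Source.Computer)='$($Source.UseInternetPorts)', " +
            "$($Destination.Computer)='$($Destination.UseInternetPorts)'"
    }
    foreach ($m in $Source, $Destination) {
        if (-not $m.Restricted) {
            $report += "$($m.Computer): no RPC port range set, RPC may pick any port from 1024 to 65535"
        } else {
            $report += "$($m.Computer): firewall must allow TCP 135 and $($m.Ports -join ', ')"
        }
    }
    $report
}

# Constructed sample input; on a live network use Get-RpcInternetSettings -ComputerName <server>.
$app = [pscustomobject]@{ Computer = 'APP01'; Restricted = $true; Ports = @('5000-5200')
    PortsInternetAvailable = 'Y'; UseInternetPorts = 'Y' }
$sql = [pscustomobject]@{ Computer = 'SQL01'; Restricted = $false; Ports = @()
    PortsInternetAvailable = $null; UseInternetPorts = $null }
Compare-RpcInternetSettings -Source $app -Destination $sql
```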

