**NOTE** – There might be better ways of doing this in newer versions than the 2003 Group Policy, but I never found one. This post will go over how to turn on DTC only for the domain the computer resides in, as well as creating the proper firewall rules on the client.
First, create a new Group Policy Object. For simplicity's sake I am just going to call it “DTC”.
Edit DTC. Go to “Computer Configuration” – “Windows Settings” – “Scripts (Startup/Shutdown)” – “Startup”.
We're going to create two items. One will import a few registry settings. The second will run some commands that open the firewall so that DTC is only externally accessible while the computer is on the domain (Domain profile).
Click the “Add” button in “Startup Scripts for DTC”.
Script name is “regedit.exe” and the script parameters is “/s msdtc.reg”. Click “OK”.
You’re going to add another script, so click “Add” again. This time the script name is “firewall.bat”. Click “OK”.
Now we need to create the files needed. On the “Startup Properties” window click “Show files”.
In the window that opens you will need to create two files and name them “firewall.bat” and “msdtc.reg”.
The contents of firewall.bat are:

```bat
REM Enable the four built-in DTC rules, scoped to the Domain profile only,
REM so DTC is not reachable when the machine is on a Private or Public network.
netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (TCP-In)" new enable=yes profile="domain"
netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (TCP-Out)" new enable=yes profile="domain"
netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (RPC)" new enable=yes profile="domain"
netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (RPC-EPMAP)" new enable=yes profile="domain"
```
The contents of “msdtc.reg” are:

```reg
Windows Registry Editor Version 5.00

; Turn on network DTC access (inbound and outbound) for clients and transactions;
; remote administration, TIP and XA transactions stay disabled.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security]
"AccountName"="NT AUTHORITY\\NetworkService"
"DomainControllerState"=dword:00000000
"NetworkDtcAccess"=dword:00000001
"NetworkDtcAccessAdmin"=dword:00000000
"NetworkDtcAccessClients"=dword:00000001
"NetworkDtcAccessInbound"=dword:00000001
"NetworkDtcAccessOutbound"=dword:00000001
"NetworkDtcAccessTip"=dword:00000000
"NetworkDtcAccessTransactions"=dword:00000001
"XaTransactions"=dword:00000000
"name=NetworkDTCAccess"="Value=1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKeyCNG]
"77f3543b-7150-40c0-84da-f1048248b689"=hex:30,02,00,00,4b,53,53,4d,02,00,01,00,\
01,00,00,00,10,00,00,00,00,01,00,00,10,00,00,00,1f,da,f8,22,ed,6f,a9,a8,e4,\
97,34,38,51,20,e2,e6,00,00,00,00,00,00,00,00,00,00,00,00,3b,54,f3,77,0a,00,\
00,00,1f,da,f8,22,ed,6f,a9,a8,e4,97,34,38,51,20,e2,e6,a9,42,76,f3,44,2d,df,\
5b,a0,ba,eb,63,f1,9a,09,85,13,43,e1,52,57,6e,3e,09,f7,d4,d5,6a,06,4e,dc,ef,\
38,c5,3e,3d,6f,ab,00,34,98,7f,d5,5e,9e,31,09,b1,f7,c4,f6,36,98,6f,f6,02,00,\
10,23,5c,9e,21,2a,ed,1a,21,a3,3d,82,4e,55,3f,82,5e,76,63,1c,7f,5c,8e,e8,6b,\
ba,a1,6a,25,ef,9e,e8,7b,99,fd,f4,04,c5,73,5a,cd,35,1e,30,e8,da,80,d8,93,43,\
7d,2c,97,86,0e,52,89,9e,6f,62,61,44,ef,ba,f2,07,92,96,65,81,9c,04,85,40,ff,\
66,e4,04,10,dc,16,03,82,4a,73,82,1e,bd,96,32,29,db,72,36,39,07,64,35,bb,4d,\
17,b7,a5,1f,da,f8,22,ed,6f,a9,a8,e4,97,34,38,51,20,e2,e6,06,eb,05,86,08,d5,\
52,62,cd,3f,b9,d9,74,45,59,8f,ec,e2,c3,2e,e4,37,91,4c,29,08,28,95,5d,4d,71,\
1a,8e,aa,6f,b5,6a,9d,fe,f9,43,95,d6,6c,1e,d8,a7,76,bf,6f,43,60,d5,f2,bd,99,\
96,67,6b,f5,88,bf,cc,83,44,b4,ac,f9,91,46,11,60,07,21,7a,95,8f,9e,b6,16,92,\
e3,eb,02,03,a5,fa,62,04,84,80,f7,8b,1a,36,e1,e3,6c,ef,dc,e0,c9,15,be,e4,4d,\
95,49,6f,57,a3,a8,83,73,1b,c1,63,ba,0e,7f,87,f7,9b,36,e8,a0,38,9e,c3,32,fb,\
34,a0,88,f5,4b,27,7f,6e,7d,cf,df,56,e3,bd,96,32,29,db,72,36,39,07,64,35,bb,\
4d,17,b7,a5,00,00,00,00,a8,16,2c,01,ce,58,83,d2,6e,28,9a,7a,00,00,00,00,00,\
00,00,00,00,00,00,00,5b,00,00,00,16,c4,5a,19,00,00,00,80,09,00,31,75,00,00,\
00,00,e4,e2,2f,01,e4,e2,2f,01,00,00,00,00,a8,16,2c,01,9a,70,40,36,63,7a,9b,\
8d,00,00,00,00,00,00,00,00,00,00,00,00,5c,00,00,00,6f,c4,5a,19,00,00,00,80,\
f0,00,31,75,00,00,00,00,34,e4,2f,01,34,e4,2f,01,00,00,00,00,a8,16,2c,01,bb,\
44,ff,ff,59,83,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
```
Like any other Group Policy Object, you must link this object to an OU. The OU should contain the computers that need these new settings. I will be including a zip file of these two files for download.
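A quick way to confirm on a client that both startup scripts actually took effect, as an added example that is not part of the original post: it checks the same MSDTC\Security values that msdtc.reg writes and that the four DTC rules from firewall.bat are enabled and scoped to the Domain profile only. It assumes Windows 8 / Server 2012 or newer (for the NetSecurity cmdlets) and an elevated PowerShell session.

```powershell
# Added verification script (not from the original post). Run elevated after
# a reboot or "gpupdate /force" so the startup scripts have executed.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or newer).

# Values msdtc.reg is expected to have set.
$expected = @{
    NetworkDtcAccess             = 1
    NetworkDtcAccessClients      = 1
    NetworkDtcAccessInbound      = 1
    NetworkDtcAccessOutbound     = 1
    NetworkDtcAccessTransactions = 1
    NetworkDtcAccessAdmin        = 0   # remote DTC administration stays off
    NetworkDtcAccessTip          = 0
    XaTransactions               = 0
}

$sec = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'
$ok = $true
foreach ($name in $expected.Keys) {
    $actual = $sec.$name
    if ($actual -ne $expected[$name]) {
        Write-Warning "Registry: $name is '$actual', expected $($expected[$name])"
        $ok = $false
    }
}

# The built-in DTC rules that firewall.bat enables. Each must be enabled and
# scoped to Domain only; "Any" or "Domain, Private" means DTC is exposed on
# networks the post did not intend.
$rules = Get-NetFirewallRule -DisplayName 'Distributed Transaction Coordinator (*)'
if (-not $rules) { Write-Warning 'No DTC firewall rules found'; $ok = $false }
foreach ($rule in $rules) {
    if ($rule.Enabled -ne 'True') {
        Write-Warning "Firewall: '$($rule.DisplayName)' is not enabled"
        $ok = $false
    }
    if ("$($rule.Profile)" -ne 'Domain') {
        Write-Warning "Firewall: '$($rule.DisplayName)' profile is '$($rule.Profile)', expected Domain"
        $ok = $false
    }
}

if ($ok) { 'MSDTC network access and firewall scope match the GPO' } else { exit 1 }
```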