Jared Heinrichs

You are here: Home / Operating System / Group Policy / Using Group Policy to turn on Microsoft Distributed Transaction Coordinator (DTC) and firewall settings

By Leave a Comment

Using Group Policy to turn on Microsoft Distributed Transaction Coordinator (DTC) and firewall settings

**NOTE ** – There might be better ways of doing this in newer versions then 2003 Group Policy but I never found a way. This post will go over how to turn on DTC only for the domain the computer resides as well as making the proper firewall rules on the client.

First thing you want to do is create a new Group Policy Object. For simplicity sake I am just going to call it “DTC”.

image

Edit DTC. Go to “Computer Configuration” – “Windows Settings” – “Scripts (Startup/Shutdown)” – “Startup”.

image

Were’s going to create two items. One will import a few registry settings. The second one will runs some commands that will open the firewall so that DTC will only be externally exesible if the computer is on the domain.

Click “Add” button in the “startup Scripts for DTC”.

Script name is “regedit.exe” and the script parameters is “/s msdtc.reg”. Click “OK”.

image

You’re going to add another script so click “add” again. This time the script name is “firewall.bat”. Click “OK”.

image

Now we need to create the files needed. On the “Startup Properties” window click “Show files”.

image

In the Window that opens you will need to create two files and name them “Firewall.bat” amd “msdtc.reg”.

image

The contents of the firewall.bat is:

  • netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (TCP-In)" new enable=yes profile="domain"
  • netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (TCP-Out)" new enable=yes profile="domain"
  • netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (RPC)" new enable=yes profile="domain"
  • netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (RPC-EPMAP)" new enable=yes profile="domain"
  • netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (TCP-In)" new enable=yes profile="domain"
  • netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (TCP-Out)" new enable=yes profile="domain"
  • netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (RPC)" new enable=yes profile="domain"
  • netsh advfirewall firewall set rule name="Distributed Transaction Coordinator (RPC-EPMAP)" new enable=yes profile="domain"

image

The Contents of “msdtc.reg” is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security]
"AccountName"="NT AUTHORITY\\NetworkService"
"DomainControllerState"=dword:00000000
"NetworkDtcAccess"=dword:00000001
"NetworkDtcAccessAdmin"=dword:00000000
"NetworkDtcAccessClients"=dword:00000001
"NetworkDtcAccessInbound"=dword:00000001
"NetworkDtcAccessOutbound"=dword:00000001
"NetworkDtcAccessTip"=dword:00000000
"NetworkDtcAccessTransactions"=dword:00000001
"XaTransactions"=dword:00000000
"name=NetworkDTCAccess"="Value=1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKeyCNG]
"77f3543b-7150-40c0-84da-f1048248b689"=hex:30,02,00,00,4b,53,53,4d,02,00,01,00,\
  01,00,00,00,10,00,00,00,00,01,00,00,10,00,00,00,1f,da,f8,22,ed,6f,a9,a8,e4,\
  97,34,38,51,20,e2,e6,00,00,00,00,00,00,00,00,00,00,00,00,3b,54,f3,77,0a,00,\
  00,00,1f,da,f8,22,ed,6f,a9,a8,e4,97,34,38,51,20,e2,e6,a9,42,76,f3,44,2d,df,\
  5b,a0,ba,eb,63,f1,9a,09,85,13,43,e1,52,57,6e,3e,09,f7,d4,d5,6a,06,4e,dc,ef,\
  38,c5,3e,3d,6f,ab,00,34,98,7f,d5,5e,9e,31,09,b1,f7,c4,f6,36,98,6f,f6,02,00,\
  10,23,5c,9e,21,2a,ed,1a,21,a3,3d,82,4e,55,3f,82,5e,76,63,1c,7f,5c,8e,e8,6b,\
  ba,a1,6a,25,ef,9e,e8,7b,99,fd,f4,04,c5,73,5a,cd,35,1e,30,e8,da,80,d8,93,43,\
  7d,2c,97,86,0e,52,89,9e,6f,62,61,44,ef,ba,f2,07,92,96,65,81,9c,04,85,40,ff,\
  66,e4,04,10,dc,16,03,82,4a,73,82,1e,bd,96,32,29,db,72,36,39,07,64,35,bb,4d,\
  17,b7,a5,1f,da,f8,22,ed,6f,a9,a8,e4,97,34,38,51,20,e2,e6,06,eb,05,86,08,d5,\
  52,62,cd,3f,b9,d9,74,45,59,8f,ec,e2,c3,2e,e4,37,91,4c,29,08,28,95,5d,4d,71,\
  1a,8e,aa,6f,b5,6a,9d,fe,f9,43,95,d6,6c,1e,d8,a7,76,bf,6f,43,60,d5,f2,bd,99,\
  96,67,6b,f5,88,bf,cc,83,44,b4,ac,f9,91,46,11,60,07,21,7a,95,8f,9e,b6,16,92,\
  e3,eb,02,03,a5,fa,62,04,84,80,f7,8b,1a,36,e1,e3,6c,ef,dc,e0,c9,15,be,e4,4d,\
  95,49,6f,57,a3,a8,83,73,1b,c1,63,ba,0e,7f,87,f7,9b,36,e8,a0,38,9e,c3,32,fb,\
  34,a0,88,f5,4b,27,7f,6e,7d,cf,df,56,e3,bd,96,32,29,db,72,36,39,07,64,35,bb,\
  4d,17,b7,a5,00,00,00,00,a8,16,2c,01,ce,58,83,d2,6e,28,9a,7a,00,00,00,00,00,\
  00,00,00,00,00,00,00,5b,00,00,00,16,c4,5a,19,00,00,00,80,09,00,31,75,00,00,\
  00,00,e4,e2,2f,01,e4,e2,2f,01,00,00,00,00,a8,16,2c,01,9a,70,40,36,63,7a,9b,\
  8d,00,00,00,00,00,00,00,00,00,00,00,00,5c,00,00,00,6f,c4,5a,19,00,00,00,80,\
  f0,00,31,75,00,00,00,00,34,e4,2f,01,34,e4,2f,01,00,00,00,00,a8,16,2c,01,bb,\
  44,ff,ff,59,83,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

Like any other Group Policy Object you must apply this object to a OU. The OU should contain the computers that will be needing these new settings. I will be including a zip file of these two files for download.

Leave a Reply

Your email address will not be published. Required fields are marked *

Try searching this site!