Recently we experienced a range of MSDTC errors on upgrading to Windows 2003,
running separate web and database servers. The DTC would run fine to
Windows 2000 servers and locally (to itself), but not between Win2003 servers.
The following items summarize the checks made to finally resolve our issues.
NOTE - It is highly recommended that you reboot both servers between each DTC
change and test thoroughly afterwards.
Microsoft support tend to use three core utilities for debugging MSDTC
transactions and associated errors:
1) DTCPing - download from and documented at
2) DTCTester - download from and documented at
3) NetMon - found on Windows setup disks or resource kit
Check 1 - DTC Security Configuration
This is a mandatory check on both W2003 boxes if MSDTC service is intended to
In administrative tools, navigate down through Component Services ->
Computers, and right-click on My Computer to get properties. There should be an
MSDTC tab, with a "Security Configuration" button. Click on that, and make sure
network transactions are enabled.
Check 2 - Enable network DTC access installed?
Navigate via the Control Panel to Add/Remove Programs, Add/Remove Windows
Components, select Application Server and click Details. Ensure that "Enable
network DTC access" is checked, and verify whether you also require COM+ access.
Check 3 - Firewall separates DB and Web Server?
MSDTC needs to establish a 2-way connection layered on MSRPC (in which
dynamic port allocation is used). Please follow 250367 to configure MSDTC over
http://support.microsoft.com/?id=250367, also refer to article
On both DB server and Web server. Reboot is required.
Check 4 - Win 2003 only - Regression to Win 2000
Ensure checks 1 and 2 are complete before reviewing this scenario. Once
done, run through the following items as discussed on this support document:
If you have success, add in/alter the following registry key, where 1 is ON:
HKLM\Software\Microsoft\MSDTC\FallbackToUnsecureRpcIfNecessary, DWORD, 0/1
Apply on all servers involved in the DTC conversation. You need to restart the
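
To compare the Check 4 setting across the servers in the DTC conversation, the following read-only PowerShell script reports the local MSDTC RPC security values. It is an added example, not part of the original article or a Microsoft tool. It assumes PowerShell is installed on the server; AllowOnlySecureRpcCalls, TurnOffRpcSecurity and Security\NetworkDtcAccess are companion MSDTC registry values that the article does not name.

```powershell
# Added example: read-only report of the local MSDTC RPC security settings.
# Only FallbackToUnsecureRpcIfNecessary is named in the article; the other
# value names are companion MSDTC settings assumed here.
$root = 'HKLM:\SOFTWARE\Microsoft\MSDTC'

function Get-DwordOrDefault {
    param([string]$Path, [string]$Name, [int]$Default = 0)
    # A missing key or value is reported as the default (0 = off).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-MsdtcRpcMode {
    param([int]$SecureOnly, [int]$Fallback, [int]$TurnOff)
    # The report names the least secure option that is switched on.
    if ($TurnOff -eq 1)    { return 'RPC security turned off' }
    if ($Fallback -eq 1)   { return 'Falls back to unsecured RPC if necessary' }
    if ($SecureOnly -eq 1) { return 'Only secure RPC calls allowed' }
    return 'No mode set explicitly'
}

$secureOnly = Get-DwordOrDefault $root 'AllowOnlySecureRpcCalls'
$fallback   = Get-DwordOrDefault $root 'FallbackToUnsecureRpcIfNecessary'
$turnOff    = Get-DwordOrDefault $root 'TurnOffRpcSecurity'
$netAccess  = Get-DwordOrDefault "$root\Security" 'NetworkDtcAccess'

# One object per server, so outputs from several machines can be compared.
$report = New-Object PSObject -Property @{
    Computer                         = $env:COMPUTERNAME
    NetworkDtcAccess                 = $netAccess
    AllowOnlySecureRpcCalls          = $secureOnly
    FallbackToUnsecureRpcIfNecessary = $fallback
    TurnOffRpcSecurity               = $turnOff
    EffectiveRpcMode                 = Get-MsdtcRpcMode $secureOnly $fallback $turnOff
}

$report | Select-Object Computer, NetworkDtcAccess, AllowOnlySecureRpcCalls,
    FallbackToUnsecureRpcIfNecessary, TurnOffRpcSecurity, EffectiveRpcMode |
    Format-List
```

Run it on each server before and after a change, and keep the output so that any server left with the fallback value at 1 is on record.
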
Check 5 - Win 2003 only - COM+ Default Component Security
New COM+ containers created in COM+ 1.5 (Windows 2003) will have the
"enforce access checks for this application" option enabled.
Uncheck this option if you are experiencing component access errors, or
"cannot instantiate object" errors on previously running DLLs. Upgraded
operating systems and their containers will not have this option checked.
Also refer to MS support article
Microsoft Support Services.