The error message “Network access for Distributed Transaction Manager (MSDTC) has been disabled” appears when an application tries to start a distributed transaction but the MSDTC service is not configured to allow network communication. By default, Windows disables MSDTC network access for security reasons. This article explains what MSDTC does, how to enable network access step by step, and how to configure the necessary firewall rules.
What Is MSDTC?
MSDTC (Microsoft Distributed Transaction Coordinator) is a Windows service that manages transactions spanning multiple resource managers. A resource manager is any system that can participate in a transaction — typically a database, but also message queues (MSMQ), file systems (TxF), or other transactional resources.
MSDTC ensures atomicity across distributed operations: either every participating resource commits, or every resource rolls back. Without it, a failure partway through a multi-server operation could leave data in an inconsistent state.
Common Scenarios That Require MSDTC
- Linked server queries in SQL Server — Executing queries that join tables across two different SQL Server instances within a single transaction.
- Distributed database updates — An application updating records in two different databases on different servers as part of one business operation.
- BizTalk Server — Orchestrations that interact with multiple databases or message queues.
- COM+ applications — Components configured for automatic transactions that span multiple machines.
- .NET TransactionScope — Code using System.Transactions.TransactionScope that involves multiple durable resource managers, which promotes a local transaction to a distributed transaction.
- SSIS packages — SQL Server Integration Services packages that write to multiple destinations within a single transaction.
Step-by-Step: Enable MSDTC Network Access
MSDTC network access must be enabled on every machine participating in the distributed transaction. Repeat these steps on each server.
Step 1: Open Component Services
There are several ways to launch Component Services:
- Press Win + R, type dcomcnfg, press Enter.
- Or open Start Menu, search for Component Services.
- Or run comexp.msc from the command line.
Step 2: Navigate to DTC Properties
- In the Component Services console, expand the tree: Component Services > Computers > My Computer > Distributed Transaction Coordinator.
- Right-click Local DTC and select Properties.
Step 3: Configure the Security Tab
Click the Security tab. Configure the following settings:
Enable the following checkboxes:
- Network DTC Access — This is the master switch. Everything else is irrelevant if this is not checked.
- Allow Remote Clients — Allows remote machines to initiate transactions coordinated by this DTC.
- Allow Remote Administration — Optional. Only enable this if you need to manage DTC remotely.
- Allow Inbound — Allows this machine to receive distributed transaction requests from other machines.
- Allow Outbound — Allows this machine to send distributed transaction requests to other machines.
Transaction Manager Communication:
- Select No Authentication Required for environments where both machines are in the same domain or workgroup and you want the simplest configuration.
- Select Mutual Authentication Required if both machines are in the same Active Directory domain and you want the most secure option. This requires that both machines can authenticate each other via Kerberos.
- Select Incoming Caller Authentication Required as a middle ground that requires authentication from inbound callers but does not require mutual authentication.
Recommended settings for a typical same-domain environment:
[x] Network DTC Access
[x] Allow Remote Clients
[ ] Allow Remote Administration
Transaction Manager Communication:
(*) Mutual Authentication Required
[x] Allow Inbound
[x] Allow Outbound
[ ] Enable XA Transactions (only if needed for XA/Java apps)
[ ] Enable SNA LU 6.2 Transactions (only if needed for mainframe)
Recommended settings for a workgroup or cross-domain environment:
[x] Network DTC Access
[x] Allow Remote Clients
[ ] Allow Remote Administration
Transaction Manager Communication:
(*) No Authentication Required
[x] Allow Inbound
[x] Allow Outbound
Step 4: Apply and Restart
- Click OK to apply the settings.
- When prompted, confirm that you want to restart the MSDTC service. Click Yes.
- If not prompted, manually restart the service:
net stop msdtc
net start msdtc
Or via PowerShell:
Restart-Service -Name MSDTC -Force
Firewall Configuration for MSDTC
MSDTC uses RPC (Remote Procedure Call), which means it needs:
- TCP port 135 — The RPC endpoint mapper
- A range of dynamic RPC ports — By default, this is 49152-65535 on modern Windows
Opening this entire range is usually unacceptable in a production environment. You can restrict MSDTC to a specific port range.
Restricting MSDTC to a Specific Port Range
- Open Component Services (dcomcnfg).
- Navigate to Component Services > Computers > My Computer.
- Right-click My Computer and select Properties.
- Go to the Default Protocols tab.
- Select Connection-oriented TCP/IP and click Properties.
- Click Add and define a port range. For example:
  - Port range start: 5000
  - Port range end: 5100
  - Use the default settings for port range type.
- Click OK on all dialogs.
- Restart the MSDTC service.
Alternatively, configure the RPC port range via the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet
Ports (REG_MULTI_SZ): 5000-5100
PortsInternetAvailable (REG_SZ): Y
UseInternetPorts (REG_SZ): Y
After setting the registry values, restart the machine for the changes to take effect.
Creating Windows Firewall Rules
# Allow RPC Endpoint Mapper
New-NetFirewallRule -DisplayName "MSDTC - RPC Endpoint Mapper" `
-Direction Inbound -Protocol TCP -LocalPort 135 `
-Action Allow -Profile Domain
# Allow MSDTC restricted port range
New-NetFirewallRule -DisplayName "MSDTC - RPC Dynamic Ports" `
-Direction Inbound -Protocol TCP -LocalPort 5000-5100 `
-Action Allow -Profile Domain
# Allow the DTC process itself (alternative approach)
New-NetFirewallRule -DisplayName "MSDTC - Process" `
-Direction Inbound -Program "%SystemRoot%\System32\msdtc.exe" `
-Action Allow -Profile Domain
Or using netsh:
netsh advfirewall firewall add rule name="MSDTC - RPC Endpoint Mapper" ^
dir=in action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule name="MSDTC - RPC Dynamic Ports" ^
dir=in action=allow protocol=TCP localport=5000-5100
netsh advfirewall firewall add rule name="MSDTC - Process" ^
dir=in action=allow protocol=TCP program="%SystemRoot%\System32\msdtc.exe"
Windows also includes a predefined firewall rule group for DTC:
netsh advfirewall firewall set rule group="Distributed Transaction Coordinator" new enable=yes
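The rules above accept connections from any source on the Domain profile. As an added example (not part of the original article), the following creates the same two port rules limited to the other DTC participants, taking the port range from the Rpc\Internet registry value configured earlier, and then lists any DTC allow rule that still accepts traffic from any address. The partner addresses and the "(scoped)" rule names are assumptions.

```powershell
# Added example, not from the original article. Run in an elevated session.
# Assumption: constructed partner addresses; list the other DTC participants.
$partners = @('192.168.1.100', '192.168.1.101')

# Read the restricted RPC range configured earlier (REG_MULTI_SZ, e.g. 5000-5100).
# Stop if it is missing rather than fall back to the full dynamic range.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$ports  = @((Get-ItemProperty -Path $rpcKey -Name Ports -ErrorAction Stop).Ports)
if ($ports.Count -eq 0) { throw "No RPC port range configured under $rpcKey" }

# Settings shared by both rules; RemoteAddress is what scopes them.
$common = @{
    Direction     = 'Inbound'
    Protocol      = 'TCP'
    RemoteAddress = $partners
    Action        = 'Allow'
    Profile       = 'Domain'
}
New-NetFirewallRule @common -DisplayName 'MSDTC - RPC Endpoint Mapper (scoped)' -LocalPort 135
New-NetFirewallRule @common -DisplayName 'MSDTC - RPC Dynamic Ports (scoped)' -LocalPort $ports

# Allow rules are additive, so an older rule that accepts any remote address
# still exposes the ports. List those rules for review.
Get-NetFirewallRule -Direction Inbound -Action Allow |
    Where-Object { $_.DisplayName -like '*DTC*' -or
                   $_.DisplayGroup -eq 'Distributed Transaction Coordinator' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Enabled       = $_.Enabled
                RemoteAddress = 'Any'
            }
        }
    }
```

Disable or remove the listed unscoped rules once the scoped ones are confirmed working.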
Configuring MSDTC via PowerShell (Windows Server 2012+)
On Windows Server 2012 and later, you can configure DTC settings directly through PowerShell:
# View current DTC settings
Get-DtcNetworkSetting -DtcName Local
# Enable network access with mutual authentication
Set-DtcNetworkSetting -DtcName Local `
-AuthenticationLevel Mutual `
-InboundTransactionsEnabled $true `
-OutboundTransactionsEnabled $true `
-RemoteClientAccessEnabled $true `
-RemoteAdministrationAccessEnabled $false `
-XATransactionsEnabled $false `
-LUTransactionsEnabled $false `
-Confirm:$false
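To confirm that a server still matches the same-domain settings applied above, the values returned by Get-DtcNetworkSetting can be compared against a baseline. This is an added example, not part of the original article; Test-DtcBaseline is a hypothetical function name, and the sample object at the end is constructed so the check can be tried without touching DTC.

```powershell
# Added example, not from the original article. Read-only: changes nothing.
function Test-DtcBaseline {
    param(
        # Settings to audit; defaults to the live local DTC configuration.
        $Setting = (Get-DtcNetworkSetting -DtcName Local)
    )
    # Expected values, taken from the Set-DtcNetworkSetting call above.
    $baseline = [ordered]@{
        AuthenticationLevel               = 'Mutual'
        InboundTransactionsEnabled        = $true
        OutboundTransactionsEnabled       = $true
        RemoteClientAccessEnabled         = $true
        RemoteAdministrationAccessEnabled = $false
        XATransactionsEnabled             = $false
        LUTransactionsEnabled             = $false
    }
    # Compare as strings so enum, string and boolean values all line up.
    $findings = @(foreach ($item in $baseline.GetEnumerator()) {
        $actual = $Setting.($item.Key)
        if ("$actual" -ne "$($item.Value)") {
            [pscustomobject]@{
                Setting  = $item.Key
                Expected = $item.Value
                Actual   = $actual
            }
        }
    })
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed sample: the workgroup-style settings with remote
# administration left enabled.
$sample = [pscustomobject]@{
    AuthenticationLevel               = 'NoAuth'
    InboundTransactionsEnabled        = $true
    OutboundTransactionsEnabled       = $true
    RemoteClientAccessEnabled         = $true
    RemoteAdministrationAccessEnabled = $true
    XATransactionsEnabled             = $false
    LUTransactionsEnabled             = $false
}
(Test-DtcBaseline -Setting $sample).Findings | Format-Table -AutoSize
```

Calling Test-DtcBaseline with no argument audits the live Local DTC instead of the sample.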
Verifying MSDTC Communication
Test with DTCPing
Microsoft provides a tool called DTCPing for testing MSDTC connectivity between two machines.
- Download DTCPing from Microsoft (search for “DTCPing download” on microsoft.com).
- Copy DTCPing.exe to both machines.
- Run DTCPing on both machines simultaneously.
- On each machine, enter the NetBIOS name of the other machine and click Ping.
- A successful test will show “successfully completed” for both the RPC test and the DTC transaction test.
Test with a Simple SQL Query
If MSDTC is needed for linked server queries, test with:
-- On the server initiating the distributed query
SET XACT_ABORT ON;
BEGIN DISTRIBUTED TRANSACTION;
SELECT * FROM [LinkedServer].[DatabaseName].[dbo].[TableName];
COMMIT TRANSACTION;
If this succeeds without the “MSDTC has been disabled” error, network access is properly configured.
Check the MSDTC Service Status
Get-Service -Name MSDTC | Select-Object Name, Status, StartType
The service should be Running and set to Automatic startup.
Troubleshooting Common Problems
Name Resolution
MSDTC requires that all participating machines can resolve each other by NetBIOS name (not just IP address). Verify this:
ping SERVERNAME
nslookup SERVERNAME
If name resolution fails, add entries to the hosts file on each machine:
C:\Windows\System32\drivers\etc\hosts
Add a line like:
192.168.1.100 SERVERNAME
Clustered MSDTC
On Windows Failover Clusters, DTC can run as a clustered resource. In this case, configure the clustered DTC instance, not the Local DTC on each node. Open the Failover Cluster Manager, locate the DTC resource, and configure its security properties there.
MSDTC and Windows Firewall Rules After Updates
Windows Updates can occasionally reset firewall rules or re-enable the Windows Firewall. After major updates, verify that your DTC firewall rules are still in place:
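# Match the custom "MSDTC - ..." rules and the predefined "Distributed Transaction Coordinator" group
Get-NetFirewallRule | Where-Object { $_.DisplayName -like "*DTC*" -or $_.DisplayGroup -eq "Distributed Transaction Coordinator" } | Select-Object DisplayName, DisplayGroup, Enabled, Direction, Action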
Event Log Entries
When MSDTC fails, check these event logs:
- Application log — Look for events with source “MSDTC”.
- System log — Look for events related to RPC or service failures.
Get-EventLog -LogName Application -Source MSDTC -Newest 20
The “MSDTC encountered an error” After Enabling Network Access
If you enabled network access but still see transaction errors:
- Verify that MSDTC is enabled on all machines involved (not just one side).
- Confirm that firewalls allow traffic in both directions between the machines.
- Restart the MSDTC service on all machines after making changes.
- Confirm name resolution works in both directions.
- If using Mutual Authentication, verify that both machines are in the same Active Directory domain and their clocks are synchronized (Kerberos requires time sync within 5 minutes by default).