The error “The partner transaction manager has disabled its support for remote/network transactions (Exception from HRESULT: 0x8004D025)” occurs when a distributed transaction is attempted between two servers, but the Microsoft Distributed Transaction Coordinator (MSDTC) on one or both machines is not configured to allow network transactions. This is a common issue with SQL Server linked servers, WCF services, and any application that spans transactions across multiple machines.
Understanding MSDTC and Distributed Transactions
The Microsoft Distributed Transaction Coordinator (MSDTC) is a Windows service that coordinates transactions spanning multiple resource managers, such as databases, message queues, and file systems across different servers. When an application needs to perform atomic operations across two or more SQL Server instances, MSDTC ensures that either all operations commit or all roll back.
Common scenarios that require MSDTC:
- Queries across SQL Server linked servers that modify data
- WCF services with TransactionFlow enabled
- COM+ applications with transaction support
- .NET applications using TransactionScope across multiple databases
- BizTalk Server orchestrations
Configuring MSDTC for Network Access
The fix must be applied on both the server initiating the transaction and the partner server (the remote machine).
Step-by-Step Configuration via Component Services
- Open Component Services by pressing Win + R, typing dcomcnfg, and pressing Enter.
- In the left pane, expand Component Services > Computers > My Computer > Distributed Transaction Coordinator.
- Right-click Local DTC and select Properties.
- Click the Security tab.
- Configure the following settings:
| Setting | Required Value |
|---|---|
| Network DTC Access | Checked (enabled) |
| Allow Remote Clients | Checked |
| Allow Inbound | Checked |
| Allow Outbound | Checked |
| Mutual Authentication Required | Select based on your environment (see below) |
| No Authentication Required | Use only for troubleshooting or non-domain environments |
- Click Apply and then OK.
- When prompted, confirm that the MSDTC service will be restarted.
Authentication Options
The authentication level depends on your environment:
- Mutual Authentication Required: Both servers must be in the same Active Directory domain or in domains with a trust relationship. This is the most secure option.
- Incoming Caller Authentication Required: The calling server must authenticate, but the remote server does not need to authenticate back. Use this when servers are in different domains with one-way trust.
- No Authentication Required: No authentication is performed. Use this only for testing, workgroup environments, or when domain trust is not available.
Configuration via PowerShell
You can also configure MSDTC using PowerShell on Windows Server 2012 and later:
# View current MSDTC settings
Get-DtcNetworkSetting -DtcName "Local"
# Enable network access with mutual authentication
Set-DtcNetworkSetting -DtcName "Local" `
    -AuthenticationLevel "Mutual" `
    -InboundTransactionsEnabled $true `
    -OutboundTransactionsEnabled $true `
    -RemoteClientAccessEnabled $true `
    -RemoteAdministrationAccessEnabled $true `
    -XATransactionsEnabled $true `
    -LUTransactionsEnabled $true
Configuration via Registry
The MSDTC settings are stored in the registry under:
HKLM\SOFTWARE\Microsoft\MSDTC\Security
Key values:
| Value Name | Type | Enabled Setting |
|---|---|---|
| NetworkDtcAccess | DWORD | 1 |
| NetworkDtcAccessAdmin | DWORD | 1 |
| NetworkDtcAccessClients | DWORD | 1 |
| NetworkDtcAccessInbound | DWORD | 1 |
| NetworkDtcAccessOutbound | DWORD | 1 |
| NetworkDtcAccessTransactions | DWORD | 1 |
After modifying registry values, restart the MSDTC service:
Restart-Service MSDTC
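Whichever of the three methods is used, the resulting settings can be checked against the guidance above: the network options the error depends on, and the authentication level. The following is an added example, not part of the original article; the function name Test-DtcNetworkSetting, the mutual-only policy default, and the sample object are assumptions made for illustration.

```powershell
function Test-DtcNetworkSetting {
    param(
        # Object shaped like the output of Get-DtcNetworkSetting
        [Parameter(Mandatory)] $Setting,
        # Assumption: local policy accepts mutual authentication only
        [string[]] $AllowedAuth = @('Mutual')
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Functional gaps: any of these left disabled can produce 0x8004D025
    foreach ($name in 'InboundTransactionsEnabled',
                      'OutboundTransactionsEnabled',
                      'RemoteClientAccessEnabled') {
        if (-not $Setting.$name) {
            $findings.Add("$name is disabled; network transactions can fail")
        }
    }

    # Hardening gaps: settings weaker or broader than the required table
    if ($Setting.AuthenticationLevel -notin $AllowedAuth) {
        $findings.Add("AuthenticationLevel '$($Setting.AuthenticationLevel)' is not allowed by policy")
    }
    if ($Setting.RemoteAdministrationAccessEnabled) {
        $findings.Add('Remote administration is enabled; it is not in the required settings table')
    }
    if ($Setting.XATransactionsEnabled) {
        $findings.Add('XA transactions are enabled; confirm a workload needs them')
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample: a server left in a troubleshooting configuration
$sample = [pscustomobject]@{
    AuthenticationLevel               = 'NoAuth'
    InboundTransactionsEnabled        = $true
    OutboundTransactionsEnabled       = $false
    RemoteClientAccessEnabled         = $true
    RemoteAdministrationAccessEnabled = $true
    XATransactionsEnabled             = $false
    LUTransactionsEnabled             = $true
}
(Test-DtcNetworkSetting -Setting $sample).Findings

# Live check on a server:
# Test-DtcNetworkSetting -Setting (Get-DtcNetworkSetting -DtcName 'Local')
```

Run the live check on both the initiating server and the partner server, since the fix applies to both.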
Configuring Firewall Rules for MSDTC
MSDTC requires specific ports to be open between servers participating in distributed transactions.
Required Ports
| Port | Protocol | Purpose |
|---|---|---|
| 135 | TCP | RPC Endpoint Mapper |
| Dynamic (1024-65535) | TCP | RPC dynamic port range for MSDTC |
Restricting MSDTC to a Specific Port Range
To avoid opening the entire dynamic port range, you can restrict MSDTC to a specific range:
- Open Component Services (dcomcnfg).
- Expand My Computer, right-click, and select Properties.
- Go to the Default Protocols tab.
- Select Connection-oriented TCP/IP and click Properties.
- Click Add and specify a port range (for example, 5000-5100).
- Remove the default dynamic range.
- Restart the MSDTC service.
Then create firewall rules for the restricted range:
# Allow RPC Endpoint Mapper
New-NetFirewallRule -DisplayName "MSDTC - RPC Endpoint Mapper" `
    -Direction Inbound -Protocol TCP -LocalPort 135 -Action Allow
# Allow MSDTC restricted port range
New-NetFirewallRule -DisplayName "MSDTC - Custom Port Range" `
    -Direction Inbound -Protocol TCP -LocalPort 5000-5100 -Action Allow
# Allow the MSDTC executable
New-NetFirewallRule -DisplayName "MSDTC" `
    -Direction Inbound -Program "%SystemRoot%\System32\msdtc.exe" -Action Allow
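The rules above accept connections from any source address. Because only the servers participating in the distributed transaction need to reach these ports, the rules can be scoped to the partner server. The following is an added example, not part of the original article; the partner address 192.0.2.10 is a constructed placeholder and the "(partner only)" rule names are assumptions.

```powershell
# Placeholder values: replace with the real partner server address(es).
$PartnerAddress = @('192.0.2.10')   # constructed (documentation address range)
$DtcPortRange   = '5000-5100'       # the example range used in the article

$wanted = @(
    @{ DisplayName = 'MSDTC - RPC Endpoint Mapper (partner only)'; LocalPort = '135' }
    @{ DisplayName = 'MSDTC - Custom Port Range (partner only)';   LocalPort = $DtcPortRange }
)

# Create each scoped rule once; skip it if a rule with that name already exists.
foreach ($rule in $wanted) {
    $existing = Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule @rule -Direction Inbound -Protocol TCP `
            -RemoteAddress $PartnerAddress -Action Allow | Out-Null
    }
}

# List enabled inbound MSDTC allow rules and flag any still open to every source.
Get-NetFirewallRule -DisplayName 'MSDTC*' -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow'
    } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = $remote -join ', '
            OpenToAny     = ($remote -contains 'Any')
        }
    }
```

Any rule reported with OpenToAny set to True, including the unscoped rules created earlier, is a candidate for narrowing with Set-NetFirewallRule -RemoteAddress once connectivity through the scoped rules is confirmed.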
SQL Server Linked Server Considerations
When using SQL Server linked servers with distributed transactions:
- Ensure MSDTC is configured on both the local and remote SQL Server machines.
- Verify that the linked server is configured to allow RPC and RPC Out:
-- Check linked server settings
EXEC sp_helpserver;
-- Enable RPC and RPC Out for a linked server
EXEC sp_serveroption @server = 'LinkedServerName', @optname = 'rpc', @optvalue = 'true';
EXEC sp_serveroption @server = 'LinkedServerName', @optname = 'rpc out', @optvalue = 'true';
- Test the distributed transaction:
-- Test distributed transaction to linked server
BEGIN DISTRIBUTED TRANSACTION;
SELECT * FROM [LinkedServerName].[DatabaseName].[dbo].[TableName];
COMMIT TRANSACTION;
WCF Distributed Transaction Configuration
For WCF services that use distributed transactions, the service binding must enable transaction flow:
<bindings>
  <wsHttpBinding>
    <binding name="TransactionalBinding" transactionFlow="true">
      <security mode="Transport">
        <transport clientCredentialType="Windows" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
The service operation must be decorated with the appropriate attributes:
using System.ServiceModel;
using System.Transactions;

[ServiceContract]
public interface IOrderService
{
    // The caller must flow an existing transaction to this operation
    [OperationContract]
    [TransactionFlow(TransactionFlowOption.Mandatory)]
    void ProcessOrder(Order order);
}

[ServiceBehavior(TransactionIsolationLevel = IsolationLevel.Serializable,
                 TransactionTimeout = "00:02:00")]
public class OrderService : IOrderService
{
    // Runs inside the flowed transaction and votes to commit on normal return
    [OperationBehavior(TransactionScopeRequired = true,
                       TransactionAutoComplete = true)]
    public void ProcessOrder(Order order)
    {
        // Transaction-scoped operations
    }
}
Troubleshooting
Verify MSDTC Communication
Use the DTCPing utility (available from Microsoft) to test MSDTC connectivity between two servers. Run it on both machines simultaneously and verify that transactions complete successfully.
Check the MSDTC Log
Enable MSDTC tracing for detailed diagnostics:
- Open Component Services.
- Navigate to Local DTC > Properties > Tracing tab.
- Enable trace output and set the appropriate trace level.
- Reproduce the error and review the trace logs.
Common Issues Checklist
- MSDTC network access is not enabled on one or both servers.
- Firewall between servers is blocking port 135 or the dynamic RPC ports.
- The servers are in different domains without proper trust configuration.
- The MSDTC service is not running on one of the servers.
- Antivirus or security software is interfering with MSDTC communication.
- The MSDTC cluster resource name does not match (in clustered environments).
Summary
The HRESULT 0x8004D025 error is resolved by enabling MSDTC network access on both the local and partner servers through Component Services. Configure the Security tab to allow Network DTC Access, inbound and outbound transactions, and the appropriate authentication level. Open the necessary firewall ports (TCP 135 and the RPC dynamic range or a custom restricted range) between the servers. For SQL Server linked servers, ensure RPC and RPC Out are enabled. Apply the configuration on every server participating in the distributed transaction.