Clustered DTC | SQL Server Performance Forums

SQL Server Performance Forum – Threads Archive

Clustered DTC

Hi I suspect I configured the clustered DTC resource wrong.
We have a (virtual) SQL Server 2000 running on an MSCS two-node single-quorum cluster, Windows 2003 Server EE. When creating the DTC resource I did not assign an MSDTC IP resource; it is in the same resource group as the cluster IP and the quorum disk. The SQL Server IP and disk are in the other group. Our application, running on another server in the same domain, uses COM+ and the DTC for transactions in some cases. This configuration worked fine for a couple of weeks. Suddenly the DTC was denied access to the cluster; the security event log stated bad user name or password. Some of the application's database access is made without using the DTC (we have some legacy COM+ components and some .NET) using the same UDL file with login data (usr, pwd), which still works fine. By installing SQL Enterprise Manager on the connecting server and registering the server, the application's DTC calls became granted again. Applications installed on servers without Enterprise Manager still cannot log in. Since the problem does not arise if I try to connect to other database servers in the domain (all non-clustered) I suspect that the problem is at the SQL cluster. Microsoft recommends setting a registry key TurnOffRpcSecurity, which seems a bit drastic; it did work before. We are not using Windows integrated login; we run the database connections as sa to eliminate insufficient access rights to the database until I have control of the situation. As you might have suspected, this is an NLB web farm with an MSCS SQL Server cluster, which should be a rather common configuration.
Finally to my questions.
1. Any idea why it worked and suddenly stopped working? Changes in the domain? Lingering connections from installation of the system with domain admin users?
2. Does the DTC have to have its own IP resource? If not, does it matter if it uses the cluster IP or the SQL Server IP?
3. Which security settings, and why, should the DTC have in the COM service manager/DTC registry? (I still want to run DTC locally on the application server.)
4. We run MS SQL Reporting Services web services on the application servers, which also connect to the database cluster; could there be any conflicts?
Any ideas would be appreciated. Best regards
Johannes
There could be many reasons for DTC failures in a clustered environment. Microsoft recommends that you put MS DTC in its own group with its own physical disk resource, if it is possible. The DTC cluster resource will install in the first group that has a Physical Disk and a Network Name resource. Failure to make those resources available and online in a group other than the Cluster Group will cause the DTC resource to be installed in the Cluster Group when you run the Comclust.exe command.
Satya SKJ
Moderator
http://www.SQL-Server-Performance.Com/forum
This posting is provided “AS IS” with no rights for the sake of knowledge sharing.
1. Many reasons exist. Name resolution could have stopped working between servers, for example. It has to work between all involved servers, including to/from the node names on the cluster, not only to/from the virtual SQL Server name. Multiple network cards can cause issues with this too. If there is a firewall, specific ports need to be open and configured on the servers as well.
2. It does not matter for functionality.
3. See the link below for Windows 2003 config. There are new DTC settings in Windows 2003 and it's more locked down.
HOWTO: Enable DTC Between Web Servers and SQL Servers Running Windows Server 2003
http://support.microsoft.com/?kbid=555017
4. It shouldn't conflict with MSDTC.
5. Other links that might help you:
How To Use DTCTester Tool
http://support.microsoft.com/?kbid=293799
How To Troubleshoot MS DTC Firewall Issues (DTCping.exe utility)
http://support.microsoft.com/?kbid=306843
Thanks for your tips.
I am certain article 555017 will solve my problem (basically what I did on one of the web servers), but since they are in the same domain I would prefer not to turn off RPC security for DTC, and they do find each other via ping, so a NetBIOS update would not help me? The DTCTester tool was new to me; I will try it when it is time for system maintenance. DTCPing reported no errors. Could you elaborate on name resolution stopping working? There are multiple network cards, and I have noticed that when running the NLB in unicast mode the web server may stop answering ping on the name, but I get the same error when running the NLB in multicast, when at least ping replies correctly. Further, the security event log indicates that name resolution works but that the calling party (web server) is not trusted. On the other hand the service runs under the NT Authority\Network Service account; this account is also used by MS SQL Reporting Services (and the web server application pool), which was granted access all the time the DTC was denied access. Thanks again, I will report if I solve the issue, but why this happened maybe cannot be answered. Best regards
Johannes
Someone could have changed something that affected name resolution in your environment. If you have multiple network cards, say one for frontend and one for backend (backup, monitoring), then make sure that the names resolve on the same network between all servers. For example, if you ping a server on the frontend you want it to reply on the frontend as well. You could most likely change this with the network card binding order or the order of DNS suffixes on the network cards, or in the worst case hard-code it in the hosts file on each machine. But run the DTCTester tool on all involved machines to find the problem.
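The check Argyle describes (every involved host resolves to an address on the same network, and the reverse lookup of that address comes back to the same host) can be scripted so it is run identically on each web server and each cluster node before reaching for DTCTester. The script below is an added example, not something posted in this thread; the server names and the frontend subnet prefix are hypothetical placeholders, and it uses only .NET DNS calls and Test-Connection, not any DTC tool.

```powershell
# Added example (not from the thread): verify consistent forward and reverse
# name resolution for the hosts taking part in DTC transactions.
# Server names and the subnet prefix are hypothetical placeholders.

function Test-DtcNameResolution {
    param(
        # Cluster node names, the virtual SQL Server name and the web servers
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Prefix of the network DTC traffic is supposed to use, e.g. "10.1.1."
        [Parameter(Mandatory)] [string]   $FrontendPrefix
    )

    foreach ($name in $ComputerName) {
        $result = [ordered]@{
            Name = $name; Address = $null; ReverseName = $null
            OnFrontend = $false; Ping = $false; Problem = ''
        }
        try {
            # Forward lookup; a multi-homed host may return several IPv4 addresses
            $addresses = [System.Net.Dns]::GetHostAddresses($name) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' }
            $result.Address = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ','

            # Flag a name that resolves only to a backend (backup/monitoring) NIC
            $frontend = $addresses | Where-Object { $_.IPAddressToString.StartsWith($FrontendPrefix) }
            $result.OnFrontend = [bool]$frontend
            if (-not $frontend) {
                $result.Problem = 'name does not resolve on the frontend network'
            }

            # Reverse lookup of the first address must come back to the same host
            $entry = [System.Net.Dns]::GetHostEntry($addresses[0])
            $result.ReverseName = $entry.HostName
            if (($entry.HostName -split '\.')[0] -ne ($name -split '\.')[0]) {
                $result.Problem = 'reverse lookup returns a different host name'
            }

            # Plain reachability, as a sanity check next to the resolution result
            $result.Ping = Test-Connection -ComputerName $name -Count 1 -Quiet
        } catch {
            # Resolution failure (no record, wrong DC answering, etc.) ends up here
            $result.Problem = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Usage with hypothetical names: run the same call on every web server and node
Test-DtcNameResolution -ComputerName 'SQLNODE1','SQLNODE2','VSQL01','WEB01' -FrontendPrefix '10.1.1.' |
    Format-Table -AutoSize
```

Run it from each machine rather than from one central host, because the point of the check is that every machine's own resolver (binding order, DNS suffix list, hosts file) gives the same answer; a row with a non-empty Problem column on one machine but not another is exactly the inconsistency the thread is hunting for.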
Hi

I want to close this subject since we found the error. We could confirm that the error was environment related: the AD was messed up. Replication was not running between the DCs and no DC had the correct picture of all servers; since no subnet was defined either for our servers (no site), name resolution was randomly sent to a DC that in some cases acknowledged that the server belonged to the domain, sometimes not.

Thanks for your support.
Johannes

quote: Originally posted by Argyle
Someone could have changed something that affected name resolution in your environment. If you have multiple network cards, say one for frontend and one for backend (backup, monitoring), then make sure that the names resolve on the same network between all servers. For example, if you ping a server on the frontend you want it to reply on the frontend as well. You could most likely change this with the network card binding order or the order of DNS suffixes on the network cards, or in the worst case hard-code it in the hosts file on each machine.
But run the DTCTester tool on all involved machines to find the problem.