Microsoft KB Archive/903944

= The Microsoft Distributed Transaction Coordinator service must run under the NT AUTHORITY\NetworkService Windows account in Windows Server 2003 and in Windows XP =

Article ID: 903944

Article Last Modified on 11/16/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Professional x64 Edition

-





Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



INTRODUCTION
This article discusses the Microsoft Windows account that the Microsoft Distributed Transaction Coordinator (MSDTC) service must run under in Microsoft Windows Server 2003 and in Microsoft Windows XP.



MORE INFORMATION
Starting in Windows XP and then continuing in Windows Server 2003, the MSDTC service must run under the NT AUTHORITY\NetworkService Windows account.

If you change the account to an account other than the NetworkService account, the distributed transaction fails. The transaction fails because the MSDTC service cannot do mutual authentication together with other parties that are involved in the transaction. Local transactions that use the MSDTC service may also fail.

Note Other parties can be transaction managers, resource manager, or clients.

In both Microsoft Windows NT 4.0 and Microsoft Windows 2000, you can change the default MSDTC service account to a domain account. You may change the account to perform Windows authentication when you are performing an XA recovery operation on an XA database such as an Oracle database.

However, in both Windows Server 2003 and Windows XP, you cannot change the account. Instead, you must give the permissions and the roles that are required to perform an XA recovery operation to the NetworkService account on the computer where the MSDTC service is running.

The exact method of setting up an XA recovery operation is specific to each XA database. Typically, you have to add the computer account of the computer where the MSDTC service is running to the list of users who can perform an XA recovery operation on the XA database. Additionally, because the NetworkService account is a restricted account, you must provide the NetworkService account access to the folder where the XA DLL is located.

To change the account that the MSDTC service runs under back to the NetworkService account, follow these steps.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.  Click Start, click Run, type regedit, and then click OK. Locate and then click the following subkey:

If the following entries exist, go to step 6:  TurnOffRpcSecurity AllowOnlySecureRpcCalls FallbackToUnsecureRPCIfNecessary </li> Create the TurnOffRpcSecurity entry: <ol style="list-style-type: lower-alpha;"> On the Edit menu, point to New, and then click DWORD Value.</li> Type TurnOffRpcSecurity, and then press ENTER.</li></ol> </li> Create the AllowOnlySecureRpcCalls entry: <ol style="list-style-type: lower-alpha;"> On the Edit menu, point to New, and then click DWORD Value.</li> Type AllowOnlySecureRpcCalls, and then press ENTER.</li></ol> </li> Create the FallbackToUnsecureRPCIfNecessary entry: <ol style="list-style-type: lower-alpha;"> On the Edit menu, point to New, and then click DWORD Value.</li> Type FallbackToUnsecureRPCIfNecessary, and then press ENTER.</li></ol> </li> Set the DWORD value for the TurnOffRpcSecurity entry: <ol style="list-style-type: lower-alpha;"> Right-click TurnOffRpcSecurity, and then click Modify.</li> In the Edit DWORD Value dialog box, type the value 1, and then click OK.</li></ol> </li> Set the DWORD value for the AllowOnlySecureRpcCalls entry: <ol style="list-style-type: lower-alpha;"> Right-click AllowOnlySecureRpcCalls, and then click Modify.</li> In the Edit DWORD Value dialog box, type the value 0, and then click OK.</li></ol> </li> Set the DWORD value for the FallbackToUnsecureRPCIfNecessary entry: <ol style="list-style-type: lower-alpha;"> <li>Right-click FallbackToUnsecureRPCIfNecessary, and then click Modify.</li> <li>In the Edit DWORD Value dialog box, type the value 0, and then click OK.</li></ol> </li></ol>

After you have made the registry changes, you must restart the MSDTC service. To restart the MSDTC service, follow these steps:
 * 1) Click Start, click Run, type cmd, and then click OK.
 * 2) Type net stop msdtc, and then press ENTER.
 * 3) Type net start msdtc, and then press ENTER.
 * 4) Open the Component Services Microsoft Management Console (MMC) snap-in. To do this, click Start, click Run, type dcomcnfg.exe, and then click OK.
 * 5) Expand Component Services, expand Computers, and then expand My Computer.
 * 6) Right-click My Computer, and then click Properties.
 * 7) Click the MSDTC tab, and then click Security Configuration.
 * 8) Change the account in DCT Logon Account to NT AUTHORITY\NetworkService . If a password is needed, enter a blank password.
 * 9) Click OK two times.

<div class="references_section">