Enabling network DTC access fails on a Domain Controller server

For a personal lab I did a few days ago, I noticed a bug when trying to enable Microsoft Network Distributed Transaction Coordinator Access (Network DTC Access) on a server which is a Domain Controller.

I installed Windows Server 2003 on a machine and promoted the server to be a Domain Controller. As it was a lab, I re-used the same server to host SQL Server 2005 and wanted to enable Network DTC access.

I enabled Network DTC access and Network COM+ access using the following standard procedure:
1. Open the Control Panel and open “Add or Remove Programs”. Once open, click “Add/Remove Windows Components”.
2. Once the Windows Components Wizard opens, select “Application Server” and click on the “Details” button.
3. Select the check boxes in front of “Enable network COM+ access” and “Enable network DTC access”. Click “OK”.
4. Back in the Windows Components Wizard window; click “Next” and then “Finish”.

Everything seemed to be fine and no error message was displayed. Nevertheless, warning messages could be seen in the Windows Event Log:

[Screenshot: MSDTC warning message when trying to enable Network DTC access]

The main message says:
MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:9351, Pid: 3368
No Callstack,
CmdLine: C:\WINDOWS\system32\msdtc.exe

Going back to the “Add/Remove Windows Components”, I could see that Network COM+ access was enabled but Network DTC access was not; the check box was unselected:

[Screenshot: Network DTC access can't be enabled on Domain Controller]

I rebooted the machine, tried to enable Network DTC access again but it still did not work and the same error kept appearing in the Event Log.

I checked if MS DTC was running with the correct Windows Account as I read that sometimes MSDTC could be running under the Service Account “Local System” instead of “NT AUTHORITY\NetworkService” but MSDTC was running with the correct account:

[Screenshot: MSDTC running under the NetworkService Windows Service Account]

Solutions:
(updated 27th of August 2007)

I found 2 solutions to solve this issue:

1. Un-install and re-install MS DTC manually using the following procedure:
– Open a command prompt.
– Stop the MSDTC Windows Service by running the command: net stop msdtc.
– Uninstall MSDTC by running the command: msdtc -uninstall.
– Delete the following registry keys from the registry if they exist:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Msdtc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC
– Reboot the machine.
– Open the command prompt and run msdtc -install (this will recreate MSDTC’s registry keys with proper values).
– Go to the “Add/Remove Windows Components” and enable Network DTC access.

2. Use the following trick.
– Start Administrative Tools -> Component Services.
– Navigate the tree view on the left to:
   Console Root -> Component Services -> Computers -> My Computer
– Right click on “My Computer” and select Properties.
– Select the MSDTC Tab
– Under Transaction Configuration near the bottom, click “Security Configuration”.
– On the Security Configuration screen, click “OK”; don’t change anything.
– Back on the My Computer Properties screen, click “OK” again.
– Right click on “My Computer” in the tree view and click on “Stop MS DTC”.
– Right click on “My Computer” in the tree view and click on “Start MS DTC”.
– Close the Component Services snap-in.
– Go to the “Add/Remove Windows Components” and enable Network DTC access.
Note that we haven’t changed any settings! It works nevertheless, meaning that something must have changed behind the scenes.

Conclusion:
Using either of these solutions, MS DTC Network Access will actually be enabled and no warning message signaling a problem will appear in the Windows Event Log anymore.
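
A way to confirm the outcome described above without relying on the wizard's check box, as an added example that is not part of the original post. It assumes PowerShell 2.0 or later is installed, that the check box is reflected in the NetworkDtcAccess value under HKLM\SOFTWARE\Microsoft\MSDTC\Security, and that MS DTC events use a source name starting with "MSDTC"; the function and parameter names are hypothetical.

```powershell
# Added example (not from the original post): verify the three things the post
# checks by hand - service account, Network DTC access flag, Event Log warnings.
function Test-MsdtcNetworkAccess {
    param(
        [int]$LookbackHours = 24   # hypothetical parameter: Event Log window to inspect
    )

    # 1. Service state and logon account (the post expects NT AUTHORITY\NetworkService).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='MSDTC'"

    # 2. Registry values assumed to back the "Enable network DTC access" setting.
    #    A missing key (e.g. right after "msdtc -uninstall") is reported as disabled.
    $sec = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security' `
                            -ErrorAction SilentlyContinue

    # 3. MS DTC warnings and errors written to the Application log in the window.
    #    Get-EventLog reports "no matches" as an error, hence SilentlyContinue.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = @(Get-EventLog -LogName Application -Source 'MSDTC*' `
                             -EntryType Warning, Error -After $since `
                             -ErrorAction SilentlyContinue)

    $lastMessage = $null
    if ($events.Count -gt 0) { $lastMessage = $events[0].Message }  # newest first

    # On a Domain Controller it is worth seeing which directions are open,
    # not only whether network access is on.
    New-Object PSObject -Property @{
        ServiceState      = $svc.State
        ServiceAccount    = $svc.StartName
        AccountAsExpected = ($svc.StartName -eq 'NT AUTHORITY\NetworkService')
        NetworkDtcAccess  = ($sec -and $sec.NetworkDtcAccess -eq 1)
        InboundAllowed    = ($sec -and $sec.NetworkDtcAccessInbound -eq 1)
        OutboundAllowed   = ($sec -and $sec.NetworkDtcAccessOutbound -eq 1)
        RecentMsdtcEvents = $events.Count
        LastEventMessage  = $lastMessage
    }
}

# Run after either solution; NetworkDtcAccess should be True and
# RecentMsdtcEvents should stop increasing once the fix has taken effect.
Test-MsdtcNetworkAccess -LookbackHours 24 | Format-List
```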