What is the Microsoft Distributed Transaction Coordinator?
The Microsoft Distributed Transaction Coordinator (MS DTC) is a Windows service available on all operating systems supported by Identity Broker. It coordinates atomic transactions that span multiple resource managers (for example, SQL Server instances) on one or more servers. Network access to MS DTC is disabled by default.
Why should Identity Broker be configured to use it?
Identity Broker is capable of using the Microsoft .NET TransactionScope object to define atomic data transactions. Using transactions lets Identity Broker confirm that an operation has succeeded against every data connection before it is committed, for connected systems whose data stores participate in MS DTC. Since .NET Framework v2.0, Microsoft has recommended TransactionScope for transaction management. When a transaction involves more than one connection, or more than one server, the object transparently promotes it to a distributed transaction managed by MS DTC, which is why the service must be available and reachable.
How is it configured?
Each server involved in Identity Broker data transactions must have MS DTC enabled. When Identity Broker's database is hosted on a SQL Server instance on the same server as Identity Broker, MS DTC is only required on that machine and there is no network communication to configure. When SQL Server is on another server, or in a cluster, MS DTC must be enabled on both the Identity Broker server and the SQL Server server or cluster, and the appropriate firewall rules must be in place between them.
Enabling MS DTC in Identity Broker
MS DTC support in Identity Broker is disabled by default. To enable it, edit the Unify.Framework.Data.DataEnginePlugInKey.extensibility.config.xml file and add the enableTransactions attribute to the dataConnection element so that it looks like the following:
<dataConnection name="sql" repository="Unify.IdentityBroker" connectionString="...removed..." enableTransactions="true"/>
Enabling MS DTC in Windows
In order to enable MS DTC, you must be able to create a desktop session on the target server(s) as a local administrator.
Open the Local Services control panel snap-in and locate Distributed Transaction Coordinator as shown in the screenshot below.
If the service is not started, start it now. It may be prudent to make the service start automatically to ensure it is available if the server needs to be restarted.
Configuring MS DTC
- Open the Component Services snap-in.
To open Component Services, click Start. In the search box, type dcomcnfg, and then press ENTER.
- Expand the console tree to locate the DTC (for example, Local DTC) for which you want to enable Network MS DTC Access.
- On the Action menu, click Properties.
- Click the Security tab and make the following changes:
- In Security Settings, select the Network DTC Access check box.
- In Transaction Manager Communication, select the Allow Inbound and Allow Outbound check boxes.
- Click OK.
- Restart the machine.
- Repeat the steps above for all machines involved.
Configuring a firewall for MS DTC
There are too many firewall products on the market to give configuration steps for each, so only Windows Firewall is covered here: on each server, enable the predefined exception (rule group) for Distributed Transaction Coordinator. Refer to the official TechNet topic Enable Firewall Exceptions for MS DTC for more information, including the RPC endpoint mapper (TCP 135) and the dynamic RPC ports that DTC uses between servers.
As with any service, exposing MS DTC to the network increases the attack surface, so restrict access to the hosts that actually need it. TechNet provides guidance in Configuring Security for Distributed Transactions and Enable Network Access Securely for MS DTC; in particular, leave the transaction manager authentication level at Mutual Authentication Required (the Windows default) unless a connected system cannot support it. No specific security settings are recommended here, as they will be determined by enterprise policy.
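The Windows-side steps above (start the service, enable Network DTC Access with inbound and outbound transactions, open the firewall, then repeat on every server) can be scripted. The following is an added example, not code from the Identity Broker documentation or product: it assumes Windows Server 2012 R2 or later (the MsDtc module, Set-DtcNetworkSetting and Test-Dtc are not available on older releases), an elevated PowerShell session, and a hypothetical remote SQL Server host name SQL01 supplied as $RemoteServer.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the Identity Broker documentation). Run on each
# server involved in Identity Broker data transactions. Assumes Windows Server
# 2012 R2 or later; $RemoteServer is an assumed host name for the other DTC
# participant (for example the SQL Server).
param(
    [string]$RemoteServer = 'SQL01'
)

$ErrorActionPreference = 'Stop'
Import-Module MsDtc

# 1. "Enabling MS DTC in Windows": make the service start automatically and start it now.
$svc = Get-Service -Name MSDTC
if ($svc.StartType -ne 'Automatic') {
    Set-Service -Name MSDTC -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name MSDTC
}

# 2. "Configuring MS DTC": the Component Services > Local DTC > Security tab
#    changes (Network DTC Access, Allow Inbound, Allow Outbound) as cmdlet
#    parameters. Mutual authentication is the Windows default and the most
#    restrictive level; keep it unless enterprise policy or a connected
#    system requires otherwise. Remote client access is left at its default
#    (off) because it is not needed for server-to-server transactions.
Set-DtcNetworkSetting -DtcName 'Local' `
    -InboundTransactionsEnabled $true `
    -OutboundTransactionsEnabled $true `
    -AuthenticationLevel Mutual `
    -Confirm:$false

# The new settings apply once the DTC service restarts (the GUI asks for a reboot).
Restart-Service -Name MSDTC

# 3. "Configuring a firewall for MS DTC": enable the predefined Windows
#    Firewall rule group, which covers the RPC endpoint mapper and DTC traffic.
Enable-NetFirewallRule -DisplayGroup 'Distributed Transaction Coordinator'

# 4. Verify: show the effective network settings, then ping the remote DTC.
Get-DtcNetworkSetting -DtcName 'Local' |
    Format-List InboundTransactionsEnabled, OutboundTransactionsEnabled,
                RemoteClientAccessEnabled, AuthenticationLevel

# Test-Dtc performs a DTC-to-DTC ping in both directions. It needs remote
# WMI/WinRM access to $RemoteServer and fails if either side's firewall or
# network settings still block DTC.
Test-Dtc -LocalComputerName $env:COMPUTERNAME -RemoteComputerName $RemoteServer -Verbose
```

Run the script on the Identity Broker server with $RemoteServer pointing at the SQL Server host, and again on the SQL Server host pointing back at the Identity Broker server; Test-Dtc succeeding from both sides confirms that inbound, outbound and firewall settings agree before Identity Broker's enableTransactions attribute is switched on.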