MSDTC security settings are reset on a cluster server when the DomainControllerState registry value changes (for example, from 2 to 1).

 

Symptoms

======================

There are two Windows Server 2003 SP2 nodes in the Veritas cluster, and both of them are domain controllers. Under the registry key HKLM\SOFTWARE\Microsoft\MSDTC\Security, the DomainControllerState value is "1" on node 1 and "2" on node 2.

When the resources are moved from node 1 to node 2, all of the MSDTC security settings are wiped out: Network DTC Access is unchecked, along with the other options.

Now suppose all of the security options are enabled on node 2 and the DomainControllerState value is then changed from 2 to 1. This also resets all of the security options to 0.

The problem does not occur on a VCS cluster whose nodes are not domain controllers (DomainControllerState = 0).

 

Cause

======================

This is expected and by design. The DomainControllerState value stores the last known domain controller state of the machine on which the DTC instance runs. When DTC starts, it compares the machine's current domain controller state with the stored value. If the two differ (for example because the machine was promoted or demoted since DTC last ran), DTC resets its security settings: to the defaults if the current state is not a domain controller (0), or to "no network access" if the current state is a PDC or BDC (1 or 2).

This feature protects against unknowingly opening network access on domain controllers through MSDTC when they undergo promotions and demotions: MSDTC disables network access if the role of the machine changes to either PDC or BDC. If the role changes from a DC state to a non-DC state, the DTC security settings revert to the defaults (Mutual Authentication Required, and so on).

So when the resource is moved from the PDC (1) node to the BDC (2) node, DTC network access is disabled: the stored domain controller state no longer matches the role of the node that now runs DTC, and that node is still a domain controller. The security options must be re-enabled manually whenever MSDTC is to run on a machine whose DC state has changed.
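As an added example (not part of the original article and not Microsoft's or Veritas's own code), the following PowerShell script reads the values that the DomainControllerState check resets, reports which ones differ from a chosen baseline, and can write the baseline back after a failover. The registry value names under HKLM\SOFTWARE\Microsoft\MSDTC\Security and HKLM\SOFTWARE\Microsoft\MSDTC, the meaning of the DomainControllerState numbers (0, 1, 2 as described above) and the baseline settings themselves are assumptions to verify against the target build and the site's own policy.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the cluster node that currently owns the MSDTC resource.
# Assumptions (verify on the target build): the value names below exist as
# DWORDs under the two MSDTC keys, and 0/1/2 in DomainControllerState mean
# not-a-DC / PDC / BDC as the article describes.

$securityKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'
$dtcKey      = 'HKLM:\SOFTWARE\Microsoft\MSDTC'

$dcStateNames = @{ 0 = 'not a domain controller'; 1 = 'PDC'; 2 = 'BDC' }

# Assumed site policy (1 = enabled, 0 = disabled). NetworkDtcAccess is the
# "Network DTC Access" checkbox the article mentions; the remaining values are
# kept as narrow as a typical workload allows. AllowOnlySecureRpcCalls = 1 with
# the two RPC fallbacks at 0 corresponds to the "Mutual Authentication
# Required" default the article refers to.
$baseline = @(
    @{ Key = $securityKey; Name = 'NetworkDtcAccess';             Value = 1 }
    @{ Key = $securityKey; Name = 'NetworkDtcAccessClients';      Value = 0 }
    @{ Key = $securityKey; Name = 'NetworkDtcAccessAdmin';        Value = 0 }
    @{ Key = $securityKey; Name = 'NetworkDtcAccessTransactions'; Value = 1 }
    @{ Key = $securityKey; Name = 'NetworkDtcAccessInbound';      Value = 1 }
    @{ Key = $securityKey; Name = 'NetworkDtcAccessOutbound';     Value = 1 }
    @{ Key = $securityKey; Name = 'XaTransactions';               Value = 0 }
    @{ Key = $securityKey; Name = 'LuTransactions';               Value = 1 }
    @{ Key = $dtcKey;      Name = 'AllowOnlySecureRpcCalls';          Value = 1 }
    @{ Key = $dtcKey;      Name = 'FallbackToUnsecureRPCIfNecessary'; Value = 0 }
    @{ Key = $dtcKey;      Name = 'TurnOffRpcSecurity';               Value = 0 }
)

function Get-DtcSecurityState {
    # Emits one object per watched value (current vs. expected), starting with
    # the stored DomainControllerState so the reset cause is visible at a glance.
    $sec   = Get-ItemProperty -Path $securityKey
    $state = [int]$sec.DomainControllerState
    New-Object PSObject -Property @{
        Key = $securityKey; Name = 'DomainControllerState'
        Current = $state; Expected = $null
        Note = $dcStateNames[$state]
    }
    foreach ($b in $baseline) {
        $props   = Get-ItemProperty -Path $b.Key
        $current = $props.($b.Name)
        if ($null -eq $current) { $current = 0 }   # absent value reported as disabled (assumption)
        $differs = ([int]$current -ne $b.Value)
        New-Object PSObject -Property @{
            Key = $b.Key; Name = $b.Name
            Current = [int]$current; Expected = $b.Value
            Note = $(if ($differs) { 'DIFFERS from baseline' } else { '' })
        }
    }
}

function Restore-DtcSecurityBaseline {
    # Writes back only the values that drifted, logging each change.
    param([switch]$RestartService)
    foreach ($b in $baseline) {
        $props   = Get-ItemProperty -Path $b.Key
        $current = $props.($b.Name)
        if ($null -eq $current) { $current = 0 }
        if ([int]$current -ne $b.Value) {
            Write-Host ("Setting {0}\{1}: {2} -> {3}" -f $b.Key, $b.Name, $current, $b.Value)
            Set-ItemProperty -Path $b.Key -Name $b.Name -Value $b.Value -Type DWord
        }
    }
    # DTC reads these values when it starts. On a stand-alone server restart the
    # service; on a cluster, cycle the MSDTC cluster resource through the cluster
    # software instead (for VCS: hares -offline / hares -online), so that the
    # resource owner stays consistent. Restart-Service is only for the former.
    if ($RestartService) { Restart-Service -Name MSDTC -Force }
}

# Usage: inspect first, restore only after reviewing the drift.
Get-DtcSecurityState | Format-Table Name, Current, Expected, Note -AutoSize
# Restore-DtcSecurityBaseline
```

After a failover that triggered the reset, the report shows DomainControllerState with its new role and every NetworkDtcAccess* value at 0 against the baseline's 1. Keep NetworkDtcAccessAdmin, TurnOffRpcSecurity and the RPC fallback at 0 unless a specific application needs them; re-enabling "everything" after each failover is exactly the exposure the state check is meant to prevent.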

 

Possible workaround/resolution

===================================

Remove the domain controller role from the cluster servers so that DomainControllerState is 0 on every node; the state check then no longer fires on failover. If the nodes must remain domain controllers, the MSDTC security settings have to be re-enabled by hand (and the MSDTC resource restarted) after every failover or change of domain controller state.