How does client communicate with MSDTC Cluster?


Recently I got several calls from customers or internal about how MSDTC clients talks to MSDTC Cluster, this decides how to configure the firewall between them.


As we know, as a cluster resource, MSDTC has its virtual name and virtual IP address in a cluster group. When a MSDTC client tries to work with MSDTC Cluster through Firewall, the network admin team needs to open necessary ports range for MSDTC communication. MSDTC relies on RPC communication, so that we need to ensure below ports should be opened by default (its sample dynamic port
range is too limited, it is better from 5000~5200):


250367  Configuring Microsoft Distributed Transaction Coordinator (DTC) to work through a firewall;EN-US;250367


For Win2003, the “network DTC access” option is also fairly important on client and servers:


817064  How to enable network DTC access in Windows Server 2003;EN-US;817064


When we define the incoming rules with firewall, in addition to ports, we also need to make sure the IP rule is opening for MSDTC virtual IP address and physical IP address of cluster nodes. Because:


When a client application performs transaction requests to MSDTC server, actually there will be two MSDTC transaction managers work at the same time. One is on client side, another is on server side. The main difference on server side is it has a Resource Manager which is used for enlisting transactions and maintain the data. SQL is a type of Resource manager. When the two MSDTC transaction managers start communication, they always choose RPC (Remote Process Call) as the protocol. And the communication is not single direction from RPC client to RPC server, it is a bi-direction communication.

As for the reason of the RPC Reverse Binding uses physical IP, this is because when RPC is going to bind socket, it doesn’t explicitly use a dedicate IP address. It will choose the first bound IP address on the network interface. In common cluster environment, the physical IP address is always as the first bound IP address, we can see the same symptom even test cluster environments are different (in Microsoft Cluster or a third party cluster).


Therefore, when a client starts working with MSDTC cluster, it is very likely that we can see two RPC connections, one is from Client to MSDTC Cluster Virtual IP, another is from MSDTC Physical IP to Client. Such as:


A node(Active- -------+-----B Node (Passive-

  ^                                                          |

  |                                   msdtc cluster resource (Virtual IP:

 port(2215)                                       ^ (port: 5102)

  |                                                         |

  |                                                         |

  |                                                         |

  |                                                         V (port: 1321)

  +----------port(5078)--> Web Server (



From another KB, it delivered similar information, please check the “more information” section:



The firewall rules must include the following:

The IP network names and the addresses of both physical nodes on the cluster


311846 Description of names and IP addresses that an MSDTC client in a cluster environment must have;EN-US;311846




Freist Li

Comments (1)
  1. Kiran says:

    we do have a 3-node Active/Active/Active cluster and were leveraging one of the nodes for biztalk databases. As you know, BizTalk needs MSDTC access and we did open ports to MSDTC VIP and SQL VIP. But DTCPing and DTCTester failed as we didnt open RPC ports to the physical IPs of the SQL Clusters. Upon Opening…everything started working…which was opposed and challenged by our networking team as they dont see any traffic going over the phsyical IPs. can you plz explain why we need to open RPC ports for Physical IPs when MSDTC is not listening on these IPs…



Comments are closed.

Skip to main content