ACL Problem with the MSDTC service?

If you have a Resource Manager (for example SQL Server) that is failing to communicate with MSDTC (which you can see is started and working well), you may be wondering about the best way to troubleshoot such a problem.

One possible cause is that the account under which SQL Server (or the other resource manager) is running does not have the required permissions on the MSDTC service.

This can be checked in the ACL (Access Control List) of the service using the tool named "subinacl", which can be downloaded from:
https://www.microsoft.com/downloads/details.aspx?familyid=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

The command for checking the permissions on the msdtc service is:

subinacl.exe /Service msdtc

This command should output a number of different accounts or account groups, each with its permissions. You must identify the permissions granted to the account under which the problematic resource manager is running.

From the Subinacl Readme file you can see the possible Service Permission options:

PACE  Description
-F -> Full Control
-R -> Generic Read
-W -> Generic Write
-X -> Generic eXecute
-L -> Read controL
-Q -> Query Service Configuration
-S -> Query Service Status
-E -> Enumerate Dependent Services
-C -> Service Change Configuration
-T -> Start Service
-O -> Stop Service
-P -> Pause/Continue Service
-I -> Interrogate Service
-U -> Service User-Defined Control Commands

If a permission is missing, the command to add it to the service's ACL is normally something like this:

subinacl /service msdtc /grant=<"DOMAIN\ACCOUNT" IN QUOTES>="QSETIL"

e.g.

subinacl /service msdtc /grant="Domain\SQLServiceAccount"="QSETIL"
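As an added example (not part of the original post, and not subinacl's own code), the following PowerShell script performs the same check without subinacl: it reads the msdtc service's security descriptor with sc.exe sdshow, maps the PACE letters above to the Windows service access rights they stand for, and reports which of the QSETIL rights the service account is missing. The account name is a placeholder; the script only looks at ACEs granted directly to that account, not to groups it belongs to.

```powershell
# Added example: verify that a service account holds QSETIL on a service.
# Not from the original post; DOMAIN\SQLServiceAccount is a placeholder.
param(
    [string]$ServiceName = 'msdtc',
    [string]$Account     = 'DOMAIN\SQLServiceAccount'   # placeholder
)

# Service-specific access rights (winsvc.h) keyed by subinacl's PACE letters
$Rights = [ordered]@{
    Q = 0x00001   # SERVICE_QUERY_CONFIG
    C = 0x00002   # SERVICE_CHANGE_CONFIG
    S = 0x00004   # SERVICE_QUERY_STATUS
    E = 0x00008   # SERVICE_ENUMERATE_DEPENDENTS
    T = 0x00010   # SERVICE_START
    O = 0x00020   # SERVICE_STOP
    P = 0x00040   # SERVICE_PAUSE_CONTINUE
    I = 0x00080   # SERVICE_INTERROGATE
    U = 0x00100   # SERVICE_USER_DEFINED_CONTROL
    L = 0x20000   # READ_CONTROL
}
$Wanted = 'QSETIL'   # the least-privilege set granted in the post

# Resolve the account to a SID so ACEs can be matched exactly
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
          [System.Security.Principal.SecurityIdentifier])

# sc.exe sdshow prints the service's security descriptor as an SDDL string
$sddl = (sc.exe sdshow $ServiceName | Out-String).Trim()
$sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

# OR together every access-allowed ACE that names this SID directly
$allowed = 0
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.SecurityIdentifier -eq $sid -and
        $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
        $allowed = $allowed -bor $ace.AccessMask
    }
}

# Report the PACE letters whose access bit is not present
$missing = ($Wanted.ToCharArray() |
            Where-Object { ($allowed -band $Rights["$_"]) -eq 0 }) -join ''
if ($missing) {
    "Missing on $ServiceName for $Account : $missing"
    "Fix: subinacl /service $ServiceName /grant=`"$Account`"=`"$Wanted`""
} else {
    "$Account already holds $Wanted on $ServiceName"
}
```

Run it from an elevated prompt; if the account is a member of a group that already appears in the ACL, the group's ACE is not counted, so a "missing" result may still be satisfied through group membership.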


Chris Forster