MSDTC must run under the NT AUTHORITY\NetworkService account

Starting with Windows XP and continuing with Windows Server 2003, the account under which the MSDTC service runs must be "NT AUTHORITY\NetworkService" (https://msdn.microsoft.com/library/default.asp?url=/library/en-us/cossdk/htm/pgdtc_admin_7gkz.asp).

If you change the account to something other than NetworkService, your distributed transactions will fail because MSDTC will not be able to perform mutual authentication with the other parties (transaction managers, resource managers, clients) involved in the transaction. In some cases, even local transactions will fail.

If, on NT4 or Windows 2000, you used to change the default MSDTC account to a domain account so that MSDTC could use Windows authentication when performing recovery with XA databases such as Oracle, you can no longer do that on XP and 2003 (at least not in a secure way). Instead, you need to give the NetworkService account of the machine where MSDTC is running the permissions and roles needed to perform XA recovery on the XA database. The exact method is specific to each database, but in short you need to add the "machine account" of the machine where MSDTC is running to the list of users that can perform recovery on the XA database. Also, take a look at https://blogs.msdn.com/florinlazar/archive/2003/12/04/41370.aspx for more troubleshooting information on MSDTC and XA.
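
A quick way to check both points above, as an added example rather than code from the original post: it reports the account MSDTC runs under and the machine account name that NetworkService presents to remote systems, which is the account to grant XA recovery rights on the database. The function name `Get-MsdtcAccountStatus` is hypothetical, and PowerShell 3.0 or later is assumed for `Get-CimInstance`.

```powershell
# Added example (not from the original post): audit the MSDTC logon account.
function Get-MsdtcAccountStatus {
    param(
        # Hosts to audit; remote hosts are assumed to be reachable over CIM (WinRM).
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $expected = 'NT AUTHORITY\NetworkService'

    foreach ($computer in $ComputerName) {
        # Query the local machine directly so WinRM is not needed for it.
        $target = @{}
        if ($computer -ne $env:COMPUTERNAME) { $target.ComputerName = $computer }

        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'" -ErrorAction Stop @target
            $cs  = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop @target
        }
        catch {
            [pscustomobject]@{
                Computer = $computer; LogonAccount = $null; Compliant = $false
                MachineAccount = $null; Note = "Query failed: $($_.Exception.Message)"
            }
            continue
        }

        # String comparison with -eq is case-insensitive, so casing differences do not matter.
        $compliant = [bool]($svc -and ($svc.StartName -eq $expected))
        [pscustomobject]@{
            Computer     = $computer
            LogonAccount = if ($svc) { $svc.StartName } else { $null }
            Compliant    = $compliant
            # NetworkService authenticates to remote systems as the computer account (NAME$).
            MachineAccount = if ($cs.PartOfDomain) { '{0}$ (domain {1})' -f $cs.Name, $cs.Domain } else { $null }
            Note = if (-not $svc) { 'MSDTC service not found' }
                   elseif (-not $compliant) { "Expected $expected" }
                   elseif (-not $cs.PartOfDomain) { 'Not domain-joined: no machine account to grant' }
                   else { 'OK' }
        }
    }
}

# Audit the local machine; pass -ComputerName to check other hosts.
Get-MsdtcAccountStatus | Format-List
```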