How to Configure MSDTC to Use a Specific Port in Windows Server 2012/2012R2
My name is Steven Graves and I am a Senior Support Escalation Engineer on the Windows Core Team. In this blog, I will discuss how to configure MSDTC to use a specific port on Windows Server 2012/2012R2 as this has slightly changed from the way it is configured in Windows Server 2008 R2 in order to prevent overlapping ports. As a reference, here is the blog for Windows 2008 R2.
How to configure the MSDTC service to listen on a specific RPC server port
https://blogs.msdn.com/b/distributedservices/archive/2012/01/16/how-to-configure-the-msdtc-service-to-listen-on-a-specific-rpc-server-port.aspx
Scenario
There is a web server in a perimeter network and a standalone SQL Server (or Clustered SQL Server instance) on a backend production network and a firewall that separates the networks. MSDTC needs to be configured between the web server and backend SQL Server using a specific port in order to limit the ports opened on the firewall between the networks.
So as an example, we will configure MSDTC to use port 5000.
There are two things that need to be configured on the frontend web server to restrict the ports that MSDTC will use.
- Configure the ports DCOM can use
- Configure the specific port or ports for MSDTC to use
Steps
1. On the web server, launch Dcomcnfg.exe from the Run menu.
2. Expand Component Services, right click My Computer and select Properties
3. Select the Default Protocols tab
4. Click the Properties button
5. Click Add
6. Type in the port range that is above the port MSDTC will use. In this case, I will use ports 5001-6000.
7. Click OK to return to the My Computer Properties window, then click OK again. Here is the key that is modified in the Registry for the ephemeral ports.
8. Start Regedt32.exe
9. Locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC
10. Right click the MSDTC key, select New and then DWORD (32-bit) Value
11. Type ServerTcpPort for the key name
12. Right click ServerTcpPort key and select Modify
13. Select the Decimal radio button, type 5000 in the Value data field and click OK. This is how the registry key should look
14. Restart the MSDTC Service (if stand-alone) or take the MSDTC Resource offline/online in Failover Cluster Manager if clustered.
To confirm MSDTC is using the correct port:
- Open an administrative command prompt and run netstat -ano to list the listening ports together with the Process Identifier (PID) that owns each one
- Start Task Manager and select Details tab
- Find MSDTC.exe and get the PID
- In the netstat output, confirm that the PID listening on port 5000 is the PID of MSDTC.exe
Now DTC will use the port specified in the registry, and no other process will try to use the same port, thus preventing an overlap of ports.
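As an added example that is not part of the original post, the following PowerShell script applies the same DCOM port range and ServerTcpPort settings from an elevated prompt and then checks which process owns the port, which is the netstat/Task Manager check above in one step. It assumes a stand-alone (non-clustered) MSDTC; the HKLM\SOFTWARE\Microsoft\Rpc\Internet value names (Ports, PortsInternetAvailable, UseInternetPorts) are the ones the Dcomcnfg Default Protocols dialog writes, and that range only takes effect after a reboot.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Defaults are the values used in the post: MSDTC on 5000, DCOM on 5001-6000.
param(
    [int]$MsdtcPort = 5000,
    [string]$DcomRange = '5001-6000'
)

# 1. DCOM/RPC dynamic port range (what the Dcomcnfg Default Protocols
#    dialog writes). Assumption: value names as documented for RPC port
#    restriction. Requires a reboot before RPC honours the new range.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString `
    -Value @($DcomRange) -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' `
    -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' `
    -PropertyType String -Value 'Y' -Force | Out-Null

# 2. Fixed MSDTC listener port: DWORD, decimal (steps 8-13 of the post).
$dtcKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
New-ItemProperty -Path $dtcKey -Name 'ServerTcpPort' -PropertyType DWord `
    -Value $MsdtcPort -Force | Out-Null

# 3. Restart the stand-alone service so the new port is picked up (step 14).
Restart-Service -Name MSDTC -Force

# 4. Verify: the listener on the chosen port must be msdtc.exe. If another
#    process (for example wininit.exe) owns it, the port conflict the post
#    describes is still present and the RPC range is not yet in effect.
$listener = Get-NetTCPConnection -State Listen -LocalPort $MsdtcPort `
    -ErrorAction SilentlyContinue | Select-Object -First 1
if ($listener) {
    $owner = Get-Process -Id $listener.OwningProcess
    "Port $MsdtcPort is owned by $($owner.ProcessName) (PID $($owner.Id))"
    if ($owner.ProcessName -ne 'msdtc') {
        Write-Warning "Port $MsdtcPort is not held by MSDTC: port conflict"
    }
} else {
    Write-Warning "Nothing is listening on port $MsdtcPort; check the MSDTC service"
}
```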
Steven Graves
Senior Support Escalation Engineer
Microsoft Core Support
Comments
- Anonymous
May 05, 2014
nice information shared .... THANKS STEVEN !!!!
- Anonymous
July 17, 2014
Aren't changes necessary on SQL Server SO?
- Anonymous
July 30, 2014
Does port range for DCOM 5001-6000 need to be open on the firewall between web server and backend database server?
- Anonymous
July 30, 2014
I'm a bit confused:
In previous article related to SQL2008, it indicates to support OLE Transaction communication between machines, you should (1) allow bi-directional TCP traffic in your firewall on port 135 for the endpoint mapper, and (2) the single specific ServerTcpPort port instead of a port range like we did in earlier operating systems.
However, this article indicates that it's necessary for Win2012 to configure an RPC range we did in earlier operating systems. http://support.microsoft.com/kb/250367
•Configure the ports DCOM can use: Port 5001-6000
•Configure the specific port or ports for MSDTC to use: Port 5000
•And to support OLE Transaction communication between machines allow bi-directional TCP traffic in your firewall for the endpoint mapper: Port 135.
So is it still necessary then for MSDTC on Windows 2012 to configure & open RPC bi-directional between client & server for RCP port range 5001-6000?
Regards,
- Anonymous
July 31, 2014
Thank you for information
As programmer I need to configure MSDTC from my application installer or from the application itself
Because of that I wrote a class library in C# to configure MSDTC programmatically.
http://www.codeproject.com/Articles/729805/MSDTC-Manager
hope sharing it will be useful for some people.
Thank you
- Anonymous
April 10, 2015
This works great. We have DTC running on IIS app server and SQL server. We configure both to use same dedicated port and the problem was resolved. Don't forget to add inbound exception to firewall for the specified port on ALL applicable Servers, because that is not clear in this article. Otherwise, this article is well written and helpful.
- Anonymous
June 17, 2015
Thank you for the great article. When I try configuring the ServerTcpPort that just seems to affect the Local DTC service. Is there a similar registry key for the clustered instance?
- Anonymous
December 03, 2015
Can Steven Graves please clarify: "Windows Server 2012/2012R2 as this has slightly changed from the way it is configured in Windows Server 2008 R2 in order to prevent overlapping ports"
What is meant by overlapping ports? Why is that an issue in Windows 2012 but not 2008R2?
In windows 2008 R2 SQL clusters, we never had to configure a port for MSDTC to Listen on. We would setup the DCOM range and the firewall exceptions for the range, including an exception for 135 (RPC Endpoint Mapper) on all nodes in the SQL cluster and our application servers.
Our current configuration is a Windows 2012 SQL Cluster, and Windows 2008R2 Application Servers (don't ask me why the difference in OS's, it is what it is). Now, we find that we must set the ServerTcpPort in the registry, and we gave it 5000 ONLY on the Windows 2012 Machines for the SQL Cluster, and added a firewall exception for this.
Our Information Security Office would like to understand why, and I cannot offer a full explanation, other than "we would have port overlapping"? Overlapping with what? Why? Why is this specific to Windows 2012??
THANKS!!
- Anonymous
January 12, 2016
Thanks for the information, John.
However, fully backing Justin Sharp and others asking for more details on the topic. Could you please elaborate, and comment on the "what and why" questions?
- Anonymous
January 22, 2016
This blog was written for a specific scenario for MSDTC where the customer already had MSDTC configured to use port 5000 on 2008R2 and they wanted to keep using port 5000 on 2012R2. The port conflict happened in 2012R2 because Winint.exe grabbed the first RPC dynamic port, which was 5000, the same port MSDTC was configured to use. Sorry for the confusion with using "overlapping port" but "port conflict" may make more sense.
We did not make any changes to SQL for this to work.
Yes, you may need to change firewall rules but that will depend on the environment.
- Anonymous
May 02, 2016
To resolve/avoid above mentioned port conflict issue on MS Windows Server 2012 R2, I did following in addition to above mentioned:
1. Launch the Regedt32.exe
2. Go to HKLM\SOFTWARE\Microsoft\Rpc\Internet
3. Change the "Ports" value from "5000-5020" to "4990-5000"
4. and also Set the "(Default)" value to 4990
5. Quit the RegEdt32.exe
6. Restart the server
On boot, RPC will start assigning tcp ports to services (wininiet.exe, svchost.exe, etc) from tcp/4990 port and will assign tcp/5000 port to MSDTC. Though I have successfully verified MSDTC operations using DTCPing; but I have a question will this workaround good to go for production environment/setup as well?
- Anonymous
May 02, 2016
To resolve/avoid the MSDTC port conflict issue on MS Windows Server 2012 R2, I did following in addition to above mentioned:
1. Launch the Regedt32.exe
2. Go to HKLM\SOFTWARE\Microsoft\Rpc\Internet
3. Change the "Ports" value from "5000-5020" to "4990-5020"
4. and also Set the "(Default)" value to 4990
5. Quit the RegEdt32.exe
6. Restart the server
On boot, RPC will start assigning tcp ports to services (wininiet.exe, svchost.exe, etc) from tcp/4990 port onward and will assign tcp/5000 port to MSDTC. Though I have successfully verified MSDTC communication using DTCPing. But will this workaround good to go for production environment/setup as well?
- Anonymous
July 19, 2018
I have a Windows 10 machine, trying to connect with an SQL Server through a firewall. I have configured the port range as described above to 5000-5500, but in the TCPViewer, I see that MSDTC tries to connect to the SQL Server through the port 63591, and it does not succeed, the State of the connection is SYN_SENT. Why does MSDTC use port 63591, which is not in the range 5000-5500? Is there something special to be done on Windows 10?