3.12.2019

Fix MSDTC for VRA Install Wizard Validation

Did you use a template to create the IaaS servers for VRA? This is a quick post on how to resolve the errors from the VRA validator step. Perhaps like you I had some trouble locating a concise KB article or post on an easy way to resolve these issues.

Reset the CID/SID of the Server

Log into the IaaS and DB servers as Administrator.

Opening REGEDIT can show what the CID/SID values are. This is located:
HKEY_CLASSES_ROOT\CID\(CID)\Description\(Default)

Open a powershell prompt as administrator and run the command:

Uninstall MSDTC
msdtc -uninstall

Reboot
shutdown -r -t 0

Re-install MSDTC (login with same permissions as above)
msdtc –install

Warning: The msdtc command does not give any return response when running this command.

Open the Firewall

Enable the firewall rules for WMI and DTC on both computers by using the Netsh utility. This

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
netsh advfirewall firewall set rule group="Distributed Transaction Coordinator" new enable=yes


Testing

Basic checking can be done by opening the Component Services MMC. You should see something similar.
Component Services MMC for MS DTC


Run the DTCtester to test the state of MSDTC. Below are some example tests that can be run to test local and both local and remote DTC connectivity.

Test MSDTC on the local computer
Test-Dtc -LocalComputerName "$env:COMPUTERNAME" -Verbose

Test MSDTC on the local computer and a remote computer
Test-Dtc -LocalComputerName "$env:COMPUTERNAME" -RemoteComputerName "remote-server" -ResourceManagerPort 17100 -Verbose

Test MSDTC on a local computer that blocks inbound transactions
Test-Dtc -LocalComputerName "$env:COMPUTERNAME" -RemoteComputerName "remote-server" -ResourceManagerPort 17100 -Verbose

Test MSDTC on a local computer that blocks outbound transactions
Test-Dtc -LocalComputerName "$env:COMPUTERNAME" -RemoteComputerName "remote-server" -ResourceManagerPort 17100 -Verbose


This is the result if the first test partially fails. The 3 local and remote tests will also show the CIDs for the communicating systems. Referring to the REGEDIT above will display the UIS and the XA values that are contained in the CID subkeys.. From this output you will be able to determine if the CIDs are unique as another method to validate the registry values.

PS C:\Windows\system32> Test-Dtc -LocalComputerName "$env:COMPUTERNAME" -Verbose
VERBOSE: ": Firewall rule for "RPC Endpoint Mapper" is enabled."
VERBOSE: ": Firewall rule for "DTC incoming connections" is enabled."
VERBOSE: ": Firewall rule for "DTC outgoing connections" is enabled."
VERBOSE: IN-SQL02: AuthenticationLevel: Mutual
VERBOSE: IN-SQL02: InboundTransactionsEnabled: False
WARNING: "IN-SQL02: Inbound transactions are not allowed and this computer cannot participate in network transactions."
VERBOSE: IN-SQL02: OutboundTransactionsEnabled: False
WARNING: "IN-SQL02: Outbound transactions are not allowed and this computer cannot participate in network transactions."
VERBOSE: IN-SQL02: RemoteClientAccessEnabled: False
VERBOSE: IN-SQL02: RemoteAdministrationAccessEnabled: False
VERBOSE: IN-SQL02: XATransactionsEnabled: False
VERBOSE: IN-SQL02: LUTransactionsEnabled: True


This is the result when things look good for the installer to proceed.

PS C:\Windows\system32> Test-Dtc -LocalComputerName "$env:COMPUTERNAME" -Verbose
VERBOSE: ": Firewall rule for "RPC Endpoint Mapper" is enabled."
VERBOSE: ": Firewall rule for "DTC incoming connections" is enabled."
VERBOSE: ": Firewall rule for "DTC outgoing connections" is enabled."
VERBOSE: IN-SQL02: AuthenticationLevel: Mutual
VERBOSE: IN-SQL02: InboundTransactionsEnabled: True
VERBOSE: IN-SQL02: OutboundTransactionsEnabled: True
VERBOSE: IN-SQL02: RemoteClientAccessEnabled: True
VERBOSE: IN-SQL02: RemoteAdministrationAccessEnabled: True
VERBOSE: IN-SQL02: XATransactionsEnabled: False
VERBOSE: IN-SQL02: LUTransactionsEnabled: True


Summary

This is only one example of how to resolve these errors. If you used a template and a customization spec as you deploy while selecting "Generate New Security ID (SID)" your experience might be different.