MTS and DCOM setup
Release 6.1

Copyright

© 2015 Pitney Bowes Software Inc. All rights reserved. This document may contain confidential and proprietary information belonging to Pitney Bowes Inc. and/or its subsidiaries and associated companies. Portrait Software, the Portrait Software logo, Portrait, and Portrait Software’s Portrait brand are the trademarks of Portrait Software International Limited and may not be used or exploited in any way without the prior express written authorization of Portrait Software International Limited.

Acknowledgement of trademarks
Other product names, company names, marks, logos and symbols referenced herein may be the trademarks or registered trademarks of their registered owners.

Portrait Software Support
If you need help with something that’s not covered by this documentation, try the Knowledge Base on our web site, http://support.portraitsoftware.com, and follow the links to your product. You can also download other Portrait Software documentation from the site. If you don’t have a username and password, or you’ve forgotten them, please contact us through one of the channels below.

If you find a problem with the use, installation, or documentation of this product, please contact us using any of the following methods:
Email: [email protected]
Phone
• USA/Canada 1-800-335-3860 (toll-free)
• Rest of world +44 800 840 0001

When you report a problem, it helps if you can tell us:
• The name of the software application
• The circumstances in which the problem arose
• What error messages you saw (if any)
• The version of the software that you were using

Pitney Bowes Software Inc.
January 9, 2015

Contents
Introduction
  Related documents
  Software release
Configure the Application server (Dialogue Server)
  Creating users and user groups
    Running with local users and groups
    Running with domain users and groups
  Configure Windows 2008 server
    Network COM+ access
    Network DTC access
    Transaction timeout
    User and user group access
    Server Components
  Configure Windows 2012 server
    Network COM+ access
    Network DTC access
    Transaction timeout
    User and user group access
    Server Components
  Configure database access on application server
    Dialogue Server and Database server on same physical server
    Dialogue Server and Database server on separate physical servers
Connecting clients to Dialogue Server
  Clients and Dialogue Server on same windows domain
  Clients and Dialogue Server on different windows domains
    Scenario 1 – Client is member of a domain, Dialogue Server is not
    Scenario 2 – Dialogue Server is member of a domain, client is not
    Scenario 3 – Client and Dialogue Server are members of different domains
Scenarios requiring special configuration
  Configuring DTC to Work Through a Firewall
    General
    Setup of DTC
    Setup of firewall
  Configuring DTC to work across non-domain environments
    Enable Network DTC Access on both servers
    Install the SQL Server Client Tools on both servers
    Enable NETBIOS across all machines
    Disable RPC Security for MSDTC Service on both servers
  Configure DTC on a Windows Server cluster
  Cloning Windows DTC Servers
Essential test Utilities

Introduction

This document leads a team through the steps of configuring COM+ for servers and clients running Portrait Dialogue. The audiences for this guide are business application specialists, IT specialists, and infrastructure specialists who are deploying a solution based on the Portrait Dialogue application server.

Related documents
Portrait Dialogue 6.1 release notes, available on the installation CD.

Software release
Portrait Dialogue 6.1

Configure the Application server (Dialogue Server)

Before you install and configure Dialogue Server, you must configure the required software. This includes creating users and user groups with special permissions, configuring and enabling network COM+ access and network DTC access, and finally configuring database access to support transactions.

• Creating users and user groups
  o Create the system user for COM+ components and services.
• Network COM+ access
  o Allow the Dialogue Server to host COM+ components for distributed applications.
• Network DTC access
  o Allow the DTC process to participate in network transactions.
• Database support for transactions
  o Allow Dialogue Server and the DBMS to communicate using transactions.

Creating users and user groups

Before deploying you should create a service and system user, and a user group, for ease of administering client access to the applications.

Running with local users and groups
This scenario is most common for test and demonstration purposes.
1. Create one local user account with administrator rights. Example: MhSystemUser
2. Create one local user group. Example: MhUsers

Running with domain users and groups
This scenario is most common for production purposes.
1. Create one domain user account with local administrator rights. Example: YourDomain\MhSystemUser
2. Create one domain user group. Example: YourDomain\MhUsers

Configure Windows 2008 server

Enabling network COM+ access and network DTC access on a Windows 2008 server.

Network COM+ access
By default, network COM+ access is disabled in Windows Server 2008; COM+ can only be used locally. Open “Server Manager” from “Administrative Tools”, click on the “Application Server” node and make sure the “COM+ Network Access” role service is installed.

Open “Component Services” from “Administrative Tools”, right click on the “My Computer” node in the tree and choose “Properties”.
• On the Default Properties tab, make sure “Enable Distributed COM on this computer” is enabled.
• On the MSDTC tab, make sure “Use local coordinator” is enabled.

Network DTC access
By default, network DTC access is disabled on Windows Server 2008. When network DTC access is not enabled on the server, applications can only use transactions that stay on the local computer. For example, transactions cannot flow from a local computer to a database that runs on a separate computer.

Open “Server Manager” from “Administrative Tools”, click on “Application Server” and make sure the “Distributed Transactions” role service is installed.

To enable network DTC access, open “Component Services” from “Administrative Tools”, expand the “My Computer” node, then the “Distributed Transaction Coordinator” node, right click on the “Local DTC” node and choose “Properties”. On the MSDTC tab, click the Security Configuration button and make sure “Network DTC Access” is enabled.
Also check that “Allow Inbound” and “Allow Outbound” are enabled. (Authentication choices are discussed later in this document, under “Disable RPC Security for MSDTC Service on both servers”.)

Transaction timeout
By default, the transaction timeout is 60 seconds on Windows Server 2008. Since Portrait Dialogue transactions often run for longer, this value should be changed to 0, which means transactions never time out. To set the transaction timeout, open “Component Services” from “Administrative Tools”, right click on the “My Computer” node in the tree and choose “Properties”. On the Options tab, set Transaction timeout to 0.

User and user group access
Add the user group you created under “Creating users and user groups” to the local user group “Distributed COM Users”.

Server Components
After you have installed Dialogue Server successfully, a COM+ application named “MH Dialog Server” is installed under COM+ Applications in Component Services. To verify the installation, check the following:
• Verify that the COM+ components appear in the left window (the original document shows a screenshot here).
• Right click on the “MH Dialog Server” node and choose “Properties”. On the Security tab, make sure “Enforce access checks for this application” is NOT checked.
• On the Identity tab, make sure the account for the application is the user account you created under “Creating users and user groups”.

Configure Windows 2012 server

Enabling network COM+ access and network DTC access on a Windows 2012 server.

Network COM+ access
By default, network COM+ access is disabled in Windows Server 2012; COM+ can only be used locally. Open “Server Manager”, select the “Local Server” node, scroll down to “Roles and features” and make sure the “COM+ Network Access” role service is installed.
Open “Component Services”, right click on the “My Computer” node in the tree and choose “Properties”.
• On the Default Properties tab, make sure “Enable Distributed COM on this computer” is enabled.
• On the MSDTC tab, make sure “Use local coordinator” is enabled.

Network DTC access
By default, network DTC access is disabled on Windows Server 2012. When network DTC access is not enabled on the server, applications can only use transactions that stay on the local computer. For example, transactions cannot flow from a local computer to a database that runs on a separate computer.

Open “Server Manager”, select the “Local Server” node, scroll down to “Roles and features” and make sure the “Distributed Transactions” role service is installed.

To enable network DTC access, open “Component Services”, expand the “My Computer” node, then the “Distributed Transaction Coordinator” node, right click on the “Local DTC” node and choose “Properties”. On the MSDTC tab, click the Security Configuration button and make sure “Network DTC Access” is enabled. Also check that “Allow Inbound” and “Allow Outbound” are enabled. (Authentication choices are discussed later in this document, under “Disable RPC Security for MSDTC Service on both servers”.)

Transaction timeout
By default, the transaction timeout is 60 seconds on Windows Server 2012. Since Portrait Dialogue transactions often run for longer, this value should be changed to 0, which means transactions never time out. To set the transaction timeout, open “Component Services”, right click on the “My Computer” node in the tree and choose “Properties”. On the Options tab, set Transaction timeout to 0.
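The settings behind the Local DTC “Security Configuration” dialog described for Windows 2008 and 2012 above (Network DTC Access, Allow Inbound, Allow Outbound) and the authentication choice described later under “Disable RPC Security for MSDTC Service on both servers” are stored in the registry, so they can be audited from a script instead of by clicking through Component Services. The following PowerShell script is an added example and is not part of the Portrait documentation. It assumes the default, non-clustered Local DTC, whose values live under HKLM\SOFTWARE\Microsoft\MSDTC and HKLM\SOFTWARE\Microsoft\MSDTC\Security (clustered DTC instances keep them in the cluster registry), and it reports “No Authentication Required” as a finding so that a coordinator left without RPC authentication is a deliberate choice rather than a leftover.

```powershell
# Added example, not from the Portrait documentation. Reads the registry values
# behind the Local DTC "Security Configuration" dialog and reports whether they
# match what this guide asks for. Assumes a non-clustered Local DTC; run in an
# elevated PowerShell prompt on the Dialogue Server.

$securityKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'
$dtcKey      = 'HKLM:\SOFTWARE\Microsoft\MSDTC'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # A missing value is reported as 0, which is also the "disabled" default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

function Get-DtcAuthenticationLevel {
    # Map the three RPC security values onto the radio buttons in the dialog
    # (the combinations are the ones listed under "Disable RPC Security").
    $secure   = Get-RegDword $dtcKey 'AllowOnlySecureRpcCalls'
    $fallback = Get-RegDword $dtcKey 'FallbackToUnsecureRPCIfNecessary'
    $off      = Get-RegDword $dtcKey 'TurnOffRpcSecurity'
    if ($off -eq 1)                         { return 'No Authentication Required' }
    if ($secure -eq 1 -and $fallback -eq 0) { return 'Mutual Authentication Required' }
    if ($secure -eq 0 -and $fallback -eq 1) { return 'Incoming Caller Authentication Required' }
    return "Unrecognised combination (AllowOnlySecureRpcCalls=$secure, Fallback=$fallback, TurnOff=$off)"
}

function Test-DtcNetworkSettings {
    $checks = @(
        @{ Name = 'NetworkDtcAccess';             Expected = 1 }   # "Network DTC Access" checkbox
        @{ Name = 'NetworkDtcAccessTransactions'; Expected = 1 }   # parent of Allow Inbound/Outbound
        @{ Name = 'NetworkDtcAccessInbound';      Expected = 1 }   # "Allow Inbound"
        @{ Name = 'NetworkDtcAccessOutbound';     Expected = 1 }   # "Allow Outbound"
    )
    $results = @(foreach ($c in $checks) {
        $actual = Get-RegDword $securityKey $c.Name
        [pscustomobject]@{
            Setting = $c.Name
            Actual  = $actual
            OK      = ($actual -eq $c.Expected)
        }
    })
    $auth = Get-DtcAuthenticationLevel
    $results += [pscustomobject]@{
        Setting = 'AuthenticationLevel'
        Actual  = $auth
        # Flag the no-authentication mode: it is the fallback for non-domain
        # setups later in this guide, and should never be left on by accident.
        OK      = ($auth -ne 'No Authentication Required')
    }
    return $results
}

Test-DtcNetworkSettings | Format-Table -AutoSize
```

Any row with OK set to False points at the checkbox or radio button in the dialog that still needs changing; remember that the guide requires a reboot after changing the RPC security values. On Windows Server 2012 and later the MSDTC PowerShell module exposes the same settings through Get-DtcNetworkSetting, but the registry read above also works on Windows Server 2008.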
User and user group access
Add the user group you created under “Creating users and user groups” to the local user group “Distributed COM Users”.

Server Components
After you have installed Dialogue Server successfully, a COM+ application named “MH Dialog Server” is installed under COM+ Applications in Component Services. To verify the installation, check the following:
• Verify that the COM+ components appear in the left window (the original document shows a screenshot here).
• Right click on the “MH Dialog Server” node and choose “Properties”. On the Security tab, make sure “Enforce access checks for this application” is NOT checked.
• On the Identity tab, make sure the account for the application is the user account you created under “Creating users and user groups”.

Configure database access on application server

Portrait Dialogue supports running on multiple DBMS systems. Currently supported DBMS systems are:
• Microsoft SQL Server
• Oracle DBMS system

The Dialogue Server connects to the DBMS system using the system’s standard OLE DB driver. In addition, this communication must support distributed transactions. Support for transactions is handled differently on Microsoft and Oracle systems. The Dialogue Server and the database server can be set up on the same physical server, also referred to as a “stand alone system”, or on two separate servers; both setups require support for transactions to be able to communicate successfully.

Dialogue Server and Database server on same physical server
Checkpoints when running a “stand alone system”:

Microsoft SQL Server: Make sure you have installed the client tools. This is normally done during a standard setup of the database server. As long as you have configured the server as described in this document, no more configuration is required.

Oracle DBMS system: Make sure you have installed the following:
• Oracle Provider for OLE DB driver.
• Oracle Services for Microsoft Transaction Server.
Both of these packages are part of the client setup. Also make sure you apply the latest patches for these components. To verify that these components are installed, run the “Oracle Universal Installer” and press the “Installed Products” button.

Dialogue Server and Database server on separate physical servers
Checkpoints when running Dialogue and database servers on two different servers. If the servers are separated by a firewall or are located on different domains, special setup is required. This is explained in detail under “Scenarios requiring special configuration” in this document.

Microsoft SQL Server: Make sure you have installed the client tools on the application server, and have configured the application server as described under “Configure the Application server (Dialogue Server)”. Also make sure that you have enabled “network COM+ access” and “network DTC access” on the database server.

Oracle DBMS system: Make sure you have installed the Oracle client on the application server, including the following components:
1. Oracle Provider for OLE DB driver.
2. Oracle Services for Microsoft Transaction Server.
Both of these packages are part of the client setup. Also make sure you apply the latest patches for these components. To verify that these components are installed, run the “Oracle Universal Installer” and press the “Installed Products” button. No special configuration is required for the database server.

Connecting clients to Dialogue Server

The Win32 clients Visual Dialogue, Dialogue Admin and Process Monitor communicate with the Dialogue Server through DCOM. This communication requires special user permissions on the Dialogue Server. Make sure the Dialogue Server is working correctly before attempting to connect with remote clients. You can test your server by running Dialogue Admin locally on the server.
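Besides running Dialogue Admin locally, the COM+ side of the server setup from the Windows 2008 and 2012 chapters (Distributed COM enabled, transaction timeout 0, the “Distributed COM Users” membership, and the “MH Dialog Server” application running as the system user without access checks) can be verified through the COM+ administration catalog before any remote client is tried. The following PowerShell script is an added example, not part of the Portrait documentation or product; the application name “MH Dialog Server” and the group name come from this guide, while $expectedIdentity is a placeholder for the system user you created. The catalog property names (DCOMEnabled, TransactionTimeout, ApplicationAccessChecksEnabled, Identity) are those of the COMAdmin catalog’s LocalComputer and Applications collections.

```powershell
# Added example, not from the Portrait documentation. Verifies the COM+ settings
# this guide asks for on the Dialogue Server via the COM+ admin catalog, plus the
# membership of the "Distributed COM Users" local group. Run elevated.

$expectedIdentity = 'YourDomain\MhSystemUser'   # placeholder: the system user you created
$applicationName  = 'MH Dialog Server'           # COM+ application installed by Dialogue Server
$dcomUsersGroup   = 'Distributed COM Users'

$catalog = New-Object -ComObject 'COMAdmin.COMAdminCatalog'

function Get-ComPlusComputerSettings {
    # The LocalComputer collection holds the "My Computer" property sheet values.
    $computer = $catalog.GetCollection('LocalComputer')
    $computer.Populate()
    $item = $computer.Item(0)
    [pscustomobject]@{
        DCOMEnabled        = [bool]$item.Value('DCOMEnabled')       # Default Properties tab
        TransactionTimeout = [int]$item.Value('TransactionTimeout') # Options tab, in seconds
    }
}

function Get-ComPlusApplicationSettings {
    param([string]$Name)
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()
    foreach ($app in $apps) {
        if ($app.Name -eq $Name) {
            return [pscustomobject]@{
                Name                = $app.Name
                AccessChecksEnabled = [bool]$app.Value('ApplicationAccessChecksEnabled') # Security tab
                Identity            = [string]$app.Value('Identity')                    # Identity tab
            }
        }
    }
    return $null
}

function Get-LocalGroupMembers {
    param([string]$Group)
    # "net localgroup" exists on every Windows Server version this guide covers.
    # Member names follow the dashed separator line; the final line is the
    # (English) completion message, which is skipped.
    $lines = @(& net localgroup $Group 2>$null)
    $sep = 0
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^-{5,}$') { $sep = $i + 1; break }
    }
    if ($sep -eq 0) { return @() }
    return $lines[$sep..($lines.Count - 1)] | Where-Object { $_.Trim() -and $_ -notmatch 'completed' }
}

function Test-DialogueServerComPlus {
    $computer = Get-ComPlusComputerSettings
    $app      = Get-ComPlusApplicationSettings -Name $applicationName
    $members  = @(Get-LocalGroupMembers -Group $dcomUsersGroup)
    $findings = @()
    if (-not $computer.DCOMEnabled)         { $findings += 'Distributed COM is disabled on this computer' }
    if ($computer.TransactionTimeout -ne 0) { $findings += "Transaction timeout is $($computer.TransactionTimeout) s; guide expects 0" }
    if ($null -eq $app) {
        $findings += "COM+ application '$applicationName' not found; install Dialogue Server first"
    } else {
        if ($app.AccessChecksEnabled)            { $findings += "'Enforce access checks' is enabled on $applicationName" }
        if ($app.Identity -ne $expectedIdentity) { $findings += "$applicationName runs as '$($app.Identity)', expected '$expectedIdentity'" }
    }
    if ($members.Count -eq 0) { $findings += "'$dcomUsersGroup' has no members; add the MhUsers group" }
    return $findings
}

$result = Test-DialogueServerComPlus
if ($result.Count -eq 0) { 'All COM+ checks passed' } else { $result }
```

Each finding names the Component Services tab where the setting is changed; an empty result means the server matches the checklist in the Windows 2008 and 2012 chapters and client connection problems are more likely to lie in group membership on the client side, domain policy, or the firewall.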
If the clients and the Dialogue Server are separated by a firewall, special setup is required. This is explained in detail later in this document. DTC uses Remote Procedure Call (RPC) dynamic port allocation. By default, RPC dynamic port allocation randomly selects port numbers above 1024, in addition to port 135 (the RPC endpoint mapper port).

Clients and Dialogue Server on same windows domain
This is the most common setup and requires minimal configuration. Simply add the Windows users to the domain group “YourDomain\MhUsers” created under “Creating users and user groups”. Please note that special settings for Group Policy, firewalls etc. in your domain can prevent you from connecting successfully. If you cannot connect after giving your Windows user account the rights described here, verify that your domain policies are not preventing DCOM communication between your computer and the Dialogue Server.

Clients and Dialogue Server on different windows domains
This setup requires more configuration on client and server. If you search the web for this topic you will find thousands of newsgroup articles about this problem. It is possible to configure this by changing security settings on your machines, but these changes will have an impact on overall security and are therefore not recommended. We recommend creating local users on the application server instead. Three different scenarios are described below.

Scenario 1 – Client is member of a domain, Dialogue Server is not
Create a local Windows user account on the Dialogue Server with the same username and password as the client’s domain user. Add this user to the group “MhUsers” on the Dialogue Server, created under “Creating users and user groups”.

Scenario 2 – Dialogue Server is member of a domain, client is not
Create a local Windows user account on the Dialogue Server with the same username and password as the client’s local user. Add this user to the domain group “YourDomain\MhUsers” on the Dialogue Server, created under “Creating users and user groups”.
Scenario 3 – Client and Dialogue Server are members of different domains
In this scenario you have two options:
1. Create a local Windows user account on the Dialogue Server with the same username and password as the client’s domain user (from the other domain). Add this user to the domain group “YourDomain\MhUsers” on the Dialogue Server, created under “Creating users and user groups”.
2. Establish a trust relationship between the domains and add users to the domain group “YourDomain\MhUsers” on the Dialogue Server, created under “Creating users and user groups”.

Scenarios requiring special configuration

Configuring DTC to Work Through a Firewall
This scenario applies to both client – Dialogue Server and Dialogue Server – database server communication. The Dialogue Server – database server communication is only applicable when you use Microsoft SQL Server, and NOT when you use Oracle DBMS.

You can configure DTC to communicate through firewalls, including network address translation firewalls. DTC uses Remote Procedure Call (RPC) dynamic port allocation. By default, RPC dynamic port allocation randomly selects port numbers above 1024. By modifying the DTC setup, you can control which ports RPC dynamically allocates for incoming communication. You can then configure your firewall to confine incoming external communication to only those ports and port 135 (the RPC Endpoint Mapper port). You must provide one incoming dynamic port for DTC. You may need to provide additional incoming dynamic ports for other subsystems that rely on RPC.

General
DTC requires that you are able to resolve computer names by way of NetBIOS or DNS. You can test whether or not NetBIOS can resolve the names by using ping and the server name. The client computer must be able to resolve the name of the server, and the server must be able to resolve the name of the client.
If NetBIOS cannot resolve the names, you can add entries to the LMHOSTS files on the computers.

To configure client – server communication you only need to change DTC settings on the application server. For application server – database server communication you need to change DTC settings on both servers.

Setup of DTC
To control RPC dynamic port allocation, open “Component Services”. Right click on “My Computer” and choose “Properties”. On the “Default Protocols” tab, make sure the TCP/IP protocol is at the top of the list. Select it and add the port range (the original document shows a screenshot here). Microsoft recommends that you open ports from 5000 and up, and that you open a minimum of 15 to 20 ports. You must reboot the server to apply these settings.

Setup of firewall
The firewall must be open in both directions for the specified ports (TCP/IP) and for port 135 (UDP).

Configuring DTC to work across non-domain environments
This chapter applies to scenarios like:
• The application server (Dialogue Server) is a member of a domain, but the SQL Server is not.
• Neither the application server nor the database server is a member of a domain.
• The servers are members of different domains with no trust relationship established.

Enable Network DTC Access on both servers
See “Configure the Application server (Dialogue Server)” for how to do this.

Install the SQL Server Client Tools on both servers
The SQL Client Tools can be found on the SQL Server CD. During setup, ensure that the MSDTC option is checked.

Enable NETBIOS across all machines
Alternatively, you can add entries in the HOSTS file (c:\windows\system32\drivers\etc) so that the machines can be pinged by server name. See the comments in the HOSTS file for more information on how to accomplish this. DTC requires that you are able to resolve computer names by way of NetBIOS or DNS. You can test whether or not NetBIOS can resolve the names by using ping and the server name.
The client computer must be able to resolve the name of the server, and the server must be able to resolve the name of the client. If NetBIOS cannot resolve the names, you can add entries to the LMHOSTS files on the computers.

Disable RPC Security for MSDTC Service on both servers
Select “No Authentication Required” in Security Configuration.

“No Authentication Required” as explained by Microsoft: You can use No Authentication Required to resolve a situation where the Distributed Transaction Coordinator services are running on computers that are in domains that do not have a trust relationship established. Additionally, you can use No Authentication Required to resolve a situation where the Distributed Transaction Coordinator services are running on computers that are members of a workgroup.

“No Authentication Required” affects the following registry entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC:

Value name: AllowOnlySecureRpcCalls
Value type: REG_DWORD
Value data: 0

Value name: FallbackToUnsecureRPCIfNecessary
Value type: REG_DWORD
Value data: 0

Value name: TurnOffRpcSecurity
Value type: REG_DWORD
Value data: 1

Note: On a server cluster, these registry entries are located in the shared cluster registry. You must reboot the server to apply these settings.

Configure DTC on a Windows Server cluster
If your application server and/or database server is installed on a cluster, special setup is required for Microsoft Distributed Transaction Coordinator. Please read the following Microsoft articles thoroughly:
http://technet.microsoft.com/en-us/library/cc755269.aspx
http://msdn.microsoft.com/en-us/library/dd897479.aspx

Cloning Windows DTC Servers
IT departments often use cloning tools to roll out new servers. If you clone a server you should always make sure the machines have unique identities.
If they have the same identity, the DTC services are unable to communicate and you will get the following error in the event log:

  The local MS DTC detected that the MS DTC on “CLONED SERVER” has the same unique identity as the local MS DTC. This means that the two MS DTC will not be able to communicate with each other. This problem typically occurs if one of the systems were cloned using unsupported cloning tools. MS DTC requires that the systems be cloned using supported cloning tools such as SYSPREP.

Running 'msdtc -uninstall', rebooting, and then running 'msdtc -install' from the command prompt will fix the problem.
Note: Running 'msdtc -uninstall' will result in the system losing all MS DTC configuration information.
Note: On Windows Server 2008 with UAC enabled, the commands must be run as administrator.

Essential test Utilities

Microsoft support tends to use three core utilities for debugging MSDTC transactions and associated errors:
1. DTCPing – download from and documented at http://support.microsoft.com/kb/306843/en-us. Use the DTCPing tool to verify distributed transaction support across firewalls or against networks. The DTCPing tool must be installed on both the client and server computer and is a good alternative to the DTCTester utility when SQL Server is not installed on either computer.
2. DTCTester – download from and documented at http://support.microsoft.com/kb/293799/en-us. Use the DTCTester tool to verify distributed transaction support across firewalls or against networks. The DTCTester utility uses ODBC to verify transaction support against a SQL Server database and therefore requires that SQL Server is installed on one of the computers being tested.
3. NetMon – found on Windows setup disks or the resource kit.
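Before reaching for DTCPing or DTCTester, the prerequisites from the firewall, non-domain and cloning chapters above can be checked from either machine of a pair (client and Dialogue Server, or Dialogue Server and SQL Server). The following PowerShell script is an added example and is not part of the Portrait documentation. It reads the RPC dynamic port range behind the “Default Protocols” tab from its registry location HKLM\SOFTWARE\Microsoft\Rpc\Internet (values Ports, PortsInternetAvailable and UseInternetPorts) and checks it against the recommendation of at least 15 ports starting at 5000 or higher, verifies that the peer name resolves and that the RPC endpoint mapper answers on TCP 135 (the mapper listens on TCP, so the firewall rule for port 135 must cover TCP alongside the dynamic range), and scans the Application event log for the “same unique identity” message quoted under “Cloning Windows DTC Servers”. $peer is a placeholder for the other computer.

```powershell
# Added example, not from the Portrait documentation. Pre-flight checks for the
# firewall / non-domain / cloning chapters of this guide, run from one machine of
# a pair against the other. Run elevated; adjust $peer to the other computer.

$peer = 'PEER-SERVER-NAME'   # placeholder: the other computer in the pair

function Get-RpcInternetPortRange {
    # Returns Start/End/Enabled for the configured range, or $null if none is set.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.Ports) { return $null }
    # Ports is REG_MULTI_SZ; this guide configures a single "start-end" entry.
    $first = @($props.Ports)[0]
    if ($first -match '^(\d+)-(\d+)$') {
        return [pscustomobject]@{
            Start   = [int]$Matches[1]
            End     = [int]$Matches[2]
            Enabled = ($props.UseInternetPorts -eq 'Y' -and $props.PortsInternetAvailable -eq 'Y')
        }
    }
    return $null
}

function Test-RpcPortRange {
    param($Range)
    if ($null -eq $Range) { return 'No RPC port range configured on the Default Protocols tab' }
    $count  = $Range.End - $Range.Start + 1
    $issues = @()
    if (-not $Range.Enabled)   { $issues += 'Range is present but not marked as internet-available' }
    if ($Range.Start -lt 5000) { $issues += "Range starts at $($Range.Start); Microsoft recommends 5000 or higher" }
    if ($count -lt 15)         { $issues += "Range has only $count ports; open at least 15 to 20" }
    if ($issues.Count -eq 0)   { return "Firewall must allow TCP $($Range.Start)-$($Range.End) plus port 135, in both directions" }
    return $issues
}

function Test-PeerNameResolution {
    param([string]$Name)
    # Uses the same resolver chain (DNS, HOSTS, NetBIOS/LMHOSTS) that ping uses.
    try {
        $entry = [System.Net.Dns]::GetHostEntry($Name)
        return "$Name resolves to $($entry.AddressList -join ', ')"
    } catch {
        return "$Name does not resolve: add it to DNS, LMHOSTS or HOSTS as described above"
    }
}

function Test-EndpointMapper {
    param([string]$Name, [int]$Port = 135, [int]$TimeoutMs = 3000)
    # TCP connect only, no RPC traffic; the endpoint mapper listens on TCP 135.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Name, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return "TCP $Port on $Name : no answer within $TimeoutMs ms (filtered by a firewall?)"
        }
        $client.EndConnect($async)
        return "TCP $Port on $Name : reachable"
    } catch {
        return "TCP $Port on $Name : refused or unreachable ($($_.Exception.Message))"
    } finally {
        $client.Close()
    }
}

function Get-DtcDuplicateIdentityEvents {
    # Matches on the message text quoted in "Cloning Windows DTC Servers" rather
    # than on an event id, so the check does not depend on a specific OS build.
    Get-WinEvent -LogName Application -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*same unique identity as the local MS DTC*' } |
        Select-Object TimeCreated, Id, Message
}

Test-RpcPortRange (Get-RpcInternetPortRange)
Test-PeerNameResolution $peer
Test-EndpointMapper $peer
Get-DtcDuplicateIdentityEvents
```

Run it on both machines of the pair, since DTC needs name resolution and port reachability in both directions; a clean result here narrows a remaining failure down to DTC itself, which is where DTCPing and DTCTester take over. Any duplicate-identity event returned by the last function calls for the msdtc -uninstall / -install procedure from the cloning chapter, not for firewall changes.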