Configuring Roles

Configuring roles for your server Page 1 of 55
Configuring roles for your server

The Configure Your Server Wizard provides a central location from which you can install or remove the server roles
available on a server running Windows Server 2003. After installing a server role you can use Manage Your Server
to manage that role.
Manage Your Server provides a central location from which you can manage the server roles installed through the
Configure Your Server Wizard. Manage Your Server starts automatically the first time you log on to your server
computer with administrative credentials.
Server roles
Typical setup for a first server
File server role: Configuring a file server
Print server role: Configuring a print server
Application server role: Configuring an application server
Mail server role: Configuring a mail server
Terminal server role: Configuring a terminal server
Remote access/VPN server role: Configuring a remote access/VPN server
Domain controller role: Configuring a domain controller
DNS server role: Configuring a DNS server
DHCP server role: Configuring a DHCP server
Streaming media server role: Configuring a streaming media server
WINS server role: Configuring a WINS server
To remove a server role
Note
This feature is not included on computers running the Microsoft® Windows® Server 2003, Web Edition,
operating system. For more information, see Overview of Windows Server 2003, Web Edition.
Server roles
The Windows Server 2003 family provides several server roles. To configure a server role, install the server role by
using the Configure Your Server Wizard and manage your server roles by using Manage Your Server. After you
finish installing a server role, Manage Your Server starts automatically.
To determine which server role is appropriate for you, review the following information about the server roles that
are available with the Windows Server 2003 family:
File server role overview
Print server role overview
Application server role overview
Mail server role overview
Terminal server role overview
Remote access/VPN server role overview
Domain controller role overview
DNS server role overview
DHCP server role overview
Streaming media server role overview
WINS server role overview
File server role overview

File servers provide and manage access to files. If you plan to use disk space on this computer to store, manage,
and share information such as files and network-accessible applications, configure this computer as a file server.
After configuring the file server role, you can do the following:
Use disk quotas on volumes formatted with the NTFS file system to monitor and limit the amount of disk space
available to individual users. You can also specify whether to log an event when a user exceeds the specified
file://D:\Documents%20and%20Settings\Administrator\Local%20Settings\Temp\~hhDA... 10/28/2010
disk space limit or when a user exceeds the specified disk space warning level (that is, the point at which a user
is nearing his or her quota limit).
Use Indexing Service to quickly and securely search for information, either locally or on the network.
Search in files that are in different formats and languages, either through the Search command on the Start
menu or through HTML pages that users view in a browser.
For more information about implementing this server role, see File server role: Configuring a file server.
Print server role overview

Print servers provide and manage access to printers. If you plan to manage printers remotely, manage printers by
using Windows Management Instrumentation (WMI), or print from a server or client computer to a print server by
using a URL, configure this computer as a print server.
After configuring the print server role, you can do the following:
Use a browser to manage printers. You can pause, resume, or delete a print job, and view the printer and print
job's status.
Use the new standard port monitor, which simplifies installation of most TCP/IP printers on your network.
Use Windows Management Instrumentation (WMI), which is the management API created by Microsoft that
enables you to monitor and control all system components, either locally or remotely. The WMI Print Provider
enables you to manage print servers, print devices, and other printing-related objects from the command line.
With WMI Print Provider, you can use Visual Basic (VB) scripts to perform administrative printer functions. For
more information, see Windows Management Instrumentation Command-line (WMIC) tool.
Print from Windows XP clients to print servers running Windows Server 2003 by using a Uniform Resource
Locator (URL).
Connect to printers on your network by using Web point-and-print for single-click installation of a shared
printer. You can also install drivers from a Web site.
For more information about implementing this server role, see Print server role: Configuring a print server.
Application server role overview

An application server is a core technology that provides key infrastructure and services to applications hosted on a
system. Typical application servers include the following services:
Resource pooling (for example, database connection pooling and object pooling)
Distributed transaction management
Asynchronous program communication, typically through message queuing
A just-in-time object activation model
Automatic XML Web Service interfaces to access business objects
Failover and application health detection services
Integrated security
The Windows Server 2003 family includes an application server that contains all of this functionality and other
services for development, deployment, and runtime management of XML Web services, Web applications, and
distributed applications.
When you configure this server as an application server you will be installing Internet Information Services (IIS)
along with other optional technologies and services such as COM+ and ASP.NET. Together, IIS and the Windows
Server 2003 family provide integrated, reliable, scalable, secure, and manageable Web server capabilities over an
intranet, the Internet, or through an extranet. IIS is a tool for creating a strong communications platform of
dynamic network applications.
For more information about implementing this server role, see Application server role: Configuring an application
server.
Mail server role overview

To provide e-mail services to users, you can use the Post Office Protocol 3 (POP3) and Simple Mail Transfer
Protocol (SMTP) components included with the Windows Server 2003 family. The POP3 service implements the
standard POP3 protocol for mail retrieval, and you can pair it with the SMTP service to enable mail transfer. If you
plan to have clients connect to this POP3 server and download e-mail to local computers by using a POP3 capable
mail client, configure this server as a mail server.

After configuring the mail server role, you can do the following:
Use the POP3 service to store and manage e-mail accounts on the mail server.
Enable user access to the mail server so that users can retrieve e-mail from their local computer by using an
e-mail client that supports the POP3 protocol (for example, Microsoft Outlook).
For more information about implementing this server role, see Mail server role: Configuring a mail server.
Terminal server role overview

With Terminal Server, you can provide a single point of installation that gives multiple users access to any
computer that is running a Windows Server 2003 operating system. Users can run programs, save files, and use
network resources all from a remote location, as if these resources were installed on their own computer.
After configuring the terminal server role, you can do the following:
Confirm Internet Explorer Enhanced Security Configuration settings.
Centralize the deployment of programs on one computer.
Ensure that all clients use the same version of a program.
Important
In addition to configuring a terminal server, you must install Terminal Server Licensing and configure a Terminal
Server License Server. Otherwise, your terminal server will stop accepting connections from unlicensed clients
when the evaluation period ends 120 days after the first client logon. For more information about Terminal
Server Licensing, see Terminal Server Licensing.
For more information about implementing this server role, see Terminal server role: Configuring a terminal server.
Remote access/VPN server role overview

Routing and Remote Access provides a full-featured software router and both dial-up and virtual private network
(VPN) connectivity for remote computers. It offers routing services for local area network (LAN) and wide area
network (WAN) environments. It also enables remote or mobile workers to access corporate networks as if they
were directly connected, either through dial-up connection services or over the Internet by using VPN connections.
If you plan to connect remote workers to business networks, configure this server as a remote access/VPN server.
Remote access connections enable all of the services that are typically available to a LAN-connected user, including
file and print sharing, Web server access, and messaging.
After configuring the remote access/VPN server role, you can do the following:
Control how and when remote users access your network.
Provide network address translation (NAT) services for the computers on your network.
Create custom networking solutions using application programming interfaces (APIs).
For more information about implementing this server role, see Remote access/VPN server role: Configuring a
remote access/VPN server.
Domain controller role overview

Domain controllers store directory data and manage communication between users and domains, including user
logon processes, authentication, and directory searches. If you plan to provide the Active Directory directory
service to manage users and computers, configure this server as a domain controller.
Notes
You cannot add the domain controller role to a certification authority (CA). If your computer is already a CA, the
domain controller role is not available in the Configure Your Server Wizard.
Computers running Windows Server 2003, Web Edition, cannot function as domain controllers. For more
information about Windows Server 2003, Web Edition, see Overview of Windows Server 2003, Web Edition.
After configuring the domain controller role, you can do the following:
Store directory data and make this data available to network users and administrators. Active Directory stores
information about user accounts (for example, names, passwords, phone numbers, and so on), and enables
other authorized users on the same network to access this information.
Add additional domain controllers to an existing domain to improve the availability and reliability of network
services.
Improve network performance between sites by placing a domain controller in each site. With a domain
controller in each site, you can handle client logon processes within the site without using the slower network
connection between sites.
For more information about implementing this server role, see Domain controller role: Configuring a domain
controller.
DNS server role overview

The Domain Name System (DNS) is the TCP/IP name resolution service that is used on the Internet. The DNS
service enables client computers on your network to register and resolve user-friendly DNS names. If you plan to
make resources in your network available on the Internet, configure this server as a DNS server.
Important
If you plan to include computers on the Internet on your network, use a unique DNS domain name. For more
information about DNS namespace planning, see Namespace planning for DNS.
After configuring the DNS server role, you can do the following:
Host records of a distributed DNS database and use these records to answer DNS queries sent by DNS client
computers, such as queries for the names of Web sites or computers in your network or on the Internet.
Name and locate network resources using user–friendly names.
Control name resolution for each network segment and replicate changes to either the entire network or globally
on the Internet.
Reduce DNS administration by dynamically updating DNS information.
For more information about implementing this server role, see DNS server role: Configuring a DNS server.
DHCP server role overview

Dynamic Host Configuration Protocol (DHCP) is an IP standard designed to reduce the complexity of administering
address configurations by using a server computer to centrally manage IP addresses and other related
configuration details used on your network. If you plan to perform multicast address allocation, and obtain client IP
address and related configuration parameters dynamically, configure this server as a DHCP server.
After configuring the DHCP server role, you can do the following:
Centrally manage IP addresses and related information.
Use DHCP to prevent address conflicts by preventing a previously assigned IP address from being used again to
configure a new computer on the network.
Configure your DHCP server to supply a full range of additional configuration values when assigning address
leases. This will greatly decrease the time you spend configuring and reconfiguring computers on your network.
Use the DHCP lease renewal process to ensure that client configurations that need to be updated often (such as
users with mobile or portable computers that change locations frequently) can be updated efficiently and
automatically by clients communicating directly with DHCP servers.
For more information about implementing this server role, see DHCP server role: Configuring a DHCP server.
Streaming media server role overview

Streaming media servers provide Windows Media Services to your organization. Windows Media Services manages,
delivers, and archives Windows Media content, including streaming audio and video, over an intranet or the
Internet. If you plan to use digital media in real time over dial-up Internet connections or local area networks
(LANs), configure this server as a streaming media server.
After configuring the streaming media server role, you can do the following:
Provide digital video in real time over networks that range from low-bandwidth, dial-up Internet connections to
high-bandwidth, local area networks (LANs).
Provide streaming digital audio to clients and other servers across the Internet or your intranet.
For more information about implementing this server role, see Streaming media server role: Configuring a
streaming media server.
WINS server role overview

Windows Internet Name Service (WINS) servers map IP addresses to NetBIOS computer names and NetBIOS
computer names back to IP addresses. With WINS servers in your organization, you can search for resources by
computer name instead of IP address, which can be easier to remember. If you plan to map NetBIOS names to IP
addresses or centrally manage the name-to-address database, configure this server as a WINS server.
After configuring the WINS server role, you can do the following:
Reduce NetBIOS–based broadcast traffic on subnets by permitting clients to query WINS servers to directly
locate remote systems.
Support earlier Windows and NetBIOS–based clients on your network by permitting these types of clients to
browse lists for remote Windows domains without requiring a local domain controller to be present on each
subnet.
Support DNS–based clients by enabling those clients to locate NetBIOS resources when WINS lookup integration
is implemented. For more information, see WINS lookup integration.
For more information about implementing this server role, see WINS server role: Configuring a WINS server.
Typical setup for a first server

The following information describes how to install and configure the first server on a network by using the Typical
setup for a first server option in the Configure Your Server Wizard.
Important
Before you configure the first server on a network, see Checklist: Configuring the typical setup for a first server.
The typical setup for a first server will not run if any of the following conditions are met:
The computer is running Windows Server 2003, Datacenter Edition.
The computer is running Windows Server 2003, Web Edition.
The computer is joined to a domain.
The computer is already configured as a domain controller.
The computer is not a domain controller, but the Active Directory Installation Wizard has already been started.
The computer is a certification authority (CA).
The computer is already configured as a DNS server.
The computer is already configured as a DHCP server.
There are zero IP-enabled network adaptors.
There is only one IP-enabled network adaptor and the DHCP lease test succeeds.
The computer is already running Routing and Remote Access.
The computer does not have at least one NTFS partition.
The current session is a remote session.
Typical setup configuration process

The typical setup configuration process implements the following steps:
Installs Active Directory and promotes the computer to a domain controller.
When you promote a server to a domain controller, a domain is automatically created on the network. After you
promote a server to a domain controller, you can then promote other servers to domain controllers. For more
information, see Domain controllers.
When you configure your server using the typical setup for a first server, the local administrator's password is
automatically set as the Restore Mode Administrator password.
Sets up an application naming context in Active Directory on this domain controller for use by Telephony API
(TAPI) client applications. For more information, see Application directory partitions.
Installs Domain Name System (DNS) and creates a full domain name for your network.
DNS is a networking protocol for naming computers and network services that is organized into a hierarchy of
domains. TCP/IP networks, such as the Internet, use DNS naming to locate computers and services through
user-friendly names. When a user enters a DNS name in an application, DNS services can resolve the name to
other information associated with the name, such as an IP address.
For example, most users prefer a friendly name such as server1.example.microsoft.com to locate a computer
such as a mail server or Web server on a network. However, computers use numeric addresses to communicate
over a network. To make it easier to use network resources, DNS provides a way to map the user-friendly name
for a computer or service to its numeric address. For more information, see DNS domain names.
Changes the default NetBIOS name. You can change the default NetBIOS name on this page. For example, if
your Active Directory DNS domain name is yoursmallbusiness.local, the default NetBIOS domain name is
YOURSMALLBUSINE. You may want to change this to CORP or to your own abbreviation for your business name
for ease of use. For more information about NetBIOS, see NetBIOS name resolution.
Assigns a preferred DNS server with the same IP address that you specified for this server. For more
information, see How DNS query works.
Assigns a DNS forwarder. For more information, see Understanding forwarders.
Installs the DHCP Server service.
DHCP uses a client/server model. The network administrator establishes one or more DHCP servers that
maintain TCP/IP configuration information and provide it to clients. With a DHCP server installed and configured
on your network, DHCP–enabled clients can obtain their IP address and related configuration parameters
dynamically each time they start and join your network. DHCP servers provide this configuration in the form of
an address lease offer to requesting clients.
Assigns a static IP address, if one is not already assigned to the private network connection. For more
information, see Name resolution for TCP/IP.
Assigns a subnet mask (that is, if none has been configured on this server). By default, the Configure Your
Server Wizard assigns a subnet mask of 255.255.255.0. For more information, see Subnet masks.
Installs the Routing and Remote Access service (that is, if more than one network connection is detected).
Next steps: Typical setup for a first server

After you complete the Configure Your Server Wizard, the computer is ready for use as the server on your network.
It has been configured as a domain controller, a DNS server, a DHCP server, and possibly as a remote access/VPN
server. For more information about each of these roles, see
Remote access/VPN server role: Configuring a remote access/VPN server
The following table lists some of the additional tasks that you can perform on your server. To manage the new
services on this server, do the following:
To open Administrative Tools, click Start, click Control Panel, and then double-click Administrative Tools.
Note
If you demote this server so that it is no longer a domain controller, you must remove the TAPI application
partition by using the Tapicfg.exe utility. For more information, see To remove a TAPI application directory
partition.
Task Reference
Checklist: Installing a DNS server; To
Make additional configuration changes to the DNS server.
configure a new DNS server
Install additional domain controllers, if necessary. To create an additional domain controller
Configure additional options for the DHCP server. Checklist: Installing a DHCP server
(Optional) Monitor and measure various aspects of the DNS server
Monitoring DNS server performance
to prevent and troubleshoot performance degradation.
(Optional) Monitor and measure various aspects of the DHCP server Monitoring DHCP server performance; DHCP
to prevent and troubleshoot performance degradation. performance monitoring reference
Checklist: Creating an additional domain
(Optional) Install and configure additional domain controllers.
controller in an existing domain
(Optional) Select the appropriate security level for domain
Using the Active Directory Installation Wizard
administration.
File server role: Configuring a file server

A file server provides a central location on your network where you can store and share files with users across your
network. When users require an important file such as a project plan, they can access the file on the file server
instead of having to pass the file between their separate computers. If your network users will need access to the
same files and network-accessible applications, configure this computer as a file server.
This topic explains how to use both the Manage Your Server and the Configure Your Server Wizard to install and
configure a file server. When you have finished setting up a basic file server, you can complete additional tasks by
using Manage Your Server. After you complete the Configure Your Server Wizard, you will have a fully functioning
file server.
This topic covers:
Before you begin
Configuring your file server
Next steps: Completing additional tasks
Before you begin

Before you configure your computer as a file server, verify whether or not:
The operating system is configured correctly. In the Windows Server 2003 family, file services depend on the
appropriate configuration of the operating system and its services. If you have a new installation of a Windows
Server 2003 operating system, you can use the default service settings. No further action is necessary. If you
upgraded to a Windows Server 2003 operating system or you want to confirm that your services are configured
correctly for best performance and security, verify your service settings by comparing them to the table in
Default settings for services.
The computer is joined to an Active Directory domain as a member server. If you want to authenticate clients or
publish a shared folder to Active Directory, the file server must be joined to a domain. If you do not need to
perform either of these tasks, the file server does not need to be joined to a domain.
All available disk space is allocated. You can use Disk Management or DiskPart.exe to create a new partition out
of unallocated space. For more information see, To create a partition or logical drive.
All existing disk volumes use the NTFS file system. FAT32 volumes are not secure, and they do not support file
and folder compression, disk quotas, file encryption, or individual file permissions.
The following table lists the information that you need to know before you add a file server role.
Before adding a file

Comments
server role
Determine whether you Use disk quotas to track and control disk space usage for NTFS volumes on a per-
want to configure disk volume basis. Quotas prevent users from exceeding the designated disk space by
quotas. logging an event when a user exceeds a specified disk space limit.
Indexing Service creates indexes of the contents and properties of documents located
Determine whether you
on your local hard drive or on shared network drives. These indexes enable users to
want to use Indexing
perform faster, easier searches. Indexing Service can slow down the server, so use it
Service.
only if users frequently search the contents of files on this server.
Users view the shared resources on this file server based on file name. It is
Identify the folders that
recommended that you create share names that are easy to remember and indicative
you want to share on the
of the folder contents. For example, suppose users are provided with 2 gigabytes (GB)
computer, and specify a
each for storing their private information on the file server. You might name the top-
folder name and
level folder on your file server Personal Folders, and then name each of the subfolders
description.
according to the user's domain name.
Determine what type of Assign the most restrictive permissions that still allow users to perform required tasks.
permissions you want to Access control on the NTFS file system provides more security than share permissions
set on the folders. alone.
Configuring your file server

To configure a file server, start the Configure Your Server Wizard by doing either of the following:
From Manage Your Server, click Add or remove a role. By default, Manage Your Server starts automatically
when you log on. To open Manage Your Server, click Start, click Control Panel, double-click Administrative
Tools, and then double-click Manage Your Server.
To open the Configure Your Server Wizard, click Start, click Control Panel, double-click Administrative
Tools, and then double-click Configure Your Server Wizard.
On the Server Role page, click File server, and then click Next.
This section covers:
File Server Disk Quotas
File Server Indexing Service
Summary of Selections
Using the Share a Folder Wizard
Completing the Configure Your Server Wizard
Removing the file server role
File Server Disk Quotas

On the File Server Disk Quotas page, you can set up disk quotas, which track and control individual user's
disk space usage on NTFS volumes on a per-volume basis. The Configure Your Server Wizard automatically
applies disk quotas to new users of any NTFS file system, using whatever disk space quota is already applied.
You need to change the information on the File Server Disk Quotas page only if you want to prevent a server
from consuming a certain amount of disk space or if you have a limited amount of disk space. In most cases,
you can accept the default system settings.
If you want to log an event when a user exceeds the specified disk space limit or when a user exceeds the
specified disk space warning level (that is, the point at which a user is nearing his or her quota limit), you can
specify that on this page.
The following table describes the manual configuration options.
Settings Comments
If you want to enable disk quotas, so that you can limit and track disk space
usage on this file server, select this check box.
If you choose to enable disk quotas, you need to set the disk space limit. It is
Set up default disk recommended that you set moderately restrictive default limits for all user
quotas for new accounts, and then modify the limits to allow more disk space for users who work
users of this with large files. For example, users who work with scanned photographs or
server artwork might require large amounts of disk space.
You can also set the warning level so that users are notified when they exceed
the specified disk space limit. If you do not want to use a warning level, set this
number higher than the disk space limit.
Deny disk space to If you want to limit disk space usage on the file server, configure this setting. If
users exceeding you only want to track disk space usage on a per-user basis, leave this setting
disk space limit blank.
Log an event when If you want to log a system event when the user exceeds the disk space limit or
the user exceeds the warning level, configure these settings. You can view system events by using
any of the Event Viewer. To open Event Viewer, click Start, click Control Panel, double-
following click Administrative Tools, and then double-click Event Viewer.
After you finish, click Next.
File Server Indexing Service

On the File Server Indexing Service page, do one of the following:
If users will be searching the contents of the files on the server regularly, click Yes, leave Indexing Service
turned on.
If you want to conserve CPU and memory resources, click No, turn Indexing Service off. Indexing Service
can slow server performance.
Indexing Service provides a fast, easy, and secure way for users to search for information locally or on the
network. Users can search in files in different formats and languages, either through Search on the Start menu
or through HTML pages that they view in a browser.

On the Summary of Selections page, view and confirm the options that you have selected. If you selected File
server on the Server Role page, the following appears:
Install File Server Management
Run the Share a Folder Wizard to add new shared folders or share existing folders
To apply the selections shown on the Summary of Selections page, click Next.
Using the Share a Folder Wizard

After you click Next, the Configure Your Server Wizard starts the Share a Folder Wizard automatically, which
you use to configure shared folders. By sharing resources, you make them available for use by other users on
your network.
Important
Use caution when sharing folders that contain system files and resources. Verify that the folder or resource
that you specify does not contain information that you do not want users to access.
This section describes the following steps in the Share a Folder Wizard:
Folder Path
Name, Description, and Settings
Permissions
Sharing was Successful
Folder Path
On the Folder Path page, specify the path to the folder that you want to share. To search for a folder, click
Browse.
Name, Description, and Settings

On the Name, Description, and Settings page, specify the following information about the shared folder:
In Share name, type the name you want to use for the shared resource. The share name is required. Choose
a name that is short and descriptive, so that it is easy for users to identify.
In Description, type a description of the shared resource. The description is optional. If you are sharing
several resources, descriptions can help you organize and identify those resources. The description you type
appears in the Description column of File Server Management and Shared Folders.
In Offline setting, specify how you want to make the contents of the shared folder available to users when
they are not connected to the network. If you want users to have control over which files are available offline,
you can accept the default. To change the offline setting, click Change. Use the information in the following
table to determine what settings you want to use for your offline files.
Offline setting Comments
Only the files and
programs that users If you want to give users control over which files are available offline, click this
specify will be available option.
offline
If you want to allow all of the files that users open from the shared folder to be
All files and programs that automatically available offline, click this option. If you select the Optimized
users open from the share for performance check box, all programs will be automatically cached so that
will be automatically users can run them locally. This option is especially useful for file servers that
available offline host applications, because it reduces network traffic and improves server
scalability.
Files or programs from the
share will not be available If you want to prevent users from storing files offline, click this option.
offline
Permissions
On the Permissions page, specify the share permissions for the shared folder. To ensure that only authorized
users have access to the information in the folder, you must set permissions on the folder that you created.
Share permissions apply only to users who gain access to the resource over the network. They do not apply to
users who gain access to the resource from the computer where the resource is stored. Use the following table
to determine which share permissions are appropriate.
Share permission Comments

All users have read-only
To restrict all access to read-only, click this option.
access
If you want users to view files and run programs that are located in the
Administrators have full shared resource, click this option. Only members of the Administrators
access; other users have group are allowed to change, add, or delete files. Also, only members of
read-only access the Administrators group are allowed to change the NTFS file permissions
on the shared resource.
Administrators have full
If you want to restrict access to read and write for all users except
access; other users have
members of the Administrators group, click this option.
read and write access
If you want to grant or deny access to specific users or groups, click this
Use custom share and
option. You should assign the most restrictive permissions that still allows
folder permissions
users to perform necessary functions.
After you finish, click Finish.
Sharing was Successful

On the Sharing was Successful page, the Share a Folder Wizard displays a status and summary of your
selections. If you want to share another folder, click the When I click Close, run the wizard again to share
another folder check box. When you finish sharing folders, click Close.

After you complete the Share a Folder Wizard, the Configure Your Server Wizard displays the This Server Is
Now a File Server page. To review all of the changes made to your server by the Configure Your Server Wizard
or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your
Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server
Wizard, click Finish.

If you need to reconfigure your server for a different role, you can remove existing server roles. If you remove
the file server role, files and folders on this server are no longer shared and network users, programs, or hosts
that depend on those shared resources will be unable to connect to them.
To remove the file server role, restart the Configure Your Server Wizard by doing either of the following:
when you log on. To open Manage Your Server, click Start, click Control Panel, double-click
Administrative Tools, and then double-click Manage Your Server.
On the Server Role page, click File server, and then click Next. On the Role Removal Confirmation page,
review the items listed under Summary, select the Remove the file server role check box, and then click
Next. On the File Server Role Removed page, click Finish.

After you complete the Configure Your Server Wizard and create shared resources on the computer, the computer
is ready for use as a basic file server that can store, manage, and share information such as files and network-
accessible applications. Up to this point, you have completed the following tasks:
If necessary, established disk space limits by enabling disk quotas.
If necessary, turned on Indexing Service.

Created shared folders and set share permissions for each folder.
The Configure Your Server Wizard automatically installs File Server Management, which you use to manage your
file server. To open File Server Management, click Start, click Control Panel, double-click Administrative Tools,
and then double-click File Server Management.
The following table lists some of the additional tasks that you can perform on your file server.
Task Purpose of task Reference

Best practices for
Secure the file server. To ensure that your file server is secure.
security
Implement Encrypting To strengthen security of the files and resources on the file Encrypting and
File System (EFS). server. decrypting data
To secure resources on the file server and prevent
Set permissions on To set permissions on a
unauthorized access. Access control on the NTFS file system
shared files and folders. shared resource
provides more security than share permissions alone.
To allow users to store local copies of shared resources, so that To configure offline
Make shared resources
they can access these resources when they are not connected settings for a shared
available offline.
to the network. resource
Enable shadow copies of To enable shadow copies of shared folders, which provide To enable Shadow
shared folders. point-in-time copies of files on network shares. Copies of Shared Folders
Set up a Distributed File To make it easier for users to access and manage files that are Checklist: Creating a
System (DFS). physically distributed across a network. distributed file system
Ensure that the file
To protect data from accidental loss if your system experiences
server is properly Back up data
hardware or storage media failure.
backed up.
To conserve storage space by compressing files, folders, and File compression
Use file compression.
programs. overview
Print server role: Configuring a print server

If you plan to use this computer to manage and share printers, configure this computer as a print server.
Note
This document explains how to use the Configure Your Server Wizard to quickly meet the most basic requirements
of a print server. When you are done setting up a basic print server, you can complete additional configuration
tasks, depending on how you want to use this print server.
This topic covers:
Before you begin
Configuring your print server
Before you begin

Before you configure your server as a print server, verify whether or not:
The operating system is configured correctly. In the Windows Server 2003 family, print services depend on the
Server 2003 operating system, you can use the default service settings. No further action is necessary. If you
upgraded to a Windows Server 2003 operating system or you want to confirm that your services are configured
correctly for best performance and security, verify your service settings by comparing them to the table in
The computer is joined to an Active Directory domain as a member server. If you want to restrict access to a
printer, so that some domain users can print to it and other users cannot, or you want the print server to
publish shared printers to Active Directory so that domain users can easily search for those printers, the print
server must be joined to a domain. If you do not need to perform either of these tasks, the print server does
not need to be joined to a domain.
All existing disk volumes use the NTFS file system. FAT32 volumes are less secure. For more information about
encrypting data stored on NTFS volumes, including spooled print jobs, see Storing Data Securely.
The following table lists the information that you need to know before you add a print server role.
Before adding a print server

Comments
role
You must have this information to select the correct client printer drivers for your
Determine the operating system client and server computers. After you add this role, the print server can
version of the clients that will automatically distribute these drivers to the clients. Additionally, the set of client
send jobs to this printer. operating systems determines which of these drivers you need to install on the
server during the print server role installation.
You need this information to choose the correct printer driver. The manufacturer
At the printer, print a
and model are usually enough to uniquely identify the printer and its language.
configuration or test page that
However, some printers support multiple languages, and the configuration
includes manufacturer, model,
printout usually lists them. Also, the configuration printout often lists installed
language, and installed options.
options, such as extra memory, paper trays, envelope feeders, and duplex units.
If the printer supports Plug and Play and connects to the print server using
infrared technology, a universal serial bus (USB) port, or an IEEE 1394 port, the
print server will configure itself automatically. You do not need to follow the
remaining steps.
Determine how the print server
Otherwise, if the printer is connected to the print server with a cable, note which
connects to the printer.
server port is used. For printers, LPT1 is the most commonly used port.
If the printer is located away from the print server and uses its own network
adapter to receive print jobs, determine the IP address of the network adapter on
the printer.
Most printers are supported by drivers on the installation CD for the Windows
(Optional) Determine whether Server 2003 operating system. To save time, you can often skip this step
you need a new or updated because the wizard that you will use to configure your print server provides
printer driver. compatibility information. If the wizard does not list a driver for your printer, you
can look for an update from the printer manufacturer or Windows Update.
Users running Windows-based client computers choose a printer by using the
printer name. The wizard that you will use to configure your print server provides
Choose a printer name.
a default name, consisting of the printer manufacturer and model. The printer
name is usually less than 31 characters in length.
A user can connect to a shared printer by typing this name, or by selecting it
Choose a share name. from a list of share names. The share name is usually less than 8 characters in
length for compatibility with MS-DOS and Windows 3.x clients.
These can help identify the location of the printer and provide additional
(Optional) Choose a location information. For example, the location could be "Second floor, copy room" and
description and a comment. the comment could be "Additional toner cartridges are available in the supply
room on floor 1."
Configuring your print server

To set up a print server, start the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click Print server, and then click Next.
Printers and Printer Drivers
Using the Add Printer Wizard

Using the Add Printer Driver Wizard
Removing the print server role
Printers and Printer Drivers

On the Printers and Printer Drivers page, do one of the following:
If all of the clients on your network run Windows XP Home Edition, Windows XP Professional, or
Windows 2000, click Windows 2000 and Windows XP clients only.
If any of the clients run Windows XP 64-Bit Edition, Windows NT 4.0, Windows Millennium Edition,
Windows 98, or Windows 95, click All Windows clients.
On the Summary of Selections page, view and confirm the options that you have selected. If you selected
Windows 2000 and Windows XP clients only on the previous page, the following appears:
Add printers to this server using the Add Printer Wizard.
If you selected All Windows clients on the previous page, the following appears:
Add printers to this server using the Add Printer Wizard.
Add printer drivers to this server using the Add Printer Driver Wizard.
To apply the selections shown on the Summary of Selections page, click Next.
Using the Add Printer Wizard

After you click Next, the Configure Your Server Wizard runs the Add Printer Wizard once for each printer that
you want to add. If the wizard finishes and you choose to share at least one printer, your server can be used as
a print server. If you cancel the Add Printer Wizard, the Print Spooler service remains installed. If you cancel the
Add Printer Wizard and no printers are shared, the server does not add the print server role.
Important
If the printer you want to share supports Plug and Play, do not run the Add Printer Wizard. Plug and Play
printers complete the configuration steps in the Add Printer Wizard automatically. If the printer you want to
share supports Plug and Play, click Cancel.
This section describes the following steps in the Add Printer Wizard:
Local or Network Printer
New Printer Detection
Select a Printer Port
Specify a Printer
Install Printer Software
Use Existing Driver
Name Your Printer
Printer Sharing
Location and Comment
Print Test Page
Completing the Add Printer Wizard
Local or Network Printer

On the Local or Network Printer page of the Add Printer Wizard, choose one of the following options:
To configure this print sever to send print jobs directly to the printer, click Local printer attached to this
computer. Typically, print servers send print jobs directly to the printer. A printer with its own network
adapter is considered to be a local printer. If you want to send print jobs directly to a printer with its own
network adapter, click this option.
To configure this print server to forward print jobs to a second print server, click A network printer, or a
printer attached to another computer. For example, you can configure a print server at a branch office to
forward print jobs to a print server in the main office. You might do this if regulations require you to create
printouts of daily transaction logs and store them at the main office. If you want to do this, click this option.
Note
The A network printer, or a printer attached to another computer option is included here because
this dialog box is used on all computers running a Windows Server 2003 operating system so that users
can connect to a network printer. If you need to print from a computer that is not a print server, click A
network printer, or a printer attached to another computer.

After you click Next, one of the following wizard pages appears:
New Printer Detection
If you selected the Automatically detect and install my Plug and Play printer check box and the wizard
is unable to detect any Plug and Play printers, this page appears. Click Next.
To complete the steps on the Select a Printer Port page, see Select a Printer Port.
Select a Printer Port
If you selected Local printer attached to this computer, this page appears.
On the Select a Printer Port page, choose one of the following options:
If a cable connects the printer directly to a port on the print server, under Use the following port, click
the name of that port. LPT1 is the most commonly used port for this type of printer.
If the printer has its own network adapter and you want to send print jobs to the printer through the
network, click Create a new port, and then click the type of port that you want to create. If you do not
know what type of port to create, Standard TCP/IP Port is recommended.
If you click Standard TCP/IP Port, and then click Next, the Add Standard TCP/IP Printer Port Wizard
starts. In the Add Standard TCP/IP Printer Port Wizard, click Next. On the Add Port page, type the name
or IP address of the printer. The IP address is usually listed on the printer configuration page. As you type
the name or IP address, the wizard completes the Port Name field for you. Click Next.
The wizard attempts to connect to the printer. If the wizard is able to connect, the Completing the Add
Standard TCP/IP Printer Port Wizard page appears, and you can click Finish. If the wizard is not able
to connect, the Additional Port Information Required page appears. If you think that the address or
name you entered is not correct, click Back, retype the name or address, and then click Next.
If you are sure the address or name is correct, select one of the following device types to identify the
printer network adapter:
Standard is the default. If you click Standard, click the manufacturer and model of network adapter
from the Standard list.
If the printer network adapter uses nonstandard settings, click Custom and then click Settings. The
Configure Standard TCP/IP Port Monitor page appears. Specify the settings that are recommended
by the manufacturer of the printer network adapter, and then click OK.

Specify a Printer
If you selected A network printer, or a printer attached to another computer, this page appears.
On the Specify a Printer page, choose one of the following options to configure your print server to forward
print jobs to another print server:
If the print server that you want to connect to is available on the network, click Browse for a printer,
click Next, and then, under Shared printers, click the server and printer from the list.
If the print server that you want to connect to is temporarily unavailable on the network, click Connect to
this printer (or to browse for a printer, select this option and click Next), and then, in Name, type
the server and printer names.
If the print server that you want to connect to belongs to another organization and is available on the
Internet, click Connect to a printer on the Internet or on a home or office network.
Important
Use the options on this page only if you want your print server to forward print jobs to another print
server. If this is not what you want, click Back, click Local printer attached to this computer, click
Next, and then follow the steps in Select a Printer Port.

For this configuration path, you can skip some of the following steps in this document. To continue the
instructions for this configuration path, see Completing the Add Printer Wizard.
Install Printer Software

On the Install Printer Software page of the Add Printer Wizard, under Manufacturer, click the printer
manufacturer, and then, under Printers, click the printer model.
Note
Write down the manufacturer and model that you select, because you will need this information later if you
use the Add Printer Driver wizard to install printer drivers for other Windows-based clients.
If the manufacturer or model is not listed, try each of the steps outlined in the following table, in sequence, to
install the correct printer software.
Step Comments
Check the configuration
printout to confirm the exact
The Manufacturer and Printers lists show the official product names,
spelling of the name of your
which might be different from the names that you normally use.
printer manufacturer and
model.
Click Have Disk, locate the If you have printer driver files stored somewhere else, follow these
driver files, and then click steps. For example, the printer manufacturer might include a CD-ROM
OK. containing driver files in the packaging of the printer.
If you want to look for new or updated drivers that are available from
Microsoft as part of Windows Update, click this option. When you click
Windows Update, the Manufacturer and Printers lists change to
Click Windows Update.
show only the drivers that are available from Windows Update. If the
printer is not listed, return to the original list by clicking Back, and then
clicking Next.
Select the manufacturer and To determine which printers are compatible, consult the user guide for
model of a compatible your printer. Also, some manufacturers list compatibility information on
printer, and then click Next. their Web sites.
Use Existing Driver

If you add an additional printer that is the same manufacturer and model as one previously installed, the Use
Existing Driver page appears. Decide whether to keep the same driver or replace it with a new one. If you
select Replace existing driver, the wizard reinstalls the driver files.
Name Your Printer

On the Name Your Printer page of the Add Printer Wizard, the default name is the manufacturer and model of
the printer. You can change this name so that the printer is easier to use and administer. When using
applications, users often select a printer from a list that displays the names of the available printers. To help
users decide which printer to select, the application might also list the location or a comment.
Under Do you want to use this printer as the default printer?, click Yes or No. Your response applies only
when you print from an application that is running on this print server. Your response does not set this printer as
the one that clients use by default.
Printer Sharing
Important
You must share at least one printer for this server to act as a print server.
On the Printer Sharing page of the Add Printer Wizard, Share name is selected by default so that the printer
is shared. The default share name is the first 8 letters of the printer manufacturer and model, without spaces.
You can change this name so that the printer is easier to use and administer.
For compatibility with clients that run MS-DOS or earlier versions of Windows, type a share name that follows
these rules:
The share name contains only letters, digits, and the period (.).
The share name contains no more than eight letters and digits, and, optionally, followed by a period, which is
followed by no more than 3 letters and digits.
Location and Comment

On the Location and Comment page of the Add Printer Wizard, in Location, type a description of the print
server location, and then, in Comment, type a comment. This step is optional, but recommended because this
information makes it easier to use and administer your print server. Many applications display the comment or
the location when the user prints a document, so that the user can choose the most appropriate printer.
Print Test Page

On the Print Test Page page of the Add Printer Wizard, choose whether to print a test page to confirm that the
printer is ready to use.
Note
The test page does not print immediately when you click Next. Instead, it prints when you finish the wizard.
Completing the Add Printer Wizard

On the Completing the Add Printer Wizard page, the Restart the wizard to add another printer check
box is selected by default. If you leave it selected and click Finish, the wizard restarts to add another printer. If
you have finished adding all of the printers that you want to share on this server, clear this check box, and then
click Finish.
When you click Finish, the wizard installs the printer driver files. Then, if you chose to print a test page, the
wizard attempts to print that page. If the printer does not receive the test page, you might have selected an
incorrect port. However, if the printer receives the test page and prints it incorrectly, you might have selected an
incompatible manufacturer and model.
When you started the Configure Your Server Wizard to configure this server as a print server, you selected one
of the following options on the Printers and Printer Drivers page:
Windows 2000 and Windows XP clients only
All Windows clients
If you selected All Windows clients, the Add Printer Driver Wizard starts after you click Finish in the Add
Printer Wizard. You can use the Add Printer Driver Wizard to install client printer drivers onto the print server,
which can then automatically distribute them to clients.
Note
The Add Printer Driver Wizard does not communicate with the Add Printer Wizard. Therefore, the Add Printer
Driver Wizard does not automatically run once for each printer that you add, and it does not automatically
install drivers for the same manufacturer and model of printer. Instead, you must decide how many times to
run the Add Printer Driver Wizard, and each time it runs you must decide which manufacturer and model of
drivers to install.
Using the Add Printer Driver Wizard

If you selected All Windows clients on the Printers and Printer Drivers page of the Configure Your Server
Wizard, the Add Printer Driver Wizard starts after the Add Printer Wizard. If you cancel the Add Printer Driver
Wizard, the Print Spooler service remains installed, and any printers you have added remain, but the additional
client driver files are not installed on the server, and therefore the server cannot distribute those drivers to
clients.
This section describes the following steps in the Add Printer Driver Wizard:
Printer Driver Selection
Processor and Operating System Selection
Completing the Add Printer Driver Wizard
Printer Driver Selection

On the Printer Driver Selection page of the Add Printer Driver Wizard, select the manufacturer and model of a
printer that is shared on this print server, and then click Next.
Important
The Add Printer Driver Wizard does not automatically select a manufacturer and model for a printer that you
have already added. Instead, it selects the first manufacturer in the list, and the name of the first printer
model (in alphabetical order) made by that manufacturer. If possible, select the manufacturer and model of a
printer that you have added. If you select a different manufacturer or model, the wizard installs drivers that
might not work correctly with your printer.
Processor and Operating System Selection

On the Processor and Operating System Selection page of the Add Printer Driver Wizard, select the client
operating systems and processors.
Drivers for your server operating system are installed automatically when you add a printer. As a result, one of
the following is selected automatically and you cannot remove it: Windows 2000, Windows XP and Windows
Server 2003 for x86–based processors, or Windows XP and Windows Server 2003 for Itanium–based
processors.
Completing the Add Printer Driver Wizard

On the Completing the Add Printer Driver Wizard page, the Restart the wizard to add another printer
driver check box is selected by default. If you leave it selected and click Finish, the wizard restarts to add
another printer driver. If you have finished adding all of the printer drivers for all of the printers that you want to
share on this server, clear this check box, and then click Finish.

After you complete the Add Printer Wizard and, if necessary, the Add Printer Driver Wizard, the Configure Your
Server Wizard displays the This Server is Now a Print Server page. To review all of the changes made to
your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click
Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure
Your Server.log. To close the Configure Your Server Wizard, click Finish.

the print server role, each client that sent print jobs only to this print server will be unable to print until you
reconfigure the client to send print jobs to a different server. Also, each printer managed only by this print
server will be unable to receive print jobs until you reconfigure another print server to send print jobs to that
printer.
To remove the print server role, restart the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click Print server, and then click Next. On the Role Removal Confirmation page,
review the items listed under Summary, select the Remove the print server role check box, and then click
Next. On the Print Server Role Removed page, click Finish.

After you complete the Configure Your Server Wizard, the server is ready for use as a print server. By following the
steps in this document, you have:
Added one or more printers.
Shared printers so that clients can send print jobs to the printers.
If necessary, added client print drivers.
You can use the Add Printer Wizard and Add Printer Driver Wizard to add more printers and client printer drivers.
These wizards are available through Manage Your Server.
The following table lists some of the additional tasks that you can perform on your print server.

To provide user access to installed printer options, such as an envelope
Set the configuration To set installable
feeder or extra memory, that are available on some printers. If your
to match installed options for a
printer provides additional features, you must update the configuration
options. printer
so that users can use these features.
To set the default configuration for clients when they connect to the To set printing
Set printing defaults.
printer. For example, you can set the default layout or paper source. defaults
To set or remove
Assign printer
To change the permissions that users have for a printer. permissions for a
permissions.
printer
Choose a separator To choose a
To define a page that appears at the beginning of each printout.
page. separator page
Configure network
To configure clients to connect to the printers that are shared on this Connect clients to
clients to use the
print server. a printer
printer.
To manage your print server more efficiently and effectively. For
Set advanced printer Use advanced
example, to schedule alternate printing times, to enable printer location
tasks. options
tracking, or to set different priority for different groups.
Publish a printer in To help domain users find printers shared by this print server quickly. To publish a printer
Active Directory. For this task, the print server must be a member server. in Active Directory
Application server role: Configuring an application server

An application server is a core technology that provides key infrastructure and services to applications hosted on a
system. Typical application servers include the following services:
Resource pooling (for example, database connection pooling and object pooling)
Distributed transaction management
Asynchronous program communication, typically through message queuing
A just-in-time object activation model
Automatic XML Web Service interfaces to access business objects
Failover and application health detection services
Integrated security
The Windows Server 2003 family includes all this functionality, in addition to services for development,
deployment, and runtime management of XML Web services, Web applications, and distributed applications.
This topic explains the basic steps that you must follow to configure an application server. This process involves
using the Configure Your Server Wizard to configure the server as an application server. When you have finished
setting up a basic application server, you can complete additional tasks by using Manage Your Server.
This topic covers:
Before you begin
Configuring your application server
Before you begin

Before you configure your computer as an application server, verify that:
and folder compression, disk quotas, file encryption, or individual file permissions. To find out the file system
type, in My Computer right-click the disk volume, and then click Properties.
Your computer has network connectivity and a static or dynamic IP address.
The following table lists the information that you need to know before you add an application server role.
Before adding an application server

Comments
role
IIS 6.0 is a full-featured Web server that provides the infrastructure
for .NET and existing Web applications and Web services.
Understand the following technologies
COM + is an extension to the Component Object Model (COM). COM+
that are installed automatically while
builds on COM's integrated services and features, making it easier for
configuring your application server:
developers to create and use software components in any language,
Internet Information Services (IIS) using any tool.
Application Server console The Application Server console provides a central location from which
COM+ you can administer your Web applications. To open the Application
Distributed Transaction Coordinator Server console, in Manage Your Server, click Manage this
(DTC) application server.
Distributed Transaction Coordinator (DTC) coordinates COM+
transactions.
Determine whether you would like to FrontPage Server Extensions enable users on a client computer to
install FrontPage Server Extensions. publish and administer Web sites on a server remotely over a network.
ASP.NET is a unified Web development platform that provides the
Determine whether you would like to run
services necessary for developers to build enterprise-class Web
ASP.NET applications on your server.
applications. You can enable ASP.NET for developing Web applications.
Configuring your application server

To configure an application server, start the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click Application server (IIS, ASP.NET), and then click Next.
Application Server Options
Removing the application server role
Application Server Options

On the Application Server Options page, you can choose to install the following optional components with
your application server:
FrontPage Server Extensions—FrontPage Server Extensions enable multiple users to administer and
publish a Web site from a client computer, remotely. Select this option if you want to enable multiple-users to
simultaneously create Web sites, or enable users to create Web applications from their client computers,
remotely, over the Internet.
Enable ASP.NET—ASP.NET is a unified Web application platform that provides the services necessary to
build and deploy enterprise-class Web applications. ASP.NET offers a new programming model and
infrastructure for more secure, scalable, and stable applications that can target any browser or device. If your
Web site includes applications that have been developed by using ASP.NET, select this option. If you are not
sure that you need to enable ASP.NET, you can enable it later by using IIS Manager. This feature is not
available on Windows® XP 64-Bit Edition and the 64-bit versions of the Windows® Server 2003 family. For
more information, see Features unavailable on 64-bit versions of the Windows Server 2003 family. By
enabling ASP.NET, you can use your application server to host ASP.NET applications. Some of the features of
ASP.NET include the following:
ASP.NET can run side by side with Active Server Pages (ASP) code on Internet Information Services (IIS).
If you are already running ASP code you do not need to upgrade your ASP pages, and you can add
ASP.NET pages to your applications.
ASP.NET has enhanced performance.
ASP.NET supports many languages including Visual Basic .NET, C#, and JScript .NET.
On the Summary of Selections page, you can view and confirm the options that you have selected. If you
selected Application server (IIS, ASP.NET) on the Server Role page, the following appears:
Install Internet Information Services (IIS)
Enable COM+ for remote transactions
Enable Microsoft Distributed Transaction Coordinator (DTC) for remote access
If you selected FrontPage Server Extensions or ASP.NET, the following items also appear:
Install FrontPage Server Extensions
Enable ASP.NET
To apply the selections shown on the Summary of Selections page, click Next. When you click Next, the
Configuring Components page of the Windows Components Wizard appears, and then closes automatically.
You cannot click Back or Next on this page.

After the components are configured, the Configure Your Server Wizard displays the This Server is Now an
Application Server page. To review all of the changes made to your server by the Configure Your Server
Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure
Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your
Server Wizard, click Finish.
If the installation was not successful, the Cannot Complete page appears and IIS could not be installed. To
troubleshoot the installation, click Configure Your Server log.

If you need to reconfigure your server for a different role, you can remove existing server roles. By removing
the application server role, you will uninstall all application server components, such as the IIS. Your server will
no longer support serving Web pages, Web applications, or distributed applications.
To remove the application server role, restart the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click Application server (IIS, ASP.NET), and then click Next. On the Role
Removal Confirmation page, review the items listed under Summary, select the Remove the application
server role check box, and then click Next. When you click Next, the Configuring Components page of the
Windows Components Wizard appears, and then closes automatically. You cannot click Back or Next on this
page. On the Application Server Role Removed page, click Finish.

After you complete the Configure Your Server Wizard and enable the features that you need to run your
applications, the computer is ready for use as a basic application server. Up to this point, you have completed the
following tasks:
Installed Internet Information Services (IIS), ASP.NET, and COM+.
If necessary, enabled FrontPage Server Extensions.
If necessary, enabled ASP.NET.
The following table lists some of the additional tasks that you might want to perform on your application server.

Internet Protocol
To ensure the security of this server, it is recommended that you
Security (IPSec);
implement security precautions, such as firewalls and Internet Protocol
Securing your
security (IPSec), before placing it in a production environment. An
Secure your network with Basic
application server may be targeted by attackers because of its exposure
application server. Firewall;
to the Internet and other networks. You can secure your applications by
Security in
using authentication protocols, access control, Secure Sockets Layer
Microsoft Internet
(SSL), and encryption.
Information Services
To set, view,
Secure your files To secure your Web site, applications, databases, and files use NTFS change, or remove
with NTFS. permissions. This is essential for a secure site. permissions on files
and folders
Configure Web
Using Web Interface
Interface for To manage your application server using a Web browser on a remote
for Remote
Remote computer.
Administration
Administration.
Web Site Setup in
Create a Web site. To create a Web site to host your Web applications. Microsoft Internet
Information Services
Create applications
To learn about the latest development tools from Microsoft that can
with the latest Microsoft Web site
help you develop new applications more quickly and efficiently.
development tools.
Creating ASP.NET
Create ASP.NET Web Application at
To create ASP.NET applications.
Web Applications. the Microsoft Web
site
ASP.NET Web
Secure your
Application Security
ASP.NET Web To ensure the security of your ASP.NET applications
at the Microsoft Web
applications.
site
Mail server role: Configuring a mail server

Configure this computer as a mail server to install E-mail Services, which provides e-mail transfer and retrieval
services. E-mail Services includes the POP3 service, which provides e-mail retrieval, and the SMTP service, which
provides e-mail transfer. Administrators can use the POP3 service to store and manage e-mail accounts on the mail
server. After configuring this computer as a mail server, users can connect to the mail server and retrieve e-mail to
their local computer using an e-mail client that supports the POP3 protocol, such as Microsoft Outlook.
This topic explains how to use the Configure Your Server Wizard to install and configure E-mail Services. After you
have completed the Configure Your Server Wizard, you must perform additional required steps to create mailboxes.
After you have completed the Configure Your Server Wizard and created the appropriate mailboxes, you will have a
fully-functioning mail server.
You can configure both member servers and stand-alone servers to be a mail server. However, the default
authentication method and the available authentication methods will vary. For more information about the default
authentication methods and the available authentication methods, see Before you begin and Configure POP3
Service.
This topic covers:
Before you begin

Configuring your mail server
Before you begin

Before you configure your computer as a mail server, verify whether or not:
The server on which you intend to install e-mail services has a working Internet connection.
There is an NTFS partition available. With an NTFS partition, you can take advantage of the increased security
provided by disk quotas. For more information about disk quotas, see Configuring disk quotas for the POP3
service.
You have a registered e-mail domain name. Contact your Internet Service Provider for assistance in registering
an e-mail domain name.
A Mail eXchanger (MX) record for your e-mail domain name exists and matches the name of your server.
Contact your Internet service provider (ISP) to create an MX record.
You have configured your server for static addressing. Contact your Internet Service Provider for the information
necessary to configure your server for static addressing. For more information on how to configure your mail
server with a static IP address, see To configure TCP/IP for static addressing.
The following table lists the information that you need to know to before you add a mail server role.
Before adding a mail

Comments
server role
A server in this role may be targeted by attackers because of its exposure to the Internet
Determine the and other networks. To ensure the security of this server, it is recommended that you
appropriate level of implement security precautions, such as firewalls and Internet Protocol security (IPSec),
security for this server. before placing it in a production environment. For more information, see Internet Protocol
security (IPSec) and Securing your network with Basic Firewall.
You must choose an authentication method before you create any e-mail domains on the
Determine the mail server. The authentication method can be changed only if there are no existing
appropriate e-mail domains on the mail server.
authentication method If the computer that you are configuring as a mail server is either a member server or a
for your configuration. domain controller, the authentication method setting defaults to Active Directory
authentication. Otherwise, the setting defaults to local Windows accounts authentication.
The e-mail domain must be a registered domain name and it must match the Mail
eXchanger (MX) record created by your ISP. If you do not already have an e-mail domain
Determine that you name, contact your ISP for assistance in registering a domain name.
have a registered
e-mail domain name. Note
The POP3 service supports top-level and third-level domain names. For example,
example.com and mailserver.example.com are both supported.
Configuring your mail server

To configure a mail server, start the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click Mail server (POP3, SMTP), and then click Next.
Configure POP3 Service

Creating mailboxes
Removing the mail server role
Configure POP3 Service

On the Configure POP3 Service page, under Authentication method, click the appropriate method for your
deployment. The Windows Server 2003 family supports the authentication methods listed in the following table.
Use this
When
authentication method
Your mail server is not an Active Directory member server, and you want to
Local Windows accounts
store user accounts on the server on which the POP3 service is installed
Active Directory-
Your mail server is a domain controller or a member server
Integrated
Your mail server is not using Active Directory, or you do not want to have
Encrypted Password File
user accounts for the POP3 service on the local computer
The authentication methods that are available to you depend on the configuration of your server:
If the computer on which the POP3 service is running is a member server in an Active Directory domain, all
three authentication methods are available.
If the computer on which the POP3 service is running is a domain controller, the available authentication
methods are Active Directory integrated authentication and encrypted password file authentication.
Otherwise, the available authentication methods are local Windows accounts authentication and encrypted
password file authentication.
Under E-mail domain name, type your registered e-mail domain name. You can create additional e-mail
domains later by using the POP3 service snap-in or the Winpop command-line tool.
selected Mail server (POP3, SMTP) on the Server Role page, the following appears:
Install POP3 and Simple Mail Transfer Protocol (SMTP) to enable POP3 mail clients to send and
receive mail
To apply the selections shown on the Summary of Selections page, click Next. After you click Next, the

After the components are configured, the Configure Your Server Wizard displays the This Server is Now a Mail
Server page. To review all of the changes made to your server by the Configure Your Server Wizard or to
ensure that a new role was installed successfully, click Configure Your Server log. The Configure Your Server
Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your Server
At this stage, you have a fully-functioning mail server, but you must also create mailboxes for all of the users in
the domain who will be sending or receiving e-mail. Without mailboxes, users cannot send or receive e-mail.
Creating mailboxes
To send and receive e-mail, each user must have a unique mailbox in the e-mail domain. You can create
mailboxes from either the POP3 service MMC snap-in or at the command line. This procedure uses the POP3
service MMC snap-in. For more information about creating mailboxes or administering the POP3 service at the
command line, see Winpop. For more information about creating mailboxes, see To create a mailbox.
Step Comments
To open the POP3 service snap-in, click Start, click Control Panel, double-click
Administrative Tools, and then double-click POP3 Service.
Notes
To perform this procedure, you must be a member of the Administrators group on

the local computer, or you must have been delegated the appropriate authority. If
Open the POP3 the computer is joined to a domain, members of the Domain Admins group might
service MMC be able to perform this procedure. As a security best practice, consider using Run as
snap-in. to perform this procedure.
If you are using Active Directory integrated authentication, you must log on to the
Active Directory domain, not the local computer, to perform this procedure.
In the console tree, select the e-mail domain that you specified in the Configure Your
Server Wizard (for example, example.com). Right-click the e-mail domain, point to
New, and then click Mailbox. Provide the following information:
Mailbox Name—the name of the mailbox. The maximum length for a mailbox
name is 20 characters for local Windows accounts authentication, and 64 characters
for encrypted password file authentication or Active Directory integrated
Create one or authentication. The minimum length is 1 character.
more Password—the password to access the mailbox.
mailboxes. Confirm Password—retype the password that was specified in Password.
If you are using Active Directory integrated authentication or local Windows accounts
authentication, select the Create associated user for this mailbox check box,
unless a user account already exists with the same name as the mailbox that you want
to create. If the check box is already selected, clear it only if an account already exists
with the same name as the mailbox that you want to create.

the mail server role, you will uninstall all mail server components, such as the POP3 service and SMTP service.
After the mail server components are uninstalled, users will no longer be able to send or receive e-mail using
that server. Any e-mail that is stored on the computer will not be affected by removing the mail server role and
will remain in the mail store.
To remove the mail server role, restart the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click Mail server (POP3, SMTP), and then click Next. On the Role Removal
Confirmation page, review the items listed under Summary, select the Remove the mail server role check
box, and then click Next. After you click Next, the Configuring Components page of the Windows
Components Wizard appears, and then closes automatically. You cannot click Back or Next on this page. On the
Mail Server Role Removed page, click Finish.

After you complete the Configure Your Server Wizard and create mailboxes, the computer is ready for use as a mail
server. Up to this point, you have completed the following tasks:
Installed the POP3 service and the SMTP service.
Configured the POP3 service to use an authentication method.
Created an e-mail domain.
Created mailboxes.
The Configure Your Server Wizard automatically installs the POP3 service MMC snap-in, which you use to manage
your mail server. To open the POP3 service snap-in, click Start, click Control Panel, double-click Administrative
Tools, and then double-click POP3 Service.
The following table lists additional tasks that you might want to perform on your mail server.

Provide users with
the procedure to
configure their e- To connect to the mail server, the user's e-mail client must be
Configure e-mail clients
mail clients to use configured specifically for the mail server.
the mail server.
Disk quotas ensure that the mail store does not use an excessive
or unanticipated amount of disk space, which could adversely
affect the performance of the server on which the POP3 service is
Implement disk Configuring disk quotas
running. You must have an NTFS partition to implement disk
quotas. for the POP3 service
quotas. NTFS partitions allow for greater directory and folder
security, which better protects e-mail stored on the local hard
disk.
The POP3 service supports Secure Password Authentication (SPA)
for Active Directory integrated authentication and local Windows
accounts authentication. Secure Password Authentication requires To configure the mail
Configure your mail that all e-mail clients transmit both the user name and password server to require Secure
server to require using secure authentication. Secure Password Authentication is Password Authentication;
secure e-mail client more secure than the default of plaintext and, therefore, is To configure Outlook
authentication. recommended over plaintext. Secure Password Authentication Express for Secure
must be configured on both the server on which e-mail services Password Authentication
are running and on every e-mail client that will connect to the
mail server.
Terminal server role: Configuring a terminal server

Configure this computer as a terminal server by installing the Terminal Server component, which provides
centralized deployment of applications.
Using a terminal server, users in remote locations can run programs, save files, and use network resources as
though those resources were installed on the users' own computers. By installing programs on a terminal server,
you can ensure that all users are using the same version of a program. If you plan to use this computer to allow
multiple users to access a program at the same time from a single point of installation, configure this computer as
a terminal server.
However, if you plan to use this computer for remote administration on Windows Server 2003 operating systems,
you do not need to install Terminal Server. Instead, you can use Remote Desktop for Administration (formerly
Terminal Services in Remote Administration mode), which is installed by default on computers running one of the
Windows Server 2003 operating systems. After you enable remote connections, Remote Desktop for Administration
allows you to remotely manage servers from any client over a LAN, WAN, or dial-up connection. Up to two remote
sessions, plus the console session, can be accessed at the same time, without requiring Terminal Server Licensing.
For more information about Remote Desktop for Administration, see Remote Administration using Terminal
Services.
This topic explains how to use the Configure Your Server Wizard to install and configure a terminal server. After
you have completed the Configure Your Server Wizard, you must perform the following additional steps in order to
have a basic terminal server.
Configure a Terminal Server License Server on another server.
Important
This step is required. If you do not install Terminal Server Licensing, your terminal server will stop accepting
connections from unlicensed clients when the evaluation period ends, 120 days after the first client logon.
Install client access licenses (CALs) on the Terminal Server License Server.
Install programs on the terminal server.
Distribute the latest version of Remote Desktop Connection to clients running earlier versions of Remote
Desktop Connection for Windows.
Specify which users have permission to connect to the terminal server.
After you have completed both the Configure Your Server Wizard and these additional required tasks, you will have
a basic terminal server.
This topic covers:
Before you begin
Configuring your terminal server
Before you begin

Before you configure your computer as a terminal server, verify whether or not:
The operating system is configured correctly. In the Windows Server 2003 family, a terminal server depends on
the appropriate configuration of the operating system and its services. If you have a new installation of a
Windows Server 2003 operating system, you can use the default service settings. No further action is necessary.
If you upgraded to a Windows Server 2003 operating system or you want to confirm that your services are
configured correctly for best performance and security, verify your service settings with the table in Default
settings for services.
The computer is a server on a network or in a domain, but is not a domain controller. Installing Terminal Server
on a domain controller affects performance because of the additional memory, network traffic, and processor
time required to perform the tasks of a domain controller in a domain.
The computer meets processor and memory requirements for supporting multiple concurrent sessions where
different users are logged on. A terminal server requires a minimum of 128 MB RAM, plus additional RAM for
each user to support running each user's programs on the server. An additional 10 MB RAM is recommended for
each light user, who typically runs one program at a time, and up to 21 MB RAM for each power user, who
typically runs three or more programs at the same time. In addition, if you plan to install 16-bit applications on
the terminal server, be aware that they consume additional resources when they run in 32-bit environments
such as Windows Server 2003 operating systems.
There are no programs installed on the computer. You should add the Terminal Server role before you install the
programs that you want users to access. If there are programs already installed on the computer, you might
have to reinstall them to ensure that they work correctly in the Terminal Server environment.
No users are able to log on remotely to the computer. You should allow users to access the terminal server only
after you have installed programs, tested their installation, and performed any tuning necessary for the
programs to work in a multisession environment. For information on disabling terminal services connections
temporarily, see To disable Terminal Services connections.
All existing disk volumes use the NTFS file system. FAT32 volumes do not provide either the required level of
security for users in a multisession environment or the ability to set file permissions.
Configuring your terminal server

To configure a terminal server, start the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click Terminal server, and then click Next.
Confirm Internet Explorer Enhanced Security Configuration Settings
Configuring a Terminal Server License Server
Installing client access licenses on the Terminal Server License Server
Installing programs on the terminal server
Deploying client software
Giving users permission to access the terminal server
Removing the terminal server role
Terminal server on the Server Role page, the following appears:
Install Terminal Server
To apply the selections shown on the Summary of Selections page, click Next. The following message
appears: "During this process, the Configure Your Server Wizard restarts your computer. Before continuing,
close any open programs." If you need to close open programs and you want to cancel the configuration of the
terminal server role at this time, you must click Cancel now. When you click Cancel, the Configure Your Server
Wizard displays the Cannot Complete page. To close the Configure Your Server Wizard, click Finish.
Otherwise, if you click OK, the Configure Your Server Wizard begins the configuration process.
Next, the Configure Your Server Wizard displays the message "Installing Terminal Server." The Configuring
Components page of the Windows Components Wizard appears, and then closes automatically. You cannot click
Back or Next on this page. Then, the Configure Your Server Wizard shuts down the computer and restarts it to
accept the configuration changes that make the computer a terminal server.
During the restart process, a dialog box displays progress messages, for example, "Windows is starting up" and
"Preparing network connections." Depending on the size of your network, preparing network connections could
take some time. When the Welcome to Windows dialog box appears, press CTRL+ALT+DEL. In the Log on to
Windows dialog box, in Password, type your password. To complete the process, wait for the Configure Your
Server Wizard to appear on the screen.

After your server restarts, the Configure Your Server Wizard displays the This Server is Now a Terminal
Server page. To review all of the changes made to your server by the Configure Your Server Wizard or to
Next, you must complete the following steps so that your server is ready to function as a basic terminal server:
Configure a Terminal Server License Server.
Install client access licenses (CALs) on the Terminal Server License Server.
Install programs on the terminal server.
Deploy the Remote Desktop Connection .msi file to clients not running Windows XP or Windows Server 2003
operating systems.
Give users permission to access the terminal server.
A separate window displays checklists that provide information about these additional requirements. The same
information is covered in this document.
To run a terminal server, you need another computer that is configured to function as a Terminal Server License
Server. If a Terminal Server License Server is already installed, you can skip the steps for configuring a Terminal
Server License Server and installing CALs, and begin Installing programs on the terminal server. Otherwise, if
the Manage Your Server page displays a message indicating that a Terminal Server License Server was not
found, you must configure a Terminal Server License Server before you can use your terminal server.
Confirming Internet Explorer Enhanced Security Configuration settings

After you complete the Configure Your Server Wizard and install Terminal Server, you can configure Internet
Explorer Enhanced Security Configuration settings.
If you activate these settings, Internet Explorer applies the following security settings to a user who logs on as
an administrator:
High security settings to the Internet and Local intranet security zones
Medium security settings to the Trusted sites zone
By applying high security settings to the Internet and Local intranet security zones, you disable scripts, Microsoft
ActiveX® controls, and the Microsoft virtual machine (Microsoft VM) for HTML content in these zones. You also
prevent users from downloading files in these zones.
By applying medium security settings to the Trusted sites zone, you set standard browsing functionality. If you
use sites for administrative tasks and Web-based applications that an administrator cannot access after you
apply these settings, you can add the site addresses to the list of sites in the Trusted sites zone.
To review or change the Internet Explorer Enhanced Security Configuration settings, in Manage Your Server,
click Internet Explorer Enhanced Security Configuration.
In the Windows Server 2003 family, you can implement enhanced security settings for Internet Explorer for all
users and reduce the exposure of your server to Web sites that might pose a security risk. For more information,
see Internet Explorer Enhanced Security Configuration.
Configuring a Terminal Server License Server

Configure a Terminal Server License Server on a computer other than the one on which you have just configured
the terminal server role. A Terminal Server License Server manages licenses for Terminal Services client
connections. You are required to activate a Terminal Server License Server only once, after which the Terminal
Server License Server becomes the repository for terminal server client licenses. Until the registration process is
completed, your Terminal Server License Server can issue temporary licenses for clients.
Important
This step is required. If you do not configure a Terminal Server License Server, your terminal server will stop
accepting connections from unlicensed clients at the end of the evaluation period, which is 120 days from the
date of the first client logon.
The easiest and quickest way to activate a Terminal Server License Server is by using the Automatic method. To
use this method, the computer running the Terminal Services Licensing service must have a direct connection to
the Internet. For information on activation methods for computers that are not connected to the Internet, see To
activate a Terminal Server License Server by using a Web browser and To activate a Terminal Server License
Server by using the telephone.
The following table shows the steps you must take to configure and activate a Terminal Server License Server by
using the Automatic method.
Task Comments
Open Add or Remove Programs in Control Panel, and then click Add/Remove
Windows Components. In the Windows Components Wizard, select the Terminal
Server Licensing check box, and then click Next. If your network includes several
domains, or if you are installing the Terminal Server Licensing service on a member
server, choose Your entire enterprise. If you want to maintain a separate Terminal
Install the Server License Server for each domain, or if your network includes workgroups or
Terminal Windows NT 4.0 domains, choose Your domain or workgroup. If you want to change
Server the location of the license server database, specify a new location, and then click Next.
Licensing The Configuring Components page displays the progress of configuration changes. On
service. the Completing the Windows Components Wizard page, click Finish, and then click
Close.
Note
To open Add or Remove Programs, click Start, click Control Panel, and then double-
click Add or Remove Programs.
Open Terminal Server Licensing, right-click the Terminal Server License Server you
want to activate, and click Activate Server. The Terminal Server License Server
Activation Wizard starts. On the Connection method page, under Activation method,
click Automatic connection, and then click Next. On the Company Information page,
provide the following required information:
First name
Activate the Last name

Terminal Company name
Server Country or region
License
Server.
Confirm that the information you typed is correct, and then click Next. On the next
Company Information page, you can provide the following optional information:
Email address
Organizational unit
Company address
City
State or province
Postal code
Confirm that the information you typed is correct, and then click Next. On the
Completing the Terminal Server License Server Activation Wizard page, under
Status, the following message appears: "Your license server has been successfully
activated." If you want to install client licenses now, click Next. If you want to postpone
the installation of client licenses, clear the Start Terminal Server Client Licensing
Wizard now check box, and then click Finish.
Note
To open Terminal Server Licensing, click Start, click Control Panel, double-click
Administrative Tools, and then double-click Terminal Server Licensing.
Installing client access licenses on the Terminal Server License Server

After you activate a Terminal Server License Server, the next step is to install client access licenses (CALs) on
the Terminal Server License Server.
Important
Your Terminal Server License Server can issue temporary licenses that allow clients to use a terminal server
for the duration of the evaluation period, which is 120 days from the first client logon. If you do not install
CALs on your Terminal Server License Server, unlicensed clients will not be able to connect to your terminal
server after the evaluation period has passed.
CALs are digitally-signed certificates that each client stores locally. All CALs are installed on a Terminal Server
License Server. When a client logs on to a terminal server for the first time, the terminal server recognizes that
the client has not been issued a CAL and locates a Terminal Server License Server to issue a new CAL to the
client. For information about specific license requirements, see the Microsoft Web Site.
(http://www.microsoft.com/)
Before you install CALs, you must have your licensing agreement numbers ready, and know which method you
used to purchase them.
The easiest and quickest way to install CALs on a Terminal Server License Server is by using the Automatic
method. To use this method, the computer running the Terminal Services Licensing service must have a direct
connection to the Internet. For information on installing CALs for computers that are not connected to the
Internet, see To install client license key packs by using a Web browser and To install client license key packs by
using the telephone.
The following table shows the steps you must take to install CALs on a Terminal Server License Server by using
the Automatic method.
Task Comments
On the Terminal Server License Server, open Terminal Server Licensing. Verify that
the installation method for the Terminal Server License Server is set to Automatic by
right-clicking the Terminal Server License Server for which you want to install CALs, and
then clicking Properties. If necessary, on the Installation Method tab, change the
installation method to Automatic connection, and then click OK.
In the Terminal Server Licensing console tree, right-click the Terminal Server License
Install CALs Server on which you want to install CALs, click Install Licenses, and then click Next.
on the The Terminal Server CAL Installation Wizard starts. On the Licensing program page,
Terminal choose the license program under which you purchased your licenses, and then click
Server Next. On the License Code page, type the license code for each license you have
License purchased, and then click Add after each entry. After you have typed all of the license
Server. codes, click Next. The Completing the Terminal Server CAL Installation Wizard
page displays a message that the CALs were successfully installed. To close the wizard,
click Finish.
Note
To open Terminal Server Licensing, click Start, click Control Panel, double-click
Administrative Tools, and then double-click Terminal Server Licensing.
Installing programs on the terminal server

At this stage, you have accomplished the following tasks:
Completed the Configure Your Server Wizard and configured the terminal server role on your server.
Installed Terminal Server Licensing on another computer.

Activated the Terminal Server License Server.
Installed CALs on the Terminal Server License Server.
Now you are ready to install programs on the terminal server. Add or Remove Programs in Control Panel is
the preferred method for program installation, and you should use this method whenever possible. This section
describes how to use Add or Remove Programs to install programs on a terminal server.
There are other program installation methods, such as the change user command, Windows Installer packages
(.msi files), and Group Policy Software Installation. For more information about the change user command, see
To install a program by using the change user command. For more information about using Windows Installer,
see Assigned and published programs. For more information about Group Policy, see Group Policy.
For improved performance and reduced network traffic, install programs on the local drive of the terminal server
instead of on a file server. Ensure that you have enough space to install programs on NTFS file system drives
instead of on FAT32 drives. NTFS drives allow you to set file permissions, which you cannot do on FAT32 drives.
If you are installing published programs, you must use another installation method, such as Group Policy
Software Installation.
For performance and security reasons, you should use 32-bit programs whenever possible. Most 32-bit programs
use the registry to read and write program settings and need to write only to specific registry values. Running
16-bit programs can reduce the number of users a processor supports by 40 percent and increase the memory
required for each user by 50 percent. In addition, some 16-bit programs must be able to write to the directory
where the program's .ini file is stored.
RAM and CPU requirements increase approximately linearly with the number of sessions running. To reduce RAM
and CPU requirements, consider restricting user or group access to certain program types, disabling unnecessary
program features, or installing programs on separate terminal servers.
Some programs have known installation issues in a multisession environment. For information about programs
that require installation scripts in order to work correctly in a multisession environment, see Optimizing
Applications for Windows 2000 Terminal Services and Windows NT Server 4.0, Terminal Server Edition at the
Microsoft Web site. (http://www.microsoft.com/)
Application compatibility considerations

You should install programs from the console session of the terminal server. You can install programs from a
remote console session, but this is not the preferred method for installing programs.
Some programs require an application compatibility script to be run after the program is installed. The scripts
are stored in the systemroot\Application Compatibility Scripts\Install directory on the terminal server.
You should be aware of the implications of the security mode in which the terminal server operates. There are
two security modes:
Full security provides the most secure environment for users connecting to a terminal server. To run in this
mode, applications must be written to run in the security context of an ordinary user. For Windows
Server 2003 operating systems and Windows 2000, full security is the default.
Relaxed security enables you to run programs that otherwise might not work at all in the more rigorous Full
security mode. However, in Relaxed security mode (also known as Windows NT 4.0/Terminal Server Edition
permissions compatibility mode), any user on the system can change files and registry settings in many
places throughout the system, although others users' data files might not be visible. A malicious user could
exploit this situation by replacing a known and trusted program with a program of the same name but some
harmful intent. If the operating system on your terminal server was installed using the Upgrade method, the
security mode might be set to Relaxed security. When in doubt, you should choose Full security, test your
applications in that mode, and change the security mode only if your test results indicate the need to do so.
The following table shows the steps you must take to install programs on a terminal server, using Add or
Remove Programs.
Task Comments
Ensure that no Send a message to all users who are logged on to the terminal server. Program
users are logged installation often requires restarting the computer, and their sessions will be
on to the disconnected. You should not allow users to access the terminal server until programs
terminal server. have been installed and tested.
Disable
Terminal
Services Right-click My Computer, click Properties, click the Remote tab, and then clear the
connections Allow users to connect remotely to this computer check box.

temporarily.
Open Terminal Services Configuration. In the console tree, click Server Settings,
right-click Permission Compatibility, and then click Properties. In the Permission
Specify Full Compatibility dialog box, click Full Security, and then click OK.
Security as the Note
security mode. To open Terminal Services Configuration, click Start, click Control Panel, double-
click Administrative Tools, and then double-click Terminal Services
Configuration.
Ensure that you are logged on as a member of the Administrators group on the
terminal server. Open Add or Remove Programs in Control Panel, and then click
Add New Programs. Click CD or Floppy. Insert the CD or floppy disk into the
appropriate drive, and then click Next. Verify that the installation file is specified
Install programs correctly in the Open box on the Run Installation Program page, and then click
from a CD or Finish. Follow the instructions in the program's installation wizard. After the program
floppy disk. is installed, edit and run any applicable scripts to tailor the program for a multisession
environment.
Note
To open Add or Remove Programs, click Start, click Control Panel, and then
double-click Add or Remove Programs.
Ensure that event logging is enabled by opening Services in Administrative Tools.

Create a temporary user account that mimics the settings of the user or users who
will access the program, and use the account to log on to the terminal server. Start
the program and step through some basic tasks. Then, use Event Viewer to
determine which files or directories need Write access and which registry keys require
Read access by the user for correct operation. Note that this process might not find
all files, directories, and registry keys for which the application requires access in all
user scenarios. The only way to ensure that you have accounted for all access
Test the requirements is to perform tasks manually.
installation.
Some programs enable users to start other programs. For example, Microsoft Access
has a toolbar that can be used to start other Microsoft Office programs. If you want
users to have access only to specified programs when they log on to the terminal
server, you should disable toolbar access from within programs that you install on the
terminal server.
Note
To open Event Viewer, click Start, click Control Panel, double-click
Administrative Tools, and then double-click Event Viewer.
Use a text editor such as Notepad to modify any scripts, and then run the scripts to
Tune programs
tune any programs that require it. To obtain the scripts, see Optimizing Applications
for multisession
for Windows 2000 Terminal Services and Windows NT Server 4.0, Terminal Server
use.
Edition at the Microsoft Web site. (http://www.microsoft.com/)
Run application
Navigate to the systemroot\Application Compatibility Scripts\Install directory on the
compatibility
terminal server and run scripts for any programs that require them.
scripts.
Right-click My Computer, click Properties, click the Remote tab, and then check
the Allow users to connect remotely to your computer check box.
Enable remote Note
connections on Depending on your desktop settings, My Computer might not appear on your
the terminal desktop. To show or hide desktop icons, right-click somewhere on the desktop,
server. click Properties, click the Desktop tab, click Customize Desktop, and then,
under Desktop icons, select the check box next to the icon you want to display,
or clear the check box next to the icon you want to hide.
Deploying client software

Remote Desktop Connection, formerly known as the Terminal Services Client, is installed automatically on
computers running Windows XP and Windows Server 2003 operating systems. For performance and security
reasons, computers running earlier versions of Microsoft Windows, including Windows 2000 Server,
Windows 2000 Professional, Windows NT 4.0, Windows 98, and Windows 95, should have the latest version of
Remote Desktop Connection installed.
There are several ways to deploy the client software:
Share the Msrdpcli.msi file and use Microsoft IntelliMirror to distribute it to workstations running
Windows 2000.
Download Remote Desktop Connection directly from the Microsoft Web site.
(http://www.microsoft.com/downloads)
Place the .msi file in a shared folder residing on a server on the network.
This topic describes how to install the client software from a shared folder residing on a server on the network.
Before you deploy the client software, decide whether you want the software to be installed for the use of a
single user or for anyone who uses the client computer. You will make this choice during the deployment
process.
The following table shows the steps you must take to deploy the latest version of Remote Desktop Connection to
clients running earlier versions of either Windows or Remote Desktop Connection.
Task Comments
On the computer running a Windows Server 2003 operating system, open Windows
Explorer. Navigate to the systemroot\System32\Clients\Tsclient\win32 folder, right-click
Share the the win32 folder, click Sharing and Security. On the Sharing tab, click Share this
client setup folder, and then click OK.
folder. Note
To open Windows Explorer, click Start, point to All Programs, point to
Accessories, and then click Windows Explorer.
On the client computer, click Start, click Run, and then, in Open, type
\\ServerName\win32, where ServerName is the name of the computer where the
shared folder is located. Double-click the msrdpcli.msi file to start the InstallShield
Install Wizard for Remote Desktop Connection, and then click Next. Read the License
Remote Agreement, click I accept the terms in the license agreement, and then click Next.
Desktop Type your name and organization in the Customer Information page, click Anyone
Connection. who uses this computer (all users), and then click Next. On the Ready to Install
the Program page, either click Back to review or change any of your installation
settings, or click Install to begin the installation. To complete the installation, click
Finish.
Giving users permission to access the terminal server

By default, on Windows Server 2003 operating systems, members of the Administrators and Remote Desktop
Users groups can use Terminal Services connections to connect to a remote computer. The Remote Desktop
Users group is not populated by default, so you must decide which users and groups should have permission to
log on remotely, and then manually add them to this group.
Important
You must use the Remote Desktop Users group to grant selected users and groups the necessary permission
to make Terminal Services connections to remote computers.
Membership in the Remote Desktop Users group does not also put the user into the local Users group.
Depending on the contents of your local Users group, you might need to add the user to that group also.
Before you give users permission to access the terminal server, you must:
Check the membership of the Administrators group to ensure that you know who has access to the terminal
server.
Decide which users should have permission to access the terminal server.
Determine which users must also be added to the local Users group.
The following table shows the steps you must take to give users permission to access the terminal server.
Task Comments
Open Computer Management (Local), and in the console tree, click Local Users
and Groups. In the details pane, double-click the Groups folder, double-click
Remote Desktop Users, and then click Add. In the Select Users dialog box, click
Add users to the
Locations to specify the search location. To specify the types of objects that you
Remote Desktop
want to search for, click Object Types. In this case, you want to search for Users or
Users group.
Groups. Type the name that you want to add in the Enter the object names to
select (examples) box, and then click Check Names. When the name is located,
click OK.
Note
To open Computer Management, click Start, click Control Panel, double-click
Administrative Tools, and then double-click Computer Management.
Open Computer Management (Local), and in the console tree, click Local Users
and Groups. In the details pane, double-click the Groups folder, double-click Users,
and then click Add. In the Select Users dialog box, click Locations to specify the
Add users to the search location. To specify the types of objects that you want to search for, click
local Users Object Types. In this case, you want to search for Users or Groups. Type the name
group, if they that you want to add in the Enter the object names to select (examples) box,
are not already and then click Check Names. When the name is located, click OK.
members.
Note
To open Computer Management, click Start, click Control Panel, double-click
Administrative Tools, and then double-click Computer Management.

the terminal server role, you will need to reinstall all software, review and update any file or registry permissions
for which you changed default values, and review and update any software restriction policies that were used to
control programs running on the terminal server.
To remove the terminal server role, restart the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click Terminal server, and then click Next. On the Role Removal Confirmation
page, review the items listed under Summary, select the Remove the terminal server role check box, and
then click Next. The following message appears: "During this process, the Configure Your Server Wizard restarts
your computer. Before continuing, close any open programs." If you need to close open programs and you want
to cancel the removal of the Terminal Server role at this time, you must click Cancel now. When you click
Cancel, the Configure Your Server Wizard displays the Cannot Complete page. To close the Configure Your
Server Wizard, click Finish. Otherwise, if you click OK, the Configure Your Server Wizard begins the removal
process.
Next, the Configure Your Server Wizard displays the "Removing Terminal Server" message. The Configuring
Components page of the Windows Components Wizard appears, displays messages about the configuration
changes being made to the computer, and then closes. The Configure Your Server Wizard shuts down the
computer and restarts it to accept the configuration changes that remove this role.
During the restart process, a dialog box displays progress messages, for example, "Windows is starting up" and
"Preparing network connections." Depending on the size of your network, preparing network connections could
take some time. When the Welcome to Windows dialog box appears, press CTRL+ALT+DEL. In the Log on to
Windows dialog box, in Password, type your password. To complete the process, wait for the Configure Your
Server Wizard to appear on the screen. On the Terminal Server Role Removed page, click Configure Your
Server log to see a record of your changes, and then click Finish.
After you remove the terminal server role, you should:
Reinstall all software.
Review any file or registry permissions for which you changed default values and, if necessary, make
changes.
Review any software restriction policies used to control programs running on the terminal server and, if
necessary, make changes.

After you complete the Configure Your Server Wizard and associated tasks, the computer is ready for use as a
basic terminal server that can accept multiple connections from remote clients. Up to this point, you have
completed the following tasks:
Run the Configure Your Server Wizard.

Activated a Terminal Server License Server.
Installed CALs on the Terminal Server License Server.
Installed applications on the terminal server.
Deployed the Remote Desktop Connection .msi file to clients not running Windows XP or Windows Server 2003
operating systems.
Configured user permissions for user access to the terminal server.
The following table lists some additional tasks you might want to perform on your terminal server.

Manage Terminal
Services To enable, disable, rename, or delete a connection. Manage Terminal Services connections
connections.
To grant terminal server access only to selected
users and groups.
Specify connection Managing Terminal Services Users;
permissions. To identify which users and groups are permitted to Managing permissions on connections
perform a given task or tasks on the terminal
server.
Configure terminal
server settings
To configure settings such as Active Desktop,
using either Group
temporary folders, and session limits for individual Configure server settings
Policy or Terminal
users.
Services
Configuration.
To allow users to create a Remote Desktop
Deploy Remote
connection within Internet Explorer, even though
Desktop Web About Remote Desktop Web Connection
the Remote Desktop Connection client is not
Connection.
installed on their computers.
Using Software Restriction Policies in
Control programs
Windows XP and the Windows
running in a To protect terminal servers and users from
Server 2003 family to Protect Against
terminal server unknown, or possibly malicious, programs.
Unauthorized Software at the Microsoft
session.
Web site. (http://www.microsoft.com/)
To ensure that users are transparently reconnected
to the original server hosting their disconnected
Terminal Server sessions. This task applies to
terminal servers that are part of a cluster of
terminal servers, and requires that a server running
Configure Session
either Windows Server 2003, Enterprise Edition, or Load balancing and terminal servers
Directory settings.
a Windows Server 2003, Datacenter Edition, is
visible on the network, and has the Session
Directory service enabled. This session directory
server should not be the server on which the
Terminal Server role is configured.
Remote access/VPN server role: Configuring a remote

access/VPN server
You can configure a server that allows remote users to access resources on your private network over dial-up or
virtual private network (VPN) connections. This type of server is called a remote access/VPN server. Remote
access/VPN servers can also provide network address translation (NAT). With NAT, the computers on your private
network can share a single connection to the Internet. With VPN and NAT, your VPN clients can determine the IP
addresses of the computers on your private network, but other computers on the Internet cannot.
This topic explains the basic steps for configuring a remote access/VPN server using Manage Your Server, the
Configure Your Server Wizard, and the Routing and Remote Access Server Setup Wizard. After you finish
configuring a basic remote access/VPN server, you can complete additional configuration tasks, depending on how
you want to use the remote access/VPN server.
This topic covers:
Before you begin
Configuring your remote access/VPN server

Before you begin

Before you configure your server as a remote access/VPN server, you should verify whether or not:
The operating system is configured correctly. In the Windows Server 2003 family, remote access/VPN depend
on the appropriate configuration of the operating system and its services. If you have a new installation of a
product in the Windows Server 2003 family, you can use the default service settings. No further action is
necessary. If you upgraded to a product in the Windows Server 2003 family or you want to confirm that your
services are configured correctly for best performance and security, verify your service settings by comparing
them to the table in Default settings for services.
Your server is correctly configured for optimal security for your network needs. Because your remote
access/VPN server will connect your private network, the Internet, and your remote clients, you must make sure
the server is secure. The security of your private network depends on the security of your remote access/VPN
server. For more information, see Security information for remote access.
This computer has two network interfaces, one that connects to the Internet and one that connects to the
private network. The connection to the Internet must be a dedicated connection with enough bandwidth that
VPN users can connect to your private network and users on your private network can connect to the Internet.
The connection to computers on your private network must be made through a hardware device, such as a
network adapter.
All needed network protocols have been installed for your network interfaces. For more information, see
Network interfaces.
The following table lists the information that you need to know before you configure a remote access/VPN server.
Before adding a remote

Comments
access/VPN server role
Determine which network
During configuration, you will be asked to choose which network interface
interface connects to the Internet
connects to the Internet. If you specify the incorrect interface, your remote
and which network interface
access/VPN server will not operate correctly.
connects to your private network.
Determine whether remote clients If you have a DHCP server on your private network, the remote access/VPN
will receive IP addresses from a server can lease 10 addresses at a time from the DHCP server and assign those
Dynamic Host Configuration addresses to remote clients. If you do not have a DHCP server on your private
Protocol (DHCP) server on your network, the remote access/VPN server can automatically generate and assign
private network or from the IP addresses to remote clients. If you want the remote access/VPN server to
remote access/VPN server that assign IP addresses from a range that you specify, you must determine what
you are configuring. that range should be.
Determine whether you want
connection requests from VPN
clients to be authenticated by a Adding a RADIUS server is useful if you plan to install multiple remote
Remote Authentication Dial-In access/VPN servers, wireless access points, or other RADIUS clients to your
User Service (RADIUS) server or private network. For more information, see Internet Authentication Service.
by the remote access/VPN server
that you are configuring.
If a DHCP server is on the same subnet as your remote access/VPN server,
DHCP messages from VPN clients will be able to reach the DHCP server after
Determine whether VPN clients the VPN connection is established. If a DHCP server is on a different subnet
can send DHCP messages to the than your remote access/VPN server, make sure that the router between
DHCP server on your private subnets can relay DHCP messages between clients and the server. If your
network. router is running a Windows Server 2003 operating system, you can configure
the DHCP Relay Agent service on the router to forward DHCP messages
between subnets.
Before users can connect to the network, they must have user accounts on the
remote access/VPN server or in Active Directory. Each user account on a stand-
Verify that all users have user alone server or a domain controller contains properties that determine whether
accounts that are configured for that user can connect. On a stand-alone server, you can set these properties by
dial-up access. right-clicking the user account in Local Users and Groups and clicking
Properties. On a domain controller, you can set these properties by right-
clicking the user account in the Active Directory Users and Computers console
and clicking Properties. For more information, see Dial-in properties of a user
account and Active Directory Users and Computers.
Configuring your remote access/VPN server

To configure a remote access/VPN server, start the Configure Your Server Wizard by doing either of the following:
when you log on.
On the Configuration Options page, click Custom configuration and click Next. On the Server Role page,
click Remote access/VPN server, and then click Next.
This section describes the steps in the Routing and Remote Access Server Setup Wizard for configuring a remote
access/VPN server that is not part of an Active Directory domain or part of a network with DNS or DHCP servers. If
you follow these steps, you will configure a remote access/VPN server that provides both dial-up and VPN access
for remote access clients, provides NAT for computers on your private network, generates and assigns IP addresses
for remote access clients, and locally authenticates connection requests.
Using the Routing and Remote Access Server Setup Wizard
Completing configuration in Routing and Remote Access
Removing the remote access/VPN server role
clicked Remote access/VPN server on the Server Role page, the following line appears:
Run the Routing and Remote Access Server Setup Wizard to set up routing and VPN
To apply the selections shown on the Summary of Selections page, click Next. The Configure Your Server
Wizard starts the Routing and Remote Access Server Setup Wizard. If you cancel the Routing and Remote
Access Server Setup Wizard, your remote access/VPN server will not be configured, the Routing and Remote
Access service will not be started, and the Configure Your Server Wizard will display the Cannot Complete
page.
When you complete the Routing and Remote Access Server Setup Wizard and the Configure Your Server Wizard,
the Routing and Remote Access service is started automatically.
Using the Routing and Remote Access Server Setup Wizard

After you choose the remote access/VPN role and confirm your Summary of Selections by clicking Next in the
Configure Your Server Wizard, the Routing and Remote Access Server Setup Wizard starts.
This section describes the following steps in the Routing and Remote Access Server Setup Wizard:
Configuration
VPN Connection
IP Address Assignment
Name and Address Translation Services
Address Assignment Range
Managing Multiple Remote Access Servers
Completing the Routing and Remote Access Server Setup Wizard
Configuration
On the Configuration page, click Virtual Private Network (VPN) access and NAT, and click Next.
Important
This document describes the Virtual Private Network (VPN) access and NAT configuration only. If you
decide to choose a different configuration, review the documentation for Routing and Remote Access before
you complete the Routing and Remote Access Server Setup Wizard. This document will not help you complete
any other role than Virtual Private Network (VPN) access and NAT. For more information about other
configurations, see Common configurations for remote access servers.
VPN Connection
On the VPN Connection page, click the network interface that connects this computer to the Internet. The
network interface that you choose will be configured to receive connections from VPN clients. Any interface that
you do not choose will be configured as a connection to your private network.
In Network Interfaces, the Enable security on the selected interface by setting up Basic Firewall check
box will already be selected. Do not clear this check box. This option configures Basic Firewall, a dynamic packet
filtering service that helps protect your private network from unsolicited network traffic.
IP Address Assignment
On the IP Address Assignment page, the Automatically option is selected automatically. Do not change the
selection. This selection configures your server to generate and assign IP addresses to remote clients.
Name and Address Translation Services

On the Name and Address Translation Services page, the Enable basic name and address services
option is selected automatically. Do not change the selection. This selection configures your server to
automatically assign IP addresses to any computer on your private network that requests one. The selection also
configures your server to forward name resolution requests to a DNS server on the Internet.
Address Assignment Range

The Address Assignment Range page displays the range of addresses that is defined for assignment to any
computer on your network that requests one. This range is generated based on the IP address of the network
adapter you chose on the VPN Connection page. Review the information presented.
Managing Multiple Remote Access Servers

On the Managing Multiple Remote Access Servers page, the No, use Routing and Remote Access to
authenticate connection requests option is selected automatically. Do not change the selection. This
selection configures your server to authenticate connection requests locally by using Windows authentication,
Windows accounting, and locally stored remote access policies.
Completing the Routing and Remote Access Server Setup Wizard

On the Completing the Routing and Remote Access Server Setup Wizard page, review the summary
information. Verify that:
The correct network interface is configured to provide VPN access.
Dial-up and VPN clients are assigned to your private network for addressing.
Client connections are accepted and authenticated using remote access policies for this remote access/VPN
server.
NAT is configured for the correct network interface.
Clients will be assigned IP addresses from the correct range.
If any of the summary information is incorrect, click Back, and then change the information.
If you click Finish, you will not be able to open the Routing and Remote Access Server Setup Wizard again,
unless you either remove the remote access/VPN server role from within the Configure Your Server Wizard or
disable Routing and Remote Access from the Routing and Remote Access snap-in.
After you have ensured that the summary information is correct, click Finish. A message will appear informing
you that, to support the relaying of DHCP messages from remote access clients to a DHCP server, you must
open Routing and Remote Access on the remote access/VPN server and configure DHCP Relay Agent with the IP
address of a DHCP server. Click OK. The Routing and Remote Access service will be started automatically, and
the Configure Your Server Wizard will reappear.

After you complete the Routing and Remote Access Server Setup Wizard, the Configure Your Server Wizard
displays the This Server is Now a Remote Access/VPN Server page. To review all of the changes made to
your server by the Configure Your Server Wizard or to ensure that a new role was installed successfully, click
Configure Your Server log. The Configure Your Server Wizard log is located at systemroot\Debug\Configure
Your Server.log. To close the Configure Your Server Wizard, click Finish.
You are now ready to complete configuration for your remote access/VPN server in Routing and Remote Access.
Completing configuration in Routing and Remote Access

To open Routing and Remote Access, click Manage this remote access/VPN server from Manage Your
Server. You can also open Routing and Remote Access from Administrative Tools. To open Administrative Tools,
click Start, click Control Panel, and then double-click Administrative Tools.
In Routing and Remote Access, double-click the server you have just configured, and then click Remote Access
Policies. The default remote access policy is set to deny all access to everyone. Your users will not be able to
connect to your remote access/VPN server until you edit the default policy to allow access or replace the default
policy with your own policies. Review the default policy by double-clicking it, and then edit it to specify the
access that you want to allow your users.
If this server has been previously configured as a remote access/VPN server or if IAS has been configured on
this server, the remote access policy or policies that appear in Routing and Remote Access might be configured
differently from the default remote access policy. Carefully review all of your remote access policies to ensure
that you have allowed and denied remote access according to your network needs. Be sure that you are not
accidentally allowing or denying more remote access to your network than you intend.
For more information, see Add a remote access policy, Introduction to remote access policies, and To re-create
the default remote access policy.
After you have configured remote access policies, you have completed all necessary configuration for a remote
access/VPN server on a network without a DHCP server. If your network uses a DHCP server, you must also
configure the DHCP Relay Agent before configuration is complete. In Routing and Remote Access, double-click
IP Routing, right-click DHCP Relay Agent, and click Properties. Type the IP address of the DHCP server for
your network in Server address, click Add, and then click OK.

If you need to reconfigure your server for a different role, you can remove existing server roles. When you
remove the remote access/VPN server role, your server will no longer provide dial-up or VPN access for remote
access clients. Additionally, your server will no longer provide NAT for computers on your private network.
Remote users will not be able to connect to your private network, and the computers on your private network
might not be able to connect to the Internet. Basic Firewall will no longer protect the computers on your private
network. After removing the remote access/VPN server role, consider adding another firewall to protect the
computers on your private network, if your network does not already have one. Test your private network to
make sure computers on the private network have the level of access to the Internet required by your business
needs. Reconfigure remote access policies in IAS to deny all remote access attempts.
To remove the remote access/VPN server role, restart the Configure Your Server Wizard by doing either of the
following:
On the Server Role page, click Remote access/VPN server, and then click Next. On the Role Removal
Confirmation page, review the items listed under Summary, select the Remove the remote access/VPN
server role check box, and then click Next. In the dialog box that asks you to confirm that you want to disable
the router and remove the remote access configuration, click Yes. On the Remote Access/VPN Server Role
Removed page, click Finish.

After you complete the Configure Your Server Wizard and complete configuration in Routing and Remote Access,
your server is ready for use as a remote access/VPN server that provides both VPN access and NAT. Up to this
point, you have completed the following:
Started the Routing and Remote Access service.
Configured your server to accept VPN and dial-up connections.
Configured your server to provide NAT for your private network.
Configured remote access policies to allow users to connect to the server running Routing and Remote Access.
If the network uses a DHCP server, configured the DHCP Relay Agent to forward DHCP messages from remote
access clients to the DHCP server.
If you have completed all of these tasks, you have created a basic remote access/VPN server that will allow remote
computers to connect to your server with a dial-up or a VPN connection and provide network address translation
(NAT) for your private network.
The following table lists additional tasks that you might want to perform on your remote access/VPN server.

Configure static packet
To add static packet filters to better protect your network. To add local host filters
filters.
Configure services and To choose which services on your private network you
To configure services and ports
ports. want to make available for remote access users.
To configure the level of event details that you want to
Adjust logging levels To log details for a routing
log. You can decide what information you want to track
for routing protocols. protocol
your log files.
Configure the number
To add or remove VPN ports. To add PPTP or L2TP ports
of VPN ports.
Create a Connection
To manage the client connection experience for your users Connection Manager
Manager profile for
and simplify troubleshooting client connections. Administration Kit
your users.
Certificate Services; Computer
Add Certificate To configure and manage a certification authority (CA) on
certificates for L2TP/IPSec VPN
Services. a server for use in a public key infrastructure (PKI).
connections
To protect your remote users and your private network by
Increase remote Security information for remote
enforcing the use of secure authentication methods,
access security. access
requiring higher levels of data encryption, and more.
To protect your remote users and your private network by
Increase VPN security. requiring the use of secure routing and tunneling Security information for VPN
protocols, configuring account lockout, and more.

Domain controllers store data and manage user and domain interactions, including user logon processes,
authentication, and directory searches. If you plan to use this server to provide the Active Directory directory
service to network users and computers, configure this server as a domain controller.
To configure a server as a domain controller, install Active Directory on the server. There are four options available
in the Active Directory Installation Wizard. You can create an additional domain controller in an existing domain, a
domain controller for a new child domain, a domain controller for a new domain tree, or a domain controller for a
new forest. If you are not sure which role you need, read about each role by clicking the role option.
Notes
If you have already installed a domain controller role and you want to view next steps, in the list below, click
the domain controller configuration that you installed, and then click Next steps: Completing additional
tasks.
the domain controller role, you will uninstall Active Directory from this server. After Active Directory has been
uninstalled, this server will no longer participate in replication of directory objects and domain-based user
authentication requests. For more information, see the sections below.
Click the type of domain controller role that you want to create:
i Creating an additional domain controller for an existing domain
j
k
l
m
n
j Creating a domain controller for a new forest
k
l
m
n
j Creating a domain controller for a new child domain
k
l
m
n
j Creating a domain controller for a new domain tree
k
l
m
n

Domain Name System (DNS) servers host records of a distributed DNS database and use the records they host to
resolve DNS name queries sent by DNS client computers, such as queries for the names of Web sites or computers
in your network or on the Internet. If you plan to use this computer to answer DNS queries for computers in your
network, then add the DNS server role.
This topic explains the basic steps that you must follow to configure a DNS server for either a small organization or
a branch office in a large organization. For both scenarios, this topic explains the basic steps you must follow to
configure a DNS server and configure it with a DNS zone for your network. This topic will also cover how to forward
queries for external resources to a DNS server either run by an Internet service provider (ISP), as in the case of a
small organization, or run by the central office of a large organization, as in the case of the branch office.
This process involves using the Configure Your Server Wizard, the Configure a New DNS Server Wizard, and
Manage Your Server to configure the server as a DNS server. When you have finished setting up a DNS server, you
can complete additional configuration tasks, depending on how you want to use the DNS server.
Note
A DNS server is not usually necessary in a small business because the Windows Internet Name Service (WINS)
name resolution method is used to locate network resources, and resources on the Internet are located using
the DNS servers run by an ISP. However, as more networks are becoming integrated with the Internet, DNS is
becoming more common in small networks.
Using DNS in your network does not necessarily require that you administer a DNS infrastructure. If you have a
small network in which information is maintained dependably, then you can choose to have your DNS
namespace administered by a different organization that specializes in DNS administration, such as your
government or an ISP. In this case, the different organization will host and administer your DNS information for
you or integrate your computers with an existing DNS server hosted in its network.
This topic covers:

Before you begin
Configuring your DNS server
Before you begin

Before you configure your computer as a DNS server, verify whether or not:
The operating system is configured correctly. In the Windows Server 2003 family, the DNS Server service
depends on the appropriate configuration of the operating system and its services, such as TCP/IP. If you have
a new installation of a Windows Server 2003 operating system, then you can use the default service settings. No
further action is necessary. If you upgraded to a Windows Server 2003 operating system, or if you want to
verify that your service settings are configured correctly for the best performance and security, then see Default
settings for services.
All available disk space is allocated. You can use Disk Management or DiskPart.exe to create a new partition
from unallocated space. For more information, see To create a partition or logical drive.
The following table lists the information that you need to know before you add a DNS server role.
For all organizations

Before adding a DNS
Comments
server role
If you are going to deploy Active Directory, then the DNS servers used to support
Determine if you are adding
Active Directory will be installed and configured automatically by the Active Directory
the DNS server role to
Installation Wizard. For more information, see Typical setup for a first server and
support Active Directory.
Domain controller role: Configuring a domain controller.
Inventory the security DNS was originally designed as an open protocol and is therefore vulnerable to
policies of your network and attackers. Windows Server 2003 DNS provides features for a very secure DNS
company to see how they infrastructure. To configure DNS to support these security policies, have your
can be maintained when company's security policies available when designing and deploying your DNS server,
broadcasting DNS data over zones, and resource records. For more information, see Security information for
the Internet. DNS.
Review the DNS checklist. Review the information in Checklist: Installing a DNS server.
For a small organization
Before adding a DNS
Comments
server role
Choosing the first DNS domain name for your company involves selecting a domain
name that is unique within the DNS namespace of the Internet.
Choose the first DNS domain If your organization has a Web site, use your existing Web site name as a starting
name for your company. point for your DNS domain name. If the name of your Web site is
www.humongousinsurance.com, create the first domain name as an extension of this
name using the subdomain name corp, for example, corp.humongousinsurance.com.
In order for your DNS deployment to work over the Internet, both the IP addresses
Check with your ISP to and DNS domain name used by your network must be registered with an authorized
determine that your network Internet registrar. These organizations are responsible for assigning IP addresses and
Internet Protocol (IP) DNS domain names and keeping public records of the assignments.
addresses are registered If you are connected to the Internet, then your company's network is most likely a
with an Internet registrar. subnet of your ISP's network. In this case, the IP addresses of the subnet will have
been registered with the Internet registrar.
Register the DNS domain name you will use for your company even if you are
deploying DNS in a private network. If you do not register the name and later
attempt to use it on the Internet, or connect to a network that is connected to the
Internet, you might find that the name is unavailable because some other company
Register your DNS domain has registered the name. You can also have your ISP register your DNS domain
name with an Internet name for you.
registrar. When deciding on your DNS domain name, search the Internet to see what domain
names are available using one of the Web sites provided by an authorized Internet
registration authority. To search the Internet for available domain names, see the
Internet Network Information Center (InterNIC) Web site. Web addresses can
change, so you might be unable to connect to the Web site or sites mentioned here.
Understand that the name of
the first DNS zone this DNS When you configure the DNS server role, you will define the first DNS zone that this
server will host is the same DNS server will host using the domain name of the DNS domain of your network,
as the DNS domain name such as corp.humongousinsurance.com.
you registered.
Obtain the IP address of one
or more DNS servers hosted You will configure the DNS server with a forwarder to send queries for names that
by your ISP to use as a are not in your network to a DNS server at your ISP.
forwarder.
For a branch office in a large organization
Before adding a DNS
Comments
server role
The first DNS domain name for your branch office is a subdomain of a domain used
Obtain the DNS domain in the network at your central office. For example, if your central office uses the
name for your network from domain name corp.humongousinsurance.com, the DNS domain name for your branch
your central office. office could be seattle.corp.humongousinsurance.com. Always confirm that your DNS
domain name has been properly delegated from the central office.
Configuring your DNS server

To configure a DNS server, start the Configure Your Server Wizard by doing either of the following:
To open the Configure Your Server Wizard, click Start, point to All Programs, point to Administrative Tools,
and then click Configure Your Server Wizard.
On the Server Role page, click DNS server, and then click Next.
Setting a static DNS server IP address
Using the Configure a DNS Server Wizard
Removing the DNS server role
DNS Server on the Server Role page, the following appears:
Install DNS Server
Run the Configure a DNS Server Wizard to configure DNS
If the Summary of Selections page lists these two items, click Next. If the Summary of Selections page
does not list these two items, click Back to return to the Server Role page, click DNS server, and then click
Next.
Setting a static DNS server IP address

After you click Next, the Configure Your Server Wizard installs the DNS Server service. During the installation of
the DNS Server service, the Configure Your Server Wizard determines whether the IP address for this server is
static or is configured automatically. DNS servers are located by DNS clients by using static IP addresses, and an
IP address that is automatically configured can cause problems for DNS clients when the IP address changes.
If this server is currently configured to obtain its IP address automatically, the Configuring Components page
of the Windows Components Wizard appears, and prompts you to configure this server with a static IP address.
In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click
Properties. In the Internet Protocols (TCP/IP) Properties dialog box, click Use the following IP
address, and then type the static IP address, subnet mask, and default gateway for this server. In Preferred
DNS server, type the IP address of this server. In Alternate DNS server, type the IP address of the DNS
server hosted by your ISP or central office. When you finish setting up the static addresses for your DNS server,
click OK, and then click Close.
Notes
For a small organization, the static IP address for this server will be used to register the DNS domain name
for your company with an authorized Internet registrar. The Internet registrar will map the DNS domain name
for your company with the IP address so that computers on the Internet looking for computers in your
network will know the IP address of the DNS server for your network.
For a branch office, the static IP address for this server will be used in the domain name delegation
configured on a DNS server at the central office of your organization. Computers in your organization and on
the Internet looking for computers in your network will use the IP address of the DNS server for your
network. For this reason, it is very important that you do not change the IP address of this server after you
have added the DNS server role.
Using the Configure a DNS Server Wizard

After you click Close, the Configure a DNS Server Wizard starts. If you cancel the Configure a DNS Server
Wizard, the DNS Server service remains installed, but it cannot distribute IP addresses to clients until you create
a scope. If you choose to create a scope later, you can do so using the DNS console.
This section describes the following steps in the Configure a DNS Server Wizard:
Select Configuration Action
Primary Server Location
Zone Name
Dynamic Update
Forwarders
Completing the Configure a DNS Server Wizard
Select Configuration Action

On the Select Configuration Action page, select Create a forward lookup zone, and then click Next.
Primary Server Location

To specify that this DNS server will host a DNS zone that contains DNS resource records for your network
resources, on the Primary Server Location page, select This server maintains the zone, and then click
Next.
Zone Name
On the Zone Name page, in Zone name, specify the name of the DNS zone for your network, and then click
Next. The name of the zone is the same as the name of the DNS domain for your small organization or branch
office.
Dynamic Update
On the Dynamic Update page, click Allow both nonsecure and secure dynamic updates, and then click
Next. This will automate the update of the DNS resource records for the resources in your network.
Forwarders
On the Forwarders page, click Yes, it should forward queries to DNS servers with the following IP
addresses, and then click Next. By selecting this configuration, you forward all DNS queries for DNS names
outside of your network to a DNS server at either your ISP or central office. Type one or more IP addresses used
by DNS servers run by either your ISP or central office.
Completing the Configure a DNS Server Wizard

On the Completing the Configure a DNS Server Wizard page of the Configure a DNS Server Wizard, you can
click Back to change any of the settings. To apply your selections, click Finish.

After you complete the Configure a DNS Server Wizard, the Configure Your Server Wizard displays the This
Server is Now a DNS Server page. To review all of the changes made to your server by the Configure Your
Server Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The
Configure Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the
Configure Your Server Wizard, click Finish.

the DNS server role from this server you should configure the TCP/IP settings of this server, and any clients
using this server as their DNS server, with the IP address of a different DNS server.
To remove the DNS server role, restart the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click DNS server, and then click Next. On the Role Removal Confirmation page,
review the items listed under Summary, select the Remove the DNS server role check box, and then click
Next. After you click Next, the Configuring Components page of the Windows Components Wizard appears,
and then closes automatically. You cannot click Back or Next on this page. On the DNS Server Role Removed
page, click Finish.
After you complete the Configure Your Server Wizard and the Configure a New DNS Server Wizard, your server is
ready for use as a DNS server. Up to this point, you have completed the following tasks:
Set the DNS server to use a static IP address.
Configured the DNS zone for your network.
Configured the DNS server to forward all DNS queries for DNS names outside your network to a DNS server at
your ISP or central office.
When you complete the Configure Your Server Wizard, it automatically installs the DNS console, which you use to
manage your DNS server. To open DNS, click Start, click Control Panel, double-click Administrative Tools, and
then double-click DNS.
The following table lists some of the additional tasks that you might want to perform on your DNS server.
Tasks Purpose of task Reference

Configure the computers in
To connect your DNS clients to the DNS server and dynamically To configure TCP/IP
your network to use this
update the zone with the DNS resource records required for to use DNS;
DNS server as their
name resolution. Dynamic update
preferred DNS server.
To secure your DNS server from external queries. For example,
If this server is a a server acting as proxy server can have two network adapters,
multihomed computer, one for the intranet and one for the Internet. If that server is To restrict a DNS
configure the DNS Server also running the Windows Server 2003 DNS Server service, you server to listen only
service to respond to can configure the service to only use the intranet network on selected
queries on the local network adapter. By configuring this server to respond only to queries addresses
IP address only. on the local network IP address, you will secure the server from
unwanted Internet queries.
Verify the server To ensure that the DNS configuration performed using the Verifying server
configuration. Configure a New DNS Server Wizard is correct. configuration
To verify DNS server
Verify DNS server
To verify that the DNS server is able to resolve DNS queries for responsiveness
responsiveness using the
resources in your network. using the nslookup
nslookup command.
command
Verify that a resource To verify that the computers that use the DNS server can be To verify A resource
records exist in DNS. located on the network. records exist in DNS

DHCP servers centrally manage IP addresses and related information and provide it to clients automatically. This
allows you to configure client network settings at a server, instead of configuring them on each client computer. If
you want this computer to distribute IP addresses to clients, then configure this computer as a DHCP server.
This topic explains the basic steps that you must follow to configure a DHCP server. When you have finished setting
up a basic DHCP server, you can complete additional configuration tasks, depending on how you want to use the
DHCP server.
This topic covers:
Before you begin
Configuring your DHCP server
Before you begin

Before you configure your computer as a DHCP server, verify that:
You are familiar with DHCP concepts such as scopes, leases, and options. For more information, see DHCP
terminology.
The operating system is configured correctly. In the Windows Server 2003 family, DHCP depends on the
Server 2003 operating system, then you can use the default service settings. No further action is necessary. If
you upgraded to a Windows Server 2003 operating system, or if you want to confirm that your services are
configured correctly for best performance and security, then verify your service settings using the table in

This computer has a static IP address. For more information, see To configure TCP/IP for static addressing.
When you add the DHCP server role, you create one scope that defines the range of IP addresses that the DHCP
server allocates to the clients on one subnet. You need to create one scope for each subnet that has clients that
you want to manage using DHCP. The following table lists the information that you need to know before you add
the DHCP server role, so that you can create the first scope. You need to collect the same information for each
additional scope.
Before adding a DHCP server

Comments
role
Security issues might affect the way you deploy DHCP servers. For more
Review DHCP security issues. information about DHCP security best practices, see Security information for
DHCP.
Use the entire range of consecutive IP addresses that make up the local IP
subnet. In many cases, a private address range is the best choice. For more
Identify the range of IP
information and a list of all the IP address ranges approved for use on private
addresses that the DHCP server
networks, see RFC 1918, "Address Allocation for Private Internets", at the
should allocate to the clients.
Internet Engineering Task Force Web site. Web addresses can change, so you
might be unable to connect to the Web site or sites mentioned here.
Determine the correct subnet When the DHCP server leases an IP address to a client, the server can specify
mask for the clients. additional configuration information, including the subnet mask.
Identify any IP addresses that
For example, a server or a network-connected printer often has a static IP
the DHCP server should not
address, and the DHCP server must not offer this IP address to clients.
allocate to clients.
The default is eight days. In general, the duration of the lease should be equal to
the average time that the clients on this subnet are active. For example, the
Decide the duration of the lease
ideal duration may be longer than eight days if the clients are desktop computers
of the IP addresses.
that are rarely turned off, or it may be shorter than eight days if the clients are
mobile devices that frequently leave the network or are moved between subnets.
(Optional) Identify the IP
address of the router (default
When the DHCP server leases an IP address to a client, the server can specify
gateway) that the clients should
additional configuration information, including the IP address of the router.
use to communicate with clients
on other subnets.
(Optional) Identify the name of
additional configuration information, including the name of the DNS domain to
the DNS domain of the clients.
which the clients belong.
(Optional) Identify the IP When the DHCP server leases an IP address to a client, the server can specify
address of the DNS server that additional configuration information, including the IP address of the DNS server
the clients should use. that the clients should contact to resolve the name of another computer.
(Optional) Identify the IP
additional configuration information, including the IP address of the WINS server
address of the WINS server that
that the clients should contact to resolve the NetBIOS name of another
the clients should use.
computer.
Configuring your DHCP server

To configure a DHCP server, start the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click DHCP server, and then click Next.
Using the New Scope Wizard

Removing the DHCP server role
DHCP Server on the previous page, the following appears:
Install DHCP Server
Run the New Scope Wizard to configure a new DHCP scope
Using the New Scope Wizard

After you click Next, the Configure Your Server Wizard installs the DHCP Server service, and then starts the
New Scope Wizard to collect information and add the DHCP server role. If you cancel the New Scope Wizard, the
DHCP Server service remains installed, but it cannot distribute IP addresses to clients until you create a scope. If
you choose to create a scope later, you can do so using the DHCP console.
This section describes the following steps in the New Scope Wizard:
Scope Name
IP Address Range
Add Exclusions
Lease Duration
Configure DHCP Options
Router (Default Gateway)
Domain Name and DNS Servers
WINS Servers
Activate Scope
Completing the New Scope Wizard
Scope Name
On the Scope Name page, in Name, type a name for the scope that you are creating. In Description, type a
description (this is optional). Most networks have several subnets, and each subnet requires its own scope, so a
DHCP server usually manages multiple scopes. Choose a name and description that help you distinguish
between the various scopes.
IP Address Range
On the IP Address Range page, define the range of IP addresses in this scope by typing the IP addresses at
the start and the end of that range. The wizard uses the IP addresses that you type to determine the correct
subnet mask. The correct subnet mask automatically appears in Subnet mask.
In the unusual case where the clients on this subnet need to use a subnet mask other than the one that the
wizard provides, you must type it in Subnet mask, or type the number of bits of the subnet mask in Length.
Add Exclusions
On the Add Exclusions page, you can define the IP addresses that the DHCP server should not allocate to
clients. For example, the DHCP server itself has a static IP address that must not be allocated to clients. The
same is true of the default gateway and of various network devices, such as network-connected printers. You
must exclude these IP addresses so that the DHCP server does not allocate them to clients.
It is recommended that you exclude more IP addresses than you currently need because it is easier to truncate
an exclusion range than it is to expand it. Exclude IP addresses from the beginning or the end of the range of
possible IP addresses, not from the middle. For example, if the range of IP addresses on this subnet is from
10.0.0.1 to 10.0.0.255, and you want to exclude ten IP addresses, then define the exclusion range as either of
the following:
10.0.0.1 to 10.0.0.10
10.0.0.245 to 10.0.0.255
For each range of IP addresses that you want to exclude, type the IP address at the beginning of the range in
Start IP address, type the IP address at the end of the range in End IP address, and then click Add.
This step eases client administration, but it is optional. If you leave all fields of this page blank and click Next,
clients will still be able to obtain IP addresses from the DHCP server.
Lease Duration
On the Lease Duration page, you can define how long a client can use an IP address from this scope.
The DHCP server leases IP addresses to its clients. Each lease has an expiration date and time. The client must
renew the lease if it is going to continue to use that IP address. The default duration of the lease is eight days.
Configure DHCP Options

On the Configure DHCP Options page, you can specify whether to configure DHCP options.
It is recommended that you accept the default, Yes, I want to configure these options now, and click Next,
even if you do not want to configure the options. If you choose No, I will configure these options later, then
the following occurs:
The New Scope Wizard creates the scope but does not activate it, and you must use the DHCP console to
activate the scope in order for clients to receive IP addresses from this scope. For information about how to
activate a scope using the DHCP console, see To activate a scope.
You will not see the next four wizard pages described below. Continue reading at Completing the New Scope
Wizard.
Router (Default Gateway)

On the Router (Default Gateway) page, you can specify the routers (also known as default gateways) that
clients should use. You can add as many IP addresses as there are routers on this subnet.
Domain Name and DNS Servers

On the Domain Name and DNS Servers page, you can specify the name of the domain that clients on this
subnet should use when they resolve DNS names.
You can also specify the DNS server that clients should use to resolve DNS names. You can type the IP address
of that DNS server, or you can type its name and click Resolve, and the wizard will determine the IP address for
you. You can add several DNS servers.
WINS Servers
On the WINS Servers page, you can specify the WINS server that clients should communicate with to register
and resolve NetBIOS names. You can type the IP address of that WINS server, or you can type its name and
click Resolve, and the wizard will determine the IP address for you. You can add several WINS servers.
Activate Scope
On the Activate Scope page, you can activate the scope or choose to activate it later. In most cases, you
should accept the default and activate the scope now. If you choose to activate the scope later, you can do so
using the DHCP console. You must activate the scope to allow clients on the subnet of this scope to obtain IP
addresses from the DHCP server.
Completing the New Scope Wizard

On the Completing the New Scope Wizard page, you can click Back to change any of the settings. To apply
your selections, click Finish.

After you complete the New Scope Wizard, the Configure Your Server Wizard displays the This Server is Now a
DHCP Server page. To review all of the changes made to your server by the Configure Your Server Wizard or to

the DHCP server role, you must reconfigure clients to obtain IP addresses from another DHCP server. Also, if you
want clients to continue using the IP addresses distributed by this server, you must configure another DHCP
server to distribute those addresses.
To remove the DHCP server role, restart the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click DHCP server, and then click Next. On the Role Removal Confirmation page,
review the items listed under Summary, select the Remove the DHCP server role check box, and then click
Next. After you click Next, the Configuring Components page of the Windows Components Wizard appears,
and then closes automatically. You cannot click Back or Next on this page. On the DHCP Server Role
Removed page, click Finish.

After you complete the Configure Your Server Wizard, the computer is ready for use as a basic DHCP server that
can manage IP addresses and related information. Up to this point, you have installed the DHCP Server service and
created one scope that manages IP addresses and related information for the clients on one subnet. If you want to
manage clients on other subnets, you must create additional scopes. If you have not activated the scope, then you
must activate the scope to allow clients on the subnet of this scope to obtain IP addresses from the DHCP server.
When you complete the Configure Your Server Wizard, it automatically installs the DHCP console, which you use to
manage your DHCP server. To open DHCP, click Start, click Settings, click Control Panel, double-click
Administrative Tools, and then double-click DHCP.
The following table lists some of the additional tasks that you might want to perform on your DHCP server.

To activate scopes that you created with the New Scope Wizard
Activate existing scopes. To activate a scope
that are not currently active.
Authorize the DHCP server To detect unauthorized DHCP servers and prevent them from Authorizing DHCP
in Active Directory. starting or running on your network. servers
Add support for a routed To enable the DHCP server to act as a relay agent, which Configure the DHCP
network. forwards DHCP messages between subnets. Relay Agent

Assign a server-based To simplify administration by setting default values that all new To assign a server-
scope option. scopes will inherit. based option
Change or view scope To change or view
To change or view the properties of an existing scope.
properties. scope properties
To create a new
Create new scopes. To create scopes that support clients on other subnets.
scope
To define an IP address that the DHCP server should not
To add a client
Add a client reservation. allocate to a client because another client is permanently using
reservation
it.
Streaming media server role: Configuring a streaming

media server
You can use Windows Media Services to stream audio and video content to clients over the Internet or an intranet.
Clients might be computers or devices that play back the content using a player, such as Windows Media Player, or
they might be computers running Windows Media Services (called Windows Media servers) that proxy, cache, or
redistribute your content. Clients can also be custom applications that have been developed with the Windows
Media Software Development Kit (SDK).
If you want this computer to provide audio and video content streams to clients and to other Windows Media
servers, then configure this computer as a streaming media server.
Notes
This feature is not available on Windows® XP 64-Bit Edition and the 64-bit versions of the Windows®
Server 2003 family. For more information, see Features unavailable on 64-bit versions of the Windows
Server 2003 family.
This topic explains the basic steps that you must follow to configure a streaming media server. When you have
finished the basic steps, you can complete additional configuration tasks, depending on how you want to use the
streaming media server.
This topic covers:
Before you begin
Configuring your streaming media server
Before you begin

Before you configure your computer as a streaming media server, verify whether or not:
The operating system is configured correctly. In the Windows Server 2003 family, Windows Media Services
depends on the appropriate configuration of the operating system and its services. If you have a new
installation of a Windows Server 2003 operating system, you can use the default service settings. No further
action is required. If you upgraded to a Windows Server 2003 operating system, or if you want to confirm that
your services are configured correctly for best performance and security, then verify your service settings using
the table in Default settings for services.
Configuring your streaming media server

To configure a streaming media server, start the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click Streaming media server, and then click Next.
Completing the streaming media server role configuration
Removing the streaming media server role
Streaming media server on Server Role page, the following appears:
Install Windows Media Services
After you click Next on the Summary of Selections page, the Configure Your Server Wizard installs Windows
Media Services. Unlike many other services, Windows Media Services installs without any input from the
administrator.

After the components are configured, the Configure Your Server Wizard displays the This Server is Now a
Streaming Media Server page. To review all of the changes made to your server by the Configure Your Server
Wizard or to ensure that a new role was installed successfully, click Configure Your Server log. The Configure
Your Server Wizard log is located at systemroot\Debug\Configure Your Server.log. To close the Configure Your
Server Wizard, click Finish.
Completing the streaming media server role configuration

After you complete the Configure Your Server Wizard, the computer is ready for use as a basic streaming media
server that can provide content to clients and to other streaming media servers. Additional configuration is
usually required, and the specific steps depend on your requirements. This section explains the basic decisions
you must make in order to configure the streaming media server.
Note
If you have installed Windows Media Services on this computer, you can view Windows Media Services Help.
To open Windows Media Services Help, click Start, click Run, and then type hh wmserver.chm.
The streaming media server role supports many scenarios, which Windows Media Services Help describes in
detail. For more information, see Scenarios in Windows Media Services Help. Most scenarios require you to
reconfigure an existing publishing point or create a new one. You need to make one decision, and possibly two,
and the results determine which of the three main publishing point configurations you should use. The following
table shows how the decisions relate to configurations.
Use this publishing point

If you And you want to use
configuration
Want clients to control
One server connection per client On-demand, unicast
playback
Do not want clients to control
One server connection per client Unicast broadcast
playback
Do not want clients to control One server connection, shared by
Multicast broadcast
playback all clients
Control of playback
Control of playback means that the client should be able to start, stop, pause, rewind, and fast-forward. With
on-demand, unicast, the client controls playback, and the user experience is similar to playing a movie from a
VCR or a DVD player. This type of playback requires an on-demand publishing point. An on-demand publishing
point distributes pre-recorded content, such as audio and video files. When you add the streaming media server
role, the wizard creates an on-demand publishing point named <Default>. You can distribute your media files
at this publishing point, or you can create a publishing point. The configuration steps for an on-demand
publishing point are similar to those presented in Stream Windows Media files on-demand in Windows Media
Services Help. If you choose to use an on-demand publishing point, you must use unicast delivery.
If the client does not control playback, the user experience is similar to viewing a television program. This type
of playback requires a broadcast publishing point. This type of publishing point distributes pre-recorded and live
content. When you add the streaming media server role, the wizard creates a broadcast publishing point named
Sample_Broadcast that contains sample content. You should leave this sample intact and create a new
broadcast publishing point. If you choose to create a broadcast publishing point, see Server connections.
For more information about on-demand and broadcast publishing point types, see About publishing point types
in Windows Media Services Help.
Server connections
With unicast broadcast, the server creates a separate connection to each client. As a result, unicast delivery can
consume a large amount of network bandwidth. For example, delivering the same content to 100 clients
simultaneously consumes 100 times as much network bandwidth as delivering the content to one client.
However, unicast delivery does not require any configuration of network routers and switches. The steps to
configure a publishing point this way are similar to those presented in Use your server to publish live content
from Windows Media Encoder in Windows Media Services Help. For more information about unicast delivery, see
Delivering content as a unicast stream in Windows Media Services Help.
With multicast broadcast, the server does not create a connection to any client. Instead, the server delivers the
content to a Class D Internet Protocol (IP) address on the network, and any client on the network can receive it.
This conserves network bandwidth. For example, a multicast delivery to 100 clients consumes only as much
bandwidth as delivery to one client. However, many networks by default do not support multicast delivery. To
support multicast delivery, the network routers and switches between the server and the clients must be
configured to transmit Class D IP addresses and interpret multicast information packets. The steps to configure a
publishing point this way are similar to those presented in Use your server to broadcast a stream published by
Windows Media Encoder in Windows Media Services Help. For more information about multicast delivery, see
Delivering content as a multicast stream in Windows Media Services Help.

the streaming media server role, clients will no longer be able to connect to the publishing points of this server,
and encoders will no longer be able to send media streams through the server. All content stored or distributed
only on this server will become unavailable.
To remove the streaming media server role, restart the Configure Your Server Wizard by doing either of the
following:
On the Server Role page, click Streaming media server, and then click Next. On the Role Removal
Confirmation page, review the items listed under Summary, select the Remove the streaming media
server role check box, and then click Next. After you click Next, the Configuring Components page of the
Windows Components Wizard appears, and then closes automatically. You cannot click Back or Next on this
page. On the Streaming Media Server Role Removed page, click Finish.

Up to this point, you have installed Windows Media Services. The installation added Windows Media Services to
your server, installed the Help files, and created two publishing points that contain sample content.
The following table lists some of the additional tasks that you might want to perform on your streaming media
server.
Tasks Purpose of task Reference
Configure security To control access to the streaming Configuring security options in Windows Media Services
options. media server and its content. Help

Click Start, click Run, and then type
To become more familiar with Windows
Take the tour. %systemroot%\system32\windows
Media Services capabilities.
media\server\admin\mmc\hta\tour_.hta
To become more familiar with
Review streaming streaming media concepts such as
Understanding terminology in Windows Media Services
media terms and unicast and multicast, on-demand and
Help
concepts. broadcast, archiving, publishing points,
and announcing content.
Determine how
many streaming To plan ahead for the number of Setting up a streaming media system, Planning your
media servers you servers you need to install. capacity in Windows Media Services Help
need.
To prevent problems when Windows
Identify port Using HTTP streaming and other services on the same
Media Services attempts to use the
conflicts. computer in Windows Media Services Help
same TCP port as a Web server.
Review
instructions for
To ensure that you understand how to
upgrading an Upgrading Windows Media Services in Windows Media
upgrade other servers running earlier
earlier version of Services Help
versions of Windows Media Services.
Windows Media
Services.
The Windows Audio service is disabled
by default on a new installation of
Windows Server 2003, Datacenter
Enable the Edition, or Windows Server 2003,
Windows Audio Enterprise Edition. This does not To enable or disable a service for a hardware profile
service. prevent the server from streaming
audio to clients, but you should enable
audio in order to test content playback
on the server.
Start the Windows
Click Start, click Run, and then type
Media Services To configure your streaming media
%systemroot%\system32\windows
management server.
media\server\admin\mmc\wmsadmin.msc
interface.
To configure your streaming media
server to stream content over an
intranet or the Internet. Before you
Manage your
begin streaming content, you must Managing your Windows Media server in Windows
streaming media
configure settings for your server Media Services Help
server.
running Windows Media Services, add
and configure publishing points, and
set up your content.
Log data and To record the activity of the clients that Logging data and events in Windows Media Services
events. connect to your content. Help
Content management methods and
priorities will differ from one project to
Manage and another based on a variety of factors, Content management and production in Windows
produce content. such as audience demographics, Media Services Help
content type, available equipment, and
deployer experience.
Decide how to To determine whether to configure the
obtain content encoder to push a stream to the Sourcing from an encoder in Windows Media Services
from the Windows server, or to configure the server to Help
Media Encoder. pull a stream from the encoder.
To store the most recently streamed
content for use by other clients seeking
the same material. During live
Implement a
broadcasts, cache/proxy servers can Implementing a cache/proxy system in Windows Media
cache/proxy
perform a task called stream splitting Services Help
system.
which allows many unicast clients to
receive content while only a single
stream is sent from the origin server.
WINS server role: Configuring a WINS server

Windows Internet Name Service (WINS) servers dynamically map IP addresses to computer names (NetBIOS
names). This allows users to access resources by computer name instead of by IP address. If you want this
computer to keep track of the names and IP addresses of other computers in your network, configure this
computer as a WINS server.
This topic explains the basic steps that you must follow to configure a WINS server. When you have finished setting
up a basic WINS server, you can complete additional configuration tasks, depending on how you want to use the
WINS server.
This topic covers:
Before you begin
Configuring your WINS server
Before you begin

Before you configure your computer as a WINS server, verify that:
You are familiar with WINS concepts such as NetBIOS names, WINS server, WINS clients, and replication
partners. For more information, see Understanding WINS.
The operating system is configured correctly. In the Windows Server 2003 family, WINS depends on the
appropriate configuration of the operating system and its services. If you have a new installation of a product in
the Windows Server 2003 family, you can use the default service settings. No further action is necessary. If you
upgraded to a product in the Windows Server 2003 family, or if you want to confirm that your services are
configured correctly for best performance and security, then verify your service settings using the table in
You know how many WINS servers you need to install and where to locate each server on your network. When
you add the WINS server role, you configure this server to maintain a database of computer names and IP
addresses. In a large network, you may need to add the WINS server role to additional servers in order to
ensure that client computers always have access to at least one WINS server. For more information, see
Planning WINS networks.
This computer has a static IP address. For more information, see To configure TCP/IP for static addressing.
Configuring your WINS server

To configure a WINS server, start the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click WINS server, and then click Next.
Removing the WINS server role
WINS server on the previous page, the following appears:
Install WINS
You cannot click Back or Next on this page. The Configure Your Server Wizard installs the WINS Server service.
Unlike many other services, the WINS service installs without any input from the administrator.
If you cancel Configure Your Server, then WINS Server service is not installed. To install it later, restart Manage
Your Server and add the WINS role.

After the components are configured, the Configure Your Server Wizard displays the This Server is Now a
WINS Server page. To review all of the changes made to your server by the Configure Your Server Wizard or to

the WINS server role, and this server is the only WINS server that clients can use to register and resolve
computer names, you need to add the WINS role to another server. Also, if this server is configured to replicate
WINS database information with other WINS servers, then you must reconfigure replication on those other WINS
servers.
To remove the WINS server role, restart the Configure Your Server Wizard by doing either of the following:
On the Server Role page, click WINS server, and then click Next. On the Role Removal Confirmation page,
review the items listed under Summary, select the Remove the WINS server role check box, and then click
Next. On the WINS Server Role Removed page, click Finish.

After you complete the Configure Your Server Wizard, the computer is ready for use as a basic WINS server that
can keep track of server IP addresses and provide this information when a client requests it. Up to this point, you
have installed the WINS Server service on one server. If you want to support WINS clients on a complex network,
you may need to install additional WINS servers on other subnets.
The following table lists some of the additional tasks that you might want to perform on your WINS server.

View WINS name Finding and
records registered Verify that the WINS server is functioning correctly. viewing WINS
at the server. records
WINS uses several default server configuration parameters that determine
how NetBIOS name records are managed in the WINS server database.
Modify WINS server These parameters are usually acceptable. You may want to modify them in Modifying server
defaults. special circumstances, such as when a host name change must be made, or defaults
when you renumber the network so that clients and servers use a different
set of IP addresses.
Configure
Configuring WINS
replication settings WINS servers replicate database changes to each other so that each WINS
replication;
on primary and server has the same information about the servers on the network and the
Configure
secondary WINS IP address of each.
replication
servers.
To remove a server role
1. Open Manage Your Server.

2. Under Managing Your Server Roles, click Add or remove a role.
3. In the Configure Your Server Wizard, on the Preliminary Steps page, click Next.
4. On the Server Role page, click the role that you want to remove, and then click Next.
5. On the Role Removal Confirmation page, select the Remove the server role check box, and then click
Next.
6. On the Server Role Removed page, click Finish.
Important
When you remove a server role, you might break dependencies that exist between the server role and other
programs. Be sure to test removing the server role in a test environment before doing so on your network.
Notes
To perform this procedure, you must be a member of the Administrators group on the local computer, or you
must have been delegated the appropriate authority. If the computer is joined to a domain, members of the
Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run
as to perform this procedure.
To open Manage Your Server, click Start, click Control Panel, double-click Administrative Tools, and then
double-click Manage Your Server.
For more information about removing specific server roles and any dependencies that might be affected, see the
following:
Removing the domain controller role

Configuring Roles

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Configuring Roles

Caricato da

Copyright:

Formati disponibili

Configuring roles for your server Page 1 of 55

Configuring roles for your server

File server role overview

Print server role overview

Application server role overview

Mail server role overview

mail client, configure this server as a mail server.

Terminal server role overview

Remote access/VPN server role overview

Domain controller role overview

DNS server role overview

DHCP server role overview

Streaming media server role overview

WINS server role overview

Typical setup for a first server

Typical setup configuration process

Next steps: Typical setup for a first server

File server role: Configuring a file server

Before you begin

Before adding a file

Configuring your file server

File Server Disk Quotas

File Server Indexing Service

or through HTML pages that they view in a browser.

Using the Share a Folder Wizard

Name, Description, and Settings

After you finish, click Next.

Share permission Comments

Sharing was Successful

Completing the Configure Your Server Wizard

Removing the file server role

Next steps: Completing additional tasks

If necessary, turned on Indexing Service.

Task Purpose of task Reference

Print server role: Configuring a print server

Before you begin

Before adding a print server

Configuring your print server

Using the Add Printer Wizard

Printers and Printer Drivers

After you finish, click Next.

Using the Add Printer Wizard

Local or Network Printer

After you finish, click Next.

After you finish, click Next.

After you finish, click Next.

Install Printer Software

Use Existing Driver

Name Your Printer

After you finish, click Next.

Location and Comment

Print Test Page

After you finish, click Next.

Completing the Add Printer Wizard

Using the Add Printer Driver Wizard

Printer Driver Selection

Processor and Operating System Selection

Completing the Add Printer Driver Wizard

Completing the Configure Your Server Wizard

Removing the print server role

Next steps: Completing additional tasks

Task Purpose of task Reference

Application server role: Configuring an application server