Select Server Roles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Server roles describe the main function or functions performed by a server in your organization. Server roles must have role-specific services enabled. Security Configuration Wizard (SCW) enables services that are necessary for the selected server to perform the server roles that you select on this page and disables and unnecessary services for those roles.

By selecting a role, you automatically select all of its dependent roles.

You can use the Back and Next buttons throughout SCW to look ahead or go back and change a setting. If a role you want is not installed, and it is not in the Security Configuration Database, then it will not appear in the All roles view or any other view.


  • It is not recommended to select the Routing and Remote Access Server (RRAS) role, Internet Security and Acceleration (ISA) role, and Internet Connection Sharing (ICS) task to be enabled on the same server when configuring the SCW policy. At most, one of the three roles should be selected to ensure conflicts do not arise with the resultant network security policy.

  • If an SCW security policy is applied to a server before Internet Information Services (IIS) is installed, the server will be configured with the Hypertext Transport Protocol (HTTP) Secure Sockets Layer (SSL) service disabled, as HTTP SSL is not required on a computer that is not a Web server. In order for IIS to be active, the HTTP SSL service must first be started, as IIS cannot run without the HTTP SSL service. The Administrator must first ensure that both the HTTP SSL and IIS services have been started in order for SCW to detect IIS.

  • To see services and other server roles that are required for a specific role, click the triangle next to the server role. SCW lists a description of the role, required services, and dependent server roles.

  • When you edit an existing policy, the settings are determined by the policy that is being edited, not by the state of the computer running SCW.

  • When you are using SCW to apply policy, a selected check box means the associated service will be enabled and ports may be opened. You may block them later in SCW. A cleared check box means the service will be disabled, and the ports will be blocked.

  • The role selections made here affect other choices throughout SCW. For example, if you chose a domain controller server role, only options that are appropriate for a domain controller appear later.

  • If you create a policy and select an uninstalled role, and you subsequently edit that policy and the role is still not installed, then the previously selected role will not be selected during edit mode. You will have to select that role again from the list of uninstalled roles if you want it to be selected. This design facilitates the common task of editing a policy that was originally created on a server that has since been reconfigured.

  • When the cluster server role is selected, SCW makes no changes to the startup mode for cluster-aware services.

  • When you configure servers in an environment where redirection is used, as in a server cluster, you should use IP addresses rather than Domain Name System (DNS) names to specify servers.

  • When you create a policy for servers that require the Distributed Transaction Coordinator (DTC) service, the Middle-Tier application server role should be selected on the Select Server Roles page of SCW.

You can change the view in which server roles are presented. By default, installed server roles are shown. These are server roles that the selected server can perform without installing additional components. If you are creating a new security policy, the roles that the server currently performs are selected by default. If you are editing an existing security policy, the roles enabled by the policy are selected by default. You can view all server roles in the Security Configuration Database by changing the view to All server roles. To enable the services that are necessary for the selected server to perform its installed server roles, select the appropriate server roles in the list. If you plan to install other server roles on the selected server or if you are going to apply this security policy to other computers that have slight differences in role configuration, in View, select All server roles and select the appropriate server roles.

For more information about the Security Configuration Database, see Security Configuration Database.