Understanding System Configuration
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
This topic provides a general overview of the initial system configuration tasks that you perform with Component Services after you install the operating system.
The Component Services snap-in requires the Microsoft Distributed Transaction Coordinator (DTC) service to be running. If the DTC is stopped and you attempt to change any settings by using the Component Services snap-in, the DTC service starts again. If error messages appear when you attempt to use the Component Services snap-in, verify that the DTC is started. If the DTC is not started, start it again in the Services MMC snap-in. To open the Services snap-in, click Start, point to Administrative Tools, and then click Services.
Setting control on the system application
The System Application folder is located in the COM+ Applications folder of the Component Services snap-in. The System Application manages configuration and deployment in Component Services. To guard access to this important application, you must define who can administer the environment. This step is necessary for making any changes to your Component Services configuration, including installing an application or adding a computer.
The System Application uses role-based security with roles such as Administrator, Reader, Server Application, Any Application, and QC Trusted User. Members of the Administrator role have Read and Write access to the System Application. They can add, change, or delete any of the settings in the Component Services snap-in. Only members of the Administrator role can install COM+ applications on the system. By default, the local Administrators group is the only member of this role. Only users who belong to the local Administrators group can be added to the Administrator role.
You must assign at least one user or group to the Administrator role; otherwise, no one can administer Component Services.
Members of the Reader role have read-only access to the System Application. They can view settings in the Component Services snap-in, but they cannot change, add, or delete anything. By default, Everyone belongs to this role, meaning that anyone who has access to the computer can view the Component Services settings.
For security reasons you might not want members of the Everyone group to be able to view the Component Services settings. If so, you should delete Everyone from the Reader role and add only those users to whom you want to assign Read access to the Component Services settings. You must restart the computer for the changes to take effect.
Members of the Server Application role are allowed to run COM+ server applications, while members of the Any Application role are allowed to run both COM+ server and COM+ library applications. By default, Everyone belongs to each role.
Members of the QC Trusted User role are trusted to transmit messages for queued components on behalf of other users. By default, this role has no members.
Members of the QC Trusted User role are allowed to specify an arbitrary identity, which means that a malicious member could execute a queued component call with elevated privileges. It is therefore recommended that the number of such users be kept to an absolute minimum.
To set administrative security on the System Application, see Set Administrative Security.
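The role defaults and recommendations described above can be reviewed with a read-only script. The following is an added example, not part of the original topic: it reads the roles of the System Application through the COM+ administration catalog (COMAdmin.COMAdminCatalog) and flags an empty Administrator role, Everyone in the Reader role, and any member of the QC Trusted User role. It assumes English role and group names and an elevated PowerShell session on the computer being reviewed.

```powershell
# Added example: read-only audit of System Application role membership.
# Assumes English names ('System Application', 'Everyone') and an elevated session.
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()

$system = $apps | Where-Object { $_.Name -eq 'System Application' }
if (-not $system) { throw 'System Application not found in the COM+ catalog.' }

# Roles is a child collection of the application; UsersInRole is a child of each role.
$roles = $apps.GetCollection('Roles', $system.Key)
$roles.Populate()

$report = foreach ($role in $roles) {
    $users = $roles.GetCollection('UsersInRole', $role.Key)
    $users.Populate()
    $members = @($users | ForEach-Object { $_.Value('User') })
    $hasEveryone = [bool]($members -match '(^|\\)Everyone$')

    $finding = 'OK'
    switch ($role.Name) {
        'Administrator' {
            # With no members, no one can administer Component Services.
            if ($members.Count -eq 0) { $finding = 'FAIL: role has no members' }
        }
        'Reader' {
            # Default membership; lets anyone with access view the settings.
            if ($hasEveryone) { $finding = 'REVIEW: Everyone has Read access' }
        }
        'QC Trusted User' {
            # Members can specify an arbitrary identity for queued component calls.
            if ($members.Count -gt 0) { $finding = 'REVIEW: keep membership to a minimum' }
        }
    }

    [pscustomobject]@{
        Role    = $role.Name
        Members = $members -join ', '
        Finding = $finding
    }
}

$report | Format-Table -AutoSize -Wrap
```

The script only reads the catalog and makes no changes; role membership is changed as described in Set Administrative Security.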
Making computers visible to Component Services
You can manage COM+ applications and their transactions remotely, but first you must make the remote computer visible to Component Services. Add any computer that you want to administer to the console tree of the Component Services snap-in. To add computers to Component Services, see Make Computers Visible to Component Services.
The DCOM wire protocol handles all network communication between Component Object Model (COM) components running on separate computers. You must enable DCOM for each computer with COM components that communicate with other components across the network. Although disabling DCOM has no effect on communication between components on the same computer, all communication is disabled between components on separate computers when DCOM is disabled. To enable component communication across computer boundaries, see Enable or Disable DCOM.