System Configuration Concepts

This section provides a general overview of the initial system configuration tasks you must perform for the Component Services administrative tool after you have installed Windows. For detailed information about performing each task, see System Configuration Tasks.

Note   The Component Services administrative tool requires the Microsoft Distributed Transaction Coordinator (DTC) service to be running. If the DTC is stopped and you attempt to change any settings using the Component Services administrative tool, the DTC service is restarted. If you get errors when attempting to use the Component Services administrative tool, verify that the DTC is started and if not, restart it. For more information about starting and stopping the DTC, see Starting and Stopping the DTC.

Setting Control on the System Application

The System Application, located in the COM+ Applications folder of the Component Services administrative tool, manages configuration and deployment within Component Services. To guard access to this important application, you must define who can administer the environment. This step is necessary for making any changes to your Component Services configuration, including installing an application or adding a computer.

The System Application uses role-based security with roles such as Administrator, Reader, Server Application, Any Application, and QC Trusted User. Members of the Administrator role have read and write access to the System Application. They can add, change, or delete any of the settings in the Component Services administrative tool. Only members of the Administrator role can install COM+ applications on the system. By default, the local Administrators group is the only member of this role. Only users who belong to the local Administrators group can be added to the Administrator role.

Warning   You must assign at least one user or group to the Administrator role; otherwise, no one can administer Component Services.

Members of the Reader role have read-only access to the System Application. They can view settings in the Component Services administrative tool, but they cannot change, add, or delete anything. By default, Everyone belongs to this role, meaning that anyone who has access to the computer can view the Component Services settings.

Note   For security reasons you might not want Everyone to be able to view the Component Services settings. If so, you should delete Everyone from the Reader role and add only those users who should be allowed read access to the Component Services settings. You must restart the computer for the changes to take effect.

Members of the Server Application role are allowed to run COM+ server applications, while members of the Any Application role are allowed to run both COM+ server and COM+ library applications. By default, Everyone belongs to each role.

Members of the QC Trusted User role are trusted to transmit messages for queued components on behalf of other users. By default, this role has no members.

Note   Members of the QC Trusted User role are allowed to specify an arbitrary identity, which means that a malicious member could execute a queued component call with elevated privileges. It is therefore recommended that the number of such users be kept to an absolute minimum. For more information about security considerations when using COM+ Queued Components, see Administering Queued Components.

For instructions on setting administrative security on the System Application, see Setting Administrative Security. For additional information about security, see Administering Application Security and Administering Trustworthy Computing.
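
The following PowerShell sketch is an added example, not part of the original documentation. It uses the COM+ administration catalog (COMAdmin.COMAdminCatalog) to list the members of each System Application role and flag the conditions described above. It assumes a local elevated session and that the Everyone principal is stored under its English name.

```powershell
# Added example: read-only audit of System Application role membership.
# Assumption: the well-known group appears as "Everyone" (English name).
$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection('Applications')
$apps.Populate()

# Locate the System Application in the COM+ Applications collection.
$sysApp = foreach ($a in $apps) { if ($a.Name -eq 'System Application') { $a } }
if (-not $sysApp) { throw 'System Application not found in the COM+ catalog.' }

$roles = $apps.GetCollection('Roles', $sysApp.Key)
$roles.Populate()

$report = foreach ($role in $roles) {
    # Each role has a UsersInRole collection; the account is in the "User" property.
    $users = $roles.GetCollection('UsersInRole', $role.Key)
    $users.Populate()
    $members = @(foreach ($u in $users) { $u.Value('User') })
    $hasEveryone = [bool]($members -match '(^|\\)Everyone$')

    # Map each role to the condition the documentation warns about.
    $finding = switch ($role.Name) {
        'Administrator' {
            if ($members.Count -eq 0) { 'No members: no one can administer Component Services' }
        }
        'Reader' {
            if ($hasEveryone) { 'Everyone can view Component Services settings' }
        }
        'QC Trusted User' {
            if ($members.Count -gt 0) { 'Members can specify an arbitrary identity; keep to a minimum' }
        }
        default {
            if ($hasEveryone) { 'Contains Everyone' }
        }
    }

    [pscustomobject]@{
        Role    = $role.Name
        Members = $members -join ', '
        Finding = $finding
    }
}

$report | Format-Table -AutoSize -Wrap
```

The script only reads the catalog; it never calls SaveChanges, so it does not alter role membership.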

Making Computers Visible to Component Services

Any computer you want to administer for Component Services should be added to the console tree of the Component Services administrative tool. Unless a computer is visible to the Component Services administrative tool, you cannot set security or install applications for it. For instructions on adding computers to Component Services, see Making Computers Visible to Component Services.

Configuring Distributed COM

The distributed COM (DCOM) wire protocol handles all network communication between COM components running on separate computers. You must enable DCOM for each computer with COM components that communicate with others across the network. Disabling DCOM has no effect on communication between components on the same computer, but it disables all communication between components on separate computers. For instructions on enabling component communication across machine boundaries, see Enabling or Disabling Distributed COM.