Windows Server® 2008 R2 includes Server Manager, a new tool with which administrators can either install or remove server roles, or manage those roles after they are installed. Server Manager provides centralized control of a server, regardless of the combination of roles installed.

Server Manager alleviates the need for administrators to use multiple tools in order to install, secure, and manage a server role. Server Manager installs server roles that are secure by default. With Windows Server 2008 R2 installed, there is no longer a need to run the Security Configuration Wizard (SCW) following a server role installation to configure services and ports for the role.


Adding Roles to Your Server

In Windows Server 2008 R2, you can add roles to the server by using the Add Roles Wizard, Windows PowerShell cmdlets for Server Manager, or the Server Manager command-line tool, ServerManagerCmd.exe. You can start the Add Roles Wizard from either the Initial Configuration Tasks window or from Server Manager.

For more information about how to use Windows PowerShell cmdlets or ServerManagerCmd.exe, see the Server Manager Help.

Roles Available for Installation in This Release

The following roles are available for installation by opening the Add Roles Wizard, either from the Initial Configuration Tasks window, or from Server Manager.


The roles and features described in this topic may have been updated since this content was published. To check for updates, or learn more about managing roles and features described in this topic, see the Windows Server 2008 R2 TechCenter. Some roles and features might not be available on specialized editions of Windows Server 2008 R2.

Role Name Description

Active Directory Certificate Services

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing certificates in software security systems that use public key technologies. You can use AD CS to create one or more certification authorities (CA) to receive certificate requests, verify the information in the requests and the identity of the requester, issue certificates, revoke certificates, and publish certificate revocation data.

Applications supported by Active Directory Certificate Services include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), IP security (IPSec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

Active Directory Domain Services

Active Directory Domain Services (AD DS) stores information about users, computers, and other devices on the network. AD DS helps administrators securely manage this information and facilitates resource sharing and collaboration between users. AD DS is also required to be installed on the network in order to install directory-enabled applications such as Microsoft Exchange Server and for applying other Windows Server technologies such as Group Policy.

Active Directory Federation Services

Active Directory Federation Services (AD FS) provides Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications that use a single user account. AD FS accomplishes this by securely federating, or sharing, user identities and permissions, in the form of digital claims, between partner organizations.

Active Directory Lightweight Directory Services

Organizations that have applications which require a directory for storing application data can use Active Directory Lightweight Directory Services (AD LDS) as the data store. AD LDS runs as a non-operating-system service. Therefore, AD LDS does not require deployment on a domain controller. Running as a non-operating-system service allows multiple instances of AD LDS to run at the same time on a single server, and each instance can be configured independently for servicing multiple applications.

Active Directory Rights Management Services (AD RMS)

Active Directory Rights Management Services is information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define exactly how a recipient can use the information, such as who can open, change, print, forward, or take other actions with the information. Organizations can create custom usage rights templates such as "Confidential – Read-Only" that can be applied directly to information such as financial reports, product specifications, customer data, and e-mail messages.

Application Server

Application Server provides a complete solution for hosting and managing high-performance distributed business applications. Integrated services, such as the .NET Framework, Web Server Support, Message Queuing, COM+, Windows Communication Foundation, and Failover Clustering support improve productivity throughout the application life cycle, from design and development through deployment and operations.

Dynamic Host Configuration Protocol Server

The Dynamic Host Configuration Protocol (DHCP) allows servers to assign, or lease, IP addresses to computers and other devices that are enabled as DHCP clients. Deploying DHCP servers on the network automatically provides computers and other TCP/IP-based network devices with valid IP addresses and the additional configuration parameters these devices need. These parameters, known as DHCP options, allow the devices to connect to other network resources, such as DNS servers, WINS servers, and routers.

DNS Server

Domain Name System (DNS) provides a standard method for associating names with numeric Internet addresses. This lets users refer to network computers by using easy-to-remember names instead of a long series of numbers. Windows DNS services can be integrated with DHCP services, eliminating the need to add DNS records as computers are added to the network.

Fax Server

Fax Server sends and receives faxes, and lets you manage fax resources such as jobs, settings, reports, and fax devices on this computer or on the network.

File Services

File Services provides technologies for storage management, file replication, distributed namespace management, fast file searching, and streamlined access to files for client computers, such as UNIX-based client computers.


Hyper-V

Hyper-V provides the services that you can use to create and manage virtual computing environments and their resources. Virtual computers operate in an isolated operating environment. This lets you run multiple operating systems at the same time. You can use a virtualized computing environment to improve the efficiency of your computing resources by using more of your hardware resources.

Network Policy and Access Services

Network Policy and Access Services delivers many different methods to give users local and remote network connectivity, to connect network segments, and to allow network administrators to centrally manage network access and client health policies. With Network Access Services, you can deploy VPN servers, dial-up servers, routers, and 802.11-protected wireless access. You can also deploy RADIUS servers and proxies, and use Connection Manager Administration Kit to create remote access profiles that let client computers connect to the network.

Print and Document Services

Print and Document Services enables you to centralize print server and network printer management tasks. With this role, you can also receive scanned documents from network scanners, and route the documents to a shared network resource, a Windows SharePoint Services site, or to e-mail addresses.

Remote Desktop Services

Remote Desktop Services provides technologies that enable users to access Windows-based programs that are installed on a remote desktop server, or to access the Windows desktop itself, from almost any computing device. Users can connect to a remote desktop server to run programs and to use network resources on that server.

Web Server (IIS)

The Web Server (IIS) role in Windows Server 2008 R2 lets you share information with users on the Internet, an intranet, or an extranet. Windows Server 2008 R2 delivers IIS 7.5, a unified Web platform that integrates IIS, ASP.NET, and Windows Communication Foundation.

Windows Deployment Services

You can use Windows Deployment Services to remotely install and configure Windows operating systems on computers that have Pre-boot Execution Environment (PXE) boot ROMs. Administration overhead is decreased through the implementation of the WdsMgmt Microsoft Management Console (MMC) snap-in that manages all aspects of Windows Deployment Services. Windows Deployment Services also provides end users an experience consistent with Windows Setup.

Windows Server Update Services

Windows Server Update Services allows network administrators to specify the Microsoft updates that should be installed, to create separate groups of computers for different sets of updates, and to obtain reports on the compliance levels of the computers and on the updates that must be installed.

The Add Roles Wizard

The Add Roles Wizard simplifies installing roles on the server, and allows you to install multiple roles at one time. You no longer have to open Add or Remove Windows Components multiple times to install all the roles, role services, and features that you want on the server. A single session in the Add Roles Wizard can complete the configuration of the server.

The Add Roles Wizard verifies that all the software components that are required by a role install with any role you select in the wizard. If it is necessary, the wizard prompts you to approve the installation of other roles, role services, or software components that are required by roles that you select.

Most roles and role services that are available for installation require you to make decisions during the installation process that determine how the role operates in your enterprise. For example, Active Directory Federation Services (AD FS) requires the installation of a certificate.

Before you install a role on the server, we recommend that you read documentation specific to the planning, deployment, and operation of the role, available on the Windows Server 2008 R2 TechCenter.

To start the Add Roles Wizard
  • In the Roles Summary area of the Server Manager main window, click Add Roles.

    -- or --

    In the Customize this server area of the Initial Configuration Tasks window, click Add Roles.

    • The Initial Configuration Tasks window opens by default when a member of the Administrators group logs on to the computer.
    • Server Manager opens when the Initial Configuration Tasks window is closed. You can also open Server Manager by using shortcuts on the Start menu or in Administrative Tools.

Adding Features to Your Server

In Windows Server 2008 R2, you can add available features to the server by using the Add Features Wizard.

Adding Features to Your Server by Using the Add Features Wizard



You can add the following features by using the Add Features Wizard.

Feature Description

.NET Framework 3.5.1

The .NET Framework 3.5.1 builds incrementally on the features added in the .NET Framework 3.0, such as enhancements to Windows Workflow Foundation (WF), Windows Communication Foundation (WCF), Windows Presentation Foundation (WPF) and Windows CardSpace.

Background Intelligent Transfer Service

Background Intelligent Transfer Service (BITS) asynchronously transfers files in the foreground or background, throttles the transfers to preserve the responsiveness of other network applications, and automatically resumes file transfers after network connection failures or computer restarts.

BitLocker Drive Encryption

BitLocker Drive Encryption helps protect data on lost, stolen or inappropriately decommissioned computers by encrypting the volume and checking the integrity of early boot components. Data is only decrypted if those components are successfully verified and the encrypted drive is located in the original computer. Integrity checking requires a compatible trusted platform module (TPM).


BranchCache

BranchCache, available on both Windows Server 2008 R2 and Windows 7, enables client computers in a branch office to retrieve content securely and locally, instead of retrieving it from a central office server. Because branch offices are typically connected over slower WAN links, BranchCache reduces WAN traffic, and increases application responsiveness on the client computer.

Connection Manager Administration Kit

Connection Manager Administration Kit (CMAK) generates Connection Manager profiles.

Desktop Experience

Desktop Experience includes features of Windows® 7, such as Windows Media Player, desktop themes, and photo management. Desktop Experience does not enable any of the Windows 7 features by default. You must manually enable them.

Direct Access Management Console

Direct Access Management Console provides direct access setup and monitoring.

Failover Clustering

Failover Clustering allows multiple servers to work together to provide high availability of services and applications. Failover Clustering is frequently used for file and print services, database and mail applications.

Group Policy Management

Group Policy Management makes it easier to deploy, manage, and troubleshoot Group Policy implementations. The standard tool is Group Policy Management Console (GPMC), a scriptable Microsoft Management Console (MMC) snap-in that provides a single administrative tool for managing Group Policy across the enterprise.

Ink and Handwriting Services

Ink and Handwriting Services, new for Windows Server 2008 R2, provides support for handwriting recognition in multiple languages, together with support for using a pen or stylus with a pressure-sensitive computing interface, such as a tablet computer.

Internet Printing Client

Internet Printing Client enables users to connect and print to printers on the local network or over the Internet by using Internet Printing Protocol (IPP). You can use the Internet Printing Client and IPP to connect to the shared printer by using a Web browser (if the print server has the Internet Printing role service installed), or by using the Network Printer Installation Wizard.

Internet Storage Name Server

Internet Storage Name Server (iSNS) provides discovery services for iSCSI storage area networks. iSNS processes registration requests, deregistration requests, and queries from iSNS clients.

LPR Port Monitor

Line Printer Remote (LPR) Port Monitor allows users who have access to UNIX-based computers to print on devices attached to them.

Message Queuing

Message Queuing provides guaranteed message delivery, efficient routing, security, and priority-based messaging between applications. Message Queuing also accommodates message delivery between applications that run on different operating systems, use dissimilar network infrastructures, are temporarily offline, or that are running at different times.

Multipath I/O

Multipath I/O (MPIO), together with the Microsoft Device Specific Module (DSM) or a third-party DSM, provides support for using multiple data paths to a storage device on Windows.

Network Load Balancing

Network Load Balancing (NLB) distributes traffic across several servers, by using the TCP/IP networking protocol. NLB is especially useful for ensuring that stateless applications, such as a Web server that is running IIS, are scalable by adding additional servers as the load increases.

Peer Name Resolution Protocol

Peer Name Resolution Protocol (PNRP) allows applications to register on and resolve names from your computer, so that other computers can communicate with these applications.

Quality Windows Audio Video Experience (qWave)

Quality Windows Audio Video Experience (qWave) is a networking platform for audio and video (AV) streaming applications on IP-based home networks. qWave improves AV streaming performance and reliability by ensuring network quality-of-service for AV applications. It provides admission control, run time monitoring and enforcement, application feedback, and traffic prioritization. On Windows Server platforms, qWave provides only rate-of-flow and prioritization services.

Remote Assistance

Remote Assistance enables you (or a support person) to offer assistance to users who have computer issues or questions. Remote Assistance lets you view and share control of the user’s desktop in order to troubleshoot and fix the issues. Users can also ask for help from friends or co-workers.

Remote Differential Compression

The Remote Differential Compression (RDC) feature is a set of APIs that applications can use to determine whether a set of files have changed, and if that is the case, to detect which sections of the files contain the changes.

Remote Server Administration Tools

Remote Server Administration Tools enables remote management of Windows Server 2008 and Windows Server 2008 R2 from a computer running Windows Server 2008 R2 by allowing you to run some of the management tools and snap-ins for roles, role services, and features on a remote computer.

RPC Over HTTP Proxy

RPC Over HTTP Proxy is a proxy that is used by objects that receive remote procedure calls (RPC) over HTTP. This proxy allows clients to discover these objects even if the objects are moved between servers or if they exist in discrete areas of the network, usually for security reasons.

Services for Network File System

Services for Network File System (NFS) is a protocol that acts as a distributed file system, allowing a computer to access files over a network as easily as if they were on its local disks. This feature is available for installation in Windows Server 2008 R2 for Itanium-based Systems only; in other versions of Windows Server 2008 R2, Services for NFS is available as a role service of the File Services role.

Simple TCP/IP Services

Simple TCP/IP Services supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. Simple TCP/IP Services is provided for backward compatibility and should not be installed unless it is required.

SMTP Server

Simple Mail Transfer Protocol (SMTP) Server supports the transfer of e-mail messages between e-mail systems.

SNMP Services

Simple Network Management Protocol (SNMP) is the Internet standard protocol for exchanging management information between management console applications—such as HP Openview, Novell NMS, IBM NetView, or Sun Net Manager—and managed entities. Managed entities can include hosts, routers, bridges, and hubs.

Storage Manager for SANs

Storage Manager for Storage Area Networks (SANs) helps you create and manage logical unit numbers (LUNs) on Fibre Channel and iSCSI disk drive subsystems that support Virtual Disk Service (VDS) in your SAN.

Subsystem for UNIX-based Applications

Subsystem for UNIX-based Applications (SUA), together with a package of support utilities available for download from the Microsoft Web site, enables you to run UNIX-based programs, and compile and run custom UNIX-based applications in the Windows environment.

Telnet Client

Telnet Client uses the Telnet protocol to connect to a remote telnet server and run applications on that server.

Telnet Server

Telnet Server allows remote users, such as those running UNIX-based operating systems, to perform command-line administration tasks and run programs by using a telnet client.

Trivial File Transfer Protocol Client

Trivial File Transfer Protocol (TFTP) Client is used to read files from, or write files to, a remote TFTP server. TFTP is primarily used by embedded devices or systems that retrieve firmware, configuration information, or a system image during the boot process from a TFTP server.

Windows Biometric Framework

Windows Biometric Framework (WBF) allows fingerprint devices to be used to identify and verify identities, and to log on to Windows. WBF includes sub features that are required to let you use fingerprint devices.

Windows Internal Database

Windows Internal Database is a relational data store that can be used only by Windows roles and features, such as AD RMS, Windows Server Update Services, and Windows System Resource Manager.

Windows Process Activation Service

Windows Process Activation Service (WAS) generalizes the IIS process model, removing the dependency on HTTP. All the features of IIS that were previously available only to HTTP applications are now available to applications hosting Windows Communication Foundation (WCF) services by using non-HTTP protocols. IIS 7.5 also uses WAS for message-based activation over HTTP.

Windows Server Backup Features

Windows Server Backup Features allow you to back up and recover your operating system, applications, and data. You can schedule backups to run one time each day or more frequently, and can protect the complete server or specific volumes.

Windows Server Migration Tools

Windows Server Migration Tools lets an administrator migrate some server roles, features, operating system settings, shares, and other data from computers that are running certain editions of Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 to computers that are running Windows Server 2008 R2. For more information about Windows Server Migration Tools and migrating roles, features, or other data to Windows Server 2008 R2, see the Windows Server Migration Portal.

Windows System Resource Manager

Windows System Resource Manager (WSRM) is a Windows Server operating system administrative tool that can control how CPU and memory resources are allocated. Managing resource allocation improves system performance and lowers the risk that applications, services, or processes will interfere with one another to reduce server efficiency and system response.

WinRM IIS Extension

Windows Remote Management (WinRM) IIS Extension enables a server to receive a management request from a client computer by using the WS-Management protocol. WinRM is the Microsoft implementation of the WS-Management protocol. This helps secure communication between local and remote computers by using Web-based services.

Windows Internet Name Service Server

Windows Internet Name Service (WINS) Server provides a distributed database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on the network. WINS maps NetBIOS names to IP addresses and solves the problems arising from NetBIOS name resolution in routed environments.


Windows PowerShell Integrated Scripting Environment (ISE)

Windows PowerShell ISE is a graphical host application for Windows PowerShell. Windows PowerShell ISE lets you run commands, and write, edit, run, test, and debug scripts in an environment that displays syntax in colors and that supports Unicode.

Windows TIFF iFilter

Windows Tagged Image File Format (TIFF) iFilter uses optical character recognition (OCR) software to enable users to search for TIFF documents based on textual content in the images.

Wireless LAN Service

Wireless LAN (WLAN) Service configures and starts the WLAN AutoConfig service, regardless of whether the computer has any wireless adapters. WLAN AutoConfig enumerates wireless adapters, and manages both wireless connections and the wireless profiles that contain the settings required to configure a wireless client to connect to a wireless network.

XPS Viewer

An XML Paper Specification (XPS) document is a document format that you can use to view, save, share, digitally sign, and protect your document’s content. You can use XPS Viewer to view, search, set permissions for, and digitally sign XPS documents.

Open the Add Features Wizard in one of the following two ways.

To start the Add Features Wizard
  • In the Features Summary area of the Server Manager main window, click Add Features.

    -- or --

    In the Customize this server area of the Initial Configuration Tasks window, click Add Features.

    • The Initial Configuration Tasks window opens by default when a member of the Administrators group logs on to the computer.
    • Server Manager opens when the Initial Configuration Tasks window is closed. You can also open Server Manager by using shortcuts on the Start menu or in Administrative Tools.

Enabling Remote Desktop

The Enable Remote Desktop command in the Initial Configuration Tasks window opens the System Properties dialog box and displays the Remote tab.

Remote Desktop allows other users on a network to connect to the computer by providing the computer's name or IP address, and typically, logon credentials. Connected users see the remote computer's desktop and can use its installed programs as if they are working on a local computer. The Enable Remote Desktop command is provided in the Initial Configuration Tasks window to reduce the number of deployment steps required by administrators who are configuring Remote Desktop Services in their enterprise.

Click Help me choose on the Remote tab for full descriptions of the options available for enabling Remote Desktop.

Configuring the Windows Firewall

The Configure Windows Firewall command in the Initial Configuration Tasks window opens the Windows Firewall dialog box.

In Windows Server 2008 R2, Windows Firewall is turned on by default. By default, roles, role services, and features are installed with appropriate Windows Firewall settings. You only have to configure specific Windows Firewall settings for roles, role services, and features installed on the computer if specific conditions in your enterprise require modifications to default settings.

Windows Firewall settings can be accessed in the Initial Configuration Tasks for any of the following scenarios.

  • When administrators must change firewall settings for other applications that are installed on the server

  • When their enterprise has unique firewall configuration needs

  • When they do not require Windows Firewall because they use either different firewall software, or a hardware solution

To change Windows Firewall settings, you must be a member of the Administrators group on the local computer.
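
A post-build check that combines the Windows PowerShell cmdlets for Server Manager mentioned under Adding Roles to Your Server with the firewall defaults described in this section. This is an added example, not part of the original documentation. The allow-list contents, the function names `Get-FeatureAudit` and `Get-FirewallProfileState`, and the feature `Name` values are assumptions; confirm the names against the output of `Get-WindowsFeature` on your own server.

```powershell
# Added example: post-build check for a Windows Server 2008 R2 server.
# Run from an elevated Windows PowerShell 2.0 session on the server itself.
Import-Module ServerManager

# Hypothetical allow-list (assumption): the roles, role services and features
# that your build standard permits on this server. Entries are values from the
# Name column of Get-WindowsFeature.
$Approved = @('DNS', 'DHCP', 'GPMC')

# The page says Simple TCP/IP Services is provided for backward compatibility
# and should not be installed unless required. 'Simple-TCPIP' is assumed to be
# its Name value; the audit warns if a listed name is not recognised.
$CompatOnly = @('Simple-TCPIP')

function Get-FeatureAudit {
    param([string[]]$Approved, [string[]]$CompatOnly)

    $all   = @(Get-WindowsFeature)
    $known = @($all | ForEach-Object { $_.Name })

    # A misspelled name would silently never match, so surface it.
    foreach ($name in @($Approved + $CompatOnly)) {
        if ($known -notcontains $name) {
            Write-Warning "Not a feature name on this server: $name"
        }
    }

    # Role services are returned as separate entries, so every installed
    # role service must be on the allow-list in its own right.
    foreach ($f in ($all | Where-Object { $_.Installed })) {
        if ($CompatOnly -contains $f.Name)   { $status = 'CompatibilityOnly' }
        elseif ($Approved -contains $f.Name) { $status = 'Approved' }
        else                                 { $status = 'NotInBaseline' }

        New-Object PSObject -Property @{
            Name = $f.Name; DisplayName = $f.DisplayName; Status = $status
        }
    }
}

function Get-FirewallProfileState {
    # Parses "netsh advfirewall show allprofiles state". The patterns assume
    # English-language output; on other locales nothing is returned and the
    # caller reports that the state could not be read.
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings') {
            $current = $Matches[1]
        }
        elseif ($current -and $line -match '^State\s+(\w+)') {
            New-Object PSObject -Property @{ Profile = $current; State = $Matches[1] }
            $current = $null
        }
    }
}

# Report everything installed that is not explicitly approved.
$audit = @(Get-FeatureAudit -Approved $Approved -CompatOnly $CompatOnly)
$audit | Where-Object { $_.Status -ne 'Approved' } |
    Sort-Object Status, Name |
    Format-Table Status, Name, DisplayName -AutoSize

# Windows Firewall is on by default; flag any profile that has been turned off.
$profiles = @(Get-FirewallProfileState)
if ($profiles.Count -ne 3) {
    Write-Warning 'Could not read all three firewall profiles; check netsh output manually.'
}
foreach ($p in ($profiles | Where-Object { $_.State -ne 'ON' })) {
    Write-Warning ("Windows Firewall is {0} for the {1} profile." -f $p.State, $p.Profile)
}
```

Run the check after each session in the Add Roles Wizard or Add Features Wizard, because the wizard can install additional required roles, role services, or components alongside the ones you select.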