Products: Itanium-based versions of Windows Server 2003

These products do not support most 16-bit applications.

Most 32-bit applications that use 16-bit Microsoft ACME Setup versions 2.6, 3.0, 3.01, and 3.1 and InstallShield versions 5.x install correctly.

No 32-bit applications that are installed by other 16-bit setup programs are supported. If you try to install one of these applications, the message "\Setup.exe is not a valid Win32 application" appears, and the setup program closes without installing or starting the application.

Products: Itanium-based versions of Windows Server 2003

These products do not support 32-bit device drivers. Applications that depend on 32-bit device drivers will not function correctly and might cause an error during installation or operation. Most 32-bit antivirus programs are affected and should not be installed on computers that are running these products.

If Windows does not start after you attempt to install a 32-bit driver, start the computer using the last known good configuration as follows:

To start the computer using the last known good configuration

1. Restart the computer.

2. When the message "Please select the operating system to start" appears, press F8.

3. Press an arrow key to highlight Last Known Good Configuration, and then press ENTER.

4. Press an arrow key to highlight an operating system, press ENTER, and follow the instructions.

   Note

   Completing this procedure provides a way to recover from problems such as a newly added driver that is incorrect for your hardware. It does not solve problems caused by drivers or files that are corrupted or missing. When you start the computer using the last known good configuration, only the information in the registry key HKLM\System\CurrentControlSet is restored. Any changes that you have made in other registry keys remain.

Products: Itanium-based versions of Windows Server 2003

The 64-bit version of Internet Explorer will not load 32-bit Web components from Microsoft, such as the MSN^® Money Ticker, or 32-bit Web components from companies other than Microsoft. To load these components, use the 32-bit version of Internet Explorer.

To open the 32-bit version of Internet Explorer, click Start, click All Programs, and then click Internet Explorer (32-bit).

Products: Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition (32-bit version only)

These products provide in-box support for Speech Application Programming Interface (SAPI) version 5.0 engines and programs. To avoid loss of functionality in Microsoft Agent applications that use SAPI version 4.0 speech input and/or output engines, you must install SAPI version 4.0a run-time support and then reinstall the SAPI version 4.0 speech engines, even if they were working with Microsoft Agent before you upgraded. To install SAPI version 4.0a run-time support, go to the Internet Explorer Components Gallery (http://go.microsoft.com/fwlink/?LinkID=3354).

Products: Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition (32-bit version only); Windows Server 2003, Datacenter Edition (32-bit version only)

You cannot install Exchange Server 2000 on a server that is running a Windows Server 2003 operating system.

For information about installation requirements for Exchange Server 2003 in domains running Windows Server 2003 operating systems, see the Microsoft Exchange Server Web site (http://go.microsoft.com/fwlink/?LinkID=309).

To simplify domain management, you should redirect the default locations for newly created user and computer accounts from the common name to organizational units within the domain. You must redirect these locations if you want to apply Group Policy settings. For details about how to redirect these locations, see article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains" in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=4441).

Products: Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition

To modify the cluster security descriptor on a cluster that is running either of these products, you must use Cluster Administrator on a server that is running one of these products or that is running a product in the Windows 2000 Server family with Service Pack 2 or Service Pack 3. If you try to use a server that is running a product in the Windows 2000 Server family or a product in the Windows 2000 Server family with Service Pack 1, the following message appears when you try to save changes:

"Access to the cluster can be granted/denied only to domain users and groups. Please use the Security tab to remove the local users or groups."

For more information, see article 812875, "You Cannot Administer the Cluster Security Descriptor by Using the Cluster Administration Utility" in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=4441).

Products: Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition

If you upgrade a cluster from Microsoft Windows NT® Server 4.0 to one of the listed products, you cannot, by default, save changes to a cluster security descriptor.

If you are editing a descriptor using Cluster Administrator, the following error message appears when you try to save your changes:

"The SYSTEM account must always have access to the cluster. Please use the Security tab to add the SYSTEM account."

If you are editing a descriptor using the cluster.exe command-line utility, the following message appears when you try to save your changes:

"The SYSTEM account must always have access to the cluster. Please grant access to the SYSTEM account."

To resolve this issue, see article 812876, "Clusters That Are Upgraded from Windows NT 4.0 Do Not Contain the System SID in the Security Descriptor" in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=4441).

Note

To upgrade from Windows NT Server 4.0 to a Windows Server 2003 operating system, Service Pack 5 or Service Pack 6a must be installed first.

To use Network Load Balancing Manager to manage servers through a firewall, you must set up your Distributed Component Object Model (DCOM) to use a specified range of ports and then configure the firewall to allow traffic through those ports as described in the white paper, "Using Distributed COM with Firewalls" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkID=38001). You must also either allow ICMP Echo Requests to pass through the firewall or start Network Load Balancing Manager with the /noping option. (At a command prompt, type nlbmgr.exe /noping.) For more information about using the /noping option, see the topic "Nlbmgr" in Help and Support Center.

If you do not follow these procedures, the error message "The RPC server is unavailable" or "Host unreachable" will appear.

Products: Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition

Because of increased security measures, the World Wide Web Publishing Service (WWW service) is not enabled by default in these products after you upgrade from the Windows 2000 Server family with IIS 5.0 unless you have completed one of these steps described for IIS 6.0 in read1st.htm (on the operating system DVD) before upgrading. If you did not complete the steps described, you can enable and start the WWW service by using the Services snap-in:

To enable and start the WWW service by using the Services snap-in

1. Click Start, point to Administrative Tools, and then click Services.

2. In the list of services, right-click World Wide Web Publishing Service, and then click Properties.

3. On the General tab, in the Startup type list, click Automatic, and then click OK.

4. In the list of services, right-click World Wide Web Publishing Service, and then click Start.

Ensure that all unnecessary IIS features have been removed or disabled and that the enabled features are configured with the highest security settings that your organization can support.

For more information, see the topics "What’s Changed" and "Security Best Practices" in IIS 6.0 Help.

Products: Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition (32-bit version only); Windows Server 2003, Datacenter Edition (32-bit version only)

You cannot run SQLXML (XML support for Microsoft SQL Server 2000 databases) and Universal Description, Discovery, and Integration (UDDI) Services on the same computer because SQLXML requires Internet Information Services (IIS) 5.0 isolation mode and UDDI Services requires IIS 6.0 worker process isolation mode.

Do not install SQLXML and UDDI Services on the same computer.

The Windows Server 2003 operating systems do not support Active Server Pages that use the mail object Collaboration Data Objects for Windows NT Server (CDONTS.dll) if you perform a new installation. The Windows Server 2003 operating systems include Collaborative Data Objects for Windows 2000 (CDOSYS.dll), which replaces CDONTS.dll.

• If you upgrade to a Windows Server 2003 operating system, Active Server Pages will use the existing CDONTS.dll file.
  
  
• If you perform a new installation of a Windows Server 2003 operating system, you must copy CDONTS.dll from another computer to %windir%\system32 on the computer on which you performed the new installation.
  
  

Microsoft recommends that you upgrade your Active Server Pages to use the new object.

If you have configured a computer that is running a Windows Server 2003 operating system as a mail server, you should not stop and restart the Simple Mail Transfer Protocol (SMTP) virtual server that is specific to the server that is running the POP3 service from IIS Manager in the Microsoft Management Console. Instead, you should stop and restart the SMTP service, either by using Services Manager or by using command-line tools.

If you stop and restart the SMTP virtual server rather than the SMTP service, all e-mail from the Internet will generate and send a Non-Delivery Report (NDR), and all internal e-mail will be sent to the SMTP Badmail folder. The SMTP and POP3 services will appear to run correctly, and no error message will appear. To restore functionality, you must stop and restart the Internet Information Services (IIS) service as described in IIS 6.0 Help.

The default settings in Internet Explorer are more restrictive in the Windows Server 2003 operating systems than in earlier versions of Windows. When you upgrade, any settings that do not match the new default settings will be overwritten. These changes decrease the exposure of your servers to attacks that are launched through Web content. However, users will not be able to view many Web pages correctly when using the default security settings. For users to see these Web pages correctly, you must explicitly grant access. In addition, users will not be able to run executable files from Universal Naming Convention (UNC) shared folders until you have added the shared computer to the Local intranet security zone in Internet Explorer.

For more information about security settings in Internet Explorer, see the online Help for Internet Explorer Enhanced Security Configuration on a computer that is running a Windows Server 2003 operating system:

To view Help information about Internet Explorer Enhanced Security Configuration

1. Open Internet Explorer.

2. Click Help.

3. Click Enhanced Security Configuration.

Online Help includes instructions for changing the security settings in Internet Explorer. To change these settings, you must log on as a member of the Administrators group on the computer for which you want to change settings.

Because of changes to default security settings in Internet Explorer, users might not be able to download updates from the Web to their computers. To download updates from the Microsoft Download Center, from the Web sites listed in Microsoft security bulletins, or from other download sites, users might need to add these sites to the Trusted Sites zone in Internet Explorer. If a Group Policy setting prevents users from adding sites to the Trusted Sites zone, administrators might need to configure another Group Policy setting to add the required sites.

For more information, see online Help for Internet Explorer Enhanced Security Configuration as described in the previous note.

Windows XP Professional x64 Edition and x64-based versions of Windows Server 2003 operating systems do not support most 16-bit applications.

Most 32-bit applications that use 16-bit Microsoft ACME Setup versions 2.6, 3.0, 3.01, and 3.1 and InstallShield versions 5.x install correctly.

32-bit applications that are installed by other 16-bit setup programs are not supported. If you try to install one of these applications (other than the supported installers mentioned in the previous paragraph), the message "\Setup.exe is not a valid Win32 application" appears, a message is logged in the system event log, and the Setup program closes without installing or starting the application. If this occurs, contact the application vendor to obtain a software update that is compatible with x64-based versions of Windows Server 2003 operating systems and Windows XP Professional x64 Edition.

For more information about this issue, see the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=4441).

Windows XP Professional x64 Edition and x64-based versions of Windows Server 2003 operating systems do not support 32-bit device drivers. Applications that depend on 32-bit device drivers will not function correctly and might cause an error during an installation or operation. Most 32-bit antivirus programs are affected and should not be installed on computers that are running these operating systems.

If an application attempts to install a 32-bit driver, the installation will fail, and the application will have the opportunity to handle the error. If an application registers a driver for automatic startup, meaning the driver should be installed when the system starts, the operating system will determine that the driver is an unsupported 32-bit driver, not install it, and continue installing the other drivers. The event log will record details of the failure, including the name of the unsupported driver and its location. If this occurs, contact the driver vendor for a software update that is compatible with Windows XP Professional x64 Edition and the x64-based versions of Windows Server 2003 operating systems.

If Windows does not start after you attempt to install a 32-bit driver, start the computer using the last-known good configuration.

To start the computer using the last-known good configuration

1. Restart the computer.

2. When the message "Please select the operating system to start" appears, press F8.

3. Press an arrow key to highlight Last Known Good Configuration, and then press ENTER.

4. Press an arrow key to highlight an operating system, press ENTER, and follow the instructions.

   Note

   This procedure gives you a way to recover from problems such as adding a new driver that is incorrect for your hardware. It does not, however, solve problems caused by drivers or files that are corrupted or missing. When you start the computer using the last-known good configuration, only the information in the registry key HKLM\System\CurrentControlSet is restored. Any changes that you have made in other registry keys remain.

For more information see the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=4441).

The Microsoft .NET Framework is included in all 32-bit versions of the Windows Server 2003 operating systems. It is not included in x64-based versions of Windows Server 2003 operating systems or Windows XP Professional x64 Edition.

The 32-bit version of .NET Framework 1.1 is supported by 64-bit versions of Windows Server 2003 operating systems and can be installed for 32-bit applications running on 64-bit versions of Windows operating systems (WOW64).

• To install .NET Framework 1.1, visit the Windows Update Web site (http://go.microsoft.com/fwlink/?LinkID=22377), or see "Microsoft .NET Framework Version 1.1 Redistributable Package" at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkID=38723).
  
  
• To install .NET Framework version 1.1 Service Pack 1 (SP1), see "Microsoft .NET Framework 1.1 Service Pack 1," at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkID=38723).
  
  

With an Input Method Editor (IME) program, you can use a standard keyboard to type complex characters and symbols, such as Japanese characters. The following two types of IMEs are currently available:

• 32-bit only IME: An IME that provides 32-bit IME capabilities but does not provide 64-bit IME capabilities.
  
  
• Combined 32-bit and 64-bit IME: An IME that provides both 32-bit and 64-bit IME capabilities.
  
  

You cannot type international characters using a 32-bit IME in a 64-bit application on 64-bit versions of Windows operating systems.

For example, if you select a 32-bit-only IME as your default keyboard layout, and you open a 64-bit application (such as Notepad or WordPad), the 32-bit IME will fail to install. This will prevent you from typing international characters in that application until you manually switch to one of the combined 32-bit and 64-bit IMEs provided with the 64-bit versions of your Windows operating system. Therefore, we recommend that you use a combined 32-bit and 64-bit IME on 64-bit versions of Windows.

To set a combined 32-bit and 64-bit IME keyboard layout

1. Open Control Panel, and then click Regional and Language Options.

2. On the Languages tab, click Details.

3. In the Text Services and Input Languages dialog box, click Add.

4. In the Add Input Language dialog box, select the Keyboard layout/IME check box.

5. In the drop-down box, select a combined 32-bit and 64-bit IME (one of the IMEs included in Windows), and then click OK.

If you have a combined 32-bit and 64-bit IME as your default keyboard layout, you can use it on both 32-bit and 64-bit applications. When you want to use 32-bit IME on 32-bit applications, you can manually switch to 32-bit IME by using the keyboard shortcut, CTRL+SHIFT, or by choosing from the language bar on your desktop.

32-bit-only IMEs do not work with the Log On to Windows dialog box because it is a 64-bit user interface. If you have chosen a 32-bit IME as the default keyboard layout for the default user profile, you cannot use the IME in the Log On to Windows dialog box to type international characters until you manually switch to a combined 32-bit and 64-bit IME by using the keyboard shortcut, ALT+SHIFT.

The following table lists the combined 32-bit and 64-bit IMEs that are installed by default and their corresponding languages.

Combined 32-bit and 64-bit IMEs installed by default	Language
Microsoft IME Standard 2002 version 8.1	Japanese
Microsoft Natural Input 2002 version8.1	Japanese
Korean Input System (IME 2002)	Korean
Microsoft Pinyin IME version 3.0	Simplified Chinese
Microsoft New Phonetic IME 2002a	Traditional Chinese
Chinese (Simplified) - NeiMa	Simplified Chinese
Chinese (Simplified) - QuanPin	Simplified Chinese
Chinese (Simplified) - ShuangPin	Simplified Chinese
Chinese (Simplified) - ZengMa	Simplified Chinese
Chinese (Traditional) - Alphanumeric	Traditional Chinese
Chinese (Traditional) - Array	Traditional Chinese
Chinese (Traditional) - Big5 Code	Traditional Chinese
Chinese (Traditional) - ChangJie	Traditional Chinese
Chinese (Traditional) - DaYi	Traditional Chinese
Chinese (Traditional) - Phonetic	Traditional Chinese
Chinese (Traditional) - Quick	Traditional Chinese
Chinese (Traditional) - Unicode	Traditional Chinese

For more information about this issue, see article 892075, "Characters for some languages do not work correctly when you type them in a 64-bit program on a computer that is running a 64-bit version of Windows Server 2003," in the Microsoft Knowledge Base.

After installation, you will see "Service Pack 2" listed on the General tab of System Properties. There is not a Service Pack 1 (SP1) for this operating system. Instead, SP2 is the first service pack that is available for 64-bit versions of Windows Server 2003 or Windows XP. This is because the features and functionality that are in Service Pack 1 (for the 32-bit and Itanium-based versions of Windows Server 2003) were included in the first release of 64-bit versions of Windows operating systems.

Note

To open System Properties, right-click My Computer, and click Properties.

This note pertains to the following operating systems:

• Windows Server 2003, Standard x64 Edition
  
  
• Windows Server 2003, Enterprise x64 Edition
  
  
• Windows Server 2003, Datacenter x64 Edition
  
  

The x64-based versions of the Windows Server 2003 operating systems introduce enhanced default security settings for the DCOM protocol. Specifically, these changes introduce more precise rights that allow an administrator independent control over local and remote permissions for launching, activating, and accessing Component Object Model (COM) servers.

Windows Server 2003 Certificate Services provides enrollment and administration services that use the DCOM protocol. Certificate Services provides several DCOM interfaces that you can use to enable these services. For proper access and usage of these services, Certificate Services assumes that its DCOM interfaces are set to allow remote activation and access permissions. However, due to the enhanced default security settings for DCOM introduced in these products, you might need to update these settings to ensure that the services are available. The following information explains how to do so.

The operating system applies the following DCOM security settings:

• The DCOM Computer Restriction Settings are set so that the Everyone security group is allowed local and remote access, local launch, and local activation permissions.
  
  
• The CertSrv Request DCOM interface is set so that the Everyone security group is allowed local and remote access, local launch, and local activation permissions.
  
  

Important

Any changes made to the CertSrv Request DCOM interface security settings prior to this installation will be lost. The installation procedure resets all prior security settings on the CertSrv Request DCOM interface and replaces them with the settings listed and described in this section.

During the installation process, Certificate Services automatically updates the DCOM security settings as follows:

CertSrv Request DCOM interface

The Everyone security group is granted local and remote-access permissions.

• The Everyone security group is granted local and remote-activation permissions.
  
  
• The Everyone security group is not granted local or remote-launch permissions.
  
  

DCOM Computer restriction settings

A new security group, CERTSVC_DCOM_ACCESS, is created.

• If the certification authority is installed on a member server, CERTSVC_DCOM_ACCESS is a machine local group, and the Everyone security group is added to it.
  
  
• If the certification authority is installed on a domain controller, CERTSVC_DCOM_ACCESS is a domain local group. The Domain Users and Domain Computers security groups from the certification authority’s domain are added to it.
  
  
• The CERTSVC_DCOM_ACCESS security group is allowed local and remote-access permissions.
  
  
• The CERTSVC_DCOM_ACCESS security group is allowed local and remote-activation permissions.
  
  
• The CERTSVC_DCOM_ACCESS security group is not allowed local or remote-launch permissions.
  
  

If the certification authority is installed on a domain controller, and the enterprise consists of more than one domain, Certificate Services cannot automatically update the DCOM security settings for enrollees from outside of the certification authority’s domain, and they will be denied enroll access to the certification authority. To remedy this, you must manually add them to the CERTSVC_DCOM_ACCESS security group. Because the CERTSVC_DCOM_ACCESS security group is a domain local group, only domain groups can be added to it. For example, if users and computers from a domain called OtherDomain need to enroll with the certification authority, you must manually add the OtherDomain\Domain Users and OtherDomain\Domain Computers groups to the CERTSVC_DCOM_ACCESS security group.

If, after this installation, any enrollees that should be authorized by the certification authority are being denied, you can have Certificate Services update the DCOM security settings again by running the following commands at a command prompt:

certutil –setreg SetupStatus –SETUP_DCOM_SECURITY_UPDATED_FLAG

net stop certsvc

net start certsvc

DCOM_SECURITY_UPDATED_FLAG is an internal Certificate Services registry flag that indicates that the DCOM security settings were updated completely and successfully. Certificate Services checks this flag each time it is started. The commands just listed reset the flag, and then stop and start Certificate Services. This causes Certificate Services to update the DCOM security settings again.

You cannot use some National Semiconductor Corporation (NSC) Infrared Data Association (IrDA) devices to transfer data. Affected devices include NSC IrDA devices with Plug and Play ID 6001. For these devices, the default IrDA infrared transceiver selected for the NSC IrDA device might not match the actual hardware. This causes data transfers to fail.

You might be able to work around this problem by using Device Manager to choose an alternate transceiver value. However, this approach does not guarantee that the device will work.

To assign an alternate transceiver value

1. Click Start, click Run, and then type: devmgmt.msc.

2. Under Infrared Devices, right-click the NSC IrDA device, and then click Properties.

3. Click the Details tab, and then, in the property pull-down menu, select Hardware Ids.

4. If "NSC6001" appears in Value, this issue applies to you, so you should proceed with the remaining steps.

5. Click the Advanced tab.

6. In Property, select Infrared Transceiver A, in Value, select the value you want, and then click OK.

7. Attempt to use the infrared device. If the device does not work, repeat this procedure and select a different transceiver value at Step 6.

If this procedure does not resolve your problem, contact your OEM to obtain an updated basic input/output system (BIOS) for your computer.

This information applies to:

• Windows Server 2003, Standard x64 Edition
  
  
• Windows Server 2003, Enterprise x64 Edition
  
  
• Windows Server 2003, Datacenter x64 Edition
  
  

The Windows Server 2003 Administration Tools Pack installs server management tools on client computers and servers for remote administration. The Windows Server 2003 Help documentation incorrectly refers to the Administration Tools Pack installer file as Adminpak.msi. The actual file name is Wadminpak.msi.