Windows 7 / Windows Server 2008 R2: Distributed Scan Management

Published Mar 16 2019 02:55 AM
First published on TECHNET on Oct 11, 2009

Happy Sunday, everyone!  Welcome to Day Eleven of our Windows 7 & Windows Server 2008 R2 Launch Series.  Today, we’re going to wrap up our look at Printing and Document Services with an overview of Distributed Scan Management (DSM).  As more scanner devices become network enabled, and automated document workflow processes become more common, administrators need a way to manage these devices on their network.  In previous versions of Windows, we did not offer any solutions to manage network scanners, so administrators were forced to use a mish-mash of applications from different hardware vendors to manage them.  In addition, the scanners were not really part of the document workflow process – the administrators would have to start a separate process for document workflows after they acquired the image from the scanner.

In Windows Server 2008 R2, there is a new centralized management interface for network scanners.  It also provides a way to start document workflow processes – in turn ensuring that scanners are an integral part of the document lifecycle.  Integration with Active Directory provides administrators with more control and monitoring capability within the organization.  So without further ado, let’s dive right in …

When you install the Distributed Scan Server role service, it installs the Scan Management Console and the Distributed Scan Server service.  The diagram below outlines the basic relationship between DSM components and process flow:

The Scan Management Console is used to detect and monitor network scanners, and to create and manage post-scan processes (PSPs) in Active Directory.  PSPs contain scanner settings and instructions on how to route or store scanned documents.  The Scan Management Console can also monitor scan activity logs for scan servers in the enterprise.  Users can authenticate at a network scanner via a smart card or other Active Directory-enabled means.  The scanner presents the user with the set of PSPs that have been defined for them or for groups to which they belong.  The user picks the appropriate PSP based on the scanner settings and the document routing / storage they desire.  The scanner scans the document using the PSP’s settings and presents the workflow specifications and the scanned document to the scan server for processing.  The scan server carries out the processing specified in the PSP – routing the electronic version of the scanned document to any or all of the following:

  • SharePoint site

  • Network File Share

  • A user or group, as an email sent via an SMTP server

There are some requirements to be aware of when selecting scanners.  In order to be detected and managed by the Scan Management Console, the scanners must support Web Services for Devices (WSD).  In order to use the PSPs that have been defined and stored in Active Directory, the scanners must also be classified as “Enterprise WSD Scanners”.  If you’re not familiar with WSD, Web Services for Devices allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol.  WSD-based devices and clients communicate over the network using a series of SOAP (Simple Object Access Protocol) messages over UDP and HTTP(S).  WSD provides a network plug-and-play experience that is similar to installing a USB device.  Web Services for Devices also defines a security profile that may be extended to provide additional protection and authentication using device-based certificates.

There are some requirements to be aware of when installing Distributed Scan Server on a Windows Server 2008 R2 system:

  • The server must be a member of an Active Directory domain

  • The Windows Server 2008 R2 schema extension must be applied to the AD schema for the forest

  • The server must have sufficient disk space to store scanned documents prior to processing

  • The scan server machine must have an authentication certificate

The authentication certificate is used for two things – for secure connections to devices using SSL and for secure connections to clients connecting to the server from the Scan Management Console on another machine.  The certificate can be issued from an internal certificate authority, a public certificate authority or it can be a self-signed certificate.

When DSM is installed on the Scan Server, a new local security group, Scan Operators, is created.  Members of this group will be able to monitor scanners and scan servers, and to create, modify, delete, and view PSPs.  By default, only the local Administrator account belongs to this group.  Domain Administrators and other accounts with Local Administrator privileges already have sufficient permissions to manage scanning objects without being explicitly added to this group.  In addition to this group, a new domain account will need to be created in AD for the Distributed Scan Server service to run under on all Scan Servers.  This account requires Read access to all of the individual PSPs and the parent container in AD.  It also requires Read access to the temporary folder on each Scan Server where documents will be held until they are processed.

OK – let’s walk through the installation sequence for a Distributed Scan Server:

  1. Create the Distributed Scan Server service account in AD

  2. Run the Add Roles Wizard – the Distributed Scan Server Role Service is under Print and Document Services

  3. Specify the Domain Account you created in Step 1

  4. Specify the Temporary Folder Settings – this must be a local folder, you cannot use a UNC path or a drive letter mapped to a UNC path.  If you do, you will get an error.  The default value of the size limit for the per-user temporary folder is 100MB.  If you plan to increase this, consider the number of users that will be scanning documents, the type of documents being scanned (CAD files may be very large), the density (DPI) of the documents, the amount of available disk space and the throughput capability of the post-scan document processes

  5. (Optional) Specify the name or IP Address of an SMTP server.  In order for the Distributed Scan Server service to send emails using the specified SMTP server, SMTP must either be configured to allow anonymous connections or to explicitly allow the service account to send and / or relay messages

  6. Specify the Authentication Certificate that will be used to encrypt SSL traffic
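
A pre-flight check for the server requirements and wizard inputs listed above, written as an added PowerShell example; it is not part of the original post or of any Microsoft tooling. The parameter names, the sample folder and user count, the LocalMachine\My certificate store and the Server Authentication EKU filter are assumptions made for illustration.

```powershell
# Pre-flight check for a planned Distributed Scan Server (added example).
# Assumed, not from the post: parameter names, sample values, the
# LocalMachine\My store, and the Server Authentication EKU filter.
param(
    [string]$TempFolder     = 'D:\ScanTemp',  # hypothetical local folder
    [int]   $ExpectedUsers  = 50,             # hypothetical number of scanning users
    [int]   $PerUserLimitMB = 100             # default per-user limit named in the post
)
$results = @()
function Add-Result($Check, $Ok, $Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}
# 1. The server must be a member of an Active Directory domain.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Add-Result 'Domain member' $cs.PartOfDomain $cs.Domain

# 2. The temporary folder must be local: no UNC path, no drive mapped to one.
$disk = $null
$root = [System.IO.Path]::GetPathRoot($TempFolder)
if ($root -match '^[A-Za-z]:\\$') {
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter ("DeviceID='{0}'" -f $root.Substring(0, 2))
}
$isLocal = ($disk -ne $null) -and ($disk.DriveType -eq 3)   # 3 = local disk, 4 = network drive
Add-Result 'Temp folder on local disk' $isLocal $TempFolder

# 3. Enough disk space to hold scanned documents prior to processing.
$neededMB = $ExpectedUsers * $PerUserLimitMB
$freeMB = 0
if ($disk) { $freeMB = [math]::Floor($disk.FreeSpace / 1MB) }
Add-Result 'Free space for temp folders' ($freeMB -ge $neededMB) "$freeMB MB free, $neededMB MB planned"

# 4. Authentication certificate: private key present, not expired, EKU includes
#    Server Authentication (certificates with no EKU extension are not counted).
$serverAuth = '1.3.6.1.5.5.7.3.1'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    $ekus = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $cert.HasPrivateKey -and ($cert.NotAfter -gt (Get-Date)) -and ($ekus -contains $serverAuth)
})
Add-Result 'Usable machine certificate' ($certs.Count -gt 0) "$($certs.Count) candidate(s)"
foreach ($cert in $certs) {
    $kind = 'CA-issued'
    if ($cert.Subject -eq $cert.Issuer) { $kind = 'self-signed' }
    Add-Result "  $($cert.Thumbprint)" $true "$kind, expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
}
$results | Select-Object Check, Ok, Detail | Format-Table -AutoSize
```

Save it as a `.ps1` file and run it on the intended scan server; mapped drives are visible only to the session that mapped them, so run it under the account that will supply the folder path to the wizard.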

On Windows 7 client systems, you can add the Scan Management Console (SMC) so that scanners, servers and PSPs can be managed from a client machine.  The Scan Management feature is under Printing and Document Services as shown below.  The SMC is not available on previous versions of Windows.  Scanners, scan servers and post-scan processes can only be managed from Windows 7 or Windows Server 2008 R2 (or later).

OK – I think that will just about do it for this post.  We’ve also reached the end of our Printing posts for this Launch Series.  Tomorrow, Dane Smart will kick off our look at Remote Desktop Services with an overview of What’s New in RDS.  See you tomorrow!

- CC Hameed
