Windows 7 / Windows Server 2008 R2: Distributed Scan Management


Happy Sunday, everyone!  Welcome to Day Eleven of our Windows 7 & Windows Server 2008 R2 Launch Series.  Today, we’re going to wrap up our look at Printing and Document Services with an overview of Distributed Scan Management (DSM).  As more scanner devices become network enabled, and automated document workflow processes become more common, administrators need a way to manage these devices on their network.  In previous versions of Windows, we did not offer any solutions to manage network scanners, so administrators were forced to use a mish-mash of applications from different hardware vendors to manage the network scanners.  In addition, the scanners were not really part of the document workflow process – the administrators would have to start a separate process for document workflows after they acquired the image from the scanner.

In Windows Server 2008 R2, there is a new centralized management interface for network scanners.  It also provides a way to start document workflow processes – in turn ensuring that scanners are an integral part of the document lifecycle.  Integration with Active Directory provides administrators with more control and monitoring capability within the organization.  So without further ado, let’s dive right in …

When you install the Distributed Scan Server role service, it installs the Scan Management Console and the Distributed Scan Server service.  The diagram below outlines the basic relationship between DSM components and process flow:

[Diagram: basic relationship between DSM components and process flow]

The Scan Management Console is used to detect and monitor network scanners, and create and manage post-scan processes (PSP) in Active Directory.  PSP’s contain scanner settings and instructions on how to route or store scanned documents.  The Scan Management Console can also monitor scan activity logs for scan servers in the enterprise.  Users can authenticate at a network scanner via a smart card or other Active Directory-enabled means.  The scanner presents the user with a set of PSP’s that have been defined for them or for groups to which they belong.  The user picks the appropriate PSP based on the scanner settings and the document routing / storage they desire.  The scanner scans the document using the PSP’s settings and presents the workflow specifications and the scanned document to the scan server for processing.  The scan server carries out the processing specified in the PSP – routing the electronic version of the scanned document to any or all of the following:

  • SharePoint site
  • Network File Share
  • As an email to user or group via an SMTP server

There are some requirements to be aware of when selecting scanners.  In order for them to be detected and managed by the Scan Management Console, the scanners must support Web Services for Devices.  In order to use the PSP’s that have been defined and stored in Active Directory, the scanners must also be classified as “Enterprise WSD Scanners”.  If you’re not familiar with WSD, Web Services for Devices allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol.  WSD-based devices and clients communicate over the network using a series of SOAP (Simple Object Access Protocol) messages over UDP and HTTP(S).  WSD provides a network plug-and-play experience that is similar to installing a USB device.  Web Services for Devices also defines a security profile that may be extended to provide additional protection and authentication using device-based certificates.
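As an added illustration (not code from the original post), the sketch below parses the kind of SOAP ProbeMatches reply a WSD device sends during discovery and reports whether each device advertises an HTTPS transport address, the channel that certificate-based protection applies to. The sample message, the `ex:` device types and the addresses are constructed; only the SOAP 1.2, WS-Addressing and WS-Discovery namespaces are real.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"s": "http://www.w3.org/2003/05/soap-envelope",
      "a": "http://schemas.xmlsoap.org/ws/2004/08/addressing",
      "d": "http://schemas.xmlsoap.org/ws/2005/04/discovery"}

# Constructed ProbeMatches reply (sample data, not captured from a real device).
SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:d="http://schemas.xmlsoap.org/ws/2005/04/discovery"
    xmlns:ex="urn:example:scan">
 <s:Header><a:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/ProbeMatches</a:Action></s:Header>
 <s:Body><d:ProbeMatches>
  <d:ProbeMatch>
   <a:EndpointReference><a:Address>urn:uuid:00000000-0000-0000-0000-000000000001</a:Address></a:EndpointReference>
   <d:Types>ex:ScannerA</d:Types>
   <d:XAddrs>https://192.0.2.10:5358/dev http://192.0.2.10:5357/dev</d:XAddrs>
  </d:ProbeMatch>
  <d:ProbeMatch>
   <a:EndpointReference><a:Address>urn:uuid:00000000-0000-0000-0000-000000000002</a:Address></a:EndpointReference>
   <d:Types>ex:ScannerB</d:Types>
   <d:XAddrs>http://192.0.2.11:5357/dev</d:XAddrs>
  </d:ProbeMatch>
 </d:ProbeMatches></s:Body>
</s:Envelope>"""

def parse_probe_matches(xml_text):
    """Return one dict per device: endpoint id, advertised types, XAddrs, TLS status."""
    # The input here is a constructed string. Messages received off the network are
    # untrusted and should go through a hardened XML parser (for example defusedxml).
    root = ET.fromstring(xml_text)
    action = root.findtext("s:Header/a:Action", default="", namespaces=NS).strip()
    if not action.endswith("/ProbeMatches"):
        raise ValueError("not a WS-Discovery ProbeMatches message")
    devices = []
    for m in root.iterfind("s:Body/d:ProbeMatches/d:ProbeMatch", NS):
        xaddrs = m.findtext("d:XAddrs", default="", namespaces=NS).split()
        schemes = {urlparse(x).scheme.lower() for x in xaddrs}
        # https-only: TLS is the only offered transport; mixed: plain HTTP also offered.
        tls = ("https-only" if schemes == {"https"}
               else "mixed" if "https" in schemes else "no-https")
        devices.append({
            "endpoint": m.findtext("a:EndpointReference/a:Address", default="", namespaces=NS).strip(),
            "types": m.findtext("d:Types", default="", namespaces=NS).split(),
            "xaddrs": xaddrs, "tls": tls})
    return devices
```

Devices reported as `no-https` or `mixed` are the ones to review before they are allowed to hand scanned documents to a scan server.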

There are some requirements to be aware of when installing Distributed Scan Server on a Windows Server 2008 R2 system:

  • The server must be a member of an Active Directory domain
  • The Windows Server 2008 R2 schema extension must be applied to the AD schema for the forest
  • The server must have sufficient disk space to store scanned documents prior to processing
  • The scan server machine must have an authentication certificate

The authentication certificate is used for two things – for secure connections to devices using SSL and for secure connections to clients connecting to the server from the Scan Management Console on another machine.  The certificate can be issued from an internal certificate authority, a public certificate authority or it can be a self-signed certificate.

When DSM is installed on the Scan Server, a new local security group, Scan Operators, is created.  Members of this group will be able to monitor scanners and scan servers, as well as having the ability to create, modify, delete, and view PSP’s.  By default, only the local Administrator account belongs to this group.  Domain Administrators and other accounts with Local Administrator privileges already have sufficient permissions to manage scanning objects without being explicitly added to this group.  In addition to this group, a new domain account will need to be created in AD for the Distributed Scan Server service to run under on all Scan Servers.  This account requires Read access to all of the individual PSP’s and the parent container in AD.  It also requires Read access to the temporary folder on each Scan Server where documents will be held until they are processed.

OK – let’s walk through the installation sequence for a Distributed Scan Server:

  1. Create the Distributed Scan Server service account in AD
  2. Run the Add Roles Wizard – the Distributed Scan Server Role Service is under Print and Document Services
  3. Specify the Domain Account you created in Step 1
  4. Specify the Temporary Folder Settings – this must be a local folder, you cannot use a UNC path or a drive letter mapped to a UNC path.  If you do, you will get an error.  The default value of the size limit for the per-user temporary folder is 100MB.  If you plan to increase this, consider the number of users that will be scanning documents, the type of documents being scanned (CAD files may be very large), the density (DPI) of the documents, the amount of available disk space and the throughput capability of the post-scan document processes
  5. (Optional) Specify the name or IP Address of an SMTP server.  In order for the Distributed Scan Server service to send emails using the specified SMTP server, SMTP must either be configured to allow anonymous connections or to explicitly allow the service account to send and / or relay messages
  6. Specify the Authentication Certificate that will be used to encrypt SSL traffic

On Windows 7 client systems, you can add the Scan Management Console (SMC) so that scanners, servers and PSP’s can be managed from a client machine.  The Scan Management feature is under Printing and Document Services as shown below.  The SMC is not available on previous versions of Windows.  Scanners, scan servers and post-scan processes can only be managed from Windows 7 or Windows Server 2008 R2 (or later).

[Screenshot: the Scan Management feature under Printing and Document Services]

OK – I think that will just about do it for this post.  We’ve also reached the end of our Printing posts for this Launch Series.  Tomorrow, Dane Smart will kick off our look at Remote Desktop Services with an overview of What’s New in RDS.  See you tomorrow!

- CC Hameed


  • This post has me doing some research.  I loaded a 2008R2 server and added the role to get this up and running but I seem to be having several issues.  One of the issues I am having is finding out what is an "Enterprise WSD Scanners".  We have a lot of devices but I cannot find out if any of our scanners are compatible.  I also seem to be having Certificate issues on the server even though I chose not to use one in the setup.  I did originally use the server Cert that was recommended.

  • @Donald - take a look at this document on TechNet for more information on scanner requirements: http://technet.microsoft.com/en-us/library/dd871131.aspx

    - CC

  • Thanks that document gave me a little more information but I was hoping to get a list of devices that qualify.  I have been reading a lot of the msdn site documents and the technet documents but I had not got to the one you listed.

  • @Donald - One way to find a list of such devices is to search the Windows Catalog:

    http://www.windowsservercatalog.com/

    I think most of the devices that are classified as Enterprise WSD Scanners are relatively new. It is possible that unless your device is quite new that it does not support it. If you go to the manufacturer's website and look up the device and it does not explicitly say that it is an Enterprise WSD Scanner, then it most likely is not. There is no logo program for this that I know of.

    As to the certificate issue, there are 2 kinds of certificates that can be in use with Distributed Scan Management - machine certificates and user certificates. Generally, machine certificates are used for the Distributed Scan Mgmt server to communicate with a WSD device that is using https. The user certificate is used when a user needs to connect to a device to view or manage it, or to connect to another Scan Server. The user certificate is not turned off when DSM is installed even if you say "no" to using a certificate. To take the user certificate out of the picture to make sure it is not causing problems, I recommend running the Scan Server Configuration Wizard and choosing to turn it off there. The wizard can be launched from the Print and Document Services node in the Server Manager console. Look under Advanced Tools on the details pane.

    - CC (thanks to Jim Martin for the additional info)

  • Hmmm, I have spent a good amount of time searching, and it doesn't appear to me that any of these Enterprise WSD Scanners actually exist out there.  Does anyone have any recommendations for such a product?