When a new AD RMS cluster is provisioned, a method for protecting the AD RMS cluster key is chosen. If you chose the default option of AD RMS centrally managed cluster key protection, you specified a strong password that is used to encrypt the cluster key in the configuration database. The AD RMS cluster key is used to sign the certificates and licenses granted by the cluster. Both the cluster key and the password are established during the initial configuration of the AD RMS server role.

If you are running AD RMS in a clustered environment and you decide to reset the cluster key password, the reset must be completed on every AD RMS server in the cluster. If it is not, the servers that were skipped will not be able to function, because they will be unable to decrypt the cluster key stored in the configuration database.


This procedure applies only if you are using AD RMS to centrally manage the cluster key. If you are using either a hardware-based or software-based cryptographic service provider (CSP), consult the documentation of the CSP manufacturer.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To reset the cluster key password
  1. Log on to a server in the AD RMS cluster.

  2. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  3. In the console tree, expand Security Policies, and then click Change cluster key password.

  4. In the Cluster Key Password wizard, type the new password for the cluster key in the Password box.

  5. In the Confirm Password box, type the new password again.

  6. Click Apply to complete the password reset.

  7. Repeat steps 1–6 for each server in the AD RMS cluster.
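The following script is an added example and is not part of the original article or of the AD RMS product; it is a post-reset check a practitioner can run after completing steps 1 through 6 on every node. A node that can no longer decrypt the cluster key cannot sign certificates or licenses, which typically surfaces as a server error from its web pipeline instead of the normal service page. The node names are constructed placeholders, the pipeline path assumes the default _wmcs virtual directory, and the account running the script is assumed to have access to the certification pipeline.

```powershell
# Added example, not code from the original article: verify that every
# AD RMS node still answers after the cluster key password reset.
#
# Assumptions (not taken from the article):
#   - $Nodes are constructed placeholder host names for the cluster members.
#   - The certification pipeline lives under the default "_wmcs" path.
#   - The running account has access to the pipeline over HTTPS.

$Nodes        = @('adrms01.corp.example', 'adrms02.corp.example')   # constructed placeholders
$PipelinePath = '/_wmcs/certification/certification.asmx'          # assumed default path

function Test-AdRmsNode {
    <#
      Requests the certification pipeline directly from one node.
      Returns an object with the HTTP status and a Healthy flag; any
      non-200 response or connection failure marks the node unhealthy.
    #>
    param([Parameter(Mandatory)][string]$Node)

    $uri = "https://$Node$PipelinePath"
    try {
        $response = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{
            Node    = $Node
            Status  = $response.StatusCode
            Healthy = ($response.StatusCode -eq 200)
            Error   = $null
        }
    }
    catch {
        # Invoke-WebRequest throws on 4xx/5xx; capture the code when one exists.
        $code = $null
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{
            Node    = $Node
            Status  = $code
            Healthy = $false
            Error   = $_.Exception.Message
        }
    }
}

$results = $Nodes | ForEach-Object { Test-AdRmsNode -Node $_ }
$results | Format-Table Node, Status, Healthy, Error -AutoSize

$unhealthy = @($results | Where-Object { -not $_.Healthy })
if ($unhealthy.Count -gt 0) {
    Write-Warning ("{0} node(s) did not answer normally; repeat the cluster key password reset on: {1}" -f
        $unhealthy.Count, ($unhealthy.Node -join ', '))
}
```

A 200 response only shows that the node's AD RMS web pipeline is up and able to start; it does not exercise license issuance. Treat a server error or a connection failure on a node as a signal that the reset was not applied there, and run steps 1 through 6 on that node again.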
