Server services in AD RMS allow AD RMS-enabled server applications to request rights account certificates (RACs) on behalf of other users. An example of an AD RMS-enabled server application is Microsoft Exchange Server 2007. There are a few things that you should be aware of when configuring server services:

  • Discretionary Access Control Lists (DACLs) on the AD RMS pipelines use the most secure settings by default. You must modify the DACL when using AD RMS server services.

  • If the AD RMS client is installed on a Windows Server 2003-based, Windows Server 2008, or Windows Server 2008 R2-based server and Internet Explorer Enhanced Security Configuration is enabled, you must add the AD RMS cluster URL to the Local Intranet security zone in Internet Explorer.

  • Many server services use advanced Active Directory Domain Services (AD DS) functionality that is only available if all AD DS domain controllers are running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. If you are using any server services, we recommend that all domain controllers are running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2, and that both the domain and forest AD DS functional levels are at least Windows Server 2003.

In a default AD RMS installation, the DACL of the AD RMS server certification pipeline is restricted, which means that an application cannot obtain certificates and licenses for its users. However, if you have an AD RMS-enabled server application, you can enable the computers that run it to participate in your AD RMS system by configuring the DACL on the AD RMS server certification pipeline.

AD RMS-enabled server applications can connect to the AD RMS server certification service by using the ServerCertification.asmx file.


If there is more than one AD RMS server in the AD RMS cluster, the DACL on the server certification service must be changed on each server in the cluster.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enable certification of server services
  1. Open Windows Explorer and navigate to the folder where Internet Information Services was installed. By default, the folder path is %systemdrive%\Inetpub\wwwroot\_wmcs\Certification.

  2. To enable server services to receive RACs, right-click the ServerCertification.asmx file, and then click Properties.

  3. On the Security tab, click Add, and then add the computer account object of the AD RMS-enabled server application and the AD RMS Service Group.

  4. In the Permissions lists for the groups, select the Allow check box for both Read and Read & Execute permissions, and then click OK.


    If several servers are hosting AD RMS-enabled server applications, consider creating a group, adding all of the computer objects to this group, and then adding the group to the DACL of the certification pipeline instead.

  5. Restart Internet Information Services by running IISRESET at a command prompt to implement the changes to the DACLs on the AD RMS Web services.
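The procedure above, scripted so that the same change can be applied and reviewed on every server in the cluster. This is an added example, not a Microsoft-supplied script; `CONTOSO\EXCH01$` is a placeholder for the computer account (or group) of the AD RMS-enabled server application, and the backup file location is an assumption.

```powershell
# Added example. Run in an elevated Windows PowerShell session on EACH AD RMS server.
# Assumption: CONTOSO\EXCH01$ stands in for the application's computer account or group.
$Principals = @('CONTOSO\EXCH01$', 'AD RMS Service Group')
$Asmx   = Join-Path $env:SystemDrive 'Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$Backup = Join-Path $env:TEMP 'ServerCertification.asmx.sddl'   # assumed rollback location

if (-not (Test-Path -Path $Asmx)) { throw "Not found: $Asmx" }

# Save the current security descriptor so the change can be reverted.
$acl = Get-Acl -Path $Asmx
$acl.Sddl | Set-Content -Path $Backup

foreach ($name in $Principals) {
    # Resolve the name first: a typo fails here instead of producing a bad ACE.
    $account = New-Object System.Security.Principal.NTAccount($name)
    $null = $account.Translate([System.Security.Principal.SecurityIdentifier])
    # ReadAndExecute includes Read, matching the two check boxes in step 4.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($name, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Asmx -AclObject $acl

# Review the resulting DACL and flag Allow entries held by broad principals,
# which would open the certification pipeline wider than the procedure intends.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
$sidType   = [System.Security.Principal.SecurityIdentifier]
$report = foreach ($ace in (Get-Acl -Path $Asmx).GetAccessRules($true, $true, $sidType)) {
    $sid = $ace.IdentityReference.Value
    # RIDs 513 and 515 are Domain Users and Domain Computers.
    $isBroad = ($broadSids -contains $sid) -or ($sid -match '^S-1-5-21-.+-(513|515)$')
    New-Object PSObject -Property @{
        Sid       = $sid
        Type      = $ace.AccessControlType
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        Broad     = ($isBroad -and $ace.AccessControlType -eq 'Allow')
    }
}
$report | Format-Table Sid, Type, Rights, Inherited, Broad -AutoSize
if ($report | Where-Object { $_.Broad }) {
    Write-Warning 'A broad principal has access to ServerCertification.asmx; review before continuing.'
}

# Step 5: restart IIS so the AD RMS Web services pick up the new DACL.
iisreset
```

To revert, load the saved string with `$acl.SetSecurityDescriptorSddlForm((Get-Content $Backup))`, apply it with `Set-Acl`, and run `iisreset` again.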
