Before you install AD RMS
Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that must be met:
- Install the AD RMS server as a member
server in the same Active Directory Domain Services (AD DS)
domain as the user accounts that will be consuming rights-protected
- Create a domain user account with no
additional permissions to be used as the AD RMS service
- Select the user account for installing
AD RMS with the following restrictions:
- The user account installing AD RMS must
be different than the AD RMS service account.
- If you are registering the AD RMS
service connection point (SCP) during installation, the user
account installing AD RMS must be a member of the AD DS
Enterprise Admins group, or equivalent.
- If you are using an external database server
for the AD RMS databases, the user account installing
AD RMS must have the right to create new databases. If
Microsoft SQL Server 2005 or Microsoft SQL Server 2008 is
used, the user account must be a member of the System
Administrators database role, or equivalent
- The user account installing AD RMS must
have access to query the AD DS domain.
- The user account installing AD RMS must be different than the AD RMS service account.
- Reserve a URL for the AD RMS cluster
that will be available throughout the lifetime of the AD RMS
installation. Ensure that the reserved URL is different from the
In addition to pre-installation requirements for AD RMS, we strongly recommend the following:
- Install the database server used to host the
AD RMS databases on a separate computer. See System requirements for information about database
servers that Windows Server 2008 R2 supports.
- Install the AD RMS cluster using a
secure sockets layer (SSL) certificate. This certificate should be
issued from a trusted root certification authority.
- Create a DNS alias (CNAME) record for the
AD RMS cluster URL and a separate CNAME record for the
computer hosting the AD RMS configuration database. In the
event that the AD RMS servers are retired, lost due to a
hardware failure, or the computer's name is changed, a CNAME record
can be updated without having to publish all rights-protected files
- If you are using a named instance for the
AD RMS configuration database, the SQL Server Browser service
must be started on the database server before installing
AD RMS. Otherwise, the AD RMS installation will not be
able to locate the configuration database and the installation will
Before you upgrade from RMS to AD RMS
If you are upgrading from any version of Rights Management Services (RMS) to AD RMS, do the following:
- Back up the RMS databases and store in a
- If your RMS cluster was configured to use the
local SYSTEM account as the service account for the cluster, you
must change the service account from the local SYSTEM account to a
domain user account before upgrading from RMS to AD RMS.
- If you used the offline enrollment option to
provision RMS, ensure that the enrollment is complete before
upgrading to AD RMS.
- If you have been using MSDE to host your RMS
databases, you must upgrade the databases to Microsoft SQL
Server 2005 or later before you upgrade the RMS cluster to
AD RMS. An upgrade from versions of RMS by using the MSDE
database is not supported.
- If you have been using Microsoft SQL
Server 2000 to host your RMS databases, you must upgrade the
databases to Microsoft SQL Server 2005 or later before you
upgrade the RMS cluster to AD RMS.
- Flush the RMS Message Queuing queue to ensure
that all messages are written to the RMS logging database.
Important considerations for installing AD RMS
The following are a list of things that should be considered before installing AD RMS:
- Self-signed certificates should be used only
in a test environment. For pilot and production environments, we
recommend using an SSL certificate issued by a trusted
- The Windows Internal Database with
AD RMS is intended for use only in test environments. Because
the Windows Internal Database does not support remote connections,
it is not possible to add another server to the AD RMS cluster
in this scenario.
- If an SCP already exists in the Active
Directory forest for which you are installing AD RMS, ensure
that the cluster URL in the SCP is the same as the cluster URL for
the new installation. If they are not the same, you should not
register the SCP during AD RMS installation.
- When installing AD RMS, localhost is not
a supported cluster URL.
- When specifying the AD RMS service
account during installation, make sure that a smart card has not
been inserted into the computer. If a smart card is attached to the
computer, you will get an error message that the user account
installing AD RMS does not have access to query
- When joining a new server to an existing
AD RMS cluster, the SSL certificate should exist on the new
server before the AD RMS installation starts.
- AD RMS does not support Kerberos
authentication by default. For information about steps you must
take to configure the server to support Kerberos authentication,
support for Kerberos authentication.
- Windows Server 2008 R2 does not
support Windows Rights Management Services (RMS) Client version 1.
Support for this version of the client has ended with the release
of the latest service pack for RMS Client version 1. To continue
being able to create and access AD RMS-protected content,
clients running RMS Client version 1 must install the latest
service pack from http://go.microsoft.com/fwlink/?LinkId=140054.
Important considerations for installing AD RMS with identity federation support
The following are a list of things that should be considered before installing AD RMS with identity federation support:
- A federated trusted relationship must be
configured before you install Identity Federation Support. During
the installation of the Identity Federation Support role service,
you are asked to specify the URL of the federation service.
- Active Directory Federation Services
(AD FS) requires secure communication between AD RMS and
the AD FS resource server. In order to use federation support
with AD RMS, AD RMS must be installed using a secure
- The AD RMS service account must have the
Generate Security Audits privilege. This privilege is
granted by using the Local Security Policy console.
- The AD RMS extranet cluster URLs must be
accessible to the federated account partner.
The following table describes the minimum hardware requirements and recommendations for running Windows Server® 2008 R2 servers with the AD RMS server role.
One Pentium 4 3 GHz processor or higher
Two Pentium 4 3 GHz processors or higher
512 MB of RAM
1024 MB of RAM
40 GB of free hard disk space
80 GB of free hard disk space
The following table describes the software requirements for running Windows Server 2008 R2 servers with the AD RMS server role. For requirements that can be met by enabling features on the operating system, installing the AD RMS server role will configure those features as appropriate, if they are not already configured.
Windows Server 2008 R2
NTFS file system is recommended
Internet Information Services (IIS)
ASP.NET must be enabled.
Active Directory or AD DS
AD RMS must be installed in an Active Directory domain in which the domain controllers are running Windows Server 2000 with Service Pack 3 (SP3), Windows Server 2003, Windows Server® 2008 or Windows Server 2008 R2. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory.
AD RMS requires a database server, such as Microsoft SQL Server 2005, and stored procedures to perform operations. The AD RMS server role on Windows Server 2008 R2 does not support Microsoft SQL Server 2000.