Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that must be met:

• Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) domain as the user accounts that will be consuming rights-protected content.
  
  
• Create a domain user account with no additional permissions to be used as the AD RMS service account.
  
  
• Select the user account for installing AD RMS with the following restrictions:
  
  
  • The user account installing AD RMS must be different than the AD RMS service account.
    
    
  • If you are registering the AD RMS service connection point (SCP) during installation, the user account installing AD RMS must be a member of the AD DS Enterprise Admins group, or equivalent.
    
    
  • If you are using an external database server for the AD RMS databases, the user account installing AD RMS must have the right to create new databases. If Microsoft SQL Server 2005 or Microsoft SQL Server 2008 is used, the user account must be a member of the System Administrators database role, or equivalent
    
    
  • The user account installing AD RMS must have access to query the AD DS domain.
    
    
• Reserve a URL for the AD RMS cluster that will be available throughout the lifetime of the AD RMS installation. Ensure that the reserved URL is different from the computer name.
  
  

In addition to pre-installation requirements for AD RMS, we strongly recommend the following:

• Install the database server used to host the AD RMS databases on a separate computer. See System requirements for information about database servers that Windows Server 2008 R2 supports.
  
  
• Install the AD RMS cluster using a secure sockets layer (SSL) certificate. This certificate should be issued from a trusted root certification authority.
  
  
• Create a DNS alias (CNAME) record for the AD RMS cluster URL and a separate CNAME record for the computer hosting the AD RMS configuration database. In the event that the AD RMS servers are retired, lost due to a hardware failure, or the computer's name is changed, a CNAME record can be updated without having to publish all rights-protected files again.
  
  
• If you are using a named instance for the AD RMS configuration database, the SQL Server Browser service must be started on the database server before installing AD RMS. Otherwise, the AD RMS installation will not be able to locate the configuration database and the installation will not succeed.
  
  

If you are upgrading from any version of Rights Management Services (RMS) to AD RMS, do the following:

• Back up the RMS databases and store in a secure location.
  
  
• If your RMS cluster was configured to use the local SYSTEM account as the service account for the cluster, you must change the service account from the local SYSTEM account to a domain user account before upgrading from RMS to AD RMS.
  
  
• If you used the offline enrollment option to provision RMS, ensure that the enrollment is complete before upgrading to AD RMS.
  
  
• If you have been using MSDE to host your RMS databases, you must upgrade the databases to Microsoft SQL Server 2005 or later before you upgrade the RMS cluster to AD RMS. An upgrade from versions of RMS by using the MSDE database is not supported.
  
  
• If you have been using Microsoft SQL Server 2000 to host your RMS databases, you must upgrade the databases to Microsoft SQL Server 2005 or later before you upgrade the RMS cluster to AD RMS.
  
  
• Flush the RMS Message Queuing queue to ensure that all messages are written to the RMS logging database.
  
  

The following are a list of things that should be considered before installing AD RMS:

• Self-signed certificates should be used only in a test environment. For pilot and production environments, we recommend using an SSL certificate issued by a trusted certification authority.
  
  
• The Windows Internal Database with AD RMS is intended for use only in test environments. Because the Windows Internal Database does not support remote connections, it is not possible to add another server to the AD RMS cluster in this scenario.
  
  
• If an SCP already exists in the Active Directory forest for which you are installing AD RMS, ensure that the cluster URL in the SCP is the same as the cluster URL for the new installation. If they are not the same, you should not register the SCP during AD RMS installation.
  
  
• When installing AD RMS, localhost is not a supported cluster URL.
  
  
• When specifying the AD RMS service account during installation, make sure that a smart card has not been inserted into the computer. If a smart card is attached to the computer, you will get an error message that the user account installing AD RMS does not have access to query AD DS.
  
  
• When joining a new server to an existing AD RMS cluster, the SSL certificate should exist on the new server before the AD RMS installation starts.
  
  
• AD RMS does not support Kerberos authentication by default. For information about steps you must take to configure the server to support Kerberos authentication, see Enable support for Kerberos authentication.
  
  
• Windows Server 2008 R2 does not support Windows Rights Management Services (RMS) Client version 1. Support for this version of the client has ended with the release of the latest service pack for RMS Client version 1. To continue being able to create and access AD RMS-protected content, clients running RMS Client version 1 must install the latest service pack from http://go.microsoft.com/fwlink/?LinkId=140054.
  
  

The following are a list of things that should be considered before installing AD RMS with identity federation support:

• A federated trusted relationship must be configured before you install Identity Federation Support. During the installation of the Identity Federation Support role service, you are asked to specify the URL of the federation service.
  
  
• Active Directory Federation Services (AD FS) requires secure communication between AD RMS and the AD FS resource server. In order to use federation support with AD RMS, AD RMS must be installed using a secure cluster address.
  
  
• The AD RMS service account must have the Generate Security Audits privilege. This privilege is granted by using the Local Security Policy console.
  
  
• The AD RMS extranet cluster URLs must be accessible to the federated account partner.
  
  

The following table describes the minimum hardware requirements and recommendations for running Windows Server® 2008 R2 servers with the AD RMS server role.

The following table describes the software requirements for running Windows Server 2008 R2 servers with the AD RMS server role. For requirements that can be met by enabling features on the operating system, installing the AD RMS server role will configure those features as appropriate, if they are not already configured.