Additional servers can be joined to a cluster at any time. You can join servers to an AD RMS installation by using any one of the following methods:

  • Join one or more AD RMS servers to a root cluster.

  • Join one or more AD RMS servers to a licensing-only cluster.

Joining servers to a root cluster

For most purposes, joining one or more AD RMS servers to a root cluster is the best way to increase the availability and redundancy of your deployment. A root cluster can contain one or many servers that provide all services to AD RMS clients.

During installation and provisioning, you can choose the option to join a server to a cluster. When you do this, the new AD RMS server is automatically configured as a member of the cluster.

In addition to this provisioning step, if you are creating a cluster for the first time, you must also set up software or hardware with clustering and load balancing as needed. If you have already implemented a cluster, you must configure your load balancing software or hardware to work with the new cluster member.

Joining servers to a licensing-only cluster

Unlike the root cluster, which provides all of the AD RMS services, servers in a licensing-only cluster provides only licensing and publishing services.

Licensing-only clusters are optional and are most often deployed to address specific licensing requirements, such as the following:

  • To support unique rights-management requirements of a department. For instance, a group within your organization may have a different set of rights policy templates that should not be shared with the rest of the organization. Because only one root cluster is allowed in a forest, setting up a separate root cluster is not possible unless a new forest is created. In this case, you could set up a licensing-only cluster that is dedicated to this group’s needs, and then set up rights policy templates separately for that licensing-only cluster.

  • To support rights management for external business partners as part of an extranet that requires strong separation and tracking of resources for specific business partners.


If you are using a software or hardware-based cryptographic service provider (CSP) to protect the AD RMS cluster key, you should import this key container before joining the server to an AD RMS cluster.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To join an AD RMS server to an existing cluster
  1. Log on to the server that you want to join to an existing AD RMS cluster.

  2. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.

  3. In the Roles Summary box, click Add Roles.

  4. Read the Before You Begin section, and then click Next.

  5. On the Select Server Roles page, select the Active Directory Rights Management Services box check box.

  6. The Role Services page appears informing you of the AD RMS dependent role services and features. Make sure that Web Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click Next.

  7. Read the AD RMS introduction page, and then click Next.

  8. On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and then click Next.

  9. Select the Join an existing AD RMS cluster option, and then click Next.

  10. Type the name of the database server in the Database server box, choose the appropriate database server instance from the Select or enter database server instance box, type the name of the AD RMS configuration database in the Enter database name box, click Validate, and then click Next.

  11. If you are using AD RMS to centrally manage the cluster key, confirm that the database is correct, type the cluster key password in the Password box, type the cluster password again in the Confirm Password box, and then click Next.

  12. Read the Introduction to Web Server (IIS) page, and then click Next.

  13. Keep the Web server default check box selections, and then click Next.

  14. Click Install to join this computer to the existing AD RMS cluster. It can take up to 60 minutes to complete the installation.

  15. Click Finish.

  16. Log off the server, and then log back on to update the permissions granted to the logged on user account. The user account that is logged on when the AD RMS server role is provisioned is automatically made a member of the AD RMS Enterprise Administrators group.

Additional considerations

Additional reference