Active Directory Domain Services (AD DS) provides authentication for users of AD RMS. All of the user account requests received by the AD RMS cluster are recorded into the logging database if logging is enabled.

Deleting accounts from the configuration database

When you delete a user account from AD DS, the configuration database entry in the user key table for the user’s rights account certificate (RAC) is not automatically deleted. Because of this, the user key table can grow unbounded as new user keys are added, but old ones are not deleted.

There are two approaches that you can use to maintain the configuration database. First, you can create and run a stored procedure that deletes a user key identified by its security identifier (SID) when you remove the associated user account from AD DS.

Alternately, you can write a script that deletes user keys from the configuration database when their associated SIDs no longer exist in AD DS and run it periodically. Because this method creates a large load on both the database server and AD DS, you should schedule the running of your script during times of low activity.

Moving user accounts to another AD DS forest

When you set up and provision a root cluster in an organization, there can be only one root cluster for every Active Directory forest.

In general, when you move a user account from one domain to another domain in the same forest, a new SID is created for the user account in the new domain. Then, when a user attempts to acquire a new RAC from a server in the cluster, the user appears to be a new user because the SID is different. The cluster generates new keys for the user account and issues the new RAC by using the original e-mail address of the user. If the user attempts to use the new RAC with an existing use license, the SID and keys will not match. The user needs to acquire a new use license. This is also true for moving a user account to a domain that is in a different forest.

Additional references