AD RMS Databases

Applies To: Windows Server 2008, Windows Server 2008 R2

The AD RMS database is one of the most active components in an AD RMS infrastructure. AD RMS logging in particular generates a significant amount of activity on the SQL Server database, and the growth of the logging database can lead to resource allocation problems if left unchecked. In this section we present information on the AD RMS databases, their contents, and their growth potential. We also make recommendations for their maintenance.

AD RMS uses three databases in the database server:

  • The configuration database – The configuration database is a critical component of an AD RMS installation because it stores, shares, and retrieves all configuration data and other data that the service needs to manage account certification, licensing, and publishing services for a whole cluster. The way the configuration database is managed directly affects the security and availability of rights-protected content. Each AD RMS cluster has one configuration database. The configuration database for the root cluster contains a list of Windows user identities and their rights account certificates (RACs). If the “Use AD RMS centrally managed key storage” option is enabled in the AD RMS configuration, the AD RMS cluster key pair is encrypted before it is stored in the database; this key pair is used to sign the certificates and licenses granted by the server.

  • The directory services database – The directory services database contains information about users, identifiers (such as e-mail addresses), security IDs (SIDs), group membership, and alternate identifiers. This information is a cache of directory services data that AD RMS obtains through Lightweight Directory Access Protocol (LDAP) queries made by the AD RMS licensing service to the Active Directory Domain Services (AD DS) global catalog. The cache improves performance and reduces the burden on the Active Directory infrastructure during licensing operations.

  • The logging database – For each root or licensing-only cluster, by default, AD RMS installs a logging database in the same database server instance that hosts the configuration database. AD RMS also creates a private message queue for logging in Microsoft Message Queuing on each AD RMS server. The AD RMS logging service transmits data from this message queue to the logging database. A big difference between RMS v1 and AD RMS is that the certificate XrML text is, by default, not included in AD RMS logs. This information typically accounts for 80-90% of the logging database space in RMS v1, but it is not logged by default in AD RMS, which significantly reduces logging volumes. However, logging of the full certificate XrML text can be enabled via a registry key.
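Because the logging database is the one whose growth can cause resource problems, the following T-SQL is an added example (not part of this article or of the AD RMS product) that records the size of each AD RMS database on its SQL Server instance and reports growth between samples. It assumes the databases keep the default DRMS_* names that AD RMS setup creates, that a DBA-owned database named DBAdmin exists to hold the history table, and SQL Server 2008 or later.

```sql
-- Added example: sample AD RMS database sizes into a history table and report growth.
-- Assumptions: default DRMS_* database names; a DBAdmin database for the history table.
IF OBJECT_ID('DBAdmin.dbo.AdRmsDbSizeHistory', 'U') IS NULL
    CREATE TABLE DBAdmin.dbo.AdRmsDbSizeHistory (
        sampled_at    datetime2 NOT NULL DEFAULT SYSUTCDATETIME(),
        database_name sysname   NOT NULL,
        data_mb       bigint    NOT NULL,
        log_mb        bigint    NOT NULL
    );

-- sys.master_files reports file sizes in 8 KB pages; [_] escapes the LIKE wildcard
-- so that only names beginning with a literal "DRMS_" match.
INSERT INTO DBAdmin.dbo.AdRmsDbSizeHistory (database_name, data_mb, log_mb)
SELECT d.name,
       SUM(CASE WHEN f.type_desc = 'ROWS' THEN f.size ELSE 0 END) * 8 / 1024,
       SUM(CASE WHEN f.type_desc = 'LOG'  THEN f.size ELSE 0 END) * 8 / 1024
FROM sys.databases AS d
JOIN sys.master_files AS f ON f.database_id = d.database_id
WHERE d.name LIKE 'DRMS[_]%'
GROUP BY d.name;

-- Latest samples per database with growth since the previous sample.
-- The role column labels the three databases the article describes; the
-- logging database is the one to trend and alert on.
SELECT h.database_name,
       CASE WHEN h.database_name LIKE 'DRMS[_]Logging%'           THEN 'logging'
            WHEN h.database_name LIKE 'DRMS[_]Config%'            THEN 'configuration'
            WHEN h.database_name LIKE 'DRMS[_]DirectoryServices%' THEN 'directory services cache'
            ELSE 'other' END AS role,
       h.sampled_at,
       h.data_mb,
       h.log_mb,
       h.data_mb - (SELECT TOP (1) p.data_mb
                    FROM DBAdmin.dbo.AdRmsDbSizeHistory AS p
                    WHERE p.database_name = h.database_name
                      AND p.sampled_at < h.sampled_at
                    ORDER BY p.sampled_at DESC) AS data_growth_mb
FROM DBAdmin.dbo.AdRmsDbSizeHistory AS h
ORDER BY h.database_name, h.sampled_at DESC;
```

Run the script on a schedule (for example from a SQL Server Agent job) so that data_growth_mb reflects the interval between samples; a sudden jump in the logging database is the signal that its retention or the XrML logging setting needs review.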