RMS Administration Issues

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

After RMS is successfully provisioned on your server, you might encounter issues during day-to-day administration of RMS. You can use the information that is in the following sections to help you resolve some of these issues.

The following issues are discussed:

  • "SQL Server does not exist or access denied" message received when attempting to open the RMS Administration Web site

  • Unable to Complete the Offline Enrollment Process

  • Log Files Are Not Created

  • Restoring the Configuration Database

  • Expired RMS Service Account Password

  • Restoring a Previous RMS Installation

  • Clients cannot open RMS-protected content due to expired permissions

  • "Access is Denied" error when RMS Attempts to Log Events to the Application Event Log

"SQL Server does not exist or access denied" message received when attempting to open the RMS Administration Web site

If you installed RMS by using a new installation of SQL Server 2005 as your database server, the SQL Server service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to start automatically when the server is started. If you have restarted your SQL Server since installing RMS and have not configured this service to start automatically, RMS will not be able to function and only the RMS Global Administration page will be accessible.

After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality.

Unable to Complete the Offline Enrollment Process

If the enrollment request file is incomplete or has been modified before it is submitted to the Microsoft Enrollment Service Web site, you cannot complete the offline enrollment. The enrollment request file may have been corrupted by a malicious program, user error, or system error.

Depending on what information is missing, the Microsoft Enrollment Service Web site could still accept the file and return a server licensor certificate or it could refuse to accept the request file and present an error.

If a server licensor certificate is returned, it will reflect the omissions or corruption present in the enrollment request file and RMS will present an error when you attempt to import the certificate.

If you are unable to complete the enrollment process, check that the computer with the Internet connection is free of viruses, re-export the enrollment request file from a server in the RMS cluster, and then use different media to transport it to the computer with the Internet connection. If you encounter the error again, you should contact Microsoft Product Support Services.

Log Files Are Not Created

The RMS Logging Service requires both the Message Queuing service and access to the logging database. If log files are not being created, this could mean that the components were not correctly configured or that communication between the components is being interrupted.

Test to ensure that the RMS server and the database server have network connectivity. If they do, use the following procedures to review the prerequisites for the RMS logging service and ensure that all of the software dependencies are correctly configured.

First, verify that the Message Queuing configuration is correct. Message Queuing must be installed with Active Directory Integration enabled.

To verify that Message Queuing has been installed and configured correctly

  1. In Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components to open the Windows Components Wizard.

  2. In the Windows Components Wizard, select the Application Server check box, and then click Details.

  3. Select the Message Queuing check box and then click Details.

  4. If the Active Directory Integration check box is selected, go on to the next test and verify that Message Queuing is running. If the check box is not selected, continue performing steps 5 through 9.

  5. Click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration to open the Global Administration page.

  6. Next to the Web site on which RMS is provisioned, click Remove RMS from this Web site, and then click OK.

  7. From Add or Remove Programs in Control Panel, click Add/Remove Windows Components, click Application Server, and then click Message Queuing.

  8. To enable Active Directory Integration, click Details, select the Active Directory Integration check box and then click OK.

  9. Open the Global Administration page. Next to the name of the Web site on which you want to provision RMS, click Provision RMS on this Web site.

Second, verify that Message Queuing is running on your server.

To verify that Message Queuing is running on your server

  1. In Control Panel, click Administrative Tools, and then click Services.

  2. Scroll down through the list of services until you find the Message Queuing service.

  3. In the Status column, the service should be reported as Started; if it is not, right-click the service, and then click Start.

Third, verify that the logging service has permission to write events to the logging database. The RMS logging service runs by using the RMS service account. Verify that the RMS service account has a valid login to the database server and that it has been granted the permissions required to allow it to create databases and write information to the files.

Once all of these prerequisites have been met, stop and restart the RMS logging service by using the Services snap-in. After the RMS logging service restarts, log files should be created on the database server. If you are using SQL Server as your database server, the following procedure shows how to verify that log files are being created.

To verify that log files are being created on SQL Server

  1. In SQL Server Enterprise Manager, connect to the database server that hosts the RMS logging database, and then expand Databases.

  2. Click the logging database, click Tables, right-click DRMS_log_master, and then click Open table – return all rows. If log files are being created, you will see one or more log files.
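
The three procedures above can also be checked from a script. The following is an added example, not code from the original article: it assumes PowerShell on an RMS server, Windows authentication to the database server, and that the server, database and account names are placeholders you replace; the MSMQ Workgroup registry value used for the Active Directory Integration check is an assumption.

```powershell
# Added example (not from the original article): scripts the prerequisite
# checks that the three procedures above walk through by hand. Assumes
# PowerShell on an RMS server, Windows authentication to the database server,
# and that the three names below are placeholders you replace.
$DbServer       = 'DBSERVER'                  # placeholder: logging database server
$LoggingDb      = 'DRMS_LOGGING_PLACEHOLDER'  # placeholder: RMS logging database name
$ServiceAccount = 'DOMAIN\rmssvc'             # placeholder: RMS service account

# 1. The Message Queuing service (service name MSMQ) must be running.
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if (-not $msmq)                     { Write-Warning 'Message Queuing is not installed.' }
elseif ($msmq.Status -ne 'Running') { Write-Warning "Message Queuing is $($msmq.Status); start it." }
else                                { Write-Host 'Message Queuing: running' }

# 2. Active Directory Integration. Assumption: Message Queuing records workgroup
#    mode (no AD integration) as Workgroup = 1 under its Parameters key.
$params = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\MSMQ\Parameters' -ErrorAction SilentlyContinue
if ($params -and $params.Workgroup -eq 1) {
    Write-Warning 'Message Queuing is in workgroup mode; Active Directory Integration is not enabled.'
}

# 3. Service account login and rights on the database server, then the row
#    count of DRMS_log_master, the table the last procedure opens by hand.
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList `
    "Server=$DbServer;Database=$LoggingDb;Integrated Security=SSPI"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = @"
SELECT (SELECT COUNT(*) FROM master.dbo.syslogins WHERE name = @acct) AS HasLogin,
       ISNULL(IS_SRVROLEMEMBER('dbcreator', @acct), 0)                  AS IsDbCreator,
       ISNULL(IS_SRVROLEMEMBER('sysadmin',  @acct), 0)                  AS IsSysadmin,
       (SELECT COUNT(*) FROM DRMS_log_master)                          AS LogRows
"@
[void]$cmd.Parameters.AddWithValue('@acct', $ServiceAccount)
$r = $cmd.ExecuteReader()
if ($r.Read()) {
    if ($r['HasLogin'] -eq 0) { Write-Warning "$ServiceAccount has no login on $DbServer." }
    if ($r['IsDbCreator'] -eq 0 -and $r['IsSysadmin'] -eq 0) {
        Write-Warning "$ServiceAccount cannot create databases on $DbServer."
    }
    Write-Host "Rows in DRMS_log_master: $($r['LogRows'])"
}
$r.Close(); $conn.Close()
```

A row count of zero after the logging service has been restarted points back at the Message Queuing or permission checks above rather than at the database itself.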

Restoring the Configuration Database

RMS cannot operate without a functioning configuration database. If you have problems with the configuration database, such as database corruption or hard disk failure on the database server, you can restore RMS functionality if you restore a backup of the configuration database. To restore the RMS configuration database from a backup, you need the following information:

  • The name of the most recent backup of the database.

  • The name of the computer on which the backup database will be restored.

  • The account name and password that were originally used to provision RMS.

  • The password that was originally specified for software private key protection (if it was used).

Restoring from the backup database does not require either a new server licensor certificate or a new private key because RMS retains all settings (which it gets from the backup configuration database).

You can restore a backup database by using the following procedure.

To restore a backup database

  1. Click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration to open the Global Administration page.

  2. Next to the Web site on which RMS is provisioned, click Remove RMS from this Web site, and then click OK.

  3. Restore the backup database files for your configuration database. If you backed up your logging database during your backup procedure and want to maintain continuity of data, restore the logging database as well.

    • If this system is being restored after a total system failure, restore the registry by using your system state backup before restoring the backup database files.

  4. If the database that is being restored is for a single server root cluster, modify the following registry key before attempting to reprovision the service:

    • On computers running the 32-bit version of Windows Server 2003

      HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS\1.0\

    • On computers running the 64-bit version of Windows Server 2003

      HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\DRMS\1.0\

    Add the following entry as a string value and leave the value blank:

    GicURL

    This overrides the Active Directory discovery of the root cluster server and allows you to gain access to the root cluster provisioning pages.

  5. If you used a hardware security module to secure the RMS private key, restore the backup security world so that the keys can be retrieved.

  6. Use one of the following steps:

    • To restore the database for a single server in a cluster, click Provision RMS on this Web site next to the Web site on which you want to provision RMS.

      -or-

    • To restore the database for a cluster, click Add this server to a cluster next to the Web site on which you want to provision RMS.

  7. Specify the RMS service account that was used to provision the server originally.

  8. Specify the backup configuration database (including the database name and the name of the computer where the database resides) that you want to use.

  9. Specify the same password that you used to provision this server originally.

  10. Click Submit.

The provisioning process will start and RMS will be re-provisioned on the server.
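
Step 4 of the procedure can be scripted so that the correct path is chosen for the platform. The following is an added example, not code from the original article; it assumes PowerShell running with administrative rights on the RMS server and relies on the fact that a 32-bit process writing HKLM\Software is redirected to WOW6432Node on 64-bit Windows, so only a 64-bit process needs the explicit WOW6432Node path.

```powershell
# Added example (not from the original article). Creates the blank GicURL
# string value from step 4 above under the path that matches the platform.
# Assumes PowerShell running elevated on the RMS server. A 64-bit process must
# write the explicit WOW6432Node path; a 32-bit process is redirected there
# automatically, so the plain path is correct for it on either platform.
$key = if ([IntPtr]::Size -eq 8) {
    'HKLM:\Software\WOW6432Node\Microsoft\DRMS\1.0'   # 64-bit Windows Server 2003
} else {
    'HKLM:\Software\Microsoft\DRMS\1.0'               # 32-bit Windows Server 2003
}

if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# A String (REG_SZ) value named GicURL left blank overrides the Active
# Directory discovery of the root cluster during re-provisioning.
New-ItemProperty -Path $key -Name 'GicURL' -PropertyType String -Value '' -Force | Out-Null

# Read it back to confirm the value exists and is blank before continuing.
$check = Get-ItemProperty -Path $key -Name 'GicURL'
if ($check.GicURL -eq '') {
    Write-Host "GicURL created under $key; continue with step 5."
} else {
    Write-Warning "GicURL under $key is '$($check.GicURL)', expected blank."
}
```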

For more information, see "System Recovery Planning and Backing Up and Restoring the RMS System" in "RMS: Planning and Architecture" in this documentation collection.

Expired RMS Service Account Password

If RMS stops operating, it could be because the RMS service account password has expired. Look in IIS Manager. If the RMS application pools are stopped and you cannot restart them, the RMS service account password might be expired.

If your RMS service account password expires, you must change the password on each RMS server that uses the account with the expired password, and then restart IIS. For more information, see "Changing the RMS Service Account Password" in "RMS: Operations" in this documentation collection.

Restoring a Previous RMS Installation

If your RMS server hardware or software fails, you can restore an RMS server by using the previously installed configuration database to provision a new server instance.

Note

This procedure applies only if the server that is running RMS fails. If the server that is running your configuration database fails, see "Restoring the Configuration Database" earlier in this topic. If your RMS server is also your database server, you will have to restore the entire server from a backup copy.

Use the following procedure to point to the same configuration database that was used for the original installation.

To restore a previous RMS installation

  1. Log on to the computer that you want to configure as an RMS server using an account with administrative privileges. Ensure that this computer meets the minimum system requirements for RMS. For more information about system requirements for RMS, see "Hardware Requirements" for RMS in "RMS: Planning and Architecture" in this documentation collection.

  2. If you are using a hardware security module to protect the RMS private keys, ensure that it is correctly configured by using the same settings and security world that were used with the previous RMS installation.

  3. Install RMS on the computer.

  4. After completing the RMS installation, click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration to open the Global Administration page.

  5. Next to the Web site on which you want to provision RMS, click Add this server to a cluster.

  6. In the RMS service account area, type the RMS service account name, in the form domain_name\user_name, and the password of the RMS service account under which RMS will run for most routine operations. This must be a domain account.

  7. In the Configuration database area, specify the name of the database server and the name of the configuration database of the original RMS installation that you want to recover.

  8. In the Private key protection area, select the mechanism used by this cluster for protecting the private key. If you used software-based private key protection, you must provide the private key password that was used to encrypt the private key when this cluster was originally provisioned.

  9. Click Submit.

Clients cannot open RMS-protected content due to expired permissions

If a user's permissions have expired, the user cannot consume rights-protected content. If the system clock on the RMS server is ahead of the system clock on the RMS client, a user might also be unable to consume rights-protected content even when the permissions have not expired. Because the system clocks on the two computers are not synchronized, the following error might appear when the client computer attempts to open the content:

You do not have permission to open this message because your permission has expired. Do you want to open it using a different set of credentials?

Both the client license and the content license are valid, but the time differential causes the client to interpret the content license as not valid and return this error to the user. This can lead the user to believe that there is an issue with their RMS account certificate or with the rights granted to the document. Once the clock on the client has reached the validity time range of the content publishing license, the user will be able to open the content.

As a best practice, you should have both the clients and the servers in the RMS system synchronize to the same time service.
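
The skew described above can be measured from the client before assuming a certificate or rights problem. The following is an added example, not code from the original article: it assumes the Windows Time tool w32tm is available on the client, that the RMS server and time source names are placeholders, and that the 60-second tolerance and the w32tm /stripchart output format ("HH:MM:SS, +dd.ddddddds") are assumptions for this check.

```powershell
# Added example (not from the original article). Measures the clock offset
# between this RMS client and the RMS server with w32tm /stripchart, then
# points the client at the same time source the server uses. Assumes w32tm
# (Windows Time) is present; the names and tolerance below are placeholders.
$RmsServer  = 'rms.example.local'    # placeholder: an RMS server in the cluster
$TimeSource = 'time.example.local'   # placeholder: the time service both sides use
$MaxSkewSec = 60                     # assumed tolerance for this check

# Each /dataonly sample line looks like "12:00:00, +00.0123456s" (assumed format).
$out = & w32tm /stripchart "/computer:$RmsServer" /samples:5 /dataonly 2>&1
$offsets = @(foreach ($line in $out) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
})
if ($offsets.Count -eq 0) {
    Write-Warning "Could not measure the offset against $RmsServer."
    return
}
$avg = ($offsets | Measure-Object -Average).Average
Write-Host ("Average offset to {0}: {1:N3} s" -f $RmsServer, $avg)
if ([Math]::Abs($avg) -gt $MaxSkewSec) {
    Write-Warning "Clock skew exceeds $MaxSkewSec s; the 'permission has expired' error above is likely."
}

# Point this computer at the same time source as the servers and resync.
# On a domain member the domain hierarchy may already provide this; the
# manual peer list is shown as one explicit way to make both sides agree.
& w32tm /config "/manualpeerlist:$TimeSource" /syncfromflags:manual /update
& w32tm /resync
```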

"Access is Denied" error when RMS Attempts to Log Events to the Application Event Log

By default, components such as RMS that run from an ASP page are created under the IUSR_COMPUTERNAME account. This account is a member of the Guests group, and by default the security settings on the Application event log do not allow Guest accounts to write data to it.

To work around this problem, you can use the registry editor to modify the registry key that controls this behavior.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Set the following registry value to 0 instead of 1, and then restart your computer for the change to take effect.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application

Name: RestrictGuestAccess

Type: REG_DWORD

Note

This enables all Guest accounts to write to the Application Event Log.
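
The registry change above, as an added example that is not code from the original article: it assumes PowerShell running with administrative rights on the RMS server, reads the existing value first so the change is recorded, and sets the value only when it is not already 0.

```powershell
# Added example (not from the original article). Reads RestrictGuestAccess
# for the Application log, records the existing value, and sets it to 0 only
# if needed, as the workaround above describes. Assumes PowerShell running
# elevated on the RMS server; the computer must still be restarted afterwards.
$key  = 'HKLM:\System\CurrentControlSet\Services\EventLog\Application'
$name = 'RestrictGuestAccess'

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Host "Current $name = $current"   # blank if the value does not exist yet

if ($current -ne 0) {
    # REG_DWORD 0 lets guest accounts (including IUSR_COMPUTERNAME) write to
    # the Application log. As the note above says, this applies to every
    # Guest account, not only the one RMS runs under.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "Set $name to 0. Restart the computer for the change to take effect."
} else {
    Write-Host "$name is already 0; no change made."
}
```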

For more information about the cause of this error, see the article about enabling logging from ASP pages in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=44167).