First Server Licensing-only Cluster Subenrollment
Updated: June 1, 2008
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
RMS servers added to a licensing-only cluster are automatically enrolled during provisioning in a process called subenrollment. When you add a new server to a licensing server cluster, however, the new server is not explicitly subenrolled because it uses the server licensor certificate and configuration database of the cluster.
Rather than sending the subenrollment request to the Microsoft Enrollment Service, the licensing server sends the request to the root cluster. The subenrollment request to add a server to a licensing-only cluster is identical to an enrollment request for the root cluster.
When the root cluster receives a subenrollment request, it validates that the request is properly formed, and then returns a certificate chain that contains the licensor certificate chain of the root cluster and a certificate that is signed by the root cluster. The certificate contains the server public key that is signed with the root cluster's private key. It grants the server in the licensing-only cluster the right to issue use and publishing licenses.
The server licensor certificate is valid for one year. The validity period begins when the certificate is issued. At the end of the validity period, the certificate can be renewed. Certificates and licenses that are issued by the server are valid for seven years. The validity period begins when the certificate or license is issued.
By default, the service that is required to process a subenrollment request on the root cluster, SubEnrollService.asmx, is configured to deny all access. You must change the DACLs on all RMS servers in the root cluster to permit RMS administrator access before a request can be processed.
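
A read-only check for the DACL change described above, as an added example that is not from the original page or from Microsoft: it reads the ACL on SubEnrollService.asmx on every root-cluster server and reports whether the RMS administrator identity has an Allow entry and whether any broad principal has one. The server names, the file path, and the group name are placeholders, and the list of broad principals is an assumption to adjust for your environment.

```powershell
# Added example. Placeholders (assumptions, not from the page): server names,
# the share and path to SubEnrollService.asmx, and the RMS administrators group.
$ServicePaths = @(
    '\\RMSROOT01.example.test\<share>\<path>\SubEnrollService.asmx',
    '\\RMSROOT02.example.test\<share>\<path>\SubEnrollService.asmx'
)
$RmsAdmin = 'EXAMPLE\RMS-Administrators'
# Principals assumed here to be too broad for an Allow entry on this file.
$Broad = 'Everyone', 'NT AUTHORITY\Authenticated Users',
         'NT AUTHORITY\ANONYMOUS LOGON', 'BUILTIN\Users'

function Test-SubEnrollDacl {
    param(
        [Parameter(Mandatory = $true)][string[]]$Path,
        [Parameter(Mandatory = $true)][string]$AdminIdentity,
        [string[]]$BroadIdentity = @()
    )
    foreach ($p in $Path) {
        # One result object per server so gaps between servers are visible.
        $result = [pscustomobject]@{
            Path = $p; Readable = $false; AdminAllowed = $false
            BroadAllow = @(); OtherAllow = @()
        }
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
            $result.Readable = $true
        } catch {
            # Unreachable or unreadable files are reported, not skipped.
            Write-Warning "Cannot read ACL on ${p}: $($_.Exception.Message)"
            $result
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($id -ieq $AdminIdentity) { $result.AdminAllowed = $true }
            elseif ($BroadIdentity -contains $id) { $result.BroadAllow += $id }
            else { $result.OtherAllow += $id }   # review these by hand
        }
        $result
    }
}

Test-SubEnrollDacl -Path $ServicePaths -AdminIdentity $RmsAdmin -BroadIdentity $Broad |
    Format-Table Path, Readable, AdminAllowed, BroadAllow, OtherAllow -AutoSize
```

A server that shows `AdminAllowed` as False still has the DACL change outstanding, and any entry under `BroadAllow` means the service has been opened further than the RMS administrator access the procedure calls for.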