Decommission AD RMS

  • Article

Applies To: Windows Server 2008

Before you remove the Active Directory Rights Management Services (AD RMS) role from a server, you should first decommission AD RMS. When you decommission AD RMS, the behavior of the AD RMS cluster is changed such that it can now provide a key that decrypts the rights-protected content that it had previously published. This key allows the content to be saved without AD RMS protection. This can be useful if you have decided to stop using AD RMS protection in your organization, or still need the information.

You should enable decommissioning on each server in the cluster long enough for users to have the opportunity to save their content without AD RMS protection and for your network and system administrators to disable any AD RMS-enabled clients from using the service.

After you enable decommissioning, the Active Directory Rights Management console will only show the Decommissioning server information page in the results pane; no further administration is supported.

Warning

When you decommission a server, it cannot be restored to its previous AD RMS configuration. This process cannot be reversed. Once you have decommissioned AD RMS, you must completely remove AD RMS by using Server Manager before you attempt to install another instance of AD RMS.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To decommission AD RMS

  1. Log on to the server on which you want to decommission AD RMS.

  2. Modify the access control list (ACL) on the decommissioning.asmx file by granting the Everyone group Read & Execute permissions. The default location for this file is %systemdrive%\inetpub\wwwroot\_wmcs\decommission.

  3. Open the Active Directory Rights Management Services console and add the AD RMS cluster.

  4. Expand the AD RMS cluster, expand Security Policies, and then select Decommissioning.

  5. Select the Enable Decommissioning option in the Actions pane.

  6. Click Decommission.

  7. When prompted, click Yes to confirm that you want to permanently decommission the AD RMS installation.

  8. Repeat steps 1–7 for all AD RMS servers in the cluster.

  9. Inform your users that you are decommissioning the AD RMS installation and advise them to connect to the cluster to save their content without AD RMS protection. Alternatively, you could delegate a trusted person to decrypt all rights-protected content by temporarily adding that person to the AD RMS super users group.

  10. After you believe that all of the content is unprotected and saved, you should export the server licensor certificate, and then uninstall AD RMS from the server.

Additional references