Event ID 217 — AD RMS Cluster Availability

Applies To: Windows Server 2008

An Active Directory Rights Management Services (AD RMS) cluster and its clients must have network access to publish and consume rights-protected content.

Event Details

Product: Windows Operating System
ID: 217
Source: Active Directory Rights Management Services
Version: 6.0
Symbolic Name: WebResourceForbiddenEvent
Message: The remote server refused to fulfill your request.

User Action
Restart each server in the Active Directory Rights Management cluster.

Parameter Reference
Context: %1
RequestId: %2
%3
%4

Resolve

Fix network connectivity issues

Use these sections to ensure that the AD RMS Web services are available.

To perform these procedures, you must be a member of the local **Administrators** group, or you must have been delegated the appropriate authority.

Ensure that the AD RMS Web services are available

To verify that the AD RMS Web services are available:

  1. Log on to the AD RMS server as the AD RMS service account.
  2. Click Start, point to All Programs, and then click Internet Explorer.
  3. In the address bar, type http(s)://adrms_cluster_url/_wmcs/certification/certification.asmx, where adrms_cluster_url is the AD RMS cluster, and then press ENTER.
  4. Ensure that the CertificationWebService Web page opens in the Web browser.

Check IP address on AD RMS server

To check IP address on AD RMS server:

  1. Type ipconfig /all at a command prompt on the AD RMS server. Make sure that the AD RMS server has an IP address in the correct IP address range, and does not have an Automatic Private IP Addressing (APIPA) address (an IP address in the 169.254.x.x range).
  2. Type ping localhost to verify that TCP/IP is installed and correctly configured on the local computer. If the ping is unsuccessful, this may indicate a corrupt TCP/IP stack or a problem with the network adapter.
  3. Type ping ip address, where ip address is the IP address assigned to the computer. If you can ping the localhost address but not the local IP address, there may be an issue with the routing table or with the network adapter driver.
  4. Type ping dns server, where dns server is the IP address for the DNS server. If there is more than one DNS server on your network, you should ping each one. If you cannot ping the DNS servers, this indicates a potential problem with the DNS servers, or with the network between the AD RMS server and the DNS servers.
  5. Type nslookup adrms_cluster_url, where adrms_cluster_url is the name of the AD RMS cluster, and then press ENTER. If the nslookup command succeeds, restart each server in the AD RMS cluster. If the nslookup command fails, restart the DNS Server service on the DNS computer.

Ping AD RMS cluster DNS name

To ping AD RMS cluster DNS name:

  1. Log on to a server in the AD RMS cluster.
  2. At a command prompt, type **ping** <AD RMS cluster name>, where <AD RMS cluster name> is the DNS record that has been created for the AD RMS cluster.
  3. If the ping command is not successful and you are using a network load balancer, make sure that the network load balancer is operating correctly and is available on the network.

Troubleshoot DNS name resolution of AD RMS cluster

To troubleshoot DNS name resolution of AD RMS cluster:

  1. Log on to a server in the AD RMS cluster.
  2. At a command prompt, type nslookup <AD RMS cluster name>, where <AD RMS cluster name> is the DNS name that has been assigned to the AD RMS cluster, and then press ENTER.
  3. If the nslookup command fails, type ipconfig /flushdns from a command prompt. 
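
The browser and command-line checks in the four procedures above can be scripted so that they run the same way on every server in the cluster. The following is an added example, not part of the original article or Microsoft's tooling; it assumes Windows PowerShell 2.0 or later, and the parameter and helper function names are hypothetical. Run it as the AD RMS service account so the Web service request is made with that account's credentials.

```powershell
# Added example, not Microsoft's code. Assumes Windows PowerShell 2.0 or later.
# 'adrms_cluster_url' is the page's placeholder; pass your own cluster name.
param([string]$ClusterName = 'adrms_cluster_url', [string]$Scheme = 'https')

function Test-Apipa([string]$Address) {
    # APIPA addresses fall in the 169.254.x.x range
    $Address -match '^169\.254\.\d{1,3}\.\d{1,3}$'
}
function Test-Ping([string]$Target) {
    [bool](Test-Connection -ComputerName $Target -Count 2 -Quiet)
}
function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1,-22} {2}' -f $status, $Name, $Detail
}

# ipconfig /all equivalent: IPv4 addresses and DNS servers of enabled adapters
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$ipv4 = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+(\.\d+){3}$' })
$dns  = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Select-Object -Unique)

foreach ($ip in $ipv4) {
    Write-Check 'Not APIPA' (-not (Test-Apipa $ip)) $ip
    Write-Check 'Ping local IP' (Test-Ping $ip) $ip
}
Write-Check 'Ping localhost' (Test-Ping 'localhost') 'TCP/IP stack'
foreach ($server in $dns) { Write-Check 'Ping DNS server' (Test-Ping $server) $server }

# nslookup equivalent: resolve the cluster name, then ping it
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($ClusterName)
    Write-Check 'Resolve cluster name' $true (($addrs | ForEach-Object { $_.ToString() }) -join ', ')
    Write-Check 'Ping cluster name' (Test-Ping $ClusterName) $ClusterName
} catch {
    Write-Check 'Resolve cluster name' $false $_.Exception.Message
}

# Browser step: request the certification service as the current account
$url = '{0}://{1}/_wmcs/certification/certification.asmx' -f $Scheme, $ClusterName
try {
    $req = [System.Net.WebRequest]::Create($url)
    $req.UseDefaultCredentials = $true
    $resp = $req.GetResponse()
    Write-Check 'certification.asmx' $true ('HTTP {0}' -f [int]$resp.StatusCode)
    $resp.Close()
} catch {
    Write-Check 'certification.asmx' $false $_.Exception.Message
}
```

A FAIL on the last line with the other checks passing points at the Web service itself rather than at name resolution or routing.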

Check network load balancing on AD RMS cluster

To check network load balancing on AD RMS cluster:

  • Make sure that the network load balancer is operating correctly and is available on the network.
  • Make sure that all the AD RMS servers in the cluster are added to the network load balancing rotation.

To perform this procedure, you must be a member of the local **AD RMS Enterprise Administrators** group, or you must have been delegated the appropriate authority.

Check network proxy settings on AD RMS cluster

To check the network proxy settings on the AD RMS cluster:

  1. Open the Active Directory Rights Management Services console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
  2. Right-click the AD RMS cluster, and then click Properties.
  3. Click the Proxy Settings tab.
  4. Select the This cluster uses a proxy server to access external networks check box.
  5. In the Address box, type the IP address or DNS name of the proxy server that you want to use.
  6. In the Port box, type the port number that the proxy server uses to connect to the Internet.
  7. If you do not use the proxy server to connect to local resources, select the Bypass proxy server for local addresses check box.
  8. If you have addresses that should not be using the proxy server at all, type them in the Do not use proxy server for address beginning with box.
  9. If appropriate, select the This proxy server requires authentication check box.
  10. In the Authentication type list, choose the appropriate authentication type: Basic, Digest, or Integrated Windows.
  11. In the User name box, type the user name that should be supplied in response to the challenge from the proxy server.
  12. In the Password and Confirm password boxes, type the password that should be supplied in response to the challenge from the proxy server.
  13. If your proxy server uses Integrated Windows authentication, in the Domain box, type the domain to which the user belongs.
  14. Click OK.

Verify

AD RMS allows the user to apply rights-protection to a document and specify a Windows Live ID user to consume the content. Use the first procedure, "Ensure that the AD RMS cluster can contact the Windows Live ID service," to ensure that the AD RMS cluster can access the Internet to establish this trust policy.

Use the second procedure, "Check for connectivity to the Microsoft Activation service," to ensure that the Windows Rights Management Services (RMS) client version 1.0 with no service packs can contact the Microsoft Activation service on the Internet.

Use the third procedure, "Ensure that the AD RMS cluster is available on the network," to ensure that AD RMS-enabled clients on an organization's network can access the AD RMS cluster.

To perform these procedures, you must be a member of the local Users group, or you must have been delegated the appropriate authority.

Ensure that the AD RMS cluster can contact the Windows Live ID service

To ensure that the AD RMS cluster can contact the Windows Live ID service:

  1. Log on to the AD RMS server as the AD RMS service account.
  2. Click Start, point to All Programs, and then click Internet Explorer.
  3. In the address bar, type https://certification.drm.microsoft.com, and then press ENTER.

Check for connectivity to the Microsoft Activation service

To check for connectivity to the Microsoft Activation Service:

  1. Log on to a client computer.

  2. Click Start, click All Programs, and then click Internet Explorer.

  3. In the address bar, type https://activation.drm.microsoft.com/activation/activation.asmx, and then press ENTER.

    If the URL resolves to a Web page with the title ActivationWebService Web Service, the activation URL is operating correctly.

    If the URL does not resolve, check to make sure that it is allowed through the network proxy and that the URL is not being blocked by a firewall.

Note: This is valid only for the RMS Client version 1.0 with no service packs. The RMS Client with Service Pack 1 and the RMS Client with Service Pack 2 do not connect to the Microsoft Activation Service.

Ensure that the AD RMS cluster is available on the network

To ensure that the AD RMS cluster is available on the network:

  1. Log on to an AD RMS-enabled client computer.
  2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
  3. In the new document, type This is a test document.
  4. Click the Microsoft Office Start Button, point to Prepare, point to Restrict Permissions, and then click Restricted Access.
  5. Select the Restrict permissions to this document check box.
  6. Type another AD RMS user's e-mail address in the Read box, and then click OK.
  7. Send this file to the person who was granted access in step 6.
  8. Have this person open the document and verify that he or she cannot do anything else with the document such as print it.
