Known issues with RMS to AD RMS upgrade

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2

Upgrade from RMS to AD RMS

The following list contains known issues when upgrading from RMS on Windows Server 2003 to AD RMS on Windows Server 2008 or Windows Server 2008 R2:

  • AD RMS requires that the service account be a domain user account. If RMS has been using the local SYSTEM account for the service account, you must specify a domain user account during the upgrade to AD RMS.

  • You should clear the RMS MSMQ message queue before upgrading to Windows Server 2008 or Windows Server 2008 R2.

  • If RMS was provisioned using a hardware security module (HSM), you must reinstall the HSM drivers after the upgrade to Windows Server 2008 or Windows Server 2008 R2 is complete, but before you start the upgrade to AD RMS.

  • If you are using a port other than 80 to host your RMS cluster, the AD RMS Upgrade Wizard will bind two ports to this Web site during the upgrade. You must remove the incorrect binding and restart Internet Information Services before the AD RMS cluster can service requests.

  • Custom access control lists (ACLs) that are applied to the Admin and GroupExpansion virtual directories are not migrated during the upgrade. If you have a custom ACL on either of these directories, you must reapply it manually after the upgrade.

  • After completing the upgrade to AD RMS, you may receive the following error when opening the Active Directory Rights Management Services console:

    A connection with the specified AD RMS cluster could not be established. Cannot read configuration file due to insufficient permissions.

    You must restart Internet Information Services (IIS) to correct this error.

  • If you are upgrading an RMS cluster that is installed on a domain controller, you must add the AD RMS Service Group to the IIS_WPG group on the domain controller. Membership in the IIS_WPG group is required for running the AD RMS application pool (_DRMSAppPool1).

  • If you deployed RMS on a domain controller and protected the RMS key by using a software- or hardware-based cryptographic storage provider instead of having RMS centrally manage the private key, you cannot upgrade the cluster to AD RMS on that domain controller. You must first join a Windows Server 2008– or Windows Server 2008 R2–based member server to the RMS cluster to upgrade this cluster to an AD RMS cluster. We recommend that you remove RMS from the domain controller after the RMS cluster has been upgraded to AD RMS.

  • An upgrade of an RMS cluster that is installed on a domain controller that uses a hardware-based CSP will not succeed because the AD RMS Service Group is created as a domain group on the domain controller and not as a local group. You must first join a Windows Server 2008– or Windows Server 2008 R2–based member server to the RMS cluster to upgrade this cluster to an AD RMS cluster. We recommend that you remove RMS from the domain controller after the RMS cluster has been upgraded to AD RMS.

  • If RMS is installed but not provisioned and you upgrade to Windows Server 2008 or Windows Server 2008 R2, the upgrade link still appears in Server Manager. If you click this link and RMS was not provisioned, the upgrade fails.
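
For the issue above about custom ACLs on the Admin and GroupExpansion virtual directories, the following script records the ACLs before the upgrade and compares or reapplies them afterward. It is an added example, not part of the original documentation. It assumes the custom ACLs are NTFS ACLs on the folders that back the two virtual directories; the folder paths and the snapshot file name are placeholders to replace with your own values.

```powershell
# Added example: snapshot, compare and restore the ACLs on the Admin and
# GroupExpansion directories around an RMS to AD RMS upgrade.
# Assumption: the custom ACLs are NTFS ACLs on the backing folders.
# The default paths are placeholders; pass the real folder paths with -Path.
param(
    [ValidateSet('Save', 'Compare', 'Restore')]
    [string]$Mode = 'Compare',
    [string[]]$Path = @('<physical path of Admin>', '<physical path of GroupExpansion>'),
    [string]$Snapshot = '.\rms-vdir-acls.xml'
)

switch ($Mode) {
    'Save' {
        # Run before the upgrade: store each folder's security descriptor as SDDL.
        $records = foreach ($p in $Path) {
            $acl = Get-Acl -Path $p
            New-Object PSObject -Property @{ Path = $p; Sddl = $acl.Sddl }
        }
        $records | Export-Clixml -Path $Snapshot
        Write-Output "Saved ACLs for $(@($records).Count) folder(s) to $Snapshot"
    }
    'Compare' {
        # Run after the upgrade: report which folders no longer match the snapshot.
        foreach ($old in Import-Clixml -Path $Snapshot) {
            $now = (Get-Acl -Path $old.Path).Sddl
            $state = if ($now -eq $old.Sddl) { 'unchanged' } else { 'CHANGED' }
            New-Object PSObject -Property @{
                Path = $old.Path; State = $state; Before = $old.Sddl; After = $now
            }
        }
    }
    'Restore' {
        # Reapply only the access rules (DACL); owner and group are left alone.
        # This replaces the whole DACL, including entries added during the
        # upgrade, so review the Compare output first.
        $dacl = [System.Security.AccessControl.AccessControlSections]::Access
        foreach ($old in Import-Clixml -Path $Snapshot) {
            $acl = Get-Acl -Path $old.Path
            $acl.SetSecurityDescriptorSddlForm($old.Sddl, $dacl)
            Set-Acl -Path $old.Path -AclObject $acl
            Write-Output "Restored access rules on $($old.Path)"
        }
    }
}
```

Run it with -Mode Save before the upgrade, then with -Mode Compare afterward, and use -Mode Restore only for folders where the reported difference is the missing custom ACL.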