Enrolling the First Server in the Root Cluster

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Each RMS installation must include at least one server in the root cluster, and can optionally include additional servers. The root cluster can be used for both certification and licensing in the RMS implementation. The first server in the root cluster must enroll with the Microsoft Enrollment Service to obtain a root server licensor certificate. This certificate serves as the basis of the trust hierarchy in an RMS implementation: every other certificate and license the installation issues ultimately chains back to it.

A root server licensor certificate can be obtained using either of the following methods. You can select which one to use when you complete the provisioning information for your RMS root cluster:

  • Online enrollment. If your server has the ability to connect to the Internet, you can obtain a server licensor certificate automatically during provisioning. This is the default method.

  • Offline enrollment. If your server is isolated from the Internet, you can enroll manually after the provisioning process is complete. To do this, you export an enrollment request from this server to a file, transport the file to another computer that has Internet connectivity, and submit the enrollment request from that computer to the Microsoft Enrollment Service in order to obtain a server licensor certificate. If offline enrollment is chosen at provisioning time, RMS will complete the provisioning process, but will not be functional until the server licensor certificate obtained from the enrollment request has been imported. For more information, see "To Manually Enroll the First Server in the Root Cluster" later in this topic.

The enrollment request includes the following information:

  • Revocation information. Whether the RMS installation will use standard or custom (third-party) revocation. If custom (third-party) revocation is used, the public key of the revocation authority is included in the request.

  • Certificate Public Key. The public key of the server licensor certificate. This public key is generated on the RMS server and is sent to the Microsoft Enrollment Service for obtaining the server licensor certificate.

  • SKU. The official RMS SKU title.

  • Version. The RMS assembly version number.

  • URL. The RMS root cluster URL.

When the Microsoft Enrollment Service provides a response to the enrollment request, it returns the following information to the RMS server in XML format:

  • Server Licensor Certificate.

  • Certificate chain of signing authorities.

The same information is transferred whether the RMS root cluster is enrolled by using the online or offline method. No additional information is gathered when either method is used.

If you are using the offline enrollment process, a few considerations should be made:

  • If the computer submitting the enrollment request has the Internet Explorer Enhanced Security Configuration enabled, make sure to add the URL of the Enrollment Service Web site to the Trusted Sites zone to allow the download of the server licensor certificate. This URL is https://go.microsoft.com/fwlink/?LinkId=25828.

  • Make sure that the computer you use to submit the enrollment request to the Microsoft Enrollment Service has the latest root certificate updates installed. The SSL certificate of the Microsoft Enrollment Service chains to the GTE CyberTrust Root CA, which is trusted by default on all computers running Windows Server 2003. If that root is missing from the Trusted Root Certification Authorities store, or has expired, the HTTPS connection to the Enrollment Service fails and the server licensor certificate cannot be downloaded.

  • Make sure that RMS clients do not attempt to connect to the RMS server for licenses until enrollment has completed. If clients connect to an RMS server that has not been enrolled, the RMS Web services enter an error condition that renders them unusable. If you cannot prevent clients from connecting before enrollment is complete, reset IIS on the RMS server (for example, by running iisreset) after the server licensor certificate has been imported, to clear any error conditions that may have been created.
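The first two offline-enrollment considerations can be checked on the submitting computer before the exported request is carried over. The following script is an added example and is not part of the original RMS documentation or of the RMS product; it assumes Windows PowerShell is installed on the computer used to submit the request, and it reads the Internet Explorer zone map and the machine certificate store that the considerations above refer to. The host name go.microsoft.com is taken from the Enrollment Service link in the text; because an fwlink is a redirect, the site it resolves to may need the same Trusted Sites mapping if it is on a different host. The IIS reset in the third consideration is a separate step performed on the RMS server itself and is not covered here.

```powershell
# Added pre-flight check for the computer used to submit an offline enrollment
# request (example script, not part of the original RMS documentation).
# Assumes Windows PowerShell is available on that computer.

# Host of the Enrollment Service link given in the documentation.
$EnrollmentHost  = 'go.microsoft.com'   # from https://go.microsoft.com/fwlink/?LinkId=25828
$TrustedSitesZone = 2                   # Internet Explorer zone ID for "Trusted Sites"

function Test-TrustedSiteMapping {
    param([Parameter(Mandatory = $true)][string]$HostName)

    # IE keeps per-site zone assignments under ZoneMap\Domains\<domain>\<subdomain>,
    # with a DWORD named after the scheme ('https', 'http' or '*') holding the zone ID.
    # When Enhanced Security Configuration is enabled, ZoneMap\EscDomains is used
    # instead, so both keys are inspected here.
    $labels = $HostName.Split('.')
    $domain = $labels[-2..-1] -join '.'
    $sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }

    foreach ($map in 'Domains', 'EscDomains') {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$map\$domain"
        if ($sub) { $key = "$key\$sub" }
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $values = Get-ItemProperty -LiteralPath $key
        foreach ($scheme in 'https', '*') {
            $prop = $values.PSObject.Properties[$scheme]
            if ($prop -and $prop.Value -eq $TrustedSitesZone) { return $true }
        }
    }
    return $false
}

function Test-EnrollmentRootCA {
    # The Enrollment Service SSL certificate chains to the GTE CyberTrust root, so
    # that root must be present and still valid in the machine's Trusted Root
    # Certification Authorities store for the HTTPS download to succeed.
    $now   = Get-Date
    $roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*GTE CyberTrust*' -and $_.NotAfter -gt $now })
    return ($roots.Count -gt 0)
}

$ready = $true
if (-not (Test-TrustedSiteMapping -HostName $EnrollmentHost)) {
    Write-Warning "$EnrollmentHost is not mapped to the Trusted Sites zone; add it in Internet Options before submitting the request."
    $ready = $false
}
if (-not (Test-EnrollmentRootCA)) {
    Write-Warning "No valid GTE CyberTrust root found in Trusted Root Certification Authorities; install the latest root certificate update."
    $ready = $false
}
if ($ready) {
    Write-Output 'Workstation checks passed; the exported enrollment request can be submitted.'
}
```

Run the script as the user who will open the Enrollment Service Web site, since the zone map lives under HKEY_CURRENT_USER and a mapping added by a different account is not visible to that user. The certificate check deliberately requires the root to be within its validity period: a present but expired root fails chain validation just as a missing one does.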