RMS FAQ: Deployment

Updated: November 22, 2006

Applies To: Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

RMS Deployment FAQ

If the security principals used for RMS are global address list (GAL) members, is there any dependency on the version of Exchange?

RMS depends on Active Directory but not Exchange. However, Exchange 5.5 maintains its own directory and does not use Active Directory. Ensure that all of the user and group objects in Active Directory have a valid e-mail attribute that includes the fully qualified domain name. This is done automatically if you are using Exchange 2000 or later.

What role does SQL Server have in RMS?

RMS uses a database to store all service configuration data, information about principals in the system, all logging data, and to cache lookups during Active Directory and distribution list expansion. RMS has been fully tested with SQL Server 2000 and SQL Server 2005.

Does a user’s computer have to be joined to the same domain as the RMS server to use RMS?

The user’s computer does not have to be a member of the same domain as the RMS cluster, but the computer needs to be able to find the RMS cluster. The easiest way for client computers to find the RMS cluster is by using an Active Directory lookup through the service connection point (SCP). However, registry settings on the client can also be set to locate the RMS cluster without using an Active Directory lookup. The exact registry settings depend on the RMS-enabled application.

If a customer wishes to put the RMS server in a perimeter network, which ports must be open on the Internet-facing firewall and the intranet-facing firewall to communicate with RMS?

The internal users will need access to the RMS servers that issue rights account certificates (RACs) and use licenses. The RMS server listens by default on HTTP (TCP port 80) or HTTPS (TCP port 443), depending on whether your server is configured to use SSL, so these ports need to be open on the Internet-facing firewall. You will need to open up additional ports used by member servers in a domain on the Intranet-facing firewall.

How are subordinate servers in a licensing-only cluster enrolled and do I need to do anything to the clients to make them aware of this cluster?

When the first RMS server in the root cluster is created in an enterprise, it receives a server licensor certificate from the Microsoft Enrollment Service. When another RMS server is installed and provisioned, you can join it to the root cluster or enroll it as a server in a subordinate licensing-only cluster. If you choose to enroll it as a server in a subordinate licensing-only cluster, it sends an enrollment request to the RMS root cluster. RMS-enabled applications specify where a client application looks for the licensing-only cluster. Office 2003 is an example of an RMS-enabled application that, by default, looks to the root cluster. This behavior can be overridden with registry settings so that the application looks for the new subordinate licensing-only cluster.

What is the benefit of using a subordinate licensing-only cluster?

One benefit is to isolate different departments within an organization. If a trusted publishing domain between RMS clusters is not established, content can only be consumed by users that have access to a given licensing server. In this way, a legal department could exclude all others from reading its RMS-protected e-mail. Additionally, several options can be set per licensing-only cluster, such as rights templates, logging, membership in the super users group, and exclusion policies.

What do I need to do to completely roll back an RMS installation?

To roll back an RMS installation cleanly, perform the following procedure.

To roll back an RMS installation

  1. Remove the service connection point (SCP) for your RMS cluster by using the RMS administration Web site.

  2. From the Global Administration page, click Remove RMS from this Web site to unprovision RMS on the server. You should first unprovision any subenrolled servers in licensing-only clusters and then unprovision the root cluster servers.

  3. In Control Panel, click Add or Remove Programs and remove Rights Management Services.

  4. On your database server, remove any remaining RMS databases.

  5. Remove the RMS service account from the list of authorized logons on your database servers and then remove the account from Active Directory itself.

  6. If the RMS clients are running Windows XP or Windows 2000, remove the RMS client from the client computers.

Once this procedure has been completed, you can no longer open rights-protected content. If RMS was used to protect any valuable data, decommission RMS first, before rolling back the installation.

After I have uninstalled the RMS client by using Add or Remove Programs, do I need to remove any other files?

Although it is not necessary, you can delete the lockbox from %systemroot%\system32.

Does RMS work with the FAT file system?

Yes, RMS does work on a computer that uses FAT, although the NTFS file system is recommended.

What is the typical hardware configuration recommended for the database server used by RMS?

The logging database will grow quickly, especially in environments where RMS is heavily used. If you are considering using SQL Server for your database server, you should consider using SQL Server 2000 Enterprise Edition or SQL Server 2005 Enterprise Edition on Windows 2000 Advanced Server or Windows Server 2003, Enterprise Edition, configured in a cluster in an active-standby configuration. In this case, the recommended configurations are RAID-1 log disks and RAID-5 data disks and at least 512 MB of RAM. The minimum recommended CPU for this configuration is a Pentium III running at 1.4 GHz. On dedicated database servers, multiple CPUs are not required.

How does RMS usage of the global catalog for group expansion affect global catalog server performance?

The RMS server caches group expansion lists, so this should not place a large load on the global catalog server. Frequent updates to group membership increase reliance on the global catalog server, although the time-out after which new group listings are acquired is configurable through the registry. Frequent expansion of large groups will degrade performance. For more information, see "Changing Active Directory Cache Settings" in "RMS: Operations" in this documentation collection.

Does RMS require any schema changes in Active Directory?

For RMS to successfully expand the group membership that is specified in the publishing license across forest boundaries, a contact object must exist in the local Active Directory forest that represents the group that is in the remote forest. RMS can query the attributes of the contact object and discover that this object represents a group that is in a different forest.

For RMS to do this, Active Directory requires the Exchange Server 2003 or later schema attribute msExchOriginatingForest. This attribute is added to the Active Directory schema by default if you have at least one server running Exchange Server 2003 in the forest. The attribute must be present in the schema of every Active Directory forest that will participate in RMS. If you are not using Exchange Server 2003, you can install the schema extension separately into your Active Directory structure by using the RMS Administration Toolkit.

Will the service connection point (SCP) be automatically replicated between the different domain controllers in the domain where the RMS server is installed?

After the first RMS server in a forest is provisioned, it must be registered in Active Directory by using a domain account that has sufficient permissions to create a container object below the Services container in the Configuration container in Active Directory. A member of the Enterprise Admins built-in security group is an example of an account with the required permissions. This registration creates the SCP. Because the SCP is in the Services container, Active Directory replicates it to all domain controllers in the forest.
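As an added illustration (not part of the original FAQ), the following Windows PowerShell script checks three of the directory prerequisites described above: that every user and group object carries a mail attribute in FQDN form, that the msExchOriginatingForest schema attribute is present, and that an RMS SCP exists under the Services container. It assumes a domain-joined computer with read access to the schema, Configuration and domain partitions; matching the SCP on the "_wmcs" path (the RMS virtual directory name) is an assumption not stated on this page.

```powershell
# Added deployment pre-check script; not code from the RMS documentation.
# Assumes: domain-joined computer, Windows PowerShell 2.0 or later, and read access
# to the schema, Configuration and domain naming contexts.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$configNC = [string]$rootDse.configurationNamingContext
$domainNC = [string]$rootDse.defaultNamingContext

# Paged LDAP search helper so forests with more than 1000 matching objects are covered.
function Find-LdapObjects {
    param([string]$RootDn, [string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$RootDn"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindAll()
}
# 1. Cross-forest group expansion needs the Exchange Server 2003 schema attribute.
$attr = Find-LdapObjects -RootDn $schemaNC `
    -Filter "(&(objectClass=attributeSchema)(lDAPDisplayName=msExchOriginatingForest))" `
    -Properties @("distinguishedName")
if ($attr.Count -eq 0) {
    Write-Warning "msExchOriginatingForest is not in the schema; extend it with Exchange Server 2003 or the RMS Administration Toolkit."
} else {
    Write-Host "Schema attribute msExchOriginatingForest: present"
}
# 2. The SCP sits under CN=Services in the Configuration partition and replicates
#    forest-wide. Matching on '_wmcs' (the RMS virtual directory) is an assumption.
$scp = Find-LdapObjects -RootDn "CN=Services,$configNC" `
    -Filter "(&(objectClass=serviceConnectionPoint)(serviceBindingInformation=*_wmcs*))" `
    -Properties @("distinguishedName", "serviceBindingInformation")
if ($scp.Count -eq 0) { Write-Warning "No RMS SCP found; clients would need per-application registry settings to locate the cluster." }
foreach ($r in $scp) {
    Write-Host ("SCP {0} -> {1}" -f $r.Properties["distinguishedname"][0], $r.Properties["servicebindinginformation"][0])
}
# 3. Every user and group object needs a mail attribute that includes the FQDN.
$principals = Find-LdapObjects -RootDn $domainNC `
    -Filter "(|(&(objectCategory=person)(objectClass=user))(objectCategory=group))" `
    -Properties @("distinguishedName", "mail")
$noMail = foreach ($r in $principals) {
    $vals = $r.Properties["mail"]
    $mail = if ($vals.Count -gt 0) { [string]$vals[0] } else { "" }   # absent attribute -> empty
    if ($mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { [string]$r.Properties["distinguishedname"][0] }
}
Write-Host ("Principals without a usable mail attribute: {0}" -f @($noMail).Count)
$noMail | ForEach-Object { Write-Host "  $_" }
```

Built-in groups and service accounts that never appear in a publishing license will be listed too, so review the output rather than mail-enabling everything it reports.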

If users do not have administrative rights on their machines, how can the RMS client be installed and configured?

The RMS client is a Windows Installer file and can be distributed by using a software distribution infrastructure such as Systems Management Server 2003. It is also possible to distribute the RMS client by using a Group Policy object (GPO) that uses a service account with administrative rights. If the client computer is running Windows Vista, a separate RMS client installation is no longer required because the client is integrated into the operating system.

What is the scalability of RMS?

RMS is a stateless Web service and can be clustered and load balanced like any other Web site or service. RMS performance mostly depends on processor availability, so adding processors can improve performance.

Does RMS support hardware security modules (HSMs) to secure the RMS keys in hardware?

Yes, RMS works with CAPI-compliant HSMs such as the nCipher HSM.
