Planning a Distributed RMS Topology

Updated: November 16, 2006

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In some circumstances, you may need to deploy one or more licensing-only servers that are not members of the root cluster. You typically do this to support departments that require direct control over issuing both publishing and use licenses, such as a legal department with security requirements that necessitate departmental-level control. The root cluster provides the account certification service for the licensing servers. The combination of a root certification cluster and one or more licensing-only cluster is called a distributed topology.

Similar to the root certification cluster, the licensing-only cluster uses its own load-balancing service. Each licensing-only cluster uses a separate SQL Server instance to provide the configuration and logging databases for that particular cluster.

Although you can set up the RMS installation to run only the certification services from the root cluster, as well as run the entire licensing service from one or more licensing-only clusters, this is not the typical configuration. Generally, you would increase the number of physical servers that are in the root cluster to meet performance and redundancy requirements instead of deploying separate licensing-only clusters (unless you need departmental support for licensing). The following diagram illustrates this deployment.

Distributed topology

Building a distributed topology can increase administrative costs to your organization because a distributed topology is inherently more complex. If your organization has multiple licensing-only clusters and multiple forests, you may need to perform registry overrides on the RMS client computers to ensure that they make their licensing requests from the correct RMS server. Additionally, trust issues can occur across domains. This requires you to further configure your domains to enable the consumption of RMS-protected content.

Service Connection Points in a Distributed Topology

When you provision an RMS server, a cluster URL is added to the Active Directory forest in a service connection point (SCP). There is an SCP for the root cluster and for each licensing-only cluster that is provisioned in the forest. The SCP must be registered for the root cluster before you provision a licensing-only cluster. When you provision the licensing-only cluster, the subenrollment process uses that URL to find the root cluster on your network and obtain a server licensor certificate.

If you deploy a root cluster with multiple RMS servers, each server in the cluster must be able to be virtually addressed behind a shared URL.

There are a number of implementations of virtual addressing, such as round-robin DNS, the Network Load Balancing service, hardware solutions, and so on. Virtual addressing provides load balancing across the servers and also removes the dependency on any one server for licensing and publishing.

RMS uses the shared URL for its license-acquisition URL, as well as for the published value that client computers use when looking up their RMS cluster via the SCP in Active Directory or in the client computer's registry. No end-user computer requires direct access to any single server in a cluster.

Community Additions