First Server in Root Cluster Enrollment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Enrollment with the Microsoft Enrollment Service is required for the first server in an RMS deployment. This server, which creates the root cluster, can be enrolled automatically during provisioning if it has an Internet connection, or it can be enrolled manually if it is part of a closed network. For more information about manual server enrollment, see "To Manually Enroll the First Server in a Root Cluster" in "RMS: Operations" in this documentation collection.

The enrollment request takes the following input parameters:

  • A 1024-bit public key. This public key is the RMS public key.

  • The version, name, and URL of the RMS root cluster to be enrolled.

The Microsoft Enrollment Service uses the information only to create the server licensor certificate, and stores the information only for revocation purposes.

The Microsoft Enrollment Service returns a certificate chain that contains the licensor certificate chain of the enrollment server, as well as a certificate that is signed by the enrollment server. The certificate contains the server public key, signed with the enrollment private key, and the version and URL of the enrolled server. The certificate grants the root cluster the right to issue server licensor certificates to servers in licensing-only clusters, as well as to issue rights account certificates, client licensor certificates, publishing licenses, and use licenses.

The server licensor certificate is valid for one year. The validity period begins when the certificate is issued. At the end of the validity period, the certificate can be renewed. Certificates and licenses that are issued by the server are valid for seven years. The validity period begins when the certificate or license is issued.

Information about revoking the certificate is added to the server licensor certificate as specified in the enrollment request. The Microsoft Enrollment Service public key is added to the certificate as a revoking key. In addition, if a third-party revocation key is specified, it is also added to the certificate as a revoking key.