Migrating a Pilot RMS Deployment to a Production Deployment

Updated: June 1, 2008

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Many organizations elect to deploy RMS in a pilot deployment before implementing the technology throughout the organization. The pilot program normally has a limited number of users and the servers may be maintained locally by a dedicated administrator instead of being part of a data center that is maintained by an IT group. When the organization implements RMS in the data center for all clients after the pilot is complete, new RMS root clusters are deployed to support the larger number of possible users.

However, RMS-protected content is tied to the RMS root cluster that was used to create it, so if a server is removed or replaced, steps must be taken so that content that was encrypted using the pilot RMS root cluster can be decrypted and licensed using the production RMS servers.

If you have deployed RMS as a pilot program and want to move the RMS root cluster into the production environment of your organization while maintaining the integrity of content that was protected by using the pilot RMS root cluster, you should create a migration plan that will ensure a smooth transition and provide the ability to roll back to the pilot program if necessary to recover data.

The following steps are provided as an example of some of the items that your migration plan should include; your deployment may have additional requirements.


Server Step Notes


Back up the RMS configuration database.

This allows you to restore the pilot server if necessary.

The configuration database includes the RMS private key.

Make sure you know the private key password.


If you used a Hardware Security Module (HSM) to protect the RMS private key, back up the configuration of the HSM as directed by its manufacturer.

You will be restoring the HSM on the new servers in cluster.

Make sure that you have all of the necessary components to install and configure the HSM available.


Export the Trusted Publishing Domain file.

This allows another RMS cluster to decrypt publishing licenses created by this cluster and issue use licenses to the protected content.

The trusted publishing domain includes the server licensor certificate, the RMS private key, and any rights policy templates that this cluster has established.

The trusted publishing domain file is an XML file that is encrypted by a strong password that you specify when you create the file. You must also have this password to import the trusted publishing domain file.


Export Trusted User Domain.

This allows another RMS cluster to grant use licenses to users whose rights account certificates (RACs) were granted by the pilot RMS server.

The trusted user domain is established by importing the server licensor certificate of this cluster into the other RMS cluster.


Prepare the new server to be the root cluster.

Make sure that it can access the database server, and that IIS and Message Queuing are installed.

If possible, use the same server name for this server.


If you use an HSM install the HSM and restore its configuration from the backup you created on the pilot server.

Establishes the credentials required to decrypt the RMS private key.


Install RMS.

RMS will verify that all of the prerequisite services are installed and configured correctly.


Provision RMS using a new private key. If you are using online enrollment, your cluster will be enrolled during the provisioning process by using the Internet to connect to the Microsoft Enrollment Service. If you do not have an Internet connection from this server, you need to use offline enrollment.

If this server name is different than the pilot server name, you can modify the cluster URL to be the same URL as the pilot server.

If you do not, you will need to set up an URL redirection from the previous cluster URL to the new cluster URL to enable users with pre-existing content to get use licenses.


If you are using offline enrollment, complete the manual enrollment process for the new RMS root cluster. For more information, see “To Manually Enroll a Root Cluster” in “RMS: Operations” in this documentation collection.

The RMS root cluster cannot be used until it has been enrolled.

Also, the RMS administration pages cannot be accessed until the server has been enrolled.


Import the trusted publishing domain file that you exported in step 3.

The RMS service account must have read permissions to the location where the file is stored to successfully import the file.


Re-sign each template that was imported with the trusted publishing domain.

The templates are signed with the server private key. Because this cluster has a new private key the templates must be re-signed to be valid. For more information, see “To Re-sign a Rights Policy Template” in “RMS: Operations” in this documentation collection.


Redistribute the templates to the client computers that took part in the pilot.

The old templates need to be removed and replaced with the templates signed by this cluster.


Import the trusted user domain file that you exported in step 4.

Enables old client licensor certificates and RACs to be used.

If user accounts are being moved between forests as part of this migration, note that the accounts must have matching SMTP proxies.

Once you have completed setting up the production server, verify that pilot users can still create and read previously protected mail. You can then add as many RMS servers to the root cluster as you need to support the number of users in your organization.