Step 1: Decommission AD RMS Root Cluster

Updated: March 12, 2008

Applies To: Windows Server 2008, Windows Server 2008 R2

Decommissioning refers to the entire process of removing the AD RMS cluster and its associated databases from an organization. This process allows you to save rights-protected files as ordinary files before you remove AD RMS from your infrastructure so that you do not lose access to these files.

Decommissioning an AD RMS cluster is achieved by doing the following:

  • Enable the decommissioning service.

  • Modify permissions on the decommissioning pipeline.

  • Configure the AD RMS-enabled application to use the decommissioning pipeline.

The decommissioning service disables all other AD RMS services in the cluster. When the decommissioning service is enabled, AD RMS clients can request only a key to decrypt rights-protected content. The decommissioning service is enabled by using the Active Directory Rights Management Services console.

  1. Log on to ADRMS-SRV as cpandl\adrmsadmin.

  2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Expand the AD RMS cluster, expand Security Policies, and then click Decommissioning.

  5. In the Actions pane, click Enable Decommissioning.

  6. Click Decommission.

    Once decommissioning has been enabled on the AD RMS cluster, it cannot be reversed.

  7. Click Yes, confirming that you want to decommission the AD RMS cluster.

After the decommissioning service is enabled on the AD RMS cluster, you must modify the permissions on the decommissioning pipeline so that AD RMS users can connect to it. By default, only the local SYSTEM account has access to the pipeline. You should give the AD RMS Service Group the Read & execute permission on the decommission folder. Then, on the decommission.asmx file, you should give Everyone the Read & execute permission. The decommission pipeline is located in the %systemroot%\inetpub\wwwroot\_wmcs folder, where %systemroot% is the volume on which Windows Server 2008 is installed.

  1. Log on to ADRMS-SRV as cpandl\administrator.

  2. Click Start, type %systemdrive%\inetpub\wwwroot\_wmcs in the Start Search box, and then press ENTER.

  3. Right-click the decommission folder, and then click Properties.

  4. Click the Security tab, click Edit, and then click Add.

  5. In the Select Users, Computers, or Groups box, type ADRMS-SRV\AD RMS Service Group, and then click OK.

  6. Click OK twice to close the decommission properties.

  7. Double-click the decommission folder, right-click decommission.asmx, and then click Properties.

  8. Click the Security tab, click Edit, and then click Add.

  9. In the Select Users, Computers, or Groups box, type Everyone, and then click OK. In the Windows Security dialog box, enter the name and password of the cpandl\administrator account.

  10. Click OK twice to close the properties sheet.
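The same permission changes can be applied from an elevated PowerShell prompt on ADRMS-SRV instead of through the Explorer Security tab. The following is an added example written for this page, not part of the original procedure or of AD RMS itself; it assumes the %systemdrive%\inetpub\wwwroot\_wmcs path and the ADRMS-SRV\AD RMS Service Group name used in the steps above, and the Grant-ReadExecute and Test-ReadExecute function names are the example's own.

```powershell
# Added example: grant the decommissioning pipeline the permissions the
# procedure describes, then read the ACLs back to confirm them.
# Run as cpandl\administrator in an elevated session (writing these ACLs
# needs the same rights as the Windows Security prompt in step 9).
$pipelineRoot       = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs'
$decommissionFolder = Join-Path $pipelineRoot 'decommission'
$decommissionPage   = Join-Path $decommissionFolder 'decommission.asmx'

function Grant-ReadExecute {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [switch]$Inherit   # propagate to child files/folders (folder only)
    )
    $acl = Get-Acl -Path $Path
    $inheritance = if ($Inherit) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    # 'ReadAndExecute' is what the Explorer "Read & execute" check box grants.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'ReadAndExecute', $inheritance, 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ReadExecute {
    # Returns $true when an Allow entry for $Identity on $Path includes
    # ReadAndExecute, so you can verify the change rather than assume it.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    $entries = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadAndExecute) -eq
            [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    }
    return [bool]$entries
}

# Steps 3-6: the AD RMS Service Group on the decommission folder.
Grant-ReadExecute -Path $decommissionFolder -Identity 'ADRMS-SRV\AD RMS Service Group' -Inherit
# Steps 7-10: Everyone on decommission.asmx only. This is deliberately broad:
# in decommissioning mode every user is meant to reach the pipeline.
Grant-ReadExecute -Path $decommissionPage -Identity 'Everyone'

# Confirm both entries landed before pointing clients at the pipeline.
Test-ReadExecute -Path $decommissionFolder -Identity 'ADRMS-SRV\AD RMS Service Group'
Test-ReadExecute -Path $decommissionPage   -Identity 'Everyone'
```

The Everyone entry is scoped to decommission.asmx alone, matching the procedure; the rest of the _wmcs tree keeps its existing ACLs. If Test-ReadExecute returns $false for either path, check the ACL with Get-Acl before continuing, because clients will fail to obtain content keys until the pipeline is reachable.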

When the AD RMS cluster is operating in decommissioning mode, all users, whether or not they had rights to the original rights-protected content, can obtain a content key and gain full rights to the content.

Once the AD RMS cluster is in decommissioning mode, you must configure the AD RMS-enabled applications to obtain a content key from the decommissioning service and permanently decrypt the rights-protected content. The AD RMS client itself has no part in the decommissioning process.

  1. Log on to ADRMS-CLNT as cpandl\nhollida.

  2. Click Start, type regedit in the Start Search box, and then press ENTER.

    Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

  3. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM.

  4. Right-click DRM, point to New, and then click Key.

  5. Type Decommission as the name for the registry key, and then press ENTER.

  6. Right-click Decommission, point to New, and then click String Value.

  7. Type, and then press ENTER.

  8. Double-click the registry entry.

  9. In the Value data box, type, and then click OK.

  10. Close Registry Editor.

  11. Repeat steps 1-10 for Stuart Railson and Limor Henig.
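The registry change in steps 2-10 can be scripted per user so that it is repeated consistently for each account in step 11. The following is an added example written for this page, not part of the original procedure or of the AD RMS client; it assumes the HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM key from step 3, and because the page does not give the string value's name or data, both are placeholders that you must replace with the values from your deployment. The Set-DrmDecommissionEntry function name is the example's own.

```powershell
# Added example: create the per-user Office 2007 DRM Decommission key and its
# string value. Run it in the session of each user who needs the change
# (HKCU is per user, so step 11 means one run per account, not one run total).
$drmKey          = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$decommissionKey = Join-Path $drmKey 'Decommission'

function Set-DrmDecommissionEntry {
    param(
        [Parameter(Mandatory)][string]$ValueName,   # PLACEHOLDER: value name from the procedure
        [Parameter(Mandatory)][string]$ValueData    # PLACEHOLDER: value data from the procedure
    )
    # Step 3 assumes the DRM key already exists; fail loudly rather than
    # silently creating an Office tree the client has never used.
    if (-not (Test-Path -Path $drmKey)) {
        throw "Office DRM key not found: $drmKey (is Office 2007 installed for this user?)"
    }
    # Steps 4-5: create the Decommission key if it is not already there.
    if (-not (Test-Path -Path $decommissionKey)) {
        New-Item -Path $decommissionKey | Out-Null
    }
    # Steps 6-9: create (or overwrite) the REG_SZ value.
    New-ItemProperty -Path $decommissionKey -Name $ValueName -Value $ValueData `
        -PropertyType String -Force | Out-Null
    # Read the value back so the caller sees exactly what was written.
    return (Get-ItemProperty -Path $decommissionKey -Name $ValueName).$ValueName
}

# Replace both placeholders with the values from your AD RMS deployment.
Set-DrmDecommissionEntry -ValueName '<value name from procedure>' `
                         -ValueData '<value data from procedure>'
```

Running this as cpandl\nhollida, then separately as Stuart Railson and Limor Henig, reproduces steps 1-11 without opening Registry Editor; the returned string should match the data you passed in, which is the same check as reopening the entry in step 9.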
