Event ID 148 — AD RMS Decommissioning

Applies To: Windows Server 2008 R2

Decommissioning in Active Directory Rights Management Services (AD RMS) is the process in which rights-protected content receives a key to automatically decrypt it. Decommissioning is used when an organization must retire an AD RMS cluster. Servers in the AD RMS cluster should remain in decommissioning mode and available on the network until all rights-protected content has been decrypted. While the AD RMS cluster is in decommissioning mode, no new content can be published as rights-protected.

Event Details

Product: Windows Operating System
ID: 148
Source: Active Directory Rights Management Services
Version: 6.1
Symbolic Name: ClusterNotDecommissionedEvent
Message: A decommission request was received but Active Directory Rights Management Services (AD RMS) is not in a decommissioned state and cannot honor the request. Restrict access to the AD RMS decommissioning pipeline.

Resolve

Remove domain users from the access control list on the decommissioning pipeline

If AD RMS receives a decommissioning request and the AD RMS cluster is not in decommissioning mode, an error will be generated. To resolve this issue, you should restrict access to the decommissioning pipeline until you need to decommission the cluster.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To remove domain users from the access control list on the decommissioning pipeline:

  1. Log on to a server in the AD RMS cluster.
  2. Click Start, and then click Computer.
  3. Navigate to the IIS home directory. By default, the path to this directory is %systemdrive%:\inetpub\wwwroot where %systemdrive% is the partition on which Windows is installed.
  4. Double-click _wmcs.
  5. Double-click decommission.
  6. Right-click decommission.asmx, and then click Properties.
  7. Click the Security tab.
  8. Click Advanced, and then click Edit.
  9. Clear the Include inheritable permissions from this object's parent check box, and then click OK.
  10. Click Copy, and then click OK two times.
  11. Click Edit.
  12. Click Users, and then click Remove.
  13. Click OK.
  14. Repeat steps 1 - 13 for all servers in the AD RMS cluster.
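
The file-permission change in steps 3 - 13 can also be scripted. The following PowerShell is an added example, not part of the original procedure. It assumes the default IIS home directory and that "Users" in step 12 is the built-in Users group (well-known SID S-1-5-32-545). Run it from an elevated prompt on each server in the cluster.

```powershell
# Added example: scripted equivalent of steps 3 - 13 for one AD RMS server.
# Assumption: default IIS home directory; change $asmx if IIS content was relocated.
$asmx = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\decommission\decommission.asmx'
if (-not (Test-Path -Path $asmx)) { throw "Not found: $asmx" }

# Assumption: "Users" in step 12 is BUILTIN\Users. The SID is used instead of
# the name so the script also works on localized installations.
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# Steps 9 - 10: stop inheriting from the parent folder, copying the inherited
# entries onto the file as explicit entries (isProtected, preserveInheritance).
$acl = Get-Acl -Path $asmx
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $asmx -AclObject $acl

# Steps 11 - 12: re-read the ACL so the copied entries are seen as explicit,
# then remove every access rule that names the Users group.
$acl = Get-Acl -Path $asmx
$acl.PurgeAccessRules($users)
Set-Acl -Path $asmx -AclObject $acl

# Audit: list what is left and fail loudly if Users or inheritance survived.
$after = Get-Acl -Path $asmx
$rules = $after.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$stale = @($rules | Where-Object { $_.IdentityReference.Value -eq $users.Value })

$after.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

if ($stale.Count -gt 0 -or -not $after.AreAccessRulesProtected) {
    throw "decommission.asmx is still reachable through Users or inherited permissions."
}
Write-Output "OK: Users removed and inheritance disabled on $asmx"
```

The ACL is written twice on purpose: inherited entries only become explicit, and therefore removable, once the protected ACL has been saved to the file.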

Verify

To confirm that the AD RMS decommissioning pipeline is restricted, open the decommissioning pipeline in a Web browser by using the following procedure.

To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.

To check that the AD RMS decommissioning pipeline is restricted:

  1. Log on to an AD RMS-enabled client.
  2. Click Start, point to All Programs, and then click Internet Explorer.
  3. In the address bar, type http(s)://adrms_cluster_url/_wmcs/decommission/decommission.asmx, where adrms_cluster_url is the name of the AD RMS cluster, and then press ENTER.
  4. If the decommissioning pipeline is restricted, an error will appear on the Web page.
