Event ID 11 — AD RMS Cluster Configuration

Applies To: Windows Server 2008 R2

Servers in an Active Directory Rights Management Services (AD RMS) cluster are configured to both send and receive requests from AD RMS clients, other servers in the AD RMS cluster, and the AD RMS databases.

Event Details

Product: Windows Operating System
ID: 11
Source: Active Directory Rights Management Services
Version: 6.1
Symbolic Name: ConfigurationErrorEvent
Message: An error occurred when the AD RMS cluster attempted to retrieve data from the configuration database or this computer's configuration storage.

Parameter Reference
Context: %1
RequestId: %2
%3
%4

Resolve

Fix AD RMS error conditions

To determine how to fix this error condition, examine the exception errors reported in the event message text. The additional details are displayed as exception errors.

The event message can report the following exceptions:

  • ConfigSourcePolicyNameNotUniqueException
  • ConfigSourceMissingLicensorCertificateException
  • ConfigSourceConnectionStringNotFoundException
  • ConfigureSourceTrustedAuthorityDataIntegrityException
  • InvalidPrivateKeyPasswordException
  • BadPrivateKeyDataException
  • InvalidDatabaseConfigurationStringException
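
The following PowerShell sketch is an added example, not Microsoft's code. It finds which of the seven exception names an Event ID 11 message reports and pairs it with the matching procedure on this page. The function names and the sample message are constructed for illustration, and the `Application` log name is an assumption; the provider name is the Source value listed above.

```powershell
# Added example (not Microsoft's code): triage AD RMS Event ID 11 messages by
# the exception name they report. Actions summarise the procedures on this page.
$RmsExceptions = @{
    'ConfigSourcePolicyNameNotUniqueException'              = 'Delete the duplicate policy name from drms_clusterpolicies'
    'ConfigSourceMissingLicensorCertificateException'       = 'Restore the configuration database from a previous backup'
    'ConfigSourceConnectionStringNotFoundException'         = 'Correct ConfigDatabaseConnectionString in the registry'
    'ConfigureSourceTrustedAuthorityDataIntegrityException' = 'Verify drms_TrustedCertificateAuthorities has a valid entry'
    'InvalidPrivateKeyPasswordException'                    = 'Re-enter the cluster key password on each server'
    'BadPrivateKeyDataException'                            = 'Confirm CSP compatibility; reinstall with a compatible CSP'
    'InvalidDatabaseConfigurationStringException'           = 'Correct ConfigDatabaseConnectionString in the registry'
}

function Get-RmsConfigException {
    param([string]$Message)
    # Whole-word match so a longer, unrelated type name is not misclassified.
    $found = @($RmsExceptions.Keys | Where-Object {
        $Message -match ('\b' + [regex]::Escape($_) + '\b') })
    # An event naming none of the seven exceptions needs a manual read.
    if ($found.Count -eq 0) { return 'Unrecognized' }
    $found | Sort-Object
}

function Get-RmsEvent11Triage {
    # Assumption: the events are written to the Application log.
    param([string]$LogName = 'Application', [int]$MaxEvents = 100)
    $filter = @{ LogName = $LogName; Id = 11
                 ProviderName = 'Active Directory Rights Management Services' }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            foreach ($name in Get-RmsConfigException $_.Message) {
                # Action is empty for 'Unrecognized' events.
                New-Object PSObject -Property @{
                    TimeCreated = $_.TimeCreated; Exception = $name
                    Action = $RmsExceptions[$name] }
            }
        }
}

# Constructed sample message text (not a real log entry), usable off-server.
$sample = "An error occurred when the AD RMS cluster attempted to retrieve data " +
          "from the configuration database or this computer's configuration storage. " +
          "Context: (constructed) ConfigSourceConnectionStringNotFoundException"
Get-RmsConfigException $sample

# On an AD RMS server:
# Get-RmsEvent11Triage | Group-Object Exception | Sort-Object Count -Descending
```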

ConfigSourcePolicyNameNotUniqueException

This exception indicates that there is a duplicate configuration policy name in the AD RMS configuration database. The name of each configuration policy stored in the AD RMS configuration database must be unique.

To perform this procedure, you must be a member of the local System Administrators database role, or you must have been delegated the appropriate authority.

To check if there is a duplicate configuration policy name in the AD RMS configuration database:

  1. Log on to the AD RMS configuration database server.
  2. Click Start, point to All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  3. In the Server name box, type the name of the AD RMS configuration database server, and then click Connect.
  4. Expand Databases, and then click the AD RMS configuration database. By default, the name of this database is DRMS_Config_clustername_portnumber, where clustername is the name of the AD RMS cluster and portnumber is the TCP port on which the AD RMS Web services listen for requests.
  5. Click New Query.
  6. Type select * from drms_clusterpolicies, and then click Execute.
  7. Determine the entry that is not correct and delete it.

ConfigSourceMissingLicensorCertificateException

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

This exception indicates that the server licensor certificate (SLC) for this AD RMS cluster cannot be found. To resolve this error, you must restore the AD RMS configuration database from a previous backup.

To restore the AD RMS configuration database from a previous backup:

  1. Log on to the AD RMS configuration database server, click Start, point to All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  2. In the Server name box, type the name of the AD RMS configuration database server, and then click Connect.
  3. Right-click Databases, and then click Restore Database.
  4. In the To database box, select the AD RMS configuration database from the list.
  5. Click the From device option, and then click the browse button.
  6. Click Add.
  7. In the Locate Backup File window, select the database backup file, and then click OK two times.
  8. Select the Restore check box, and then click OK.

ConfigSourceConnectionStringNotFoundException

This exception indicates that the database connection string for the AD RMS configuration database in the registry on a server in the AD RMS cluster does not exist or is incorrect.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To check the database connection string in the registry on a server in the AD RMS cluster:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. Log on to an AD RMS server in the cluster, and then click Start.
  2. In the Start Search box, type regedit, and then press ENTER.
  3. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS\2.0\ConnectionString.
  4. Right-click ConfigDatabaseConnectionString, and then click Modify.
  5. Change the data source to the name of the AD RMS configuration database server.
  6. Change the database to the name of the AD RMS configuration database. By default, the name of the AD RMS configuration database is DRMS_Config_clustername_portnumber where clustername is the name of the AD RMS cluster and portnumber is the TCP port number used for AD RMS communication.
  7. Click OK.

ConfigureSourceTrustedAuthorityDataIntegrityException

To perform this procedure, you must be a member of the local System Administrators database role, or you must have been delegated the appropriate authority.

To check if there is a valid trusted certification authority in the AD RMS configuration database:

  1. Log on to the AD RMS configuration database server.
  2. Click Start, point to All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  3. In the Server name box, type the name of the AD RMS configuration database server, and then click Connect.
  4. Expand Databases, and then click the AD RMS configuration database. By default, the name of this database is DRMS_Config_clustername_portnumber, where clustername is the name of the AD RMS cluster and portnumber is the TCP port on which the AD RMS Web services listen for requests.
  5. Click New Query.
  6. Type select * from drms_TrustedCertificateAuthorities, and then click Execute.
  7. Verify that a valid trusted certification authority exists with the associated GUID.

InvalidPrivateKeyPasswordException

This exception indicates that the AD RMS cluster key password is missing from the registry. The cluster key password is encrypted and stored in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS\2.0\KeyProtection.

To perform this procedure, you must be a member of the local AD RMS Enterprise Administrators group, or you must have been delegated the appropriate authority.

To restore the AD RMS signing key password:

  1. Log on to a server in the AD RMS cluster.
  2. Open the Active Directory Rights Management Services console, and then expand the AD RMS cluster.
  3. In the console tree, expand Security Policies, and then click Change cluster key password.
  4. In the Cluster Key Password wizard, type the password for the cluster key in the Password box.
  5. In the Confirm password box, type the password again.
  6. Click Apply to complete the password reset.
  7. Repeat steps 1 - 6 on each server in the AD RMS cluster.

Caution: The cluster key password must be set to the password used by the AD RMS cluster before the registry key was deleted.

BadPrivateKeyDataException

This exception indicates that the cryptographic service provider (CSP) cannot find the key container specified in the AD RMS configuration database. This exception could also occur when importing a trusted publishing domain that uses a CSP to protect the cluster key.

To make it possible for the CSP to find the key container:

  • Consult with the CSP manufacturer to verify that the CSP is compatible with AD RMS.
  • Reinstall the AD RMS cluster using a compatible CSP.

InvalidDatabaseConfigurationStringException

This exception indicates that the database connection string for the AD RMS configuration database in the registry on a server in the AD RMS cluster does not exist or is incorrect.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To check the database connection string in the registry on a server in the AD RMS cluster:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. Log on to an AD RMS server in the cluster, and then click Start.
  2. In the Start Search box, type regedit, and then press ENTER.
  3. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\DRMS\2.0\ConnectionString.
  4. Right-click ConfigDatabaseConnectionString, and then click Modify.
  5. Change the data source to the name of the AD RMS configuration database server.
  6. Change the database to the name of the AD RMS configuration database. By default, the name of the AD RMS configuration database is DRMS_Config_clustername_portnumber where clustername is the name of the AD RMS cluster and portnumber is the TCP port number used for AD RMS communication.
  7. Click OK.
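
The registry check described here and under ConfigSourceConnectionStringNotFoundException can be done read-only before anything is edited. The PowerShell below is an added example, not Microsoft's code; the function names and sample strings are constructed, and accepting `server` and `initial catalog` as synonyms for the two keys is an assumption about how the string may be written.

```powershell
# Added example (not Microsoft's code): read-only check of the AD RMS
# configuration database connection string. Nothing is written to the registry.
Add-Type -AssemblyName System.Data
$RegPath   = 'HKLM:\Software\Microsoft\DRMS\2.0\ConnectionString'   # key named on this page
$ValueName = 'ConfigDatabaseConnectionString'                        # value named on this page

function Get-RmsConnectionString {
    # Returns nothing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { $item.$ValueName }
}

function Test-RmsConnectionString {
    param([string]$ConnectionString)
    $r = New-Object PSObject -Property @{ DataSource = $null; Database = $null; Findings = @() }
    if ([string]::IsNullOrEmpty($ConnectionString.Trim())) {
        $r.Findings += 'Connection string is missing or empty.'
        return $r
    }
    $b = New-Object System.Data.Common.DbConnectionStringBuilder
    # set_ConnectionString avoids PowerShell treating the property as a dictionary key.
    try { $b.set_ConnectionString($ConnectionString) }
    catch {
        $r.Findings += "Connection string cannot be parsed: $($_.Exception.Message)"
        return $r
    }
    # Assumption: 'server' / 'initial catalog' may appear instead of the page's key names.
    foreach ($k in 'data source', 'server') {
        if ($b.ContainsKey($k)) { $r.DataSource = [string]$b[$k]; break }
    }
    foreach ($k in 'database', 'initial catalog') {
        if ($b.ContainsKey($k)) { $r.Database = [string]$b[$k]; break }
    }
    if ([string]::IsNullOrEmpty($r.DataSource)) { $r.Findings += 'No data source (database server) is set.' }
    if ([string]::IsNullOrEmpty($r.Database)) {
        $r.Findings += 'No database name is set.'
    } elseif ($r.Database -notmatch '^DRMS_Config_.+_\d+$') {
        # The default form is DRMS_Config_clustername_portnumber; other names may be valid.
        $r.Findings += 'Database name differs from the default form; confirm it is intentional.'
    }
    $r
}

# Constructed sample values so the check can be exercised off-server.
Test-RmsConnectionString 'data source=SQL01;database=DRMS_Config_rms_example_com_443'
Test-RmsConnectionString 'database=DRMS_Config'
# On an AD RMS server, check the live value:
# Test-RmsConnectionString (Get-RmsConnectionString)
```

An empty Findings list means both values are present and the database name follows the default form; it does not confirm that the named server or database is reachable.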

Verify

To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.

Note: Microsoft Office Word 2007 is used as an example in this section. Any AD RMS-enabled application can be used in place of Word 2007.

To verify that AD RMS is configured correctly, do the following:

  1. Log on to an AD RMS-enabled client computer.
  2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
  3. In the new document, type This is a test document.
  4. Click the Microsoft Office Start Button, point to Prepare, point to Restrict Permissions, and then click Restricted Access.
  5. Select the Restrict permissions to this document check box.
  6. Type another AD RMS user's e-mail address in the Read box, and then click OK.
  7. Send this file to the person who was granted access in step 6.
  8. Have this person open the document and verify that he or she cannot do anything else with the document such as print it.
