Server Configuration for an AD RMS Infrastructure

Applies To: Windows Server 2008, Windows Server 2008 R2

In most cases, an AD RMS infrastructure is made up of the following components:

  • An AD RMS root certification and licensing server running Windows Server 2008 – This server has the AD RMS role installed and is used as the root of the AD RMS hierarchy. In most scenarios, this server issues client licensor certificates, issuance licenses, and end-user licenses. There can be only one root certification server per Active Directory forest.

  • A database server running SQL Server 2005 or SQL Server 2008 – This server stores all AD RMS data, including the AD RMS server certificate and private keys, and all of the licenses. It also stores logging data for the licensing and certification actions performed by the AD RMS servers in a cluster.

  • A server running Active Directory – AD RMS works in close relationship with Active Directory, and a properly configured server with domain controllers reachable from the AD RMS servers is necessary for AD RMS to work. Active Directory is used, among other things, to authenticate users of the AD RMS service, to perform group expansion for validating user permissions, as well as for service location.

  • Client computers running the AD RMS client software – Users that create and consume rights-managed documents do so from computers with the AD RMS client installed (the AD RMS client software is included with Windows Vista and Windows 7, but it must be installed on clients running earlier versions of Windows). These client computers must be able to contact the AD RMS certification and licensing server in order to receive issuance licenses and end-user licenses. The client runs the AD RMS client software with Information Rights Management (IRM) enabled applications, such as Microsoft® Office 2003 Professional, Microsoft Office 2007 (Ultimate, Professional Plus and Enterprise Editions), and Microsoft Internet Explorer. Optionally, the Rights Management Add-on for Internet Explorer can be used to view AD RMS-protected documents in Internet Explorer.

  • Typically, AD RMS servers are deployed in a redundant configuration, forming a cluster, so you can consider the AD RMS root certification server and AD RMS root certification cluster to be synonyms, for purposes of discussion. It performs the root certification role. All servers in an AD RMS cluster share the same database server. Thus, logging data, configuration data, and caching data are contained on a single database server for all the servers in an AD RMS cluster.

    There can be cases where a cluster of database servers may be required. But in this case, the database cluster is still shared by the AD RMS cluster, like in the scenario with a single database server.

Community Additions