Setting Properties on Objects in the AD RMS Drive Namespace

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

Setting properties on objects in the drive namespace is similar to using a wizard to specify configuration settings when installing a server role. Before you can finish the installation by running the Install-ADRMS cmdlet, you must provide necessary information about the initial configuration of the server role. The following table lists the required settings and the properties that represent those settings in the drive namespace.

Setting name                         Property name                   Location

Setting the configuration database   UseWindowsInternalDatabase      <drive>:\ClusterDatabase
Setting the service account          ServiceAccount                  <drive>:\
Setting the cluster key storage      UseCentrallyManaged or UseCSP   <drive>:\ClusterKey
Setting the cluster Web site         WebSiteName                     <drive>:\ClusterWebSite
Setting the cluster address          ClusterURL                      <drive>:\
Setting the SLC name                 SLCName                         <drive>:\
Registering the SCP                  RegisterSCP                     <drive>:\

Note

  • The RegisterSCP property is available only when you are installing a root cluster.

  • Depending on how you set these properties, additional property settings may be required. For example, if you set the UseWindowsInternalDatabase property to False, you must also specify the name of a remote database server and database instance.

The following sections describe the configuration settings you must specify by setting properties on objects in the Windows PowerShell drive namespace.

    Setting the configuration database

    When installing the AD RMS server role on the first server in a cluster, you must specify the location of the database that will be used to store configuration and other data. You can choose to use the Windows Internal Database on the server, or you can designate a database instance on a remote database server. You must use a separate database server if you intend to add servers to the cluster or to add identity federation support.

    Specifying the Windows Internal Database

    By default, the first server in an AD RMS cluster uses the Windows Internal Database as its configuration database. You can use the following command to verify that the drive namespace is configured to use the Windows Internal Database:

    Get-ItemProperty -Path <drive>:\ClusterDatabase -Name UseWindowsInternalDatabase

    If the UseWindowsInternalDatabase property is set to False, you can use the following procedure to configure the server to use the Windows Internal Database.

    Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

    To use the Windows Internal Database

    • At the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

    Specifying a Remote Database

    You must use a database instance on a remote server if you plan to add servers to the cluster, or if you plan to use identity federation support.

    If you are using a named instance for the AD RMS configuration database, the SQL Server Browser service must be started on the database server before installing AD RMS. Otherwise, the AD RMS installation will not be able to locate the configuration database and the installation will not succeed.

    To perform this procedure, you must be logged on with a user account that is a member of the Administrators group of this server and that has the right to create a new database on the remote server.

    To use a remote database instance

    • At the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ClusterDatabase -Name ServerName -Value <db_server>

      where <drive> is the name of the Windows PowerShell drive and <db_server> is the name of the remote server hosting the database.

    Unless you specify a named instance, the AD RMS server is configured to use the default database instance hosted by the specified server. If you want to use a named instance, use the following procedure to set the InstanceName property of the \ClusterDatabase container after setting the ServerName property.

    To use a named database instance

    1. To enumerate the database instances hosted by the database server, at the Windows PowerShell command prompt, type:

      Get-ChildItem -Path <drive>:\ClusterDatabase\DatabaseInstance

      where <drive> is the name of the Windows PowerShell drive.

    2. To specify the database instance to be used by the cluster, at the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ClusterDatabase -Name InstanceName -Value <db_instance>

      where <drive> is the name of the Windows PowerShell drive and <db_instance> is the name of the database instance hosted by the remote database server.

    Setting the service account

    During installation, AD RMS creates the AD RMS Service Group on the local computer and grants it appropriate permissions on all of the resources that are required for AD RMS to operate. When you install the AD RMS server role, you must define a domain account for use as the AD RMS service account. That account is made a member of the AD RMS Service Group, and it is granted the permissions that are associated with this group. During routine operations, AD RMS runs under the AD RMS service account.

    Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

    To set the AD RMS service account

    1. At the Windows PowerShell command prompt, type:

      $svcacct = Get-Credential

      A dialog box appears.

    2. In the dialog box, type the account domain and name (in the form <domain>\<account>) and password.

    3. At the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ -Name ServiceAccount -Value $svcacct

      where <drive> is the name of the Windows PowerShell drive.

    Setting the cluster key storage

    You can protect the AD RMS cluster key by using a hardware- or software-based cryptographic service provider (CSP) or by storing the cluster key in the AD RMS configuration database. When using AD RMS to centrally manage the cluster key from the AD RMS configuration database, you should use a strong cluster key password. If you are upgrading from RMS to AD RMS and using a hardware-based CSP, ensure that the drivers are compatible with Windows Server 2008 R2 before proceeding with the upgrade.

    Note

    If there are multiple servers in the AD RMS cluster, and you are using either a software- or hardware-based CSP to protect the cluster key, you must manually move the cluster key to the other computers before installing AD RMS. Consult the CSP documentation for procedures on moving the cluster key.

    Using a centrally managed cluster key

    By default, the first server in an AD RMS cluster uses centrally managed key storage. However, if you choose to use this method to store the cluster key, you must provide a cluster key password before installing the AD RMS server role on the first server in the cluster. You can use the following command to verify that the drive namespace is configured to use the centrally managed cluster key storage:

    Get-ItemProperty -Path <drive>:\ClusterKey -Name UseCentrallyManaged

    Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

    To set the centrally managed cluster key password

    1. At the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ClusterKey -Name UseCentrallyManaged -Value $true

      where <drive> is the name of the Windows PowerShell drive.

    2. To securely store the cluster key password in a variable, at the Windows PowerShell command prompt, type:

      $password = Read-Host -AsSecureString -Prompt "Password:"

    3. Type the cluster key password, and then press the ENTER key.

    4. At the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ClusterKey -Name CentrallyManagedPassword -Value $password

      where <drive> is the name of the Windows PowerShell drive.

    Using a CSP to store the cluster key

    When you configure the server to use a CSP to protect the cluster key, you must specify the key container name. You should also ensure that a new key pair will be created when the server is installed. To list the CSPs that are available on the server, at the Windows PowerShell command prompt, type:

    Get-ChildItem -Path <drive>:\ClusterKey\CSP -Name

    Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

    To specify a CSP to store the cluster key

    1. To enable CSP key protection and specify the CSP to be used, at the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ClusterKey -Name UseCSP -Value $true

      Set-ItemProperty -Path <drive>:\ClusterKey -Name CSPName -Value <CSP>

      where <drive> is the name of the Windows PowerShell drive and <CSP> is the name of the CSP to be used to protect the cluster key.

    2. Do one of the following:

      • To ensure that a new key pair will be created for the CSP when AD RMS is installed, at the Windows PowerShell command prompt, type:

        Set-ItemProperty -Path <drive>:\ClusterKey -Name CreateNewKeyPair -Value $true

      • To reuse an existing CSP key pair, at the Windows PowerShell command prompt, type:

        Set-ItemProperty -Path <drive>:\ClusterKey -Name UseExistingKeyPair -Value $true

        Set-ItemProperty -Path <drive>:\ClusterKey -Name KeyContainerName -Value <KeyPairName>

        where <drive> is the name of the Windows PowerShell drive and <KeyPairName> is the name of a CSP key pair in the CSP container specified in the previous step.

    Setting the cluster Web site

    Before completing the installation of the AD RMS server role, you must specify the Web site where the AD RMS Web services will be installed if you are not using the default Web site. If you have installed the Internet Information Services (IIS) 6 Management Compatibility Service, you can get a listing of the Web sites hosted on the server by typing at a Windows PowerShell command prompt:

    Get-ChildItem -Path <drive>:\ClusterWebSite

    where <drive> is the name of the Windows PowerShell drive.

    Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

    To specify the cluster Web site

    • At the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ClusterWebSite -Name WebSiteName -Value "<web_site>"

      where <drive> is the name of the Windows PowerShell drive and <web_site> is the name of the Web site to be used to host the AD RMS Web services.

    Setting the cluster address

    AD RMS clients use the cluster address to communicate with the cluster over the network. As a best security practice, you should specify an SSL-encrypted connection (that is, a connection that uses https://) as the AD RMS cluster address. If you specify an SSL-encrypted connection, you must configure the server with a valid certificate for SSL encryption.

    Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

    To specify the cluster address

    • At the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ -Name ClusterURL -Value "http[s]://<cluster_url>:<port>"

      where <drive> is the name of the Windows PowerShell drive, <cluster_url> is the URL of the AD RMS cluster, and <port> is the number of the port used to access the cluster URL.

    For example, to set the property on a drive named RC to specify an unencrypted (http://) connection to a URL named Cluster1 on the default port, type:

    Set-ItemProperty -Path RC:\ -Name ClusterURL -Value "http://Cluster1:80"

    To specify an SSL-encrypted (https://) connection to the same URL on the default SSL port, type:

    Set-ItemProperty -Path RC:\ -Name ClusterURL -Value "https://Cluster1:443"

    Setting the SLC name

    When the AD RMS server role is installed and configured on the first server in the cluster, AD RMS generates, through a process called self-enrollment, a unique SLC that establishes the cluster's identity and that has a validity period of 250 years. This long validity period enables rights-protected data to be archived for an extended period of time.

    Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

    To specify the SLC name

    • At the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ -Name SLCName -Value "<SLC_name>"

      where <drive> is the name of the Windows PowerShell drive and <SLC_name> is the name you want to use to identify the SLC that will be created.

    Registering the SCP

    By default, the service connection point (SCP) for AD RMS is registered in Active Directory Domain Services when you install the AD RMS server role on the first server in a root cluster. The SCP identifies the connection URL for the service to the AD RMS-enabled clients in your organization. After you register the SCP in Active Directory Domain Services (AD DS), clients will be able to discover the AD RMS cluster to request use licenses, publishing licenses, and rights account certificates (RACs). If you do not register the SCP when you install the first server in the root cluster, you can register the SCP from the cluster Properties sheet in the Active Directory Rights Management Services console.

    Note

    If you are registering an SCP from an AD RMS cluster in a child domain, you might receive an error stating that SCP registration failed. In many cases, the registration was successful, but the registration first takes place in the top-level domain and it takes time to replicate to the child domain where the AD RMS cluster checks for the SCP object. If this happens, allow enough time for the SCP to be replicated to all global catalog servers before attempting to re-register the SCP.

    To verify that the drive namespace is configured to register the SCP, at the Windows PowerShell command prompt, type:

    Get-ItemProperty -Path <drive>:\ -Name RegisterSCP

    If the RegisterSCP property is set to False, you can use the following procedure to register the SCP when the AD RMS server role is installed.

    Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

    To register the SCP

    • At the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ -Name RegisterSCP -Value $true

      where <drive> is the name of the Windows PowerShell drive.
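    The procedures above set the properties one at a time but never read the result back as a whole. The following added example (not part of the original article, and not an AD RMS cmdlet) reads the properties listed in the table and flags combinations that the installation cannot succeed with or that weaken security. It assumes the drive has already been created and is named RC, and that Get-ItemProperty on a container of this provider returns an object exposing the listed properties by name, as it does for other providers; the helper name Test-AdrmsDriveConfig is hypothetical.

```powershell
# Added example, not from the original article. Assumes the AD RMS drive (named RC
# here) was created with New-PSDrive and that Get-ItemProperty on a container returns
# an object exposing the listed properties by name. Test-AdrmsDriveConfig is hypothetical.
function Test-AdrmsDriveConfig {
    param([Parameter(Mandatory=$true)][string]$Drive)
    $problems = @()
    $root = "${Drive}:\"

    # Read the containers described in the article.
    $db  = Get-ItemProperty -Path "${root}ClusterDatabase"
    $key = Get-ItemProperty -Path "${root}ClusterKey"
    $top = Get-ItemProperty -Path $root

    # Database: if the Windows Internal Database is not used, a remote ServerName is required.
    if (-not $db.UseWindowsInternalDatabase -and [string]::IsNullOrEmpty($db.ServerName)) {
        $problems += 'UseWindowsInternalDatabase is False but ServerName is not set.'
    }

    # Cluster key: exactly one storage method, with the details that method needs.
    if ($key.UseCentrallyManaged -and $key.UseCSP) {
        $problems += 'UseCentrallyManaged and UseCSP are both True; choose one.'
    }
    if ($key.UseCentrallyManaged -and -not $key.CentrallyManagedPassword) {
        $problems += 'Centrally managed storage selected but CentrallyManagedPassword is not set.'
    }
    if ($key.UseCSP) {
        if ([string]::IsNullOrEmpty($key.CSPName)) { $problems += 'UseCSP is True but CSPName is not set.' }
        if ($key.UseExistingKeyPair -and [string]::IsNullOrEmpty($key.KeyContainerName)) {
            $problems += 'UseExistingKeyPair is True but KeyContainerName is not set.'
        }
    }

    # Cluster address: clients connect here, so it should be an absolute https URL.
    $uri = $null
    if (-not [System.Uri]::TryCreate([string]$top.ClusterURL, [System.UriKind]::Absolute, [ref]$uri)) {
        $problems += "ClusterURL '$($top.ClusterURL)' is not a valid absolute URL."
    } elseif ($uri.Scheme -ne 'https') {
        $problems += "ClusterURL uses $($uri.Scheme); an SSL-encrypted (https) address is recommended."
    }
    if (-not $top.ServiceAccount) { $problems += 'ServiceAccount is not set.' }
    if ([string]::IsNullOrEmpty($top.SLCName)) { $problems += 'SLCName is not set.' }
    return ,$problems
}

# Stop before Install-ADRMS if anything is inconsistent.
$issues = Test-AdrmsDriveConfig -Drive 'RC'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Drive namespace is consistent; ready for Install-ADRMS.' }
```

    A property the provider does not expose reads as $null and is reported as unset, so an unexpected warning is a prompt to check the property with Get-ItemProperty directly rather than a confirmed misconfiguration.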

    See Also

    Concepts

    Installing an AD RMS Cluster
    Creating an AD RMS Cluster Windows PowerShell Drive
    Running the Install-ADRMS Cmdlet