Setting Properties on Objects in the AD RMS Drive Namespace

Published: July 8, 2009

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

Setting properties on objects in the drive namespace is similar to using a wizard to specify configuration settings when installing a server role. Before you can finish the installation by running the Install-ADRMS cmdlet, you must provide necessary information about the initial configuration of the server role. The following table lists the required settings and the properties that represent those settings in the drive namespace.

 

Setting name Property name Location

Setting the configuration database

UseWindowsInternalDatabase

<drive>:\ClusterDatabase

Setting the service account

ServiceAccount

<drive>:\

Setting the cluster key storage

UseCentrallyManaged or UseCSP

<drive>:\ClusterKey

Setting the cluster Web site

WebSiteName

<drive>:\ClusterWebSite

Setting the cluster address

ClusterURL

<drive>:\

Setting the SLC name

SLCName

<drive>:\

Registering the SCP

RegisterSCP

<drive>:\

noteNote
  • The RegisterSCP property is available only when you are installing a root cluster.

  • Depending on how you set these properties, additional property settings may be required. For example, if you set the UseWindowsInternalDatabase property to False, you must also specify the name of a remote database server and database instance.

The following sections describe the configuration settings you must specify by setting properties on objects in the Windows PowerShell drive namespace.

When installing the AD RMS server role on the first server in a cluster, you must specify the location of the database that will be used to store configuration and other data. You can choose to use the Windows Internal Database on the server, or you can designate a database instance on a remote database server. You must use a separate database server if you intend to add servers to the cluster or to add identity federation support.

By default, the first server in an AD RMS cluster uses the Windows Internal Database as its configuration database. You can use the following command to verify that the drive namespace is configured to use the Windows Internal Database:

Get-ItemProperty -Path  <drive> :\ClusterDatabase -Name UseWindowsInternalDatabase

If the UseWindowsInternalDatabase property is set to False, you can use the following procedure to configure the server to use the Windows Internal Database.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  • At the wps command prompt, type:

    Set-ItemProperty -Path  <drive> :\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

You must use a database instance on a remote server if you plan to add servers to the cluster, or if you plan to use identity federation support.

If you are using a named instance for the AD RMS configuration database, the SQL Server Browser service must be started on the database server before installing AD RMS. Otherwise, the AD RMS installation will not be able to locate the configuration database and the installation will not succeed.

To perform this procedure, you must be logged on with a user account that is a member of the Administrators group of this server and that has the right to create a new database on the remote server.

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path  <drive> :\ClusterDatabase -Name ServerName -Value  <db_server>

    where <drive> is the name of the Windows PowerShell drive and <db_server> is the name of the remote server hosting the database.

Unless you specify a named instance, the AD RMS server is configured to use the default database instance hosted by the specified server. If you want to use a named instance, use the following procedure to set the InstanceName property of the \ClusterDatabase container after setting the ServerName property.

  1. To enumerate the database instances hosted by the database server, at the Windows PowerShell command prompt, type:

    Get-ChildItem -Path  <drive> :\ClusterDatabase\DatabaseInstance

    where <drive> is the name of the Windows PowerShell drive.

  2. To specify the database instance to be used by the cluster, at the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path  <drive> :\ClusterDatabase -Name InstanceName -Value  <db_instance>

    where <drive> is the name of the Windows PowerShell drive and <db_instance> is the name of the database instance hosted by the remote database server.

Back to top

During installation, AD RMS creates the AD RMS Service Group on the local computer and grants it appropriate permissions on all of the resources that are required for AD RMS to operate. When you install the AD RMS server role, you must define a domain account for use as the AD RMS service account. That account is made a member of the AD RMS Service Group, and it is granted the permissions that are associated with this group. During routine operations, AD RMS runs under the AD RMS service account.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  1. At the Windows PowerShell command prompt, type:

    $svcacct = Get-Credential

    A dialog box appears.

  2. In the dialog box, type the account domain and name (in the form <domain>\<account>) and password.

  3. At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path  <drive> :\ -Name ServiceAccount -Value $svcacct

    where <drive> is the name of the Windows PowerShell drive.

Back to top

You can protect the AD RMS cluster key by using a hardware- or software-based cryptographic service provider (CSP) or by storing the cluster key in the AD RMS configuration database. When using AD RMS to centrally manage the cluster key from the AD RMS configuration database, you should use a strong cluster key password. If you are upgrading from RMS to AD RMS and using a hardware-based CSP, ensure that the drivers are compatible with Windows Server 2008 R2 before proceeding with the upgrade.

noteNote
If there are multiple servers in the AD RMS cluster, and you are using either a software- or hardware-based CSP to protect the cluster key, you must manually move the cluster key to the other computers before installing AD RMS. Consult the CSP documentation for procedures on moving the cluster key.

By default, the first server in an AD RMS cluster uses centrally managed key storage. However, if you choose to use this method to store the cluster key, you must provide a cluster key password before installing the AD RMS server role on the first server in the cluster. You can use the following command to verify that the drive namespace is configured to use the centrally managed cluster key storage:

Get-ItemProperty -Path  <drive> :\ClusterKey -Name UseCentrallyManaged

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  1. At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path  <drive> :\ClusterKey -Name UseCentrallyManaged -Value $true

    where <drive> is the name of the Windows PowerShell drive.

  2. To securely store the cluster key password in a variable, at the Windows PowerShell command prompt, type:

    $password = Read-Host -AsSecureString -Prompt “Password:”

  3. Type the cluster key password, and then press the ENTER key.

  4. At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path  <drive> :\ClusterKey -Name CentrallyManagedPassword -Value $password

    where <drive> is the name of the Windows PowerShell drive.

When you configure the server to use a CSP to protect the cluster key, you must specify the key container name. You should also ensure that a new key pair will be created when the server is installed. To list the CSPs that are available on the server, at the Windows PowerShell command prompt, type:

Get-ChildItem -Path  <drive> :\ClusterKey\CSP -Name

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  1. To enable CSP key protection and specify the CSP to be used, at the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path  <drive> :\ClusterKey -Name UseCSP -Value $true

    Set-ItemProperty -Path  <drive> :\ClusterKey -Name CSPName -Value  <CSP>

    where <drive> is the name of the Windows PowerShell drive and <CSP> is the name of the CSP to be used to protect the store key.

  2. Do one of the following:

    • To ensure that a new key pair will be created for the CSP when AD RMS is installed, at the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ClusterKey -Name CreateNewKeyPair -Value $true

    • To reuse an existing CSP key pair, at the Windows PowerShell command prompt, type:

      Set-ItemProperty -Path <drive>:\ClusterKey -Name UseExistingKeyPair -Value $true

      Set-ItemProperty -Path <drive>:\ClusterKey -Name KeyContainerName -Value <KeyPairName>

      where <drive> is the name of the Windows PowerShell drive and <KeyPairName> is the name of a CSP key pair in the CSP container specified in the previous step.

Back to top

Before completing the installation of the AD RMS server role, you must specify the Web site where the AD RMS Web services will be installed if you are not using the default Web site. If you have installed the Internet Information Services (IIS) 6 Management Compatibility Service, you can get a listing of the Web sites hosted on the server by typing at a Windows PowerShell command prompt:

Get-ChildItem -Path  <drive> :\ClusterWebSite

where <drive> is the name of the Windows PowerShell drive.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path  <drive> :\ClusterWebSite -Name WebSiteName -Value “ <web_site>

    where <drive> is the name of the Windows PowerShell drive and <web_site> is the name of the Web site to be used to host the AD RMS Web services.

Back to top

AD RMS clients use the cluster address to communicate with the cluster over the network. As a best security practice, you should specify an SSL-encrypted connection (that is, a connection that uses https://) as the AD RMS cluster address. If you specify an SSL-encrypted connection, you must configure the server with a valid certificate for SSL encryption.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path  <drive> :\ -Name ClusterURL -Value “ http[ s] ://<cluster_url>:<port>

    where <drive> is the name of the Windows PowerShell drive, <cluster_url> is the URL of the AD RMS cluster, and <port> is the number of the port used to access the cluster URL.

For example, to set the property on a drive named RC to specify an unencrypted connection to a URL named Cluster1 on the default port, type:

Set-ItemProperty -Path RC:\ -Name ClusterURL -Value “http://Cluster1:80”

To specify an encrypted connection to the same URL, type:

Set-ItemProperty -Path RC:\ -Name ClusterURL -Value “https://Cluster1:443”

Back to top

When the AD RMS server role is installed and configured on the first server in the cluster, AD RMS generates a unique SLC for itself called self-enrollment that establishes its identity and that has a validity time of 250 years. This enables the archiving of rights-protected data for an extended period of time.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path  <drive> :\ -Name SLCName -Value “ <SLC_name>

    where <drive> is the name of the Windows PowerShell drive and <SLC_Name> is the name you want to use to identify the SLC that will be created.

Back to top

By default, the service connection point (SCP) for AD RMS is registered in Active Directory Domain Services when you install the AD RMS server role on the first server in a root cluster. The SCP identifies the connection URL for the service to the AD RMS-enabled clients in your organization. After you register the SCP in Active Directory Domain Services (AD DS), clients will be able to discover the AD RMS cluster to request use licenses, publishing licenses, and rights account certificates (RACs). If you do not register the SCP when you install the first server in the root cluster, you can register the SCP from the cluster Properties sheet in the Active Directory Rights Management Services console.

noteNote
If you are registering an SCP from an AD RMS cluster in a child domain, you might receive an error stating that SCP registration failed. In many cases, the registration was successful, but the registration first takes place in the top-level domain and it takes time to replicate to the child domain where the AD RMS cluster checks for the SCP object. If this happens, allow enough time for the SCP to be replicated to all global catalog servers before attempting to re-register the SCP.

To verify that the drive namespace is configured to register the SCP, at the Windows PowerShell command prompt, type:

Get-ItemProperty -Path  <drive> :\ -Name RegisterSCP

If the RegisterSCP property is set to False, you can use the following procedure to register the SCP when the AD RMS server role is installed.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path  <drive> :\ -Name RegisterSCP -Value $true

    where <drive> is the name of the Windows PowerShell drive.

Back to top

See Also

Community Additions

ADD
Show: