Basic AD RMS Architecture
Updated: August 1, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
This topic provides information about the basic components of the AD RMS architecture.
A basic AD RMS infrastructure is composed of the following components, which are shown in the diagram following these descriptions:
AD RMS root cluster- A server that is running Windows Server 2008 that has the AD RMS role installed. In the most basic scenarios, this is the AD RMS server that issues client, user and use licenses. There can be only one root cluster per Active Directory forest. The root cluster is also referred to as the certification cluster. To increase availability and redundancy, additional AD RMS servers can be added (joined) to the root cluster.
Database server- A database server typically running Microsoft SQL Server 2005 or SQL Server 2008 that stores all AD RMS configuration and logging data. This includes the AD RMS server certificate and private keys in addition to copies of certificates issued by the server.
Directory service- One or more Active Directory Domain Services (AD DS) domain controllers. AD RMS works in close relationship with AD DS. Therefore, correctly configured and healthy AD DS domain controllers must be reachable by the AD RMS cluster. The directory service is used, among other things, for clients to locate the AD RMS root cluster, to authenticate users of the service and to perform group expansion for validating user permissions.
RMS clients- End-user computers that are used to create and consume-rights managed documents and that have the AD RMS client installed and configured. These computers must be able to contact an AD RMS root or licensing-only cluster in order to receive publishing and use licenses. Typically the client computer will be running the AD RMS client software, AD RMS–enabled applications such as Microsoft® Office 2003 Professional or Microsoft Office 2007 (Professional Plus, Enterprise and Ultimate Editions), the XPS viewer, and Windows Internet Explorer. Optionally, the Windows Rights Management Add-on for Internet Explorer (RMA) can be used to view RMS-protected documents in Internet Explorer.
The scope for an AD RMS cluster is the Active Directory forest. Therefore each forest must have an AD RMS root cluster. This is shown in the following diagram.
Although a forest can have only one root (certification) cluster, one or more AD RMS licensing-only clusters can also be deployed in a forest for the following reasons:
To enhance performance and reduce bandwidth consumption. A client may be located in a site that is connected through a slow WAN link to the site that hosts the AD RMS cluster. In this case, installing a local AD RMS licensing-only server in the client’s site will enhance performance. It will also increase availability and reduce network traffic for the clients hosted on that site. This would only apply in environments where document creation and consumption is mostly local. Users in other groups accessing documents published by the licensing-only cluster would have to access that cluster, and vice versa.
To provide independence. Departments that have requirements for strong operational independence might want to use their own licensing servers for their documents. This requirement can be related to regulatory, legal or political reasons, for example.
To provide external access. Users who are not connected to an internal network must be able to reach an AD RMS cluster in order to consume content for which they have not been issued a license. Consequently, an AD RMS cluster has to be available from the Internet. The cluster used for issuing use licenses must be the same cluster that is used for protecting documents. This configuration allows the licensing-only cluster to be used for all document protection, whether the users are inside or outside the internal network.
Document protection through AD RMS can be applied to documents through the native applications that create those documents and that support integration with AD RMS, such as the IRM-enabled editions of Office 2003 and 2007 Microsoft Office system. Another way to apply protection to documents is through policies defined in and automatically applied by a Microsoft Office SharePoint Server 2007 library integrated with AD RMS. The Integrating AD RMS and SharePoint Server 2007 topic describes how that integration works.