How AD RMS Works
Updated: August 2, 2012
Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012
Active Directory Rights Management Services (AD RMS) encompasses all of the server and client technologies that are required to support information protection through the use of rights management in an organization.
When you use an AD RMS infrastructure, you are able to protect the information in your organization using the following client and server components to both publish and consume rights-protected content.
AD RMS clients, which request licenses and enforce assigned rights protection at the document level to files and messages.
AD RMS servers, which administer account certification, licensing and publishing services that use Active Directory, and which assist clients in locating these services.
AD RMS is the name for what was originally introduced as a standalone release called Rights Management Services (RMS) 1.0, which Microsoft first released in 2005 for the Windows Server 2003 server platform.
When publishing content, AD RMS clients request and acquire new licenses for protecting content according to the usage rights and conditions that you as a publisher choose to allow for the content that you wish to protect.
When a document is authored and rights protection is chosen, the AD RMS client acquires a Client Licensor Certificate (CLC), which enables it to protect content. It then uses this CLC to encrypt the document, create and sign a Publishing License (PL), and bind a copy of the PL to the encrypted content. This helps the content to be better protected from misuse even if it is shared with others within your organization or with others outside of your organization.
When others receive the rights-protected content, they must first use a rights-enabled application (such as Microsoft Office) to request and acquire an end-user license for the content before they can access and make use of it. In order to obtain the end-user license, the AD RMS client must first determine if the recipient of the content conforms to any policies set forth in the publishing license that was used to protect the content. If the AD RMS client determines the user is eligible to access the content, the AD RMS client ensures that the user honors the conditions indicated in the end-user license, which might restrict certain actions. This ensures documents are protected as intended by authors and publishers and are only consumed by recipients according to the assigned rights policies.
AD RMS servers are implemented as a set of Web service components that run on Microsoft Internet Information Services (IIS) and work in connection with Microsoft SQL Server and Active Directory Domain Services (AD DS).
The various components that make up an AD RMS server are listed in the following table.
Administration web service
The AD RMS server computer hosts this web service, which is used to manage AD RMS through the use of either the AD RMS administration console or Windows PowerShell commands for AD RMS.
AD RMS servers generate rights account certificates (RACs) that associate users with specific computers.
AD RMS servers issue end-user licenses. An end-user license enables AD RMS client-enabled applications to access protected content within the user restrictions set by the content publisher.
AD RMS servers also create client licensor certificates that enable content publishers to define the policies that can be enumerated in an end-user license.
Enables a server to request a rights account certificate on behalf of a user in order for Exchange to pre-license content to Outlook users.
Provides the URL of the account certification, licensing, and publishing services to Active Directory so that they can be discovered by AD RMS clients.
In an AD RMS cluster, all AD RMS servers are one of two types.
Root certification servers. The first AD RMS server in an Active Directory forest assumes this role. There can only be one root certification server in each Active Directory forest.
Licensing servers. This is the role taken on by any additional or secondary AD RMS servers added to provide independent policy options to certain groups within an Active Directory forest.
For more information on how servers work within an AD RMS infrastructure, see Server Configuration for an AD RMS Infrastructure.
To assist in easily assigning and managing rights protection to content, rights policy templates can be used. Rights policy templates can help you to scope and create a specific set of rights that you can apply or repurpose as often as needed for protecting content. For example, a template could be created and named "Company Confidential" that, when applied to protect a document, would allow employees only the right to view the document, but not to forward, copy, or save it.
Rights policy templates that are used within AD RMS are stored and made available from an AD RMS server to client computers through the following example deployment workflow:
Bob is an administrator who chooses to make a new rights policy template for clients to use in protecting content. He uses the AD RMS console to create the template, which is stored in the AD RMS configuration database. (Through optional configuration, the AD RMS cluster also maintains a copy of all rights policy templates in a folder that Bob has specified.)
Bob has configured Group Policy to enable all corporate desktop computers to use AD RMS automatic rights policy template distribution. He has also modified the update frequency setting to cause AD RMS client computers to query the template distribution pipeline and update their templates within the next 5 days.
Bob could also have used System Center Configuration Manager or manually copied the templates himself to client computers as an alternative to using Group Policy.
Once AD RMS client computers have queried the template pipeline and have updated their local cached folder of AD RMS templates with the new policy template, users can select it and apply the template to any new documents they want to author and protect using it.
By default, new rights policy templates are distributed to all AD RMS clients. Starting with Windows Server® 2008, administrators can use the AD RMS console to control whether templates are archived or remain actively distributed for use. If a template is archived, it is not distributed to clients, but the AD RMS cluster will still be able to generate end-user licenses for rights-protected content that has a publishing license generated from that template. Templates should not typically be deleted, as any content protected by a template will no longer be accessible if the template is deleted from the AD RMS configuration.
For more information on templates, see AD RMS Policy Templates.
The following sections walk you through a demonstration of how AD RMS works as the process of publishing, sharing and consuming a rights-protected document occurs first within a single organization, and then as it occurs between two different organizations.
An AD RMS client and server can be used within your organization to help protect content through assigning rights protection as it is published and shared with others. This section discusses how a basic AD RMS service infrastructure (which includes an AD RMS server, a SQL Server computer hosting the AD RMS databases and Active Directory domain controllers) can be used to support rights protection.
Terry Adams is a senior process engineer who has been working on site at the Contoso Pharmaceuticals manufacturing facility in Redmond, Washington for the past four weeks. During that time, Terry has observed production line activities being carried out and has been meeting privately with employees at the facility.
Terry has completed his process review and has been asked by his manager, Diane Margheim, to share a confidential copy of his report with the plant manager, Lola Jacobson. In order to ensure the report remains confidential, Diane has asked Terry to apply rights protection to his report document after he is finished writing it in Microsoft Word, before forwarding it on to Lola to allow her to preview it for comment before it is passed along to the executive leadership.
In the following graphic, we see how AD RMS works using servers and clients to support this user scenario. Terry is an information author working at his corporate desktop and using Microsoft Word to create and prepare his report.
Terry chooses the option to rights-protect the document, which allows him to select both the people and the level of access those people will have to his content. He grants read-only access to Lola as the information recipient for the document. This will enable Lola to view the report but deny her the ability to change, copy or print the document.
As Terry applies his access restrictions, the AD RMS client launches and initiates a service request on his behalf to the Contoso AD RMS server.
The AD RMS server for Contoso returns a Client Licensor Certificate to the AD RMS client installed at Terry's desktop, which enables him to save the document in encrypted form with the desired level of rights-protection.
Terry then attaches and sends the rights-protected report Word document to Lola in an email.
Lola receives Terry's email and saves the attached document to her local desktop and then opens it. When she does, the AD RMS client working at her desktop contacts the Contoso AD RMS server to acquire an end-user license.
The AD RMS client at Lola's desktop receives back the end-user license, which indicates that she is permitted to view the document. The AD RMS client then decrypts the document and applies the appropriate restrictions to enable Lola to access the content according to the access permissions that Terry assigned to it.
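The licensing decisions in the walkthrough above, together with the archived and deleted template behavior described earlier, can be followed in this added Python model, which is not Microsoft code and does not use any AD RMS API. It is a simplification: one HMAC key stands in for the certificate-based signatures, a content hash stands in for binding the PL to the document, encryption is omitted, and every name and value is constructed for illustration.

```python
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # assumption: stands in for certificate signing
TEMPLATES = {"Company Confidential": "archived"}  # constructed template store


def _sign(body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()


def publish(content, rights_by_user, template=None):
    """Author side: build a signed publishing license (PL) bound to the content."""
    body = {"content_sha256": hashlib.sha256(content).hexdigest(),
            "rights": rights_by_user, "template": template}
    return {"body": body, "sig": _sign(body)}


def issue_eul(pl, user):
    """Server side: return an end-user license (EUL), or None if refused."""
    if not hmac.compare_digest(pl["sig"], _sign(pl["body"])):
        return None  # PL was altered after it was signed
    template = pl["body"]["template"]
    if template is not None and template not in TEMPLATES:
        return None  # template deleted: content is no longer accessible
    # An archived template is still present, so licensing continues to work.
    rights = pl["body"]["rights"].get(user)
    if not rights:
        return None  # user is not covered by the policy in the PL
    body = {"user": user, "rights": sorted(rights),
            "content_sha256": pl["body"]["content_sha256"]}
    return {"body": body, "sig": _sign(body)}


def client_allows(eul, content, action):
    """Client side: enforce the EUL for one action on one document."""
    if eul is None or not hmac.compare_digest(eul["sig"], _sign(eul["body"])):
        return False
    if hashlib.sha256(content).hexdigest() != eul["body"]["content_sha256"]:
        return False  # EUL was issued for a different document
    return action in eul["body"]["rights"]


if __name__ == "__main__":
    report = b"constructed report text"
    pl = publish(report, {"lola@contoso.example": ["view"]}, "Company Confidential")
    eul = issue_eul(pl, "lola@contoso.example")
    print(client_allows(eul, report, "view"), client_allows(eul, report, "print"))
```
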
While AD RMS clients and servers can be used within a single organization or Active Directory forest to help protect content, you can also, with some additional configuration, allow published content to be protected across organizational or forest boundaries.
In order to use AD RMS across organizational and forest boundaries, a level of trust must be established across the organizations or across forests. There are several ways in which this can occur:
At the most basic level, Trusted User Domains (TUDs) can help allow AD RMS to process requests from users located across Active Directory forests. A simple TUD relationship between two AD RMS clusters can be established quickly and can be a lightweight and low-cost method of managing AD RMS trust between two separate organizations. For more information, see Trusted User Domains.
Where there is a need to acquire licenses from an RMS cluster for content protected with another RMS cluster, Trusted Publishing Domains (TPDs) offer another means of enabling cross-server trust that goes beyond the ability of TUDs. This option is rarely used across organizations. For more information, see Trusted Publishing Domains.
For organizations that have invested in the federated identity capabilities of Active Directory Federation Services (AD FS), you can also leverage the power of existing federated trusts to make AD RMS work across forest boundaries. For more information, see Active Directory Federation Services with AD RMS and Federating AD RMS.
For a more detailed understanding of how AD RMS works across organizational lines, see Sharing Documents with External Organizations.