Migrating from Windows RMS to AD RMS in a Different Infrastructure

Updated: October 29, 2012

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

This guide walks you through migrating a rights management infrastructure based on Rights Management Services (RMS) 1.0, running on servers with Windows Server 2003 SP2, to a new AD RMS infrastructure on new servers running Windows Server 2008 R2. It covers a migration into a new or different datacenter, or a move to a different server infrastructure including a different database server, and can also be used for the following related purposes:

  • Moving to a new database.

  • Moving to a new AD RMS cluster in a different forest or domain.

Note

This guide does not cover the implications for rights policies, and for the groups they reference, of moving to a different forest.

This guide does not take an in-place upgrade approach to migrating from RMS to AD RMS. Therefore, considerable additional planning is required for a smooth transition. For example, every dependency and prerequisite of AD RMS must be planned well in advance so that, at the time of the actual migration, every affected system has already been identified. The process also requires reconfiguring IRM protection in any application that uses it, such as Microsoft Exchange Server or Microsoft Office SharePoint Server.

Note

This guide fills a gap in the traditional, well-documented migration options: cases where an IT administrator cannot or does not want to keep using the existing Windows RMS cluster, must move the new AD RMS services to a different or new datacenter or to a new forest or domain, or simply wants to move to a new database server.

As you complete the steps in this guide, you will:

  • Back up the old RMS infrastructure

  • Install a new AD RMS infrastructure

  • Remove the old RMS infrastructure

  • Verify that the move was successful and that AD RMS is up and running again. You can do this by testing the ability to create new rights-protected content once the databases have been moved, to consume the newly created content, and to consume existing rights-protected content.

Checklist: Migrating an RMS 1.0 cluster running Windows Server 2003 SP2 to an AD RMS cluster running Windows Server 2008 R2

The following checklist summarizes the steps, in order, for migrating an RMS 1.0 cluster running Windows Server 2003 SP2 to an AD RMS cluster running Windows Server 2008 R2. Each step names the section of this guide that describes it.

  1. Back up the current Windows RMS configuration database.

    Reference: Backup the current Windows RMS configuration database

  2. Export the following from the RMS infrastructure: server licensor certificate (SLC), trusted user domain (TUD), trusted publishing domain (TPD) and the RMS cluster private key.

    Reference: Export SLC, TUD, TPD and RMS private key

  3. Reduce the time-to-live (TTL) value of the DNS resource records used to resolve the cluster names of your RMS cluster.

    Reference: Reduce the TTL interval for DNS resource records that support your RMS cluster

  4. Back up the RMS pipelines.

    Reference: Backup the RMS pipelines

  5. Configure the new SQL Server database cluster for AD RMS.

    Reference: Plan and design the configuration of the new SQL Server database server cluster for AD RMS

  6. Remove the current Service Connection Point (SCP) that references the old RMS infrastructure.

    Reference: Remove the current Service Connection Point (SCP)

  7. If the same URL is to be used for both internal and external access, verify that the cluster URLs are configured to use HTTPS.

    Reference: Configure the cluster URL to use HTTPS

  8. Prepare the new AD RMS root cluster.

    Reference: Prepare the new AD RMS root cluster

  9. Update the DNS name of the old RMS cluster to point to the load-balanced virtual IP address (VIP) of the new AD RMS cluster, so that clients requesting licenses for old content reach the new cluster.

    Reference: Update the DNS name for the old cluster to point to the load balanced VIP of the new cluster

  10. Configure a Group Policy object (GPO) that adds the new AD RMS cluster URL to the Trusted Sites zone in Internet Explorer.

    Reference: Configure a GPO to add the new ADRMS cluster URL to the Trusted Sites zone in Internet Explorer

  11. Configure an SSL certificate on the AD RMS root cluster that covers both the new and the old URL.

    Reference: Configure a SSL certificate in the cluster to support both the new and old URLs

  12. Re-register the SCP with the new URL of the AD RMS cluster.

    Reference: Re-register the SCP with the new URL of the ADRMS cluster

  13. Import the TPD file exported in step 2 into the new AD RMS cluster.

    Reference: Import the TPD file into the AD RMS cluster

  14. Re-create each template that was imported with the TPD, with a slightly different name to avoid naming conflicts.

    Reference: Create rights policy templates for the new AD RMS cluster

  15. Import the TUD file exported in step 2.

    Reference: To import a TUD file into an AD RMS cluster

  16. Update the rules in the reverse proxy or firewall to point to the new AD RMS cluster if you are using the same ISA Server, TMG or reverse proxy for the new datacenter. Otherwise, disable the old rule and create and enable an equivalent rule on the firewall or proxy in the new datacenter.

    Reference: Update the proxy/firewall rule to point to the new ADRMS Cluster

  17. Disable IRM protection in SharePoint and Exchange.

    Reference: Disable IRM protection in Exchange and SharePoint services

  18. Re-enable the IRM configuration in SharePoint and Exchange.

    Reference: Update the IRM configuration for Microsoft Office SharePoint Server and Exchange Server

  19. Configure a logon script, or an equivalent tool, that deletes the DRM cache from the profile of each user.

    Reference: Configure a login script that will delete the DRM cache from user profiles

  20. Redistribute the new AD RMS templates to the client computers.

    Reference: Redistribute the templates to the client computers

  21. Set up a test client for validating the new AD RMS environment.

    Reference: Verifying AD RMS Functionality

  22. Deprovision the old RMS infrastructure.

    Reference: Decommission the old RMS infrastructure

Backup the current Windows RMS configuration database

To back up the current Windows RMS configuration database

  1. Log on to the server hosting the RMS configuration database with a user account that is a member of the sysadmin (System Administrators) server role.

    Click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.

  2. When the Connect to Server window appears, ensure that the server hosting the RMS configuration database is in the Server name box, and then click Connect.

  3. Expand Databases.

  4. Right-click the RMS configuration database, point to Tasks, and then click Back Up.

Note

The default RMS configuration database name is in the form DRMS_Config_<RMS_cluster_URL>_80, where RMS_cluster_URL is the URL of the RMS cluster with the dots replaced by underscores, for example DRMS_Config_rms_contoso_com_80.

  5. Click OK, and then click OK again when the backup has completed.
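The same backup can be scripted, which is preferable when you want a repeatable, verified copy right before you touch the old cluster. The following PowerShell script is an added example and is not part of the original guide. It uses sqlcmd.exe, which ships with SQL Server 2005, and goes slightly beyond the step above by backing up all three RMS databases (configuration, directory services and logging) rather than only the configuration database, since they share the DRMS_ prefix and are only consistent as a set. The server name and backup folder are assumptions for this example.

```powershell
# Added example (not from the original guide). Backs up every DRMS_* database
# on the RMS database server with a verified, copy-only backup.
$SqlServer = 'SQL01'          # assumed RMS database server
$BackupDir = 'D:\RMSBackup'   # assumed folder; the path is resolved on the SQL Server, not on this computer

# Windows RMS 1.0 names its databases DRMS_Config_<cluster>_80,
# DRMS_DirectoryServices_<cluster>_80 and DRMS_Logging_<cluster>_80.
# Narrow the LIKE filter to 'DRMS[_]Config%' if you really want only the configuration database.
$listSql = "SET NOCOUNT ON; SELECT name FROM sys.databases WHERE name LIKE 'DRMS[_]%';"
$dbNames = & sqlcmd.exe -S $SqlServer -E -h -1 -W -Q $listSql |
           Where-Object { $_ -and $_.Trim() -ne '' }          # drop blank lines

if (-not $dbNames) { throw "No DRMS_* databases found on $SqlServer" }

$stamp = Get-Date -Format 'yyyyMMdd_HHmm'
foreach ($db in $dbNames) {
    $file = Join-Path $BackupDir ("{0}_{1}.bak" -f $db, $stamp)

    # COPY_ONLY leaves any existing differential/log backup chain undisturbed.
    # CHECKSUM plus RESTORE VERIFYONLY catches a corrupt backup now, while the
    # old server still exists, instead of after it has been decommissioned.
    $backupSql = "BACKUP DATABASE [$db] TO DISK = N'$file' " +
                 "WITH COPY_ONLY, INIT, CHECKSUM, NAME = N'$db pre-migration'; " +
                 "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM;"

    # -b makes sqlcmd return a non-zero exit code on a T-SQL error
    & sqlcmd.exe -S $SqlServer -E -b -Q $backupSql
    if ($LASTEXITCODE -ne 0) { throw "Backup of $db failed (sqlcmd exit code $LASTEXITCODE)" }
    Write-Host "Backed up and verified $db to $file"
}
```

Copy the resulting .bak files off the SQL Server together with the TPD export from the next section; the TPD password and the backups should not sit on the same media.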

Export SLC, TUD, TPD and RMS private key

In the most common scenario, when you provisioned the RMS servers you selected the Use the default software-based private key protection check box in RMS Global Administration, so the RMS cluster private key is encrypted and stored in the configuration database and is included in the trusted publishing domain export described below. If you are using an HSM-based key, follow your HSM vendor's documentation for RMS to export the key.

To export a trusted user domain

  1. Log on to a node of the RMS cluster (RMS01 or RMS02 in this guide) with a user account that is a member of the local Administrators group.

  2. Click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration to open the Global Administration page. Click Administer RMS on this Web site, and then, in the Administration links area, click Trust policies.

  3. On the Trust Policies page, in the Trusted user domains area, click Export.

    The File Download dialog box appears.

  4. Click Save.

    The Save As dialog box appears. It is recommended that you change the .bin file name to include the name of your server, such as RMS_RMS01_LicensorCert.bin. The file is saved to the desktop by default; you can specify a different location if you want. The exported .bin file is the cluster's server licensor certificate, which is what the new AD RMS cluster will import as a trusted user domain.

  5. Click Save to save the file to the location you specified.

Next, we will look at how to export the trusted publishing domain (TPD).

To export a trusted publishing domain

  1. Log on to RMS Cluster (RMS01 or RMS02) with a user account that is a member of the local Administrators group.

  2. Open the Global Administration page.

    To open the Global Administration page, click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration.

  3. Next to the Web site from which you want to export the trusted publishing domain, click Administer RMS on this Web site.

  4. In the Administration links area, click Trust policies.

  5. In the Trust Policies page, in the Trusted publishing domains area, click Export next to the key container for this RMS cluster.

    The Trusted publishing domain export dialog box appears.

  6. Type the password that will be used to encrypt the trusted publishing domain file.

    You will need this password to import this file into another RMS or AD RMS cluster. Use a strong password: the file contains the cluster's private key, and anyone who obtains both the file and the password can issue licenses for all content protected by this cluster.

  7. Enter the password again to confirm that you entered the password you wanted to use.

  8. Type the path and file name to be used for the trusted publishing domain .xml file. Make sure you specify the .xml file name extension.

  9. Click Export to create the trusted publishing domain file.

On an AD RMS cluster running Windows Server 2008 R2, you can also export a TPD from Windows PowerShell with the Export-RmsTPD cmdlet; Windows RMS 1.0 has no PowerShell provider, so for the old cluster use the Web administration page as described above. For more information, see Exporting a Trusted Publishing Domain.

Backup the RMS pipelines

Next, back up the security settings configured on the RMS pipelines (the virtual directories under _wmcs).

To back up the RMS pipelines

  1. Log on to a node of the RMS cluster (RMS01 or RMS02) with a user account that is a member of the local Administrators group.

  2. Open Windows Explorer and navigate to the \Inetpub\wwwroot\_wmcs folder, usually C:\Inetpub\wwwroot\_wmcs.

  3. Make a backup copy of all subfolders and files under the _wmcs folder, and store the backup in a safe and secure location.

Remove the current Service Connection Point (SCP)

Only one SCP for AD RMS can exist in your Active Directory forest. If you try to install AD RMS and an SCP already exists in your forest from a previous RMS installation that was not properly deprovisioned, AD RMS will install as a subenrolled licensing-only cluster, which will not enable you to deprovision the existing RMS cluster. The SCP must therefore be removed before you can install the new AD RMS cluster.

An SCP can be viewed with ADSI Edit or LDP. To view the SCP, connect to the Configuration naming context in ADSI Edit and navigate to CN=Services, CN=RightsManagementServices, CN=SCP.

The easiest way to remove the SCP is through the RMS administration console. You can also remove an SCP with the ADScpRegister.exe tool included in the original RMS Administration Toolkit, which you can download from here: Microsoft Download Center: Rights Management Services Administration Toolkit with SP2.

To unregister the current Service Connection Point (SCP)

  1. Log on to a node of the Windows RMS cluster with an account that is a member of the Enterprise Admins group.

  2. Open the RMS administration console.

  3. Click RMS Service Connection Point, and then click Unregister URL.

    The SCP is now unregistered for the Windows RMS cluster.

  4. In Active Directory Sites and Services (with Show Services Node enabled on the View menu), verify that the RightsManagementServices container and its SCP object under Services are gone after you unregister the URL. If they are still present after replication has completed, remove them as described in the following note.

Note

If company policy prevents an Enterprise Admin (EA) from logging on to the RMS cluster, an EA can instead delete the SCP object from Active Directory directly (for example, with ADSI Edit), or edit its serviceBindingInformation value manually.

Disable IRM protection in Exchange and SharePoint services

To disable IRM protection in Exchange Server 2010 you may need to disable two settings: IRM on the Client Access servers that serve your organization, and IRM for internal messages sent through your Exchange Server 2010 deployment.

To disable IRM on a client access server for an Exchange 2010 organization

In Microsoft Exchange Server 2010, Information Rights Management (IRM) is enabled by default for internal messages. This allows you to create transport protection rules and Microsoft Outlook protection rules to IRM-protect messages in transport and on Microsoft Outlook 2010 clients. Enabling IRM for internal messages is a prerequisite for all other IRM features in Exchange 2010, such as transport decryption, journal rule decryption, IRM in Microsoft Office Outlook Web App, and IRM in Microsoft Exchange ActiveSync.

To disable IRM for internal messages

To disable the IRM integration on SharePoint servers

  1. Log on to the SharePoint server as a portal (farm) administrator.

  2. Open the SharePoint Central Administration (CA) console.

    To open the SharePoint CA console, click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.

  3. Click Operations, click Information Rights Management, select the Do not use IRM on this server option, and then click OK.

Tip

Alternatively, Windows PowerShell cmdlets can be used to manage SharePoint document libraries. For more information, see Use PowerShell Cmdlets to Manage SharePoint Document Libraries.

Plan and design the configuration of the new SQL Server database server cluster for AD RMS

AD RMS stores its state in three SQL Server databases: the configuration database, the directory services database, and the logging database. SQL Server also provides two high availability technologies, failover clustering and log shipping, that can be used in conjunction with AD RMS.

For more about planning and designing how to use and work with these databases and technologies, see AD RMS and Database Design.

Prepare the new AD RMS root cluster

On the computer that will be the first server of the new AD RMS cluster, install Windows Server 2008 or Windows Server 2008 R2. Next, follow the guidance provided in the AD RMS Step-by-Step Guide to prepare the new AD RMS root cluster.

Update the DNS name for the old cluster to point to the load balanced VIP of the new cluster

Updating the DNS name for the old RMS cluster to point to the load balanced VIP of the new AD RMS cluster is done so that any clients that will request licenses for old content will go to the new cluster.

Alternatively, Office clients could use the LicenseServerRedirection registry overrides to point clients to the new URL to license content protected with the old cluster, but this alternative is not always available for other applications. Registry-based policy settings (which are located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. For a sample of an ADMX file that can used to deploy AD RMS registry settings using Group Policy, see Appendix A: ADMX for deploying AD RMS registry overrides through GPO.

Configure a GPO to add the new ADRMS cluster URL to the Trusted Sites zone in Internet Explorer

Group Policy Preferences can be used to add the AD RMS URL to the Trusted Sites zone in Internet Explorer.

To configure a GPO to add the new AD RMS cluster URL to the Trusted Sites zone

  1. On a reference computer, create the registry entries manually as described in the following note.

Note

The reference computer does not need to be one of the computers that will receive the settings; the Registry wizard only reads the entries from it. To create the entries, open Registry Editor (regedit.exe) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Internet Explorer stores a site-to-zone assignment as a key named after the domain, a subkey named after the host, and under it a REG_DWORD value named after the URL scheme whose data is the zone number. For a cluster URL of https://irm.contoso.com, create the key contoso.com, under it the key irm, and under that a REG_DWORD (32-bit) value named https with data 2 (Trusted sites). Repeat this for the old Windows RMS cluster name if clients will still license old content through it.

  2. Launch Group Policy Management Console (GPMC).

Note

GPMC is not installed by default, but it can be run from the same computer you used as the reference computer in the previous step. For more information on GPMC, see Group Policy Management Console.

  3. Select the Internet Explorer GPO, and then click Edit.

  4. Navigate to User Configuration\Preferences\Windows Settings\Registry.

  5. Right-click Registry, point to New, and then click Registry Wizard.

  6. Select Local computer if you are running GPMC on the reference computer from step 1; otherwise, select Another computer and specify the name of the reference computer.

  7. Follow the wizard and select the entries you created in step 1 under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains.

  8. Click Finish to complete the wizard.

    You can later open the properties of these preference items and use item-level targeting if only certain Active Directory groups need these IRM settings applied.

  9. Wait for (or force) replication to all domain controllers, and then run gpupdate /force on the computers in question. Because these are user preferences, the user must log off and log on again (or restart the computer) for them to take effect.
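To create the reference entries without hand-editing the registry, and to read them back on a client to confirm the preference item arrived, the following PowerShell script is an added example (not part of the original guide). It writes the same ZoneMap structure described in the note above for any fully qualified host name; the host names used are assumptions for this example.

```powershell
# Added example (not from the original guide). Adds a host to Internet
# Explorer's Trusted sites zone (zone 2) for the current user by writing
# HKCU\...\ZoneMap\Domains\<domain>\<host>\<scheme> = 2.

function Get-ZoneMapKey {
    param([Parameter(Mandatory=$true)][string]$HostName)
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Use a fully qualified host name, got '$HostName'" }
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    # Last two labels form the domain key (contoso.com); anything in front
    # becomes the host subkey (irm). A bare domain gets its values directly
    # under the domain key, which is how IE stores it too.
    $key = Join-Path $base ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) { $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.') }
    return $key
}

function Add-TrustedSite {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [string[]]$Schemes = @('https')      # add 'http' only if the cluster still answers over HTTP
    )
    $key = Get-ZoneMapKey $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($scheme in $Schemes) {
        New-ItemProperty -Path $key -Name $scheme -PropertyType DWord -Value 2 -Force | Out-Null
    }
    return $key
}

function Get-TrustedSiteZone {
    # Returns the zone number for the host/scheme, or $null if no assignment exists.
    param([Parameter(Mandatory=$true)][string]$HostName, [string]$Scheme = 'https')
    $key = Get-ZoneMapKey $HostName
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.$Scheme } else { return $null }
}

# Assumed names: new AD RMS cluster and old Windows RMS cluster (still used
# for licensing old content until its DNS name is repointed).
Add-TrustedSite -HostName 'irm.contoso.com'
Add-TrustedSite -HostName 'rms.contoso.com'

foreach ($h in 'irm.contoso.com', 'rms.contoso.com') {
    $zone = Get-TrustedSiteZone -HostName $h
    if ($zone -ne 2) { Write-Warning "$h is not in the Trusted sites zone (zone = $zone)" }
    else { Write-Host "$h -> zone $zone (Trusted sites)" }
}
```

Run Add-TrustedSite on the reference computer before step 1, and Get-TrustedSiteZone on a client after gpupdate to confirm the value is 2. Note that the Group Policy setting Site to Zone Assignment List (Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page) is an alternative to preferences, but it replaces and locks the user's entire Trusted sites list, so prefer the preference item when users maintain their own entries.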

Configure a SSL certificate in the cluster to support both the new and old URLs

A new Subject Alternative Name (SAN) certificate containing both the old Windows RMS URL and the new AD RMS URL should be installed on every node that will be part of the AD RMS cluster. Do this before you register the SCP for the new cluster, so that the SCP is registered only once SSL is working.

Additionally, you will also need to map the DNS name for the old cluster to the new cluster so clients acquiring licenses for old content will go to the new cluster.

Import the SAN certificate into the local certificate store for all computers in your AD RMS deployment and then update the SSL bindings in Internet Information Services (IIS).

To update SSL bindings to support your AD RMS cluster in IIS Manager

  1. Log on to the AD RMS server with a user account that is a member of the local Administrators group.

  2. Open the IIS Manager console.

    To open the console, click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  3. In the console tree, click Default Web Site.

  4. In the Actions pane, click Bindings.

  5. Select the https binding (add one on port 443 if none exists), click Edit, and in the SSL certificate drop-down list select the SAN certificate you just imported. Click OK, and then click Close.

  6. On the Default Web Site Home page, double-click SSL Settings.

  7. On the SSL Settings page, select Require SSL and, under Client certificates, select Ignore.

  8. In the Actions pane, click Apply.

  9. Repeat these steps on every node of the AD RMS cluster.
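On Windows Server 2008 R2 the same binding can be done, and more importantly checked, from PowerShell with the WebAdministration module that ships with IIS 7.5. The following script is an added example (not part of the original guide): it locates a certificate in the machine store whose subject or SAN covers both cluster names, binds it to port 443 on the Default Web Site, and sets Require SSL with client certificates ignored. The two host names are assumptions for this example.

```powershell
# Added example (not from the original guide). Run on each AD RMS node after
# the SAN certificate (with its private key) has been imported into LocalMachine\My.
Import-Module WebAdministration

$requiredNames = 'rms.contoso.com', 'irm.contoso.com'   # assumed: old RMS URL, new AD RMS URL

function Get-CertificateDnsNames {
    # Returns the CN of the subject plus every DNS Name in the Subject
    # Alternative Name extension (OID 2.5.29.17), lower-cased.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    return $names | ForEach-Object { $_.ToLower() } | Select-Object -Unique
}

function Find-ClusterCertificate {
    # Newest unexpired certificate with a private key that names every required host.
    param([string[]]$Names)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Where-Object {
            $have = Get-CertificateDnsNames $_
            @($Names | Where-Object { $have -notcontains $_.ToLower() }).Count -eq 0
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Find-ClusterCertificate -Names $requiredNames
if (-not $cert) { throw "No certificate in LocalMachine\My covers: $($requiredNames -join ', ')" }

# HTTPS binding on the Default Web Site, which hosts the _wmcs pipelines.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}

# Attach the certificate to 0.0.0.0:443, replacing any previous one.
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $sslBinding | Out-Null

# Require SSL and ignore client certificates (sslFlags = Ssl).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site' `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

Write-Host ("Bound {0} (expires {1:d}) to 0.0.0.0:443 for {2}" -f
    $cert.Thumbprint, $cert.NotAfter, ($requiredNames -join ', '))
```

The name check matters more than the binding itself: if the certificate only carries the new name, clients that reach the cluster through the old DNS name (after it is repointed) get a certificate name mismatch and silently fail to acquire licenses for old content.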

Reduce the TTL interval for DNS resource records that support your RMS cluster

Next, reduce the Time-to-Live (TTL) interval of the DNS resource records for the IRM URLs, in both your internal and external DNS namespaces. The TTL determines how long resolvers and clients may cache a record before they query for it again.

Because you are transitioning to a new cluster, lower the TTL at least one full old-TTL period before you change the records themselves. Otherwise, clients that have cached the old address keep using the old cluster for up to the old TTL after the cutover, and you have to keep both clusters answering during that window. To adjust the TTL of an individual resource record, enable Advanced view in the DNS console. For more information, see Modify an existing resource record in a zone.
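The TTL reduction here and the later repointing of the old cluster name (section "Update the DNS name for the old cluster to point to the load balanced VIP of the new cluster") are two edits to the same A records, so one script covers both. The following PowerShell is an added example (not part of the original guide) that uses the MicrosoftDNS WMI provider available on Windows Server 2003 and 2008 DNS servers; the DNS server, zone, host names and VIP are assumptions for this example. Your external DNS provider's records need the same treatment through whatever interface it offers.

```powershell
# Added example (not from the original guide). Phase 1 lowers the TTL of the
# cluster host records; phase 2 (run at cutover) points the old cluster
# name at the new cluster's load-balanced VIP.

function Get-DnsARecord {
    param([string]$DnsServer, [string]$Zone, [string]$Fqdn)
    Get-WmiObject -ComputerName $DnsServer -Namespace 'root\MicrosoftDNS' `
        -Class MicrosoftDNS_AType `
        -Filter "ContainerName='$Zone' AND OwnerName='$Fqdn'"
}

function Set-DnsARecord {
    # MicrosoftDNS_AType.Modify(TTL, IPAddress) rewrites the record in place.
    # Without -IPAddress only the TTL changes; with it the address changes too.
    param(
        [string]$DnsServer, [string]$Zone, [string]$Fqdn,
        [int]$Ttl, [string]$IPAddress
    )
    $records = @(Get-DnsARecord $DnsServer $Zone $Fqdn)
    if ($records.Count -eq 0) { throw "No A record for $Fqdn in zone $Zone on $DnsServer" }
    foreach ($rr in $records) {
        $ip = if ($IPAddress) { $IPAddress } else { $rr.IPAddress }
        $rr.Modify($Ttl, $ip) | Out-Null
    }
    # Read back so the caller sees what the server now holds.
    Get-DnsARecord $DnsServer $Zone $Fqdn | Select-Object OwnerName, IPAddress, TTL
}

# Assumed values for this example
$dns  = 'DC01'               # DNS server hosting the zone
$zone = 'contoso.com'
$old  = 'rms.contoso.com'    # Windows RMS cluster name
$new  = 'irm.contoso.com'    # AD RMS cluster name
$vip  = '10.0.0.50'          # load-balanced VIP of the new AD RMS cluster

# Phase 1, at least one old-TTL period before cutover: shorten caching to 5 minutes.
Set-DnsARecord $dns $zone $old -Ttl 300
Set-DnsARecord $dns $zone $new -Ttl 300

# Phase 2, at cutover: old name now resolves to the new cluster. Uncomment when ready.
# Set-DnsARecord $dns $zone $old -Ttl 300 -IPAddress $vip

# Confirm from a client's point of view (uses the resolver, so cached answers show up).
nslookup $old
```

Leave the TTL low until the old cluster is decommissioned; you can raise it again afterwards with the same function.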

Re-register the SCP with the new URL of the ADRMS cluster

The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services.

The AD RMS SCP can be registered automatically during AD RMS installation, or it can be registered after installation has completed. To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority. If the user account installing AD RMS does not have permission to register the SCP you will see Event ID: 190 in the Event Viewer. To manually register the SCP, use the following procedures.

To register the SCP using the AD RMS console

  1. Open the Active Directory Rights Management Services console.

    Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  2. Right-click the AD RMS cluster, and then click Properties.

  3. Click the SCP tab.

  4. Select the Change SCP check box.

  5. Select the Set SCP to current certification cluster option, and then click OK.

To register the SCP using Windows PowerShell

  • At the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\ -Name ScpUrl -Value <SCP_address>
    

    where <drive> is the name of the Windows PowerShell drive, and <SCP_address> is the address of the service connection point being registered.

For example, if you have created a Windows PowerShell drive named Z:, to register the SCP as a secure sockets layer (SSL) URL for a server named rms.contoso.com, type:

Set-ItemProperty -Path Z:\ -Name ScpUrl -Value https://rms.contoso.com:443/_wmcs/certification

Note

If a client computer is not located within the Active Directory Forest, you must use registry keys to point the AD RMS client to the AD RMS cluster. These registry keys are created in HKEY_Local_Machine\Software\Microsoft\MSDRM\ServiceLocation. Create a key called Activation with the value of http(s)://<your_cluster>/_wmcs/certification where <your_cluster> is the URL of the root cluster used for certification.
If you are registering the SCP from an AD RMS cluster in a child domain you may receive an error stating that SCP registration failed. In many cases, the registration was successful, but the registration first takes place in the top-level domain and it takes time to replicate to the child domain where the AD RMS cluster checks for the SCP object. Once the SCP has been replicated to all global catalog servers in the forest, the message will no longer appear.
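Because a stale SCP turns the new installation into a subenrolled licensing-only cluster (see "Remove the current Service Connection Point (SCP)" above), it is worth checking the object in Active Directory directly rather than trusting either console. The following PowerShell is an added example, not part of the original guide, that serves both that section and this one: it reads and removes the old SCP through ADSI, then registers the new one through the AD RMS PowerShell provider and reads back what the directory actually holds. The cluster URL is an assumption for this example.

```powershell
# Added example (not from the original guide). Inspect, remove and
# re-register the RMS/AD RMS service connection point.

function Get-RmsScpDn {
    # The SCP is a serviceConnectionPoint object at a fixed location:
    # CN=SCP,CN=RightsManagementServices,CN=Services,CN=Configuration,<forest root>
    $cfgNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    return "CN=SCP,CN=RightsManagementServices,CN=Services,$cfgNc"
}

function Get-RmsScpUrl {
    # Returns the URL stored in serviceBindingInformation, or $null if no SCP exists.
    $dn = Get-RmsScpDn
    if (-not [ADSI]::Exists("LDAP://$dn")) { return $null }
    $scp = [ADSI]"LDAP://$dn"
    return [string]$scp.serviceBindingInformation.Value
}

function Remove-RmsScp {
    # Requires Enterprise Admins (or delegated rights on the container).
    # Deletes only the SCP object; the empty RightsManagementServices container
    # is harmless and is reused when the new cluster registers its SCP.
    $dn = Get-RmsScpDn
    if (-not [ADSI]::Exists("LDAP://$dn")) { Write-Host 'No SCP present; nothing to remove'; return $false }
    $scp = [ADSI]"LDAP://$dn"
    Write-Host "Removing SCP that points at $($scp.serviceBindingInformation.Value)"
    $scp.DeleteTree()
    return $true
}

# --- Before installing the new cluster (run as Enterprise Admin) ---
Remove-RmsScp | Out-Null
if (Get-RmsScpUrl) { throw 'SCP still present; check replication and your permissions on the container' }

# --- After the new cluster is installed with working HTTPS (run on a cluster
#     node as AD RMS Enterprise Administrator and AD DS Enterprise Admin) ---
$scpUrl = 'https://irm.contoso.com:443/_wmcs/certification'     # assumed new cluster
if ($scpUrl -notlike 'https://*') { throw 'Register the SCP only with an HTTPS URL' }

Import-Module AdRmsAdmin
New-PSDrive -Name Z -PSProvider AdRmsAdmin -Root 'https://irm.contoso.com' | Out-Null
Set-ItemProperty -Path Z:\ -Name ScpUrl -Value $scpUrl

# Verify against the directory. From a child domain the object is written in
# the forest root first, so a mismatch right after registration usually means
# replication has not caught up yet: re-run this check rather than re-register.
$actual = Get-RmsScpUrl
if ($actual -eq $scpUrl) { Write-Host "SCP registered: $actual" }
else { Write-Warning "Directory holds '$actual', expected '$scpUrl' (replication pending?)" }
```

Get-RmsScpUrl is also a useful probe from any domain-joined client: it shows exactly the URL the AD RMS client will discover, which is what Exchange and SharePoint will use once IRM is re-enabled.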

Import the TPD file into the AD RMS cluster

Import the Trusted Publishing Domain (TPD) file that was exported previously from the RMS cluster into the new AD RMS cluster. To do so, use the AD RMS console and the following procedure.

To import a TPD file into an AD RMS cluster

  1. Open the Active Directory Rights Management Services console.

    Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  2. In the console tree, expand Trust Policies, and then click Trusted Publishing Domains.

  3. In the Actions pane, click Import Trusted Publishing Domain.

  4. In Trusted Publishing Domain file, type the path to the trusted publishing domain file or click Browse to locate it.

    This file contains the licensor certificate, private key (if the key is stored in software), and rights policy templates. This file is encrypted.

  5. In Password, type the password required to decrypt this file.

  6. In Display name, type a name to identify this trusted publishing domain.

  7. Click Finish.

Next, import the Trusted User Domain (TUD) of the previous RMS installation, so that certificates issued by the old cluster remain trusted by the new one. The TUD for that installation should already be exported and available. For more information about exporting a TUD, see Export a Trusted User Domain.

To import a TUD file into an AD RMS cluster

  1. Open the Active Directory Rights Management Services console.

    Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  2. In the console tree, expand Trust Policies, and then click Trusted User Domains.

  3. In the Actions pane, click Import Trusted User Domain.

  4. In Trusted User Domain file, type the path to the exported server licensor certificate of the user domain to trust or click Browse to locate it.

  5. In Display name, type a name to identify this trusted user domain.

  6. Click Finish.
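Both imports can also be done from Windows PowerShell on the Windows Server 2008 R2 cluster, which makes it easy to verify the result and to clean up the key material afterwards. The following script is an added example, not part of the original guide. The file paths, display names and cluster URL are assumptions for this example; the cmdlet parameters used (-Path, -SourceFile, -DisplayName, -Password) are the ones documented for the AD RMS provider, and Get-Help Import-RmsTPD shows them if your build differs.

```powershell
# Added example (not from the original guide). Import the TPD and TUD that
# were exported from the old Windows RMS cluster (step 2 of the checklist).
Import-Module AdRmsAdmin
New-PSDrive -Name Z -PSProvider AdRmsAdmin -Root 'https://irm.contoso.com' | Out-Null

$tpdFile = 'C:\Migration\RMS_RMS01_TPD.xml'            # assumed: encrypted TPD (SLC, private key, templates)
$tudFile = 'C:\Migration\RMS_RMS01_LicensorCert.bin'   # assumed: exported SLC, i.e. the TUD

foreach ($f in $tpdFile, $tudFile) {
    if (-not (Test-Path $f)) { throw "Export file not found: $f" }
}

# The password is prompted rather than stored in the script: with it, the TPD
# file is the old cluster's private key.
$pw = Read-Host -Prompt 'TPD export password' -AsSecureString

Import-RmsTPD -Path Z:\TrustPolicy\TrustedPublishingDomain -SourceFile $tpdFile `
    -DisplayName 'Windows RMS cluster (migrated)' -Password $pw

# Trusting the old cluster's SLC as a user domain makes the new cluster accept
# rights account certificates that the old cluster issued.
Import-RmsTUD -Path Z:\TrustPolicy\TrustedUserDomain -SourceFile $tudFile `
    -DisplayName 'Windows RMS cluster users'

Write-Host 'Trusted publishing domains now on the cluster:'
Get-ChildItem Z:\TrustPolicy\TrustedPublishingDomain | Format-Table -AutoSize
Write-Host 'Trusted user domains now on the cluster:'
Get-ChildItem Z:\TrustPolicy\TrustedUserDomain | Format-Table -AutoSize

# Once the import has been verified, the TPD file has no further use on this
# node. Remove-Item only unlinks it; if policy requires, wipe it with your
# approved tool and keep the archived copy under the same controls as an HSM key.
Remove-Item $tpdFile
```

Keep the archived copy of the TPD and its password separate from each other and from the database backups: together they are sufficient to decrypt every document the old cluster ever protected.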

Configure the cluster URL to use HTTPS

If the same cluster URL is to be used for both internal and external access, and to secure communication between clients and servers, configure the AD RMS cluster URL to use HTTPS.

Update the proxy/firewall rule to point to the new ADRMS Cluster

If you are using the same proxy or firewall server for the new AD RMS cluster, then update the existing ISA rule to point to the new AD RMS server. Otherwise the old rule should be disabled and a similar rule should be created and enabled on the proxy/firewall used for the new AD RMS cluster.

For more information on how to configure the ISA Server to support AD RMS, see Step 2: Installing and Configuring ISA-SRV in the AD RMS Deployment in an Extranet Step-by-Step Guide.

Create rights policy templates for the new AD RMS cluster

While the existing rights policy templates from the old RMS cluster will be imported as part of the TPD import, those templates will be set as "Archived" in the new cluster and as such will not be available to be used for protecting new content. Therefore, rights policy templates will need to be created again with identical properties and a slightly different name to avoid name conflicts. Users will only see the new templates after they have been deployed.

To ease administration of the rights policy templates, AD RMS in Windows Server 2008 introduced a rights policy template creation wizard that you can use as described in the following procedure.

To create new AD RMS rights policy templates

  1. Log on to the AD RMS server with a user account that is a member of the AD RMS Enterprise Administrators group.

  2. Open the AD RMS administration console.

    To open the AD RMS administration console, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. In the console tree, expand the AD RMS cluster name.

  5. Right-click Rights Policy Templates, and then click Properties.

  6. Select the Enable export check box, type \\adrmssharedserver\public in the Specify templates file location (UNC) box, and then click OK.

  7. In the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy Template wizard.

  8. Click Add.

  9. In the Language box, choose the appropriate language for the rights policy template.

  10. Type the new name in the Name box.

    It should be similar to the name of the corresponding template in the old cluster, but must differ in at least one character to avoid conflicting with the imported templates.

  11. Type a description identical to the one in the old template in the Description box, and then click Add.

  12. Click Next.

  13. Click Add, and add the same email addresses and rights used in the old templates. Enter the same properties used in the existing templates.

  14. Click Finish.
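When the old cluster had more than a handful of templates, re-creating them by hand in the wizard invites transcription errors in the rights and groups. The following PowerShell is an added example, not part of the original guide, that creates the replacement templates through the AD RMS provider from a list of properties copied from the old templates. The cluster URL, template names, group addresses and rights are constructed for this example; the New-Item parameters used (-LocaleName, -DisplayName, -Description, -UserGroup, -Right) are those documented for the provider's RightsPolicyTemplate container, and Get-Help New-Item -Path Z:\RightsPolicyTemplate shows them if your build differs.

```powershell
# Added example (not from the original guide). Re-create the archived
# (imported) templates as new distributed templates with a suffixed name.
Import-Module AdRmsAdmin
New-PSDrive -Name Z -PSProvider AdRmsAdmin -Root 'https://irm.contoso.com' | Out-Null

# Constructed list: copy these properties from each template of the old cluster.
$templates = @(
    @{ OldName = 'Contoso Confidential';  Group = 'allstaff@contoso.com'; Rights = @('View') },
    @{ OldName = 'Contoso Finance Only';  Group = 'finance@contoso.com';  Rights = @('View', 'Edit', 'Print') }
)

# Names of templates already on the cluster, so the script can be re-run safely.
$existing = @(Get-ChildItem Z:\RightsPolicyTemplate | ForEach-Object { $_.DisplayName })

foreach ($t in $templates) {
    # Must differ from the archived original by at least one character.
    $newName = '{0} (v2)' -f $t.OldName
    if ($existing -contains $newName) { Write-Host "Skipping $newName (already exists)"; continue }

    New-Item -Path Z:\RightsPolicyTemplate `
        -LocaleName 'en-US' `
        -DisplayName $newName `
        -Description ('Migrated copy of "{0}"' -f $t.OldName) `
        -UserGroup $t.Group `
        -Right $t.Rights | Out-Null

    Write-Host ("Created '{0}' for {1}: {2}" -f $newName, $t.Group, ($t.Rights -join ', '))
}

Get-ChildItem Z:\RightsPolicyTemplate | Format-Table -AutoSize
```

Because users only see a template after it is deployed, the final listing is just a server-side check; the sections that follow cover getting the template files to the clients.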

Deploy the new AD RMS rights policy templates

After you have re-created the rights policy templates using AD RMS, you will need to re-deploy them as well. Refer to the following articles for more information on deploying rights policy templates.

Copy the new templates to shared folders

You will also want to copy the new templates to the existing shared folders for the co-existence and migration phase and for legacy client support.

For more information, you can refer to the procedures provided in the following blog post: Creating and Using Templates.

Configure a login script that will delete the DRM cache from user profiles

You will need to clear the DRM cache from the user profile for each user. The following login script can be used to accomplish this task.

@echo off
rem Clear the per-user MSDRM certificate and license caches (Windows XP profile layout)
del /q /f /s "%ALLUSERSPROFILE%\Application Data\Microsoft\DRM\Server\*.*"
del /q /f "%USERPROFILE%\Application Data\Microsoft\DRM\*.*"
del /q /f "%USERPROFILE%\Local Settings\Application Data\Microsoft\DRM\*.*"
rem Windows Vista/7: the XP paths above are junctions; use the real profile folders
if defined LOCALAPPDATA (
  del /q /f "%APPDATA%\Microsoft\DRM\*.*"
  del /q /f "%LOCALAPPDATA%\Microsoft\DRM\*.*"
  del /q /f /s "%ALLUSERSPROFILE%\Microsoft\DRM\Server\*.*"
)
rem Machine activation (lockbox) files: requires administrative rights and forces re-activation
del /q /f "%SYSTEMROOT%\system32\secrep.dll"
del /q /f "%SYSTEMROOT%\system32\secure*.sst"
attrib -h -s "%SYSTEMROOT%\system32\clockfile.drm"
del /q /f "%SYSTEMROOT%\system32\clockfile.drm"

Redistribute the templates to the client computers

You will then need to redistribute the new templates to client computers. You can do so with a logon script written in VBScript that handles both Windows XP and Windows 7 (for Windows 7 this is only needed if you do not enable the Task Scheduler job described below).

The following VBScript can be used to redistribute the templates.

' --------------------------------------------------------------------
' This is an example VBScript (.vbs) to copy the XML files to the AD RMS
' template locations for both Windows XP SP2 and Windows 7.
'
' Note that this script always copies the XML files to the location.
' You can improve the script to copy the files only when they do not exist
' or when they were updated, and add error checking. Make sure the firewall
' allows the file copy over the network.
' --------------------------------------------------------------------
Option Explicit

Dim Obj, objFileSys
Dim OSVersion
Dim ADRMSTemplatePath, ADRMSTemplatePathParent
Dim pathUserProfile, pathLocalAppData
Dim originalTemplatePath

' --------------------------------------------------------------------
' Change this file location for the AD RMS rights policy templates
' --------------------------------------------------------------------
originalTemplatePath = "\\WINRMS\RMS-Templates\*.xml"

Set Obj = WScript.CreateObject("WScript.Shell")
Set objFileSys = CreateObject("Scripting.FileSystemObject")

' CurrentVersion is a REG_SZ such as "5.1" (Windows XP) or "6.1" (Windows 7);
' compare it as a string, because a string never equals a number in VBScript.
OSVersion = Obj.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion")

' --------------------------------------------------------------------
' Check the operating system version, then create the directory and copy
' the files
' --------------------------------------------------------------------
If OSVersion = "5.1" Then ' Windows XP
    pathUserProfile = ExpandEnvironment("%USERPROFILE%")
    ADRMSTemplatePath = objFileSys.BuildPath(pathUserProfile, "Application Data\Microsoft\DRM\Templates")
    CreateFolderAndCopy ADRMSTemplatePath
ElseIf OSVersion = "6.1" Then ' Windows 7
    pathLocalAppData = ExpandEnvironment("%LocalAppData%")
    ADRMSTemplatePath = objFileSys.BuildPath(pathLocalAppData, "Microsoft\DRM\Templates")
    CreateFolderAndCopy ADRMSTemplatePath
Else ' add more versions if you wish
End If

Set Obj = Nothing
Set objFileSys = Nothing

' --------------------------------------------------------------------
' Create Folder and Copy subroutine
' --------------------------------------------------------------------
Sub CreateFolderAndCopy(Path)

    ADRMSTemplatePathParent = objFileSys.GetParentFolderName(Path)

    If Not objFileSys.FolderExists(Path) Then
        If Not objFileSys.FolderExists(ADRMSTemplatePathParent) Then
            objFileSys.CreateFolder ADRMSTemplatePathParent
        End If
        objFileSys.CreateFolder Path
    End If

    ' The trailing separator makes CopyFile treat Path as a folder; the third
    ' argument overwrites templates that already exist. Add error checking here.
    objFileSys.CopyFile originalTemplatePath, Path & "\", True

End Sub

' --------------------------------------------------------------------
' Get Environment Variable
' --------------------------------------------------------------------

Function ExpandEnvironment(Environment)

    On Error Resume Next
    Dim objWshShell

    Set objWshShell = WScript.CreateObject("WScript.Shell")
    If Err.Number = 0 Then
        ExpandEnvironment = objWshShell.ExpandEnvironmentStrings(Environment)
    Else
        WScript.Echo "Error: " & Err.Description
    End If

    Set objWshShell = Nothing
End Function

Note

For Windows 7 clients, the above VBScript is only required if you plan not to enable the Task Scheduler job in the following section.

Configure the Task Scheduler batch script for Windows 7 clients

Windows 7 clients include a Task Scheduler job that downloads the rights policy templates from the cluster's template distribution point automatically; it is disabled by default. The following command line can be added to a batch file or logon script to enable the job.

schtasks.exe /change /tn "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)" /enable

Update the IRM configuration for Microsoft Office SharePoint Server and Exchange Server

You will then need to update the IRM configuration for both Microsoft Office SharePoint Server and Exchange Server.

Enable IRM protection in Microsoft Office SharePoint Server

To enable the IRM protection in SharePoint Server, please refer to the instructions in Step 2: Configuring AD RMS to Work with SPS-SRV in AD RMS Deployment with Microsoft Office SharePoint Server 2007 Step-by-Step Guide.

Enable IRM protection in Exchange Server

To work with IRM protection in Exchange Server, please refer to the following TechNet Library topics for Exchange Server.
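The two Exchange Server 2010 settings involved are the same ones you switched off in "Disable IRM protection in Exchange and SharePoint services", so a single function serves both that section and this one. The following PowerShell is an added example, not part of the original guide, to be run in the Exchange Management Shell; the sender address used for the end-to-end test is an assumption for this example.

```powershell
# Added example (not from the original guide). Run in the Exchange Management
# Shell on an Exchange Server 2010 server.

function Set-ExchangeIrmState {
    param([Parameter(Mandatory=$true)][bool]$Enabled)
    # InternalLicensingEnabled controls IRM for internal messages, the
    # prerequisite for transport and Outlook protection rules, transport and
    # journal report decryption, and IRM in Outlook Web App and ActiveSync.
    # ClientAccessServerEnabled controls IRM in OWA/EAS on Client Access servers.
    Set-IRMConfiguration -InternalLicensingEnabled $Enabled -ClientAccessServerEnabled $Enabled
    Get-IRMConfiguration |
        Select-Object InternalLicensingEnabled, ClientAccessServerEnabled,
                      ExternalLicensingEnabled, TransportDecryptionSetting
}

# Step "Disable IRM protection in Exchange": before the old SCP is removed.
Set-ExchangeIrmState -Enabled $false

# Step "Update the IRM configuration for Exchange Server": only after the new
# cluster's SCP is registered and has replicated, because Exchange locates the
# cluster through the SCP.
Set-ExchangeIrmState -Enabled $true

# End-to-end check: certification and licensing against the cluster the SCP
# now points to. A failure here usually means the SCP is still stale or the
# Exchange servers lack the required permissions on the new cluster.
Test-IRMConfiguration -Sender 'administrator@contoso.com' | Format-List
```

Repeat Test-IRMConfiguration from each Active Directory site that has Exchange servers; a site whose domain controllers have not yet received the new SCP will still resolve the old cluster.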

Verifying AD RMS Functionality

Once you have completed the reconfiguration and re-deployment tasks, you are ready to verify that AD RMS functionality is working well. To verify AD RMS functionality, follow the procedures to protect an Office document and then try to consume it as described in Step 5: Verifying AD RMS Functionality in the AD RMS with AD FS Identity Federation Step-by-Step Guide.

Decommission the old RMS infrastructure

At this point the original RMS cluster is no longer being used, so the nodes and the database server holding its data can be shut down and decommissioned. For more information on how to decommission your old RMS infrastructure, see Decommissioning RMS.

Additional Resources

The following additional resources can be useful to you in planning and migrating from an RMS infrastructure to a new AD RMS infrastructure.