Changing the RMS Service Account Password

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Depending on the password policy specified for the RMS servers, the RMS service account password may periodically expire. If the password expires, RMS will stop functioning. Therefore, you must change the password before it expires.

Using One RMS Service Account

When you are using one RMS service account, you can change the password on each RMS server as follows:

  1. If the server is in a cluster, temporarily take the server out of the load-balancing rotation by stopping the cluster service on the server.

  2. Log on to the server by using the credentials of the RMS service account.

  3. Change the RMS service account password.

    Important

    The other servers that use the same RMS service account will experience a service outage because the credentials that are stored by these servers will be invalid after the password is changed.

  4. Log off the server.

  5. Log on to the server again by using RMS administrator credentials.

  6. To reconfigure the user identity on the server, on the Global Administration page, click Change RMS Service Account, and then, on the Change RMS Service Account page, specify the domain, user name, and password.

  7. Restart IIS.

  8. If applicable, put the server back into rotation by starting the cluster service on the server.

  9. Repeat step 6 through step 8 for each of the RMS servers in the cluster.

This is the simplest approach to changing the RMS service account password. However, it can result in some downtime for RMS, because Active Directory is updated with the new password as soon as you change the RMS service account password on a server. IIS periodically restarts the application pools, and any application pool that is still running under the old credentials cannot start until you change the RMS service account password and restart IIS on that server. RMS cannot function until the application pools start running again.

Using Two RMS Service Accounts

With this method, first create two RMS service accounts that have different expiration policies or dates. During normal operations, RMS runs under the first account. When you are ready to change the service account password for the first account, take the following steps on each RMS server:

  1. If the server is in a cluster, take the server out of rotation by stopping the cluster service on the server.

  2. Specify the second RMS service account as the account under which to run RMS. For instructions on changing the account, see "Changing the RMS Service Account" later in this subject.

  3. Restart IIS.

  4. If applicable, put the server back into rotation by starting the cluster service on the server.

Once all of the RMS servers are using the second RMS service account, you can change the password on the first RMS service account without affecting the operation of the RMS system. You can switch back and forth between the two accounts in this manner, thereby avoiding downtime for RMS.
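
Both methods depend on acting before the password expires. The following PowerShell script is an added example, not part of the original article: it reads the domain password policy and reports how many days remain for each RMS service account. It assumes the hypothetical account names `rms-svc-a` and `rms-svc-b`, that only the domain-wide `maxPwdAge` policy applies, and that it is run from a domain-joined computer with PowerShell installed.

```powershell
# Added example, not from the original article. Account names are hypothetical.
$accounts = 'rms-svc-a', 'rms-svc-b'
$warnDays = 14   # assumed lead time for scheduling the change

function Get-PasswordExpiry {
    param([long]$PwdLastSet, [long]$MaxPwdAge, [int]$UserAccountControl)
    # 0x10000 = DONT_EXPIRE_PASSWORD: the policy does not apply to this account
    if ($UserAccountControl -band 0x10000) { return $null }
    # 0 or Int64.MinValue in maxPwdAge means passwords never expire in the domain
    if ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [long]::MinValue) { return $null }
    # pwdLastSet = 0 means "must change at next logon": treat as already expired
    if ($PwdLastSet -eq 0) { return [datetime]::MinValue }
    # maxPwdAge is a negative count of 100-ns ticks, so negate it before adding
    return [datetime]::FromFileTimeUtc($PwdLastSet).AddTicks(-$MaxPwdAge)
}

# Read maxPwdAge from the domain root (default search root = current domain)
$d = New-Object System.DirectoryServices.DirectorySearcher
$d.SearchScope = 'Base'
$d.Filter = '(objectClass=domainDNS)'
[void]$d.PropertiesToLoad.Add('maxPwdAge')
$maxPwdAge = [long]$d.FindOne().Properties['maxpwdage'][0]

foreach ($name in $accounts) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
    [void]$s.PropertiesToLoad.Add('pwdLastSet')
    [void]$s.PropertiesToLoad.Add('userAccountControl')
    $r = $s.FindOne()
    if (-not $r) { Write-Warning "Account '$name' not found"; continue }

    $expiry = Get-PasswordExpiry -PwdLastSet $r.Properties['pwdlastset'][0] `
        -MaxPwdAge $maxPwdAge -UserAccountControl $r.Properties['useraccountcontrol'][0]

    $days = $null
    $status = 'NeverExpires'
    if ($null -ne $expiry) {
        $days = [math]::Floor(($expiry - [datetime]::UtcNow).TotalDays)
        if ($days -lt 0) { $status = 'Expired' }
        elseif ($days -le $warnDays) { $status = 'ChangeSoon' }
        else { $status = 'OK' }
    }
    New-Object PSObject -Property @{
        Account = $name; ExpiresUtc = $expiry; DaysLeft = $days; Status = $status
    }
}
```

With the two-account method, a `ChangeSoon` status on the account currently in use is the cue to move the servers to the other account before changing the password.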