Directory Rights Management Services (AD RMS) is a Digital Rights
Management (DRM) technology that allows for restrictions to be placed on
how content is managed, transmitted, and viewed. RMS uses PKI
technology to encrypt content such as documents and email messages, and
only allows access to view said content if restrictions are placed on
the content, such as disabling the ability to print, cut/paste, and/or
AD RMS in Windows Server
2008 R2 is the next iteration of the Windows Rights Management Server
technology that has been developed over a period of several years. In
addition to retaining existing functionality, it adds tighter
integration with Active Directory Domain Services (AD DS) and greater
Understanding the Need for AD RMS
Many organizations are faced
with the problem of defining how their intellectual property can be
managed after it has been distributed. Several high-profile leaks of
sensitive internal emails from major corporations have exposed the need
to manage and restrict how email that contains sensitive corporate
information is disseminated.
The problem stems from the
fact that computer systems have historically been good at restricting
information to unauthorized individuals, but as soon as an authorized
individual gains access to that data, those organizations have
traditionally lost control over what is done with the content.
Authorized individuals have copied documents offsite, emailed sensitive
information, had their laptops stolen, and have found a myriad of other
ways to lose control of an organization’s confidential information.
Active Directory RMS was
designed to give the control back to an organization. It allows
enforcement personnel the ability to restrict how a document is
transmitted, printed, copied, or when it expires. Integration with
Active Directory Domain Services allows the content to be only decrypted
by individuals stipulated in the policies as well.
RMS-protected documents are not reflected unless the document itself is
“republished” and the client does not have the use license cached in
conjunction with a local copy of the RMS-protected document. If the
original use license has not expired, users will continue to have access
to protected documents that have either not been republished or have
been moved from the location of the newly published document.
AD RMS also includes a
role service known as Identity Federation. Installing this service
allows an organization to share rights-protected content with other
Understanding AD RMS Prerequisites
Before installing AD RMS, the following prerequisites must be satisfied:
Create a service
account for RMS within AD DS. The service account must be different from
the account that is used to install RMS.
The AD RMS server must be a domain member within the domain of the user accounts that will use the service.
An AD RMS root cluster for certification and licensing must be created.
fully qualified domain name resolvable from the locations where RMS
files will be consumed needs to be set up. For example,
rms.companyabc.com can be set up for clients to be able to connect to
the AD RMS server to validate their RMS rights.
server running SQL Server must be available to store the AD RMS
databases. It is highly recommended to use an alternate server than the
one where AD RMS is installed.
Installing AD RMS
Installation of AD RMS can be
performed using the Server Manager utility, by adding the AD RMS role to
the server. The process of adding the AD RMS role is as follows:
Open Server Manager (Start, All Programs, Administrative Tools, Server Manager).
In the Nodes pane, select Roles, and then click the Add Roles link in the tasks pane.
Click Next at the welcome page.
the Select Server Roles page, check the box for Active Directory Rights
Management Services. If prompted to add additional services and
features such as IIS or the Message Queuing Service, choose to add the
Required Role Services, and then click Next to continue.
Review the Introduction page, and click Next to continue.
On the Select Role Services page, shown in Figure 1, select which components to install. In this case, only the core AD RMS role service is installed. Click Next to continue.
Figure 1. Installing AD RMS.
On the AD RMS Cluster page, choose to Create a New AD RMS Cluster, and click Next to continue.
the Select Configuration Database page, choose whether to install the
limited Windows Internal Database service (not recommended) or to create
an RMS database on a separate server running SQL Server 200x.
On the Specify Service Account page, shown in Figure 2,
choose which service account will be used for RMS by using the Specify
button. It cannot be the same account that is used to install AD RMS.
Figure 2. Specifying the RMS Service Account.
On the subsequent page, select Use AD RMS Centrally Managed Key Storage, and click Next.
Enter a strong password when prompted, and click Next to continue.
which IIS website (Default Web Site for a dedicated build) will hold
the AD RMS web services, and click Next to continue.
Type the FQDN that will be used for the AD RMS service. For this example, enter rms.companyabc.com,
and then click the Validate button. The FQDN must already be set up to
resolve to the IP address of the IIS website on the RMS server. Click
Next to continue.
Using an SSL certificate for an HTTPS connection to the RMS server is recommended, and can be enabled from this wizard.
If using SSL to protect the IIS website, select the certificate.
Enter a descriptive name for the RMS cluster, and click Next to continue.
On the AD RMS Service Connection Point Registration page, click Next to register the Service Connection Point (SCP) in AD DS.
If installing IIS at the same time, accept the defaults for setup by clicking Next, and then clicking Next again.
Click Install to finalize the installation wizard. It might take a while for the installation to complete.
Click Finish when the wizard is complete. Restart the server and log back on to complete the install.