The Official RMS Team Blog

Your official source for all the latest news and tech tips for Microsoft AD RMS and Azure RMS.

AD RMS Installation Best Practices


(This post was originally published on the original RMS team blog in March 2010)

Here are a few best practices to keep in mind when installing Active Directory Rights Management Services (AD RMS):

Use dedicated AD RMS servers.  Installing AD RMS on the same server as a domain controller, Microsoft Exchange Server, Certification Authority, or Microsoft Office SharePoint Server is a poor security practice.

Do not install AD RMS on a domain controller.  If you do, you must add the AD RMS service account, which is normally configured with no additional permissions, to the Domain Admins group.

You cannot install the Identity Federation Support feature until you have an Active Directory Federation Services (AD FS) server in place.  If AD FS is not configured in your environment at the time of installation, you can install the feature later.

You should only use Windows Internal Database in a test environment.  Windows Internal Database does not support remote connections; therefore, you would be unable to add additional AD RMS servers to your cluster.  In a production environment you should use Microsoft SQL Server.

Use DNS aliases, such as CNAME records, or DNS host records, such as A records, for your database server.  This makes future migration of the databases much easier.

Use DNS aliases, such as CNAME records, or DNS host records, such as A records, for the fully qualified domain name of the AD RMS cluster.  This lets you add servers to the cluster, load balance, and perform disaster recovery easily.

If you plan to deploy AD RMS on a website that is already set up, be sure that website has an http binding, even if you are provisioning AD RMS to use https.

If you plan to deploy AD RMS on a non-default website, install the IIS 6 Management Capability role service before you start provisioning.

Using the SSL protocol increases the security of connections to the AD RMS cluster.  SSL is also required to integrate AD RMS with AD FS.  Remember that this setting cannot be changed once it has been specified.

If installing Identity Federation Support, use lower case letters for the fully qualified domain name, as AD FS is case sensitive.

You should configure your extranet URL at the time of installation, even if it will not be initially deployed.  If external access is enabled after documents are AD RMS protected, you must remove the protection, remove the DRM folder on the client computers, configure extranet access, and then protect the documents again.

You should use self-signed certificates only in a test environment.  In a production environment you should use an SSL certificate issued from a certification authority.

After an installation or upgrade is complete you must log off and log back in again before you can administer AD RMS using the AD RMS console.

Once installation is complete you should back up your Server Licensor Certificate and your private key.

There are two paths to upgrading an earlier version of RMS to AD RMS: migration and in-place upgrade.  Migration is the recommended process.  If you choose to do an in-place upgrade, be sure to run the upgrade wizard after the operating system upgrade completes.  This wizard is launched from a link in Server Manager.  For more information on migrating or upgrading a cluster see the TechNet article RMS to AD RMS Migration and Upgrade Guide.

For information on AD RMS prerequisites, see the TechNet article AD RMS Prerequisites.  For more information on installing AD RMS, see the AD RMS Step-by-step Guide, which walks you through the process of installing AD RMS in a test environment.
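
Several of the pre-installation items above (dedicated server, DNS names, lower-case FQDN, http binding, IIS 6 management role service) can be checked before provisioning starts. The script below is an added example, not part of the original post or any Microsoft tooling; the host names and site name are hypothetical placeholders, and it assumes Windows Server 2012 or later with the ServerManager, WebAdministration and DnsClient modules available.

```powershell
# Added example: read-only pre-installation checks, run on the planned AD RMS server.
# Names below are hypothetical placeholders, not values from the post.
$ClusterFqdn  = 'rms.contoso.example'     # planned AD RMS cluster name
$DatabaseFqdn = 'rmsdb.contoso.example'   # planned alias for the SQL Server host
$SiteName     = 'Default Web Site'        # IIS site AD RMS will be provisioned on

Import-Module ServerManager, WebAdministration -ErrorAction Stop
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# Dedicated server: DomainRole 4 and 5 are domain controllers.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
Add-Check 'Not a domain controller' ($role -lt 4) "DomainRole=$role"
$ca = Get-WindowsFeature -Name ADCS-Cert-Authority
Add-Check 'No Certification Authority role' (-not $ca.Installed) "Installed=$($ca.Installed)"

# Cluster and database names should be DNS aliases or host records, not the machine name.
foreach ($name in $ClusterFqdn, $DatabaseFqdn) {
    $rec = @(Resolve-DnsName -Name $name -ErrorAction SilentlyContinue)
    $types = ($rec | ForEach-Object { $_.Type } | Sort-Object -Unique) -join ','
    Add-Check "DNS record exists for $name" ($rec.Count -gt 0) "Types=$types"
}
$label = $ClusterFqdn.Split('.')[0]
Add-Check 'Cluster name is not the server name' ($label -ne $env:COMPUTERNAME) "Label=$label"

# AD FS is case sensitive: -ceq is a case-sensitive comparison.
Add-Check 'Cluster FQDN is lower case' ($ClusterFqdn -ceq $ClusterFqdn.ToLowerInvariant()) $ClusterFqdn

# The target website needs an http binding even when AD RMS will use https.
$http = @(Get-WebBinding -Name $SiteName -Protocol http)
Add-Check "http binding on '$SiteName'" ($http.Count -gt 0) "Bindings=$($http.Count)"

# Non-default site: the IIS 6 management role service (feature Web-Mgmt-Compat) must be present.
if ($SiteName -ne 'Default Web Site') {
    $compat = Get-WindowsFeature -Name Web-Mgmt-Compat
    Add-Check 'IIS 6 management role service' ([bool]$compat.Installed) "Installed=$($compat.Installed)"
}

$results | Format-Table -AutoSize
```

The script only reads configuration; any row with `Passed` set to `False` points back to the corresponding item in the list above.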

Comments
  • Thanks for the post.
    Can I enable the RMS server role on a server having SharePoint Server 2013 already installed?
    And
    can I enable the RMS server role on a server having SQL Server already installed?

  • Subject: AD RMS 2012 and AD/GC in different site.

    I’m planning to install AD RMS 2012 but the client doesn’t have a local AD and GC.

    What bandwidth and latency will be required if AD RMS 2012 talks to AD and GC in another AD site?

    As a best practice, place the RMS servers in close proximity to global catalog servers. If possible, host the RMS infrastructure in the same VLAN or subnet where the global catalog servers are installed. Make sure a minimum of two global catalog servers are available for the RMS infrastructure in close proximity, i.e. in the same network/AD site. Average LDAP read latency should not exceed 50 ms. We recommend installing a dedicated global catalog server in close proximity to the RMS server.

    Kindly help with the latency that is acceptable and the bandwidth required. As mentioned before, the client cannot have the RMS servers in the same LAN as the AD global catalog servers.
