Some of my more 'bleeding edge' readers that are playing around with 2008 may be wondering why the old AD cache setting keys that we used in RMS 1.0 no longer work with RMS 2.0. Well the reason is simple. We don't use the registry keys anymore. :)

To disable Active Directory caching (or modify the default values) here is what you do:

 1.You need to access dbo.DRMS_clusterpolicies database and set following policy value to 0 (or whatever value you want):
UseDirectoryServicesCacheDatabase
EnableNoRightsCaching
This will disable all database cache.

2.You can reset IIS to cleanup memory cache, or you can set following policy value to 0 in dbo.DRMS_clusterpolicies database:
DirectoryServicesMemoryPrincipalCacheMaxSize
DirectoryServicesMemoryGroupIdCacheMaxSize
DirectoryServicesMemoryGroupMembershipCacheMaxSize
DirectoryServicesMemoryContactGroupMembershipCacheMaxSize
DirectoryServicesMemoryPrincipalCacheExpirationMinutes
DirectoryServicesMemoryGroupCacheExpirationMinutes

…and before you ask EnableNoRightsCaching is new to ADRMS. It caches ‘No Rights’ failures, so that we can quickly tell a user who keeps trying to open content they don't have access to ‘You’ve already been told you don’t have access, punk!', without making a round trip to the DC again.

Thanks to Sarah, my compadre from CSS-Security for continually pushing me for these answers, and always keeping me entertained with new ways to put up RMS in strange scenarios.

 -Jason