Pre-installation Information for Active Directory Rights Management Services
Applies To: Windows Server 2008
Before you install AD RMS
Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that must be met:
Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) forest as the user accounts that will be using rights-protected content.
If you are using groups to grant rights to users, use universal groups. (Otherwise, you will need to install the AD RMS server in the same domain as the users who will be publishing or accessing protected content.)
Create a domain user account with no additional permissions to use as the AD RMS service account.
Select the user account for installing AD RMS with the following restrictions:
The user account installing AD RMS must differ from the AD RMS service account.
If you are registering the AD RMS service connection point (SCP) during installation, the user account installing AD RMS must be a member of the AD DS Enterprise Admins group, or equivalent.
If you are using an external database server for the AD RMS databases, the user account installing AD RMS must have the right to create new databases. If Microsoft SQL Server 2005 or Microsoft SQL Server 2008 is used, the user account must be a member of the System Administrators database role, or equivalent.
The user account installing AD RMS must have access to query the AD DS domain.
Reserve a URL for the AD RMS cluster that will be available throughout the lifetime of the AD RMS installation. Ensure that the reserved URL differs from the computer name.
Important
It is strongly recommended that you use a fully qualified domain name (FQDN) instead of the NetBIOS name for the cluster URL. This will ensure that the cluster URL is globally unique. Using the NetBIOS name or other non-unique URL can prevent your users from being able to share rights-protected information with users in another organization that has used the same URL to deploy AD RMS.
In addition to pre-installation requirements for AD RMS, we strongly recommend the following:
Install the database server that is used to host the AD RMS databases on a separate computer. See System requirements for information about database servers that Windows Server 2008 R2 supports.
Install the AD RMS cluster by using a secure sockets layer (SSL) certificate. This certificate should be issued from a trusted root certification authority.
Create a DNS alias (CNAME) record for the AD RMS cluster URL and a separate CNAME record for the computer that is hosting the AD RMS configuration database. In the event that the AD RMS servers are retired, lost due to a hardware failure, or the computer's name is changed, a CNAME record can be updated without having to publish all rights-protected files again.
If you are using a named instance for the AD RMS configuration database, the SQL Server Browser service must be started on the database server before you install AD RMS. Otherwise, the AD RMS installation will not be able to locate the configuration database and the installation will not succeed.
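The requirements and recommendations above can be checked before setup starts. The following PowerShell script is an added pre-flight check and is not part of the AD RMS documentation or product; run it on the intended AD RMS server under the account that will perform the installation. The cluster URL, service account, database server name and the named-instance flag are constructed placeholders, and the Enterprise Admins test relies on that group's well-known RID (519).

```powershell
# Added pre-flight script (not from the AD RMS documentation). Replace the
# constructed placeholder values below with your own environment's values.
$ClusterUrl       = 'https://rms.corp.example.com'   # reserved cluster URL
$ServiceAccount   = 'CORP\svc-adrms'                 # planned AD RMS service account
$DbServer         = 'sql01.corp.example.com'         # external database server
$UseNamedInstance = $true                            # named SQL instance => SQL Browser must run

$problems = @()
$notes    = @()

# Requirement: the installing user must differ from the service account.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.Name -ieq $ServiceAccount) {
    $problems += "Installing user '$($me.Name)' is the service account; use a different account."
}

# Requirement: registering the SCP during setup needs Enterprise Admins (domain RID 519).
$inEnterpriseAdmins = @($me.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-519' }).Count -gt 0
if (-not $inEnterpriseAdmins) {
    $notes += 'Not an Enterprise Admin: do not register the SCP during installation.'
}

# Requirement: the service account exists and carries no additional group memberships.
# (The query itself also confirms the installing user can query AD DS.)
$sam      = ($ServiceAccount -split '\\')[-1]
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
$null = $searcher.PropertiesToLoad.Add('memberOf')
$svc = $searcher.FindOne()
if (-not $svc) {
    $problems += "Service account '$ServiceAccount' was not found in AD DS."
} elseif ($svc.Properties['memberof'].Count -gt 0) {
    $problems += "Service account is a member of: $($svc.Properties['memberof'] -join '; '). It should have no additional permissions."
}

# Requirement: the cluster URL is an FQDN, is not localhost or this computer's name,
# and (recommended) uses https.
$uri     = [Uri]$ClusterUrl
$urlHost = $uri.Host
try   { $myFqdn = [Net.Dns]::GetHostEntry([Net.Dns]::GetHostName()).HostName }
catch { $myFqdn = $env:COMPUTERNAME }
if ($urlHost -ieq 'localhost') { $problems += 'localhost is not a supported cluster URL.' }
if ($urlHost -ieq $env:COMPUTERNAME -or $urlHost -ieq $myFqdn) {
    $problems += 'The cluster URL must differ from the computer name.'
}
if ($urlHost -notmatch '\.') {
    $problems += "'$urlHost' is a NetBIOS-style name; use an FQDN so the cluster URL is globally unique."
}
if ($uri.Scheme -ne 'https') { $notes += 'Cluster URL is not https; an SSL certificate from a trusted CA is recommended.' }

# Recommendation: the cluster URL should be a CNAME alias so it can be repointed later.
# GetHostEntry returns the canonical name, so an alias shows up as a different HostName.
try {
    $entry = [Net.Dns]::GetHostEntry($urlHost)
    if ($entry.HostName -ieq $urlHost) { $notes += "$urlHost resolves directly; consider a CNAME alias." }
    else { $notes += "$urlHost is an alias for $($entry.HostName)." }
} catch { $problems += "Cluster URL host '$urlHost' does not resolve in DNS." }

# Recommendation: with a named instance, SQL Server Browser must run on the database server.
if ($UseNamedInstance) {
    try {
        $browser = Get-Service -Name SQLBrowser -ComputerName $DbServer -ErrorAction Stop
        if ($browser.Status -ne 'Running') {
            $problems += "SQL Server Browser on $DbServer is $($browser.Status); start it before installing."
        }
    } catch { $problems += "Could not query SQL Server Browser on ${DbServer}: $($_.Exception.Message)" }
}

if ($problems.Count -eq 0) { Write-Host 'No blocking problems found.' -ForegroundColor Green }
$problems | ForEach-Object { Write-Host "PROBLEM: $_" -ForegroundColor Red }
$notes    | ForEach-Object { Write-Host "NOTE:    $_" }
```

The script only reads directory and service state; it does not change anything. Items reported as NOTE are recommendations from the list above, and items reported as PROBLEM are requirements that would make the installation fail or leave it in an unsupported state.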
Before you upgrade from RMS to AD RMS
If you are upgrading from any version of Rights Management Services (RMS) to AD RMS, do the following:
Back up the RMS databases and store them in a secure location.
If your RMS cluster was configured to use the local SYSTEM account as the service account for the cluster, you must change the service account from the local SYSTEM account to a domain user account before upgrading from RMS to AD RMS.
If you used the offline enrollment option to provision RMS, make sure that the enrollment is complete before upgrading to AD RMS.
If you have been using MSDE to host your RMS databases, you must upgrade the databases to Microsoft SQL Server 2005 or a later version before you upgrade the RMS cluster to AD RMS. Upgrading an RMS cluster whose databases are still hosted in MSDE is not supported.
If you have been using Microsoft SQL Server 2000 to host your RMS databases, you must upgrade the databases to Microsoft SQL Server 2005 or a later version before you upgrade the RMS cluster to AD RMS.
Flush the RMS Message Queuing queue to make sure that all messages are written to the RMS logging database.
Important considerations for installing AD RMS
The following is a list of things that should be considered before you install AD RMS:
Self-signed certificates should be used only in a test environment. For pilot and production environments, we recommend that you use an SSL certificate issued by a trusted certification authority.
The Windows Internal Database with AD RMS is intended for use only in test environments. Because the Windows Internal Database does not support remote connections, you cannot add another server to the AD RMS cluster in this scenario.
If an SCP already exists in the Active Directory forest in which you are installing AD RMS, make sure that the cluster URL in the SCP is the same as the cluster URL for the new installation. If they are not the same, you should not register the SCP during AD RMS installation.
When installing AD RMS, localhost is not a supported cluster URL.
When specifying the AD RMS service account during installation, make sure that a smart card has not been inserted into the computer. If a smart card is attached to the computer, you will get an error message that the user account installing AD RMS does not have access to query AD DS.
When joining a new server to an existing AD RMS cluster, the SSL certificate should exist on the new server before the AD RMS installation starts.
By default, AD RMS does not support Kerberos authentication. For information about steps that you must take to configure the server to support Kerberos authentication, see Enable support for Kerberos authentication.
Windows Server 2008 R2 does not support Windows Rights Management Services (RMS) Client version 1. Support for this version of the client has ended with the release of the latest service pack for RMS Client version 1. To continue being able to create and access AD RMS-protected content, clients that are running RMS Client version 1 must install the latest service pack from the Windows Rights Management Services TechCenter on TechNet (https://go.microsoft.com/fwlink/?LinkId=140054).
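The SCP comparison in the list above can be done from the command line before setup. The following PowerShell script is an added example, not code from the AD RMS documentation. It assumes that the AD RMS SCP is the object CN=SCP,CN=RightsManagementServices,CN=Services under the forest's configuration partition and that its serviceBindingInformation attribute holds the cluster's certification URL (which carries a path, so the comparison is made on scheme, host and port only). The planned cluster URL is a constructed placeholder.

```powershell
# Added example (not from the page): decide whether to register the SCP during
# AD RMS installation by inspecting any SCP that already exists in the forest.
$PlannedClusterUrl = 'https://rms.corp.example.com'   # constructed placeholder

function Get-UrlOrigin([string]$Url) {
    # Normalize to scheme://host:port so a bare cluster URL and the SCP's full
    # certification URL (which may include a path) compare on the same basis.
    $u = [Uri]$Url
    return ('{0}://{1}:{2}' -f $u.Scheme, $u.Host.ToLowerInvariant(), $u.Port)
}

# Assumed location of the AD RMS SCP in the configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"

if (-not [ADSI]::Exists($scpPath)) {
    Write-Host 'No AD RMS SCP exists in this forest; registering the SCP during installation is appropriate (requires Enterprise Admins).'
    return
}

$scp      = [ADSI]$scpPath
$bindings = @($scp.Properties['serviceBindingInformation'] | ForEach-Object { [string]$_ })
Write-Host "Existing SCP binding(s): $($bindings -join ', ')"

$planned  = Get-UrlOrigin $PlannedClusterUrl
$matching = $bindings | Where-Object { (Get-UrlOrigin $_) -eq $planned }

if ($matching) {
    Write-Host 'The existing SCP already points at the planned cluster URL; it is consistent with this installation.'
} else {
    Write-Host 'The existing SCP points at a different cluster URL. Do NOT register the SCP during AD RMS installation.' -ForegroundColor Yellow
}
```

Because the comparison is on scheme, host and port, a planned URL of https://rms.corp.example.com matches an SCP binding of https://rms.corp.example.com/_wmcs/certification but not one on a different host or on plain http.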
Important considerations for installing AD RMS with identity federation support
The following is a list of things that should be considered before you install AD RMS with identity federation support:
A federated trusted relationship must be configured before you install Identity Federation Support. During the installation of the Identity Federation Support role service, you are asked to specify the URL of the federation service.
Active Directory Federation Services (AD FS) requires secure communication between AD RMS and the AD FS resource server. In order to use federation support with AD RMS, AD RMS must be installed using a secure cluster address.
The AD RMS service account must have the Generate Security Audits right. This right is granted by using the Local Security Policy console.
The AD RMS extranet cluster URLs must be available to the federated account partner.
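The Generate Security Audits requirement above is easy to miss when the right is granted to a group rather than to the service account directly. The following PowerShell script is an added example, not part of the AD RMS documentation; it exports the local user-rights assignment with secedit and compares the holders of SeAuditPrivilege (the internal name of Generate Security Audits) against the service account's SID and its token groups. The service account name is a constructed placeholder.

```powershell
# Added example (not from the page): confirm that the AD RMS service account holds
# "Generate security audits" (SeAuditPrivilege) directly or through a group.
# Run on the AD RMS server; the account name is a constructed placeholder.
$ServiceAccount = 'CORP\svc-adrms'

# Resolve the account's SID and its token groups (nested membership) from AD DS.
$sam      = ($ServiceAccount -split '\\')[-1]
$searcher = New-Object DirectoryServices.DirectorySearcher("(&(objectClass=user)(sAMAccountName=$sam))")
$result   = $searcher.FindOne()
if (-not $result) { throw "Account '$ServiceAccount' not found in AD DS." }

$accountSids = @((New-Object Security.Principal.SecurityIdentifier($result.Properties['objectsid'][0], 0)).Value)
$entry = $result.GetDirectoryEntry()
$entry.RefreshCache(@('tokenGroups'))
$accountSids += $entry.Properties['tokenGroups'] |
    ForEach-Object { (New-Object Security.Principal.SecurityIdentifier($_, 0)).Value }

# Export the local user-rights assignment and read the SeAuditPrivilege line.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeAuditPrivilege\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

# Holders are listed as *SID or as account names; normalize everything to SIDs.
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $h = $_.Trim()
        if ($h.StartsWith('*')) { $h.Substring(1) }
        else {
            try { (New-Object Security.Principal.NTAccount($h)).Translate([Security.Principal.SecurityIdentifier]).Value }
            catch { $h }
        }
    }
}

$granted = $accountSids | Where-Object { $holders -contains $_ }
if ($granted) {
    Write-Host "OK: '$ServiceAccount' holds Generate Security Audits via SID(s): $($granted -join ', ')"
} else {
    Write-Host "MISSING: grant 'Generate security audits' to '$ServiceAccount' in Local Security Policy (User Rights Assignment)." -ForegroundColor Yellow
}
```

The export reflects the effective local policy, so a right assigned through Group Policy shows up as well; the script needs local administrator rights to run secedit and read access to AD DS for the token-group lookup.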
Important considerations for installing AD RMS with Microsoft Federation Gateway Support
The following is a list of things that should be considered before you install AD RMS with Microsoft Federation Gateway:
The AD RMS cluster must be configured to use an SSL-encrypted connection that uses a certificate that the Microsoft Federation Gateway trusts. To prove your ownership of the domain that you want to federate with the Microsoft Federation Gateway, you must own the X.509 SSL certificate for that domain. It must be from one of the trusted root certification authorities (CAs) that are configured in the Microsoft Federation Gateway. The following table lists those CAs.
CA certificate friendly name | Issued to | Intended purposes |
---|---|---|
Entrust (https://go.microsoft.com/fwlink/?LinkId=162663) | Entrust.net Secure Server Certification Authority | Server authentication, client authentication, code signing, secure messaging, IP security tunnel termination, Internet Protocol security (IPsec) user, Internet Protocol security (IPsec) Internet Key Exchange (IKE) intermediate, time stamping, file-system encryption |
Go Daddy Class 2 Certification Authority (https://go.microsoft.com/fwlink/?LinkId=162664) | Go Daddy Class 2 Certification Authority | Server authentication, client authentication, secure messaging, code signing |
Network Solutions (https://go.microsoft.com/fwlink/?LinkId=162665) | Network Solutions Certificate Authority | Server authentication, client authentication, secure messaging, code signing, time stamping |
VeriSign Class 3 Public Primary CA (https://go.microsoft.com/fwlink/?LinkId=162667) | Class 3 Public Primary Certification Authority | Secure messaging, client authentication, code signing, server authentication |
VeriSign | Class 3 Public Primary Certification Authority | Secure messaging, client authentication, code signing, server authentication |
VeriSign | VeriSign Trust Network | Secure messaging, client authentication, code signing, server authentication |
VeriSign | VeriSign Class 3 Public Primary Certification Authority - G5 | Server authentication, client authentication, secure messaging, code signing |
The SSL certificate that you use to enroll with the Microsoft Federation Gateway must be a certificate that shows ownership of the AD RMS cluster's extranet URL. If the AD RMS cluster is configured with an intranet URL that is different from the extranet URL and if the intranet URL is not a domain name that can be accessed from the Internet, you must install the SSL certificate associated with the extranet URL on this AD RMS server and then select that certificate when enrolling with the Microsoft Federation Gateway.
If the SSL certificate contains a subject alternate name (SAN), the last entry in the SAN list must be the fully qualified domain name of the domain you want to enroll with the Microsoft Federation Gateway.
The virtual directories that are created for use by Microsoft Federation Gateway Support use https://. Because of this, your firewall must be configured to enable https:// data to pass through. Note, however, that the https:// transactions for Microsoft Federation Gateway Support use message-level security.
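The certificate conditions above (trusted root from the table, ownership of the extranet URL, last SAN entry equal to the federated domain) can be verified on the AD RMS server before enrolling. The following PowerShell script is an added example and not code from the AD RMS documentation. The extranet host and federated domain are constructed placeholders; the root CA names are the "Issued to" values from the table above; and the SAN parsing assumes an English Windows build, where the extension formats as "DNS Name=...".

```powershell
# Added example (not from the page): vet certificates in the local machine store
# against the Microsoft Federation Gateway enrollment conditions.
$ExtranetHost     = 'rms.example.com'   # host of the extranet cluster URL (placeholder)
$FederatedDomain  = 'example.com'       # domain being enrolled (placeholder)
$TrustedRootNames = @(                  # "Issued to" values from the table above
    'Entrust.net Secure Server Certification Authority',
    'Go Daddy Class 2 Certification Authority',
    'Network Solutions Certificate Authority',
    'Class 3 Public Primary Certification Authority',
    'VeriSign Trust Network',
    'VeriSign Class 3 Public Primary Certification Authority - G5'
)

function Get-SanDnsNames($Cert) {
    # DNS entries of the subjectAltName extension (OID 2.5.29.17), in extension order.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    @($ext.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    })
}

function Test-MfgCertificate($Cert) {
    $findings = @()
    if ($Cert.Subject -eq $Cert.Issuer) { $findings += 'self-signed: not acceptable for the gateway' }
    if ($Cert.NotAfter -lt (Get-Date)) { $findings += "expired on $($Cert.NotAfter)" }
    if (-not $Cert.HasPrivateKey)       { $findings += 'no private key on this server' }

    # Build the chain (revocation is checked online by default) and look at its root.
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $findings += "chain does not build: $status"
    }
    if ($chain.ChainElements.Count -gt 0) {
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $known = $TrustedRootNames | Where-Object { $root.Subject -like "*$_*" }
        if (-not $known) { $findings += "root '$($root.Subject)' is not one of the CAs the gateway trusts" }
    }

    # Ownership of the extranet URL: the CN or a SAN entry must name the extranet host.
    $cn  = $Cert.GetNameInfo([Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $san = @(Get-SanDnsNames $Cert)
    if ($cn -ine $ExtranetHost -and -not ($san -icontains $ExtranetHost)) {
        $findings += "does not name the extranet host '$ExtranetHost' (CN='$cn'; SAN=$($san -join ','))"
    }
    # With a SAN list, the last entry must be the FQDN of the domain being enrolled.
    if ($san.Count -gt 0 -and $san[-1] -ine $FederatedDomain) {
        $findings += "last SAN entry is '$($san[-1])', expected '$FederatedDomain'"
    }
    return $findings
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $f = @(Test-MfgCertificate $_)
    $verdict = if ($f.Count -eq 0) { 'OK' } else { 'NOT SUITABLE: ' + ($f -join '; ') }
    Write-Host ("{0}  {1}`n    {2}" -f $_.Thumbprint, $_.Subject, $verdict)
}
```

Certificates reported as OK satisfy every condition the script can see locally; wildcard names are not expanded, so a wildcard certificate that covers the extranet host will be reported as not naming it and needs a manual look.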
For more information, see Understanding the Microsoft Federation Gateway.
Warning
Before uninstalling Service Pack 1 for Windows Server® 2008 R2, you must remove Microsoft Federation Gateway Support from the AD RMS cluster. Failure to do this may cause an inconsistent configuration of your AD RMS cluster. For more information, see Remove Microsoft Federation Gateway Support.
System requirements
The following table describes the minimum hardware requirements and recommendations for running Windows Server® 2008 R2 servers with the AD RMS server role.
Requirement | Recommendation |
---|---|
One Pentium 4 3 GHz processor or higher | Two Pentium 4 3 GHz processors or higher |
512 MB of RAM | 1024 MB of RAM |
40 GB of free hard disk space | 80 GB of free hard disk space |
The following table describes the software requirements for running Windows Server 2008 R2 servers with the AD RMS server role. For requirements that can be met by enabling features on the operating system, installing the AD RMS server role will configure those features as appropriate, if they are not already configured.
Software | Requirement |
---|---|
Operating system | Windows Server 2008 R2 |
File system | NTFS file system is recommended |
Messaging | Message Queuing |
Web services | Internet Information Services (IIS) ASP.NET must be enabled. |
Active Directory or AD DS | AD RMS must be installed in an Active Directory domain in which the domain controllers are running Windows Server 2000 with Service Pack 3 (SP3), Windows Server 2003, Windows Server® 2008 or Windows Server 2008 R2. All users and groups that use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory. |
Database server | AD RMS requires a database server, such as Microsoft SQL Server 2005, and stored procedures to perform operations. The AD RMS server role on Windows Server 2008 R2 does not support Microsoft SQL Server 2000. |
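The e-mail address requirement in the software table is the one most often violated in practice, since service and test accounts are frequently created without one. The following PowerShell script is an added example, not part of the AD RMS documentation; it takes the group whose members will use AD RMS, checks that the group itself has a mail attribute and is universal (as the pre-installation list recommends), and lists enabled direct members that have no mail attribute. The group name is a constructed placeholder, and only direct members are examined.

```powershell
# Added example (not from the page): find AD RMS users and groups that lack the
# e-mail address AD RMS needs for license acquisition and publishing.
$RmsUsersGroup = 'RMS-Users'   # constructed placeholder

$gs    = New-Object DirectoryServices.DirectorySearcher("(&(objectClass=group)(sAMAccountName=$RmsUsersGroup))")
$group = $gs.FindOne()
if (-not $group) { throw "Group '$RmsUsersGroup' not found." }
$groupDn = $group.Properties['distinguishedname'][0]

# Groups used to grant rights need a mail attribute and should be universal
# (groupType bit 0x8 = GROUP_TYPE_UNIVERSAL).
if ($group.Properties['mail'].Count -eq 0) {
    Write-Host "Group '$RmsUsersGroup' has no e-mail address." -ForegroundColor Yellow
}
$groupType = [int]$group.Properties['grouptype'][0]
if (($groupType -band 0x8) -eq 0) {
    Write-Host "Group '$RmsUsersGroup' is not a universal group." -ForegroundColor Yellow
}

# Escape the DN for use inside an LDAP filter (backslash first, then parentheses).
$escapedDn = $groupDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'

# Enabled direct members without a mail attribute. The bitwise-AND matching rule
# excludes accounts whose userAccountControl has ACCOUNTDISABLE (0x2) set.
$us = New-Object DirectoryServices.DirectorySearcher
$us.Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf=$escapedDn)(!(mail=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$us.PageSize = 500
$null = $us.PropertiesToLoad.Add('samaccountname')

$missing = @($us.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
if ($missing.Count -gt 0) {
    Write-Host "Members without an e-mail address: $($missing -join ', ')" -ForegroundColor Yellow
} else {
    Write-Host 'All enabled direct members have an e-mail address.'
}
```

Nested group members are not expanded here; rerun the script for each nested group, or replace the memberOf clause with a recursive query if every domain controller supports it.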