AD RMS root cluster installation

I am not going to explain here each installation wizard step, you can find at least one guide on microsoft technet. I have explained here RMS installation within Windows Server 2008r2. Installation on a previous OS has some deviations.

First of all, don’t even try understanding diagram without text explanation below. I tried to do simple diagram with a simple description. Hopefully I did it successfully, But I am not entitled to judge myself here…¬†you can do it… ūüôā

So, you marked “Active Directory Rights Management Server” checkbox in Server Manager and pressed Next button…

Server Bootstraping_Root_Only


1. Next-next-next…

2. On almost the last step installation wizard asks you to put a password. Read carefully text: “AD RMS uses the cluster key password to encrypt the cluster key…”. Later, or even right now you can observe on a diagram where and for which purposes this password will be in use. By the way, you need access to cluster key every time when you join other RMS servers to cluster, or restore server from backup. This password isn’t assigned with any user in AD DS, it isn’t the same password as you use to restore AD DS. You can’t reset this password even if you are member of Enterprise Administrators group. It is fully new password. Remember it. If you don’t remember it, or lost it somehow, please, keep your CV up to date. ūüôā

3. AD RMS server generates key pair: public (green) and privat (red) keys. Previously with installation wizard (Configure AD RMS Cluster ¬†Key Storage)¬†you defined key length¬†:¬†Use AD RMS centrally managed key storage¬†or¬†Use CSP key storage (“CSP” means Cryptographic Service¬†Provider).¬†To tell the truth if Hardware Security Module¬†is unavailable for you, only one option you can use – AD RMS Centrally Managed Storage, at it means RSA 1024 key length.

4.  AD RMS server generates first certificate РService Licensor Certificate (SLC). This certificate contains public key which was generated on previous step. This certificate is selfsigned.

5. The rest of the servers in scope of one cluster (root in my example) use  the same SLC. It means if your environment contains 5 RMS root cluster each of them in this case use the same SLC. RMS servers in licensing only cluster share the different SLC. Licensing only cluster will be explained later.

6. Meanwhile AD RMS server protects private key with a password which you set previously. I think now it should be clear why it is so important to know (remember) this password. I don’t know any official or unofficial method how to get private key if you don’t remember¬†the encryption password.

7. Private key encryption result RMS server stores as a BLOB.

8. RMS server during installation creates 3 databases on SQL server: configuration, directory and logging. Actually configuration DB contains private key encryption BLOB.  The private key is decrypted each server reboot\start.

The order isn’t strict here. In fact private key encryption and saving should be earlier then SLC creation. But all these processes happen transparently, and I’ve never met any troubles during these installation steps, I propose to consider about SLC creation and private key encryption tasks as simultaneous processes.


1. AD RMS Server has selfsigned certificate – Service Licensor Certificate

2. You must remember cluster key password.

3. All servers in scope of one cluster share the same SLC.

To be continued…

AD Rights Management Server

I decided to start my blog with articles about Rights Management Server role. You can find a lot of blogs and technical articles where authors try explaining how to install RMS server in your environment,¬†but very rarely (almost never) you can find explanation – what happens from technical point of view during this process. In fact that this knowledge will help you afterwards to do troubleshouting and fix your RMS-environment.¬†Microsoft does¬†so much efforts to provide for us very simple installation wizard, so, installation isn’t a problem at all. Even if you missed some requirements smart wizard in very polite form explains you what you missed, and what you have to do to continue installation process. Thus even my grandma can install any windows role on a server, but which processes happened during installation and what to do next? This is actually main difference between real IT-professional and “any-key” specialist.

Let’s go…