AD RMS root cluster installation

I am not going to explain here each installation wizard step, you can find at least one guide on microsoft technet. I have explained here RMS installation within Windows Server 2008r2. Installation on a previous OS has some deviations.

First of all, don’t even try understanding diagram without text explanation below. I tried to do simple diagram with a simple description. Hopefully I did it successfully, But I am not entitled to judge myself here… you can do it… 🙂

So, you marked “Active Directory Rights Management Server” checkbox in Server Manager and pressed Next button…

Server Bootstraping_Root_Only


1. Next-next-next…

2. On almost the last step installation wizard asks you to put a password. Read carefully text: “AD RMS uses the cluster key password to encrypt the cluster key…”. Later, or even right now you can observe on a diagram where and for which purposes this password will be in use. By the way, you need access to cluster key every time when you join other RMS servers to cluster, or restore server from backup. This password isn’t assigned with any user in AD DS, it isn’t the same password as you use to restore AD DS. You can’t reset this password even if you are member of Enterprise Administrators group. It is fully new password. Remember it. If you don’t remember it, or lost it somehow, please, keep your CV up to date. 🙂

3. AD RMS server generates key pair: public (green) and privat (red) keys. Previously with installation wizard (Configure AD RMS Cluster  Key Storage) you defined key length : Use AD RMS centrally managed key storage or Use CSP key storage (“CSP” means Cryptographic Service Provider). To tell the truth if Hardware Security Module is unavailable for you, only one option you can use – AD RMS Centrally Managed Storage, at it means RSA 1024 key length.

4.  AD RMS server generates first certificate – Service Licensor Certificate (SLC). This certificate contains public key which was generated on previous step. This certificate is selfsigned.

5. The rest of the servers in scope of one cluster (root in my example) use  the same SLC. It means if your environment contains 5 RMS root cluster each of them in this case use the same SLC. RMS servers in licensing only cluster share the different SLC. Licensing only cluster will be explained later.

6. Meanwhile AD RMS server protects private key with a password which you set previously. I think now it should be clear why it is so important to know (remember) this password. I don’t know any official or unofficial method how to get private key if you don’t remember the encryption password.

7. Private key encryption result RMS server stores as a BLOB.

8. RMS server during installation creates 3 databases on SQL server: configuration, directory and logging. Actually configuration DB contains private key encryption BLOB.  The private key is decrypted each server reboot\start.

The order isn’t strict here. In fact private key encryption and saving should be earlier then SLC creation. But all these processes happen transparently, and I’ve never met any troubles during these installation steps, I propose to consider about SLC creation and private key encryption tasks as simultaneous processes.


1. AD RMS Server has selfsigned certificate – Service Licensor Certificate

2. You must remember cluster key password.

3. All servers in scope of one cluster share the same SLC.

To be continued…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s