1 300 737 205

Configuring Active Directory Rights Management Services (AD RMS)

Active Directory Rights Management Services (AD RMS) allows the user to generate protection of information solutions and apply these solutions to existing applications. Persistent usage policies are provided by AD RMS for information, and these policies even remain with the information if they happen to be displaced.  AD RMS can be used to prevent sensitive information, such as, customer data, conditional emails, intranet web sites, or documents being acquired by your competitors or hackers.

Deploying AD RMS for an organization is beneficial for the following reasons:

  • Sensitive Information is safeguarded: Applications can be AD RMS-enabled (i.e. word processors, e-mail clients) where users can specify who can access, modify, print, forward or perform other actions to help protect sensitive information. Custom usage policy templates, for example ‘confidential-read only’, can be directly applied to the information by businesses.
  • Protection remains consistent: Existing perimeter-based security solutions, such as access control lists (ACLs) and firewalls, are utilized by AD RMS for improved information protection. This is performed by securing the usage rights within the document itself and managing how information is used even after it has been accessed by intended recipients.
  • Customizable and Flexible technology: Applications can be AD-RMS enabled or other services (such as portal servers operating on Windows) can be enabled to function with AD RMS to aid in protecting sensitive information by Independent software vendors (ISVs)  and developers. ISVs are allowed to incorporate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.


Installing and configuring AD RMS:

Navigate to Start – Administrative Tools – Server Manager. Select Roles and click on Add Roles.


 The Add Roles Wizard – Before you Begin page appears. Select Next. On the Select Server Roles page, tick the check box Active Directory Rights Management Services. Press the Next button.


An Add Roles Wizard dialog box pops up requesting if you want to add role services and features required for AD RMS. Click Add Required Role Services to continue.


You are returned to the Select Server Roles page, press Next. The AD RMS introductory page of the Add Roles wizard appears. Click Next.


On the Select Role Services page, ensure that the Active Directory Rights Management Server checkbox is ticked. Click Next.


Note: For users who want to integrate AD RMS with Active Directory Federation Services (AD FS), tick Identity Federation Support as well. 

The Create or Join an AD RMS Cluster appears where you can choose to create a new AD RMS cluster or join an existing AD RMS cluster. Since you have just installed AD RMS, only the Create a new AD RMS cluster option is available and therefore selected by default. Click Next.


The Select Configuration Database page displays where you can specify whether you want to use Windows Internal Database on this server (local database) or use a different database server (remote database).

If you want to use the local database server, select the Use Windows Internal Database on this server option and click Next (as shown in our example).  The AD RMS cluser is then limited to a single-server cluster.

If you want to use the remote database server and enable a multi-server cluster, you need to click the use a different database server.  Then click on the Select button, enter the name of the computer in which the particular database is situated, and validate the entry.


On the Specify Service Account page, identify a Domain User Account and password for AD RMS so that it can communicate with other services on this computer and the network.

Select the Specify… button and enter a User name and password for your Domain (as shown in the example below). Click OK. You are then returned to the Specify Service Account page of the wizard. Click Next to continue.


The Configure AD RMS Cluster Key Storage page displays. AD RMS clusters use an AD RMS cluster key to sign certificates and licenses issued by the cluster. You need to specify whether you want to store the AD RMS cluster key in the AD RMS centrally managed key storage or CSP key storage.

For our example, we deicde to select Use AD RMS centrally managed key storage to protect the AD RMS cluster key by using a password-based encrypted key. Click Next.


Enter and confirm the AD RMS cluster key password on the Specify AD RMS Cluster Key Password page. Click Next.


On the Select AD RMS Cluster Web Site page, select the website where an Internet Information Services (IIS) virtual directory can be used to host AD RMS. Usually you are only provided with the Default Web site option (as shown in our example below). Select this option and click Next.


The Specify Cluster Address page appears where you specify a connection type for this AD RMS cluster. We recommend to use the Secure Sockets Layer (SSL) protocol to encrypt network traffic between AD RMS clients and the cluster. Select the Use an SSL-encrypted connection (https://) radio button.


You are now required to specify an internal address for this AD RMS cluster. For our example, we enter in adminadrms.cloudbt.com in the Fully-Qualified Domain Name text box. Click Validate and then select Next to continue on to the next page.


On the Name the Server Licensor Certificate page, put in a name that can help you easily identify a server licensor certificate. AD RMS generates this particular certificate to establish the identify of this AD RMS cluster to clients. Click Next.


The Register AD RMS Service Connection Point page displays where you specify whether you want to register the AD RMS service connection point (SCP) now or later. We recommend to select the Register the AD RMS service connection point now option as the SCP of the AD RMS cluster will be created in the Active Directory Domain Services ) AD DS as soon as AD RMS cluster is installed.


The Web server (IIS) introductory page displays. Click Next to continue.


The Select Role Services for Web Server (IIS) page displays. In our case, we accept the default role services and click Next.


On the Confirm Installation Selections page, ensure that you are fine with the specifications and click Install to commence installation of the AD RMS cluster on the server. Once installed, log off and log on again to the server to update the security token of the logged-on user account and automatically become a member of the AD RMS Enterprise Administrators local group.

To manage the AD RMS console, you can now access it via Start – Administrative Tools – Active Directory Rights Management Services (as shown below).




Request Your Free Consultation Today

We’ll come to your place of business, and give you a full diagnostic snapshot of your IT systems.