RMS
Windows 2008

RMS (Rights Management Services) protects documents and email from being printed, forwarded, etc.
You will need the following to make this work:

  • Domain controller
  • AD RMS Root Cluster
  • Service connection point (a CNAME so that users can find the RMS cluster)
  • IIS
  • A database such as SQL 2008, or the Windows Internal Database when you don't have a SQL server. This is needed to store configurations.
  • Certificate for SSL
  • The right to create a database on the SQL server
  • An email address in Active Directory, so the email address field needs to be filled in!
  • Federation Services installed, if you need it; this cannot be installed later on.
  • A service account to install RMS (just a domain user account, nothing special)
  • An Enterprise Admin account to install the service connection point
  • Separate server
  • CNAME for the computer it will run on

To start, you will need a server to install RMS on and preferably another server with IIS and Certificate Services installed. On that second server, duplicate the Web Server certificate, call it e.g. RMS Web Server, and publish that certificate in Active Directory (NOT ON THE SAME BOX!).
Then change the security of the certificate to point to the web server or web server group. The permissions need to be set to Read and Enroll.

  • Then go to Certificate Template, choose New Certificate, and choose the certificate that you made earlier, e.g. RMS Web Server.
  • Go to the other server and open the local certificates snap-in in MMC. There, in Personal certificates, choose Request New Certificate.
  • You cannot enroll the certificate (e.g. RMS Web Server) yet; first you need to click on the link and choose the following:
  • Full DN - This will be cn=computername,dc=spundaelab,dc=com; click ADD.
  • Alternative name - Select the URL used to access the web server, e.g. rms.spundaelab.com (make the alias ahead of time!). Don't use the computer name of the server but a CNAME that points to the server!
  • Go to the Private Key tab, click on the little icon on the right to expand it, and choose Allow private key to be archived and Make private key exportable.
  • After the certificate has been successfully created, you can enroll it and install Active Directory Rights Management Services.
  • Keep in mind that when you need Federation Services you will need RMS first! After RMS has been properly installed, install Federation Services, then add the role and choose Identity Federation Support.
  • Then go through the wizard and choose the SQL server and the user account that you made earlier, and choose a password (for the encryption of the cluster key, and to add other RMS servers or restore from backup).
  • Then continue with the wizard and finish.
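
The prerequisites above can be checked from the RMS server before running the installation wizard. The script below is an added example, not part of the original page; it assumes PowerShell 2.0 or later, a domain-joined session, and the alias rms.spundaelab.com used on this page.

```powershell
# Added example: pre-install checks for the AD RMS server described above.
# Assumption: the alias from the page (rms.spundaelab.com); change it to your own.
$alias = 'rms.spundaelab.com'

# 1. The alias must resolve (the page says to create it ahead of time).
try {
    $entry = [System.Net.Dns]::GetHostEntry($alias)
    "DNS : $alias resolves to $($entry.HostName)"
} catch {
    "DNS : $alias does not resolve; create the CNAME first"
}

# 2. Look in the local computer's Personal store for a certificate whose
#    Subject Alternative Name extension (OID 2.5.29.17) contains the alias.
$sanOid = '2.5.29.17'
$found = $false
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if ($san -and $san.Format($false) -match [regex]::Escape($alias)) {
        $found = $true
        "CERT: $($cert.Subject) valid until $($cert.NotAfter)"
        "      private key present: $($cert.HasPrivateKey)"
        if ($cert.NotAfter -lt (Get-Date)) { "      WARNING: certificate has expired" }
    }
}
if (-not $found) { "CERT: no certificate with $alias as alternative name found" }

# 3. List enabled user accounts whose email address field (mail attribute) is empty.
#    The userAccountControl bit 2 test excludes disabled accounts.
$filter = '(&(objectCategory=person)(objectClass=user)(!(mail=*))' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = $filter
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add('samaccountname')
$noMail = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
"MAIL: $($noMail.Count) enabled user(s) without an email address"
$noMail | ForEach-Object { "      $_" }
```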

When you open the Active Directory Rights Management Services snap-in, you will need to make a rights policy template first.

Then use that template to restrict access to your Word document and save it. When somebody else opens the document, they cannot print, copy, or save; they can do nothing other than what the assigned permissions allow.
