Installing AD RMS

For environments that don’t already have an AD RMS server in place (legacy Windows Server 2003 RMS will work as well), a new Windows Server 2008 R2 AD RMS environment is required. Note that the RMS server must be a separate server from the SharePoint farm servers, and it also requires a database server to host the AD RMS database. In many cases, the AD RMS database server will be the same server as the SharePoint database server.

To install and configure AD RMS on a server, first install Windows Server 2008 R2 (Standard, Enterprise, or Datacenter will work) with the default installation options, and then add it to the domain. Log in with an account that has local admin access to the server and perform the following steps to install AD RMS:

  1. On the RMS server, run the Add Roles Wizard from Server Manager.
  2. Click Next to start the wizard.
  3. Check the box for Active Directory Rights Management Services.
  4. Choose to add the required role services when prompted.
  5. Ensure that AD RMS and Web Server are checked in the summary dialog box, shown in Figure 17.13, and choose Next to continue.

    Figure 17.13. Installing the AD RMS role.


  6. Click Next at the AD RMS Welcome dialog box.
  7. Under Role Services, leave the default in place and click Next.
  8. From the RMS Cluster dialog box, choose to create a new RMS cluster and click Next to continue.
  9. From the Database dialog box, shown in Figure 17.14, choose to either use a local Windows Internal DB on the server or use a centralized SQL Server instance on another server. It is highly recommended to choose a separate SQL server, such as the SharePoint database server, for this.

    Figure 17.14. Selecting the database for AD RMS.


  10. Specify a domain user account in the subsequent dialog box that will be used for AD RMS. This account should not have any special rights other than domain user rights in the domain. You will need to create this account before proceeding. Click Next to continue.
  11. Under the Cluster Key Storage dialog box, choose the default AD-managed key storage and click Next to continue.
  12. Enter a password for the cluster. Be sure to save this password; you’ll need it to add additional RMS servers into the cluster in the future. Click Next to continue.
  13. Use the default website and click Next to continue.
  14. Select whether to use an SSL-encrypted connection to RMS or an HTTP connection, as shown in Figure 17.15. It is highly recommended to use SSL now, because content will display this name at all times. In addition, do not use a server name for the FQDN. Use a name that can be transferred to a VIP or another server in the future, such as rms.companyabc.com. Ideally, your RMS address will then always be https://rms.companyabc.com. Click Next to continue.

    Figure 17.15. Specifying the FQDN for AD RMS.


  15. At the subsequent dialog box, choose the SSL certificate that matches the FQDN chosen (that is, rms.companyabc.com). If it is not created yet, choose to install it later. This certificate must be installed for RMS to work properly. It is not recommended to use a self-signed certificate. Click Next to continue.
  16. Choose the name of the server licensor certificate (accept the default in most cases) and click Next to continue.
  17. Select whether to register the SCP (service connection point) now or later. Typically, the SCP will be registered immediately, but be sure to understand the implications of this. Once registered, all Office clients in the domain will “see” the RMS server and will be able to start encrypting content.
  18. Accept the default for the web role wizard, and then click Next.
  19. Review the settings, such as those shown in Figure 17.16, and choose Install.

    Figure 17.16. Reviewing AD RMS installation settings.


  20. Choose Close when the wizard completes.
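
A check of the choices made in steps 14 and 15, added here as an example and not taken from the book: it takes the cluster URL and a certificate in the dict form that Python's ssl.SSLSocket.getpeercert() returns, and reports a non-HTTPS URL, an FQDN that is really a server name, a certificate that does not match the FQDN, a self-signed certificate, or (going beyond what the steps mention) an expired one. The server name RMS01, the CA name, and both certificate dicts are constructed sample values.

```python
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample data, in the dict shape ssl.SSLSocket.getpeercert() returns.
CA_ISSUED = {"subject": ((("commonName", "rms.companyabc.com"),),),
             "issuer": ((("commonName", "Constructed Issuing CA"),),),
             "subjectAltName": (("DNS", "rms.companyabc.com"),),
             "notAfter": "Jun 15 12:00:00 2030 GMT"}
SELF_SIGNED = {"subject": ((("commonName", "rms01.companyabc.com"),),),
               "issuer": ((("commonName", "rms01.companyabc.com"),),),
               "notAfter": "Jun 15 12:00:00 2030 GMT"}

def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v.lower() for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]

def covers(pattern, host):
    """Exact match, or one left-most wildcard label such as *.companyabc.com."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_cluster_url(url, cert, server_names, now=None):
    """Return findings for the step 14-15 choices; an empty list means they pass."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("cluster URL is not HTTPS")
    # A host label equal to a real machine name cannot move to a VIP later.
    if host.split(".", 1)[0] in {n.lower().split(".", 1)[0] for n in server_names}:
        findings.append("cluster FQDN is a server name, not a transferable alias")
    if not any(covers(p, host) for p in cert_names(cert)):
        findings.append("certificate does not match the cluster FQDN")
    # Heuristic: identical subject and issuer means self-issued (no signature check).
    if cert.get("subject") == cert.get("issuer"):
        findings.append("certificate is self-signed")
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    if datetime.fromtimestamp(expires, timezone.utc) <= now:
        findings.append("certificate has expired")
    return findings

if __name__ == "__main__":
    print(check_cluster_url("http://rms01.companyabc.com", SELF_SIGNED, ["RMS01"]))
```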
