Operating an RMS Server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

RMS: Operations refers to management tasks performed after RMS is deployed in an organization. This subject provides information to help you manage your RMS clusters, procedures for common administrative tasks, and resources for additional information as well as best practices information.

In this subject

Terminology Used in This Guide

  • Account certification
    The process that associates user accounts with key pairs in the rights account certificate (RAC).
  • Account certification service
    An RMS Web service that creates and distributes rights account certificates. See also account certification.
  • activation proxy service
    An RMS Web service that supports RMS version 1.0 client machine activation. Used to forward machine activation requests to the Microsoft Activation Service. The activation service generates a unique lockbox and a matching RMS machine certificate for the client computer, which the activation proxy service on the RMS server then forwards back to the requesting client. In RMS with SP1 and later, the lockbox is generated locally on the RMS client so contacting the Microsoft Activation Service is no longer required. See also lockbox.
  • administration service
    An RMS Web service that hosts the administration Web site, allows the management of RMS, and updates the configuration database for the cluster.
  • application manifest
    An XML document that describes the modules of an associated RMS-enabled application, and what may run in the application environment. Any application that writes to the RMS client APIs to create or consume rights-protected information must provide a manifest at run time.
  • attribute
    In Active Directory, a property of an object. For each object class, the schema defines which attributes an instance of the class must have and which additional attributes it might have.
  • binding
    The mechanism that exercises rights in an RMS system, where the RMS client validates the conditions of a use license against the rights that are being requested. If these conditions are met, the rights are granted.
  • certificate
    A digital document that can be used to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA), and they can be issued for a user, a computer, or a service. See also private key; public key.
  • client enrollment
    The process of creating the client licensor certificate, which enables the user's computer or device to create publishing licenses that will be honored by the root or licensing-only cluster.
  • client licensor certificate
    The certificate created by RMS and placed on RMS client computers that enable users to publish protected content offline, without being connected to the internal network. The client licensor certificate contains the key that the RMS client uses to digitally sign publishing licenses.
  • condition
    A set of specified constraints and parameters that are part of the rights group bundled into a publishing license. These are enforced at the time of consumption. A time condition is a common condition allowing a user to set an expiry date for rights-protected information.
  • configuration database
    The database containing RMS configuration information for a server or cluster.
  • consuming content
    Decrypting and exercising usage rights to a piece of rights-protected content.
  • content key
    The key used to both encrypt and decrypt protected content during publishing and consumption. Also known as symmetric key. RMS uses 128-bit AES content keys.
  • content owner
    The person or organization that establishes the access policy for protected content.
  • decryption
    The process of making encrypted data readable again by converting ciphertext to plaintext.
  • digital signature
    A means for originators of a message, file, or other digitally encoded information to bind their identity to the information. The process of digitally signing information entails transforming the information, as well as some secret information held by the sender, into a tag called a signature. Digital signatures are used in public key environments, and they provide nonrepudiation and integrity services.
  • DRMRemote service
    An RMS Web service that exposes services through .NET Remoting, which is used for communication between different RMS servers.
  • encryption
    The process of converting information into a form that can only be read by a specific receiver. Encryption is an effective way to help keep information secure. To decipher a file that has been encrypted, the receiver must have the secret key or password that will translate it. See also public key encryption.
  • enrollment
    The process by which the root cluster obtains a server licensor certificate signed by the Microsoft Enrollment Service.
  • enrollment request
    A request sent by the RMS root cluster to the Microsoft Enrollment Service for a server licensor certificate.
  • exclusion
    The process used by an RMS cluster to deny a use license request to a client based on exclusion policy. See also exclusion list.
  • exclusion list
    The list of principals that are to be denied licenses by the RMS licensing service.
  • exclusion policy
    Settings in the RMS configuration database that control the manner in which exclusion is applied in the organization.
  • eXtensible rights Markup Language
    The XML-based format that is used by RMS for all of the licenses it supports: machine certificates, RACs, CLCs, use licenses, publishing licenses, and server licensor certificates.
  • issuance license
    Data that specifies the RMS policy applied to protected content.
  • Licensing-only cluster
    One or more servers running the RMS licensing and publishing services outside of the root cluster. These servers use a common database and connection URL, and should be deployed behind load balancer if more than one server is used. Unlike a root cluster that can handle both certification and licensing, the RMS server(s) in a licensing-only cluster cannot perform certification.
  • Licensing-only server
    A server running in a RMS licensing-only cluster that performs licensing and publishing services outside of the root cluster.
  • licensing service
    An RMS Web service that issues use licenses.
  • lockbox
    The software module responsible for authenticating the valid use of protected content, encrypting and decrypting information, and protecting trusted software processing from modification and observation. Also known as secure repository.
  • logging service
    An RMS listener service that transfers logged data from the message queue to the logging database for the RMS server or cluster.
  • machine activation
    The process of obtaining a unique lockbox and machine certificate for a computer in RMS version 1.0. In RMS version 1.0 with SP1 and later, machine activation is the process of obtaining a machine certificate for each user of that computer.
  • manifest
    The signed XML document that identifies the libraries or programs that can or cannot be loaded into the application's processing space.
  • Microsoft Activation Service
    A Microsoft-hosted Web service that issues RMS machine certificates and lockboxes in response to RMS version 1.0 client requests. This is no longer required with RMS 1.0 with SP1 or later.
  • Microsoft Enrollment Service
    A Microsoft-hosted Web service that issues a server licensor certificate to the root cluster in a RMS deployment.
  • precertification
    A feature of the RMS certification service that allows an application to request a rights account certificate from the RMS root cluster on behalf of a user. Rights account certificates obtained using precertification only contain the user's public key.
  • principal
    An entity (such as a user, group, or protected content manager) that has an established role in the RMS security scheme, and to which objects can be secured.
  • private key
    The secret half of a cryptographic key pair that is used with a public key algorithm. Private keys are typically used to decrypt a symmetric session key, digitally sign data, or decrypt data that has been encrypted with the corresponding public key. See also public key; public key encryption.
  • provision
    To configure a RMS server to work in an organization.
  • public key
    The non-secret half of a cryptographic key pair that is used with a public key algorithm. Public keys are typically used when encrypting a session key, verifying a digital signature, or encrypting data that can be decrypted with the corresponding private key. See also private key; public key encryption.
  • public key encryption
    A method of encryption that uses two encryption keys that are mathematically related. One key is called the private key and is kept confidential. The other is called the public key and is freely given out to all potential correspondents. In a typical scenario, a sender uses the receiver's public key to encrypt a message. Only the receiver has the related private key to decrypt the message. The complexity of the relationship between the public key and the private key means that, provided the keys are long enough, it is computationally infeasible to determine one from the other. Also called asymmetric encryption. See also private key; public key.
  • publishing license
    The license created when publishing rights-protected content. It specifies, among other items, who can access the content, which rights are granted, and under what condition it can be accessed. Also known as an issuance license.
  • publishing service
    An RMS service that signs publishing licenses and issues client licensor certificates. See also client licensor certificate; publishing license.
  • RAC
    See definition for rights account certificate.
  • revocation
    A process by which entities are listed as having invalid licenses.
  • revocation list
    An XrML based document that lists the certificates and licenses that have been revoked by the issuer. See also revocation.
  • right
    An action permitted to specified users for content protected by RMS technology. These rights can be further constrained by using conditions.
  • rights account certificate (RAC)
    The certificate that uses the machine certificate from RMS activation to bind a user's account and key to a specific computer or groups of computers. The certificate's components are used to consume rights-protected content. Also known as group identity certificate (GIC) in the RMS SDK.
  • rights management
    A technology that provides persistent protection to digital data using encryption, certificates, and authentication. Authorized recipients or users must acquire a license in order to consume the protected files, according to the rights, or business rules, set by the content owner.
  • Rights Management Services client
    A set of RMS APIs that each client computer in an RMS system must install. It is a prerequisite for machine activation, and is required for using RMS-enabled applications.
  • Rights-protected content
    Digital information that is protected by RMS technology.
  • rights policy template
    Describes a standard set of users, rights, and conditions that can be applied to rights-protected content. When a user applies a rights policy template to a piece of content, the rights and conditions it describes become part of the publishing license.
  • RMS activation
    The process of placing a lockbox on an end user's computer in RMS version 1.0. This can only be provided by the RMS activation service, and is essential for using the RMS technology. In RMS version 1.0 with SP1 and later, this is the process of obtaining a machine certificate for a user of that computer and does not require a connection to the RMS activation service. Also known as activation.
  • RMS Certification Service
    A Microsoft-hosted Web service that issues rights account certificates to users based on their Microsoft .NET Passport credentials.
  • RMS client
    See Rights Management Services client.
  • RMS machine certificate
    The certificate placed on a RMS client during RMS activation. The public key in this certificate is used to encrypt the user's private key contained in the user's rights account certificates.
  • RMS-enabled application
    An application that has been extended by using the Rights Management Services SDK to allow users to specify the rights attached to content that they create.
  • RMS-enabled computer
    A computer that has the RMS client component installed and has undergone RMS machine activation so that it can process content protected by RMS.
  • RMS-protected content
    See rights-protected content.
  • root certification cluster
    See root cluster.
  • root certification server
    The first server in an RMS root cluster that provides administration, enrollment, account certification, activation proxy, licensing, and publishing services. There can only be one root certification server per Active Directory forest.
  • Root cluster
    One or more servers in an RMS deployment providing administration, enrollment, account certification, activation proxy, licensing, and publishing services. These servers use a common database and connection URL, and should be deployed behind either a software or hardware load balancer. There can only be one root cluster per Active Directory forest.
  • root of trust
    A trusted entity that provides the basis for establishing the trust of other certificates. All the certificate providers and the ultimate user must trust the root.
  • security ID (SID)
    A Windows data structure that identifies every Windows user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name.
  • server licensor certificate
    The certificate that establishes the credentials of the RMS server, making it a valid certification and licensing service, and enabling it to run. The licensor certificate contains the public key used to encrypt content keys in publishing licenses.
  • server service
    An RMS Web service that is intended to be used by another service.
  • service connection point (SCP)
    An Active Directory object that references the root cluster URL of an RMS deployment. The RMS client uses this information to locate RMS services during service discovery.
  • Service discovery
    The process by which RMS clients discover the RMS services available on the network.
  • subenrollment
    Part of the provisioning process for a licensing-only cluster, by which the licensing-only cluster obtains a server licensor certificate from the root cluster.
  • subenrollment request
    A request sent by a licensing-only cluster to the root cluster for a server licensor certificate.
  • subenrollment service
    An RMS Web service on the root cluster that responds to requests for server licensor certificates that are submitted by licensing-only clusters during provisioning.
  • super user
    A member of the super user group.
  • super user group
    An optional user group for each RMS cluster that will be granted owner licenses by the RMS server when opening content published by that server.
  • use license
    The license that lists the rights and conditions under which an end user can consume rights-protected content. Also known as end-user license (EUL).