To Provision the First Server in a Licensing-only Cluster

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To perform this procedure, you must be logged on locally to the administration Web site with a domain user account that is a member of the Administrators group. In addition, the subenrollment process requires read and execute permissions for both the domain user account and the RMS service group on the subenrollment RMS pipeline. For more information, see "Setting Permissions on the Subenrollment Service File" earlier in this subject. If you are using a remote SQL Server database, the account with which you log on must also have the Database Creators role on the SQL Server. As a security best practice, consider using Run as to perform this procedure.

To open the Global Administration page, click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration.

On each server, you can provision RMS only on a single Web site. If you want to provision RMS on a Web site other than the default Web site, use Internet Information Services Manager to add the Web site before starting this provisioning process. If the Web site that you want to provision does not appear in the list of Web sites, close the Global Administration page, add the Web site, and then start the provisioning process again.

If you are deploying RMS in an environment where your Active Directory domain functional level is set to Windows 2000 native, RMS may not be able to read the memberOf attribute on Active Directory distribution list objects that are hidden when attempting to expand group membership. To allow RMS to read the memberOf attribute, the RMS service account must use a domain account that is a member of the Pre-Windows 2000-Compatible Access (Builtin) group in your forest.


Adding the RMS service account to the Pre-Windows 2000 Compatible Access group should only be done if the Active Directory infrastructure contains hidden distribution lists. Members of this group have read access to every object in Active Directory.

If you type a custom URL for the cluster, be sure to register it in your Domain Name System (DNS), and verify that it works. If this is an Internet-enabled deployment, verify that the URL is available both from the Internet and from within your organization. You must specify HTTPS for your cluster URL if you have enabled SSL for the Web services files.

Provisioning the First Server in a Licensing-only Cluster

To provision the first server in a licensing-only cluster

  1. Log onto the RMS server as a member of the local Administrators group.

  2. Open the Global Administration page, and then click Provision RMS on this Web site.

    You can select the default Web site or another Web site that you have created in Internet Information Services (IIS) for this purpose.


    Running any additional Web sites or services on the same server as RMS is not supported. Doing so could result in multiple applications and services running under the same account as RMS, which could expose the private keys to unwarranted operations.

  3. In the Configuration database area, the default option is to create the configuration database on the local server. You can use a database server such as SQL Server™ 2000 with SP3, Microsoft SQL Server 2000 Desktop Engine (MSDE), Microsoft SQL Server 2005, or Microsoft SQL Server 2005 Express Edition for a local database. If you are using a remote database, or if you are running your database server on the local server but the database server instance has a name other than the name of this server, select Remote database, and then enter the name of the database server.


    It is recommended that Microsoft SQL Server 2000 Desktop Engine and Microsoft SQL Server 2005 Express Edition be used to support RMS databases only in test environments because they do not support any network interfaces. In addition, the terms of use for these products specify that you cannot use SQL Server client tools to manipulate the databases contained within them. With this restriction you will be unable to view logging information or change data stored in the configuration database.

  4. In the RMS service account area, specify the RMS service account under which RMS will run for most normal operations. Specify a domain account that is part of the Domain Users group and has no additional permissions on your network. Provide the account name in the form domain_name\user_name, and the password.


    For security reasons, it is recommended that you create a special domain user account to use as the RMS service account, and that you do not grant it any special permissions. The RMS service account cannot be the same domain account that was used to install RMS with Service Pack 2.

  5. In the Cluster URL area, type the URL for the licensing-only cluster that will be used for clients on the internal network. The default entry uses the server name; for example Contoso-cert. You can edit this as necessary, for example to configure a URL for the cluster or a load balancer that serves the cluster. You can also select either HTTP or HTTPS. After provisioning, you can configure an external cluster URL from the administration Web pages for use by clients that are outside of your internal network.


    It is recommended to use a fully qualified domain name (FQDN) for both the cluster URL and the extranet cluster URL. Doing so will make it easier to change the migrate the configuration database in the future because the cluster URLs are not tied to a specific computer name.

  6. In the Private key protection and sub-enrollment area, select the mechanism for protecting the server private key by doing one of the following:

    • Use the default software-based private key protection. If you select this option, the private key is stored and protected in the RMS configuration database. You must provide a strong password for encrypting the key in the database.


    Secure this password in a safe archive for future reference. Store a backup copy of the configuration database (also secured with this password) in the safe archive. This provides a mechanism to restore RMS if the SQL Server database is corrupted. If you change the password for any reason, make a new backup of the configuration database that is keyed to that password, and then place both in the safe archive.

    • Use a cryptographic service provider (CSP). To use a CSP or a hardware security module (HSM), clear the Use the default software-based private key protection check box. In the Select your cryptographic service provider list, select the CSP or HSM that you have installed. RMS requires a full Rivest-Shamir-Adleman (RSA) provider; only those providers are included in the list of CSPs.


    It is recommended that you use either the default software-based private key protection or an HSM. If you use a different software-based CSP, make sure that you have organizational key management practices (such as backup and restore procedures) in place for that CSP before you use it with RMS.

  7. This step only applies if you selected a hardware-based CSP. To specify the server key pair to use, do one of the following:

    • For a new installation, select Create a new public/private key pair.

    • If you are recovering or upgrading an existing RMS server, select Use an existing public/private key pair. Under Existing key container, click Browse, and then select the key container for the server key pair.


    If you do not use an existing key pair when recovering or upgrading an existing RMS server, all existing RMS clients will need to have their license stores cleared (use licenses and rights account certificates deleted) and then they will have to get new licenses from the server to consume content.

  8. In Server licensor certificate name, enter a name to be used inside the server licensor certificate. By default, this is the name of the server.

  9. If your organization uses a proxy server to connect to the Internet, select the This computer uses a proxy server to connect to the Internet check box, and then type the address and port of the proxy server.

    If the proxy server requires authentication, select the authentication type and supply a user name and password that can be authenticated by the proxy server. If you are using Integrated Windows authentication, you must also specify a domain.

  10. Click Submit.

    The RMS subenrollment service generates a public/private key pair for the licensing server and signs the public key with the root cluster private key. It also creates a server licensor certificate for the licensing-only cluster. It sends these items to the configuration database within a few minutes.


    If error messages display, do not close the page. Instead, run IISReset from a command prompt to stop and restart IIS, go back to the previous page, re-enter the provisioning information, and then click Submit again. If you receive a "Request timed out" error, close the window, verify that the system meets the minimum hardware requirements, and try provisioning the server again.

For instructions on adding additional server to a licensing-only cluster, see "To Add a Server to a Cluster" later in this subject.