Enabling RMS Support for Server Services

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

RMS can also provide rights account certificates and use licenses to RMS-enabled server applications. There are a few things that you should be aware of when configuring server services:

  • Discretionary Access Control Lists (DACLs) on the RMS pipelines use the most secure settings by default. You must modify the DACL when using RMS server services.

  • If the RMS client is installed on a Windows Server 2003-based server and Internet Explorer Enhanced Security Configuration is enabled, you must add the RMS cluster URL to the Internet Explorer's Trusted Sites Zone.

  • Many server services use advanced Active Directory directory services functionality that is only available if all Active Directory domain controllers are running Windows Server 2003. If you are using any server services (for example, Microsoft Office SharePoint Server 2007 or Microsoft Exchange Server 2007), it is recommended that all domain controllers are running Windows Server 2003 and that both the domain and forest Active Directory functional levels are at the Windows Sever 2003 level.

Default Discretionary Access Control List (DACL) on Server Certification Pipeline

Applications such as Microsoft Office SharePoint Server 2007 or Microsoft Exchange Server 2007 are RMS-enabled to request use licenses on behalf of users. In a default RMS installation, the DACL of the RMS server certification pipeline is restricted, which means an application cannot obtain certificates and licenses for their users. However, if you have an RMS-enabled application for these computers you can enable them to participate in your RMS system by configuring the DACLs on the RMS server certification pipeline.

RMS-enabled server applications will connect to the RMS certification service by using the ServerCertification.asmx file.

When RMS creates these files, the DACLs of the files are set to only allow access by system processes. It is recommended that you create an Active Directory security group for server services and then populate this group with the Active Directory objects of the computers that are requesting use licenses on behalf of its users.

After you create the group, you can modify the DACL for the ServerCertification.asmx file to allow the group to have the Read & Execute permission on the service. You must also add the RMS Service Group to the DACL with the Read & Execute permission.


If there is more than one RMS server in the cluster, the DACL on the ServerCertification.asmx file must be changed on each server in the cluster.

For Microsoft Exchange Server 2007, the Active Directory computer object of each Exchange bridgehead server must be added to the server services group. If this is not done, the Exchange bridgehead server will not be able to request licenses on behalf of the users who received the e-mail.

For Office SharePoint Server 2007, you must add the Active Directory computer object of the server running Office SharePoint Server 2007 to the server services group. If your Office SharePoint Server 2007 server is configured to use the default server in Active Directory, you must add the RMS Service Group and the group created for server services to the ServiceLocater.asmx file and allow the Read & Execute permission.


Internet Information Services (IIS) must be restarted after changing the DACL on ServerCertification.asmx and ServiceLocater.asmx. To reset IIS, run the iisreset command from a command prompt.