Quick Deployment Guide
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This guide is intended to help you quickly set up a server running RMS with Service Pack 2 so that you can evaluate it and decide if you want to do a more wide-scale deployment in your organization.
Step 1 - Prepare for RMS
RMS depends on other components that you install and configure before you use the service. Your infrastructure will satisfy the basic requirements for RMS after you complete the following tasks:
Configure a computer that is running Windows Server 2003, and then join the computer to an Active Directory domain. (For small organizations that have only one server, this computer can also be the domain controller for Active Directory. However, in this case the computer must be running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition. A computer running Windows Server 2003, Web Edition, cannot be a domain controller.)
Configure the server for the Application Server role. To do this, click Start, double-click Control Panel, and then double-click Add or Remove Programs. In Add or Remove Programs, click Add/Remove Windows Components, and then make sure that the following services are enabled under Application Server:
Internet Information Services (IIS)
Accept the default options for each service. No further configuration is necessary.
Configure a database server by using one of the following database applications:
Microsoft® SQL Server 2000 with SP3a or later. This can be a local database installation, or a remote installation that is in the same domain.
Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) Release A or Microsoft SQL Server Express Edition. This must be a local installation. To download Microsoft SQL Server Express Edition, see http://go.microsoft.com/fwlink/?LinkID=65771.
Configure the Domain Name System (DNS) to resolve that URL to the RMS cluster IP address. You should use a fully-qualified domain name for the cluster URL to ensure that clients in other DNS zones are able to resolve the IP address of the RMS cluster.
Create an administrator account to use with RMS.
Commonly Used Optional features
The following features are optional; if you elect to use them, be sure to make the necessary preparation before starting the installation and provisioning process for RMS:
You can configure RMS to use a hardware security module (HSM) to store private keys. If you want to use a hardware security module, make sure that the drivers are properly configured and that the security world is defined.
You can automatically download a server licensor certificate during the provisioning process if your RMS server is able to communicate with the Internet. If your organization uses a proxy server to connect to the Internet, verify proxy settings in Internet Explorer, including any authentication requirements, and record them to use later.
If you will be running RMS on a domain controller and you plan to use a user account to run the RMS services, make sure that the Domain Controller Security Policy is configured to grant the user account permission to log on locally. For more information about how to configure the Domain Controller Security Policy, see Windows Server 2003 Help and Support Center.
Step 2 - Provision the first RMS Server
Provisioning is the process of configuring a Web site with RMS so that users can begin to use the service.
To provision the root cluster
Log on to the computer as a domain user with local administrator privileges. If you are installing RMS on a domain controller, log on as a domain administrator.
Click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration to open the Global Administration page. This page lists the Web sites that are available on this server.
Click the Web site that you want to provision with RMS, and then click Provision RMS on this Web site. When the page opens, it says Provision the RMS Root Certification Server at the top of the page.
Complete the page with the information for your organization.
In the Cluster URL box, type the service name (such as certification.contoso.com) that you configured in step 4 in the previous procedure. If you want to use SSL with your installation, click the HTTPS protocol in the protocol list. After making this selection, you must require SSL for RMS Web services and install SSL certificate through IIS.
If your server is connected to the Internet through a proxy server, in the RMS Proxy Settings area complete the section with the information that you recorded from Internet Explorer as described in the optional features portion of the previous procedure.
In the Server Internet Connectivity area select Online if you want the server to connect to the Microsoft Enrollment Service using the Internet and obtain a server licensor certificate automatically during the provisioning process. Select Offline if you want to manually connect to the Microsoft Enrollment Service and download the server licensor certificate and then import it after provisioning RMS.
In approximately 60 to 90 seconds, provisioning is completed successfully, which allows you to return to the Global Administration page where you can administer your newly provisioned RMS server.
On the Global Administration page, select Administer RMS on this Web site to open the Administration home page for the RMS server.
If you selected Offline for Server Internet Connectivity in Step 4, complete the procedure "To Manually Enroll a Root Certification Server" before continuing.
On the Administration home page, click the RMS service connection point link.
The next step in this procedure, registering a service connection point, requires using a domain account that has sufficient privileges to create a container object underneath the Services container in the Active Directory forest Configuration container. The predefined security group, Enterprise Admins, is an example of an account with the required privileges.
On the RMS service connection point page, click the Register URL button. This registers the service connection point of RMS in Active Directory so that RMS-enabled applications can discover RMS licensing, activation proxy, and certification services.
Step 3 - Test RMS
Before you can fully use RMS, you need to install the Microsoft Windows Rights Management Services client and an RMS-enabled application on the client computers. Users must be members of the Active Directory domain, and the client computers must be joined to the domain. Also, domain users must all have e-mail addresses that are defined in Active Directory.
To test RMS
Log on to the client computer as a valid domain user.
If the computer is not running Windows Vista®, install the RMS client with Service Pack 2.
Install an RMS-enabled application.
Create a rights-protected file, give everyone read-only rights to that file, and then save the file to a shared folder to which users have full access.
Log on to the computer as a different user. Open the file and attempt to make changes. If RMS is properly installed, you cannot make changes to the file.