Setting Up Certification and Licensing Services on the First Server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To set up RMS in a forest, first install and provision one server. The first server that you deploy is the root cluster. This server provides both certification and licensing support, and can be used as the only server in a single-server configuration, or as the initial server of a root cluster.

Roles, Permissions, and Rights Required for Installation and Provisioning Additional RMS Servers

To install RMS, you must log on using an account that has local administrator privileges. In addition, you must be logged on to a domain with a valid domain account to allow Active Directory to authenticate RMS. If you are deploying RMS in an environment where your Active Directory infrastructure uses Windows 2000 native mode, RMS may not be able to read the memberOf attribute on Active Directory objects when Active Directory attempts to expand group membership. To allow RMS to read the memberOf attribute, the RMS service account must be a domain account that is a member of the Pre-Windows 2000-compatible access group that is in your forest. If you have deployed groups with hidden membership you will also need to configure the RMS service account with permissions that enable it to read the hidden membership. For more information, see Microsoft Knowledge Base article 812841 (


The RMS service account cannot be the same domain account that was used to install RMS.

Installation and Provisioning Processes for the Initial Server

Deploying the RMS server involves two steps. First, the RMS server software must be installed along with all supporting software such as IIS, Message Queuing and ASP.NET. For more information about installation, see "To Install RMS with Service Pack 2" in “RMS: Operations” in this documentation collection.


RMS can also be installed at a command prompt. For more information, see “Command Prompt RMS Installation” in “RMS: Operations” in this documentation collection.

After you install RMS on a server, you must provision RMS to be used on a single Web site that is on the server. When you provision this Web site, many of the settings of the Web site are modified and virtual directories are added. For more information about these changes, see “Internet Information Services Support for RMS” in “RMS: Technical Reference” in this documentation collection.

You can use either the default Web site that is in IIS or you can create a new Web site. To provision RMS on a site other than the default Web site, you must create the Web site before you start this provisioning process. If you are using the default Web site for other purposes, you should create a new site for RMS so that the default configuration is maintained for the default Web site.

When you click Windows RMS Administration on the Start menu, the Global Administration page appears. On this page, you can start the provisioning process on a Web site. To provision the first RMS server, you must supply the following information:

  • Specify the name of the database to be used for the RMS configuration, logging, and directory services databases.

    If your SQL Server instance has a name that is not the same name as the local server name, you must set it up as a remote SQL Server instance, even if everything is installed on a single server.

    During provisioning the currently logged on user account must have permission to create databases on the database server.

  • Specify the account to be used for the RMS service account. For a local configuration, you can use the Local System account, although it is not recommended because of the inherent security issues that are involved with running a service that has Local System privileges. It is recommended to use domain account with no additional permissions.

    For an installation that includes a remote SQL Server instance or more than one RMS server, you must specify a domain account. The domain account that you use must have Active Directory look-up privileges, and it will be used to create the IIS Application Pool under which the Administration console runs. If you are not upgrading or using an existing database, the RMS service account requires database-creation privileges. If you are using existing databases, the account needs read and write permissions for each of the RMS databases.

  • Specify the cluster URL to be used to access this Web site. The default value is the name of the site that you are provisioning (such as Default Web site, if you are provisioning a server with a default installation of IIS). You can specify a custom cluster URL to access a different Web site, for example, to support a load-balancing URL or to support both intranet and Internet access. You must verify that the custom cluster URL works and that it has a DNS entry configured to ensure that both the Global Administration and Provision pages find the virtual roots. If this URL is for an Internet-enabled deployment, ensure that the new URL is available from both the Internet and the corporate network.

  • Select the mechanism to be used to protect the root installation private key that is used for enrollment. The default is to use software-based encryption and protect the encrypted private key in the RMS configuration database. If you use the default configuration, you must provide a strong password for encrypting the value that is in the database.

    However, if you have a hardware security module (HSM) installed and configured on the computer, you can also select a hardware-based cryptographic service provider (CSP) to use with the hardware security module and store the private keys in hardware, such as a smart card. RMS requires a full RSA provider, and only those providers are available in the list of CSPs. Using an HSM to protect the RMS private key is strongly recommended.

    If you use the software-based CSP option to secure the RMS private key with a password, you should secure that password in a safe archive for future reference. You should also store a backup copy of the configuration database with the password. When you do this, you can restore RMS if the configuration database becomes damaged. If you change the password for any reason, make a new backup copy of the configuration database that stores the private key secured with that password, and then place both in the safe archive. For more information about how to back up and restore the configuration database, see “Backing Up and Restoring the System for RMS” in “RMS: Planning” in this documentation collection.

  • Specify the name to be used inside the server licensor certificate. By default, this is the name of the server.

  • Specify a proxy server (including address and port) to reach the Internet, if appropriate.

  • Specify an e-mail address that other RMS administrators can use to contact an administrator if issues arise when that administrator attempts to subenroll a server in a licensing-only cluster. After you provision the root installation, you can change the address.

  • Select a server licensor certificate revocation method to control who, other than the Microsoft Enrollment Service, can revoke the server licensor certificate of the root installation. To use third-party revocation, you must specify the path and name of the file that contains the public key for that third-party entity.

If you selected the online enrollment option, when you click Submit on the Provision page (after you configure all appropriate options), RMS generates a key pair and sends the public key to the Microsoft Enrollment Service.


If you receive error messages, do not close the page on which the errors are displayed. After you resolve the errors, open a command prompt window and type IISReset to stop and restart IIS, go back to the previous screen, retype the information on the provisioning screen, and then click Submit again.

The Microsoft Enrollment Service creates a server licensor certificate and returns it to the configuration database within a few minutes. Because this is the first server in the domain on which RMS is installed, this step constitutes the process of enrolling the first server in root cluster.

If you selected the offline enrollment option, you will enroll the server with the Microsoft Enrollment Service manually after the provisioning process is complete. The enrollment process must be completed before the server can be used. For more information, see “To Manually Enroll a Root Certification Server” in “RMS: Operations” in this documentation collection.

After you finish provisioning and enrolling a server, the links that are on the Global Administration page change. The Provision RMS on this site link changes to an Administer RMS on this site link, the Add this server to a cluster link is replaced with a Change RMS service account link, and a Remove RMS from this Web site link is added to the page.

This initial server establishes the root cluster installation of RMS. The root cluster can consist of a single server or multiple servers. After you finish the installing and provisioning of the initial server, you can set up additional servers to provide redundancy and load-balancing support for certification and licensing services.

Once your configuration is complete you must register the service connection point of your root cluster in Active Directory to allow RMS-enabled clients to discover the service. For more information, see “Registering the Service Connection Point” in “RMS: Operations” in this documentation collection. If the service connection point is not registered and RMS client registry overrides are not in place, your RMS client will not be able to be used with RMS.


You must completely install and provision RMS on the first server before you start the installation of RMS on any other servers.

RMS supports protection of content to Active Directory groups whose membership spans multiple forests. If your organization does not have multiple forests or groups that span multiple forests, you can optimize the performance of the use license issuance process on your RMS cluster by modifying the MaxCrossForestCalls cluster policy in the RMS configuration database.

This policy specifies the maximum number of times a group's membership can cross forest boundaries. The default value is 10. To change that value to 0, use the following SQL command:

update DRMS_ClusterPolicies set PolicyData=0 where PolicyName='MaxCrossForestCalls'

The following topics provide the detailed steps that are required to complete the tasks that are available from the RMS Global Administration page:

  • For information about how to use the installation wizard to install the initial server, see “To Install RMS with Service Pack 2” in “RMS: Operations” in this documentation collection.

  • For information about how to provision the initial server, see “To Provision the First Server in the Root Cluster” in “RMS: Operations” in this documentation collection.

  • For information about how to add servers to the root cluster, see “Adding Servers to Support Certification and Licensing” later in this subject.