To Provision the First Server in the Root Cluster

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To perform this procedure, you must be logged on locally to the administration Web site with a domain user account that is a member of the Administrators group. If you are using a remote SQL Server database, this account must also be granted the Database Creators role on the SQL Server. As a security best practice, consider using Run as to perform this procedure.

To open the Global Administration page, click Start, point to All Programs, point to Windows RMS, and then click Windows RMS Administration.

On each server, RMS can only be provisioned on a single Web site. If you want to provision RMS on a Web site other than the default Web site, use Internet Information Services Manager to add the Web site before starting this provisioning process. If the Web site that you want to provision does not appear in the list of Web sites, close the Global Administration page, add the Web site, and then start the provisioning process again.

If you are deploying RMS in an environment where your Active Directory domain functional level is set to Windows 2000 native, RMS may not be able to read the memberOf attribute on Active Directory distribution list objects that are hidden when attempting to expand group membership. To allow RMS to read the memberOf attribute, the RMS service account must use a domain account that is a member of the Pre-Windows 2000-Compatible Access (Builtin) group in your forest.


Adding the RMS service account to the Pre-Windows 2000 Compatible Access group should only be done if the Active Directory infrastructure contains hidden distribution lists. Members of this group have read access to every object in Active Directory.

If you type a custom URL for the cluster, be sure to register it in your Domain Name System (DNS), and verify that it works. If this is an Internet-enabled deployment, verify that the URL is available both from the Internet and from within your organization. You must specify HTTPS for your cluster URL if you have enabled SSL for the Web services files.

Provisioning the First Server in the Root Cluster

To Provision the First Server in the Root Cluster

  1. Log on to the RMS server as a member of the local Administrators group.

  2. After installing RMS on a server that is designated as the first server in the root cluster in an Active Directory forest, open the Global Administration page by clicking Start, pointing to All Programs, pointing to Windows RMS, and then clicking Windows RMS Administration.

  3. Next to the Web site on which you want to provision RMS, click Provision RMS on this Web site. You can select the default Web site or another Web site that you have created in Internet Information Services (IIS) for this purpose.


    Running any additional Web sites or services on the same server as RMS is not supported. Doing so could result in multiple applications and services running under the same account as RMS, which could expose the private keys to unwarranted operations.

  4. In the Configuration database area, the default option is to create the configuration database on the local server. You can use a database server such as Microsoft SQL Server™ 2000 with SP3, Microsoft SQL Server 2000 Desktop Engine (MSDE), Microsoft SQL Server 2005, or Microsoft SQL Server 2005 Express Edition for a local database. If you are using a remote database, or if you are running your database server on the local server but the database server instance has a name other than the name of this server, select Remote database, and then enter the name of the database server.


    It is recommended that Microsoft SQL Server 2000 Desktop Engine and Microsoft SQL Server 2005 Express Edition be used to support RMS databases only in test environments because they do not support any network interfaces. In addition, the terms of use for these products specify that you cannot use SQL Server client tools to manipulate the databases contained within them. With this restriction you will be unable to view logging information or change data stored in the configuration database.

  5. In the RMS service account area, specify the RMS service account under which RMS will run for most normal operations. Specify a domain account that is part of the Domain Users group and has no additional permissions on your network. Provide the account name in the form domain_name\user_name, and the password.


    For security reasons, it is recommended that you create a special domain user account to use as the RMS service account, and that you do not grant it any special permissions. The RMS service account cannot be the same domain account that was used to install RMS with Service Pack 2.

  6. In the Cluster URL area, type the URL for the root cluster that will be used for clients on the internal network. The default entry uses the server name; for example, Contoso-cert. You can edit this as necessary, for example to configure a URL for the cluster or a load balancer that serves the cluster. You can also select either HTTP or HTTPS. After provisioning, you can configure an external cluster URL from the administration Web pages for use by clients that are outside of your internal network.


    It is recommended to use a fully qualified domain name (FQDN) for both the cluster URL and the extranet cluster URL. Doing so will make it easier to migrate the configuration database in the future because the cluster URLs are not tied to a specific computer name.

  7. In the Private key protection and enrollment area, select the mechanism for protecting the server private key by doing one of the following:

    • Use the default software-based private key protection. If you select this option, the private key is stored and protected in the RMS configuration database. You must provide a strong password for encrypting the key in the database.


    Secure this password in a safe archive for future reference. Store a backup copy of the configuration database (also secured with this password) in the safe archive. This provides a mechanism to restore RMS if the SQL Server database is corrupted. If you change the password for any reason, make a new backup of the configuration database that is keyed to that password, and then place both in the safe archive.

    • Use a cryptographic service provider (CSP). To use a CSP or a hardware security module (HSM), clear the Use the default software-based private key protection check box. In the Select your cryptographic service provider list, select the CSP or HSM that you have installed. RMS requires a full Rivest-Shamir-Adleman (RSA) provider; only those providers are included in the list of CSPs.


    It is recommended that you use either the default software-based private key protection or an HSM. If you use a different software-based CSP, make sure that you have organizational key management practices (such as backup and restore procedures) in place for that CSP before you use it with RMS.

  8. This step only applies if you selected a hardware-based CSP. To specify the server key pair to use, do one of the following:

    • For a new installation, select Create a new public/private key pair.

    • If you are recovering or upgrading an existing RMS root cluster, select Use an existing public/private key pair. Under Existing key container, click Browse, and then select the key container for the server key pair.


    If you do not use an existing key pair when recovering or upgrading an existing RMS root cluster, all existing RMS clients will need to have their license stores cleared (use licenses and rights account certificates deleted) and then they will have to get new licenses from the server to consume content.

  9. In Server Internet Connectivity, specify whether this server connects to the Internet to obtain a server licensor certificate.

    • Select Online to automatically connect to the Microsoft Enrollment Service and obtain a server licensor certificate during the provisioning process.

    • Select Offline if the RMS server does not have an Internet connection or you want to manually obtain the server licensor certificate and import it into the RMS server after provisioning has completed.

  10. In Server licensor certificate name, enter a name to be used inside the server licensor certificate. By default, this is the name of the server.

  11. If your organization uses a proxy server to connect to the Internet, select the This computer uses a proxy server to connect to the Internet check box, and then type the address and port of the proxy server.

    If the proxy server requires authentication, select the authentication type and supply a user name and password that can be authenticated by the proxy server. If you are using Integrated Windows authentication, you must also specify a domain.


    This setting can be modified after provisioning from the Security settings page of the RMS Administration Web site. However, that page is not available until after the server has been enrolled with the Microsoft Enrollment Service. If your organization requires you to use a proxy server to connect to the Internet and you do not configure a proxy server because you selected Offline for Server Internet Connectivity, you will not be able to change your settings for either the enrollment process or the proxy server until after you have completed the manual enrollment process or re-provisioned RMS.

  12. In Administrative contact, type the e-mail address of the administrator to be contacted if issues arise with the provisioning of other servers. After provisioning, you can change this e-mail address.

  13. In the Revocation area, select whether or not to allow a third-party entity to revoke the server licensor certificate of this server. If you select this option, type the path and file name of the third party's public key file.

  14. Click Submit.

    By clicking Submit, you provision the service. If you selected online enrollment, it also performs the enrollment process for the root cluster. In this process, RMS generates a public/private key pair and sends the public key to the Microsoft Enrollment Service. The Microsoft Enrollment Service creates a server licensor certificate, and returns it to the configuration database within a few minutes. If you are using offline enrollment, you must complete the task described in "To Manually Enroll the First Server in the Root Cluster" later in this subject.


    This server will not be ready to be used until the RMS service connection point (SCP) has been registered in Active Directory. Use the steps in "To Register a Service Connection Point" later in this subject to complete this process.
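The procedure above places several constraints on the RMS service account (a plain Domain Users member, not the installing account, in Pre-Windows 2000 Compatible Access only when hidden distribution lists exist) and on the cluster URL (FQDN, HTTPS when SSL is enabled, registered in DNS). The following script checks those constraints before you click Submit; it is an added example, not part of the RMS documentation or product, and assumes the ActiveDirectory RSAT module is available on the host that runs it. The account names and URL in its parameters are placeholders.

```powershell
# Added pre-provisioning check (example, not part of the RMS documentation).
# Assumes the ActiveDirectory RSAT module is available on the host running it;
# the account names and URL below are placeholders to replace with your own.
param(
    [string]$ServiceAccount = 'CONTOSO\svc-rms',         # placeholder: domain_name\user_name
    [string]$InstallAccount = 'CONTOSO\rms-installer',   # placeholder: account that installed RMS
    [string]$ClusterUrl     = 'https://rms.contoso.com', # placeholder: intended cluster URL
    [bool]$SslEnabled = $true,                           # SSL enabled on the Web services files?
    [bool]$HiddenDistributionLists = $false              # true only if AD contains hidden DLs
)
Import-Module ActiveDirectory -ErrorAction Stop
$sam    = $ServiceAccount.Split('\')[-1]
$groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name

# The procedure asks for a Domain Users member with no additional permissions.
$privileged = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
              'Account Operators','Server Operators','Backup Operators'
foreach ($g in $groups) {
    if ($privileged -contains $g) {
        Write-Warning "Service account $ServiceAccount is a member of privileged group '$g'."
    }
}
if ($groups -notcontains 'Domain Users') {
    Write-Warning "Service account $ServiceAccount is not a member of Domain Users."
}

# Pre-Windows 2000 Compatible Access reads every AD object; only hidden DLs justify it.
$pw2k = $groups -contains 'Pre-Windows 2000 Compatible Access'
if ($pw2k -and -not $HiddenDistributionLists) {
    Write-Warning "Service account is in Pre-Windows 2000 Compatible Access without hidden DLs to justify it."
} elseif ($HiddenDistributionLists -and -not $pw2k) {
    Write-Warning "Hidden DLs declared, but the service account cannot read memberOf on them."
}

# The service account must not be the account that installed RMS.
if ($ServiceAccount -ieq $InstallAccount) {
    Write-Warning "The service account must differ from the account used to install RMS."
}

# Cluster URL: HTTPS when SSL is enabled, an FQDN, and registered in DNS.
$uri = [Uri]$ClusterUrl
if ($SslEnabled -and $uri.Scheme -ne 'https') {
    Write-Warning "SSL is enabled but the cluster URL scheme is '$($uri.Scheme)', not https."
}
if ($uri.Host -notmatch '\.') {
    Write-Warning "Cluster URL host '$($uri.Host)' is not an FQDN; it is tied to a computer name."
}
try { [void][System.Net.Dns]::GetHostAddresses($uri.Host) }
catch { Write-Warning "Cluster URL host '$($uri.Host)' does not resolve; register it in DNS first." }
```

Run it from a management host before provisioning; each warning corresponds to a requirement stated in the steps above, and a silent run means none of the checked constraints is violated.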

For instructions on adding additional servers to the root cluster, see "To Add a Server to a Cluster" later in this subject.