Known issues with RMS to AD RMS migration

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2

The following list contains known issues that should be addressed before migrating from RMS on Windows Server 2003 to AD RMS on Windows Server 2008 or Windows Server 2008 R2:

  • On the new server where you will install AD RMS, you must temporarily disable the FIPS requirement until AD RMS is installed. This is because Message Queuing is installed as a dependent role service when the AD RMS server role is installed. To disable the FIPS requirement, set the following registry entry to zero:


  • RMS servers must have at least RMS with Service Pack 1 (SP1) or RMS with Service Pack 2 (SP2) before the server is upgraded or migrated to Windows Server 2008, or at least RMS with SP2 before the server is upgraded or migrated to Windows Server 2008 R2. These service packs are available on the Microsoft Download Center.

  • In order to install AD RMS on a Web site other than the Internet Information Services (IIS) Default Web site, you must first install the IIS 6 Metabase Compatibility role service, which is a part of the Web Server server role. AD RMS uses this role service to enumerate the Web sites available on the AD RMS server. If the IIS 6 Metabase Compatibility role service is not installed, the AD RMS server role wizard shows only the Default Web site.

  • If you are using a port number other than 80 or 443 for your AD RMS installation, you should ensure that the intranet and extranet cluster URLs display the correct port number. You can verify this by using the Active Directory Rights Management Services console.

  • If you are installing AD RMS on a domain controller that was upgraded from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2 and you are using a software-based cryptographic storage provider, you must add the AD RMS Service Group and the Domain Admins groups to the private key. The private key is found in the %systemdrive%\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.

  • If you receive the following error:

    "The 'tempDirectory' attribute must be set to a valid absolute path."

    You must set enable32BitAppOnWin64="false" in the IIS applicationHost.config file. By default, this file is located in %windir%\system32\inetsrv\config, where %windir% is the root directory of the Windows installation.

  • If you try to join a Windows Server 2008– or Windows Server 2008 R2–based computer to an RMS cluster that is not running RMS with the correct service pack, you may see the following error:

    Attempt to configure Active Directory Rights Management Server failed. Could not find stored procedure 'AddTrustedCertificateAuthority.'
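
For the 'tempDirectory' error item above, a read-only check that lists each application pool's effective enable32BitAppOnWin64 value in applicationHost.config, so you can see where "false" has to be set. This is an added example, not Microsoft's code. The precedence it applies (pool attribute, then applicationPoolDefaults, then "false"), the function name, and the sample pool names are assumptions of the example.

```powershell
# Added example, read-only: show each application pool's effective
# enable32BitAppOnWin64 value from applicationHost.config.

# A 32-bit PowerShell on 64-bit Windows has system32 redirected to SysWOW64;
# the sysnative alias reaches the real IIS configuration directory.
$sysDir = 'system32'
if ($env:PROCESSOR_ARCHITEW6432) { $sysDir = 'sysnative' }
$configPath = Join-Path $env:windir "$sysDir\inetsrv\config\applicationHost.config"

# Constructed sample, used only when the real file is absent (pool names are made up).
$sample = @'
<configuration><system.applicationHost><applicationPools>
  <add name="ExamplePoolA" />
  <add name="ExamplePoolB" enable32BitAppOnWin64="false" />
  <applicationPoolDefaults enable32BitAppOnWin64="true" />
</applicationPools></system.applicationHost></configuration>
'@

function Get-AppPool32BitSetting {   # hypothetical helper name
    param([xml]$Config)
    $base = '/configuration/system.applicationHost/applicationPools'
    # Assumed precedence: pool attribute, then applicationPoolDefaults, then "false".
    $inherited = 'false'
    $defaults = $Config.SelectSingleNode("$base/applicationPoolDefaults")
    if ($defaults -and $defaults.HasAttribute('enable32BitAppOnWin64')) {
        $inherited = $defaults.GetAttribute('enable32BitAppOnWin64')
    }
    foreach ($pool in $Config.SelectNodes("$base/add")) {
        $value = $inherited
        $setOn = 'applicationPoolDefaults or default'
        if ($pool.HasAttribute('enable32BitAppOnWin64')) {
            $value = $pool.GetAttribute('enable32BitAppOnWin64')
            $setOn = 'pool'
        }
        New-Object PSObject -Property @{
            AppPool     = $pool.GetAttribute('name')
            Enable32Bit = $value
            SetOn       = $setOn
            NeedsChange = ($value -eq 'true')   # comparison is case-insensitive
        }
    }
}

if (Test-Path $configPath) {
    $config = [xml](Get-Content $configPath)
} else {
    Write-Warning "Not found: $configPath; using the constructed sample"
    $config = [xml]$sample
}
Get-AppPool32BitSetting -Config $config |
    Format-Table AppPool, Enable32Bit, SetOn, NeedsChange -AutoSize
```

The script only reads the file. With the constructed sample, ExamplePoolA is reported as needing a change because it inherits "true" from applicationPoolDefaults, while ExamplePoolB is not.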