Event ID 78 — AD RMS Trust Hierarchy Determination

Applies To: Windows Server 2008 R2

Active Directory Rights Management Services (AD RMS) supports two trust hierarchies: production and ISV. The ISV hierarchy is used for developing AD RMS-enabled applications. The production hierarchy should be used for all production installations of AD RMS.

Important: The production hierarchy should be used for all AD RMS installations, unless you are developing an AD RMS-enabled application.

Event Details

Product: Windows Operating System
ID: 78
Source: Active Directory Rights Management Services
Version: 6.1
Symbolic Name: NoTrustHierarchyInfoEvent
Message: The trust hierarchy for this Active Directory Rights Management Services (AD RMS) server could not be determined.
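
To find which servers in a cluster have logged this event, the following added example (not part of the original article) queries each server for Event ID 78 from the source listed above. The server names are placeholders, and it assumes the event is written to the Application log.

```powershell
# Added example. Reports, per server, how often Event ID 78 (NoTrustHierarchyInfoEvent)
# was logged in the last N days. Written to run on PowerShell 2.0 (Windows Server 2008 R2).
function Find-AdRmsTrustHierarchyEvent {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        [int]$Days = 7
    )

    $filter = @{
        LogName      = 'Application'   # assumption: adjust if the events are logged elsewhere
        ProviderName = 'Active Directory Rights Management Services'   # Source, from Event Details
        Id           = 78
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    foreach ($computer in $ComputerName) {
        $status = 'OK'
        $events = @()
        try {
            $events = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop)
        }
        catch {
            # "No events found" is the healthy case; anything else means the query itself failed.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                $status = "Query failed: $($_.Exception.Message)"
            }
        }

        $latest = $null
        if ($events.Count -gt 0) { $latest = $events[0].TimeCreated }   # Get-WinEvent returns newest first

        New-Object PSObject -Property @{
            Server     = $computer
            Event78    = $events.Count
            LastLogged = $latest
            Status     = $status
        } | Select-Object Server, Event78, LastLogged, Status
    }
}

# Example call (placeholder server names):
# Find-AdRmsTrustHierarchyEvent -ComputerName 'rms01.example.test', 'rms02.example.test' -Days 14
```

A server that shows a non-zero count needs the resolution steps below; a server whose status is not OK could not be queried and should be checked separately.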

Resolve

Restore AD RMS configuration database from backup

The server licensor certificate (SLC) must chain back to one of the trusted roots in the AD RMS configuration database. If this chain of trust does not exist, it may not be possible to consume rights-protected content. You can attempt to restore the AD RMS configuration database from a previous backup that contains the SLC by following the procedure in the "Restore AD RMS configuration database from previous backup" section. If this procedure does not correct the issue, you should remove AD RMS and then install AD RMS again by using the following procedures: "Remove the Active Directory Rights Management Services server role" and "Install the Active Directory Rights Management Services server role."

Restore AD RMS configuration database from previous backup

The AD RMS configuration database stores the SLC. If the SLC information does not exist in the AD RMS configuration database, you should restore the AD RMS configuration to a state where the SLC information existed.

To perform this procedure, you must be a member of the System Administrators database role in the AD RMS configuration database, or you must have been delegated the appropriate authority.

To restore AD RMS configuration database from previous backup:

  1. Log on to the AD RMS configuration database server, click Start, point to All Programs, click Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  2. In the Server name box, type the name of the AD RMS configuration database server, and then click Connect.
  3. Right-click Databases, and then click Restore Database.
  4. In the To database box, select the AD RMS configuration database from the list.
  5. Click the From device option, and then click the browse button.
  6. Click Add.
  7. In the Locate Backup File window, select the database backup file, and then click OK two times.
  8. Select the Restore check box, and then click OK.

Remove the Active Directory Rights Management Services server role

If the SLC information exists in the AD RMS configuration database, the SLC chain of trust is not valid. The only way to correct this chain of trust is to re-install the AD RMS cluster.

Caution: Perform the procedure in this section only if restoring the AD RMS configuration database did not restore the SLC information in the AD RMS configuration database. All rights-protected content should be decrypted before re-installing the AD RMS cluster.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To remove the Active Directory Rights Management Services server role:

  1. Log on to a server in the AD RMS cluster.
  2. Click Start, point to Administrative Tools, and then click Server Manager.
  3. In the Roles Summary section, click Remove Roles, and then click Next.
  4. Clear the Active Directory Rights Management Services check box, and then click Next.
  5. Click Remove.

Install the Active Directory Rights Management Services server role

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To install the Active Directory Rights Management Services server role:

  1. Log on to a server in the AD RMS cluster.
  2. Click Start, point to Administrative Tools, and then click Server Manager.
  3. In the Roles Summary section, click Add Roles, and then click Next.
  4. Select the Active Directory Rights Management Services check box, and then click Next.
  5. Complete the appropriate information in the AD RMS role wizard setup.
  6. Click Install.
  7. When the installation is complete, click Close.

Verify

Two trust hierarchies are supported by AD RMS: Production and ISV. The Production hierarchy should be used, except in special scenarios such as when you are developing an AD RMS-enabled application and want to be in the ISV hierarchy.

To perform this procedure, you must be a member of the local AD RMS Enterprise Administrators group, or you must have been delegated the appropriate authority.

To verify that the trust hierarchy is correct:

  1. Log on to a server in the AD RMS cluster.
  2. Open the Active Directory Rights Management Services console.
  3. Right-click the AD RMS cluster, and then click Properties.
  4. Click the Server Certificate tab. Verify that the value in the hierarchy box is Production.
