Event ID 147 — Active Directory Domain Services Availability
Applies To: Windows Server 2008 R2
Active Directory Rights Management Services (AD RMS) uses Active Directory Domain Services (AD DS) to regulate access to rights-protected content for all AD RMS users in the AD DS forest. If AD DS is not available, AD RMS cannot grant licenses to publish and consume rights-protected content.
|Product:||Windows Operating System|
|Source:||Active Directory Rights Management Services|
|Message:||Active Rights Management Services (AD RMS) group membership expansion across forests failed.
Check group expansion pipeline URL
When Active Directory Rights Management Services (AD RMS) users consume rights-protected content that was not protected in the user account's home forest (the Active Directory forest where the user account resides), the AD RMS cluster will contact the AD RMS cluster in the remote forest (an Active Directory forest with AD RMS installed and an AD RMS trust policy established) by using group expansion. The AD RMS group expansion URL must be valid and the AD RMS service account must have access to the AD RMS group expansion pipeline.
To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
Ensure that AD RMS group expansion URL is correct
To ensure that the AD RMS group expansion URL is correct:
- Log on to a server in the AD RMS cluster in the home forest using the home cluster's AD RMS service account credentials.
- Click Start, click All Programs, and then click Internet Explorer.
- In the address bar, type http(s)://cluster_url/groupexpansion/groupexpansion.asmx where cluster_url is the cluster URL for AD RMS in the remote forest, and then press ENTER.
- Verify that the GroupExpansionWebService Web Service Web page appears in the browser window.
- If the GroupExpansion WebService Service Web page does not appear, add the AD RMS service account to the AD RMS cluster group expansion pipeline in the remote forest.
Add the AD RMS service account to the cluster group expansion pipeline in the remote forest
To add the AD RMS service account to the cluster group expansion pipeline in the remote forest:
- Log on to an AD RMS server in the remote forest.
- Click Start, and then click Computer.
- Navigate to the IIS home directory. By default, the path to this directory is %systemdrive%:\inetpub\wwwroot where %systemdrive% is the partition on which Windows is installed.
- Double-click _wmcs.
- Double-click groupexpansion.
- Right-click groupexpansion.asmx, and then click Properties.
- Click the Security tab.
- Click Advanced, and then click Edit.
- Click Add.
- On the Select Users, Computers, or Groups window, type the name of the AD RMS service account and then click OK.
- Click OK and then click OK again.
- Repeat steps 1 - 11 for all servers in the AD RMS cluster in the remote forest.
To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.
Note: Microsoft Office Word 2007 is used as an example in this section. Any AD RMS-enabled application can be used in place of Word 2007.
To verify that AD RMS can access the Active Directory Domain Services forest:
- Log on to an AD RMS-enabled client computer.
- Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
- In the new document type This is a test document.
- Click the Microsoft Office Start Button, point to Prepare, point to Restrict Permissions, and then click Restricted Access.
- Select the Restrict permissions to this document check box.
- Type another AD RMS user's e-mail address in the Read box, and then click OK.
- Send this file to the person who was granted access in step 6.
- Have this person open the document and verify that he or she cannot do anything else other than read the document, such as print it.