Resetting the AD RMS Cluster Key Password

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

When a new Active Directory Rights Management Services (AD RMS) cluster is provisioned, you choose a method to protect the AD RMS cluster key. If you choose the default option of using AD RMS cluster key protection, you specify a strong password that was used to encrypt the cluster key in the configuration database. The AD RMS cluster key is used to sign the certificates and licenses granted by the cluster. The cluster key is generated, and the password is specified during the initial configuration of the AD RMS server role.

If you are running AD RMS in a clustered environment, and you decided to reset the cluster key, you must reset it on every AD RMS server in the cluster. If you do not, those servers will not be able function as they will be unable to decrypt the cluster key in the configuration database.


This procedure applies only if you are using AD RMS to centrally manage the cluster key. If you are using either a hardware-based or software-based cryptographic service provider (CSP), consult the documentation of the CSP manufacturer.

Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure. In addition, you must be a member of the System Administrators database role, or equivalent, on the database server.

To reset the cluster key password

  1. To store the password in a variable as a secure string, at the Windows PowerShell command prompt, type:

    $password = Read-Host -AsSecureString

  2. Type the new cluster key password.

  3. To reset the cluster key password, at the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path<drive>:\SecurityPolicy\ClusterKeyPassword -Name PasswordForCentrallyManagedKey -Value $password

  4. At the prompt, type the confirmed password.

  5. Repeat the preceding steps on each AD RMS server in the cluster.

See Also


Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
Configuring Accounts