Resetting the AD RMS Cluster Key Password
Updated: October 22, 2009
Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1
When a new Active Directory Rights Management Services (AD RMS) cluster is provisioned, you choose a method to protect the AD RMS cluster key. If you choose the default option of AD RMS cluster key protection, you specify a strong password that is used to encrypt the cluster key in the configuration database. The AD RMS cluster key is used to sign the certificates and licenses granted by the cluster. The cluster key is generated, and the password is specified, during the initial configuration of the AD RMS server role.
If you are running AD RMS in a clustered environment and you decide to reset the cluster key password, you must reset it on every AD RMS server in the cluster. If you do not, the servers that still hold the old password will not be able to function, because they will be unable to decrypt the cluster key in the configuration database.
This procedure applies only if you are using AD RMS to centrally manage the cluster key. If you are using either a hardware-based or software-based cryptographic service provider (CSP), consult the documentation of the CSP manufacturer.
Membership in the AD RMS Enterprise Administrators and the local Administrators group, or equivalent, is the minimum required to complete this procedure. In addition, you must be a member of the System Administrators database role, or equivalent, on the database server.
To reset the cluster key password
To store the password in a variable as a secure string, at the Windows PowerShell command prompt, type:
$password = Read-Host -AsSecureString
Type the new cluster key password.
To reset the cluster key password, at the Windows PowerShell command prompt, type:
Set-ItemProperty <drive>:\SecurityPolicy\ClusterKeyPassword -Name PasswordForCentrallyManagedKey -Value $password
where <drive> is the name of the drive you mapped to the AD RMS administration provider (the drive name is not shown on this page).
At the prompt, type the confirmed password.
Repeat the preceding steps on each AD RMS server in the cluster.
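The following script is an added example, not part of the original article, that applies the preceding steps to every server in the cluster in one pass so that no node is left unable to decrypt the cluster key. It assumes the AdRmsAdmin PowerShell module is installed on the machine where it runs, that the AdRmsAdmin provider can be mapped to each node individually through -Root, and that the node names in $nodes are placeholders you replace with your own.

```powershell
# Added example (not from the original article): reset the AD RMS cluster key
# password on each cluster node in turn. Assumptions: the AdRmsAdmin module is
# available locally, the provider accepts a per-node root URL, and the node
# names below are placeholders.
Import-Module AdRmsAdmin

$nodes = @('adrms01.corp.example', 'adrms02.corp.example')   # placeholder node names

# Read the password once so every node receives the same value; it is never
# converted to plain text in this script.
$password = Read-Host -Prompt 'New cluster key password' -AsSecureString

$i = 0
$results = foreach ($node in $nodes) {
    $i++
    $drive = "AdRms$i"
    try {
        New-PSDrive -Name $drive -PSProvider AdRmsAdmin -Root "https://$node" -ErrorAction Stop | Out-Null
        # Same property the article sets by hand; the provider prompts to confirm the password.
        Set-ItemProperty "${drive}:\SecurityPolicy\ClusterKeyPassword" `
            -Name PasswordForCentrallyManagedKey -Value $password -ErrorAction Stop
        [pscustomobject]@{ Node = $node; Status = 'Updated' }
    } catch {
        # A node still on the old password cannot decrypt the cluster key, so
        # record the failure instead of moving on silently.
        [pscustomobject]@{ Node = $node; Status = "FAILED: $($_.Exception.Message)" }
    } finally {
        if (Get-PSDrive -Name $drive -ErrorAction SilentlyContinue) { Remove-PSDrive -Name $drive }
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Status -ne 'Updated' }) {
    Write-Warning 'Not every node was updated; the listed nodes will fail until their password is reset.'
}
```

Run it as a member of AD RMS Enterprise Administrators with the database role described above, and treat any node reported as FAILED as out of service until it is reset.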