Upgrading AD RMS to Windows Server 2016
Introduction
Active Directory Rights Management Services (AD RMS) is a Microsoft service that protects sensitive documents and emails. Unlike traditional protection methods, such as firewalls and ACLs, AD RMS encryption and protection are persistent no matter where a file goes or how it is transported.
This document provides guidance for migrating from Windows Server 2012 R2 with SQL Server 2012 to Windows Server 2016 and SQL Server 2016. The same process can be used to migrate from older but supported versions of AD RMS. Please note that Active Directory Rights Management Services is no longer in active development, and for the latest capabilities customers should consider migrating to Azure Information Protection, which offers a much more comprehensive set of features with more complete device and application support.
For information on migrating to Azure Information Protection from AD RMS without having to re-protect your content see the Azure Information Protection migration documentation.
About the environment used in this guide
AD FS is an optional component of an AD RMS installation. In this guide, the use of AD FS is assumed. If AD FS hasn't been used in your environment for supporting AD RMS users, you can skip all steps that refer to AD FS.
In this guide, SQL Server is upgraded to SQL Server 2016 by performing a parallel install and moving the databases over via a backup. Alternatively, if you can upgrade your AD RMS and AD FS database servers to SQL Server 2016 in-place, you can move to the next section in this document after having done that without having to follow the steps in this section.
Installation
Configuring SQL Server 2016
The following section details implementation tasks related directly to the SQL Server 2016 configuration. This guide focuses on using the Server Manager and the SQL Server Management Studio to complete these tasks.
These steps must be completed on a SQL Server 2016 installation. Install SQL Server 2016 on suitable hardware as per your organization's standard practices and policies.
Preparing the SQL Server
The following section details how to prepare the SQL Server so that it can be upgraded to SQL Server 2016 before upgrading other services in the AD RMS platform to use Windows Server 2016.
Adding CNAME for SQL Server 2016 to DNS
The CNAME is used to help ensure that the Windows Server 2016 setup will be getting the appropriate data since it will be pointed at the new SQL Server 2016. Note: If already using a CNAME for the AD FS and AD RMS service, you can move on to the next steps.
To add a CNAME for SQL Server 2016 to DNS
Log on to the Windows Server 2012 R2 Domain Controller with Domain admin credentials.
Open Server Manager.
Click Tools and select DNS to open the DNS Manager.
From the left navigation pane, expand the DC and open up Forward Lookup Zones.
Open the appropriate domain resources then right click in the right view pane and select New Alias (CNAME) to begin creating the CNAME.
For the alias name enter in a logical name to differentiate it from other that may be present (Ex. SQLADRMS or SQLADFS)
After entering the name, provide the FQDN for the target host which will be the new SQL Server 2016 server. (ex. SQL2016.contoso.com)
Once all the information has been entered, click OK.
Backup the AD RMS and AD FS Databases
The AD RMS and AD FS databases hold critical information necessary to AD RMS, such as the public key of the Server Licensor Certificate, rights policy templates, AD FS configuration data, and logging information. Without these databases, clients cannot issue licenses to consume protected content, among other issues.
Of the databases, the AD RMS configuration database is considered the most important, as it stores the SLC, rights policy templates, users' keys, and configuration information. Therefore, though you should take care to back up all of the AD RMS and AD FS databases, you should plan to back up the configuration database regularly.
The logging database stores information about user requests to the AD RMS cluster for certificates and use licenses. Your backup strategy of this database should be based on company policy for retaining this type of information.
The directory services database is not critical to AD RMS functionality and, if the latest data is lost, the database will repopulate with information as the AD RMS server receives requests for certificates and use licenses. You do not need to backup this database regularly, but you do need to have at least a copy of the database as it was originally configured after deploying AD RMS.
To backup an AD RMS and/or AD FS database with Microsoft SQL Server
Log on to the Windows Server 2012 R2 AD RMS database server with SQL 2012.
Click Start, click All Programs, click Microsoft SQL Server, and click SQL Server Management Studio.
In the Connect to Server window, confirm the server hosting the AD RMS databases is in the Server Name box and click Connect.
Expand Databases. Right click the appropriate database (DRMS and Adfs), point to Tasks, and select Backup.
Repeat step 4 for the remaining databases.
Ensure that the backup of the databases can be accessed by other machines on the network or using a storage device as they will be needed for later steps during the migration.
Now you can store the database copies in a secure location. Remember to back up your databases frequently.
Adding Domain Admin, SQL, AD RMS, and/or AD FS Service Account to SQL Server 2016
The following steps will showcase how to add the various Service Accounts to SQL Server 2016 to assist with migrating the data from the Windows Server 2012 R2 environment. This will give the proper permissions when trying to access the content and handle the data.
To add the Domain Admin, SQL, AD RMS, and/or AD FS Service Account to SQL Server
Log on to the server with SQL Server 2016 as the Local Admin account.
Click Start, click All Programs, click Microsoft SQL Server, and click SQL Server Management Studio.
In the Connect to Server window, confirm the server hosting the AD RMS databases is in the Server Name box then for Authentication click the drop-down menu and select SQL Server Authentication.
In the Login field enter the name of the Local Admin account (Ex. localadmin) and then provide the appropriate password and click Connect.
Expand Security and then right-click Logins and select New Login from the context menu that appears.
Once the window appears enter in the Domain Admin account in the Login name field (Ex. Contoso\ContosoAdmin)
From the left navigation pane, choose Server Roles.
Then mark the checkbox for sysadmin under the server roles and click OK.
Restart SQL Server Management.
In the Connect to Server window, confirm the server hosting the AD RMS databases is in the Server Name box then for Authentication click the drop-down menu and select Windows Authentication and click Connect.
Restoring the AD RMS and AD FS Databases to SQL Server 2016
The following steps will showcase how to restore the data from the previous SQL Server instance to the new 2016 instance. This will allow the new SQL to utilize the relevant configuration data from the previous AD RMS and AD FS databases.
To restore the data from the previous SQL Server to the new SQL Server
Log on to the server with SQL Server 2016 with the appropriate account.
From the left navigation pane, right-click Databases and select Restore Database to begin the restoration process.
Under Source choose Device and then browse for the location where the database files were stored in the earlier steps.
Once the files have been selected, click OK.
Ensure that all the database files have been added and complete the process by clicking OK.
Configuring Windows Server 2016 Active Directory Federation Services (AD FS)
AD FS has been deployed to provide single sign-on (SSO) access to AD RMS as an application. It has also been configured with the AD RMS Mobile Device Extension (MDE), which enables Mac and mobile device support for end users.
The following sections provide guidance on operational tasks you may need to perform on your AD FS deployment.
Adding a 2016 AD FS Server to the Farm
You can deploy additional AD FS servers to support the AD RMS deployment. You may choose to perform this action in the event of increased traffic to the AD RMS servers, or additional applications, or if you need to retire one of the servers currently being used for AD FS.
To add the 2016 AD FS server to the farm
From the Microsoft Entra Connect server, double click the Microsoft Entra Connect icon to launch the Microsoft Entra Connect wizard.
In the Welcome page, click Configure.
In the Additional Tasks page, click Deploy an additional Federation Server and then click Next.
In the Connect to Microsoft Entra ID page, enter the user name and password of an account with Global Administrative permissions and then click Next.
In the Domain Administrator credentials page, enter the user name and password of an account with Domain Admin permissions and click Next.
Click Browse and select the certificate file used when configuring the AD FS farm using the Microsoft Entra Connect.
Click Enter Password to open the Certificate Password dialog box.
Enter the password of the certificate in the Password field and then click OK.
Click Next.
In the AD FS Servers page, enter the name or the IP address of the new AD FS server and click Add.
In the Ready to Configure page, click Install.
In the Installation Complete page, click Exit.
Raising the AD FS Farm Behavior Level
When deploying an AD FS server that exceeds the current environment level such as, having an AD FS on Windows Server 2012 R2 and then adding an AD FS Windows Server 2016, the Farm Behavior Level will need to be increased. This is needed to ensure that the environment is using the most up to date information and functions.
To raise the AD FS Farm Behavior Level
Navigate to the Windows Server 2016 AD FS.
Open an admin PowerShell session.
Enter the following command: $cred = Get-Credential
A window will appear asking for credentials, enter in the domain admin credentials.
Then enter this command: Invoke-AdfsFarmBehaviorLevelRaise -Credential $cred
A prompt will appear asking, Do you want to continue with this operation? Then enter a to accept the prompt.
After the command has completed, the Farm Behavior Level will be setup and ready.
Enabling Mobile Device Extension Logging
The Mobile Device Extension can log requests it receives from end user devices. Logging is disabled by default and we recommend only enabling logging in a troubleshooting scenario. All requests, from mobile devices and desktop machines, to bootstrap or acquire an end use license are logged in the AD RMS logging database or Azure storage account. MDE logging will create two additional tables to the SQL Server used by AD RMS: the client debug log table and the client performance log table.
To enable Mobile Device Extension logging
From an AD RMS server, open Windows PowerShell as an administrator.
Type the following command and press Enter: Import-Module AdRmsAdmin
Type the following command and press Enter: New-PSDrive -Name AdrmsCluster -PsProvider AdRmsAdmin -Root https://localhost
Type the following command and press Enter: Set-ItemProperty -Path AdrmsCluster:\ -Name IsLoggingEnabled -Value $true
If you are using MDE logging for troubleshooting, we recommend disabling it after addressing the issue.
To disable Mobile Device Extension logging
From an AD RMS server, open Windows PowerShell as an administrator.
Type the following command and press Enter: Import-Module AdRmsAdmin
Type the following command and press Enter: New-PSDrive -Name AdrmsCluster -PsProvider AdRmsAdmin -Root https://localhost
Type the following command and press Enter: Set-ItemProperty -Path AdrmsCluster:\ -Name IsLoggingEnabled -Value $false
Upgrading AD RMS to Windows Server 2016
The following sections provide guidance on how to add a Windows Server 2016-based AD RMS Server into the current Windows Server 2012 R2 cluster. The server will be added into the cluster and the information will be replicated to it so that the previous AD RMS server can be deprecated to free up resources.
After you add one Windows Server 2016-based AD RMS server has been added to your AD RMS cluster, all nodes based on older versions of Windows will become inactive. After this is done you can deprovision those servers (e.g. shut down, repurpose or reinstall with Windows Server 2016 to join the AD RMS cluster).
You can deploy additional AD RMS servers to the cluster to support the load on your AD RMS deployment. You may also choose to perform this action in the event of increased traffic to the AD RMS servers.
This guide doesn't cover the steps required to alter the load balancing mechanisms you might be using in your environment to exclude the servers you are deprecating and to include the ones you are adding to the cluster.
Adding a 2016 AD RMS Server
If your AD RMS cluster is using a Hardware Security Module instead of a Centrally Managed key for its Server Licensor Certificate, you will need to install the software and other HSM artifacts (e.g. key and configuragtion files) on the server before installing AD RMS. You will also need to connect the HSM to the server, either physically or through the relevant network configurations. Follow your HSM guidance for these steps.
To add a 2016 AD RMS Server
Install the AD RMS Role on the desired Windows Server 2016 deployment.
After installation completes, select the link to Perform additional configuration.
Select Join an existing AD RMS cluster and click Next.
On the Select Configuration Database page, enter the CNAME specified in the DNS for the 2016 SQL server (FQDN).
Click List on the second line and select the DefaultInstance from the drop-down.
Under Configuration Database Name, select the drop-down menu and choose the DRMS configuration that appears. Then click Next.
On the Database Information page, enter the cluster key password in the field provided. After that, click Next.
In the next page of the wizard, specify the AD RMS service account and provide the password for it and click Next once it has been verified.
Once the Cluster Web Site page appears, simply ensure that the appropriate web site has been selected and click Next.
On the Choose a Server Authentication Certificate page, select the imported SSL certificate and click Next.
Click Install to begin the installation.
After configuration completes, you will need to log off and back on to administer AD RMS.
Once logged back on, open Server Manager select Tools and then Active Directory Rights Management. The management window should appear and indicate that the cluster has the additional server in the cluster.
If the AD RMS Mobile Device Extension was installed in the original AD RMS cluster, you need to also install the MDE in the updated cluster nodes. Follow the instructions in the MDE documentation to add MDE to your AD RMS cluster. At this point, you can repurpose all the preexisting nodes or upgrade them to Windows Server 2016 and re-join them to the AD RMS cluster using the same process outlined above.
Configuring Windows Server 2016 Web Application Proxy (WAP)
The following sections provide guidance on operational tasks you may need to perform on your Web Application Proxy deployment. This is an optional step, not required if you are publishing AD RMS to the Internet through other mechanisms.
Adding a Windows Server 2016 WAP Server
You can deploy additional Web Application Proxy servers to support the AD RMS deployment. You may choose to perform this action in the event of increased traffic to the AD RMS servers or if you need to retire one of the servers currently being used for the Web Application Proxy.
To add a 2016 Web Application Proxy server
From the server you wish to setup as a Web Application Proxy, navigate to the Server Manager console and click Add roles and features.
In the Add Roles and Features Wizard, click Next until you get to the Server Role selection screen.
On the Select Server Roles screen, select Remote Access, and then click Next until you are back at the Select Server Roles screen.
On the Select Server Roles screen, select Web Application Proxy, click Add Features, and then click Next.
On the Confirm Installation Selections screen, click Install.
Once the installation has completed, click Close.
Now it is time to configure the server. To do this, open the Remote Access Management console on the Web Application Proxy server. Open the Start menu, type RAMgmtUI.exe, and then select the application.
In the navigation pane, click Web Application Proxy.
In the Remote Access Management console click Run the Web Application Proxy Configuration Wizard. Once in the wizard, click Next.
On the Federation Server screen enter the fully qualified domain name of the AD FS server (Ex. adfs.contoso.com) and then enter credentials for an administrator on the AD FS server.
On the AD FS Proxy Certificate screen, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy, and then click Next.
On the Confirmation screen, review the settings then click Configure.
Once the configuration is complete, click Close.
DNS Configuration for 2016 WAP Server
Once the Windows Server 2016 Web Application Proxy server has been put in place, some DNS changes will need to be made. This will require using a DNS service, such as GoDaddy, to point the AD FS and AD RMS services at the 2016 WAP server.
To point the DNS at the WAP server
Navigate to your provider's website (ex. GoDaddy).
Go into Domain Management and then DNS Management.
Locate the AD FS and AD RMS service and replace the Points to portion with the Public IP Address of the 2016 WAP server and Save.
The changes may take time to propagate, but once they do this setup will be complete.
Enabling Debugging Logs
Detailed logging information is available on the Web Application Proxy servers. You can configure advanced debugging logging using the Event Viewer. Additional settings can also be selected for the size of the logs to help ensure that the analytics are useful to the viewer.
Enabling Debugging Logs for the Web Application Proxy
Open the Event Viewer console on the Web Application Proxy.
Expand the Microsoft node.
Expand the Windows node.
Open the Web Application Proxy logs.
You will then be able to open the Admin logs.
Open the Action menu, located in the top left, and select Properties.
Under the General tab, choose the option to Enable Logging.
Finally, you are able to customize maximum log size and what happens when the maximum event log size is reached.
Configuring High Availability for Windows Server 2016 Services
The following sections provide guidance on operational tasks you may need to setup your Windows Server 2016 environment in High Availability.
Adding a 2016 AD RMS Server for High Availability
You can deploy additional AD RMS servers to setup High Availability. You may choose to perform this action in the event of increased traffic to the AD RMS servers.
To add a 2016 AD RMS server for High Availability
Install the AD RMS Role on the desired Windows Server 2016 deployment.
After installation completes, select the link to Perform additional configuration.
Select Join an existing AD RMS cluster and click Next.
On the Select Configuration Database page, enter the CNAME specified in the DNS for the 2016 SQL server (FQDN).
Click List on the second line and select the DefaultInstance from the drop-down.
Under Configuration Database Name, select the drop-down menu and choose the DRMS configuration that appears. Then click Next.
On the Database Information page, enter the cluster key password in the field provided. After that, click Next.
In the next page of the wizard, specify the AD RMS service account and provide the password for it and click Next once it has been verified.
Once the Cluster Web Site page appears, simply ensure that the appropriate web site has been selected and click Next.
On the Choose a Server Authentication Certificate page, select the imported SSL certificate and click Next.
Click Install to begin the installation.
After configuration completes, you will need to log off and back on to administer AD RMS.
Once logged back on, open Server Manager select Tools and then Active Directory Rights Management. The management window should appear and indicate that the cluster has the additional server in the cluster.
After confirming the server setup, configure your Load Balancing service to balance the load between the different AD RMS servers in the cluster.
Adding a Windows Server 2016 AD FS Server for High Availability
You can deploy additional AD FS servers to setup High Availability. You may choose to perform this action in the event of increased traffic to the AD FS servers. Note: after raising the farm behavior level, a new database entry will be entered into the SQL Server 2016(Adfs Configv3) and the old configuration database must be deleted before continuing with these steps.
To add the Windows Server 2016 AD FS server for High Availability
Install the AD RMS Role on the desired Windows Server 2016 deployment.
After installation completes, select the link to Configure the federation service on this server.
In the welcome section of the wizard, choose the option to Add a federation server to a federation server farm and then click Next.
Specify the proper admin account and click Next.
On the Specify Farm page, pick the Specify database location for an existing farm using SQL Server then enter the CNAME for the SQL service for the Database Host Name and click Next.
Under the Specify Service Account area of the wizard, enter the credentials for the AD FS service account and then click Next.
In Review Options, click Next.
Click Configure when the button becomes available.
After the configuration, restart the machine.
After confirming the server setup, Load Balance the AD FS servers as required.
Adding a Windows Server 2016 WAP Server for High Availability
You can deploy additional WAP servers to setup High Availability. You may choose to perform this action in the event of increased traffic to the AD RMS servers.
To add a Windows Server 2016 Web Application Proxy server for High Availability
From the server you wish to setup as a Web Application Proxy, navigate to the Server Manager console and click Add roles and features.
In the Add Roles and Features Wizard, click Next until you get to the Server Role selection screen.
On the Select Server Roles screen, select Remote Access, and then click Next until you are back at the Select Server Roles screen.
On the Select Server Roles screen, select Web Application Proxy, click Add Features, and then click Next.
On the Confirm Installation Selections screen, click Install.
Once the installation has completed, click Close.
Now it is time to configure the server. To do this, open the Remote Access Management console on the Web Application Proxy server. Open the Start menu, type RAMgmtUI.exe, and then select the application.
In the navigation pane, click Web Application Proxy.
In the Remote Access Management console click Run the Web Application Proxy Configuration Wizard. Once in the wizard, click Next.
On the Federation Server screen enter the fully qualified domain name of the AD FS server (Ex. adfs.contoso.com) and then enter credentials for an administrator on the AD FS server.
On the AD FS Proxy Certificate screen, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy, and then click Next.
On the Confirmation screen, review the settings then click Configure.
Once the configuration is complete, click Close.
After confirming the server setup, Load Balance the WAP servers in the DMZ.
Adding a SQL Server 2016 node for Always On High Availability
You can deploy additional SQL servers to setup Always On High Availability. You may choose to perform this action in the event of increased traffic to the AD RMS servers. Note: ensure that both SQL Servers have the Inbound port 5022 open.
To add a SQL server 2016 server for Always On High Availability
From the server you wish to setup as an additional SQL Server 2016 server, navigate to the Server Manager console and click Add roles and features.
Click Next till the Select Features dialog box.
Select the Failover Clustering checkbox. Note: follow this step for the original SQL server 2016 server as well so that both SQL Servers have the Failover Clustering feature.
Click Install to install the Failover Clustering feature.
Now, open Server Manager and select Tools then Failover Cluster Manager.
From the left menu pane, right-click Failover Cluster Manager and select Create Cluster
This will open the Create Cluster Wizard.
Browse for the SQL server 2016 servers which will be used for Always On High Availability and enter them in then click Next.
You will receive a validation warning. Select Yes to Validate the Cluster nodes and then click Next.
Under the Testing Options page, select the option Run all tests and click Next.
Note: The Cluster Validation Wizard is expected to return several Warning messages, especially if you will not be using shared storage. Other than that, if you find any error messages you need to fix them prior to creating the Windows Server Failover Cluster.
In the Access Point for Administering the Cluster dialog box, enter the cluster name and virtual IP address for the Windows Server Failover Cluster, then click Next.
Verify that the configuration is successful in Summary and click Finish.
Back in the Failover Cluster Manager, right-click on your cluster and select More Actions then choose Configure Cluster Quorum Settings
Click Next and then pick the option for Select the quorum witness and hit Next again.
In the Select Quorum Witness page, select the Configure a file share witness option. Then click Next.
Select Browse and locate the path of the file share that you want to use in the File Share Path dialogue box. Click Next.
On the Confirmation page, click Next.
On the Summary page, click Finish.
Now, open the Start menu and search for SQL Server Configuration Manager.
Right-click the SQL Server name and pick Properties.
In the Properties dialog box, select the AlwaysOn High Availability tab. Check the Enable AlwaysOn Availability Groups check box. Click OK. Note: do this on both SQL server 2016 servers.
Then restart the SQL Server service.
Now, open the Start menu and search for SQL Server Management Studio and from the left navigation pane, right-click Availability Groups and click New Availability Group Wizard then click Next.
In the Specify Availability Group Name page pick a group name (Ex.SQLAvailabilityGroup2016). Then click Next.
Under the Select Databases section, specify the databases. Then click Next. Note: some database may need to be backed up again or put into Full Recovery mode.
Once on the Specify Replicas page, click the Add Replica button and pick your other 2016 SQL Server.
After adding the other server, click the check boxes and set the secondary server to be a readable secondary.
Navigate to the Endpoints tab and click the Refresh option. While also here, scroll across and ensure that the same service account is on the primary and secondary node.
Now, choose the Backup Preferences tab and select the Prefer Secondary option.
Move on to the Listener tab.
Specify a name (Ex. SQLListener) and ensure that the port is 1433 and then click Next.
In the Select Initial Data Synchronization page of the wizard, choose the Full option and specify network location accessible by all the SQL servers and then click Next.
Finally, click Finish and the process will complete.
Decommission Windows Server 2012 R2 nodes
The following sections provide guidance on operational tasks you may need to remove your Windows Server 2012 R2 servers after successfully upgrading the AD RMS cluster to Windows Server 2016.
Removing a Windows Server 2012 R2 AD RMS Server
You can remove unnecessary AD RMS servers after an upgrade. You may choose to perform this action when it becomes needed to decommission AD RMS servers.
To remove a Windows Server 2012 R2 AD RMS server
On the Windows Server 2012 R2 AD RMS server in Server Manager, select Manage from the top right menus and then choose Remove Roles and Features.
The Remove Roles and Features Wizard will open up and on the Before you Begin screen, click Next.
On the Server Selection Screen, click Next.
On the Server Roles screen, remove the check next to Active Directory Rights Management Services and click Next.
On the Features Screen, click Next.
On the Confirmation Screen, click Remove.
Once this completes, restart the server.
You can now shut down this server and reallocate the resources as needed.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for