balancing mechanism to distribute the load and provide fault tolerance, AD RMS can continue to operate even when one node is down for maintenance or due to a server failure.
The database server is also a critical component of the AD RMS service, but, again, its continuous availability is not. When the database server is unavailable, AD RMS nodes that are already running can continue to issue licenses to users who are already certified. Only some functionality is lost while the database service is down:
- No new users can be activated until access to the database is recovered.
- Reports cannot be generated since reporting information is extracted from the logging database.
- No new exclusions can be defined, or revocation can be performed, while the database is unavailable.
- If an AD RMS server is rebooted while the database is unavailable, it will be temporarily unable to rejoin the cluster.
Each organization must decide whether this kind of loss is acceptable. If it is not, a SQL Server failover cluster, or standby servers kept current through database log shipping, are acceptable high-availability solutions.
Some best practices before the installation
Always design and deploy AD RMS as a cluster; don't install RMS as a single node from the start. I have seen customers install it on one node with the internal database, and that caused huge problems afterwards.
Next step: creating the cluster
- Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) domain as the user accounts that will be consuming rights-protected content.
- Create a domain user account with no additional permissions to be used as the AD RMS service account.
Requirements for the account that installs AD RMS:
- The user account installing AD RMS must have access to query the AD DS domain.
- If you are registering the AD RMS service connection point (SCP) during installation, the user account installing AD RMS must be a member of the AD DS Enterprise Admins group, or equivalent.
- If you are using an external database server for the AD RMS databases, the user account installing AD RMS must have the right to create new databases. If Microsoft SQL Server 2005 is used, the user account must be a member of the sysadmin (System Administrators) server role, or equivalent.
Reserve a URL for the AD RMS cluster that will remain available for the whole lifetime of the AD RMS installation, and make sure that the reserved URL is different from the computer name. (Also try to make the internal URL the same as the external URL; this is not a must, but it is a recommendation.)
In addition to pre-installation requirements for AD RMS, I strongly
recommend the following:
- Install the database server used to host the AD RMS databases on a separate computer.
- Install the AD RMS cluster using a secure sockets layer (SSL) certificate. This certificate should be issued from a trusted root certification authority (try to buy one from a public CA).
- Create a DNS alias (CNAME) record for the AD RMS cluster URL and a separate CNAME record for the computer hosting the AD RMS configuration database. In the event that the AD RMS servers are retired, lost due to a hardware failure, or the computer’s name is changed, a CNAME record can be updated without having to publish all rights-protected files again.
Important considerations for installing AD RMS
The following should be considered before installing AD RMS:
- Self-signed certificates should be used only in a test environment. For pilot and production environments, we recommend using an SSL certificate issued by a trusted certification authority.
- The Windows Internal Database with AD RMS is intended for use only in test environments. Because the Windows Internal Database does not support remote connections, it is not possible to add another server to the AD RMS cluster in this scenario.
- If an SCP already exists in the Active Directory forest in which you are installing AD RMS, ensure that the cluster URL in the SCP is the same as the cluster URL for the new installation. If they are not the same, you should not register the SCP during AD RMS installation.
- When installing AD RMS, localhost is not a supported cluster URL.
- When specifying the AD RMS service account during installation, make sure that a smart card has not been inserted into the computer. If a smart card is attached to the computer, you will get an error message that the user account installing AD RMS does not have access to query AD DS.
- Although RMS does not need Exchange to function, it does need the e-mail (mail) attribute of the user accounts in Active Directory to be populated.
- Don't install RMS on a domain controller, as later on you will need to publish it on the Internet.
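The pre-installation steps above (member server, service account, reserved cluster URL, CNAME records, external SQL Server, populated mail attribute) as one preparation script. This is an added example, not code from the original post; every name in it (contoso.com, DC01, SQL01, the rms and rmsdb labels, svc-adrms) is an assumption for illustration. It needs the RSAT ActiveDirectory module (Windows Server 2008 R2 or later) and an account allowed to create users and DNS records.

```powershell
# Added example: pre-installation preparation for a new AD RMS cluster.
# All names below are assumptions; adjust them to your environment.
Import-Module ActiveDirectory

$Domain       = 'contoso.com'                 # AD DS domain of the content consumers
$DnsServer    = 'DC01.contoso.com'            # DNS server hosting the zone
$ClusterLabel = 'rms'                         # reserved cluster URL label (internal = external)
$ClusterFqdn  = "$ClusterLabel.$Domain"
$NodeFqdn     = "$env:COMPUTERNAME.$Domain"   # this machine, the first cluster node
$DbLabel      = 'rmsdb'                       # CNAME for the configuration DB host
$DbAlias      = "$DbLabel.$Domain"
$DbHost       = 'SQL01.contoso.com'           # the actual SQL Server computer
$SvcAccount   = 'svc-adrms'                   # plain domain user used as the service account

# 1. AD RMS goes on a member server, never a domain controller (DomainRole 4 or 5 = DC).
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -ge 4) { throw 'This computer is a domain controller; install AD RMS on a member server.' }

# 2. The cluster URL must differ from the computer name and must not be localhost.
if ($ClusterFqdn -ieq $NodeFqdn -or $ClusterFqdn -ieq 'localhost') {
    throw "Cluster URL '$ClusterFqdn' must not be the computer name or localhost."
}

# 3. Service account: an ordinary domain user with no additional group memberships.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    $pwd = Read-Host -AsSecureString -Prompt "Password for $SvcAccount"
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -AccountPassword $pwd `
               -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
               -Description 'AD RMS service account'
}
$extra = Get-ADPrincipalGroupMembership -Identity $SvcAccount |
         Where-Object { $_.Name -ne 'Domain Users' }
if ($extra) { Write-Warning "Service account has extra group memberships: $($extra.Name -join ', ')" }

# 4. CNAME records for the cluster URL and the DB host, so that a node or the SQL
#    server can be replaced later without republishing protected content.
#    dnscmd is used because it exists on Windows Server 2008 as well as later versions.
& dnscmd $DnsServer /RecordAdd $Domain $ClusterLabel CNAME $NodeFqdn
& dnscmd $DnsServer /RecordAdd $Domain $DbLabel      CNAME $DbHost

# 5. Verify that both aliases resolve and that SQL Server answers on TCP 1433 via the alias.
foreach ($name in $ClusterFqdn, $DbAlias) {
    $ip = ([System.Net.Dns]::GetHostEntry($name)).AddressList[0].IPAddressToString
    "$name -> $ip"
}
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($DbAlias, 1433); "SQL Server reachable via ${DbAlias}:1433" }
catch   { Write-Warning "Cannot reach SQL Server on ${DbAlias}:1433 - check the instance and the firewall." }
finally { $tcp.Close() }

# 6. Users who will consume protected content need the mail attribute populated;
#    list enabled users without one so they can be fixed before the pilot.
$noMail = Get-ADUser -Filter { Enabled -eq $true -and mail -notlike '*' } -Properties mail
if ($noMail) {
    Write-Warning "$(@($noMail).Count) enabled user(s) have no mail attribute:"
    $noMail | Select-Object -ExpandProperty SamAccountName
}
```

Run it on the future first node before starting the role installation; the two `throw` checks stop the script where the installation wizard would otherwise fail or produce a cluster you cannot grow later. The dnscmd calls return an error if the records already exist, which is harmless on a re-run.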
We start by adding the AD RMS role.
Note: if you find that the second option is already enabled, it means that someone installed RMS before. You have to dig through the Active Directory configuration partition (where the service connection point is stored) to find and delete its record, or you must use the same cluster name (if the old server is no longer functional, of course).
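The SCP check described in the considerations list above and in the note about a previous RMS installation, as an added example that is not part of the original post. It reads the existing service connection point from the configuration partition, compares its cluster URL with the one you intend to use, and shows where a stale record would be removed. The intended URL is an assumption; the SCP path is the one AD RMS uses (it is the object you see in ADSI Edit under Configuration > Services > RightsManagementServices > SCP), and the RSAT ActiveDirectory module is required.

```powershell
# Added example: inspect the AD RMS service connection point (SCP) before installing.
Import-Module ActiveDirectory

$IntendedClusterUrl = 'https://rms.contoso.com'   # assumption: the cluster URL you reserved

$configNc = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"

function Get-AdRmsScp {
    # Returns the SCP object, or $null when no AD RMS cluster has ever registered one.
    try {
        Get-ADObject -Identity $scpDn -Properties serviceBindingInformation -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $null
    }
}

function Test-SameCluster {
    # The SCP stores the certification URL (https://host[:port]/_wmcs/certification);
    # compare only scheme, host and port so the path and letter case do not matter.
    param([string]$ScpUrl, [string]$IntendedUrl)
    $a = [uri]$ScpUrl
    $b = [uri]$IntendedUrl
    return ($a.Scheme -eq $b.Scheme) -and ($a.DnsSafeHost -ieq $b.DnsSafeHost) -and ($a.Port -eq $b.Port)
}

$scp = Get-AdRmsScp
if (-not $scp) {
    'No AD RMS SCP found in this forest: register the SCP during installation.'
    return
}

$existingUrl = @($scp.serviceBindingInformation)[0]
"Existing SCP: $existingUrl"

if (Test-SameCluster -ScpUrl $existingUrl -IntendedUrl $IntendedClusterUrl) {
    'The SCP already points at your cluster URL: join the existing cluster, or keep this SCP if you are rebuilding it.'
} else {
    Write-Warning "The SCP points at a different cluster ($existingUrl)."
    Write-Warning 'Either reuse that URL for the new cluster, or do not register the SCP during setup.'
    # Only when the old cluster is gone for good, and running as an Enterprise Admin,
    # remove the stale record (destructive, so it is left commented out here):
    # Remove-ADObject -Identity $scpDn -Confirm:$true
}
```

Running this as the account that will perform the installation also confirms the first requirement from the list above, that the installing account can query AD DS: if `Get-ADRootDSE` fails, the installation will fail on the same point.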
You can protect the AD RMS cluster key by using a hardware- or software-based cryptographic service provider (CSP) or by storing the cluster key in the AD RMS configuration database. A hardware-based CSP stores the cluster key in a hardware device.
As a best security practice, we recommend using a hardware-based CSP to
protect the AD RMS cluster key. When using AD RMS to centrally manage the
cluster key from the AD RMS configuration database, you should use a strong
cluster key password. If you are upgrading from RMS to AD RMS and using a
hardware-based CSP, ensure that the drivers are compatible with Windows Server 2008 before proceeding with the upgrade.