Posted by: kurtsh | July 28, 2008

INFO: Kurt’s Big Active Directory Right Management Services Adventure (Part 1 of 3)

lock I had the privilege of taking an Active Directory Rights Management Services for Windows Server 2008 course over the last two days containing content that should have been delivered over 4 days, and learned more than I could have imagined about the product.

Because I know that a lot of you have been strongly considering licensing Active Directory Rights Management Services or have purchased licenses for it and are planning on deploying Active Directory Rights Management Services, I’m going to document what information I was able to glean in a series of blog posts because this material simply doesn’t appear to be documented anywhere.

Before I begin, the most important thing to take away from this is that the lead Product Support engineer for Active Directory Rights Management Services at Microsoft is a guy named Jason Tyler, and he has a blog that he maintains at that is SCARY GOOD. 

Very rarely is there a blog with this much unique and pertinent content on a given product.  In fact, I wish there were more “support oriented” blogs out there written by the support geniuses that have to answer calls and debug issues on the products.

That being said, here we go:  A random series of notes that I took regarding Active Directory Rights Management Services for Windows Server 2008.



  1. Active Directory Rights Management Services is the only cross-application product on the market that support email encryption & policy-based usage restriction.  Other products – like Adobe – do not.
  2. Windows Mobile-based devices are the only mobile devices on the market that can ORIGINATE Rights Managed content out of the box – specifically usage restricted emails.  Blackberries and other devices can at best – leveraging 3rd party add-on solutions for RMS – “read” and “consume” rights-managed email and content, but not originate it.
  3. MSDN has a “Content Protection Tool” that enables a developer to write flawless code leveraging Active Directory Rights Management Services by literal “code creation” which the developer can cut & paste into their application.
  4. The 3 major partners of Microsoft’s in the Rights Management Services space are Gigatrust, Titus, and Liquid Machines.


  1. Scaling of Active Directory Rights Management Services depends on the number of devices, the document count to be protected, the enforcement policies used.
  2. Scaling Active Directory Rights Management Services is very easy.  It simply involved deploying more load balanced Rights Management Servers in a cluster that connect to a highly available cluster of SQL Servers with a RMS database. 
  3. The Active Directory Rights Management Servers themselves can be formatted, reinstalled & hooked up to the SQL Server with no problem being that all the configuration data, policies, logs and certificate information are stored in the SQL back end and not configured on the ADRMS Server installation.
  4. Active Directory Rights Management Server is supported in virtualized configurations HOWEVER the deploying customer must strongly consider the security & performance implications of doing so.  “Mobilizing” the RMS system by virtualizing it is not likely a good idea.
  5. Both Windows Vista Services Pack 1 & Windows Server 2008 contain the Active Directory Rights Management Services client built into the operating system code.  It is not an “installable” component nor is it visible in Control Panel.  It’s just there in the OS itself.
    1. This makes every deployed Windows Vista machine ready to use Active Directory Rights Management Services out of the box.  Just add Group Policies and RMS Template distribution to configure appropriately.
    2. The same can be said for Windows Server 2008 which may require the use of the Active Directory Rights Management Services client’s libraries for various server side operations.  For example, if the server is an Exchange Server 2007, Exchange requires the ADRMS Client libraries to pre-cache licenses for emails so that the client doesn’t need to retrieve them.
  6. Active Directory Rights Management Services client has no client-side logging.  This is a function provided by 3rd party add-on vendors like Gigatrust, Titus, and Liquid Machines.
  7. The Active Directory Rights Management Service leverages 3 databases:
    – Configuration Database
    – Logging Database
    – Directory Services Database  (Used as a replica of AD for Group Membership caching – synchronized every 12 hrs with AD Domain Controller)

    These databases are represented by a SINGLE INSTANCE on a SINGLE PHYSICAL SERVER; i.e. you can not separate these databases out into different host SQL Servers.

  8. There is only ONE ADRMS implementation per Active Directory forest.  To have two forest implementations work together, one must leverage the NEW ADRMS TRUST functionality of RMS in Windows Server 2008.  This configuration requires both an AD trust as well as a ADRMS Trust.
  9. Audit reporting for access attempts, successes, & failures is not readily available out of the box; i.e. 3rd party partners develop comprehensive solutions for this.  Despite the availability of a log in ADRMS, we provide only basic reporting that is primarily used for troubleshooting – not for auditing.  (ex:  how many people have accessed this file, who specifically has read it so far, etc.)


%d bloggers like this: