Posted by: kurtsh | August 4, 2008

INFO: Kurt’s Big Active Directory Right Management Services Adventure (Part 2 of 3)

So here’s some more of my notes around Active Directory Rights Management Services in Windows Server 2008.

—————————

ARCHITECTURE & DESIGN (cont’d)

  1. Active Directory Rights Management Services does NOT require Windows Server 2008 Domain Controllers.  You do NOT have to upgrade these authentication servers.
  2. You additionally do NOT need to upgrade older RMS Clients if it’s already deployed to existing workstations.  They will work with the new ADRMS infrastructure.

IMPLEMENTATION

  1. SUPER, MAJOR, IMPORTANT BEST PRACTICES
    1. Always use fully qualified domain names (.com) when configuring ADRMS trusts; however, be very careful about selecting these names because you will never be able to change them once applied, without re
    2. Always use virtual names – not actual server names – whenever you’re configuring ADRMS for seamless agility of servers.  If you configure actual server names, you’ll have to use the same configured servers forever.
    3. Always use both HTTP: and HTTPS: (for external authentication) in case you later want to work with partners via ADFS or need external access to documents without a VPN.  Make it some sort of domain name like https://virtualname.customerdomain.com.  Seriously.  Even if you never, ever think you’ll ever need it, configure it anyway, because once millions of files are protected using a “configuration policy” referencing a set of authentication servers, if you ever need access to an authentication server externally, you’ll need to have an encrypted pipe, and that’s going to require HTTPS:.
    4. Never use self-signed certificates when you’re configuring your HTTPS: configuration.  Remember that people won’t have your root cert if it’s a 3rd party that you’re looking to share with.
  2. CLUSTERS
    1. You can expect 60 connections per second per cluster.
    2. You can NOT have both RMS 1.1 and RMS 2008 servers within a cluster.
    3. RMS 1.1 licensing clusters should work but it’s not recommended by the product group.
  3. ADRMS Client
    1. There is a new registry key, i.e. a “publishing bit”, that enables/disables the ability to ‘create/originate new RMS encrypted content’.  This allows an organization to control who has the ability, on a Group Policy basis, to protect documents based on the Office Edition the user owns.   (ONLY Office Professional licensees may ‘create new protected content’ from Outlook/Word/Excel/PowerPoint.  Office Standard licensees & Exchange Outlook users may only ‘receive/read/reply to protected content’.)
      KEY –> HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
      DWORD Value –> DisableCreation 0/1
    2. Clients must have fully qualified domain names of the ADRMS Cluster in the local Intranet Zone of their Internet Explorer security configuration.
  4. ADRMS & Sharepoint, Exchange, and Windows Servers
    1. Sharepoint Server & RMS must exist in the same forest; ADFS doesn’t matter in this case.
    2. When configuring the Exchange 2007 Pre-licensing Agent, you must have both Exchange Server 2007 Service Pack 1 applied and the RMS Client installed on the server.
    3. Windows Server 2008 has the RMS Client built directly into the OS.  There is no “install”/“uninstall”.  It’s just there.  Warning:  If something goes irreparably wrong with the client for some reason on the server, it’s hosed.  You’ll need to reinstall the whole server.
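As an added example (not from the original post), here is a per-user PowerShell script that applies the two ADRMS Client items above: it sets the Office 2007 “publishing bit” for users whose edition may not originate protected content, and it puts the cluster FQDN into Internet Explorer’s Local Intranet zone. It assumes the value name is spelled DisableCreation and uses the standard IE ZoneMap registry layout, which the post does not describe; virtualname.customerdomain.com is the placeholder name from the post.

```powershell
# Added example: per-user ADRMS client configuration. Run as the user being configured.

# Office 2007 "publishing bit" key from the post; value name DisableCreation is an assumption.
$DrmKey = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'

function Set-RmsPublishingBit {
    param(
        # $true = this user may NOT create new protected content (Office Standard / Exchange-only users)
        [Parameter(Mandatory)] [bool] $DisableCreation
    )
    if (-not (Test-Path $DrmKey)) { New-Item -Path $DrmKey -Force | Out-Null }
    Set-ItemProperty -Path $DrmKey -Name 'DisableCreation' -Type DWord -Value ([int]$DisableCreation)
}

function Get-RmsPublishingBit {
    # Returns $true when creation is disabled; a missing value means creation is allowed.
    $v = (Get-ItemProperty -Path $DrmKey -Name 'DisableCreation' -ErrorAction SilentlyContinue).DisableCreation
    return ($v -eq 1)
}

# IE zone map (standard location, assumed): DWORD per scheme, 1 = Local Intranet zone.
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Add-RmsClusterToIntranetZone {
    param([Parameter(Mandatory)] [string] $ClusterFqdn)   # e.g. virtualname.customerdomain.com
    $labels = $ClusterFqdn.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified name, got '$ClusterFqdn'" }
    # ZoneMap keys the registrable domain, with the host part as a subkey beneath it.
    $domain   = ($labels[-2], $labels[-1]) -join '.'
    $hostPart = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { '' }
    $key = Join-Path $ZoneMap $domain
    if ($hostPart) { $key = Join-Path $key $hostPart }
    New-Item -Path $key -Force | Out-Null
    foreach ($scheme in 'http', 'https') {
        Set-ItemProperty -Path $key -Name $scheme -Type DWord -Value 1
    }
}

# Usage: an Office Standard user who should only read/reply to protected content.
Set-RmsPublishingBit -DisableCreation $true
Add-RmsClusterToIntranetZone -ClusterFqdn 'virtualname.customerdomain.com'
Write-Host ("Creation disabled: {0}" -f (Get-RmsPublishingBit))
```

In a real rollout the same values would be pushed through Group Policy Preferences rather than run per user; the script is the quickest way to verify on one workstation what the policy should produce.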
