Created:
4/9/2008 1:48:48 PM

Author:
Przemek Radzikowski

permalink [Permalink]





International Careers & Jobs - An international employment directory, reviewing world-wide top job sites




  • Home  ›
  • Articles  ›
  • Troubleshooting Windows Rights Management Services (RMS) - One Root Certification Server Warning



| More

Troubleshooting Windows Rights Management Services (RMS) - One Root Certification Server Warning

When installing Windows Rights Management Services (RMS) 1.0 with SP2 onto an Active Directory infrastructure with an Enterprise Root Certification Authority and one which may have had RMS deployed previously, you might be prompted with a warning about a Root CA, or RMS assumes that another Root CA already exists. This article will attempt to discuss the internals of and how it integrates with Active Directory.


 

 

RMS in a Nutshell

Windows Rights Management Services (RMS) is Microsoft’s implementation of digital rights management (DRM).  Much like DRM for audio and video protection, RMS is aimed primarily at the office user and the protection of sensitive information.  Some of its features are, document encryption, restrict copy, restrict forward (for emails), expiry on documents.  RMS integrates with the Microsoft Office Suite of products as well as other RMS aware applications.

Installation Problems

It is quite typical (unfortunately) that many production environments are treated as a test bed for many installations.  In this instance you may be faced with a scenario where you will need to deploy RMS into an environment that hasn’t perhaps been controlled with a proper change management policy or a test environment where staff can "play".

When starting the provisioning stage of the RMS deployment you may be faced with some of the following scenarios, I will try to cover most of the common resolution strategies:

  • You receive a warning about a root CA not existing
  • RMS assumes that you have already deployed the first Root CA
  • Errors with Service Connection Points

Fixing the root CA not existing Warning

A warning about a Root CA not existing, in the case of adding an additional RMS server to the cluster.  You will be prompted with the following warning:

Warning: Only one root certification server can exist per Active Directory forest. If you are not sure that this server should be the root certification server for your enterprise, contact your network administrator

Image-0015

Ensure that you have installed the Widows Support Tools for your version of Windows Server.  The support tools can be found on the Microsoft Windows Server CD.  Once installed, you should be able to click on Start > Run > Adsiedit.msc

Image-0018

and click OK.  Adsiedit.msc opens.

Image-0019

If you’re running Adsiedit.msc from your local machine you will need to connect to the Configuration connection point.  To do this follow the following steps:

  1. In ADSI Edit select Action > Connect to ...
  2. The Connection Settings dialog opens
  3. In the Select a well known Naming Context dropdown, select Configuration and click OK
  4. Expand to CN=Configuration,DC=contoso,DC=com 
  5. Expand to CN=Services 
  6. A normal configuration should look as follows, but in your case you’re probably missing the CN=RightsManagementServices container. We will need to recreate this container. 

    Image-0022
  7. Ensure that the account you’re logged in on has Domain Admin rights. 
  8. Right click Servcies and select New > Object ... 
  9. In the Create Object dialog, select container and click Next 

    Image-0023
  10. In the Value field enter RightsManagementServices 
  11. Click Next, click Finish
  12. We now need to create a child container under the RightsManagementServices container. Right click on CN=RightsManagementServices and select New > Object ...
  13. In the Create Object dialog, select container and click Next
  14. In the Value field enter SCP 
  15. Click Next, click Finish.

Your ADSI Edit window should look something like this, showing the newly created containers.

Image-0024

At this point go back to your RMS administration website and refresh the provisioning page. You should notice that the warning has disappeared.

Fixing RMS assumes that you have already deployed the first Root CA

RMS may assume that a Root RMS CA already exists and may try to install the current instance as a Licensing server, not as a Root CA. This usually occurs when a previous installation of RMS was deployed and then either forgotten about or removed. Typically these issues arise when systems administrators or engineers are allowed to deploy “test” solutions into the production environment without full knowledge of the artefacts which are left behind.

The easiest way to fix this problem is to delete the RightsManagementServices from Active Directory manually using Adsiedit.msc. Before performing this, ensure that there are no other RMS deployments in the organization – it is feasible that within a large global enterprise with poor change management policies such an installation could exist. If an RMS installation exists, deletion of the RightsManagementServices container will disable it. The following instructions will show how to delete the RightsManagementServices container:

  1. Open Adsiedit.msc as in the previous example
  2. Connect to the Configuration naming context as in the previous section
  3. Expand to CN=Configuration,DC=contoso,DC=com 
  4. Expand to CN=Services
  5. Right click CN=RightsManagementServices and select Delete
  6. Ensure you wait for the Domain Controllers to replicate this new change, or force a replication manually using Active Directory Sites and Services
  7. Refresh the page by leaving it and returning it.  Clicking on the refresh icon or pressing F5 will not always refresh the page correctly

Problems after Provisioning - Fixing Service Connection Points (SCP)

You may encounter other warnings when administering your RMS deployment. One of the more common issues is with the registration of the Service Connection Point (SCP)

You will be prompted with the following warning:

Warning! RMS did not detect the service connection point in Active Directory. RM clients will not be able to discover the RMS service until the service URL is registered in Active Directory. Please click RMS service connection point link below to register the SCP.

Image-0027

To get around this warning, you should click on the RMS service connection point (SCP) link in the left hand margin and Click on the Register URL button.

Image-0017

Once you go back to the Administration page you may notice that the warning is still showing. Give it some time to update the changes in AD. Depending on your environment it may take some time. Be patient. Refresh the administration page periodically to see if the SCP has been updated.

Note: The standard refresh methods won’t work, so you will need to leave and enter the page before the changes will be reflected. Also, ensure that you give enough time for the SCP to replicate throughout your AD infrastructure or force a manual replication.

Fun with the RMS databases

The RMS SQL databases can be installed either locally or on a central SQL server. In either situation RMS will create three databases in order to maintain records, logs and configuration information. These databases are named:

  • DRMS_DirectoryServices_[YourClusterURL]_80 
  • DRMS_Config_[YourClusterURL]_80 
  • DRMS_Logging_[YourClusterURL]_80

Please note that [YourClusterURL] is a placeholder for whatever you called your cluster whilst configuring the Root RMS server.

When you uninstall RMS these databases are left behind on the SQL server. When reinstalling RMS, RMS detects the existence of these databases and will give you the option of reconfiguring them. The reconfiguration process, will clear and reconfigure the DirectoryService and Config databases and create a new Logging database: DRMS_Logging_[YourClusterURL]_80_01.

If you want to start from scratch however, it is safe to delete all these databases. RMS will recreate them again during the installation process.

 

permalink [Permalink] - Updated: Monday, October 28, 2013





| More

 

Articles of Interest


International Careers & Jobs - An international employment directory, reviewing world-wide top job sites


 
 
(c) Capitalhead Pty Ltd
Contact Capitalhead About Us Articles & Publications Partners Solutions & Services Products Valid XHTML Valid CSS