Thursday, May 29, 2008 1:04 PM
I have a problem with RMS. I installed the role on the AD machine, but I found some problems, so I decided to set up the role on another machine. I removed the role by just removing the role from Server Manager. When I installed it on another Windows 2008 server, I got this message:
<Error>: Attempt to configure Active Directory Rights Management Server failed. The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again.
   at Microsoft.RightsManagementServices.Configuration.LicensingServerSelfEnrollment.DecideCertificateHierarchy()
   at Microsoft.RightsManagementServices.Configuration.CertificationServerSelfEnrollment.Enroll(EnrolleeServerInformation enrolleeInformation, EnrolleeRevocationInformation revocationInformation, String certificateDisplayName, String cspName, String keyContainerName)
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Enroll()
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Run()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerBase.DoProvision()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerHelper.Run(OperationType operationType, Object data)
   at Microsoft.RightsManagementServices.Configuration.ProvisionEngine.Run(OperationType operationType, Boolean passwordEncrypted)
   at Microsoft.RightsManagementServices.Configuration.CmdLineHandler.Run()
Remove and re-install AD RMS to attempt provisioning again.
What can I do about this?
Friday, June 06, 2008 2:01 AM Moderator
The error message "The AD RMS installation could not determine the certificate hierarchy" occurs when Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate hierarchy. You can follow the steps listed in the article below and test the result:
Retrieve the certificate hierarchy
As for the error message "If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again", it indicates that the SCP is not valid.
The AD RMS service connection point (SCP) can be registered automatically during installation. If the AD RMS administrator account (the user account installing AD RMS) does not have appropriate permissions to the Active Directory forest, the SCP will not be automatically registered. If an AD RMS SCP already exists in the forest, the AD RMS administrator account must have access to delete the existing SCP and create a new one.
To perform these procedures, you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been delegated the appropriate authority.
To register the AD RMS SCP manually:
1. Open the Active Directory Management Services console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
2. Right-click the AD RMS cluster, and then click Properties.
3. Click the SCP tab.
4. Select the Change SCP check box.
5. Select the Set SCP to current certification cluster option, and then click OK.
For more information about connecting SCP, please see:
AD RMS Service Connection Point Registration
Hope this helps.
- Marked As Answer by Morgan Che [MSFT] Moderator Friday, June 06, 2008 8:33 AM
Wednesday, June 10, 2009 7:33 PM
Hi, Morgan.Che
I just came across this thread the other day as I was having the exact same problem. I am just trying to set up AD RMS in a test environment to try it out. I am very new to Windows Server 2008 but have a somewhat good feel for Windows Server 2003.
I went through both of the solutions that you listed but neither of them helped me out. When I install AD RMS I get the exact same error message as the person in the first post. First it says that the certificate hierarchy cannot be found and then it says that the SCP may not be correct. I have an enterprise CA set up on my AD server but I have done nothing to add certificates or anything like that on my 2008 AD RMS box. I wasn't sure if I needed to add a certificate or add it to the trusted root CA list on my AD RMS box before installing it. Also, is there any way to check or test the hierarchy beforehand to see if it will work? I have installed and then uninstalled AD RMS several times and changed little things each time and nothing seems to help. I have performed the above steps of going into registry editor and changing the hierarchy key to 0 and that doesn't help either. The AD RMS server is able to communicate fine with the AD/DNS server so I don't know where the problem there could be.
On the SCP-related note, I am not sure exactly what it is saying. In DNS I have gone ahead and created an A record for adrms.xxxxxx.com for my forward lookup zone which I then use as my FQDN in RMS, but I wasn't sure if this is what the SCP is referring to. I have tried deleting this record and letting RMS create it itself and that didn't change anything either.
Any help would be greatly appreciated.
Wednesday, June 10, 2009 10:20 PM
Just wanted you to know that I was able to solve this problem, for anyone else who may someday come across it. What I did to solve it was, on the AD computer, I opened the Run command and then ran ADSIedit.msc. The ADSI Edit MMC window popped up and I browsed down to Configuration and then expanded the first node, then expanded Services, and then I deleted the SCP that said CN=RightsManagementServices. I deleted the whole thing and subfolders and then I went back and reinstalled AD RMS on my server. This time it worked perfectly.
Hopefully someone finds this information useful.
- Proposed As Answer by Amr - Nassar Wednesday, December 22, 2010 6:36 PM
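The Configuration-partition lookup described in the post above can also be done read-only before reinstalling, to see whether an SCP is still registered and which URL it points to. This is an added example, not part of the original thread; the function name `Get-AdRmsScp`, its `-ExpectedUrl` parameter and the `adrms.example.com` address are assumptions made for illustration.

```powershell
# Added example: read-only listing of AD RMS service connection points (SCPs).
# Assumes PowerShell 2.0+ on a domain-joined machine; it changes nothing in AD.
function Get-AdRmsScp {
    param(
        # Hypothetical parameter: URL prefix of the cluster you intend to install.
        [string]$ExpectedUrl
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    # Container named in the thread: Configuration > Services > RightsManagementServices
    $rmsPath  = "LDAP://CN=RightsManagementServices,CN=Services,$configNc"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($rmsPath)) {
        return   # no container, so no SCP is registered in this forest
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$rmsPath)
    $searcher.Filter      = '(objectClass=serviceConnectionPoint)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    foreach ($p in 'distinguishedName', 'serviceBindingInformation', 'whenChanged') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $urls = @($r.Properties['servicebindinginformation'])
            $isExpected = $null
            if ($ExpectedUrl) {
                # True when any registered URL starts with the expected prefix
                $isExpected = [bool]($urls | Where-Object {
                    ([string]$_).StartsWith($ExpectedUrl, [StringComparison]::OrdinalIgnoreCase) })
            }
            New-Object PSObject -Property @{
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                ServiceUrl        = $urls -join '; '
                WhenChanged       = $r.Properties['whenchanged'][0]
                MatchesExpected   = $isExpected
            }
        }
    }
    finally { $results.Dispose() }
}

# Constructed placeholder URL; substitute your own cluster address.
Get-AdRmsScp -ExpectedUrl 'https://adrms.example.com' | Format-List
```

An entry whose ServiceUrl still names a server from which the role was removed is the leftover registration this thread describes; no output means no SCP is registered.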
Thursday, June 11, 2009 4:39 AM
I had the same issue. You need to delete the SEP entry from Active Directory and then re-install the AD RMS role. Don't make any mistake while installing it. I also had the same issue; I resolved it by deleting the SEP entry on my AD server. Mail me if you don't know how to delete the SEP entry. I will send the steps.
Thursday, August 06, 2009 2:53 PM
How to delete the SEP entry from the Active Directory domain?
I received a number of mails asking how to delete the SEP.
Go to Active Directory Sites and Services > select the
(Active Directory Sites and Services [computer.name.domain.com]
and click on View,
"Check the Show Services Node"
It will show the Services node. Now, inside the Services node, go to "
folder and delete it.
This step will delete the SEP from the Active Directory domain.
Thursday, September 24, 2009 12:23 PM
Thanks, Sally!
I had the same problem and it was solved this way.
But deinstallation of AD RMS by just removing the role through Server Manager may be a bad idea in a production environment.
The Decommissioning Guide may be found here:
However, this guide contains no information on what to do if you have just removed the role without the necessary preliminary steps.
So, the remaining problem is the Active Directory configuration.
We often read the installation/deployment guide and rarely deinstallation guide, as usual...
Thanks again for help in solving the problem.
Wednesday, December 02, 2009 10:14 AM
Tks Sarven,
your solution works fine.
I resolved my problem with RMS installation following your suggestion to remove the entry in Directory Site and Services.
Thursday, July 15, 2010 4:36 AM
Hi there, I got this problem also.
The error is like this:
<Informational>: This server might need to be restarted after the removal completes.
Active Directory Rights Management Services
Active Directory Rights Management Services: Removal failed
<Error>: Attempt to perform custom actions before un-installing Active Directory Rights Management Server failed. Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index
   at System.Collections.CollectionBase.System.Collections.IList.get_Item(Int32 index)
   at System.DirectoryServices.PropertyValueCollection.get_Item(Int32 index)
   at Microsoft.RightsManagementServices.Configuration.ProvisionHelper.GetPort(String strTargetComputer, String strIIsService, String strSiteindex, Boolean fSSL)
   at Microsoft.RightsManagementServices.Configuration.ProvUtils.GetWebsites(String strTargetComputerName, String strIIsWebService)
   at Microsoft.RightsManagementServices.Configuration.ProvUtils.IsProvisioned()
   at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Unprovision()
   at Microsoft.RightsManagementServices.Configuration.ProvisionerBase.Unprovision()
   at Microsoft.RightsManagementServices.Configuration.CmdLineHandler.Run()
The following role services were not removed:
Active Directory Rights Management Server
Please refer to the full log at: 'C:\Windows\logs\ServerManager.log'
I already deleted the SCP.
I already decommissioned the AD RMS.
But I still can't uninstall the AD RMS Server Role.
Does anybody know how to fix this issue?
Sunday, July 18, 2010 5:42 AM
It also worked for me.
Friday, January 28, 2011 10:33 PM
Thanks, Sarven!
- Edited by Renato Natali Friday, January 28, 2011 10:34 PM
Friday, May 27, 2011 3:00 PM
Can anyone help me to sort out the issue I raised at the link below:
Thanks in advance
Friday, July 08, 2011 11:43 PM
AD RMS SCP registration is also discussed in the newly created AD RMS FAQ on the TechNet Wiki. Please, feel free to contribute to this list of questions and answers.