Monday, January 28, 2008 9:21 PM
I am trying to test RMS but I keep on getting error Event ID 139
message: "Active Directory Rights Management services (AD RMS) failed to query Active Directory Domain Services (AD DS)."
I went through the troubleshooting document on TechNet but everything looks good. Did anybody else run into this issue?
The client is XP with Office 2003.
Monday, January 28, 2008 9:38 PM
Can you let me know which doc you are looking at?
At the risk of repeating the doc, my chief concerns would be DNS (you can't be using a cached credential), RMS client install and the AD schema mods...
Tuesday, January 29, 2008 1:25 PM
RMS client is installed. What do you mean by AD schema mods?
How do I check for cached credentials?
Tuesday, January 29, 2008 4:53 PM
My apologies - I mis-spoke...
It doesn't mod the schema, but it does make some entries in Active Directory. If you hop into ADSI edit and look under CN=Services,CN=Configuration,DC=domain,DC=com (assuming your domain is named "domain.com") you should see some information that involves your RMS configuration. If that isn't there, that could be a problem.
As far as using cached credentials and verifying DNS is working:
The doc you are looking at appears to make the assumption that a ping is sufficient. If anyone from MS is reading this thread, I invite them to have a peek and verify that I am not reading it wrong.
I would perform an NSlookup <domain name> from the machine that is giving you this grief. You should be able to resolve the domain name to some IP addresses of domain controllers. You should also be able to nslookup <global catalog server name> and resolve that to an IP address.
Check the event logs on the relevant domain controllers and verify that AD replication is functional.
Check the DNS zones to verify that you have the appropriate srv entries within your domain structure to let everything know where your GCs are (they are the gc records).
Let me know what you find,
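An added example, not part of any post in this thread: the SRV check described above, as a parser for the output of `nslookup -type=SRV _gc._tcp.<forest root domain>`. It assumes the Windows nslookup output layout; the sample output, host names and addresses are constructed, and `parse_srv` and `check_gc` are hypothetical helper names.

```python
import re

# Constructed sample of Windows `nslookup -type=SRV _gc._tcp.domain.com` output;
# host names and addresses are invented for illustration.
SAMPLE = """\
_gc._tcp.domain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 3268
          svr hostname   = dc01.domain.com
_gc._tcp.domain.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 3268
          svr hostname   = dc02.domain.com
dc01.domain.com internet address = 10.0.0.10
"""

FIELD = re.compile(r"\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)")
ADDR = re.compile(r"(\S+)\s+internet address = (\S+)")

def parse_srv(text):
    """Return (SRV records, {host: address}) parsed from nslookup output."""
    records, addresses = [], {}
    for line in text.splitlines():
        if "SRV service location" in line:
            records.append({"name": line.split()[0]})
        elif (m := FIELD.match(line)) and records:
            key, val = m.groups()
            records[-1][key] = val.lower() if key == "svr hostname" else int(val)
        elif m := ADDR.match(line):
            addresses[m.group(1).lower()] = m.group(2)
    return records, addresses

def check_gc(text):
    """List findings that need follow-up before a client can rely on the GC records."""
    records, addresses = parse_srv(text)
    if not records:
        return ["no _gc SRV records returned"]
    findings = []
    for rec in records:
        host = rec.get("svr hostname", "?")
        if rec.get("port") != 3268:  # 3268 is the global catalog LDAP port
            findings.append(f"{host}: unexpected port {rec.get('port')}")
        if host not in addresses:
            findings.append(f"{host}: no address in the answer, run nslookup on it")
    return findings

if __name__ == "__main__":
    print(check_gc(SAMPLE))
```

An empty findings list means every global catalog record points at port 3268 and came back with an address; a host flagged as lacking an address is the case where the separate nslookup on the GC server name matters.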
Wednesday, January 30, 2008 9:09 PM
I don't see this "CN=Services,CN=Configuration,DC=domain,DC=com" when I run ADSI.
Wednesday, January 30, 2008 9:24 PM
If you open ADSI edit, it should allow you to select your connection point. You can connect to a few different partitions - the most common is "domain" but you need to connect to "configuration" to get into the services section.
If this is not available to you, make sure that you are using an account with supreme access...
Thursday, January 31, 2008 3:01 PM
I see it and it has, now what? It looks like it has all the pointers.
Saturday, February 02, 2008 4:25 AM
You could run GPUpdate on the client and the RMS server (to see if you can chat with the domain). Right after, check the event logs on both. There may be some interesting bangs in there that you will need to iron out.
Temporarily grant the RMS service account domain admin rights - obviously not necessary for operation, but will rule out an overly-pruned rights scenario unless someone has placed a "deny" somewhere in the mix.