How to change Domain membership of AD RMS server

  • Question

  • Hi,

    We have an AD RMS cluster with only one node running in a child domain. I need to change the domain membership of the AD RMS server to the parent domain. Is there any step-by-step guide or checklist available for a smooth domain change?

    We are using independent licensing & certification URLs for AD RMS and we are not going to change the emails of users as well. So from these 02 aspects, hope we are safe.

    Can anyone please tell me how to change the domain to the parent domain for ADRMS?

    Regards,

    J R Dash

    Tuesday, July 15, 2014 3:01 PM

All replies

  • Hi,

    The only thing you should look into is how you authenticate against the SQL database. If you have just a local SQL Express (which is not recommended because you cannot add another node to your RMS cluster) then you can just join the machine to the new domain. If you use SPNs you need to update those as well (http://technet.microsoft.com/en-us/library/dd759186.aspx).

    Hope that helps,

    Lutz

    Tuesday, July 15, 2014 6:50 PM
  • Hi,

    I have a remote full-version SQL database in place, and the service account is in the child domain itself, which also needs to change.

    Also, AD RMS creates an SCP in Active Directory. How do I move that to the parent domain?

    Regards,

    J R Dash

    Wednesday, July 16, 2014 6:17 AM
  • The SCP is created in the root domain. Typically the URL includes something like rms.domain.com. But if you have the actual server name including the child domain name in it, you need to update it. (http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx)

    Regards,

    Lutz

    Wednesday, July 16, 2014 6:58 AM
  • Yes, I can see the SCP in all my child domains throughout the forest. So now I hope I can proceed with the below steps:

    1. Need to create a service account in parent domain and assign necessary permissions on the remote SQL database

    2. Change the domain of the ADRMS server to parent domain

    3. Change service account via ADRMS console

    4. Publish SCP in parent domain because currently ADRMS shows SCP publication in child domain if you go to ADRMS server properties.

    Regards,

    J R Dash

    Monday, July 21, 2014 7:00 AM
  • That is a great list. Just on step 4, make sure that you do not change the Intranet or Extranet URLs because these are embedded in each RMS protected document and therefore it is hard to impossible to change those URLs because you would need to have access to all data to update the URLs.

    In my RMS installs the SCP URL and the Certification URL have the same value and that's why I am bringing that up.

    Monday, July 21, 2014 5:03 PM
  • As I mentioned in the problem statement, we are using domain-independent licensing & certification URLs which are the same for intranet & extranet. So that part is already safe.

    Regards,

    J R Dash

    Friday, July 25, 2014 5:46 AM
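
A read-only way to run the SCP and SPN checks suggested in the replies before the domain change, as an added example that is not part of the thread. The child domain name and service account name are placeholders, and the script assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: read-only pre-change check; it modifies nothing in AD.
# Placeholders (assumptions, not values from the thread): $ChildDomain, $ServiceAccount.
param(
    [string]$ChildDomain    = 'child.example.com',  # DNS name of the current child domain
    [string]$ServiceAccount = 'svc-adrms'           # current AD RMS service account
)
Import-Module ActiveDirectory

# The SCP lives in the forest-wide configuration partition, not in a single domain.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNC"

try {
    $scp = Get-ADObject -Identity $scpDn -Properties serviceBindingInformation -ErrorAction Stop
} catch {
    Write-Warning "No AD RMS SCP found at $scpDn"
    return
}

# Flag any SCP URL whose host name sits under the child domain:
# that is the case where the SCP value has to be updated after the move.
foreach ($url in $scp.serviceBindingInformation) {
    $scpHost = ([uri]$url).Host
    [pscustomobject]@{
        Check       = 'SCP URL'
        Value       = $url
        NeedsUpdate = ($scpHost -like "*.$ChildDomain")
    }
}

# List SPNs on the current service account so they can be registered
# on the replacement account in the parent domain.
$acct = Get-ADUser -Identity $ServiceAccount -Server $ChildDomain -Properties servicePrincipalName
if (-not $acct.servicePrincipalName) {
    Write-Output "No SPNs registered on $ServiceAccount; nothing to re-register."
}
foreach ($spn in $acct.servicePrincipalName) {
    [pscustomobject]@{
        Check       = 'SPN'
        Value       = $spn
        NeedsUpdate = $true   # every SPN on the old account has to move with the service
    }
}
```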