AD RMS Installation Account RRS feed

  • Question

  • I am trying to install AD RMS, but I keep getting the following:

    The account you are logged on with is not valid for installing the AD RMS server role.  Log on with a domain account that is a member of the local Administrators group.

    However, the account I am logged on with is a member of Enterprise Admins, Domain Admins and directly a member of the Local Administrators group.  What credentials does the installation account need?\


    Friday, June 13, 2008 4:12 PM

All replies

  • The Pre-installation Information for Active Directory Rights Management Services stipulates:

              there are several requirements that must be met:

    Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) domain as the user accounts that will be consuming rights-protected content.

    Create a domain user account with no additional permissions to be used as the AD RMS service account.

    Select the user account for installing AD RMS with the following restrictions:

    The user account installing AD RMS must be different than the AD RMS service account.

    If you are registering the AD RMS service connection point (SCP) during installation, the user account installing AD RMS must be a member of the AD DS Enterprise Admins group, or equivalent.

    If you are using an external database server for the AD RMS databases, the user account installing AD RMS must have the right to create new databases. If Microsoft SQL Server 2005 is used, the user account must be a member of the System Administrators database role, or equivalent.

    The user account installing AD RMS must have access to query the AD DS domain.

    Do you have these requirements covered?
    Friday, June 13, 2008 5:30 PM
  • I would assume I have all this covered.  The same installation account was able to install AD CS as a Root Certificate Authority so that should cover the querying AD.  There is only one domain, in a single forest with no trust so that covers the first point. 

    I don't get far enough to choose the service account or the SQL server so its not the 2nd, 4th or 6th points.

    As I said, the user is a mamber of Enterprise Admins, but even if it wasn't, the 5th point should not prevent installation right?  It would only stop me from registring the SCP.

    I have even trid using the DOMAIN\Administrator account, but it gets the same error.
    Thursday, June 19, 2008 6:14 PM
  • Is there any reason that Domain\Administrator would not be able to install AD RMS?
    Thursday, June 26, 2008 1:30 PM
  • I would just like to +1 on this issue. Never been able to install the 2008 AD RMS role - "preparing wizard pages" chugs away and after 10 seconds the error message as described above appears. I've tried all sorts of combinations of test accounts as well as Domain\Administrator.

    Domain functional level is 2003 native. We once ran 2003 rms (as a test exercise) years ago, is it possible some old entry in AD is preventing installation and the error details are spurious?
    Friday, June 27, 2008 4:29 PM
  • I now have the same issue in 2 domains (both the only domain in the forest).

    Both domains are 2008 native.  The 1st domain had a previous AD RMS install that was decomissioned, but the 2nd domain has never seen AD RMS.  The 2nd domain is just 2 DCs and an AD CA, no group policies (other than the two default ones).

    I am trying to install AD RMS on the same server as the already installed AD CA.

    Friday, June 27, 2008 4:39 PM
  • I remember, all user account need email address in AD, are you config email address for your account?
    this RMS cluster root server is the first RMS server in your forest? I know there only one RMS root in your AD forest. but you can have many other RMS not root server.

    Friday, July 25, 2008 2:00 AM
  • Hi,

    I am having the EXACT SAME PROBLEM.
    Have you been able to troubleshoot and solve it?

    Any help would be much apreciated.
    Many thanks in advance

    Susana Guedes
    Tuesday, July 29, 2008 10:47 AM
  • *bump*

    Does anyone have an inkling on this one? Any other role installs just fine. I've tried sending an email to the RMS team via their (somewhat abandoned) blog, so we'll see what happens...


    Tuesday, September 9, 2008 4:05 PM
  • Rob,

    I found the problem that was causing that error on  my environment.
    My server was connected to a FAR FAR AWAY Domain Controller and the accounts I created for RMS were not being replicated to that DC in useful time (the replication occurs once a week).
    I am no sure that this info can help you, but after I have connected my server to the DC located near him (where I have created the accounts) the problem was solved.

    Best wishes
    Susana Guedes
    Thursday, September 11, 2008 4:12 PM
  • Seems like a strange one. Any chance you are running some security templates (i.e. lockdowns) on these servers? Whenever I see something happening on multiple different servers, using multiple different accounts, I start thinking, what is the 'constant' in this equation. A constant would be the environment, and a GPO would be the most likely culprit. You can go out to a command prompt and just type gpresult /v

    Also, if you go onto a DC, and open AD Sites and Services, then click View>Show Services Node, and Expand the services node,do you have a 'RightsManagementServices' entry in there?

    If you do, then you had RMS in your environment before, and you'll need to delete this entry...unless you are trying to 'add' this machine to an existing cluster.

    Just a few thoughts.


    Thursday, September 11, 2008 10:29 PM
  • Just thought I'd bump this thread one last time with the news that Jason pinpointed the problem on my domain. The error text was actually inappropriate in describing the cause in this instance: the real cause was a NETBIOS name mismatch to the DNS of the domain. (If the DNS version was abc-def.com, the NETBIOS was not ABC-DEF but rather ABC.)

    Jason offered a rendom of the domain in order to resolve the problem, but in the end I elected to wait until the 2008 R2 release which does not share the same domain-naming requirement. I have tested under 2008 R2 B1 and AD RMS will install without throwing the error.

    Thanks to Jason and his colleagues for sticking with me in what was a very annoying bug!

    • Proposed as answer by Rob Hardman Monday, January 26, 2009 11:00 PM
    Monday, January 26, 2009 11:00 PM