AD RMS Installation fails

    Question

  • Hi,

    I'm setting up AD RMS Test setup in my production domain.

    My installation fails and I found that during setup of the ADRMS cluster, we get 2 options like below:

    Create a new AD RMS cluster  and Join an existing AD RMS cluster.

    In my domain the option for "Join an existing AD RMS cluster" is not greyed out. I believe this means we already have AD RMS set up in the environment and we can join an existing setup.

    My Questions:

    How to find existing setup in the environment?

    Can we have 2 AD RMS different setups in same domain?

    Please suggest your feedback. I'm new to AD RMS.

     

    Regards

     

    Wednesday, October 06, 2010 7:12 AM


All replies

  • It's best if you can post your query in the RMS forums; the people over there are dedicated to that product.

    http://social.technet.microsoft.com/Forums/en-US/rms/threads


    http://www.virmansec.com/blogs/skhairuddin
    • Proposed as answer by Anouar KETAT Wednesday, October 06, 2010 8:08 AM
    Wednesday, October 06, 2010 7:33 AM
  • Thank you so much.
    Wednesday, October 06, 2010 7:37 AM
  • Hi,

     

    Answers of your 3 questions are:

     

    1) Check within Sites and Services whether your ADRMS object is created or not (click on advanced view for the service node)

    2) No, ADRMS cannot be 2 in same domain

     

    Please check in Roles whether it is installed successfully or not. Actually, when installation of ADRMS fails, a possible reason is the SCP (service connection point). Let me know if any error is found on the Roles page.

     


    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Proposed as answer by Vikas Siingh Wednesday, October 06, 2010 8:16 AM
    Wednesday, October 06, 2010 8:16 AM
  • Hi, Thank you so much for your reply.

    Now the problem is that the existing setup might have been done by someone a long time back, and we have no idea about it. We also need to find the existing setup of the RMS server. Is it possible to find which servers made up the existing setup?

    How can we find the existing setup in our environment using dssite.msc?

    (We believe we have an existing setup somewhere in the domain, though we are setting up an additional AD RMS separately.) At the end of setup, while AD RMS provisioning.exe is being installed, it times out.

    Please suggest how I should verify and proceed.

    Wednesday, October 06, 2010 8:46 AM
  • Hi,

     

    1) Open Dssite.msc

    2) Click on view

    3) Click on "Show Service Node"

    4) Find the Rights Management Service

    5) Delete the Service and try to install ADRMS again

     


    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Proposed as answer by Vikas Siingh Wednesday, October 06, 2010 9:21 AM
    Wednesday, October 06, 2010 9:21 AM
  • Hi, Thanks. I just checked and found Rightsmanagementservices and, underneath it, the SCP folder.

    Is it OK to just delete it, so that the existing RMS setup is gone from the domain? Earlier I found one article which says there is a proper method to follow for decommissioning an RMS setup.

    It's a very critical production setup. Though I'm sure the existing setup, which might have been used at one point for testing in production, is not being used currently. We also don't know the host names for the existing setup, and it is very difficult to find them among 1000's of servers.

    So please suggest if I can directly remove the entry from dssite.msc and everything is gonna be OK. Also, can you suggest if there is any command line to find RMS servers in the domain?

    I really appreciate your help.

     

    Wednesday, October 06, 2010 9:35 AM
  • Hi,

     

    Use the decommission document. Once you finished with that document then delete the RMS from SCP folder.

    If you install after decommission, then it will take the previous SCP registered point so better we delete the old registered SCP.


    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Proposed as answer by Vikas Siingh Wednesday, October 06, 2010 9:51 AM
    Wednesday, October 06, 2010 9:50 AM
  • Hi, but please tell me how I can find my existing RMS server. I'm not aware of the setup, and neither is anyone in my company. We first need to find which server the existing setup is running on.
    Wednesday, October 06, 2010 10:14 AM
  • Hi,

     

    You can find all your answers in below link, Please go through the same, if any issue, please let me know!!!

     

    http://social.technet.microsoft.com/wiki/contents/articles/the-ad-rms-service-connection-point.aspx


    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Proposed as answer by Vikas Siingh Wednesday, October 06, 2010 10:41 AM
    Wednesday, October 06, 2010 10:40 AM
  • Hi, Thanks once again.

    I checked the above URL and it does not say anything about how to find an existing AD RMS server in the domain. I'm looking for the host name of the server where the existing setup was done.

    Also, I checked so many articles, and none of them talks about how to find an existing setup of the server.

    Wednesday, October 06, 2010 11:22 AM
  • Hi,

     

    Actually, once you open the SCP through Adsiedit, you can find the RMS server hostname. Please follow the SCP registration point as given below.

     

    A SCP can be viewed using ADSI Edit or LDP.  To view the SCP, connect to the configuration container in ADSI Edit and navigate the following nodes: CN=Configuration [server name], CN=Services, CN=RightsManagementServices, CN=SCP. 

     


    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Proposed as answer by Vikas Siingh Wednesday, October 06, 2010 11:28 AM
    Wednesday, October 06, 2010 11:28 AM
  • Thanks a ton once again.

    I checked the path and there is no server listed. Can I assume that the existing setup was decommissioned and only the SCP entry was left?

    Do I need to manually delete the Rightsmanagementservices along with the SCP in dssite.msc or adsiedit.msc, or do I really need to use the tool (ADScpRegister.exe) to remove the SCP?

     

    Thank you.

    Wednesday, October 06, 2010 11:44 AM
  • Hi,

     

    Yes, Delete the existing entry through dssite and adsiedit. While installing, it will register SCP automatically


    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Proposed as answer by Vikas Siingh Wednesday, October 06, 2010 11:54 AM
    Wednesday, October 06, 2010 11:54 AM
  • Thank you so much
    Wednesday, October 06, 2010 12:04 PM
  • Hi,

    first of all, deleting a SCP is not a big thing. You can always recreate it (overwriting the former one of course) from the RMS MMC. Besides, you can use registry overrides to direct clients to a different RMS installation than the one registered in the SCP.
    http://technet.microsoft.com/en-us/library/cc755112.aspx

    You can also leave the SCP and the old installation as they are and install a fresh RMS root cluster without registering the SCP. You then use registry overrides to work with your personal installation. In a productive environment this might not be what you want but it is a start for testing.

    To find your RMS installation, check the contents of the SCP. The URL clients connect to is part of the SCP.

    In dssite.msc right click the SCP node underneath the RightsManagementServices node and select Properties. Open the Attribute Editor tab and look for the ServiceBindingInformation attribute (this is all on W2K8R2). It should contain the URL of your RMS root cluster.

    Once you know the URL you can PING the host to get its IP. If it is load balanced you get a virtual IP which might not be all that helpful. In the case of hardware load balancing you can ask the LB admins where the virtual IP is directed to. If NLB is used it might be harder to get the actual IPs of the hosts. Maybe you can do a little network sniffing if RMS traffic is not secured with SSL.

    Anyway, you can always connect to http(s)://<hostname>/_wmcs/certification/certification.asmx to check if the service is up and running.

    A completely different approach is to use IRMcheck, a tool that is part of the RMS SP2 Administration Toolkit. It is kinda outdated but still helpful on some occasions.
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=BAE62CFC-D5A7-46D2-9063-0F6885C26B98
    It does a whole lotta client checking to see if the client is correctly configured and displays a nice little HTML report. The report also contains the URL of the SCP.

    Regards

    Chris

    Wednesday, October 06, 2010 12:23 PM
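
The lookup described in the post above, done from the command line. This is an added example, not part of the original thread; the function names `Get-AdRmsScp` and `Test-AdRmsCluster` are hypothetical, and it assumes a domain-joined machine running Windows PowerShell. It only reads from the directory and changes nothing.

```powershell
# Added example: read the AD RMS service connection point (SCP) from the
# configuration partition, then check whether the registered cluster still answers.

function Get-AdRmsScp {
    # The SCP lives under CN=Services in the forest-wide configuration partition.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $scpDn    = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$scpDn")) {
        return $null    # no SCP registered in this forest
    }
    $scp = [ADSI]"LDAP://$scpDn"
    New-Object PSObject -Property @{
        DistinguishedName = $scpDn
        Urls              = @($scp.psbase.Properties['serviceBindingInformation'])
        WhenCreated       = $scp.psbase.Properties['whenCreated'].Value
    }
}

function Test-AdRmsCluster {
    param([Parameter(Mandatory = $true)][string]$Url)

    $uri    = [Uri]$Url
    $status = 'not checked'
    $ips    = @()
    try {
        # A host name that no longer resolves points to a decommissioned cluster.
        $ips = @([System.Net.Dns]::GetHostAddresses($uri.Host) |
                 ForEach-Object { $_.IPAddressToString })
    } catch {
        $status = 'host name does not resolve'
    }
    if ($ips.Count -gt 0) {
        # certification.asmx is the endpoint named in the post above.
        $probe = '{0}://{1}/_wmcs/certification/certification.asmx' -f $uri.Scheme, $uri.Authority
        try {
            $req = [System.Net.WebRequest]::Create($probe)
            $req.UseDefaultCredentials = $true
            $req.Timeout = 10000          # milliseconds
            $resp = $req.GetResponse()
            $status = 'HTTP {0}' -f [int]$resp.StatusCode
            $resp.Close()
        } catch {
            $status = 'no answer: ' + $_.Exception.Message
        }
    }
    New-Object PSObject -Property @{
        Url = $Url; Host = $uri.Host; Addresses = $ips; ServiceStatus = $status
    }
}

$scp = Get-AdRmsScp
if (-not $scp) {
    'No AD RMS SCP is registered in this forest.'
} else {
    $scp | Format-List
    $scp.Urls | ForEach-Object { Test-AdRmsCluster -Url $_ } | Format-List
}
```

An SCP whose URL does not resolve or does not answer is a stale registration; with load balancing, the addresses returned are the virtual IP rather than the individual hosts.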
  • Hi,

    I just checked what Chris mentioned and I found that we have the cluster URL under the ServiceBindingInformation attribute. I also found the CNAME record, and it's pointing to a server that does not exist in AD anymore. So it has been decommissioned.

    Now i will manually delete the SCP and install RMS.

    Please let me know if you want to point me some where.

    Thank you for your help Chris and Vikas.

    Wednesday, October 06, 2010 1:14 PM
  • Hi,

    be aware you need to delete the complete RightsManagementServices node. Only deleting the SCP node will not do the trick.

    Regards
    Chris

     

    Wednesday, October 06, 2010 1:19 PM
  • Hi,

    I understood the same now.

    Thanks everyone.

    Thursday, October 07, 2010 6:06 AM
  • Hi, I'm back.

    Can you please suggest for below issue?

    I'm installing ADRMS with the ADRMSADMIN account (Enterprise Admin), and during setup we receive an option for the service account (here we need to enter a domain user account without any specified permissions). After entering the domain user account, we receive the error: The Password Could not be validated.

    Account is absolutely correct.

    Does anyone have any idea?

    Thursday, October 07, 2010 10:45 AM
  • Hi,

     

    Please create one service account named ADRMSSVC (normal user account). While installing, ADRMS will ask for the ADRMS service account, so please put in domain\Service account and password and move ahead.


    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Proposed as answer by Vikas Siingh Thursday, October 07, 2010 11:13 AM
    Thursday, October 07, 2010 11:13 AM
  • Hi Vikas, I did the same and same error. Even if we enter Domainname\serviceaccount or serviceaccount it gives same error. This service account is only Domain User account.

    Still we are receiving same error.

    Thursday, October 07, 2010 11:23 AM
  • Ok, Are you able to login with that user on any machine?

    If it's a newly created user, then clear the option of "Password change on first time login" in the user properties


    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Proposed as answer by Vikas Siingh Thursday, October 07, 2010 11:52 AM
    Thursday, October 07, 2010 11:52 AM
  • I'm able to login with the same account.

    Account is password never expires and Password change on first time login is not applied.

     

    Thursday, October 07, 2010 11:54 AM
  • Ok, now do one thing: add the service account to the ADRMS server's local administrators group, log in and log off with it on that server, and then try. It will work
    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, October 07, 2010 11:58 AM
  • Thanks, this works fine. But I think this should be changed in the articles which are published. What do you say?

    Thursday, October 07, 2010 12:29 PM
  • Actually, your ADRMS server does not provide access to normal user to login. This is only cause of the issue!!!.

     

    Please mark answers if all the answers are correct!!!!


    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, October 07, 2010 12:33 PM
  • Hi, This ADRMS doesn't  get installed as it is described in the articles.

    I've been trying setup for so many days and it always fails due to different errors. Now I have gone through videos and articles but it always fails. I've given proper rights, and on the database I've finally also given the sysadmin role (adminaccount), and installation fails with a provisioning error. I've tried 10-15 times and it always fails. Please find the error below:

    Installation succeeded with errors:

    Attempt to configure Active directory rights management server failed. Provisioning of ADRMS timed out without any specific error.

    Remove and re-install AD RMS on this server, you must logoff and log on again.

     

    I CAN NOT FIND ANYTHING ON INTERNET AS WELL. PLEASE HELP IF YOU GUYS HAVE ANY IDEA. I WILL BE HIGHLY OBLIGED IF YOU GUYS CAN FIX IT. I'VE TO LAUNCH THIS IN PRODUCTION. PLEASE SUPPORT.

    Thanks.

    Saturday, October 09, 2010 6:51 AM
  • Hi V-2sahs,

    well, the suggestion is probably not too bad. Why don't you make sure you uninstall everything AD RMS related: AD RMS, IIS, etc. Btw, are you using integrated SQL or a separate SQL instance?

    Anyway, there is no reason why you would want to make the AD RMS service account a member of the local administrators; a simple domain user account is sufficient. Except if you are installing on a Domain Controller (DC). But in that case you don't have local administrators anyway. What I do in the DC case is I make the AD RMS service account a member of Domain Printer Operators for installation and remove em again afterwards.

    So to me this looks like your whole installation is somehow messed up. Is it possible to start from scratch on a new clean installation?

    Regards
    Chris

    Sunday, October 10, 2010 12:45 PM
  • Hi Chris,

    Thanks for your reply. Well, now I already have a new setup. I have 2008 for AD RMS and a separate 2008 server with SQL. Still getting the same error.

    Accounts being used:

    ADRMSADMIN (Enterprise admin, Domain Admin, Local admin on SQL Server and also have DBcreator and Sysadmin)

    ADRMSSVC (Domain User Account with Local Admin privilege)

    I run setup with ADRMSADMIN account and after sometime setup fails with provisioning error.

     

    Monday, October 11, 2010 5:56 AM
  • Hi, Also I noticed that when I'm installing AD RMS using the step-by-step guide, I'm not getting the option for the points below:

    24.  Read the Introduction to Web Server (IIS) page, and then click Next.

    25.  Keep the Web server default check box selections, and then click Next.

    26.  Click Install to provision AD RMS on the computer. It can take up to 60 minutes to complete the installation.

    I believe this is because I have already installed IIS on the servers.

    Monday, October 11, 2010 7:48 AM
  • Hi,

    Can you provide the Event ID please? There must be an event registered while provisioning the server!!


    Thanks and Regards, Vikas This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Monday, October 11, 2010 8:10 AM
  • Hi Everyone,

    I'm in process of performing fresh OS installation. I will update once completed.

    Tuesday, October 12, 2010 5:33 AM
  • Hi, Finally I was able to figure out the problem. Please find details below:

    I did not start OS build again. It seemed like AdRmsLoggingService was gone.

    I tried command line deprovisioning with logging.

    1. Open cmd.exe as an Administrator.

    2. Go to "%Windir%\System32\rms" directory.

    3. run this command line:

      microsoft.rightsmanagementservices.provision.exe -v -u

    Even doing this did not help. Finally I found that ADRMS works by default on port no. 1433, which is not mentioned anywhere during the setup. On SQL, my SQL team defined port number 8000, which is recommended in our environment. After changing the port on the database, the issue was resolved.

    Finally I have successfully installed ADRMS.

    Guys, if you have a complete guide on how to work with AD RMS on the client side, please share. What all do I need to start with on the client side? Do we really require templates for everything?

    Regards

    Soi

     

    Thursday, October 14, 2010 4:34 AM
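
A pre-installation check for the situation in the post above, where provisioning timed out because the SQL instance was not listening on the expected port. This is an added example, not part of the original thread; the function name `Test-SqlEndpoint` and the host name `sql01.example.test` are placeholders, and it is meant to be run on the AD RMS server under the installing account.

```powershell
# Added example: check which TCP port the database server answers on and
# whether the current account can open a SQL session there.
Add-Type -AssemblyName System.Data

function Test-SqlEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$SqlHost,
        [int[]]$Ports   = @(1433, 8000),   # the two ports mentioned in the post
        [int]$TimeoutMs = 3000
    )
    foreach ($port in $Ports) {
        # Step 1: plain TCP connect with a timeout, so a filtered port fails fast.
        $tcp  = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $tcp.BeginConnect($SqlHost, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $tcp.EndConnect($async)
                $open = $true
            }
        } catch {
            $open = $false
        } finally {
            $tcp.Close()
        }

        # Step 2: if the port is open, try an integrated-security login on it.
        # "tcp:host,port" forces TCP on an explicit port.
        $login = 'skipped'
        if ($open) {
            $cs   = "Server=tcp:${SqlHost},${port};Database=master;Integrated Security=SSPI;Connect Timeout=5"
            $conn = New-Object System.Data.SqlClient.SqlConnection $cs
            try {
                $conn.Open()
                $login = 'ok'
            } catch {
                $login = $_.Exception.Message
            } finally {
                $conn.Dispose()
            }
        }
        New-Object PSObject -Property @{
            Host = $SqlHost; Port = $port; TcpOpen = $open; SqlLogin = $login
        }
    }
}

# Placeholder host name; replace with the database server used for AD RMS.
Test-SqlEndpoint -SqlHost 'sql01.example.test' | Format-Table Host, Port, TcpOpen, SqlLogin -AutoSize
```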
  • Hello V-2sahs,

    Thank you for your update.

    On the client, an RMS client must be in place, RMS enabled applications must be deployed and information protection policies and templates must be delivered.

    The following KB are for your reference:

    AD RMS Client Deployment and Usage Considerations
    http://technet.microsoft.com/en-us/library/dd772718(WS.10).aspx

    AD RMS Client Deployment
    http://technet.microsoft.com/en-us/library/dd772680(v=WS.10).aspx

    Windows Rights Management Client Installation
    http://technet.microsoft.com/en-us/library/dd941591(v=WS.10).aspx

    Brent Hu
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, October 14, 2010 6:31 AM
    Moderator