Here are a few best practices to keep in mind when installing Active Directory Rights Management Services (AD RMS):

Use dedicated AD RMS servers.  Installing AD RMS on the same server as a domain controller, Microsoft Exchange Server, Certification Authority, or Microsoft Office SharePoint Server is a poor security practice.

Do not install AD RMS on a domain controller.  If you do, you must add the AD RMS service account, which is normally configured with no additional permissions, to the Domain Admins group.

You cannot install the Identity Federation Support feature until you have an Active Directory Federation Services (AD FS) server in place.  If AD FS is not configured in your environment at the time of installation, you can install the feature later.

You should only use Windows Internal Database in a test environment.  Windows Internal Database does not support remote connections; therefore, you would be unable to add additional AD RMS servers to your cluster.  In a production environment you should use Microsoft SQL Server.

Use DNS aliases, such as CNAME records, or DNS host records, such as A Records for your database server.  This makes future migration of the databases much easier.

Use DNS aliases, such as CNAME records, or DNS host records, such as A Records for the fully qualified domain name of the AD RMS cluster.  This allows you to easily add additional servers to the cluster and allows you to load balance and perform disaster recovery very easily.

If you plan to deploy AD RMS on a website that is already set up, be sure that website has an http binding, even if you are provisioning AD RMS to use https.

If you plan to deploy AD RMS on a non-default website, install the IIS 6 Management Capability role service before you start provisioning.

Using SSL protocol increases the security of the connections to the AD RMS cluster.  Also, SSL is required to integrate AD RMS with AD FS.  Remember that this cannot be changed once it has been specified.

If installing Identity Federation Support, use lower case letters for the fully qualified domain name, as AD FS is case sensitive.

You should configure your extranet URL at the time of installation, even if it will not be initially deployed.  If external access is enabled after documents are AD RMS protected you must remove the protection, remove the DRM folder on the client computers, configure extranet access, and then protect the documents again.

You should use self-signed certificates only in a test environment.  In a production environment you should use an SSL certificate issued from a certification authority.

After an installation or upgrade is complete you must log off and log back in again before you can administer AD RMS using the AD RMS console.

Once installation is complete you should back up your Server Licensor Certificate and your private key.

There are two paths to upgrading an earlier version of RMS to AD RMS: migration and in-place upgrade.  Migration is the recommended process.  If you choose to do an in-place upgrade, be sure to run the upgrade wizard after the operating system upgrade completes.  This wizard is launched from a link in Server Manager.  For more information on migrating or upgrading a cluster see the TechNet article RMS to AD RMS Migration and Upgrade Guide.

For information on AD RMS prerequisites visit the TechNet article AD RMS Prerequisites.  For more information on installing AD RMS the AD RMS Step-by-step Guide walks you through the process of installing AD RMS in a test environment.


See Also