Let's say that you decide that you want to enable SSL on your Active Directory Rights Management Services (AD RMS) pipelines after AD RMS is provisioned. It is recommended that you decrypt all AD RMS-protected content, re-install and re-provision AD RMS, and then encrypt the content again. However, this is not always possible.

One alternative option is to provision a new AD RMS environment and redirect all of your AD RMS clients to use this new licensing server. Before we see how to do this, there are several assumptions made about your AD RMS environment:

  • The AD RMS deployment is configured with a software-based Server Licensor private key. This scenario will not work if you're using an HSM to secure your AD RMS cluster's private key.
  • An SSL certificate is already installed and configured to require SSL encryption within IIS on the AD RMS virtual directory roots.
  • The existing AD RMS database and servers have been backed up and the tapes stored in a safe place.
  • Because this requires that a registry entry is added to every AD RMS client, you must have a way to update the clients.

Now, to enable SSL in your AD RMS environment after the AD RMS server has been provisioned, you should follow these steps:

  1. Provision a new AD RMS server using the HTTPS option for the Intranet Cluster URL.
  2. Configure the old server as a Trusted User Domain on the new server. For instruction on this, see the TechNet article Trusted User Domains (http://technet.microsoft.com/en-us/library/dd983944%28WS.10%29.aspx).
  3. Configure the old server as a Trusted Publishing Domain on the new server. For more information on this, see the TechNet article AD RMS Trusted Publishing Domain Considerations (http://technet.microsoft.com/en-us/library/dd772677(WS.10).aspx).
  4. Add a new String Value named LicenseServerRedirection registry entry to all of your AD RMS clients. The registry entry should be added to HKCU\Software\Microsoft\Office\12.0\Common\DRM for clients running Microsoft Office 2007 (for clients running Microsoft Office 2003 substitute 11.0 for 12.0). The value of this entry should be set to the name of the new server in the format of https://NewADRMSServer/_wmcs/licensing.
  5. Update your Active Directory Service Connection Point to the new server. This can be done manually or via the ADScpRegister utility available from the AD RMS Toolkit. Note: You must be a member of the Active Directory Enterprise Admins group to do this.
  6. Retire the old AD RMS server.

Please note that the rights policy templates and trusted user domains will not be transferred using the steps outlined in this post.  Also, the ideal method to enable SSL after AD RMS is provisioned is as follows:

  1. Back up the publishing certificate.
  2. Remove the service connection point (SCP) from Active Directory.
  3. Unprovision AD RMS.
  4. Provision AD RMS again using HTTPS.
  5. Register the new SCP.
  6. Import the publishing certificate.
  7. Modify the LicenseServerRedirection registry on all AD RMS-enabled clients to reflect this change.

See Also