You need to prepare users' Active Directory (AD) accounts for use with RMS. RMS doesn't rely on Microsoft Exchange Server, but because RMS identifies users by email address, every user must have an AD user account with an associated unique email address. If you're running Exchange 2000 Server or later, Exchange's Recipient Policies and Recipient Update Service (RUS) can email-enable the AD accounts. Some other email systems (e.g., Windows 2003's POP3 service) will also populate AD user accounts with users' email addresses. If you aren't running such an email system, you'll need to manually add email addresses to users' accounts or use an Active Directory Service Interfaces (ADSI) or similar script to add the addresses.
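The following PowerShell script is an added example, not part of the original article, of the "ADSI or similar script" approach: it uses System.DirectoryServices to find user accounts that have no mail attribute, proposes an address built from the account name, refuses to assign an address that any other object in the domain already holds (RMS identifies users by email, so duplicates would be a problem), and only writes when run with -Apply. The search base OU and the mail domain are placeholders.

```powershell
# Added example (not from the original article): give RMS users a unique email address
# by populating the AD "mail" attribute on accounts that lack one.
# Assumptions: $SearchBase and $MailDomain are placeholders for your environment;
# run under an account with write access to the user objects.
param(
    [string]$SearchBase = "LDAP://OU=Users,DC=example,DC=com",  # placeholder OU
    [string]$MailDomain = "example.com",                          # placeholder domain
    [switch]$Apply                                                # without -Apply: report only
)

# Escape characters that have meaning in an LDAP filter (RFC 4515) before using a value in one.
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Domain root, used for the uniqueness check across the whole domain (not just the OU).
$rootDse    = [ADSI]"LDAP://RootDSE"
$domainRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

# Users (objectCategory=person, objectClass=user) with no mail attribute at all.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$SearchBase
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user)(!(mail=*)))"
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties["samaccountname"][0]
    $dn  = [string]$result.Properties["distinguishedname"][0]
    $candidate = "$sam@$MailDomain"

    # RMS needs the address to be unique: check no other object already carries it.
    $dupSearch = New-Object System.DirectoryServices.DirectorySearcher
    $dupSearch.SearchRoot = $domainRoot
    $dupSearch.Filter     = "(mail=" + (ConvertTo-LdapFilterValue $candidate) + ")"
    if ($dupSearch.FindOne()) {
        Write-Warning "SKIP $dn : $candidate is already in use by another object"
        continue
    }

    if ($Apply) {
        $user = [ADSI]("LDAP://" + $dn)
        $user.Put("mail", $candidate)
        $user.SetInfo()
        Write-Output "SET  $dn -> $candidate"
    } else {
        Write-Output "PLAN $dn -> $candidate (run with -Apply to write)"
    }
}
```

Run it once without -Apply and review the PLAN and SKIP lines before writing anything; accounts flagged SKIP need an address chosen by hand, since the script never overwrites or reuses an existing one.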
Before clients can use RMS, a member of the Enterprise Admins group must publish an AD serviceConnectionPoint object for the RMS certification server, which clients and applications use to locate the RMS certification server during client activation and when requesting an RAC for a user. If you plan to create multiple RMS hierarchies in your forest or don't want to publish a serviceConnectionPoint object in AD, you'll need to use registry overrides on your client systems. The required overrides will depend on the RMS-aware applications that users plan to leverage; see the Microsoft Office 2003 Editions Resource Kit (http://www.microsoft.com/office/ork) for details about overrides for Office 2003 applications.
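As an added example (not from the original article), this PowerShell snippet lets an administrator confirm from a client-side viewpoint that the serviceConnectionPoint has been published: it searches the forest's Configuration partition, which is what clients read, and lists every serviceConnectionPoint object together with the URL stored in its serviceBindingInformation attribute. The RightsManagementServices container name used to narrow the search is an assumption about where RMS places its object; if nothing is found under it, the script falls back to listing all SCPs so you can locate the right one.

```powershell
# Added example (not from the original article): verify the RMS serviceConnectionPoint
# is visible in the Configuration partition, where clients look for it.
# Assumption: the "CN=RightsManagementServices,CN=Services" container is where RMS
# publishes its SCP; confirm against your forest, the script falls back to all SCPs.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = [string]$rootDse.configurationNamingContext

function Get-ServiceConnectionPoints([string]$SearchRootPath) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchRootPath
    $searcher.Filter     = "(objectClass=serviceConnectionPoint)"
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("serviceBindingInformation")
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DistinguishedName = [string]$r.Properties["distinguishedname"][0]
            BindingInformation = @($r.Properties["servicebindinginformation"]) -join "; "
        }
    }
}

# Assumed RMS container (see note above); verify it exists before searching under it.
$rmsContainerPath = "LDAP://CN=RightsManagementServices,CN=Services,$configNc"
$scps = @()
if ([System.DirectoryServices.DirectoryEntry]::Exists($rmsContainerPath)) {
    $scps = @(Get-ServiceConnectionPoints $rmsContainerPath)
}

if ($scps.Count -eq 0) {
    Write-Warning "No serviceConnectionPoint found under the assumed RMS container; listing all SCPs in the Configuration partition."
    $scps = @(Get-ServiceConnectionPoints "LDAP://$configNc")
}

# Clients need the binding URL to reach the certification server; HTTPS is the safer choice (see the Cluster URL step).
$scps | Format-Table -AutoSize DistinguishedName, BindingInformation
```

Run it as an ordinary domain user rather than an Enterprise Admin: the Configuration partition is readable by authenticated users, so a successful listing from a normal account is the same view a client will get during activation.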
To leverage RMS, users must also have access to RMS-aware applications, such as those in Office System 2003, or to RMA and IE 5.5 or later. Software development kits (SDKs) are available for ISVs and for companies that want to develop their own RMS-aware applications. (You can download RMA at http://www.microsoft.com/windows/ie/downloads/addon/default.asp.)
The RMS Certification Server
Installing the RMS certification server is a simple process. Log on to the server as a member of the Domain Admins group. The RMS server component consists of a self-extracting executable file that contains a Windows Installer (.msi) file. The installation program prompts you to agree to license terms and to confirm the installation location for the server component. The installation creates a Start Menu program group with links to an online Help file, a README file, and the Web-based RMS management console.
After you've installed the RMS certification server, you need to provision, or enroll, the server. Provisioning a server is a two-step process: First, you enter configuration information; second, the server enrolls with Microsoft to obtain a signed RMS licensor certificate. Select the Web site on which you want to provision RMS (Microsoft recommends that you do so on a dedicated Web site), then click Provision RMS on this Web site to begin the provisioning process.
Configuration. The RMS server can communicate with a locally installed database or a database on a remote server. If the database is local, select the Local database option in the Configuration database section; otherwise, select the Remote database option and enter the name of the database server.
In the RMS service account section, enter the name and password of the service account that RMS will use. If you chose to use a local configuration database, you can run RMS under the Local System account, although for security reasons I recommend against doing so. If you chose to use a remote database, you must enter the credentials of a domain account. This account will have access to the databases that RMS creates on the database server.
In the Cluster URL section, enter the FQDN that you want to use as the intranet URL. For additional security, you can select HTTPS:// from the drop-down list. This setting directs RMS-aware applications to connect to the RMS server over a Secure Sockets Layer (SSL) connection (you'll need to install an SSL certificate and configure IIS to accept SSL connections).
In the Private key protection and enrollment section, enter a password that RMS will use to protect the keys it generates to secure licenses. Write down the password and keep it safe; you'll need it if you need to reinstall or upgrade the RMS server or add servers to create a cluster. If you have a supported Hardware Security Module (HSM), RMS can use the HSM to securely store keys; simply clear the Use the default storage-based private key protection option and enter the requested information about your HSM. Enter a descriptive name for the Server licensor certificate name and the email address of an administrative contact. If your organization has a proxy server, you can configure your RMS server to connect through the proxy server; select the This computer uses a proxy server to connect to the Internet option. Enter the name of your proxy server and the port it uses in the Address and Port fields. If your proxy server requires users to authenticate by presenting credentials, select the This proxy server requires authentication option, select the type of authentication (Basic, Digest, or Integrated Windows), and complete the User Name, Password, Confirm Password, and Domain fields.
Last, in the Revocation section, you can elect to let a trusted third party revoke the RMS server's licensor certificate. Most organizations won't want to select this option. (Revocation is an advanced topic; for more information, see the RMS Server Deployment Guide.) After you've entered the required configuration information, click Submit to begin the second step of the provisioning process.