
Active Directory Right Management Service (AD RMS) – Part 02 – AD RMS Components

In my previous blog post about AD RMS, I explained what RMS is and what it can do. If you haven't read it yet, you can find it here. In this post I am going to explain the AD RMS components.

AD RMS has its own role services and related components, which need to work together to maintain a healthy AD RMS environment. Let's look at these components in detail.

Active Directory Domain Services (AD DS) – AD RMS is an Active Directory role service. It can only be installed in an AD DS environment, and it must be installed on member servers. AD DS is also used to publish the service connection point (SCP), through which internal users automatically discover the URL of the AD RMS cluster.

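The SCP is the one piece of AD RMS configuration that lives in AD DS rather than on the RMS servers, so it is worth knowing how to read it and how a client can be made to ignore it. The following PowerShell is an added example, not code from the original post: it reads the SCP from the forest configuration partition (AD RMS registers it at CN=SCP,CN=RightsManagementServices,CN=Services under the configuration naming context, with the cluster URL in serviceBindingInformation) and then lists the client-side registry overrides that take precedence over the SCP when present. It assumes the ActiveDirectory RSAT module and a domain-joined host; no cluster name is hard-coded.

```powershell
# Added example, not from the original post. Reads the AD RMS SCP published in AD DS and
# reports any client-side override that would bypass SCP discovery on this host.
Import-Module ActiveDirectory

function Get-AdRmsScp {
    # AD RMS registers its SCP at a fixed location in the configuration partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn    = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    try {
        $scp = Get-ADObject -Identity $scpDn -Properties serviceBindingInformation, whenChanged
    } catch {
        Write-Warning "No AD RMS SCP found at $scpDn (not registered, or no rights to read it)."
        return $null
    }
    [pscustomobject]@{
        DistinguishedName = $scp.DistinguishedName
        ServiceUrl        = ($scp.serviceBindingInformation -join ';')
        WhenChanged       = $scp.whenChanged
    }
}

function Get-AdRmsClientOverride {
    # The AD RMS client honours these registry keys before it consults the SCP:
    #   Activation           -> certification pipeline URL
    #   EnterprisePublishing -> licensing pipeline URL
    $base = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation'
    foreach ($key in 'Activation', 'EnterprisePublishing') {
        $path = Join-Path $base $key
        if (Test-Path $path) {
            [pscustomobject]@{ Override = $key; Url = (Get-ItemProperty -Path $path).'(default)' }
        }
    }
}

$scp = Get-AdRmsScp
if ($scp) {
    "SCP: $($scp.ServiceUrl) (last changed $($scp.WhenChanged))"
    # Clients fetch certificates from this URL, so it should be HTTPS.
    if ($scp.ServiceUrl -notmatch '^https://') { Write-Warning 'SCP URL is not HTTPS.' }
}

$overrides = @(Get-AdRmsClientOverride)
if ($overrides.Count -eq 0) { 'No client-side override; this host will use the SCP.' }
else { $overrides | Format-Table -AutoSize }
```

Run it on a client to confirm discovery resolves to the cluster you expect; an unexpected override under HKLM\SOFTWARE\Microsoft\MSDRM\ServiceLocation would silently redirect that machine's certification or licensing traffic.
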
AD RMS Cluster – An AD RMS cluster is a single RMS server, or a group of servers, that shares the certification and licensing requests from its clients. Although it is called a "cluster", it is different from a typical Windows failover cluster: a failover cluster needs at least two nodes, but an RMS cluster is a cluster even when it has only a single server. There is one requirement when multiple servers are involved. Like AD FS, AD RMS supports two types of database: by default it uses the Windows Internal Database (WID), and it also supports a Microsoft SQL Server database. If the AD RMS cluster is going to have multiple servers, it must use a SQL Server database hosted on a separate server.

There are two types of cluster in AD RMS:

Root Cluster – When the first AD RMS server is set up in an infrastructure, it becomes the root cluster. By default it responds to both licensing and certification requests from clients. When required, additional RMS servers can be added to the cluster. Only one root cluster can exist in an AD DS forest.

Licensing Cluster – If an organization has multiple Active Directory sites, remote sites may prefer to use servers in their own site whenever possible, so that users do not have to connect to other sites over slow links. In such scenarios the organization can deploy a licensing-only cluster in the remote site. It responds only to licensing requests from clients.

When a new RMS server is added to the infrastructure, it automatically becomes part of the relevant cluster based on the role service installed. However, it is recommended to use only a root cluster, because it automatically load balances both certification and licensing requests. When there are two clusters, load balancing is handled by each cluster separately, even though they are components of one system.

Web Server – AD RMS requires a web service for its operations, so it requires IIS 7.0 or later with the following role services:

Web Server (IIS)
    Web Server
        o Common HTTP Features
            Static Content
            Directory Browsing
            HTTP Errors
            HTTP Redirection
        o Performance
            Static Content Compression
        o Health and Diagnostics
            HTTP Logging
            Logging Tools
            Request Monitor
            Tracing
        o Security
            Windows Authentication
    Management Tools
        o IIS Management Console
        o IIS 6 Management Compatibility
            IIS 6 Metabase Compatibility
            IIS 6 WMI Compatibility

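Ticking these role services off one by one in Server Manager is error-prone, and a missing one only shows up when the AD RMS configuration wizard fails. The PowerShell below is an added example (not from the original post) that maps the list above to Windows Server feature names, installs whatever is missing together with the AD RMS role service, and reports anything still absent afterwards. It assumes you run it elevated on the member server that will join the cluster.

```powershell
# Added example, not from the original post. Installs the IIS role services AD RMS needs
# (the list above) plus the AD RMS role service, then verifies the result.
Import-Module ServerManager

# Windows Server feature IDs for the role services listed above.
$required = @(
    'Web-Server',            # Web Server (IIS) -> Web Server
    'Web-Static-Content',    # Common HTTP Features
    'Web-Dir-Browsing',
    'Web-Http-Errors',
    'Web-Http-Redirect',
    'Web-Stat-Compression',  # Performance
    'Web-Http-Logging',      # Health and Diagnostics
    'Web-Log-Libraries',
    'Web-Request-Monitor',
    'Web-Http-Tracing',
    'Web-Windows-Auth',      # Security
    'Web-Mgmt-Console',      # Management Tools
    'Web-Metabase',          # IIS 6 Management Compatibility
    'Web-WMI',
    'ADRMS-Server'           # AD RMS role service itself
)

function Get-MissingFeature {
    param([string[]]$Names)
    Get-WindowsFeature -Name $Names |
        Where-Object { -not $_.Installed } |
        Select-Object -ExpandProperty Name
}

$missing = @(Get-MissingFeature -Names $required)
if ($missing.Count -gt 0) {
    "Installing: $($missing -join ', ')"
    $result = Install-WindowsFeature -Name $missing -IncludeManagementTools
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'A restart is required before configuring AD RMS.'
    }
} else {
    'Nothing to install.'
}

# Re-check so a partially failed install does not go unnoticed.
$still = @(Get-MissingFeature -Names $required)
if ($still.Count -eq 0) { 'All required role services are installed.' }
else { Write-Warning "Still missing: $($still -join ', ')" }
```
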
SQL Server – AD RMS supports the Windows Internal Database (WID) and a Microsoft SQL Server database. If the AD RMS cluster is going to have multiple servers, its databases must be hosted on SQL Server. SQL Server 2005 onwards is supported. AD RMS has three databases:

Configuration Database – The configuration database holds configuration data for the AD RMS cluster, Windows user identities, and the AD RMS certificate key pair that was used to create the cluster.

Logging Database – This contains the logging data for the AD RMS deployment. By default it is installed in the same SQL Server instance that hosts the configuration database.

Directory Service Database – This database maintains cached data about users, SIDs, group memberships and related identifiers. The data is collected by the AD RMS licensing service through LDAP queries against a global catalog server. By default the cache refreshes every 12 hours.

AD RMS supports SQL Server high-availability solutions including failover clustering, database mirroring and log shipping. SQL Server AlwaysOn is NOT supported.

In the previous post I mentioned the mobile device extension, which can be used to extend AD RMS to manage corporate data on mobile devices. It does not support the Windows Internal Database (WID), so if you are going to use this feature the AD RMS databases must run on a separate SQL Server.

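Because the WID-versus-SQL-Server choice decides whether you can add cluster nodes or the mobile device extension later, it is useful to check which database server a cluster actually uses and that all three databases are present. The PowerShell below is an added example, not from the original post. It assumes the SqlServer module (Invoke-Sqlcmd) is installed, and it assumes the usual AD RMS naming convention DRMS_<Type>_<cluster FQDN with dots replaced by underscores>_<port> (for example DRMS_Config_rms_contoso_com_443); rms.contoso.com is an invented cluster name used only in that illustration. The default connection target is the WID named pipe; pass -ServerInstance to point it at a SQL Server instead.

```powershell
# Added example, not from the original post. Enumerates the AD RMS databases on the
# database server and checks that the Config, DirectoryServices and Logging databases exist.
Import-Module SqlServer

function Get-AdRmsDatabase {
    param(
        # WID named pipe on the RMS server; replace with 'sqlhost\instance' for SQL Server.
        [string]$ServerInstance = 'np:\\.\pipe\MICROSOFT##WID\tsql\query'
    )
    if ($ServerInstance -like 'np:*MICROSOFT##WID*') {
        Write-Warning 'WID in use: additional cluster servers and the mobile device extension are not supported.'
    }
    # AD RMS database names all start with DRMS_ (assumed naming convention, see lead-in).
    $query = @"
SELECT name, create_date, recovery_model_desc
FROM sys.databases
WHERE name LIKE 'DRMS[_]%'
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $query
}

function Test-AdRmsDatabaseSet {
    param([object[]]$Databases)
    # One database of each type is expected per cluster.
    foreach ($type in 'Config', 'DirectoryServices', 'Logging') {
        $hit = @($Databases | Where-Object { $_.name -like "DRMS_${type}_*" })
        [pscustomobject]@{
            Database = $type
            Present  = ($hit.Count -gt 0)
            Name     = ($hit.name -join ', ')
        }
    }
}

$dbs = @(Get-AdRmsDatabase)
$dbs | Format-Table name, create_date, recovery_model_desc -AutoSize
$check = Test-AdRmsDatabaseSet -Databases $dbs
$check | Format-Table -AutoSize
if ($check | Where-Object { -not $_.Present }) {
    Write-Warning 'One or more AD RMS databases is missing; the cluster is not healthy.'
}
```

The recovery model column is worth a glance at the same time: the logging database grows continuously, and its recovery model determines how much transaction log you must manage on a SQL Server that is also protecting the configuration database.
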
AD RMS Client – The AD RMS client is required to communicate with the AD RMS cluster and protect data. It is included in all Windows operating systems released after Windows XP. However, it still needs to be installed on Mac and mobile devices before they can use AD RMS.

Active Directory Certificate Services (AD CS) – AD RMS uses several certificates to protect communication between AD RMS components and clients. Most of these can be issued by a corporate trusted certificate authority. For example, the AD RMS cluster can be built with an SSL certificate that protects communication between the servers in the cluster and their clients. If the AD RMS service URLs must be published externally, a certificate from a public certificate authority is required. AD RMS itself also uses various Extensible Rights Markup Language (XrML)-based certificates to protect communication between components and to protect data; these are different from AD CS certificates.

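Whichever CA issues the SSL certificate, every client must trust its chain, and the certificate must cover the cluster URL that the SCP advertises. The PowerShell below is an added example (not from the original post) that opens a TLS connection to the cluster, records the chain validation result rather than silently accepting it, flags imminent expiry, and then confirms that the certification and licensing pipelines answer over HTTPS. rms.contoso.com is an assumed cluster name; the pipeline paths under _wmcs are the standard AD RMS web service locations. Run it from a domain-joined client so Windows authentication to the pipelines works.

```powershell
# Added example, not from the original post. Checks the SSL certificate on the AD RMS cluster
# URL and probes the certification and licensing pipelines over HTTPS.
$ClusterHost = 'rms.contoso.com'   # assumed cluster name; use your own

function Get-TlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Capture the chain result instead of failing the handshake, so we can report it.
        $script:chainErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:chainErrors = $errors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            ChainErrors = [string]$script:chainErrors   # 'None' when this host trusts the CA
        }
    } finally {
        $client.Close()
    }
}

function Test-AdRmsPipeline {
    param([string]$HostName)
    # Certification and licensing pipelines under the cluster URL.
    foreach ($path in '_wmcs/certification/certification.asmx', '_wmcs/licensing/license.asmx') {
        $url = "https://$HostName/$path"
        try {
            $r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
            [pscustomobject]@{ Url = $url; Status = $r.StatusCode }
        } catch {
            [pscustomobject]@{ Url = $url; Status = $_.Exception.Message }
        }
    }
}

$cert = Get-TlsCertificate -HostName $ClusterHost
$cert | Format-List
if ($cert.ChainErrors -ne 'None') { Write-Warning "Certificate chain not trusted here: $($cert.ChainErrors)" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Certificate expires within 30 days.' }
Test-AdRmsPipeline -HostName $ClusterHost | Format-Table -AutoSize
```

A chain error on an internal client usually means the corporate root CA was never pushed to that machine, while a chain error on an external client is the case the paragraph above describes: the externally published URL needs a certificate from a public CA.
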
This marks the end of this blog post. In Part 03 I will explain how AD RMS really works. If you have any questions, feel free to contact me at rebeladm@live.com, and follow me on Twitter @rebeladm to get updates about new blog posts.
