By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.

For information about AD RMS, see the Active Directory Rights Management Services TechCenter page at https://go.microsoft.com/fwlink/?LinkId=80907.

In the following sections, learn more about AD RMS, the required and optional features in AD RMS, and hardware and software used for running AD RMS. At the end of this topic, learn how to open the AD RMS console and how to find more information about AD RMS.

What is Active Directory Rights Management Services?

An AD RMS system includes a Windows Server® 2008 R2-based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows® 7 and Windows Vista® operating systems. The deployment of an AD RMS system provides the following benefits to an organization:

  • Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as "confidential - read only" that can be applied directly to the information.

  • Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.

  • Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.

AD RMS provides developer tools and industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions. For creating customized AD RMS solutions, an AD RMS software development kit (SDK) is available.

Features in AD RMS

By using Server Manager, you can set up the following components of AD RMS:

  • Active Directory Rights Management Services. The Active Directory Rights Management Services (AD RMS) role service is a required role service that installs the AD RMS components used to publish and consume rights-protected content.

  • Identity Federation Support. The identity federation support role service is an optional role service that allows federated identities to consume rights-protected content by using Active Directory Federation Services.

  • Microsoft Federation Gateway Support . The Microsoft Federation Gateway is an identity service that runs over the Internet and mediates between an organization or business and the external services that the organization wants to use. The gateway connects users and other identities to the services that it works with, so that an organization only has to manage a single identity-federation relationship to enable its identities to access all Microsoft and Microsoft-based services they want to use.

Hardware and software considerations

AD RMS runs on a computer running the Windows Server 2008 R2 operating system. When the AD RMS server role is installed, the required services are installed, one of which is Internet Information Services (IIS). AD RMS also requires a database, such as Microsoft SQL Server, which can be run either on the same server as AD RMS or on a remote server, and an Active Directory Domain Services forest.

The following table describes the minimum hardware requirements and recommendations for running Windows Server 2008 R2-based servers with the AD RMS server role.

Requirement Recommendation

One Pentium 4 3 GHz processor or higher

Two Pentium 4 3 GHz processors or higher

512 MB of RAM

1024 MB of RAM

40 GB of free hard disk space

80 GB of free hard disk space

Note

A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows Server 2008 for Itanium-Based Systems.

To assist with your hardware considerations, use testing in a lab environment, data from existing hardware in a production environment, and pilot roll-outs to determine the capacity needed for your server.

The following table describes the software requirements for running Windows Server 2008 R2-based servers with the AD RMS server role. For requirements that can be met by enabling features on the operating system, installing the AD RMS server role will configure those features as appropriate, if they are not already configured.

Software Requirement

Operating system

Windows Server 2008 R2

File system

NTFS file system is recommended

Messaging

Message Queuing

Web services

Internet Information Services (IIS).

ASP.NET must be enabled.

Active Directory or Active Directory Domain Services

AD RMS must be installed in an Active Directory domain in which the domain controllers are running Windows Server 2000 with Service Pack 3 (SP3), Windows Server 2003, Windows Server® 2008, or Windows Server 2008 R2. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory.

Database server

AD RMS requires a database server, such as Microsoft SQL Server 2005 or Microsoft SQL Server 2008, and stored procedures to perform operations. The AD RMS server role on Windows Server 2008 R2 does not support Microsoft SQL Server 2000.

The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007. The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007. These applications require the Enterprise, Professional Plus, or Ultimate versions of Microsoft Office 2007 to create rights-protected content. For additional security, AD RMS can be integrated with other technologies such as smart cards.

Windows 7 and Windows Vista include the AD RMS client by default, but other client operating systems must have the RMS client installed. The RMS client with Service Pack 2 (SP2) can be downloaded from the Microsoft Download Center and works on versions of the client operating system earlier than Windows Vista and Windows Server 2008.

For more detailed information about hardware and software considerations with AD RMS, see the Pre-installation Information for Active Directory Rights Management Services topic on the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=84733).

Installing AD RMS

After you finish installing the operating system, you can use Initial Configuration Tasks or Server Manager to install server roles. To install AD RMS, in the list of tasks, click Add roles, and then click the Active Directory Rights Management Services check box.

For detailed instructions about installing and configuring AD RMS in a test environment, see the AD RMS installation Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=72134).

Managing AD RMS

Server roles are managed by using a Microsoft Management Console (MMC) snap-in. Use the Active Directory Rights Management Services console to manage AD RMS. To open the Active Directory Rights Management console, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

For more information

To learn more about AD RMS, you can view the Help on your server. To do this, open the Active Directory Rights Management Services console, and then press F1, or visit the Active Directory Rights Management Services TechCenter (https://go.microsoft.com/fwlink/?LinkId=80907).

Table Of Contents