Do’s and Don’t in RMS

Jason Tyler had published a very good post Do’s and Don’t in RMS. I am merely replicating that….very useful information and should be considered  🙂

  • DO use CNAME records for your RMS cluster URL. This will allow you to load balance, and or do disaster recovery by simply changing the A record that the CNAME record points to.
  • DON'T use the NetBIOS name of the machine as the cluster URL.
  • DO make a back-ups of your SLC and Publishing Certificate located in the 'Trust Policies' section of your RMS Admin UI, *immediately* after provisioning. There is an Export button for the SLC, and an Export link for the publishing cert. Put these in a safe place. If your RMS installation blows up, and you don't have these, you will be in a lot of trouble.
  • DO write down your private key password, and create a document with screenshots detailing the entire setup process
  • DO use a CNAME for your SQL server. In a disaster recovery situation, it is easier to change the single A record of the CNAME to point to a backup server, than to change the 6 or 7 places within RMS that need to be changed.
  • DON'T install RMS without a detailed plan, including whether or not you want to use HTTPS, or HSMs.
  • DO make sure that your superusers group is a Universal Distribution group. The RMS server needs to be able to expand the group with a GC query, and this is the only group type whos full membership is replicated to the GC. This really goes for any group, with members in different domains, that you need to use RMS.
  • DON'T enable the superusers group unless you have to, and only put 2 or 3 people in this group for redundency.
  • DO make a backup of your DRMS_Config_Cluster_80 database regularly. It can be used for disaster recovery.
  • DON'T forget or lose your RMS software private key you used to provision the server. This should be in the paper that your *good* admin who followed the DO's and DON'Ts of RMS made for you before he was given the cardboard box, and walked to his car by security.
  • DO download the RMS Administration Toolkit form, and keep it handy. IRMCheck is a great tool for troubleshooting client issues.
  • DON'T put RMS on a server that is hosting multiple services. The more things you put on a server, the larger the attack surface of that machine becomes. Since this machine will be responsible for the security of your companies intellectual property, keep it clean and free of excess services.
  • DO remember that by default ServerCertification.asmx, and MobileDeviceCertification.asmx have no-one assigned to their access control lists. In order to use things like MOSS, or Mobile Devices, you need to go into the Properties of these files, and the Security tab, click the 'Advanced' button, and check the box to allow permission from parent to propogate. For MOSS integration you also need to add the MOSS$ machinename account, and the identity that the MOSS service is running as (if it is anything other than Network Service), with Read/Read & Execute rights to the ServerCertification.asmx file in c:\InetPub\wwwroot\_wmcs\Certification directory.
  • DO use strong passwords.
  • DON'T put RMS on a domain controller. You have to give the RMS_Service account admin rights on the machine to do this.
  • DON'T forget to set an extranet URL if you plan on people using RMS outside of your environment. If you don't set this, all of the CLC (offline publishing certificates) issued will not have this link, and all of the users with those CLCs will be creating content with no extranet URL embedded into them. Once that happens, you can't open that content from outside the domain (i.e. from the internet). This would be bad if you have people that need to work from home.
  • DO set the IIS permissions on the License.asmx, and the ServiceLocator.asmx in the licensing pipeline to 'anonymous access' only, on your Internet facing RMS machine, if you have a TUD (Trusted User Domain) with another company, or are trusting Passport RACs.
  • DO remember that you can read RMS protected content with any version of Office 2003 or higher (there are exceptions to this if you use the HTTP option), but you can only create content with Office 2003 Professional, and Office 2007 Professional *Plus* and above.
  • DON'T forget that in order for your users on the internet (or intranet users if you aren't registering an SCP in the AD) to use RMS you need to have them put these registry settings on their machine (changed of course to reflect your environment). Just copy and paste this into a text file, and change the extension to .reg, give it to them and tell them to double-click on it.

Windows Registry Editor Version 5.00





  • DO check the time on the RMS server and the clients to ensure that everything is right. Otherwise you will get time expiration related errors (Well, you'll get a generic error, but if you use DebugView, the actual error code will be a time synch error).


Use these tips on Do’s and Don’t to have trouble free RMS deployment.

Skip to main content