The Enterprise Admin (unpleasant) Way to Add an AD RMS Service Connection Point

The Situation:

You need to install a new AD RMS cluster in your environment because you got a nastygram from an auditor about not having your document libraries protected.  However, you have secured your environment against modern threats, which means that your Enterprise Admin cannot log into one of those dirty Tier 1 servers (good job!).  Unfortunately, there isn't a quick and easy way to register the SCP anymore unless you are an EA logged into an AD RMS server.  There was a toolkit once upon a time (RMS 1.0 SP2 Administration Toolkit, I believe) that had a nifty tool that let you register the SCP from a command line, but alas, that toolkit has gone the way of the dinosaur and cannot be found unless you delve into deep dark places on the web where no respectable Admin should be going.  One would think that this would be an easy thing to create a PowerShell module for, but I am not going to start venting here.  Anyway, I had to manually create an SCP the other day, so I thought I would do a quick and dirty writeup on how it can be done.  (Perhaps sometime in the future a nifty PowerShell module will make this post obsolete... hint, hint, PG.)

The Solution:

So...if there isn't a tool to do the job, we do it manually.  It really isn't that hard, but you would be amazed at the lack of useful information about this that exists out there.  Anyway, follow the steps below to create a nice SCP that (almost) looks exactly like the one AD RMS would create itself.

Log into a Domain Controller or Privileged Admin Workstation and launch ADSI Edit.

In ADSI Edit, right-click on ADSI Edit and click Connect to...

In the Connection Settings dialog, click the drop-down menu under Select a well known Naming Context, select Configuration, and click OK.

Double-click on Configuration and CN=Configuration...

Right-click on CN=Services and select New > Object...

In the Create Object dialog, select container and click Next.

On the next page, in the Value field, type RightsManagementServices and click Next.

Click Finish on the last page to create the CN=RightsManagementServices container.

Right-click on the new CN=RightsManagementServices container and select New > Object...

In the Create Object dialog, select serviceConnectionPoint and click Next.

On the next page, in the Value field, type SCP and click Next.

On the last page, click More Attributes.

In the Attributes dialog, click the drop-down menu next to Select a property to view and select serviceBindingInformation.

Under Attribute Values, in the field next to Edit Attribute, type the SCP URL in the form https://fqdn/_wmcs/certification (e.g., https://adrms.contoso.com/_wmcs/certification).

Click the Add button to set the value.

Click the drop-down menu next to Select a property to view and select keywords.

Under Attribute Values, in the field next to Edit Attribute, type MSRMRootCluster and click Add.

Under Attribute Values, in the field next to Edit Attribute, type 1.0 and click Add.

Click OK to close the Attributes dialog and click Finish to complete creation of the SCP.
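The same two objects the ADSI Edit steps above create, built from a DC or PAW with the ActiveDirectory PowerShell module instead. This is an added example, not code from the original post or from AD RMS itself; the $ClusterUrl parameter and the Get-ChildObject helper are assumptions of mine, and it assumes the RSAT ActiveDirectory module is installed and you run it as an Enterprise Admin.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post or from AD RMS). Creates
# CN=RightsManagementServices and CN=SCP in the Configuration NC with the
# same attributes the ADSI Edit steps set. Run as an Enterprise Admin from a
# DC or PAW, never from the AD RMS server. $ClusterUrl is an assumed parameter.
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^https://[^/]+/_wmcs/certification$')]   # enforce the HTTPS certification URL form
    [string]$ClusterUrl   # e.g. https://adrms.contoso.com/_wmcs/certification (placeholder)
)

Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$servicesDN = "CN=Services,$configNC"
$rmsDN      = "CN=RightsManagementServices,$servicesDN"
$scpDN      = "CN=SCP,$rmsDN"

# Look up a direct child by name; returns $null instead of an error when absent
function Get-ChildObject([string]$ParentDN, [string]$Name) {
    Get-ADObject -Filter "Name -eq '$Name'" -SearchBase $ParentDN -SearchScope OneLevel
}

# Step 1: the CN=RightsManagementServices container under CN=Services (skip if present)
if (-not (Get-ChildObject $servicesDN 'RightsManagementServices')) {
    New-ADObject -Name 'RightsManagementServices' -Type 'container' -Path $servicesDN
}

# Step 2: the serviceConnectionPoint itself; refuse to silently overwrite an existing one
if (Get-ChildObject $rmsDN 'SCP') {
    throw "An SCP already exists at $scpDN. Remove it deliberately before re-registering."
}
New-ADObject -Name 'SCP' -Type 'serviceConnectionPoint' -Path $rmsDN -OtherAttributes @{
    serviceBindingInformation = $ClusterUrl                  # https://fqdn/_wmcs/certification
    keywords                  = @('MSRMRootCluster', '1.0')  # both values, as in the manual steps
}

# Step 3: read the SCP back so you can verify exactly what clients will discover
Get-ADObject -Identity $scpDN -Properties serviceBindingInformation, keywords |
    Select-Object DistinguishedName, serviceBindingInformation, keywords
```

Because the script only ever touches the Configuration partition, the Enterprise Admin credential never has to be exposed on the Tier 1 AD RMS server.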


Super simple, right??? OK, yeah, that is not the most pleasant experience, but it will allow your Enterprise Admins to create the SCP on a secure system and make your AD RMS cluster stop whining about not having an SCP.  If anyone knows of an easier way to do this or automate the creation, I would love to add it here!  Ratings and comments are very welcome!  Thanks!


Kevin

Check out https://aka.ms/Kevin for more of my content!