I recently had a call regarding revocation lists. My favorite topic because I really don’t get too many calls on it, and don’t know a lot about it.
What we discovered is that revocation lists on Windows Server 2008 and 2008 R2 are actually completely unsupported. (Yes, even though there is a revocation option in the templates.)
Here is the “official” statement:
“AD RMS License revocation is not supported in Windows Server 2008 or Windows Server 2008 R2. Instead, the document lifecycle should be set in the protection policy. If there is a high probability of a need to remove access to a particular document, we recommend that the customer set the validity time to “0” in the template, or select “Require a connection to verify a user’s permission” in Office. Note that these options will require a connection to the RMS Server when opening content, which will impact offline consumption scenarios.”
OK... now that the bad news is out of the way, and we've wiped the tiny tears from our eyes, let's move on to something more productive.
How to ignore the statement above and do it anyway (of course with the warning of "Use at your own risk"). 😀
The first thing you will notice is that where RMS V1 had a Tools directory in the administration folders when you installed it, the AD RMS role doesn't have one. This is a problem because the RLSigner tool that you need to sign your revocation list lived in that directory.
Fret not, grasshopper... I dumped it out to my tools repository for your convenience.
You will also need the sn.exe (Strong Name) tool from the Windows SDK, but since that one is easy I'll let you install that.
OK. So now we have the tools we need. Let’s see if the old RLSigner tool works with the new stuff.
I wrote down all the steps (including eye-popping, amazing and completely realistic 2D screen captures) in a Word document that is supposedly attached to the bottom of this blog post.
Hope this helps, and remember...I was never here, and no-one likes a stool pigeon!