AD RMS: System Requirements
We’ve been talking about Active Directory Rights Management Services (AD RMS) as it applies to both Server 2008 and Server 2008 R2.
In Part 1: AD RMS: Data Access Controls we learned about file access controls to data and resources by leveraging permissions via NTFS and share restrictions.
Part 2: AD RMS: Encryption covered the Encrypting File System and BitLocker functionality.
Part 3: AD RMS: Features and Operational Considerations covered some of the higher level features and operational considerations of the technology, reviewing content permission and control.
In today’s post I will be outlining the system requirements of Active Directory Rights Management Services as well as other dependencies for the service.
Like any other application, Active Directory Rights Management Services has minimum and recommended system requirements.
Server 2008 R2 and Internet Information Services (IIS) are required to install and initialize AD RMS. AD RMS also requires access to a database server, and SQL Server is identified as part of the system requirements. The database can run either on the same server as AD RMS or on a remote server.
As defined by Microsoft the “requirement” for AD RMS is:
- One (1) Pentium 4 Processor running at 3 GHz or higher
- 512 MB of RAM
- 40 GB of free hard disk space
The recommended configuration is:
- Two (2) Pentium 4 Processors running at 3 GHz or higher
- 1 GB of RAM
- 80 GB of free hard disk space
Below are the software requirements for running the Active Directory Rights Management Services role on your Server 2008 R2 based configuration:
- The file system should be NTFS, and Message Queuing needs to be enabled.
- Internet Information Services (IIS) is needed as well as ASP.NET.
- Your Server 2008 R2 system in the AD RMS role must be installed in an Active Directory domain. The domain controllers need to be running Windows Server 2000 with Service Pack 3 (SP3), Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.
- An additional requirement is that all users and groups who need to use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory.
- AD RMS also requires a database server and Microsoft’s outlined requirements recommend SQL Server 2005 or SQL Server 2008. (SQL Server 2000 is not supported).
Before AD RMS can be installed there are several additional considerations that need to be reviewed:
- The AD RMS server needs to be installed as a member server in the same domain as the user accounts that will be leveraging the service.
- You will need to create a domain user account to be used as the AD RMS service account.
- You also need to specify a user account to be used for the installation of AD RMS; this account needs to be different from the AD RMS service account, and it must have access to query the Active Directory Domain Services (AD DS) domain.
- If you are going to register the AD RMS service connection point (SCP) during installation, the user account performing the installation must be a member of the Domain Enterprise Admins group (or have at least the equivalent permissions).
- With respect to using an external database server for the AD RMS databases, the user account must have the right to create new databases. If SQL Server 2005 or SQL Server 2008 is used, the user account must be a member of the System Administrators database role, or equivalent.
A Few More Recommendations
Microsoft best practices also detail the following additional recommendations:
- The database server used to host the AD RMS databases should be installed on a separate computer.
- When installing an AD RMS cluster, secure sockets layer (SSL) certificates should be used, and they should be issued from a trusted root certification authority.
- You will need to create a DNS alias (CNAME) record for the AD RMS cluster URL and a separate CNAME record for the computer hosting the AD RMS configuration database. This is helpful in a scenario where the AD RMS servers are no longer in use or taken out of service as the CNAME record can be updated without having to publish all rights-protected files again.
- If you are using a named instance for the AD RMS configuration database, the SQL Server Browser service must be started on the database server before installing AD RMS. If the SQL Server Browser service is not started, the AD RMS installation will not be able to locate the configuration database and the installation will fail.
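The software requirements and pre-installation considerations above can be checked on the intended AD RMS server before running setup. The PowerShell below is an added example, not code from Microsoft or from this series; the account name `svc-adrms`, the database host `rms-db`, testing the system drive for free space, and a single-domain forest with the ServerManager and ActiveDirectory modules available are all assumptions.

```powershell
# Added example: pre-install checks for the AD RMS requirements listed above.
# Placeholder values below are assumptions; replace them for your environment.
$ServiceAccount = 'svc-adrms'     # hypothetical AD RMS service account
$InstallAccount = $env:USERNAME   # account that will run the installation
$DbServer       = 'rms-db'        # hypothetical remote database server
$NamedInstance  = $true           # configuration database uses a named SQL instance

Import-Module ServerManager, ActiveDirectory

function New-Check($Name, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}

$results = @(
    # Member server in a domain (Win32_ComputerSystem.DomainRole 3 = member server)
    $cs = Get-WmiObject Win32_ComputerSystem
    New-Check 'Domain member server' ($cs.DomainRole -eq 3) $cs.Domain

    # NTFS file system and the 40 GB minimum free space (system drive assumed)
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    New-Check 'NTFS with 40 GB free' ($disk.FileSystem -eq 'NTFS' -and $disk.FreeSpace -ge 40GB) `
        ("{0}, {1:N0} GB free" -f $disk.FileSystem, ($disk.FreeSpace / 1GB))

    # IIS, ASP.NET and Message Queuing must be present
    $missing = Get-WindowsFeature Web-Server, Web-Asp-Net, MSMQ-Server | Where-Object { -not $_.Installed }
    New-Check 'IIS, ASP.NET, Message Queuing' (-not $missing) (($missing | ForEach-Object { $_.Name }) -join ', ')

    # The installing account must not be the service account
    New-Check 'Install account differs from service account' ($InstallAccount -ne $ServiceAccount) `
        "$InstallAccount / $ServiceAccount"
    $svc = Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'"
    New-Check 'Service account exists in domain' $svc $svc.DistinguishedName

    # Enterprise Admins membership matters only when registering the SCP at install time
    $ea = Get-ADGroupMember 'Enterprise Admins' -Recursive | Where-Object { $_.SamAccountName -eq $InstallAccount }
    New-Check 'Install account in Enterprise Admins' $ea 'needed only to register the SCP during installation'

    # Enabled users with no mail attribute cannot acquire licenses or publish content
    $noMail = @(Get-ADUser -LDAPFilter '(&(objectCategory=person)(!(mail=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))')
    New-Check 'Enabled users all have e-mail' ($noMail.Count -eq 0) "$($noMail.Count) without mail attribute"

    # A named instance cannot be located unless SQL Server Browser is running
    if ($NamedInstance) {
        $browser = Get-Service SQLBrowser -ComputerName $DbServer -ErrorAction SilentlyContinue
        New-Check 'SQL Server Browser running' ($browser.Status -eq 'Running') $browser.Status
    }
)
$results | Format-Table Check, Pass, Detail -AutoSize
```

The Enterprise Admins check does not detect equivalent delegated permissions, and the e-mail check covers all enabled users rather than only those who will use AD RMS, so treat both as prompts for review rather than hard failures.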
And that’s as far as system recommendations and other considerations for AD RMS go.
Next time, we’ll finally get to the fun part — installing AD RMS on a Server 2008 R2 system!