Windows® Rights Management Services FAQ
This is a collection of questions and answers about Microsoft® Windows Rights Management Services (RMS). If you have feedback about one of these topics or have additional questions, please send your comments to info@titus.com. If you are interested in RMS training, see our Deploying RMS Course.
RMS Server
RMS Client
Using RMS
Troubleshooting RMS
RMS Server
- What are the server-side requirements for RMS?
RMS runs on Windows Server 2003 and requires IIS, SQL Server 2000 and Active Directory. SQL Server holds the RMS configuration database (the server licensor certificate and its encrypted private key, rights policy templates, trust and exclusion policies) and the logging database that records certificate and license requests. Active Directory authenticates users and supplies the e-mail addresses and group memberships that RMS uses to identify them. IIS hosts the certification, licensing and administration web services under the _wmcs virtual directory.
- Does RMS require a mail server?
No. RMS does not need a mail server, but it identifies users by e-mail address: every user who will protect or consume content MUST have a value in the “E-mail” (mail) attribute of their Active Directory account. If content will be protected for Active Directory groups, each of those groups must also have an e-mail address (that is, it must be a mail-enabled group).
- Can I use any LDAP Directory?
No. RMS supports only Active Directory as its directory service.
- Can I use Active Directory Application Mode (ADAM)?
No. RMS requires a full Active Directory forest; an ADAM instance cannot be used in its place.
- Does RMS require any Active Directory schema changes?
No, unless you have multiple forests and want cross-forest group expansion. In that case the msExchOriginatingForest attribute (an Exchange schema attribute) must be present on the group and must contain the FQDN of the domain and forest in which the group account resides.
- How does Revocation work?
Revocation lists allow any entity in the RMS infrastructure to be revoked: a piece of protected content, a principal (user or machine), a license, an RMS-enabled application or a certificate.
Revocation only takes effect for content protected with a Rights Policy Template that includes a revocation condition: the URL of the revocation list, the public key that must have signed it, and how often the client must fetch a fresh copy. When a client attempts to open such content, it checks its cached copy of the revocation list or, if the cached copy is older than the refresh interval, downloads a new list and caches it. If any entity involved in the current operation appears on the list, the RMS-enabled application refuses to bind the use license to the content, so the content cannot be consumed. Note that once the refresh interval has expired, the content stays unavailable until a fresh list can actually be downloaded, so the list must remain reachable for as long as the content should be usable.
RMS Client
- Do clients require Internet connectivity for machine activation?
If there is no RMS infrastructure in the organization, yes: the client machine must reach Microsoft's activation service over the Internet to activate and receive a lockbox. If an RMS infrastructure is in place, the client sends its activation request to the local RMS server, which proxies it to Microsoft's activation service, so the client itself needs connectivity only to the RMS server. (Clients running the RMS client with SP1 or later generate the lockbox locally and do not contact Microsoft at all.)
- What do I need on the client side in order to consume or protect RMS-protected content?
At a minimum the RMS client software must be installed, whether the user is protecting or consuming content. To protect content such as Office 2003 Word, Excel or PowerPoint documents, Office 2003 Professional (or another RMS-enabled application) is required. To consume Office 2003 RMS-protected content, a recipient without Office 2003 can use the Rights Management Add-on for Internet Explorer (RMA), which renders the content inside IE. In every case the machine needs a valid lockbox (obtained through machine activation) and the user needs a Rights Management Account Certificate (RAC) issued by the RMS certification server.
- How do I define a location for Rights Policy Templates?
A registry value in the HKEY_CURRENT_USER hive on each user's machine tells Office 2003 applications where to look for Rights Policy Templates:
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\DRM]
"AdminTemplatePath"="\\Location\of\templates\"
The path is a folder (typically a file share) containing the template .xml files exported from the RMS administration site. The folder must be readable by the user at the moment the application builds its template list; an unreachable or empty folder simply produces an empty list in the application.
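The following PowerShell script is an added example, not part of the original FAQ or of any Microsoft tooling. It sets AdminTemplatePath for the current user, but first checks that the template location is reachable in that user's security context and that it actually contains template files, which is where most "templates don't show up" reports originate. The share name \\rms-fs\RMSTemplates is a placeholder.

```powershell
# Added example (not from the original FAQ). Points Office 2003 at a Rights
# Policy Template folder for the current user and verifies the folder first.
# Assumption: \\rms-fs\RMSTemplates is a placeholder share; templates are the
# .xml files exported from the RMS administration site.
param(
    [string]$TemplatePath = '\\rms-fs\RMSTemplates'   # placeholder, change this
)

$regKey  = 'HKCU:\Software\Microsoft\Office\11.0\Common\DRM'
$regName = 'AdminTemplatePath'

# 1. The path must be readable in the user's own security context, because
#    Office reads the templates at run time, not at install time.
if (-not (Test-Path -Path $TemplatePath -PathType Container)) {
    throw "Template location '$TemplatePath' is not reachable as $env:USERDOMAIN\$env:USERNAME."
}

# 2. An empty folder "works" but leaves the user with an empty template list.
$templates = @(Get-ChildItem -Path $TemplatePath -Filter '*.xml' |
               Where-Object { -not $_.PSIsContainer })
if ($templates.Count -eq 0) {
    Write-Warning "No .xml templates found in '$TemplatePath'."
}

# 3. The DRM key may not exist yet on a machine where no RMS-enabled Office
#    application has run, so create it if needed.
if (-not (Test-Path -Path $regKey)) {
    New-Item -Path $regKey -Force | Out-Null
}

# 4. Write the value as a plain REG_SZ string. (The Office Resource Kit ADM
#    may write an expandable string instead; either form holds a UNC path.)
New-ItemProperty -Path $regKey -Name $regName -Value $TemplatePath `
    -PropertyType String -Force | Out-Null

# 5. Read the value back so the run leaves a visible record.
$applied = (Get-ItemProperty -Path $regKey -Name $regName).$regName
"{0} = {1}  ({2} template file(s) visible)" -f $regName, $applied, $templates.Count
```

Run it in the user's own session (for example as a logon script), not from an administrator's session: both the HKCU hive and the share permissions being tested belong to the user who will open the templates.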
- Can I use GPOs to distribute the RMS Client?
Yes. The RMS client MSI, Office 2003 and the IE add-on can all be deployed throughout your organization with Group Policy software installation. Using the Office 2003 ADM template from the Office Resource Kit, a GPO can also set the Rights Policy Template location (the AdminTemplatePath value described above) and several other IRM options.
Using RMS
- How do I protect content for users outside of my enterprise?
There are three ways to protect content for users outside of your organization:
1. Establish a Trusted User Domain by importing the other organization's server licensor certificate (or Microsoft's Passport RM certification service as a trusted domain). Your licensing server will then issue use licenses to users whose RACs were issued by that domain.
2. Establish a Trusted Publishing Domain. Two or more organizations that want to interoperate import each other's server licensor certificate together with its private key, so that, for example, one organization's RMS server can issue use licenses for content that was protected by the other organization's server.
3. Place an RMS licensing server in the DMZ and grant it the Active Directory and IIS access it needs. Be aware of the security implications: that server is reachable from the Internet and must be able to query Active Directory to authenticate users and expand groups, so it should be a dedicated licensing-only server with the narrowest AD, database and network access that licensing requires.
- How do I use Rights Policy Templates?
Rights Policy Templates are applied by the RMS-enabled application, so they must first be defined (on the RMS administration site) and distributed to the clients. For example, a template may grant read access but deny the right to print. In the application the user picks the template from the list of available templates. When a recipient later opens the content, the licensing server applies the current version of that template, so changing a template on the server changes the rights on content that was already protected with it.
- How do I assign rights in Outlook 2003?
When composing a message in Outlook 2003, click the “Permission” button on the toolbar. This applies the Do Not Forward policy: recipients can read the message but cannot forward, print or copy its content. If more granular control is required, such as an expiration date on the message, the sender must apply a pre-defined Rights Policy Template that carries that setting.
- If a document is RMS-protected by someone who leaves the organization, how can the organization access that content?
RMS lets you designate an Active Directory group as the “Super Users” group (like any group used with RMS, it must have an e-mail address). A member of that group can obtain an owner use license for any content protected by your RMS installation and can then change or even remove the assigned rights. Because this bypasses every rights restriction, keep the group empty until it is needed and audit its membership.
- I protected a document for “Anyone”. Does this really mean that anyone can consume the document?
“Anyone” (or “Everyone”, when using Rights Policy Templates) really means “anyone who holds a RAC that your licensing server trusts”. If the recipient presents a RAC that the licensing server can verify (issued by your own certification server or by a Trusted User Domain), a use license is issued with the rights that were specified at protection time. Anyone without such a RAC cannot open the content.
- When using RMS with Outlook 2003, are my mail attachments RMS-protected?
Yes, the attachments are encrypted with the same symmetric content key as the message body. Office 2003 attachments (Word, Excel and PowerPoint files) also inherit the message's permissions. Other file types carry no rights of their own: they are protected only while inside the message, so once a recipient saves such an attachment out of the message it is an ordinary, unprotected file.
- How do my users know where the RMS server is located?
Clients look for the RMS Service Connection Point (SCP) in Active Directory. Provisioning the root certification server registers this object in the forest's configuration partition, at CN=SCP,CN=RightsManagementServices,CN=Services,CN=Configuration,<forest root DN>; its serviceBindingInformation attribute holds the URL of the certification service. If the SCP does not exist, client applications are not aware of the organization's RMS infrastructure and will prompt the user to enroll in the Microsoft Passport-based trial service instead.
Troubleshooting RMS
- Does the RMS client work in VMware, Virtual PC, Virtual Server et cetera?
No. Windows RMS is deliberately designed not to run on virtualized hardware, so that debugging tools attached to the virtual machine cannot be used to watch the lockbox perform encryption and decryption. Treat this as a hardening measure rather than a guarantee; in practice it also means RMS-enabled applications cannot be tested inside a virtual machine.
- I replaced my RMS server and now it won't provision. Why?
Most likely the Service Connection Point was not removed from Active Directory when the previous RMS deployment was uninstalled, and provisioning will not register a second one. Delete the stale SCP (CN=SCP,CN=RightsManagementServices,CN=Services,CN=Configuration,<forest root DN>) with ADSIEdit, or with the ADScpRegister tool from the RMS Administration Toolkit 1.0, and then try provisioning again. Deleting the SCP requires Enterprise Admin (or equivalently delegated) rights on the configuration partition.
- I opted to “Trust Passport RACs”. Why can't I consume RMS content from Passport users?
Adding the Microsoft RM Certification Service (Passport) as a Trusted User Domain lets Passport users obtain use licenses from your RMS infrastructure, that is, consume content that your users protect. The trust is one-way: RACs issued by your certification server are not trusted by Microsoft's service, and Passport users can protect content only for other Passport users, so content protected by a Passport user cannot be consumed with a RAC from your organization.
- Why can't I enroll my user?
A user can enroll with the RMS certification service and obtain a RAC only after the machine has been activated. If IRMcheck.exe reports that the machine is not yet activated, fix that first; otherwise you will be diagnosing the wrong problem. Once the machine is activated, the usual causes are on the user side. Does the user's Active Directory account have an e-mail address? Is the RMS server in the Local intranet sites list in Internet Explorer, so that the client authenticates to the certification service with the user's Windows credentials instead of being challenged? Run IRMcheck.exe from the RMS Administration Toolkit 1.0 and examine its output.
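The script below is an added example, not part of the original FAQ or of the RMS Administration Toolkit. It combines the checks from the last three answers: it locates the RMS Service Connection Point in the configuration partition (and, with -RemoveScp, deletes a stale one as described under the replaced-server question), confirms that the user has a mail attribute, and checks whether the RMS server's host name is assigned to IE's Local intranet zone for the current user. Run it as the affected user on the domain-joined client. The layout of IE's ZoneMap keys assumed here is the per-user one that IE writes when a site is added through the Internet Options dialog; zone assignments pushed by Group Policy live under different keys and are not inspected.

```powershell
# Added example (not from the original FAQ or the RMS Administration Toolkit).
# Pre-flight checks for a user who cannot obtain a RAC: the RMS Service
# Connection Point in AD, the user's mail attribute, and IE's zone for the
# RMS server. -RemoveScp is only for the "replaced server" case; it requires
# rights on the Configuration partition and is off by default.
param(
    [string]$SamAccountName = $env:USERNAME,
    [switch]$RemoveScp
)
$ok = $true

# --- 1. Service Connection Point -----------------------------------------
# RMS registers its SCP under the forest's Configuration partition.
$rootDse = [ADSI]'LDAP://RootDSE'
$cfgNc   = $rootDse.configurationNamingContext.Value
$scpPath = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$cfgNc"
$rmsUrl  = $null

if ([System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
    $scp    = [ADSI]$scpPath
    $rmsUrl = @($scp.serviceBindingInformation)[0]
    "SCP present: $rmsUrl"
    if ($RemoveScp) {
        # Same effect as deleting the object in ADSIEdit; do this only when the
        # server named in the URL really has been decommissioned.
        $scp.psbase.DeleteTree()
        "SCP deleted; re-run provisioning on the new server."
        return
    }
} else {
    Write-Warning "No RMS SCP found under $cfgNc - clients will fall back to the Passport trial prompt."
    $ok = $false
}

# --- 2. The user must have an e-mail address in AD ------------------------
# RMS identifies the user by the mail attribute; without it no RAC is issued.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$null = $searcher.PropertiesToLoad.Add('mail')
$user = $searcher.FindOne()
if ($null -eq $user) {
    Write-Warning "User '$SamAccountName' not found in AD."
    $ok = $false
} elseif (-not $user.Properties.Contains('mail') -or $user.Properties['mail'].Count -eq 0) {
    Write-Warning "User '$SamAccountName' has no mail attribute; RAC enrollment will fail."
    $ok = $false
} else {
    "mail attribute: $($user.Properties['mail'][0])"
}

# --- 3. The RMS server should be in IE's Local intranet zone --------------
# IE sends Windows credentials automatically only to Local intranet sites.
# Per-user assignments live under ZoneMap\Domains\<domain>\<host>, in a value
# named after the scheme: 1 = Local intranet, 2 = Trusted sites.
if ($rmsUrl) {
    $rmsHost = ([Uri]$rmsUrl).Host
    if ($rmsHost -notmatch '\.') {
        "RMS host '$rmsHost' has no dots; IE treats it as Local intranet by default."
    } else {
        # Assumption: host 'rms.contoso.com' is stored as Domains\contoso.com\rms.
        $labels  = $rmsHost.Split('.')
        $domain  = ($labels[1..($labels.Length - 1)]) -join '.'
        $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
        # An entry for the exact host or a wildcard entry for the whole domain both count.
        $zone = (Get-ItemProperty -Path "$zoneMap\$domain\$($labels[0])" -ErrorAction SilentlyContinue).http
        if ($null -eq $zone) {
            $zone = (Get-ItemProperty -Path "$zoneMap\$domain" -ErrorAction SilentlyContinue).http
        }
        if ($zone -eq 1) {
            "IE zone for $rmsHost : Local intranet."
        } else {
            Write-Warning "$rmsHost is not in this user's Local intranet zone (value: $zone); add it or the client will not authenticate."
            $ok = $false
        }
    }
}
"Result: " + $(if ($ok) { 'no obvious enrollment blockers' } else { 'fix the warnings above, then re-run IRMcheck.exe' })
```

The SCP lookup binds to the same object the RMS client reads, so a warning from step 1 means every client in the forest is affected, not just this user; steps 2 and 3 are per-user and per-machine respectively.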
- Why can't I provision my Subordinate License Server?
Before enrolling a Subordinate License Server, NTFS permissions must be added to the _wmcs\Certification\SubEnrollService.asmx file on the root certification server. By default only the Local System account has access to that file. Grant Read and Execute permission to the RMS Service Group and to the user account that performs the provisioning of the Subordinate License Server. Grant nothing beyond Read and Execute, and remove the provisioning user's entry once enrollment has completed.
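The following PowerShell script is an added example, not part of the original FAQ. It grants exactly the permission the answer calls for, Read & Execute on SubEnrollService.asmx, to the RMS Service Group and to the provisioning account, and then prints the resulting explicit entries so the change can be reviewed. The physical path is resolved from the IIS 6 metabase entry for the _wmcs virtual directory of the Default Web Site (site id 1), which is an assumption about your installation; pass -AsmxPath to override it. CONTOSO\rmsprov is a placeholder account name.

```powershell
# Added example (not from the original FAQ). Grants Read & Execute on
# SubEnrollService.asmx to the RMS Service Group and to the provisioning
# account on the root certification server, then lists the explicit ACEs.
# Assumptions: the file path is read from the IIS 6 metabase entry
# IIS://localhost/W3SVC/1/Root/_wmcs (Default Web Site); CONTOSO\rmsprov is
# a placeholder for whoever runs subordinate provisioning.
param(
    [string]$ProvisioningUser = 'CONTOSO\rmsprov',   # placeholder
    [string]$AsmxPath
)

if (-not $AsmxPath) {
    # IIsWebVirtualDir.Path holds the physical directory behind /_wmcs.
    $vdir     = [ADSI]'IIS://localhost/W3SVC/1/Root/_wmcs'
    $AsmxPath = Join-Path ([string]$vdir.Path) 'Certification\SubEnrollService.asmx'
}
if (-not (Test-Path -Path $AsmxPath)) { throw "File not found: $AsmxPath" }

# 'RMS Service Group' is the local group RMS creates on the server when it is
# provisioned. The provisioning user is needed only until the subordinate
# server has enrolled; remove that entry afterwards.
$grantees = @("$env:COMPUTERNAME\RMS Service Group", $ProvisioningUser)

$acl = Get-Acl -Path $AsmxPath
foreach ($grantee in $grantees) {
    # ReadAndExecute is the minimum the ASMX handler needs. Do not grant
    # Modify: this service is what enrolls subordinate servers into the cluster.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $grantee, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $AsmxPath -AclObject $acl

# Show the resulting explicit (non-inherited) entries so the change can be audited.
(Get-Acl -Path $AsmxPath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it elevated on the root certification server. After the subordinate server has enrolled, rerun the last pipeline and remove the provisioning user's entry with RemoveAccessRule and a second Set-Acl, leaving only Local System and the RMS Service Group on the file.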
- Where can I go for help with RMS?
Further information is available on Microsoft's RMS web page at http://www.microsoft.com/rms. Microsoft's public news server, msnews.microsoft.com, also hosts a very helpful newsgroup, microsoft.public.rights_mgmt_svcs.