Introduction to Active Directory Rights Management Services

Active Directory Rights Management Services (AD RMS) is an information protection technology included with Windows Server 2019 that uses encryption and policy enforcement to restrict access to documents, emails, and other sensitive content. AD RMS works by issuing licenses that specify what operations a user can perform on protected content, such as reading, printing, forwarding, or editing. Even if protected content is copied or forwarded outside the organization, the rights enforcement remains in place because the content cannot be decrypted without a valid license issued by the AD RMS cluster. This makes AD RMS an essential component in protecting intellectual property and ensuring compliance with data protection regulations.

Prerequisites

Before installing AD RMS, confirm the following requirements are met. Windows Server 2019 must be joined to an Active Directory domain. You need an account that is a member of the local Administrators group and the Domain Admins group. A dedicated service account should be created in Active Directory specifically for the AD RMS service. SQL Server is required for the AD RMS configuration database; you can use SQL Server Express for smaller deployments. A valid SSL certificate is strongly recommended for the AD RMS cluster URL because some clients require HTTPS. Ensure that Internet Information Services is not already configured with conflicting bindings on port 443.

New-ADUser -Name "svc-adrms" -SamAccountName "svc-adrms" -UserPrincipalName "[email protected]" -AccountPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) -PasswordNeverExpires $true -Enabled $true

Installing the AD RMS Role

Install the AD RMS server role using Server Manager or PowerShell. Using PowerShell with all required sub-features:

Install-WindowsFeature ADRMS, ADRMS-Server, ADRMS-Identity -IncludeManagementTools
Install-WindowsFeature Web-Server, Web-Asp-Net45, Web-Windows-Auth -IncludeManagementTools

Verify the installation completed successfully:

Get-WindowsFeature ADRMS* | Select-Object Name, InstallState

Configuring the AD RMS Cluster

After installing the role, open Server Manager, click the AD RMS flag notification, and select Perform additional configuration. The AD RMS Configuration Wizard will launch. Alternatively, open Active Directory Rights Management Services from the Tools menu and follow the configuration wizard steps.

During configuration, select Create a new AD RMS root cluster on the first server. On the configuration database page, specify the SQL Server instance. For a single-server test deployment you can use the Windows Internal Database by typing the server name followed by MICROSOFT##SSEE, though SQL Server Express is recommended for production. Set the cluster key storage to AD RMS Centrally Managed Key Storage and provide a strong cluster key password that you must record and store securely.

For the cluster address, specify the FQDN such as rms.contoso.com and choose HTTPS if you have a certificate ready. Select the service account created earlier. The wizard will complete the configuration and register the Service Connection Point (SCP) in Active Directory automatically if the account has Enterprise Admins rights.

Registering the Service Connection Point

The SCP allows AD RMS-aware clients to discover the cluster automatically. If the SCP was not registered during installation, register it manually:

Set-RmsScp -Path "CN=RMS,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com"

Verify the SCP registration in Active Directory:

Get-ADObject -Filter {objectClass -eq "serviceConnectionPoint"} -SearchBase "CN=Services,CN=Configuration,DC=contoso,DC=com" -Properties keywords | Where-Object {$_.keywords -like "*rms*"}

Creating AD RMS Rights Policy Templates

Rights policy templates define the permissions applied to protected content. Open the AD RMS management console, expand the cluster, expand Rights Policy Templates, and click Distributed Rights Policy Templates. In the right panel, click Create Distributed Rights Policy Template.

The wizard asks you to name the template and provide a description in multiple languages if needed. On the Add User Rights page, add users or groups and assign permissions. Common permission sets include View Only which grants only the right to read content, Do Not Forward for email which prevents forwarding, printing, and copying, and Confidential which restricts to a specific security group with view and print rights only.

Example permissions to set for a Confidential template include: View, Edit but not Print, not Copy, not Export, not Forward. You can also configure expiration so that licenses expire after a set number of days or on a fixed date, and set the offline access interval which determines how long cached licenses remain valid without reconnecting to the AD RMS server.

Configuring Template Distribution

Templates must be distributed to clients before users can apply them. Configure the distributed templates folder which is a network share accessible by all users:

New-Item -ItemType Directory -Path "C:RMSTemplates"
New-SmbShare -Name "RMSTemplates" -Path "C:RMSTemplates" -ReadAccess "Domain Users" -FullAccess "Domain Admins"

In the AD RMS console, right-click Distributed Rights Policy Templates and select Properties. Set the path to the templates folder as \Server01RMSTemplates. Export templates to this share:

Export-RmsTemplate -Path "C:RMSTemplates" -Force

Configure Group Policy to point Office clients to the templates folder:

# GPO path: User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center
# Set: "Specify Permission Policy File Locations" to \Server01RMSTemplates

Configuring Trusted User Domains

Trusted User Domains (TUDs) allow your AD RMS cluster to issue use licenses to users from external AD RMS deployments. This is needed for B2B scenarios where partner organizations also use AD RMS. To add a trusted user domain, export the Server Licensor Certificate from the partner organization and import it:

Import-RmsTrustedPublishingDomain -Path "C:PartnerRMS.xml" -Password (ConvertTo-SecureString "PartnerPassword" -AsPlainText -Force)

To add a Trusted Publishing Domain so users in your organization can consume content protected by a partner’s AD RMS:

Import-RmsTrustedUserDomain -Path "C:PartnerServerLicensorCert.bin"

Configuring Exclusion Policies

Exclusion policies prevent specific users, applications, or lockbox versions from obtaining use licenses. This is useful for revoking access when an employee leaves or when a vulnerable application version is detected. To exclude a user:

Add-RmsUserExclusion -UserID "[email protected]" -Permanent $true

To exclude an application such as a specific version of a custom application that should not be able to consume RMS-protected content:

Add-RmsApplicationExclusion -ApplicationID "CustomApp.exe" -VersionMinimum "1.0.0.0" -VersionMaximum "1.5.0.0"

Installing the AD RMS Client

Windows 10 and Windows Server 2019 include the AD RMS client built in. For older clients, deploy the RMS client using Group Policy software installation or SCCM. Verify the client can discover the AD RMS cluster:

nltest /dsgetsite
# Test discovery from a client
reg query HKLMSoftwareMicrosoftMSDRMServiceLocation

If the client is not discovering the cluster automatically, check that the SCP is registered and that the client’s domain account has read access to the SCP object in AD DS.

Protecting Documents with AD RMS

Users can protect documents directly from Microsoft Office applications. In Word, Excel, or PowerPoint, click File, then Info, then Protect Document, and select Restrict Access. The available templates are listed. PowerShell can also be used to protect files programmatically using the RMS SDK or the AIPService module if Azure Information Protection is in scope:

Install-Module -Name AzureInformationProtection -Force
Set-AIPFileLabel -Path "C:SensitiveReport.docx" -LabelId "Confidential"

Backing Up the AD RMS Cluster

Back up the cluster key and configuration database regularly. The cluster key is essential for recovering AD RMS after a disaster. Export the cluster key using the AD RMS console by right-clicking the cluster and selecting Back Up or Restore. Store the backup in a secure, offline location. Back up the SQL configuration database:

Backup-SqlDatabase -ServerInstance "SQL01" -Database "DRMS_Config_rms_contoso_com_443" -BackupFile "D:BackupsADRMS_Config_$(Get-Date -Format yyyyMMdd).bak"

Monitoring and Troubleshooting AD RMS

Review AD RMS logs to identify issues with license acquisition or server performance. Logs are stored in the AD RMS database and in Windows Event Viewer under Applications and Services Logs > Active Directory Rights Management Services. Check the health of the AD RMS service:

Get-Service adrmsvc | Select-Object Status, DisplayName
Test-NetConnection -ComputerName rms.contoso.com -Port 443
Invoke-WebRequest -Uri "https://rms.contoso.com/_wmcs/certification/servercertification.asmx" -UseDefaultCredentials

A successful response from the ASMX endpoint confirms the AD RMS web services are responding correctly. AD RMS on Windows Server 2019 provides robust, policy-based information protection that travels with the content, ensuring sensitive data remains protected regardless of where it resides.