Channel: Active Directory Rights Management Service(On premise) forum

If super user can change the document expire date

The document owner is able to change the document expiry date after the document has expired, but not the super user, from what I tested. Does anyone have any idea how to configure the super user with the same capability as the document owner?


Jason


AD RMS with AD FS not working

Hey all,

I'm trying to implement an ADRMS+ADFS scenario to connect two forests without any trusts, so they can share protected content.

I have forest A, with a DC server, a FS server, a RMS server and a client computer.

In forest B, I have a DC server, which doubles as the FS server, and a client computer.

The objective is to have protected content created on forest A and consumed in either forest A or forest B.

I've configured the FS servers as per Microsoft documentation, and I've configured RMS to be Federation aware.

I've protected a document in forest A, and I've sent it to the client on forest B. However, when client B tries to open it, I get asked for credentials to access the RMS link /_wmcs/licensing/servicelocator.asmx. At no point do I see anything going to either FS server. Even if I input the client B credentials, it keeps popping up.

I believe that the FS agent on the RMS server is not properly intercepting the request, and forwarding it to the FS server, but I can't quite "prove" it. I can't see anything on the local logs on the RMS server, from either the RMS services or the FS component. The FS servers are both "quiet" and don't seem to have any communication with the client during my tests.

Also, I'm not really sure about the Federation registry key to input in the client B registry. I've seen two different formats for it: urn:federation:localfsserver and https://localfsserver/adfs/ and I think I've seen https://localfsserver/adfs/ls/ somewhere as well. I'm creating the field in HKLM\Software\Microsoft\MSDRM\FederationHomeRealm.

These are all 2008 R2 servers, with AD FS 1.0. The clients are Windows 7 with Office 2010.

Could someone give me a hand with this? I don't know if something needs to be adjusted in the IIS of the RMS server, as it seems that it is demanding authentication from the "unknown" forest B client, and that's not exactly the expected behavior in this situation.

Thanks for your time!

Cheers,

Helder

AD RMS Template deployment

Hi,

I am getting the error below while running the command to schedule the task on my local PC, as described in this link:

http://technet.microsoft.com/en-us/library/cc771971(v=ws.10).aspx

command: schtasks /Change /TN “\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)” /ENABLE

ERROR :

C:\WINDOWS\system32>schtasks /Change /TN "\Microsoft\Windows\Active Directory Ri
ghts Management Services Client\AD RMS Rights Policy Template Management (Automa
ted)" /ENABLE
ERROR: Invalid argument/option - 'Directory'.
Type "SCHTASKS /CHANGE /?" for usage.

Any idea why it's happening?

Account used to install AD RMS client 2.x

AD RMS not working with Microsoft office

I have a new AD RMS 2012 setup and am facing the issue described below.

When I try to restrict a Word document I get two options:
1. Sign in with Windows Live ID
2. Use a Microsoft Windows Account


If I use the second option, I get this error when I click OK - A problem occurred while contacting the restricted permission service. Please try again later or contact your administrator for more details.
If I click Cancel in the second option, I get the error - cannot use this feature without credentials

I have a mail address assigned to me
I have admin rights on the PC
I am able to access the RMS URLs - licensing and certification
I can access RMS on the same machine using Foxit (PDFs)

I used the RMS fix utility and it shows that Office is not installed, but I upgraded my Office from Standard to Pro Plus

Can anyone guide me on this issue?

"A problem occurred while contacting the restricted permission service."

I have setup AD RMS in a test environment.  The RMS server is running Windows 2012 and the domain is a 2008.  My client PC is a Windows 7 machine with Office 2007 Pro Plus. 

When attempting to protect a document (Word or Excel, same issue), I get prompted for credentials.  I enter in my user name (which also has an email address tied to the account in AD).  It then asks me to use a Windows Live ID or use a Windows account.  I chose 'Windows account'.  I then get an error message 'A problem occurred while contacting the restricted permission service.  Please try again or contact your administrator for more details.'  I've attempted this with another test user account and get the same issues.  I've also noticed that the one test policy I've created doesn't appear in the list either, and I have gone through the steps to publish it via a GPO.

I can access the Licensing and Certification URLs from the client machine.  However, on the licensing page I get a 'HTTP Error 403.14 - Forbidden' error.  Could this be part of the issue?  The Certification page comes up just fine after I enter in my test user credentials.

Any help would be appreciated!

AD Errors

I have errors on two of my AD controllers that are all connected, I think.

Background:

3-Active directory controllers(2008, 2008, 2012)

2-GC

All servers can ping each other and all servers can Resolve DNS to the other servers.

All servers have a second DNS server as their primary DNS and then the second DNS is their own IP.

All Windows Firewalls are turned off.

I get the following errors on the first AD controller:

Event ID:1126

Additional Data
Error value:
1355 The specified domain either does not exist or could not be contacted.
Internal ID:
3200e25
 
User Action:
Make sure a global catalog is available in the forest, and is reachable from this domain controller. You may use the nltest utility to diagnose this problem.

---------------------------------------------------------------------------------------------------------------------------------------------

Second Error

Event ID:13508

The File Replication Service is having trouble enabling replication from new server to server1 for c:\windows\sysvol\domain using the DNS name new server. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name Server from this computer.
 [2] FRS is not running on 
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

________________________________________________________________________________________________

Second AD Controller Error:

Event ID 13508:

Event ID:13508

The File Replication Service is having trouble enabling replication from server1 to new server for c:\windows\sysvol\domain using the DNS name new server. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name Server from this computer.
 [2] FRS is not running on 
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

__________________________________________________________________________________________________

Server 3:

Event ID:13508

The File Replication Service is having trouble enabling replication from server2 to server1 for c:\windows\sysvol\domain using the DNS name new server. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name Server from this computer.
 [2] FRS is not running on 
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.



Any ideas on how to fix this would be greatly appreciated!!!



Sharing Protected Documents when Partners do not have an AD RMS Installation

Hello Experts,

One of our customers has a requirement for AD RMS 2012 R2 for sharing protected documents and email when partners do not have an AD RMS installation in their environment. They want to deploy a second AD forest and AD RMS infrastructure for external users. They don't want to use WLID.

In the above scenario the main drawback to an organization hosting external users is the operational cost, as account provisioning, account de-provisioning, password management and help desk services can demand significant resources.

Please help us understand whether we can automate user provisioning and de-provisioning with a self-service portal. E.g. when an external user tries to open an AD RMS protected document, it will open a self-service portal to create an account with a password for accessing the protected document or email, and once the ID is created it will open the AD RMS protected document or email.

Regards,

Nitin Dongre




Microsoft Office Not Connecting to AD RMS Server

HELP!!!!

I recently deployed AD RMS to my network and all configurations are completed.

When I try to protect a document, I select Manage credentials and select the option to Use a Microsoft Windows Account as shown below


It prompts for my credentials and the dialog box shows that it is pointing to the deployed server.

Upon entering my credentials it displays "accessing Rights Management Server" for a couple of seconds and then returns

"A problem occurred while contacting the restricted permission service. Please try again later or contact your administrator for more details..."

Please help, as this is delaying the completion of this project. Below is my server info:

I have 2 mail servers hosted On-Premise running Exchange 2010 and Exchange 2013

AD RMS SERVER

Windows Server 2012

SQL 2012

EXCHANGE SERVERS

1. Windows Server 2012 / Exchange 2013

2. Windows Server 2008 R2 SP1 / Exchange 2010 SP3


AD RMS 2008 R2 Migrating from SQL 2005 to SQL2012

Hi Everyone,

In the process of migrating our SQL DB from 2005 to 2012. What permissions will the AD RMS service account need on each of the three databases (Config, Logging, Directory Services)?  I was also looking over a TechNet article, Migrating the RMS Database (http://technet.microsoft.com/en-us/library/cc747607(v=ws.10).aspx), and when looking at the tables within my databases I do not see an entry for DRMS_ClusterPolicies.

Thank you,

ADRMS Certificate Renew

Hi,

In the previous version RMS 1.0, there was a requirement to renew the RMS DRM certificate once a year by going into RMS Global Administration page, then drill down to the cluster resources and hit the renew button. I haven't been able to find the same thing in AD RMS, I did find the WMSvc-Server certificate and that appears to expire every 10 years. Is the DRM certificate renewal still a requirement and where do I find this?

Thanks 

Force delete OU in Active Directory

I created an OU in AD 2008 R2 named CC-Computers in order to test GPO.

I completed the test and went to delete the OU from GP management, and I received the message "The server is unwilling to delete"

The OU is NOT protected from deletion.

There's no delete option in ADUC

ADSIEdit error

Powershell

Is there any way to delete this OU?

ADFS Web Agent (Claims Aware Agent) on 2012 R2 server is not available

Hi Experts

I am trying to integrate ADFS 2012 R2 with AD RMS 2012 R2

I am unable to install the ADFS Web Agent on the AD RMS 2012 R2 server because I can't find it anywhere

I need to install the claims-aware agent on the 2012 R2 RMS server to support ADFS-ADRMS integration, just like in the previous OS version (i.e. 2008 R2)

Am I missing something?

OR

It seems that web agents have been removed from ADFS?

Can anybody please guide me on how to install the claims-aware agent on a 2012 R2 AD RMS server

I am stuck here

Thanks in advance


Thanks Best Regards Mahesh

AD RMS Client for Windows Server 2012

Hi everyone,

I'm looking for an AD RMS Client (MSIPC.DLL) which can be applied to Windows Server 2012. I have tried to install Windows RMS Client Service Pack 2 but it doesn't support it. I'm getting an error that says "The required Active Directory Rights Management Service Client MSIPC.DLL is present but could not be configured properly. IRM will not work until the client is configured properly". So I think something needs to be installed on my client before connecting and using the IRM protector.

Update: I have completely installed AD RMS Client 2.0 but still get the error above.

---------------------------------------------

Information Rights Management (IRM): There was a problem while creating the generic issuance license template.
All issuance licenses for protected documents are constructed from a generic, base issuance license template.
Additional Data
Error value: 0x8004020A
---------------------------------------------

Has anyone encountered the same error? I really appreciate your help.

Regards,
-T.s


Thuan Soldier




cannot reset office 2010 from uninstalled AD RMS server

Hi;

For test purposes I installed and successfully deployed an RMS server a few months ago. (2008 R2) (Windows 7, Office 2010)

But because it doesn't work on portable devices, we decided to cancel that project.

But now the problem is that my clients' Office programs still try to connect to my old server.

I tried the article at http://social.technet.microsoft.com/wiki/contents/articles/7697.ad-rms-troubleshooting-reset-the-client.aspx

but every time I delete the DRM folder contents and other registry keys, any Office program that opens recreates the old server parameters, and Office is not able to use restricted permissions. I have already checked all my GPOs 3 times (maybe it took it from a GPO), but it is not there either.

If anyone has any idea, that would be perfect.

Thanks in advance.


AD RMS for multi tenant domain environment

Hi,

I have successfully configured AD RMS with lots of workarounds. Now I want to use a multi-tenant domain environment. I have multiple domains running in my production environment. Can anyone help me configure the RMS server to add multiple URLs for licensing and certification in the AD RMS server on Windows Server 2012? I need proper step-by-step configuration roles to activate on an immediate basis.

Any help in this regard will be highly appreciated.

Attached screenshots might help show what I want ;)

Regards,

Imran Bashir

MCSA 2008, MCITP, MCTS, MCP

JNCIA ER,EX

Brocade Certified



RMS Sharing App cannot add external domains email address

I have AD RMS 2012 R2 deployed

On client computers I have deployed RMS Sharing App

The Sharing App allows me to add my company email address; however, it refuses to add an external email address

How can I resolve this issue?

I have already enabled a federated trust with the partner organization with ADFS and I am able to send him protected documents and messages with the native RMS client; it's not working with the RMS Sharing App

Please find below screen shot

RMS Sharing App Error

Any Help would be highly appreciated

Thanks


Thanks Best Regards Mahesh

Error to export Trusted Publishing Domains

Hi, I've a problem with an AD RMS installation.

1. The digital certificate (SSL) is wrong; it is missing its private key

2. I replaced it with a new certificate (SSL) and the verification URL is OK (certification and licensing).

3. I can't change the Cluster Key Password and the Service Account Password from the AD RMS console, and I cannot export the Trusted Publishing Domain to install a new AD RMS and import the "old" Trusted Publishing Domain:


I need to know which options I have to get my AD RMS and continue to open my protected documents and email (Outlook).


Camilo L

AD RMS 2.1 - API Server is not Syncing templates from server

Hello, I couldn't find any information on this before, apologies if this is a duplicate response.

We have a server running AD RMS 2.1, it's currently set up in production mode. We have an API that runs on IIS in that box which protects documents, among other things. IIS is running using the ADRMSSVC user, our AD RMS install is running with the ADRMSAdmin user.

We have created 4 templates that we wish for the API to make use of when protecting documents, however those templates do not appear to be available to the application. In doing a SafeNativeMethods.IpcGetTemplateList call, we're only actually seeing one of them. The ADRMSAdmin user, while running powershell Get-RMSTemplates only sees the same template.

I have turned off every caching option I can find, but it appears that neither of these users "knows" about the templates that we have created through the server. I have even renamed the template which is showing up, and that name change is not being reflected through the API or powershell. If I displace the %allusersprofile%/Microsoft/MSIPC/Server/Templates directory,  I get an error through both those means that "The operation being requested was not performed because the user has not been authenticated."

The machine is running in AWS - is it possible that resizing the machine has somehow voided the Machine Certificate, and therefore the machine cannot connect to ADRMS to get the new templates?

If it helps at all, I have exported the templates to a shared directory, and all 4 XML files that we have created show up there just fine.

Any help would be much appreciated.

ADRMS Error: AD RMS setup could not validate the SQL server specified. Verify permissions and connectivity to SQL Server. Setup cannot connect to the specified database server because the server or instance name specified is invalid. The target principal

I keep getting this error when trying to connect my ADRMS server to SQL (for initial configuration).  I just connected SharePoint pretty recently and it is functioning (the SQL server seems to be working fine with SharePoint).  Any clue where to go from here (I have tried removing ADRMSADMIN and then recreating the user).  The user is a local admin on the SQL server and has dbcreator, securityadmin checked in SQL manager.  What am I missing?  Why wouldn't AD be able to verify? Error is as follows:

AD RMS setup could not validate the SQL server specified. Verify permissions and connectivity to SQL Server. Setup cannot connect to the specified database server because the server or instance name specified is invalid.
The target principal name is incorrect.  Cannot generate SSPI context.
