Mar 12
14
Once AD RMS is set up on the server, you need to set it up for the end users to actually use the AD RMS functionality. This is a two-step process:
1. Install/validate RMS client on client machines
2. Use RMS within Office apps (Word, Excel, PowerPoint, and Outlook)
RMS client on client machines
The AD RMS client comes installed out-of-the-box on the Microsoft end-user operating systems Vista, Windows 7, and Windows 8, as well as on the server operating systems Windows Server 2008 and Server 2008 R2. However, earlier versions of Windows (i.e. Windows XP or Windows Server 2003) require manual installation of the RMS client. [Note: the client is actually just one file, msdrm.dll (Microsoft Digital Rights Management dynamic link library), which lives in the %windir%\System32 directory.]
If you need to install the AD RMS client manually, first determine the operating system platform, the service pack installed (if any), and the architecture (32-bit or 64-bit) of the machine where you want the client installed, then visit the Microsoft AD RMS client page to download the correct AD RMS client version.
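The validation half of step 1, as an added example (not from the original post): a PowerShell function that reports whether msdrm.dll is present on a client, its file version, and whether the machine is one of the XP/2003-era systems that needs the downloadable client. The NT 6.x-or-later rule it applies is the one stated above; the function name is mine.

```powershell
# Added example: check a client machine for the AD RMS client (msdrm.dll).
# Works on PowerShell 2.0 (Windows 7 / Server 2008 R2) and later.
function Test-AdRmsClient {
    $dll = Join-Path $env:windir 'System32\msdrm.dll'
    $os  = Get-WmiObject Win32_OperatingSystem
    $cs  = Get-WmiObject Win32_ComputerSystem

    # Vista / Server 2008 and later report NT 6.x and ship the client in-box;
    # XP / Server 2003 report NT 5.x and need the client installed by hand.
    $major   = [int]($os.Version.Split('.')[0])
    $inBox   = $major -ge 6
    $present = Test-Path $dll
    $version = $null
    if ($present) { $version = (Get-Item $dll).VersionInfo.FileVersion }

    # Win32_ComputerSystem.SystemType is 'x64-based PC' on 64-bit Windows,
    # which is what decides which client download you need.
    $arch = '32-bit'
    if ($cs.SystemType -like 'x64*') { $arch = '64-bit' }

    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        OperatingSystem    = $os.Caption
        OSVersion          = $os.Version
        ServicePack        = $os.ServicePackMajorVersion
        Architecture       = $arch
        ClientInBox        = $inBox
        ClientPresent      = $present
        ClientVersion      = $version
        # Only the NT 5.x machines that still lack the DLL need the download.
        NeedsManualInstall = (-not $inBox) -and (-not $present)
    }
}

Test-AdRmsClient | Format-List
```

Run it remotely with Invoke-Command against a list of workstations to find the ones that still need the download before you roll out the Office configuration.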
RMS in Office apps on client machines
Once the proper RMS client is installed, you need to set up Office 2010 to use the RMS functionality. Microsoft has posted a helpful article called Information Rights Management in Office 2010 that covers the process pretty well. Essentially, once RMS is set up, users simply need to click File, Info, and then select the restriction settings they want. Piece of cake. See below for Word 2010 Professional.
Additionally, if you would like to add a ribbon command for Protecting documents in Word 2010, it’s a fairly elaborate process, honestly. Check it out. Some of your users will prefer this method (the ribbon command) while others will prefer the “standard” way of clicking Info from the File menu. Either way, you’ll have covered both of your bases.
These instructions work for both the Office 2010 and Office 2007 Professional versions; RMS will also work with Office 2003 Professional. For Office 2003 Professional the process is simply to click the File menu and select Permissions from the dropdown. Then, simply follow the prompts. You will be prompted for which users and/or groups are to have access, followed by a screen where you select the individual permissions to be restricted. See below. Piece of cake.
Final
After you have set up the client machines with the RMS client and you’ve set up Office 2010 to use RMS functionality, you’ll want to train the users on how to follow the process of protecting their documents, e-mails, spreadsheets, and PowerPoint presentations. At that point, you will have completed the AD RMS mission.
After I finally got AD RMS up and running, the next task was then to integrate it with SharePoint 2010. This seemed simple:
1. Go into Central Admin in SharePoint 2010 on a Web Front End (WFE) Server,
2. Click Security,
3. In the section Information Policy, click Configure information rights management,
4. Choose one of the three options:
My initial choice was the third option.
I typed in my AD RMS URL and then clicked the OK button. It failed. I double-checked the URL and it was right. What could be the problem? After careful reading of Google’s findings on the subject, I chose the second option (“use the default RMS server specified in Active Directory”)… and it failed again. After going back to Google again, I found this article about integrating SharePoint 2007 with IRM which gives the important steps of Permissions – you must enable the SharePoint 2010 WFEs to access the AD RMS server certificate. Got it. Here are the steps from the above article by David Lim, which are as relevant to SharePoint 2010 as they were to SharePoint 2007.
Now you can go back into Central Admin on a WFE, Security section, Configure information rights management, and select the 2nd option: Use the default RMS server specified in Active Directory.
It should work this time. For me it did.
Final Step: After you take these above steps, site and document library administrators are able to enable IRM on any document library to which they have the appropriate permissions.
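The permission fix described above, as an added example (not the post's own steps and not David Lim's article): a PowerShell script run on the AD RMS server that grants the SharePoint WFE computer accounts access to the server certification pipeline. It assumes that "access to the AD RMS server certificate" means NTFS Read & Execute on ServerCertification.asmx under the default AD RMS IIS path, and that the domain, WFE names and local group name below are placeholders for your own.

```powershell
# Added example: let SharePoint 2010 WFEs reach the AD RMS certification pipeline.
# Run in an elevated PowerShell session ON THE AD RMS SERVER.
# Assumed: computer account names (note the trailing $) and the default path.
$wfeAccounts = @('CONTOSO\SP-WFE01$', 'CONTOSO\SP-WFE02$')
$asmx = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'

if (-not (Test-Path $asmx)) {
    throw "Not found: $asmx (is this the AD RMS server, and is the install complete?)"
}

# Assumed: the local 'AD RMS Service Group' created by the role install also
# needs to stay on the ACL; adding it again is harmless if it is already there.
$principals = $wfeAccounts + 'AD RMS Service Group'

$acl = Get-Acl -Path $asmx
foreach ($account in $principals) {
    # Read & Execute only: the WFEs call the web service, nothing more.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $asmx -AclObject $acl

# Verify each WFE account now appears on the file's ACL.
(Get-Acl -Path $asmx).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# Restart IIS so the new ACL is picked up before retrying Central Admin.
iisreset
```

Afterwards go back to Central Admin, Security, Configure information rights management, and choose the second option as described above.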
Mar 12
12
I inherited a partial installation of AD RMS. The previous IT guy had simply installed the AD RMS and IIS roles on the box and assigned a URL for the cluster. Unfortunately, it was not the correct URL, so I needed to “remove the cluster”, which sounded like a total mess. Since AD RMS had not been in production yet (and thus no certificates had been issued and no documents protected), it made perfect sense to just delete everything and start from scratch. I looked high and low on the Internet for the information I am about to provide. I wasn’t successful in finding much help on the matter, so I’m sharing my steps with you here.
Just so you know, when you install the AD RMS server role on Windows Server 2008 R2 (which runs the AD RMS installation wizard), it reaches out and creates several things in your enterprise:
1. It creates a Service Connection Point (SCP) in Active Directory
2. It creates two databases in SQL Server (configuration and logging)
3. It integrates with IIS on the server and/or installs the IIS server role if it wasn’t installed already
If, for any reason, the installation needs to be performed again, you need to clean up all of these touch points.
First, remove the AD RMS and the IIS server roles. You also need to clean up the databases that are created in SQL Server (configuration and logging) by taking them offline and then deleting them in SQL Server Management Studio. Then, remove the SCP created by AD RMS in Active Directory (see the posting just previous to this one).
Reboot the machine.
When it comes back up, simply add the following roles, AD Rights Management Services and IIS, and follow the wizard.
Mar 12
12
Error Msg: Attempt to configure Active Directory Rights Management Server failed. The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again…
If you are receiving this error, it’s probably because of a previous installation (or failed installation) of AD RMS. When AD RMS is installed, the wizard reaches out to your Active Directory controller and creates a Service Connection Point (SCP) there. Later attempts to install will fail because they cannot overwrite the existing SCP. You’ll simply need to delete it. A poster named Sally.Mark contributed the below which worked for us:
Just wanted you to know that I was able to solve this problem, for anyone else who may someday come across it. What I did to solve it was, on the AD computer, I opened the run command and then ran ADSIedit.msc. The ADSI Edit MMC window popped up and I browsed down to Configuration, then expanded the first node, then expanded Services, and then I deleted the SCP that said CN=RightsManagementServices. I deleted the whole thing and subfolders and then I went back and reinstalled AD RMS on my server. This time it worked perfectly.
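The cleanup from the previous post (roles, databases, SCP) and the SCP deletion Sally.Mark did by hand in ADSI Edit, as one added example (not the author's or Sally.Mark's script): a PowerShell script that dry-runs by default and applies the three steps only with -Confirmed. It assumes your own SQL instance name, that the AD RMS databases carry the default DRMS_ name prefix, and that the account running it can delete from the Configuration partition.

```powershell
# Added example: undo an AD RMS install's three touch points before re-running
# the wizard. Run elevated on the AD RMS server; dry run unless -Confirmed.
param([string]$sqlInstance = 'SQL01', [switch]$Confirmed)   # SQL01 is a placeholder
$whatIf = -not $Confirmed

# 1. Remove the AD RMS and Web Server (IIS) roles (names as listed by Get-WindowsFeature).
Import-Module ServerManager
Remove-WindowsFeature -Name ADRMS, Web-Server -WhatIf:$whatIf

# 2. Take the AD RMS databases offline and drop them. The LIKE pattern escapes
#    the underscore so it matches the literal DRMS_ prefix only.
$query = "SET NOCOUNT ON; SELECT name FROM sys.databases WHERE name LIKE 'DRMS[_]%'"
$names = sqlcmd -S $sqlInstance -h -1 -W -Q $query
foreach ($db in ($names | Where-Object { $_ -match '^DRMS_' })) {
    Write-Host "Dropping database $db"
    if (-not $whatIf) {
        sqlcmd -S $sqlInstance -Q "ALTER DATABASE [$db] SET OFFLINE WITH ROLLBACK IMMEDIATE; DROP DATABASE [$db];"
    }
}

# 3. Delete the SCP container and everything beneath it: the same
#    CN=RightsManagementServices object removed above in ADSI Edit.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$scpPath  = "LDAP://CN=RightsManagementServices,CN=Services,$configNc"
if ([ADSI]::Exists($scpPath)) {
    Write-Host "Deleting $scpPath"
    if (-not $whatIf) { ([ADSI]$scpPath).DeleteTree() }
} else {
    Write-Host 'No AD RMS SCP found in Active Directory.'
}

if ($whatIf) { Write-Host 'Dry run only; re-run with -Confirmed to apply.' }
else         { Restart-Computer -Confirm }   # reboot, then add the roles again
```

Check the dry-run output against what the previous install actually created before confirming; a second AD RMS cluster in the same forest would also match the DRMS_ prefix.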
Mar 12
12
SharePoint in Depth ambitiously attempts to cover a full install of SharePoint 2010, hitting all the high notes and going deeper on occasion. The main purpose of this site is to provide a repository of “gotchas” that I encounter so that I don’t have to remember them all.
Of course, SharePoint 2010 operates on top of Windows Server 2008/R2 and along with IIS 7 and SQL Server 2005/2008. We’ll cover these too. SharePoint 2010 also cooperates really well with AD RMS (Active Directory Rights Management Services) to provide a robust security scheme for your enterprise; I’ll chronicle RMS as well along the way.
Douglas E. Spicer, MCITP