Ahmed Hussein Online

Active Directory Rights Management Services (AD RMS): Part 11 (Reminders)

 

  • DON’T use the NetBIOS name of the machine as the cluster URL.
  • DO make backups of your SLC and Publishing Certificate, located in the ‘Trust Policies’ section of your RMS Admin UI, *immediately* after provisioning. There is an Export button for the SLC and an Export link for the publishing cert. Put these in a safe place. If your RMS installation blows up and you don’t have these, you will be in a lot of trouble.
  • DO write down your private key password, and create a document with screenshots detailing the entire setup process.
  • DON’T forget to print a hard copy of this information and lock it up in a safe place. It is the ‘one piece of data’ you probably don’t want to RMS protect.
  • DO use a CNAME for your SQL server. In a disaster recovery situation, it is easier to change the single DNS record behind the CNAME to point to a backup server than to change the 6 or 7 places within RMS that need to be changed.
  • DON’T install RMS without a detailed plan, including whether or not you want to use HTTPS or HSMs. Changing these things after the fact is a big pain in the backside.
  • DO make sure that your superusers group is a Universal Distribution group. The RMS server needs to be able to expand the group with a GC query, and this is the only group type whose full membership is replicated to the GC. This really goes for any group with members in different domains that you need to use with RMS.
  • DO make a backup of your DRMS_Config_Cluster_80 database regularly. It can be used for disaster recovery.
  • DON’T forget to set an extranet URL if you plan on people using RMS outside of your environment. If you don’t set this, none of the CLCs (offline publishing certificates) issued will carry this link, and all of the users with those CLCs will be creating content with no extranet URL embedded in it. Once that happens, you can’t open that content from outside the domain (i.e. from the internet). This would be bad if you have people that need to work from home.
  • DO set the IIS permissions on the License.asmx, and the ServiceLocator.asmx in the licensing pipeline to ‘anonymous access’ only, on your Internet facing RMS machine, if you have a TUD (Trusted User Domain) with another company, or are trusting Passport RACs.
  • DON’T forget that in order for your users on the internet (or intranet users, if you aren’t registering an SCP in AD) to use RMS, you need to have them put these registry settings on their machine.
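As an added example (not from the original post), a PowerShell pre-flight script that checks three of the reminders above before you provision: the cluster URL is a FQDN rather than the machine’s NetBIOS name, the SQL server name is a CNAME, and the superusers group is Universal/Distribution. It assumes the ActiveDirectory and DnsClient modules are installed; the cluster URL, SQL name and group name are placeholder values to replace with your own.

```powershell
# Added example, not the blog author's code. Placeholder values below are assumptions.
param(
    [string]$ClusterUrl      = 'https://rms.example.com',   # placeholder cluster URL
    [string]$SqlServerName   = 'rmssql.example.com',        # placeholder CNAME for SQL
    [string]$SuperUsersGroup = 'RMSSuperUsers'              # placeholder sAMAccountName
)
Import-Module ActiveDirectory

$problems = @()

# 1. DON'T use the NetBIOS name as the cluster URL: the host part must be a FQDN
#    (contain a dot) and must not be this machine's short name.
$clusterHost = ([System.Uri]$ClusterUrl).Host
if ($clusterHost -notmatch '\.' -or $clusterHost -ieq $env:COMPUTERNAME) {
    $problems += "Cluster URL host '$clusterHost' is a NetBIOS/short name; use a FQDN."
}

# 2. DO use a CNAME for SQL: the name RMS is configured with should resolve via a CNAME,
#    so a DR failover is a single DNS change rather than several RMS config edits.
$dns = Resolve-DnsName -Name $SqlServerName -ErrorAction SilentlyContinue
if (-not ($dns | Where-Object { $_.Type -eq 'CNAME' })) {
    $problems += "SQL name '$SqlServerName' does not resolve via a CNAME."
}

# 3. DO make the superusers group Universal + Distribution so its full membership
#    is replicated to the Global Catalog and RMS can expand it with a GC query.
$group = Get-ADGroup -Identity $SuperUsersGroup -ErrorAction SilentlyContinue
if (-not $group) {
    $problems += "Group '$SuperUsersGroup' was not found in AD."
} elseif ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Distribution') {
    $problems += "Group '$SuperUsersGroup' is $($group.GroupScope)/$($group.GroupCategory); needs Universal/Distribution."
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'All pre-flight checks passed.'
}
```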
