Additional Lessons
Lesson 4


By Sai Kurada
August 18, 2023
AD-RMS stands for Active Directory Rights Management Services. It is a Microsoft technology that provides a set of services and tools for information protection and control. AD-RMS allows organizations to protect and manage digital information, ensuring that only authorized users can access, share, and modify sensitive data.

Here's a breakdown of the key components and concepts related to AD-RMS:

Rights Protection:
  • AD-RMS enables organizations to apply rights protection to various types of digital content, including documents, emails, and web pages.
  • Rights protection includes controlling who can access the content, what actions they can perform (e.g., view, edit, print, copy), and when those rights expire.

Information Protection Policies:
  • Organizations can define information protection policies that specify how content should be protected.
  • These policies can be tailored to meet specific business and security requirements.

Rights Management Server (RMS):
  • The RMS server is the core component of AD-RMS. It's responsible for enforcing rights protection policies and managing protected content.
  • The server communicates with clients and other services to ensure that content remains protected.

Rights Management Clients:
  • Various Microsoft applications and third-party software can act as RMS clients.
  • RMS clients enable users to create, consume, and interact with rights-protected content.
  • Examples of RMS-enabled applications include Microsoft Office, Outlook, and Adobe Acrobat.

Content Encryption:
  • AD-RMS uses encryption to protect content. When a user applies rights protection to a document, it's encrypted and can only be decrypted by authorized users or devices.

Publishing and Consumption Licenses:
  • AD-RMS issues publishing licenses and consumption licenses to control access to protected content.
  • The publishing license defines how the content can be used, and the consumption license is issued to authorized users, allowing them to access and use the content based on the defined rights.

Templates and Usage Policies:
  • AD-RMS provides templates and usage policies that define how content can be used.
  • Templates specify the rights (e.g., read, edit) that can be applied to content, while usage policies define who can apply these rights.

Integration with Active Directory:
  • AD-RMS integrates with Microsoft Active Directory to authenticate users and manage access control.
  • Organizations can leverage existing AD infrastructure for user management and authentication.

Logging and Auditing:
  • AD-RMS includes logging and auditing capabilities, allowing organizations to track who has accessed rights-protected content and what actions they have taken.
  • This helps with compliance and security monitoring.

Mobile Device Support:
  • AD-RMS can extend protection to content accessed from mobile devices by supporting mobile platforms and applications.

On-Premises and Cloud Deployment:
  • AD-RMS can be deployed on-premises or integrated with cloud-based solutions like Microsoft Azure Information Protection for hybrid or purely cloud-based scenarios.

External Collaboration:
  • AD-RMS supports external collaboration by allowing organizations to share rights-protected content with external users while maintaining control over access and usage.

How AD RMS clients work

  • When publishing content, AD RMS clients request and acquire new licenses for protecting content according to the usage rights and conditions that you as a publisher choose to allow for the content that you wish to protect.
  • When a document is authored and rights protection is chosen, the AD RMS client acquires a Client Licensor Certificate (CLC), which enables it to protect content. It then uses this CLC to encrypt the document, create and sign a Publishing License (PL) and then binds a copy of the PL to the encrypted content. This helps the content to be better protected from misuse even if it is shared to others within your organization or even to others outside of your organization.
  • When others receive the rights-protected content, to access and make use of it they will first need to use a rights-enabled application (such as Microsoft Office) to request and acquire an end-user license for the content. To obtain the end-user license, the AD RMS client must first determine if the recipient of the content conforms to any policies set forth in the publishing license that was used to protect the content. If the AD RMS client determines the user is eligible to access the content, the AD RMS client ensures that the user honors the conditions indicated in the end-use license, which might restrict certain actions. This ensures documents are protected as intended by authors and publishers and are only consumed by recipients according to the assigned rights policies.

How AD RMS servers work

In an AD RMS cluster, all AD RMS servers are one of two types.

Root certification servers. The first AD RMS server in an Active Directory forest assumes this role. There can only be one root certification server in each Active Directory forest.
Licensing servers. This is the role taken on by any additional or secondary AD RMS servers added to provide independent policy options to certain groups within an Active Directory forest.

AD RMS servers are implemented as a set of Web service components that run on Microsoft Internet Information Services (IIS) and work in connection with Microsoft SQL Server and Active Directory Domain Services (AD DS).

The various components that make up an AD RMS server are listed in the following table.