Windows Server 2012 AD RMS with SharePoint IRM a Step by Step Guide

I have included below for your review and use a copy of a document that I recently created for a 3 Server DEV environment for SharePoint IRM

Create Service Accounts

Account Name

User Logon Name







Enterprise Admins

Server Names Operating System and Role / Applications

Server Names


Roles  / Applications


Windows Server 2012



Windows Server 2012

SQL Server 2012


Windows Server 2012

SharePoint 2010

AD RMS Installation

1. Log on to Domain Controller DSI-DC1 as administrator.

2. Click on Desktop then click Server Manager then click Manage and Add Role and Features

3. Read the Before You Begin section, and then click Next.

Add Role AD RMS

On the Select Server Roles page, select the Active Directory Rights Management Services check box.


Add Required Features

The Add Required Features page appears informing you of the AD RMS required role services and features. Click Next.


Select Additional Features

The Add Additional Features page appears, Click Next


Active Directory Rights Management Services Introduction

Read the AD RMS introduction page, and then click Next.


Select Role Services

On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and then click Next.


Web Server Role (IIS)

Read the Web Server Role (IIS) introduction page, and then click Next.


Select Role Services

On the Select Role Services page, verify that the Web Server Services, and then click Next.


Confirm Installation Selections

Confirm the AD RMS Installation selections, and then click Next.


Installation Progress


Active Directory Rights Management Configuration


Create a new AD RMS Cluster

Click the Create a new AD RMS root cluster option, and then click Next.


Select Configuration Database Server

Click the Specify a database server and a instance option type DSI-SQL , and choose Default Instance, then Click Next. If you have any issues connecting to the instance you may have to enable the SQL Brower. This is especially the case if you are configuring AD RMS on Windows Server 2012 that has the AD DS Role.


Specify Service Account Requires Domain Admin User Rights

Click Specify, type DIMENSION-SI\ADRMSSVC, click Next.


Specify Cryptographic Mode


Specify Key Storage Mode

Ensure that the Use AD RMS centrally managed key storage option is selected, and then click Next.


Specify Cluster Key Password

Type a strong password in the Password box and in the Confirm password box, and then click Next.


Specify The AD RMS Web Site

Choose the Web site where AD RMS will be installed, and then click Next. In an installation that uses default settings, the only available Web site should be DEFAULT Web Site.


Specify Cluster FQDN

Click Connection Type Use an SSL-encrypted connection (https://). In the Fully-Qualified Domain Name box, type, and then click Next


Choose SSL Certificate

Click the Create a self-signed certificate for SSL encryption option, and then click Next.


Name the Server Licensor Certificate

Type a name that will help you identify DSI-DC1-ADRMS in the Friendly name box, and then click Next.


Register Service Connection Point

Ensure that the Register the AD RMS service connection point now option is selected, and then click Next to register the AD RMS service connection point (SCP) in Active Directory during installation.


Confirm Installation Selections

Click Install to provision AD RMS on the computer. It can take up to 60 minutes to complete the installation and Click Close.


Confirm Installation Results


Sign Out

Log off the server, and then log on again to update the security token of the logged-on user account. The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators local group. A user must be a member of that group to administer AD RMS


By default, the AD RMS cluster server certification pipeline ACL is configured to allow only the local System account. You must add the permissions in order for Office SharePoint Server 2010 to integrate with AD RMS.

Add DSI-SP2010 to the AD RMS Certification Pipeline

1. Log on to DSI-DC1 as DIMENSION-SI\Administrator.

2. Click Start, and then click Computer.

3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.

4. Right-click ServerCertification.asmx, click Properties, and then click the Security tab.

5. Click Advanced, click Enable Inheritance, select the Include inheritable permissions from this object’s parent check box, and then click OK two times.

6. Click Edit, and then click Add.

7. Click Object Types, select the Computers check box, and then click OK.

8. Type DSI-SP2010, and then click OK.

9. Click OK to close the ServerCertification.asmx Properties sheet.

By default the Read & execute and the Read permissions are configured for the DSI-DC1 computer account object and all other accounts inherited from the parent folder.

10. Click Start, and then click Command Prompt.

11. Type iisreset, and then press ENTER.

Once the AD RMS cluster certification pipeline is inheriting and you have added DSI-SP2010, you must configure Office SharePoint Server 2010 to use the AD RMS cluster:

SharePoint 2010 Information Rights Management Configuration Guidance

Before using IRM, you must have a Windows Rights Management Services (RMS) server to connect to. In addition, you must have installed the Windows Rights Management Services Client Service Pack 2 on every front-end Web server in the farm running SharePoint Server 2010.

SharePoint IRM Configuration Step by Step

1. On the SharePoint Central Administration Web site, in the Quick Launch, click Security.

2. On the Security page, in the Information Policy section, click Configure information rights management.

Central Administration > Security > Information Rights Management

Use the default RMS server specified in Active Directory Select this option if your organization has specified an RMS server in Active Directory Domain Services (AD DS) and Click OK




Event Log Errors and Reference

If you are unable to open a document from an IRM protected library you may receive two similar events

Event ID 5085 (Windows SharePoint Services health model)



Event ID 5065 (Windows SharePoint Services health model)



As the event states the most likely event is the User email Address has not been configured. However, the documentation has not been updated to support SharePoint 2010. The SharePoint 2010 Architecture has change and you now must ensure that the User Profile Service has synced.

If users attempt to open IRM Protected documents prior to the sync, they will NOT open and you will receive the two errors 5065, 5085 listed above  in the event log. Unfortunately, the two references I list above do not allow for comment or I would have added the comment to the technet library





4 Responses to “Windows Server 2012 AD RMS with SharePoint IRM a Step by Step Guide”

  1.   Caes
    November 13th, 2014 | 10:18 am       Reply


    First of all, thanks for your great tutorial.

    I had had the following error when I tried to connect Sharepoint to ADRMS.

    “Trying to connect SharePoint to your AD RMS server gives you this message “The required Windows Rights Management client is present but could not be configured properly”

    I googled it but none of the solutions proposed worked for me. I was thinking it was a Access Rights problem.

    But no… In fact, it was due to the usage of a RSA 2048 key. The solution was to install the KB2627273 ( on the Sharepoint Server WFE.

    After that, everything works perfectly.

    Hope this will help someone else 😉


  2.   mshoubaki
    February 9th, 2015 | 11:42 am       Reply

    thanks for the post.
    can I enable the RMS server role on a server having Sharepoint Server 2013 already installed?
    can I enable the RMS server role on a server having SQL Server already installed?

    •   ivansanders
      March 11th, 2015 | 7:37 pm       Reply


      but I have never done so. We always provision two separate VMs on two separate Hosts so IRM / AD-RMS is HA



  3.   Michael
    March 3rd, 2015 | 12:30 pm       Reply

    In my case it was not the KB2627273 but upgrading SP2013 from SP1 to Feb2015 updates (KB2920801) helped.
    But probably the same root cause (2048 bit RSA).

Leave a Reply