AD RMS Infrastructure Deployment Tips
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
Depending upon the complexity of your organization and its Active Directory deployment, deploying AD RMS can have a number of aspects to it that might require additional consideration. This topic discusses the core best practices that are common to all AD RMS deployments.
Centralize servers as much as possible
When you are setting up AD RMS within a new organization, the primary guidance to consider regarding AD RMS is that you should always try to minimize the number of AD RMS servers required. As much as possible, you should also try to centralize AD RMS servers and have them in as few locations as is necessary for your deployment.
An AD RMS infrastructure does not require a great deal of network and processor overhead to complete its day-to-day certification and licensing operations but it does need to contain and store data that must be consistently available for it to service clients properly. The more complexity in your AD RMS topology, the more complex it is to troubleshoot issues where service operations are not completing as expected.
Depending on the complexity of your organization and the scale of your Active Directory, some additional AD RMS servers might be necessary and unavoidable. This happens because as a fundamental rule of design, you must have one AD RMS root cluster for each Active Directory forest in a deployment. Therefore, if you have a need to support AD RMS in multi-forest deployment, you will need to have at least one AD RMS root cluster for each of the forests involved.
Use a single cluster if possible
If you have a single Active Directory forest for your organization, try to use only a single AD RMS cluster to support all of your deployment needs. In general, deploying fewer clusters is the better and more robust approach to use when planning and designing for AD RMS.
For example, suppose that you are seeking scalability and performance in your AD RMS deployment and have four server computers to dedicate and use to support your AD RMS deployment. In general, you will have better performance if you use all four server computers in a single root cluster that supports both certification and licensing then if you were to create two clusters, one purposed for certification and the other configured to act as a licensing-only cluster.
This happens because you can better use load balancing across a single certification cluster that is doing both licensing and certification. Therefore, a central server cluster scales better than using subordinate licensing servers because you cannot load balance a certification cluster with a licensing cluster.
It is also generally recommended that you have AD RMS licensing centralized in one cluster to improve administration. Licensing clusters are not effective to distribute load as AD RMS clients will always try to contact the licensing cluster that provided them the license originally unless reconfigured. Multiple licensing clusters also add complexity, making other administrative operations such as reporting, monitoring and troubleshooting more difficult to perform.
Use licensing-only cluster only if required
AD RMS licensing-only clusters can be useful in some circumstances for segmenting administration to the branch or department level based on the following business requirements.
When departments need to have independent licensing due to legal or regulatory concerns.
For example, in some organizations which have offices located within multiple countries, there could be legal requirements that documents encrypted and protected within one country must not be encrypted or forwarded using keys obtained from a server located or managed outside of the borders of that country. In these circumstances, a licensing-only cluster could be required to fulfill legal compliancy requirements.
When departments have poor connectivity and generate and consume content generally in an isolated manner.
In some organizations, network connectivity and content usage patterns could be decisive factors in the decision to implement a new licensing cluster. Where network connectivity is poor and 90% or more of the content that is to be published and consumed using information rights management (IRM) features occurs within the same geographic site location, deploying an additional licensing-only cluster to service local users and computers makes sense and should be considered.
Centralize licensing from multiple forests in one central cluster
When your organization has an Active Directory infrastructure that spans multiple forests, you should use a load-balanced cluster for AD RMS certification in one forest to serve publishing and licensing requests for the entire enterprise. This action simplifies administration tasks and minimizes troubleshooting work when all publication licenses come from the same source. You can then configure the licensing URLs in the different clusters so they are all the same and point to the same “central” cluster, or deploy registry keys to users in the other forests to point them to this central cluster.
Finally, you can use Trusted User Domains (TUDs) to integrate the certification clusters in the other forests with the central cluster that is doing the servicing of licensing and publishing requests. This will make the AD RMS clusters in the other forests only active for user certification and group expansion of distribution lists and ensures all the content is protected with the same keys and on the same cluster.
For more insights into how to deploy AD RMS in a multi-forest environment, see AD RMS Performance Insight from Microsoft IT's Implementation or for full details, download the technical deployment white paper, "Deploying Active Directory Rights Management Services at Microsoft" from the Microsoft Download Center.