Relocating the AD RMS database - The simple but complete guide
Before you start
As a disaster recovery step, export your Enterprise Trusted Publishing Domain (TPD) first; the exported TPD can serve as a minimal disaster recovery backup if the move goes wrong. For information on exporting the TPD, see AD RMS How To: Export TUD and TPD keys.
If you are not sure what the Cluster Key Password is, set it to something known before you start. See AD RMS How To: Change the Cluster Key Password for steps on resetting the Cluster Key Password.
Moving the database
- Back up the existing AD RMS databases (DRMS_Config, DRMS_DirectoryServices and DRMS_Logging).
- Restore the AD RMS databases to the new desired SQL Server/instance.
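The two steps above, as an added PowerShell example that is not part of the original article. It takes copy-only, checksummed backups of the three AD RMS databases on the old instance and restores them on the new one, then lists the three DRMS_ClusterPolicies rows that the next section edits. The server names, the UNC share, and the assumption that data and log file paths are the same on both instances are all assumptions of this example; the SqlServer PowerShell module must be installed, and the backups should be taken while the cluster is not taking writes (for example with the AD RMS web site stopped in IIS on every node).

```powershell
<#
Added example, not from the original article: copy-only backup of the three
AD RMS databases on the old instance and restore on the new one.
Assumptions: the SqlServer module is installed; $Share is a UNC path readable
by the new instance's service account; data and log file paths are identical on
both instances (otherwise add -RelocateFile to Restore-SqlDatabase). The server
names below are hypothetical and follow the article's SQL01/SQL02 examples.
#>
param(
    [string] $OldSql = 'SQL01\IPC',                  # hypothetical old server\instance
    [string] $NewSql = 'SQL02\ADRMS',                # hypothetical new server\instance
    [string] $Share  = '\\fileserver\adrms-move'     # hypothetical UNC share for the .bak files
)
$ErrorActionPreference = 'Stop'
Import-Module SqlServer

$databases = 'DRMS_Config', 'DRMS_DirectoryServices', 'DRMS_Logging'

foreach ($db in $databases) {
    $bak = Join-Path $Share "$db.bak"
    # -CopyOnly keeps the existing backup chain on the old instance intact;
    # -Checksum makes a corrupt backup fail at restore time rather than at first use.
    Backup-SqlDatabase -ServerInstance $OldSql -Database $db -BackupFile $bak -CopyOnly -Checksum
    Write-Host "Backed up $db to $bak"

    # -ReplaceDatabase overwrites a database of the same name on the new instance
    # (for example one left over from an earlier trial restore).
    Restore-SqlDatabase -ServerInstance $NewSql -Database $db -BackupFile $bak -ReplaceDatabase
    Write-Host "Restored $db on $NewSql"
}

# Sanity check on the new instance: the three policies that must be edited next
# are present and, at this point, still carry the old server name.
$query = @"
SELECT PolicyName, PolicyData
FROM dbo.DRMS_ClusterPolicies
WHERE PolicyName IN ('LoggingDatabaseServer',
                     'CertificationUserKeyStorageConnectionString',
                     'DirectoryServicesCacheDatabase')
"@
Invoke-Sqlcmd -ServerInstance $NewSql -Database 'DRMS_Config' -Query $query | Format-Table -AutoSize
```

The .bak files contain the cluster's protected key material and user key store, so keep the share restricted to the SQL Server service accounts and the administrator doing the move, and delete the files once the new instance has been verified.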
Modify the newly restored database settings
Three records need to be updated to reflect the new SQL Server location. They are in the DRMS_ClusterPolicies table of the DRMS_Config database. Use SQL Server Management Studio (SSMS) to update these settings.
Database: DRMS_Config
Table: DRMS_ClusterPolicies
PolicyName entries whose PolicyData value must be updated to the new SQL Server name/instance (keep the rest of each value exactly as it is; only the server/instance, and the port if one is used, should change):
- LoggingDatabaseServer
- CertificationUserKeyStorageConnectionString
- DirectoryServicesCacheDatabase
Sample SQL Script
/*
THIS TOOL AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
*/
USE [DRMS_Config];
GO
-- Inspect the current values first and copy their format exactly: only the
-- server\instance (and port, if any) should change in the new PolicyData.
SELECT PolicyName, PolicyData
FROM [dbo].[DRMS_ClusterPolicies]
WHERE PolicyName IN ('CertificationUserKeyStorageConnectionString',
                     'DirectoryServicesCacheDatabase',
                     'LoggingDatabaseServer');
GO
UPDATE [dbo].[DRMS_ClusterPolicies]
SET PolicyData = '' -- your new string with updated information goes between the ' '
WHERE PolicyName = 'CertificationUserKeyStorageConnectionString';
UPDATE [dbo].[DRMS_ClusterPolicies]
SET PolicyData = '' -- your new string with updated information goes between the ' '
WHERE PolicyName = 'DirectoryServicesCacheDatabase';
UPDATE [dbo].[DRMS_ClusterPolicies]
SET PolicyData = '' -- your new string with updated information goes between the ' '
WHERE PolicyName = 'LoggingDatabaseServer';
GO
-- Each UPDATE should report (1 row affected); re-run the SELECT above to confirm.
AD RMS Server Registry Updates
On each AD RMS server in the cluster the following registry entries must be updated to reflect the new SQL Server name/instance. The ConnectionStringConfigDatabaseConnectionString value needs to be updated to the new SQL Server name/instance.
- HKLM\Software\Microsoft\DRMS\ConnectionStringConfigDatabaseConnectionString
- HKLM\Software\Microsoft\DRMS\KeyProtection
For a cluster that uses software-based key protection (the cluster key protected by the Cluster Key Password rather than stored in an HSM), the protected cluster key is held in the registry under KeyProtection. The value is named after the original SQL Server name/instance, so its name must be updated to match the new location.
- Export the "HKLM\SOFTWARE\Microsoft\DRMS\KeyProtection" key to a .reg file on the desktop.
- Make a copy of the .reg file just exported (to have the original backed up).
- Delete the "PASSWORDDERIVEDKEY_..." entry from the registry.
- Edit the .reg file.
- Where the name of the value refers to the original database location (e.g. "PASSWORDDERIVEDKEY_SQL01\IPC_DRMS_CONFIG_IPC_CPANDL_COM_443"),
- Change it to reflect the new SQL server/instance name (e.g. "PASSWORDDERIVEDKEY_SQL02\ADRMS_DRMS_CONFIG_IPC_CPANDL_COM_443").
- Save the .reg file.
- Import the edited .reg file into the registry.
Note: if the SQL connection string includes a port, the PASSWORDDERIVEDKEY value name includes it too, in the form "SERVER\INSTANCE,xxxx" (a comma followed by the port number); change that part in the same way.
The following values may not be present on AD RMS servers running Windows Server 2012 and later. Where they exist, they also need to be updated to reflect the new SQL Server name/instance.
- HKLM\System\CurrentControlSet\Services\ADRMSLoggingService\Params\ConnectionString
- HKLM\System\CurrentControlSet\Services\ADRMSLoggingService\Params\LoggingDatabaseServer
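The registry work in this section, as an added PowerShell example that is not part of the original article: it exports the KeyProtection key to a timestamped .reg backup, renames the PASSWORDDERIVEDKEY_* value in place (a rename keeps the binary key data untouched, which is what the export/delete/edit/import sequence above also achieves), and rewrites the string values listed in this section wherever they exist. The parameter names, the backup location, and the -WhatIf switch are this example's own; the registry paths and value names are taken from this article as written, and any that do not exist on a given server are reported and skipped rather than created.

```powershell
<#
Added example, not part of the original article: after the databases have been
moved, rename the software-protected cluster key value under KeyProtection and
rewrite the string values this article lists, on one AD RMS node.
Assumptions: $OldSql and $NewSql are the exact server\instance (plus ",port" if
used) strings as they appear in the current value names; the script runs in an
elevated PowerShell on each node of the cluster; the value names in $StringValues
are as listed in this article and are skipped if they do not exist.
Run with -WhatIf first to see the rename and updates without applying them.
#>
param(
    [Parameter(Mandatory)] [string] $OldSql,      # e.g. 'SQL01\IPC'
    [Parameter(Mandatory)] [string] $NewSql,      # e.g. 'SQL02\ADRMS'
    [string] $BackupDir = (Join-Path $env:USERPROFILE 'Desktop'),
    [switch] $WhatIf
)
$ErrorActionPreference = 'Stop'

$keyProtectionReg = 'HKLM\SOFTWARE\Microsoft\DRMS\KeyProtection'    # reg.exe form
$keyProtection    = 'HKLM:\SOFTWARE\Microsoft\DRMS\KeyProtection'   # provider form

# 1. Export the key to a timestamped .reg file before changing anything.
$backup = Join-Path $BackupDir ('KeyProtection-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $keyProtectionReg $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $keyProtectionReg failed; no changes made" }
Write-Host "Backup written to $backup (contains the protected cluster key; handle as sensitive)"

# 2. Rename the PASSWORDDERIVEDKEY_* value whose name embeds the old server\instance.
#    -match/-replace are case-insensitive; the old name is regex-escaped so '\'
#    and '.' in server names are matched literally. (A '$' in $NewSql would need
#    escaping as '$$' for -replace.)
$escapedOld = [regex]::Escape($OldSql)
$names = (Get-Item -Path $keyProtection).GetValueNames() |
    Where-Object { $_ -like 'PASSWORDDERIVEDKEY_*' }
if (-not $names) {
    throw "No PASSWORDDERIVEDKEY_* value under $keyProtection; is this a software-key cluster?"
}
foreach ($name in $names) {
    if ($name -notmatch $escapedOld) {
        Write-Warning "$name does not contain '$OldSql'; left unchanged"
        continue
    }
    $newName = $name -replace $escapedOld, $NewSql
    Write-Host "Rename: $name -> $newName"
    Rename-ItemProperty -Path $keyProtection -Name $name -NewName $newName -WhatIf:$WhatIf
}

# 3. Rewrite string values that still point at the old server. Paths and names
#    are as listed in this article; the ADRMSLoggingService ones are normally
#    absent on Windows Server 2012 and later and are simply skipped.
$StringValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\DRMS'
       Name = 'ConnectionStringConfigDatabaseConnectionString' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADRMSLoggingService\Params'
       Name = 'ConnectionString' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\ADRMSLoggingService\Params'
       Name = 'LoggingDatabaseServer' }
)
foreach ($v in $StringValues) {
    $current = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    if ($null -eq $current) {
        Write-Host "$($v.Path)\$($v.Name): not present, skipped"
        continue
    }
    if ($current -notmatch $escapedOld) {
        Write-Warning "$($v.Name) does not reference '$OldSql'; left unchanged"
        continue
    }
    $updated = $current -replace $escapedOld, $NewSql
    Write-Host "Update $($v.Name): $current -> $updated"
    Set-ItemProperty -Path $v.Path -Name $v.Name -Value $updated -WhatIf:$WhatIf
}
Write-Host 'Done. Run iisreset and open the AD RMS console to verify.'
```

Run it once per node, -WhatIf first. The exported .reg file holds the password-derived protected cluster key, so keep it with the same care as the TPD export and delete it once the cluster has been verified on the new instance; if a value still references the old server after the script reports "left unchanged", the $OldSql string did not match the stored name exactly (check for a ",port" suffix or a different instance name).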
Testing
Once the database has been moved and the edits above are complete, run iisreset on each AD RMS server in the cluster.
On each AD RMS server, ensure the AD RMS administration console (MMC) opens and connects to the cluster.
On a client machine complete the following steps to reset the RMS client.
- Close open Office applications.
- In a command prompt, run the following commands (they clear the current user's RMS client state, so no elevation is needed).
- rmdir %localAppData%\Microsoft\DRM /S /Q
- rmdir %localAppData%\Microsoft\MSIPC /S /Q
- reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\MSIPC" (answer Yes at the prompt, or append /f to skip it)
- Create a new protected document.
Creation of a new protected document forces the client to bootstrap against AD RMS. If that works, then test some existing protected content.