AD RMS How-to: Un-decommission an AD RMS cluster
AD RMS offers a feature for decommissioning the cluster. See Decommission AD RMS for details. As previously documented, Office client versions since 2010 had not made use of the decommission feature in AD RMS. See AD RMS Decommissioning for modern Office clients for some guidance on a functional version of decommissioning.
Intro
If an AD RMS cluster ends up in decommissioned mode, what can be done? Only limited functionality is available in the GUI, and Trusted Publishing Domains (TPDs) can no longer be exported. If users need to access AD RMS-protected content and the client software doesn't support the decommissioned mode of the service, there is no recourse. One option is to restore a copy of the AD RMS configuration database from a backup made before the move to decommissioned mode. A new alternative has been found that requires only a small database entry change and an iisreset.
Warnings
The aforementioned Decommission AD RMS link, our official documentation, clearly indicates that there is no going back from decommission mode. Once in decommission mode there is no way to restore normal functionality.
The AD RMS console reiterates this message when enabling decommissioning mode.
Thus, although this document describes a way to un-decommission an AD RMS server, it must be understood that this is in no way officially supported.
Disclaimer
THIS TOOL AND/OR INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
Details
Preparation
Before embarking upon the unsupported actions to un-decommission an AD RMS server, certain precautions must be taken. The decommissioned AD RMS server needs to be backed up so the starting state may be restored should misfortune strike this unsupported endeavor.
- Back up the existing AD RMS configuration database.
- Back up the AD RMS server. If it is a virtual machine make a snapshot.
The work
When a cluster is placed in decommission mode several things happen. The one item of importance for this task is the DecommissionEnabled record in the configuration database, in the DRMS_ClusterPolicies table. This record does not exist in the default functional state of an AD RMS server.
When in this state there are few administrative options in the AD RMS console.
Set DecommissionEnabled to 0
A SQL query may be used to set the PolicyData to 0:
USE DRMS_Config_irm_moose_local_443; -- Use the actual DB name
-- Clear the decommission flag in the cluster policy table
UPDATE dbo.DRMS_ClusterPolicies
SET PolicyData = 0
WHERE PolicyName = 'DecommissionEnabled';
IISreset
On the AD RMS server, close any open AD RMS MMC consoles. In an elevated command prompt, run iisreset.
Verification
On the AD RMS server, once the iisreset completes, open the AD RMS console. Full functionality should be restored.
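The Preparation and "Set DecommissionEnabled to 0" steps above can be combined into one guarded T-SQL script that backs up the database, keeps a copy of the original record, and commits only if exactly one row changed. This is an added example, not part of the original article or of Microsoft's documentation; the backup path and the DRMS_ClusterPolicies_PreChange table name are hypothetical, and the database name is the article's sample value.

```sql
-- Added example (not from the original article). Replace the database name
-- with the actual AD RMS configuration database.
USE DRMS_Config_irm_moose_local_443;
GO

-- 1. Copy-only full backup so the starting state can be restored.
--    The disk path is a placeholder (assumption).
BACKUP DATABASE DRMS_Config_irm_moose_local_443
    TO DISK = N'D:\Backup\DRMS_Config_pre_change.bak'
    WITH COPY_ONLY, CHECKSUM;
GO

-- 2. Record what the decommission flag looks like before the change.
SELECT * FROM dbo.DRMS_ClusterPolicies
WHERE PolicyName = 'DecommissionEnabled';

-- 3. Change the flag inside a transaction, keeping a copy of the original row.
SET XACT_ABORT ON;
BEGIN TRANSACTION;

-- Hypothetical side table holding the pre-change record.
IF OBJECT_ID(N'dbo.DRMS_ClusterPolicies_PreChange', N'U') IS NULL
    SELECT * INTO dbo.DRMS_ClusterPolicies_PreChange
    FROM dbo.DRMS_ClusterPolicies
    WHERE PolicyName = 'DecommissionEnabled';

UPDATE dbo.DRMS_ClusterPolicies
SET PolicyData = 0
WHERE PolicyName = 'DecommissionEnabled';

-- Commit only when exactly one record was touched; otherwise undo everything.
IF @@ROWCOUNT = 1
BEGIN
    COMMIT TRANSACTION;
    PRINT 'DecommissionEnabled set to 0. Run iisreset on the AD RMS server.';
END
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'Expected exactly one DecommissionEnabled row. Nothing was changed.';
END;
GO

-- 4. Confirm the stored value after the change.
SELECT * FROM dbo.DRMS_ClusterPolicies
WHERE PolicyName = 'DecommissionEnabled';
```

If the script reports that nothing was changed, the cluster was either never decommissioned or the wrong database was selected; the rollback leaves the configuration database untouched in both cases.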