Steven JW Kennedy

My Blog

Archive for the ‘Server 2008’ Category


Posted by Steven Kennedy on February 24, 2011

I’ve a Microsoft Rights Management Service server set up on my home network. I have it working with Office 2010 and Exchange 2010. Then I found a reference online to the fact that RMS could be made to work with Office for the Mac 2011. So I followed the instructions and I can open and read RMS protected Office documents but the icon to set permissions is grayed out. That’s when I found the following reference in the Word:Mac Product Guide:

Creating IRM-protected documents with Office for Mac 2011 requires the volume license edition of Office 2011, as well as a Rights Management server running Windows Server 2008 R2 SP1. Opening IRM-protected content to which you have been given access can be done from any edition of Office for Mac 2011 or from Office 2003 for Windows or later.

The version I have is the ordinary retail version of Office for Mac 2011. So I can open and read protected documents but I cannot create them. I have a TechNet account and I checked the version available there and it’s Office for Mac 2011 Home and Business, the same version as I already have. Guess I’m not going to be testing RMS with the Mac anytime soon.


Posted in AD RMS, Apple Macintosh

AD RMS: Client side

Posted by Steven Kennedy on February 22, 2011

Both Windows Vista and Windows 7 come with the AD RMS client built-in. For Windows XP you’ll need to download a client from Microsoft and install it. In my case I’m using Windows 7 Enterprise 32-bit.

Even with the client built-in there’s some configuration that has to take place before you can start using AD RMS templates.

In order to update the templates on a user’s local PC, a scheduled job runs that copies the templates from the previously defined location, in my case \\RMS\Users\Public, to the user’s PC. Where these templates are located is defined in the registry. This is where I started to have some issues. For me at home it’s not a big deal. I can just use Regedit to set up the key and value. In a business environment that’s not so practical. So you’ll have to resort to defining the registry settings via Group Policy, which is where I ran into an issue. I’ll address this a bit later on in this post.

First off you need to enable the scheduled tasks that’ll update the policy templates on the client PC. You do this by opening up the task scheduler, via the Control Panel.System and Security.Scheduled tasks (this is for Windows 7). You’ll then expand the Task Scheduler Library and expand down through Microsoft.Windows and then select Active Directory Rights Management Services Client. See the screen shot below.

AD_RMS_Task_Scheduler - Annotated

As you can see from the screen shot the Status for the task is Disabled. You’ll need to enable both tasks by selecting each one in turn and clicking on Enable. In my case I had to do this using an administrator account because my normal user account doesn’t have local privileges and a privileged account is required to make these changes. You can also make these changes via Microsoft’s Systems Management Server or using Group Policy using the following command (from Microsoft TechNet posting here):

schtasks /Change /TN "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)" /ENABLE

I haven’t tried this yet. This same posting on TechNet tells you how to enter the registry key to point to the location on the local machine where the templates will go. It’s when I tried to use a GPO to do this that I ran into an issue.

I decided to try using a GPO to make the relevant registry settings. So I downloaded the Office 2010 Administrative templates and applied them. I then went into Group Policy Manager and activated the template specific for AD RMS clients and entered the path: %LocalAppData%\Microsoft\DRM\Templates



I then logged off and back on, on my client PC, to get the GPO applied. Yes, I know I could do it via GPUPDATE /Force but I also wanted to force the scheduled task to run. Turns out I had to do that manually or wait up to an hour for it to run.

Anyway, once I was logged back in, imagine my surprise that the policy propagation wasn’t working. After a bit of digging I found that the Office 2010 Administrative templates defined the key value for AdminTemplatePath as REG_SZ, where it needed to be REG_EXPAND_SZ. As there seemed to be no way to change the administrative template (I didn’t look or try that hard), I ended up using the Preference setting capability that’s now available within AD 2008. In the same GPO editor select User Configuration.Preferences.Registry and define a key, as shown in the screen shot below, by right clicking on Registry and selecting New.Registry Item.


(Note! the key path is: Software\Policies\Microsoft\office\14.0\common\drm)
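
A check for the REG_SZ versus REG_EXPAND_SZ problem described above, as an added example that is not part of the original post: it reads AdminTemplatePath exactly as stored, reports a wrong value type, and confirms the template update task is enabled. The key path, value name and task name are the ones quoted in the post; the HKCU hive (the setting is made under User Configuration) and the .xml extension of the template files are assumptions.

```powershell
# Added example, not from the original post. Key path, value name and task name
# are the ones quoted in the post; the HKCU hive is an assumption.
$keyPath   = 'HKCU:\Software\Policies\Microsoft\office\14.0\common\drm'
$valueName = 'AdminTemplatePath'
$taskName  = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'

function Test-RmsTemplatePath {
    # Emits one string per problem found; no output means the value is usable.
    if (-not (Test-Path $keyPath)) {
        return "Key $keyPath does not exist (GPO not applied?)"
    }
    $key = Get-Item -Path $keyPath
    if ($key.GetValueNames() -notcontains $valueName) {
        return "$valueName is not set"
    }
    $kind = $key.GetValueKind($valueName)
    # Read the data exactly as stored, without letting .NET expand %variables%.
    $raw = $key.GetValue($valueName, $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::ExpandString -and $raw -match '%[^%]+%') {
        "$valueName is $kind but holds '$raw'; the variable is never expanded"
    }
    # Resolve the path the way a REG_EXPAND_SZ read would, then look for templates.
    $resolved = [Environment]::ExpandEnvironmentVariables($raw)
    if (-not (Test-Path -LiteralPath $resolved -PathType Container)) {
        "Template folder '$resolved' does not exist yet"
    } elseif (-not (Get-ChildItem -LiteralPath $resolved -Filter *.xml)) {
        "No template (.xml) files in '$resolved'; has the scheduled task run?"
    }
}

$issues = @(Test-RmsTemplatePath)

# schtasks output is matched in English; adjust the pattern on localized systems.
$taskInfo = schtasks /Query /TN $taskName /FO LIST 2>&1
if ($LASTEXITCODE -ne 0) {
    $issues += "Scheduled task not found: $taskName"
} elseif ($taskInfo -match 'Disabled') {
    $issues += 'Template update task is still Disabled'
}

if ($issues.Count -eq 0) {
    'AD RMS template distribution looks correctly configured.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Run it as the affected user, since the value lives in that user's registry hive.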

More posts to follow on Exchange and SharePoint and AD RMS and also what the client side sees and can do, specifically with Office 2010.

Posted in AD RMS

AD RMS: Microsoft Active Directory Rights Management Service

Posted by Steven Kennedy on February 22, 2011

Ever since Microsoft came out with their Rights Management Service, now called AD RMS, I’ve been interested in using it. However, in the early days the setup and use of it was not that user friendly. Microsoft have, to a large part, taken care of that. Not only is it easier to set up and use, it can also be integrated with Microsoft Exchange and SharePoint. I’ll be posting separate posts about my adventures in getting AD RMS working with both Exchange 2010 and SharePoint 2010.

So, last week I installed a new virtual image with AD RMS on it. The installation of the server side of the software was pretty straightforward; I just followed the installation instructions to add the AD RMS role.

For my setup, being as it’s at home, I just used self-signed certificates, which cause a number of pop-ups as you use AD RMS. More on that in later posts on using AD RMS. Suffice to say, if you have a valid certificate authority it’ll make deployment and use of AD RMS easier and less intrusive to users.

One issue I did run into is the distribution of policy templates. You not only need to define a location for the templates that all users can read, but you also need to set up the clients to be able to read these templates, in order that they can make use of them. For Windows Vista and Windows 7 this is somewhat easier as the AD RMS Client is part of the Operating System. For Windows XP you have to install an AD RMS client explicitly. In my case I’m currently using Windows 7 Enterprise 32-bit.

So my home setup consists of a Windows Server 2008 R2 server with the Active Directory Rights Management Service role enabled and a Windows 7 client with Office 2010.

Once I’d installed RMS, and made sure it and the server had all updates applied, I went and created a folder to put the RMS Policy Templates that I’d be creating. I took the easy way out and used the ‘Public’ folder on the RMS server: \\RMS\Users\Public, where RMS is the host name for the server hosting the AD RMS role. I then used the Active Directory Rights Management Services console to point AD RMS to this folder. In the console select Rights Policy Templates, indicated by the 1 on the screen shot. Then click on the link Change distributed rights policy templates file location, indicated by the 2. In my case as I’d already done this the location is shown as \\RMS\Users\Public, indicated by the 3.

Policy_Template_files_location - annotated

Once you click on Change distributed rights policy templates file location you’ll be presented with a dialog box, like the one below, to enter the location you wish to use. In the screen shot below it’s showing the location I’d already set. If you haven’t previously set a location then the Current templates file location: will be blank.


Once I had this set up I could go ahead and create Policy Templates. Again, this is pretty straightforward but it’s worth noting here that to apply AD RMS to something, like an email, Word document etc., you have to say who it is that’s getting the rights. This is done via email addresses. So you either have to provide explicit email addresses of your users, or use distribution lists. You can also use Windows Live IDs if you enabled them during installation, or even use Active Directory Federation Services if you enabled that functionality during installation. In my case I only enabled Windows Live ID. It seems fairly obvious that it’s best to use Distribution lists; that way you only need to update the DL’s membership without having to update the policy. Also, defining the policy with a DL means that you don’t have to re-distribute the policy every time you update the membership of the policy.

This leads to something else you should consider when setting up AD RMS: naming conventions. You should come up with something for the policy names and for any associated DLs that the policies use. I’ll touch on this in a separate posting as this one is getting quite long as it is.

Once you have a policy template defined you can check the templates file location to see if it’s there. You can also have other users look at the location to make sure that they have read access to the location and the template files located there.

That’s the first part of making an AD RMS template available. The second piece is for the client to access it. This is where I ran into an issue. I was able to use Word and Outlook to select a template but only the default, provided ones. The templates that I’d defined weren’t showing up. I’ll go into that in my next post, AD RMS: Client side.

Posted in AD RMS, General, Server 2008

Error when listing or trying to change Server Roles or Features on Server 2008 R2

Posted by Steven Kennedy on December 31, 2010

I recently ran into an issue when I was working with my SharePoint 2010 server. I was trying to set it up to be able to send and receive emails. In order to do so I went to enable the SMTP feature on the server, only to get an error when I tried to access it via Server Manager.

I stopped and restarted Server Manager but to no avail so I re-booted the server. I still got the same problem. As I was somewhat impatient I decided to try to enable the SMTP Feature via PowerShell. However, when I tried that I got an error there as well, unfortunately I didn’t take a screen shot or note the wording.

I then started to look in the various Windows logs to see if there was anything there. I did see the same error popping up a number of times, in the System Log and the Application log. I’ve included both screen shots and the text, of both the errors I saw, below.


The Windows Modules Installer service terminated unexpectedly.  It has done this 5 time(s).

Windows Modules Installer - System Event Log Entry


Faulting application name: TrustedInstaller.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc4b0
Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b802
Exception code: 0xc00000fd
Fault offset: 0x0000000000052880
Faulting process id: 0xa04
Faulting application start time: 0x01cba90ddb32e4d5
Faulting application path: C:\Windows\servicing\TrustedInstaller.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 2f761c45-1501-11e0-9d8d-00155d01051c

Trusted Installer - Application Event Log

I did some searching on the Internet to see what came up associated with these two errors but nothing much came up except to change what action should be carried out when the service failed.

After some more searching I came across an entry on a site called Fix my IT system that pointed me to a Microsoft Hotfix that you can find here.

I applied the hotfix, for Server 2008 R2, no re-boot required, and that fixed my problem. I was then able to run Server Manager and add the SMTP service Feature.

Posted in Operating Systems, Server 2008, SharePoint 2010