Understanding the AD RMS Databases
Applies To: Windows Server 2008
Servers in the AD RMS cluster are tightly integrated with the database server during normal operations. The AD RMS database server stores configuration, logging, and directory services information for use by AD RMS.
You can use the Windows Internal Database in Windows Server® 2008 to support a new, single-server installation of AD RMS.
Warning
If you are using the MSDE 2000 to host the Rights Management Services (RMS) databases, you cannot upgrade to AD RMS. An upgrade is only supported if you are using Microsoft SQL Server 2000 or Microsoft SQL Server 2005 to host the AD RMS databases.
We recommend that you use a separate database server such as Microsoft SQL Server 2005. AD RMS uses the following databases:
Configuration database
The configuration database is a critical component of an AD RMS installation because it stores, shares, and retrieves all configuration data and other data that you need to manage account certification, licensing, and publishing services for a cluster. The way that you manage your configuration database directly affects the security and availability of rights-protected content.
Each AD RMS cluster has one configuration database. The configuration database for the root cluster contains a list of Windows user identities and their rights account certificates (RACs). If the cluster key is centrally managed by AD RMS, the certificate key pair is encrypted to the AD RMS cluster key before it is stored in the database. The configuration databases for licensing-only clusters do not contain this information.
Logging database
For each root or licensing-only cluster, by default AD RMS installs a logging database in the same database server instance that hosts the configuration database. AD RMS also creates a private message queue on each server in the AD RMS cluster for logging in Message Queuing. The AD RMS logging service transmits data from this message queue to the logging database.
Directory services database
This database contains information about users, identifiers (such as e-mail addresses), security IDs (SIDs), group memberships, and alternate identifiers. This information is obtained from Lightweight Directory Access Protocol (LDAP) queries made to the Active Directory Domain Services (AD DS) global catalog by the AD RMS licensing service.
The user account that was logged on when the AD RMS server role was added has Database Owner permissions on all of these databases.
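As an added illustration (this T-SQL is not part of the original article), the following query inventories the database owner and every db_owner role member in each AD RMS database on the SQL Server instance, which is how you would verify which accounts hold the permissions described above. It assumes the AD RMS databases use the DRMS_ name prefix; adjust the filter if your cluster uses different names.

```sql
-- Added example (not from the original article): report the dbo and all
-- db_owner role members for each AD RMS database on this instance.
-- Assumption: the databases follow the DRMS_* naming prefix.
SET NOCOUNT ON;

DECLARE @db  sysname;
DECLARE @sql nvarchar(max);
DECLARE @results TABLE (
    DatabaseName  nvarchar(128) NULL,
    Principal     nvarchar(128) NULL,
    PrincipalType nvarchar(60)  NULL
);

-- The database owner (dbo) itself, resolved from sys.databases.
INSERT INTO @results
SELECT name, SUSER_SNAME(owner_sid), N'database owner (dbo)'
FROM sys.databases
WHERE name LIKE N'DRMS[_]%';

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE name LIKE N'DRMS[_]%' AND state_desc = N'ONLINE';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Members of the fixed db_owner role inside this database.
    SET @sql = N'SELECT N' + QUOTENAME(@db, '''') + N', m.name, m.type_desc
        FROM ' + QUOTENAME(@db) + N'.sys.database_role_members rm
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals r
             ON r.principal_id = rm.role_principal_id
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals m
             ON m.principal_id = rm.member_principal_id
        WHERE r.name = N''db_owner'';';
    INSERT INTO @results EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- Review the list: anything beyond the AD RMS service identity and the
-- account that installed the role deserves a second look.
SELECT DatabaseName, Principal, PrincipalType
FROM @results
ORDER BY DatabaseName, Principal;
```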