Security, Compliance, and Identity Blog
Testing AD RMS for your Environment

Sep 08, 2018
First published on CloudBlogs on Apr 28, 2012

(This post was published on the original RMS team blog in May 2010)

Before you implement AD RMS you may want to test it in a test environment that mirrors your production environment. This post will help you through that process.

First, you must decide how you will use AD RMS in your organization so that you will know what to test.  How many AD RMS users do you have in your organization?  Do they reside in the same domain and forest?  Will you be implementing any trust relationships with other Active Directory forests?  Will you have any licensing-only clusters?  What client and server applications will end-users use to protect and consume content?  For example, if you plan to use AD RMS with Microsoft Office SharePoint Services (MOSS), you should include it in your testing.  The closer your test environment mirrors your production environment, the more relevant your test data will be.

Your server specifications and roles in your test environment should also mirror your production environment. We recommend that you use the specifications described in the TechNet documents AD RMS Prerequisites and AD RMS SQL Server Requirements. Ideally you are using dedicated servers for your AD RMS server, domain controller, and Microsoft SQL Server. Either way, ensure that the two environments are as identical as possible. You can, however, safely test AD RMS using virtual machines; the performance difference between AD RMS on a virtual machine and on a physical server is not significant.

In preparation for testing, knowing the steps behind the most common AD RMS transactions can be helpful.  When an end user creates or consumes protected content for the very first time she must be bootstrapped.  During this process the client generates a Machine Account Certificate (MAC) and obtains a Rights Account Certificate (RAC) from the AD RMS cluster.  The first time a user publishes protected content a Client Licensor Certificate (CLC) is obtained from the AD RMS cluster.

After a user is bootstrapped she can publish content on a client computer using her existing MAC, RAC, and CLC.  For a user to consume content, after the bootstrapping process is complete, she can use her existing MAC and RAC, but must get an End Use License (EUL) from the AD RMS cluster.

To summarize, machine activation and the publishing of AD RMS protected content happen on the client computer, and therefore cannot be directly tracked by the AD RMS cluster. Certification, client enrollment, and EUL issuance occur on the AD RMS cluster and can be directly measured with the AD RMS performance counters.

There are no out-of-the-box tools available to test AD RMS, but you can load test the pipelines (the .asmx files) like any other ASP.NET application. When stress testing the AD RMS server, make sure it is not being used for anything other than AD RMS and ensure that it is tested to 100% load. Then use the AD RMS performance counters in Performance Monitor to gather your test results. The AD RMS performance counters offer valuable statistics that you can use to validate the performance of your AD RMS installation. The following table identifies a few of the most useful counters when testing your environment.

| AD RMS Operation | Performance Counter | Description |
| --- | --- | --- |
| Certification - AD RMS Server | \AD RMS Certification\Certification Failed Requests | Returns the total number of failed certification requests |
| | \AD RMS Certification\Certification Successful Requests | Returns the total number of successful certification requests |
| | \AD RMS Certification\Certification Successful Request Rate | Returns the total rate (requests per second) of successful certification requests |
| Precertification - AD RMS Server | \AD RMS Certification\PreCertification Failed Requests | Returns the total number of failed pre-certification requests |
| | \AD RMS Certification\PreCertification Successful Requests | Returns the total number of successful pre-certification requests |
| | \AD RMS Certification\PreCertification Successful Request Rate | Returns the total rate (requests per second) of successful pre-certification requests |
| Client Enrollment - AD RMS Server | \AD RMS Licensing\Client Licensor Certificate Failed Requests | Returns the total number of failed client enrollment requests |
| | \AD RMS Licensing\Client Licensor Certificate Successful Requests | Returns the total number of successful client enrollment requests |
| | \AD RMS Licensing\Client Licensor Certificate Successful Requests Rate | Returns the total rate (requests per second) of successful client enrollment requests |
| Publishing - AD RMS Server | \AD RMS Licensing\Publishing Failed Requests | Returns the total number of failed publishing requests |
| | \AD RMS Licensing\Publishing Successful Requests | Returns the total number of successful publishing requests |
| | \AD RMS Licensing\Publishing Successful Requests Rate | Returns the total rate (requests per second) of successful publishing requests |
| License - AD RMS Server | \AD RMS Licensing\Licensing Failed Single Requests | Returns the total number of failed licensing requests |
| | \AD RMS Licensing\Licensing Successful Single Requests | Returns the total number of successful licensing requests |
| | \AD RMS Licensing\Licensing Successful Single Requests Rate | Returns the total rate (requests per second) of successful licensing requests |
| | \AD RMS Licensing\Licensing Successful Batched Requests | Returns the total number of successful batched requests (server applications like MOSS and Exchange use batch licensing) |
| | \AD RMS Licensing\PreLicensing Successful Requests | Returns the total number of successful prelicensing requests (used in Exchange prelicensing) |
| Batch Licensing - AD RMS Server | \AD RMS Licensing\Licensing Failed Batch Requests | Returns the total number of failed batch licensing requests |
| | \AD RMS Licensing\Licensing Successful Batch Requests | Returns the total number of successful batch licensing requests |
| | \AD RMS Licensing\Licensing Successful Batch Requests Rate | Returns the total rate (requests per second) of successful batch licensing requests |
| Prelicense - AD RMS Server | \AD RMS Licensing\PreLicensing Failed Requests | Returns the total number of failed prelicensing requests |
| | \AD RMS Licensing\PreLicensing Successful Requests | Returns the total number of successful prelicensing requests |
| | \AD RMS Licensing\PreLicensing Successful Requests Rate | Returns the total rate (requests per second) of successful prelicensing requests |
| System | \ASP.NET Apps v2.0.50727(__Total__)\Requests/Sec | Total requests per second handled by IIS, assuming every transaction on the AD RMS server is an IIS transaction |
| | \Processor(_Total)\% Processor Time | Processor usage (cryptographic operations are costly) |
| | \Memory\Available MBytes | Available free memory |

Please note that the majority of the requests from end users will be license requests.  Also, remember that the AD RMS logging database will grow at a substantially faster rate than the other databases.  Testing the database server, and the logging database in particular, should be a key component of your testing strategy.

We recommend testing a worst case scenario as part of your testing strategy.  An example of this might be a company-wide protected e-mail message with a few attachments and several replies.  In such a scenario, you could reasonably expect a total of ten use licenses per user over the course of an hour.  Continuing the example, if your organization has 10,000 AD RMS end-users, then your cluster would have to be able to support a peak load of 100,000 license requests per hour, or 30 requests per second.  The particulars of your AD RMS usage will dictate what a worst case scenario will look like for your organization.  The TechNet article Scaling the Infrastructure Components offers some average performance rates of AD RMS servers with certain specifications.  You can use these numbers as a baseline in your own testing.
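The following PowerShell script is an added example and is not code from the original post or from the AD RMS product. It samples the counters from the table above for the duration of a load run, turns the cumulative failed/successful totals into per-pipeline failure ratios and throughput, averages the system counters, and compares the measured licensing rate with the worst-case target from the 10,000-user calculation. Two assumptions are built in: the counter paths use the usual `\Object\Counter` form for the names shown in the table, and `Get-Counter` returns each sample path prefixed with `\\computername` in lower case, so counters are matched by suffix. The threshold parameters are illustrative defaults, not values from the post.

```powershell
# Added example, not code from the original post. Samples the AD RMS performance
# counters listed above during a load test, reports per-pipeline failure ratios and
# throughput plus the system counters, and checks the measured licensing rate against
# the worst-case target (users x licenses per user per hour, converted to per second).
# Assumptions: run on the AD RMS server (or point -ComputerName at it), and the
# counter paths follow the usual "\Object\Counter" form for the names in the table.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$SampleIntervalSeconds = 5,
    [int]$MaxSamples = 12,             # 12 x 5 s = one minute of observation
    [double]$MaxFailureRatio = 0.01,   # flag a pipeline when more than 1% of requests fail
    [int]$Users = 10000,               # worst-case sizing inputs from the post's example
    [int]$LicensesPerUserPerHour = 10
)

# Cumulative failed/successful counter pairs for each AD RMS operation in the table.
$pipelines = [ordered]@{
    'Certification'     = @('\AD RMS Certification\Certification Failed Requests',
                            '\AD RMS Certification\Certification Successful Requests')
    'PreCertification'  = @('\AD RMS Certification\PreCertification Failed Requests',
                            '\AD RMS Certification\PreCertification Successful Requests')
    'Client Enrollment' = @('\AD RMS Licensing\Client Licensor Certificate Failed Requests',
                            '\AD RMS Licensing\Client Licensor Certificate Successful Requests')
    'Publishing'        = @('\AD RMS Licensing\Publishing Failed Requests',
                            '\AD RMS Licensing\Publishing Successful Requests')
    'Licensing'         = @('\AD RMS Licensing\Licensing Failed Single Requests',
                            '\AD RMS Licensing\Licensing Successful Single Requests')
    'Batch Licensing'   = @('\AD RMS Licensing\Licensing Failed Batch Requests',
                            '\AD RMS Licensing\Licensing Successful Batch Requests')
    'PreLicensing'      = @('\AD RMS Licensing\PreLicensing Failed Requests',
                            '\AD RMS Licensing\PreLicensing Successful Requests')
}
# Instantaneous system counters, averaged over the run.
$systemCounters = @(
    '\ASP.NET Apps v2.0.50727(__Total__)\Requests/Sec',
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes'
)

# Pull one sample's cooked value for a counter. Get-Counter prefixes paths with
# \\computername and lower-cases them, so match on the suffix (-like is case-insensitive).
function Get-SampleValue {
    param($Sample, [string]$Path)
    $hit = $Sample.CounterSamples | Where-Object { $_.Path -like "*$Path" } | Select-Object -First 1
    if ($null -eq $hit) { throw "Counter not found in sample: $Path" }
    return [double]$hit.CookedValue
}

$allCounters = @()
foreach ($pair in $pipelines.Values) { $allCounters += $pair }
$allCounters += $systemCounters

Write-Host "Sampling $($allCounters.Count) counters on $ComputerName for $($SampleIntervalSeconds * $MaxSamples) s..."
$samples = @(Get-Counter -ComputerName $ComputerName -Counter $allCounters `
    -SampleInterval $SampleIntervalSeconds -MaxSamples $MaxSamples)
$first   = $samples[0]
$last    = $samples[-1]
$elapsed = ($last.Timestamp - $first.Timestamp).TotalSeconds

# The request totals are cumulative since service start, so the delta between the
# first and last sample is what happened during this observation window.
$report = foreach ($name in $pipelines.Keys) {
    $failedPath, $okPath = $pipelines[$name]
    $failed = (Get-SampleValue $last $failedPath) - (Get-SampleValue $first $failedPath)
    $ok     = (Get-SampleValue $last $okPath)     - (Get-SampleValue $first $okPath)
    $total  = $failed + $ok
    $ratio  = if ($total -gt 0) { $failed / $total } else { 0 }
    [pscustomobject]@{
        Operation      = $name
        Successful     = $ok
        Failed         = $failed
        FailureRatio   = [math]::Round($ratio, 4)
        RequestsPerSec = if ($elapsed -gt 0) { [math]::Round($total / $elapsed, 2) } else { 0 }
        Status         = if ($ratio -gt $MaxFailureRatio) { 'INVESTIGATE' } else { 'OK' }
    }
}
$report | Format-Table -AutoSize

# System counters are point-in-time values, so summarise them across all samples.
$system = foreach ($path in $systemCounters) {
    $values = foreach ($s in $samples) { Get-SampleValue $s $path }
    $stats  = $values | Measure-Object -Average -Maximum
    [pscustomobject]@{ Counter = $path
                       Average = [math]::Round($stats.Average, 2)
                       Maximum = [math]::Round($stats.Maximum, 2) }
}
$system | Format-Table -AutoSize

# Worst-case check from the post: 10 use licenses per user per hour for 10,000 users
# is 100,000 licenses per hour, about 28 requests per second (the post rounds to 30).
$targetPerSec = ($Users * $LicensesPerUserPerHour) / 3600
$measured = ($report | Where-Object Operation -eq 'Licensing').RequestsPerSec
$verdict  = if ($measured -ge $targetPerSec) { 'PASS' } else { 'BELOW TARGET' }
Write-Host ("Licensing pipeline sustained {0} req/s; worst-case target is {1:N1} req/s: {2}" -f $measured, $targetPerSec, $verdict)
```

Run it while your load generator is driving the pipelines, since the script measures rather than creates load; an `INVESTIGATE` row means that pipeline failed more than the chosen share of requests during the window, and the licensing verdict tells you whether the cluster kept up with the hourly worst case you sized for.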

Finally, we recommend testing AD RMS with rights policy templates and Active Directory groups.  Individually adding rights and users increases the size of the publishing license and, in turn, increases the load on the AD RMS server.  In a multi-domain environment, make sure you allot enough time for the Active Directory groups to replicate across the entire forest.
