Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

A way to find AD RMS protected files or migrate from Windows Server 2008?

Silver Contributor

We still have local AD RMS running on Windows Server 2008 (not R2). It is barely used, but there are a number of files protected by it in local share (maybe also in personal computers, but that's not important). We are not using AIP yet (as RMS was not very used, there was no interest in AIP either). But as AIP is enabled on our tenant and there will be changes incompatible with local RMS, we are looking into options:

 

1) Is there a way to somehow identify all AD RMS protected documents in a local share (via search or something)? All i can see in RMS console is the number of times a license has been assigned. Not even users who have used it (we have User CALs).

2) I have read that only Windows Server 2008 R2 is supported for migration to AIP. Is there still some way to migrate from older version?

2 Replies
Regarding question 1:
"Once the client has the use license no other activity is recorded unless the use license contains a policy that requires users to re-license the content (either every X days or every use). There is no logging on the client side of when and what rights used. The tool in the RMS Toolkit, RMSLogAnalyzer can be used to process the verbose server logs into a much more usable format that can then be used for audit tracked (though as stated before the server only knows about the license issued, not how many times it was used etc). The issuance license can be manually pulled from either the content or the RMS logging database. The tool in the RMS Toolkit, RMS CertAnalyzer can be used to decrypt the issuance license to view who has what rights to the content."
https://blogs.msdn.microsoft.com/rms/2005/06/16/rms-logging-database-whats-collected/
Regarding question 2, you may need to consider a "two hop" migration and go from 2008 to R2. here is an old thread that might help a little bit.
https://social.technet.microsoft.com/Forums/ie/en-US/4f80c4fd-7b89-48cf-8bda-b3910ca81ae4/ad-rms-upg...

This could be a model case study of "technology debt" where if you push off an upgrade too long, then you end up like this, with limited documentation, and limited support.

The thing is that RMS didn't ever really took of here. But it was still left in place as there could be still a few files protected by it in the shares or even on users PCs.. Anyway, i have already contacted our partners and got roughly the same answers. It is  added to the next year plans (though not sure if it will be done actually).