hello all i have problem in RMS i installed the role on the AD machine but i found some problems so i decided to setup the role on another machine i removed the role by just removing the role from the server manager when i installed it on another windows 2008 server i got this message <Error>: Attempt to configure Active Directory Rights Management Server failed. The AD RMS installation could not determine the certificate hierarchy. If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again. at Microsoft.RightsManagementServices.Configuration.LicensingServerSelfEnrollment.DecideCertificateHierarchy() at Microsoft.RightsManagementServices.Configuration.CertificationServerSelfEnrollment.Enroll(EnrolleeServerInformation enrolleeInformation, EnrolleeRevocationInformation revocationInformation, String certificateDisplayName, String cspName, String keyContainerName) at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Enroll() at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Run() at Microsoft.RightsManagementServices.Configuration.ProvisionerBase.DoProvision() at Microsoft.RightsManagementServices.Configuration.ProvisionerHelper.Run(OperationType operationType, Object data) at Microsoft.RightsManagementServices.Configuration.ProvisionEngine.Run(OperationType operationType, Boolean passwordEncrypted) at Microsoft.RightsManagementServices.Configuration.CmdLineHandler.Run() Remove and re-install AD RMS to attempt provisioning again. What can i do in this ?

Hi, The error message "The AD RMS installation could not determine the certificate hierarchy" occurs, when Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate hierarchy. You can follow the steps listed in the below article and test the result: Retrieve the certificate hierarchy http://technet2.microsoft.com/windowsserver2008/en/library/a65941cb-02ef-4194-95ce-7fd213b1e48c1033.mspx?mfr=true As for the error message " If the AD RMS service connection point (SCP) you need to use is registered in Active Directory but is not valid, revise it to make it valid, or create a new SCP, and install AD RMS again", It indicates SCP is not valid. The ADRMS service connection point (SCP)can be registered automatically during installation. If the ADRMS administrator account (theuser accountinstalling ADRMS) does not have appropriate permissions to the Active Directory forest, the SCP will not be automatically registered. If an ADRMS SCP already exists in the forest, the ADRMS administrator account must have access to delete the existing SCP and create a new one. To perform these procedures, you must be a member of the local ADRMS Enterprise Administrators group and the Active Directory Domain Services (ADDS)Enterprise Admins group, or you must have been delegated the appropriate authority. To register the ADRMS SCP manually: 1. Open the Active Directory Management Services console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services. 2. Right-click the ADRMS cluster, and then click Properties. 3. Click the SCP tab. 4. Select the ChangeSCP check box. 5. Select the Set SCP to current certification cluster option, and then click OK. More information about connecting SCP, please see: AD RMS Service Connection Point Registration http://technet2.microsoft.com/windowsserver2008/en/library/0ea5df81-1723-49bf-93c8-fe5878e136001033.mspx?mfr=true Hope this helps.

Hi, Morgan.Che I just came across this thread the other day as I was having the exact same problem. I am just trying to setup AD RMS in a test environment to try it out. I am very new to Windows Server 2008 but have a somewhat good feel for Windows Server 2003. I went through both of the solutions that you listed but neither of them helped me out. When I install AD RMS I get the exact same error message as the person in the first post. First it says that the certificate hierarchy cannot be found and then it says that the SCP may not be correct. I have an enterprise CA setup on my AD server but I have done nothing to add certificates or anything like that on my 2008 AD RMS box. I wasn't sure if I needed to add a certificate or add it to the trusted root CA list on my AD RMS box before installing it. Also is there any way to check or test the hierarchy before hand to see if it will work? I have installed and then uninstalled AD RMS several times and changed little things each time and nothing seems to help. I have performed the above steps of going into registry editor and changing the hierarchy key to 0 and that doesn't help either. The AD RMS server is able to communicate fine with the AD/DNS server so I don't know where the problem there could be. On the SCP related note, I am not sure exactly what it is saying. In DNS I have gone ahead and created an A record for adrms.xxxxxx.com for my forward lookup zone which I then use as my FQDN in RMS but I wasn't sure if this is what the SCP is referring to. I have tried deleting this record and letting RMS create it itself and that didn't change anything either. Any help would be greatly appreciated.

Just wanted you to know that I was able to solve this problem. For anyone else who may someday come across this problem. What I did to solve it was, on AD computer, I opened the run command and then ran ADSIedit.msc. The ADSI edit MMC window popped up and I browsed down to Configuration and then expanded the first node, then expanded Services and then I deleted the SCP that said CN=RightsManagementServices. I deleted the whole thing and subfolders and then I went back and reinstalled AD RMS on my server. This time it worked perfectly. Hopefully someone finds this information useful.

Hi I had same issue . You need to delete the SEP entry from Active Directory and the re-installed the ADRMS role . Don't make any mistake while installing it . I alos had the same issue i resoved it by deleteing SEP entry on my AD server . Mail me if you don't know how to delete the SEP entry . I will send the steps . Sarvenkumar@hotmail.com .

How to delete SEP entry form Active directory Domain? I received number of mail how to delete the Sep Go to active directory Site and services >select the (Active Directory Sites and services [computer.name.domain.com] and click on View , "Check the show services Node"it will show the service node now inside the service Go to "RightManagmentServices"folder and delete it . This step will delete the SEP from Active directory domain Thanks,Sarven

Thanks, Sally!I had the same problem andit is solved by this way.But, deinstallation of AD RMS by just removing the role through Server Manager may be bad idea in a production environment.The Decomissioning Guidemay be foundhere:http://technet.microsoft.com/en-us/library/cc770462(WS.10).aspxHowever, this guide contains no information on what to do if you have just removed the role withoutthe necessary preliminary steps.So, the problem remained is Active Directory configuration.We often read the installation/deployment guide and rarely deinstallation guide, as usual...Thanks again for help in solving the problem.

Tks Sarven,your solution work fine.I revolved my problem with RMS installation following yuor suggestion to remove entry in Directory Site and Services.

hi there, i got this problem also. the error is like this : <Informational>: This server might need to be restarted after the removal completes. Active Directory Rights Management Services Active Directory Rights Management Services: Removal failed <Error>: Attempt to perform custom actions before un-installing Active Directory Rights Management Server failed. Index was out of range. Must be non-negative and less than the size of the collection. Parameter name: index at System.Collections.CollectionBase.System.Collections.IList.get_Item(Int32 index) at System.DirectoryServices.PropertyValueCollection.get_Item(Int32 index) at Microsoft.RightsManagementServices.Configuration.ProvisionHelper.GetPort(String strTargetComputer, String strIIsService, String strSiteindex, Boolean fSSL) at Microsoft.RightsManagementServices.Configuration.ProvUtils.GetWebsites(String strTargetComputerName, String strIIsWebService) at Microsoft.RightsManagementServices.Configuration.ProvUtils.IsProvisioned() at Microsoft.RightsManagementServices.Configuration.ProvisioningBase.Unprovision() at Microsoft.RightsManagementServices.Configuration.ProvisionerBase.Unprovision() at Microsoft.RightsManagementServices.Configuration.CmdLineHandler.Run() The following role services were not removed: Active Directory Rights Management Server Please refer to the full log at: 'C:\Windows\logs\ServerManager.log' i already delete the SCP i already decommisioned the AD RMS but i still can't uninstall the AD RMS Server Role. does anybody know how to fix this issue? pls advise.. thx. Willie

Thanks, It also worked for me.

Thanks, Sarven!

Hi Guys, can anyone help me to sort the issue i raised on below link: http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/fa8a67cc-6945-4a6c-9bc8-8e950a9c7adb#fa8a67cc-6945-4a6c-9bc8-8e950a9c7adb Thanks in Advance Owais

AD RMS SCP registration is also discussed in the newly created AD RMS FAQ on the TechNet Wiki. Please, feel free to contribute to this list of questions and answers. http://social.technet.microsoft.com/wiki/contents/articles/ad-rms-faq.aspx#ADRMSSCP Thank you!