Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Attempting to install Active Directory Rights Management Services (AD RMS) fails with the following event:

Product: Windows Operating System
ID: 204
Source: Active Directory Rights Management Services
Version: 6.0
Symbolic Name: GetCertificateHierarchyFailedEvent
Message: Active Directory Rights Management Services (AD RMS) was not able to retrieve the certificate hierarchy  


This can occur if the Service Connection Point (SCP) is corrupt or invalid.


To resolve this issue, complete the following:

1. Open adsiedit.msc on a Domain Controller in the domain.
2. Connect to the Configuration container (“Select a well known Naming Context: Configuration”)
3. Navigate the following nodes: CN=Configuration [server name], CN=Services.
4. Verify that CN=RightsManagementServices and CN=SCP are missing.

Recreate the nodes, leaving them empty:

1. Navigate to CN=Configuration [server name], CN=Services
2. Right-click in Services and choose New Object
3. Select Container.
4. Name the container RightsManagementServices
5. In that new container, right-click and choose New Object
6. Select Container.
7. Name the container SCP

Exit out of ADSIEdit.


Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!