Deploying Active Directory Rights Management Services
in a Multiple Forest Environment Step-by-Step Guide
This step-by-step guide walks you through the process of setting
up two working Active Directory Rights Management Services (AD RMS)
infrastructures in a test environment. Specifically, this guide will look at
how to implement AD RMS in two different Active Directory forests and then
set up an AD RMS trusted user domain so that users in both forests can
exchange rights-protected information.
In this guide, you will create a test deployment that
includes the following components:
· Two AD RMS servers
· Two AD RMS database servers
· Two AD RMS clients
· Two Active Directory domain controllers
This guide assumes that you previously completed Windows
Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134),
and that you have already deployed the following components:
· An AD RMS server
· An AD RMS database server
· One AD RMS-enabled client
· One Active Directory domain controller
What This Guide Does Not Provide
This guide does not provide the following:
· An overview of AD RMS. For more information about the advantages that
AD RMS can bring to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726.
· Guidance for using identity federation with AD RMS. For guidance about this, see
the Using Identity Federation with Active Directory Rights Management Services
Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72135).
· Guidance for setting up and configuring AD RMS in a production environment.
· A complete technical reference for AD RMS.
We recommend that you first use the steps provided in this
guide in a test lab environment. Step-by-step guides are not necessarily meant
to be used to deploy Windows Server® features without additional
deployment documentation and should be used with discretion as a stand-alone
document.
Upon completion of this guide, you will have two working
AD RMS infrastructures configured with a trusted user domain. You can then
test and verify cross-forest AD RMS functionality as follows:
· Restrict permissions on a Microsoft® Word 2007 document in the CPANDL.COM domain.
· Have an authorized user in the TREYRESEARCH.NET domain open and work with the document.
The test environment described in this guide includes eight
computers connected to a private network and using the following operating
systems, applications, and services:

| Computer Name | Operating System | Applications and Services |
| --- | --- | --- |
| ADRMS-SRV, TREY-ADRMS | Windows Server® 2008 | AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing |
| CPANDL-DC, TREY-DC | Windows Server 2003 with Service Pack 2 (SP2) or Windows Server 2008 (see note below) | Active Directory, Domain Name System (DNS) |
| ADRMS-DB, TREY-DB | Windows Server 2003 with SP2 | Microsoft SQL Server® 2005 Standard Edition with Service Pack 2 (SP2) |
| ADRMS-CLNT, ADRMS-CLNT2 | Windows Vista® | Microsoft Office Word 2007 Enterprise Edition |

Note
Domain controllers running Windows 2000 Server with
Service Pack 4 can be used. However, in this step-by-step guide it is assumed
that you will be using domain controllers running either Windows
Server 2003 with SP2 or Windows Server 2008.
Note
Before installing and configuring the components in this
guide, you should verify that your hardware meets the minimum requirements for
AD RMS (http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form two private intranets and are connected
through a common hub or Layer 2 switch. This configuration can be emulated
in a virtual server environment, if desired. This step-by-step exercise uses
private addresses throughout the test lab configuration. The private network ID
10.0.0.0/24 is used for the intranet. The domain controller for the domain
named cpandl.com is CPANDL-DC and the domain controller for the domain name
treyresearch.net is TREY-DC. The following figure shows the configuration of
the test environment:
Step 1: Setting up the Trey Research Domain
The Trey Research infrastructure contains all of the
required components for an AD RMS installation. In this step, you install
the required computers that make up the Trey Research domain:
Use the following table as reference when setting up the
appropriate computer names, operating systems, and network settings that are
required to complete the steps in this guide.
Important
Before you configure your computers with static Internet
Protocol (IP) addresses, we recommend that you first complete Windows product
activation while each of your computers still has Internet connectivity.
| Computer name | Operating system requirement | IP settings | DNS settings |
| --- | --- | --- | --- |
| TREY-DC | Windows Server 2003 with Service Pack 2 (SP2) or Windows Server® 2008 | IP address: 10.0.0.30; Subnet mask: 255.255.255.0 | Configured by DNS server role. |
| TREY-ADRMS | Windows Server® 2008 (the AD RMS server role is available only on Windows Server 2008) | IP address: 10.0.0.33; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.30 |
| TREY-DB | Windows Server 2003 with SP2 | IP address: 10.0.0.34; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.30 |
| ADRMS-CLNT2 | Windows Vista | IP address: 10.0.0.32; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.30 |
Configure the domain controller (TREY-DC)
Depending on your environment, you can evaluate AD RMS
in either a Windows Server 2008 domain or a Windows Server 2003
domain. Use one of the following sections depending on the domain to be used.
Configure the Windows Server 2003–based domain controller
To configure the domain controller TREY-DC, you must install
Windows Server 2003, configure TCP/IP properties, install Active
Directory, and raise the Active Directory domain functional level to Windows
Server 2003.
First, install Windows Server 2003 with SP2 on the
TREY-DC computer.
To install Windows
Server 2003 Standard Edition
1. Start your computer by using the Windows
Server 2003 product CD. (You can use any edition of Windows
Server 2003 except the Web Edition to establish the domain.)
2. Follow the instructions that appear on your
computer screen, and when prompted for a computer name, type TREY-DC.
In this step, configure TCP/IP properties so that TREY-DC has
a static IP address of 10.0.0.30.
To configure TCP/IP properties on
TREY-DC
1. Log on to TREY-DC with the
TREY-DC\Administrator account.
2. Click Start, point to
Control Panel, point to Network
Connections, click Local Area Connection, and
then click Properties.
3. On the General tab,
click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following
IP address option. In the IP address box, type 10.0.0.30. In the Subnet
mask box, type 255.255.255.0.
5. Click OK, and then
click Close to close the Local Area
Connection Properties dialog box.
· Install
Active Directory
In this step, you are going to create a domain controller
for Trey Research. It is important that you first configure the IP addresses as
specified in the previous table before you attempt to install
Active Directory. This helps ensure that DNS records are configured
appropriately.
To configure TREY-DC as a domain
controller
1. Click Start, and then
click Run. In the Open box, type dcpromo, and then click OK.
2. On the Welcome page of the Active Directory
Installation Wizard, click Next.
3. Click Next, click the
Domain controller for a new domain option, and then
click Next.
4. Click the Domain in a new
forest option, and then click Next.
5. In Full DNS name for new
domain, type treyresearch.net
and then click Next.
6. In Domain NetBIOS name,
type treyresearch, and then click
Next three times.
7. Click the Install and
configure the DNS server on this computer and set this computer to use this
DNS server as its preferred DNS server option, and then click Next.
8. Click the Permissions
compatible only with Windows 2000 or Windows Server 2003 operating
systems option, and then click Next.
9. In the Restore Mode Password
and Confirm Password boxes, type a strong password, and
then click Next.
10. Click Next.
11. When the Active Directory Installation
Wizard is done, click Finish.
12. Click Restart Now.
· Raise
the domain functional level to Windows Server 2003
In this step, you raise the Active Directory domain
functional level to Windows Server 2003. This functional level allows the
use of Active Directory universal groups.
To raise the domain functional
level to Windows Server 2003
1. Log on to TREY-DC with the
TREYRESEARCH\Administrator account.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Users and Computers.
3. Right-click treyresearch.net,
and then click Raise Domain Functional Level.
4. In the list under Select an
available domain functional level, click Windows
Server 2003, and then click Raise.
Note
You cannot change the domain functional level once
you have raised it.
5. Click OK, and then
click OK again.
· Configure
a DNS forwarder
DNS forwarders are used in this guide to forward DNS
requests that cannot be resolved from the treyresearch.net domain to the
cpandl.com domain, and vice versa.
To configure a DNS forwarder on a
Windows Server 2003–based computer
1. Log on to TREY-DC with the
TREYRESEARCH\Administrator account.
2. Click Start, point to
Administrative Tools, and then click DNS.
3. Right-click TREY-DC,
and then click Properties.
4. Click the Forwarders
tab.
5. In the Selected domain's
forward IP address list section, type 10.0.0.1, and then click Add.
6. Click OK.
Configure the Windows Server 2008–based domain controller
To configure the domain controller TREY-DC, you must install
Windows Server 2008, configure TCP/IP properties, and install Active
Directory Domain Services.
First, install Windows Server 2008.
To install
Windows Server 2008
1. Start your computer by using the Windows
Server 2008 product CD.
2. Follow the instructions that appear on your
screen, and when prompted for a computer name, type TREY-DC.
Next, configure TCP/IP properties so that TREY-DC has a
static IPv4 address of 10.0.0.30.
To configure TCP/IP properties on
TREY-DC
1. Log on to TREY-DC with the
TREY-DC\Administrator account.
2. Click Start, click Control Panel, click Network and Internet,
click Network and Sharing Center, click Manage
Network Connections, right-click Local Area Connection,
and then click Properties.
3. On the Networking
tab, click Internet Protocol Version 4 (TCP/IPv4),
and then click Properties.
4. Click the Use the following
IP address option. In IP address, type 10.0.0.30, and in Subnet
mask, type 255.255.255.0.
5. Click the Use the following
DNS server addresses option. In Preferred DNS server,
type 10.0.0.30, and then click OK.
6. On the Networking
tab, clear the Internet Protocol Version 6 (TCP/IPv6)
check box.
7. Click OK, and then
click Close to close the Local Area
Connection Properties dialog box.
· Install
Active Directory Domain Services
In this step, you are going to create a domain controller
for Trey Research. It is important that you first configure the IP addresses as
specified in the previous procedure before you attempt to install
Active Directory Domain Services (AD DS). This helps ensure that DNS
records are configured appropriately.
To configure TREY-DC as a domain
controller
1. Click Start, and then
click Run.
2. In the Open box, type
dcpromo, and then click OK.
3. On the Welcome to the Active
Directory Domain Services Installation Wizard page, click Next.
4. Click the Domain controller
for a new domain option, and then click Next.
5. Click the Create a new
domain in a new forest option, and then click Next.
6. In the FQDN of the forest
root domain box, type treyresearch.net,
and then click Next.
7. In the Forest functional
level box, click Windows Server 2003, and
then click Next.
8. In the Domain functional
level box, click Windows Server 2003, and
then click Next.
9. Ensure that the DNS server
check box is selected, and then click Next.
10. If a message appears stating that a delegation for this DNS
server cannot be created because the authoritative parent zone was not found,
click Yes to continue. This is expected for a new forest root domain.
11. On the Location for Database,
Log Files, and SYSVOL page, click Next.
12. In the Password and Confirm password boxes, type a strong password, and then
click Next.
13. On the Summary page,
click Next to start the installation.
14. When the installation is complete, click Finish, and then click Restart Now.
Note
You must restart the computer after you complete this
procedure.
· Configure
a DNS forwarder
DNS forwarders are used in this guide to forward DNS
requests that cannot be resolved from the treyresearch.net domain to the
cpandl.com domain, and vice versa.
To configure a DNS forwarder
1. Log on to TREY-DC with the
TREYRESEARCH\Administrator account or another user account in the local
Administrators group.
2. Click Start, point to
Administrative Tools, and then click DNS.
3. Right-click TREY-DC,
and then click Properties.
4. Click the Forwarders
tab.
5. Click Edit.
6. Type 10.0.0.1,
and then click OK.
7. Click OK to close the
properties sheet.
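The following script is an added example and is not part of the Microsoft guide. It is the command-line form of the TREY-DC static address and DNS forwarder procedures above, followed by the name-resolution checks a practitioner should run before installing AD RMS, because a client in one forest later fetches use licenses from the other forest's cluster URL and fails silently if that name does not resolve. netsh, dnscmd and the .NET resolver are available on Windows Server 2008 (dnscmd is installed with the DNS Server role); the try/catch syntax needs Windows PowerShell 2.0. The adapter name "Local Area Connection" and the forwarder address 10.0.0.1 (CPANDL-DC) are taken from the guide; the host names trey-db.treyresearch.net and adrms-srv.cpandl.com are assumed to be the names given to those servers in this and the prerequisite guide.

```powershell
# Added example; not part of the Microsoft guide. Scripted equivalent of the
# TREY-DC static address and forwarder procedures, plus cross-forest DNS checks.
# Assumptions: adapter named "Local Area Connection"; CPANDL-DC at 10.0.0.1;
# run from an elevated prompt on TREY-DC after the DNS Server role is installed.

$Adapter   = 'Local Area Connection'
$LocalIp   = '10.0.0.30'
$Mask      = '255.255.255.0'
$Forwarder = '10.0.0.1'          # CPANDL-DC, per the forwarder procedure

# Static IPv4 address; a domain controller uses itself as preferred DNS server.
netsh interface ip set address $Adapter static $LocalIp $Mask
netsh interface ip set dns $Adapter static $LocalIp

# Send every query treyresearch.net cannot answer to the CPANDL forest.
# /ResetForwarders replaces the whole list, so name every forwarder at once.
dnscmd TREY-DC /ResetForwarders $Forwarder

function Test-ForestNames {
    # Names both forests must resolve before the trusted user domain exchange.
    $mustResolve = @(
        'trey-adrms.treyresearch.net',  # this forest's AD RMS cluster
        'trey-db.treyresearch.net',     # database server named during role setup (assumed name)
        'cpandl.com',                   # other forest, answered through the forwarder
        'adrms-srv.cpandl.com'          # other forest's AD RMS cluster (assumed name)
    )
    $failed = @()
    foreach ($name in $mustResolve) {
        try {
            [System.Net.Dns]::GetHostAddresses($name) | Out-Null
        } catch {
            $failed += $name
        }
    }
    return $failed
}

$unresolved = @(Test-ForestNames)
if ($unresolved.Count -gt 0) {
    Write-Warning ('Unresolved: ' + ($unresolved -join ', ') +
        '. Check the forwarder here and the matching forwarder on CPANDL-DC.')
} else {
    Write-Host 'All names resolve; DNS is ready for the AD RMS installation.'
}
```

Run the same checks on CPANDL-DC with the forwarder pointing at 10.0.0.30; resolution has to work in both directions for the trusted user domain exchange in Step 2.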
Create user accounts and groups
In this section, you create the user accounts and groups in
the TREYRESEARCH domain.
First, add the user accounts shown in the following table to
Active Directory or AD DS. Use the procedure following the table to create
the user accounts.
| Account Name | User Logon Name | E-mail address |
| --- | --- | --- |
| ADRMSADMIN | ADRMSADMIN | |
| ADRMSSRVC | ADRMSSRVC | |
| Terrence Philip | tphilip | tphilip@treyresearch.net |
To add new user accounts to the
TREYRESEARCH domain
1. Log on to TREY-DC with the
TREYRESEARCH\Administrator account.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Users and Computers.
3. In the console tree, expand treyresearch.net.
4. Right-click Users,
point to New, and then click User.
5. In the New Object – User
dialog box, type ADRMSADMIN in
the Full name and User logon name
boxes, and then click Next.
6. In the New Object – User
dialog box, type a password of your choice in the Password
and Confirm password boxes. Clear the User
must change password at next logon check box, click Next,
and then click Finish.
7. Repeat steps 4 through 6 for ADRMSSRVC and for Terrence Philip. For
Terrence Philip, type Terrence Philip in the Full name box and tphilip in the
User logon name box.
Next, add an e-mail address for Terrence Philip.
To add e-mail addresses to user
accounts
1. In the Active Directory
Users and Computers console, right-click Terrence
Philip, click Properties, type tphilip@treyresearch.net in the E-mail box, and then click OK.
2. Close the Active Directory
Users and Computers console.
Once the user accounts have been created, an Active
Directory Universal group should be created with Terrence Philip as a member.
The following table lists the Universal group that should be added to Active
Directory. Use the procedure following the table to create the Universal group.
| Group Name | E-mail address |
| --- | --- |
| Employees | employees@treyresearch.net |
To add a new group object to
Active Directory
1. In the Active Directory
Users and Computers console, right-click Users,
point to New, and then click Group.
2. In the New Object – Group
dialog box, type Employees in Group name, click the Universal option
for the Group Scope, and then click OK.
Next, add an e-mail address to the Trey Research employees
group:
To add an e-mail address to a
group object
1. In the Active Directory
Users and Computers console, double-click Users,
right-click Employees, and then click Properties.
2. Type employees@treyresearch.net
in the E-mail box, and then click OK.
Finally, add Terrence Philip to the Employees group by
following these steps:
To add Terrence Philip to the
Employees group
1. In the Active Directory
Users and Computers console, double-click Users,
and then double-click Employees.
2. Click Members, and
then click Add.
3. Type tphilip@treyresearch.net,
and then click OK.
4. Close the Active Directory
Users and Computers console.
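As an added example that is not part of the Microsoft guide, the script below creates the same three accounts and the Employees universal group with dsadd and ADSI, both available on Windows Server 2003 and 2008 domain controllers, and then verifies the properties AD RMS depends on. AD RMS expands rights granted to a group through the group's mail attribute, so a group without one silently grants nothing; the check at the end catches that. It assumes the default Users container, as in the guide, and uses `-pwd *` so that dsadd prompts for each password instead of having it stored in the script.

```powershell
# Added example; not part of the Microsoft guide. Creates the TREYRESEARCH
# accounts and the Employees universal group from the tables above.
# Run on TREY-DC as TREYRESEARCH\Administrator. Assumes the default Users container.

$UsersCn = 'CN=Users,DC=treyresearch,DC=net'

# Full name, logon name and mail attribute as listed in the account table.
$Accounts = @(
    @{ Cn = 'ADRMSADMIN';      Sam = 'ADRMSADMIN'; Mail = $null },
    @{ Cn = 'ADRMSSRVC';       Sam = 'ADRMSSRVC';  Mail = $null },
    @{ Cn = 'Terrence Philip'; Sam = 'tphilip';    Mail = 'tphilip@treyresearch.net' }
)

foreach ($a in $Accounts) {
    $dn = "CN=$($a.Cn),$UsersCn"
    # "-pwd *" prompts for the password; "-mustchpwd no" corresponds to clearing
    # "User must change password at next logon" in the procedure above.
    $dsArgs = @('user', $dn, '-samid', $a.Sam, '-upn', "$($a.Sam)@treyresearch.net",
                '-display', $a.Cn, '-pwd', '*', '-mustchpwd', 'no', '-disabled', 'no')
    if ($a.Mail) { $dsArgs += @('-email', $a.Mail) }
    & dsadd $dsArgs
    if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $dn" }
}

# Universal scope requires the Windows Server 2003 domain functional level raised
# earlier in this guide. dsadd has no mail switch for groups, so set it via ADSI.
$groupDn = "CN=Employees,$UsersCn"
dsadd group $groupDn -scope u -secgrp yes -members "CN=Terrence Philip,$UsersCn"
if ($LASTEXITCODE -ne 0) { throw 'dsadd group failed' }

$group = [ADSI]"LDAP://$groupDn"
$group.Put('mail', 'employees@treyresearch.net')
$group.SetInfo()

function Test-EmployeesGroup {
    # AD RMS resolves group rights through the mail attribute; also confirm the
    # universal-scope bit (0x8 in groupType) and the membership.
    $g = [ADSI]"LDAP://CN=Employees,$UsersCn"
    $isUniversal = ([int]$g.Properties['groupType'].Value -band 0x8) -ne 0
    $hasMail     = $g.Properties['mail'].Value -eq 'employees@treyresearch.net'
    $hasMember   = @($g.Properties['member']) -contains "CN=Terrence Philip,$UsersCn"
    return ($isUniversal -and $hasMail -and $hasMember)
}

if (-not (Test-EmployeesGroup)) {
    throw 'Employees group is not configured as the guide requires'
}
```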
Configure the AD RMS database server (TREY-DB)
First, install Windows Server 2003 on the computer that
will host the AD RMS databases.
To install Windows
Server 2003 Standard Edition
1. Start your computer using the Windows
Server 2003 product CD.
2. Follow the instructions that appear on your
computer screen, and when prompted for a computer name, type TREY-DB.
In this step, configure TCP/IP properties so that TREY-DB
has a static IP address of 10.0.0.34.
To configure TCP/IP properties on
TREY-DB
1. Log on to TREY-DB with the
TREY-DB\Administrator account.
2. Click Start, point to
Control Panel, point to Network
Connections, click Local Area Connection, and
then click Properties.
3. On the General tab,
click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following
IP address option. In the IP address box, type 10.0.0.34. In the Subnet
mask box, type 255.255.255.0.
5. Click OK, and then
click Close to close the Local Area
Connection Properties dialog box.
Next, join the AD RMS database server (TREY-DB)
computer to the TREYRESEARCH domain:
To join TREY-DB to the
TREYRESEARCH domain
1. Click Start,
right-click My Computer, and then click Properties.
2. Click Computer Name
tab, and then click Change.
3. In the Computer Name Changes
dialog box, select the Domain option, and then type treyresearch.net.
4. Click More, and then
type treyresearch.net in the Primary DNS suffix of this computer box.
5. Click OK twice.
6. When a Computer Name Changes
dialog box appears prompting you for administrative credentials, provide the
credentials for TREYRESEARCH\Administrator, and then click OK.
7. When a Computer Name Changes
dialog box appears welcoming you to the treyresearch.net domain, click
OK.
8. When a Computer Name Changes
dialog box appears telling you that the computer must be restarted, click OK, and then click OK again.
9. Click Yes to restart
the computer.
Next, install Microsoft SQL Server 2005 Standard
Edition:
To install Microsoft SQL
Server 2005
1. Log on to TREY-DB with the
TREYRESEARCH\Administrator account.
2. Insert the Microsoft SQL Server 2005
product CD. The installation will start automatically.
3. Click the I accept the
licensing terms and conditions check box, and then click Next.
4. On the Installing Prerequisites
page, click Install.
5. Click Next.
6. On the Welcome to the
Microsoft SQL Server Installation Wizard page, click Next, and then click Next again.
7. In the Name box, type
your name. In the Company box, type the name of your
organization, and then type in the appropriate product key. Click Next.
8. Select the SQL Server
Database Services, and Workstation components, Books
Online, and development tools check boxes, and then click Next.
9. Select the Default instance
option, and then click Next.
10. Click the Use the built-in
System account option, and then click Next.
11. Click the Windows
Authentication Mode option, and then click Next.
12. Click Next, accepting
the default Collation Settings, and then click Next again.
13. Click Install. When the
status of all the selected components is finished, click Next.
14. Click Finish.
Next, add ADRMSADMIN to the local Administrators group on
TREY-DB. The user account that installs AD RMS needs this membership in order
to create the AD RMS databases. After AD RMS is installed, ADRMSADMIN
can be removed from this group.
To add ADRMSADMIN to local
Administrators group
1. Click Start, point to
Administrative Tools, and then click Computer
Management.
2. Expand System Tools,
expand Local Users and Groups, and then click Groups.
3. Right-click Administrators,
click Add to Group, click Add,
type ADRMSADMIN in Enter the object names to select (examples) box, and then
click OK.
4. Click OK, and then
close Computer Management.
Configure the AD RMS root cluster computer (TREY-ADRMS)
In this section, the AD RMS root cluster computer is
installed and the AD RMS role is added.
Install the AD RMS root cluster computer
To configure the AD RMS root cluster computer,
TREY-ADRMS, you must install Windows Server 2008, configure TCP/IP
properties, and then join TREY-ADRMS to the domain treyresearch.net. You must
also add the account ADRMSADMIN as a member of the local Administrators group
so that an administrator can use the ADRMSADMIN account to install AD RMS
on TREY-ADRMS.
First, install Windows Server 2008 as a stand-alone
server.
To install
Windows Server 2008
1. Start your computer by using the Windows
Server 2008 product CD.
2. When prompted for a computer name, type TREY-ADRMS.
3. Follow the rest of the instructions that appear
on your screen to finish the installation.
Next, configure TCP/IP properties so that TREY-ADRMS has a
static IP address of 10.0.0.33. In addition, configure the DNS server by using
the IP address of TREY-DC (10.0.0.30).
To configure TCP/IP Properties
1. Log on to TREY-ADRMS with the
TREY-ADRMS\Administrator account or another user account in the local
Administrators group.
2. Click Start, click Control Panel, double-click Network and
Sharing Center, click Manage Network Connections,
right-click Local Area Connection, and then click Properties.
3. On the Networking
tab, click Internet Protocol Version 4 (TCP/IPv4),
and then click Properties.
4. Click the Use the following
IP address option. In IP address, type 10.0.0.33. In Subnet
mask, type 255.255.255.0.
5. Click the Use the following
DNS server addresses option. In Preferred DNS server,
type 10.0.0.30.
6. Click OK, and then
click Close to close the Local Area
Connection Properties dialog box.
Next, join TREY-ADRMS to the treyresearch.net domain.
To join TREY-ADRMS to the
treyresearch.net domain
1. Click Start,
right-click Computer, and then click Properties.
2. Click Change settings
(at the right side under Computer name, domain, and workgroup
settings), and then click Change.
3. In the Computer Name/Domain
Changes dialog box, select the Domain option,
and then type treyresearch.net.
4. Click More, and type treyresearch.net in Primary
DNS suffix of this computer box.
5. Click OK, and then
click OK again.
6. When a Computer Name/Domain
Changes dialog box appears prompting you for administrative
credentials, provide the credentials for TREYRESEARCH\Administrator, and then
click OK.
7. When a Computer Name/Domain
Changes dialog box appears welcoming you to the treyresearch.net
domain, click OK.
8. When a Computer Name/Domain
Changes dialog box appears telling you that the computer must be
restarted, click OK, and then click Close.
9. Click Restart Now.
After the computer has restarted, add ADRMSADMIN to the
local administrators group on TREY-ADRMS.
To add ADRMSADMIN to the local
administrators group
1. Log on to TREY-ADRMS with the
TREYRESEARCH\Administrator account.
2. Click Start, click Administrative Tools, and then click Computer
Management.
3. Expand System Tools,
expand Local Users and Groups, and then click Groups.
4. Right-click Administrators,
click Add to Group, click Add,
type ADRMSADMIN in Enter the object names to select (examples) box, and then
click OK.
5. Click OK, and then
close Computer Management.
Add the AD RMS server role to TREY-ADRMS
Windows Server 2008 includes the option to install
AD RMS as a server role through Server Manager. Both installation and
configuration of AD RMS are handled through Server Manager. The first
server in an AD RMS environment is the root cluster. An AD RMS root
cluster is composed of one or more AD RMS servers configured in a
load-balancing environment. This section will install and configure a
single-server AD RMS root cluster in the treyresearch.net domain.
Registering the AD RMS service connection point (SCP)
requires that the installing user account be a member of the Active Directory
Enterprise Admins group.
Important
Access to the Enterprise Admins group should be granted only
while AD RMS is being installed. After installation is complete, the TREYRESEARCH\ADRMSADMIN
account should be removed from this group.
To add ADRMSADMIN to the
Enterprise Admins group
1. Log on to TREY-DC with the
treyresearch\Administrator account.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Users and Computers.
3. In the console tree, expand treyresearch.net,
double-click Users, and then double-click Enterprise Admins.
4. Click the Members tab,
and then click Add.
5. Type adrmsadmin@treyresearch.net,
and then click OK.
Install and configure AD RMS as a root cluster.
To add the AD RMS server role
1. Log on to TREY-ADRMS as
treyresearch\ADRMSADMIN.
2. Click Start, point to
Administrative Tools, and then click Server
Manager.
3. If the User Account Control
dialog box appears, confirm that the action it displays is what you want, and
then click Continue.
4. In the Roles Summary
box, click Add Roles. The Add Roles
Wizard opens.
5. Read the Before You Begin
section, and then click Next.
6. On the Select Server Roles
page, select the Active Directory Rights Management Services
check box.
7. The Role Services
page appears informing you of the AD RMS dependent role services and
features. Make sure that Web Server (IIS), Windows Process Activation Service
(WPAS), and Message Queuing are listed, and then click Add
Required Role Services. Click Next.
8. Read the AD RMS introduction page, and
then click Next.
9. On the Select Role Services
page, verify that the Active Directory Rights Management
Server check box is selected, and then click Next.
10. Click the Create a new
AD RMS cluster option, and then click Next.
11. Click the Use a different
database server option.
12. Click Select, type
TREY-DB in the Select
Computer dialog box, and then click OK.
13. In Database Instance,
click Default, and then click Validate.
14. Click Next.
15. Click Specify, type TREYRESEARCH\ADRMSSRVC, type the
password for the account, click OK, and then click Next.
16. Ensure that the Use
AD RMS centrally managed key storage option is selected, and then
click Next.
17. Type a strong password in the Password box and in the Confirm password
box, and then click Next.
18. Choose the Web site where AD RMS will
be installed, and then click Next. In an installation
that uses default settings, the only available Web site should be Default Web Site.
19. Click the Use an
SSL-encrypted connection (https://) option.
20. In the Fully-Qualified Domain
Name box, type trey-adrms.treyresearch.net,
and then click Validate. If validation succeeds, the Next button becomes available. Click Next.
21. Click the Choose an existing
certificate for SSL encryption option, click the certificate that has
been imported for this AD RMS cluster, and then click Next.
22. Type a name that will help you identify the
AD RMS cluster in the Friendly name box, and then
click Next.
23. Ensure that the Register the
AD RMS service connection point now option is selected, and then
click Next to register the AD RMS service
connection point (SCP) in Active Directory during installation.
24. Read the Introduction to Web
Server (IIS) page, and then click Next.
25. Keep the Web server default check box
selections, and then click Next.
26. Click Install to
provision AD RMS on the computer. It can take up to 60 minutes to
complete the installation.
27. Click Close.
28. Log off the server, and then log on again to
update the security token of the logged-on user account. The user account
that is logged on when the AD RMS server role is installed is
automatically made a member of the AD RMS Enterprise Administrators
local group. A user must be a member of that group to administer AD RMS.
Note
At this point in the guide, you can remove
treyresearch\ADRMSADMIN from the local Administrators group on TREY-DB.
Your AD RMS root cluster is now installed and
configured.
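The memberships granted to ADRMSADMIN in this section (local Administrators on TREY-DB and TREY-ADRMS, and Enterprise Admins for the service connection point) are only needed while the role is installed. The script below is an added example, not part of the Microsoft guide, that grants them from one place, pauses for the installation, confirms that the SCP was actually registered, and then removes the two memberships the guide says to remove (TREY-DB local Administrators and Enterprise Admins). It uses the ADSI WinNT and LDAP providers available on Windows Server 2008, is assumed to run on TREY-DC as TREYRESEARCH\Administrator, and uses the host names and cluster URL from this guide. The SCP location under the Configuration partition is the documented AD RMS location; the check reads the URL from its serviceBindingInformation attribute.

```powershell
# Added example; not part of the Microsoft guide. Just-in-time memberships for
# the AD RMS role installation, with an SCP check before they are revoked.
# Assumptions: run on TREY-DC as TREYRESEARCH\Administrator; hostnames and the
# cluster URL are the ones used in this guide.

$Account    = 'WinNT://TREYRESEARCH/ADRMSADMIN,user'
$AccountDn  = 'CN=ADRMSADMIN,CN=Users,DC=treyresearch,DC=net'
$EaPath     = 'LDAP://CN=Enterprise Admins,CN=Users,DC=treyresearch,DC=net'
$ClusterUrl = 'https://trey-adrms.treyresearch.net'

function Grant-InstallMemberships {
    # Local Administrators on the database server (to create the AD RMS databases)
    # and on the cluster server (to run Server Manager as ADRMSADMIN).
    foreach ($server in @('TREY-DB', 'TREY-ADRMS')) {
        ([ADSI]"WinNT://$server/Administrators,group").Add($Account)
    }
    # Enterprise Admins is needed only to register the SCP during setup.
    ([ADSI]$EaPath).Add("LDAP://$AccountDn")
}

function Revoke-InstallMemberships {
    # The guide removes the TREY-DB and Enterprise Admins memberships after
    # installation and leaves ADRMSADMIN a local administrator on TREY-ADRMS.
    ([ADSI]'WinNT://TREY-DB/Administrators,group').Remove($Account)
    ([ADSI]$EaPath).Remove("LDAP://$AccountDn")
}

function Test-AdRmsScp {
    # AD RMS registers its SCP in the Configuration partition; the cluster URL is
    # stored in serviceBindingInformation. Clients use it to find the cluster, so
    # a missing SCP later shows up as clients that cannot obtain certificates.
    $cfgDn   = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $scpPath = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$cfgDn"
    if (-not [ADSI]::Exists($scpPath)) { return $false }
    $bindings = @(([ADSI]$scpPath).Properties['serviceBindingInformation'])
    return [bool]($bindings | Where-Object { $_ -like "$ClusterUrl*" })
}

Grant-InstallMemberships
Write-Host 'Install the AD RMS role on TREY-ADRMS as TREYRESEARCH\ADRMSADMIN, then press Enter.'
Read-Host | Out-Null

if (Test-AdRmsScp) {
    Revoke-InstallMemberships
    Write-Host 'SCP registered; temporary memberships removed.'
} else {
    Write-Warning "No SCP found for $ClusterUrl. Register it from the AD RMS console, then re-run the check before removing the memberships."
}
```

If the SCP check fails after a successful installation, the usual cause is that the installing account was not yet in Enterprise Admins when it logged on; log off and on again so the token includes the group, then register the SCP from the AD RMS console.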
Configure the AD RMS client computer (ADRMS-CLNT2)
To configure the ADRMS-CLNT2 client computer in the
TREYRESEARCH domain, you must install Windows Vista, configure TCP/IP
properties, and then join the computer to the TREYRESEARCH domain. You must
also install an AD RMS-enabled application. In this example, Microsoft
Office Word 2007 Enterprise Edition is installed on the client.
To install Windows Vista
1. Start your computer by using the
Windows Vista product CD.
2. Follow the instructions that appear on your
screen, and when prompted for a computer name, type ADRMS-CLNT2.
Next, configure TCP/IP properties so that ADRMS-CLNT2 has a
static IP address of 10.0.0.32. In addition, configure the DNS server of
TREY-DC (10.0.0.30).
To configure TCP/IP properties
1. Log on to ADRMS-CLNT2 with the
ADRMS-CLNT2\Administrator account or another user account in the local
Administrators group.
2. Click Start, click Network, and then click Network and Sharing
Center.
3. Click Manage Network
Connections, right-click Local Area Connection, and
then click Properties.
4. On the Networking
tab, click Internet Protocol Version 4 (TCP/IPv4), and
then click Properties.
5. Select the Use the following
IP address option. In IP address, type 10.0.0.32, in Subnet
mask, type 255.255.255.0.
6. Select the Use the following
DNS server addresses option. In Preferred DNS server,
type 10.0.0.30.
7. Click OK, and then
click Close to close the Local Area
Connection Properties dialog box.
Next, join the ADRMS-CLNT2 to the TREYRESEARCH domain.
To join ADRMS-CLNT2 to the
TREYRESEARCH domain
1. Click Start,
right-click Computer, and then click Properties.
2. Under Computer name, domain,
and workgroup settings, click Change settings.
3. On the Computer Name
tab, click Change.
4. In the Computer Name/Domain
Changes dialog box, select the Domain option,
and then type treyresearch.net.
5. Click More, and in
the Primary DNS suffix of this computer box, type treyresearch.net.
6. Click OK, and click OK again.
7. When a Computer Name/Domain
Changes dialog box appears prompting you for administrative
credentials, provide the credentials for treyresearch\administrator, and then
click OK.
8. When a Computer Name/Domain
Changes dialog box appears welcoming you to the treyresearch.net
domain, click OK.
9. When a Computer Name/Domain
Changes dialog box appears telling you that the computer must be
restarted, click OK, and then click Close.
10. In the System Settings Change
dialog box, click Yes to restart the computer.
Finally, install Microsoft Office Word 2007 Enterprise
Edition on ADRMS-CLNT2.
To install Microsoft Office
Word 2007 Enterprise
1. Double-click setup.exe
from the Microsoft Office 2007 Enterprise product CD.
2. Click Customize as
the installation type, set the installation type to Not
Available for all applications except Microsoft Office Word 2007
Enterprise, and then click Install Now. This might take
several minutes to complete.
Important
Only the Ultimate, Professional Plus, and Enterprise
editions of Microsoft Office 2007 allow you to create rights-protected
content. All editions will allow you to consume rights-protected content.
Step 2: Configure AD RMS to Work Across Forests
In this step, you do the following:
· Create a trusted user domain between the AD RMS installations
In a default AD RMS installation, use licenses are not
issued to users whose rights account certificates (RACs) were issued by a different
AD RMS cluster. You can configure AD RMS so that it processes this
type of request by importing the trusted user domain (TUD) of another AD RMS
installation. The exported TUD file carries that cluster's server licensor
certificate, so importing it tells your cluster to accept RACs that chain to
that certificate.
The trusted user domain must be exported from one
AD RMS cluster and then imported into the other. A trusted user domain is
required only if the AD RMS clusters are in different forests. Note that a user
in the trusting forest still obtains use licenses from the cluster that protected
the content, so the client must be able to resolve that cluster's URL (the DNS
forwarders configured in Step 1) and must trust the certification authority that
issued that cluster's SSL certificate.
First, export the trusted user domain by using the Active
Directory Rights Management Services console.
To export a trusted user domain
from the cpandl.com domain
1. Log on to ADRMS-SRV as cpandl\adrmsadmin.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Rights Management Services.
3. If the User Account Control
dialog box appears, confirm that the action it displays is what you want, and
then click Continue.
4. Expand the AD RMS cluster, and then
expand Trust Policies.
5. Click Trusted User Domains,
right-click the certificate named Enterprise, and then
click Export Trusted User Domain.
6. In the File name box,
type \\adrms-db\public\cpandlTUD.bin,
and then click Save.
Note
For scenarios in which the domains are in different
networks, make sure that the users in the second domain can access the
location of this file.
Next, import the trusted user domain that was just exported
from the AD RMS cluster in the CPANDL domain into the TREYRESEARCH domain
by using the Active Directory Rights Management Services console.
To import a trusted user domain
file into the treyresearch.net domain
1. Log on to TREY-ADRMS as
treyresearch\adrmsadmin.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Rights Management Services.
3. If the User Account Control
dialog box appears, confirm that the action it displays is what you want, and
then click Continue.
4. Expand the AD RMS cluster, expand Trust Policies, right-click Trusted User
Domains, and then click Import Trusted User Domain.
5. In the Trusted user domain
file box, type \\adrms-db\public\cpandlTUD.bin.
6. In the Display name
box, type CPANDL.COM, and then
click Finish.
Finally, repeat the above procedures and import the Trey
Research trusted user domain file into the CPANDL domain.
To export a trusted user domain
from the treyresearch.net domain
1. Log on to TREY-ADRMS as
treyresearch\adrmsadmin.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Rights Management Services.
3. If the User Account Control
dialog box appears, confirm that the action it displays is what you want, and
then click Continue.
4. Expand the AD RMS cluster, and then
expand Trust Policies.
5. Click Trusted User Domains,
right-click the certificate named Enterprise, and then
click Export Trusted User Domain.
6. In the File name box,
type \\adrms-db\public\treyresearchTUD.bin,
and then click Save.
Note
For scenarios in which the domains are in different
networks, make sure that the users in the second domain can access the
location of this file.
To import a trusted user domain
file into the cpandl.com domain
1. Log on to ADRMS-SRV as cpandl\adrmsadmin.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Rights Management Services.
3. If the User Account Control
dialog box appears, confirm that the action it displays is what you want, and
then click Continue.
4. Expand the AD RMS cluster, expand Trust Policies, right-click Trusted User
Domains, and then click Import Trusted User Domain.
5. In the Trusted user domain
file box, type \\adrms-db\public\treyresearchTUD.bin.
6. In the Display name
box, type TREYRESEARCH.NET, and
then click Finish.
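The trusted user domain file that both procedures above move through \\adrms-db\public is the artifact that makes one cluster accept rights account certificates issued by the other, so the importing administrator should confirm that the file picked up from the share is the one the other cluster exported. The following PowerShell is an added example, not part of the Microsoft guide: it computes a SHA-256 fingerprint of the exported file so that the two administrators can compare it over a channel other than the share itself. It uses only .NET types, so it runs on Windows Server 2008 without additional modules; the function names are this example's own, and the expected hash is a placeholder.

```powershell
# Added example (not from the Microsoft guide): fingerprint an exported trusted
# user domain (TUD) file so that the importing side can confirm, out of band,
# that it is the file the other AD RMS cluster exported.

function Get-TudFingerprint {
    param([Parameter(Mandatory=$true)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        throw "TUD file not found: $Path"
    }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) {
        throw "TUD file is empty: $Path"
    }
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha256.ComputeHash($bytes)
    } finally {
        $sha256.Clear()   # releases the provider; works on .NET 2.0 and later
    }
    # Lowercase hex, no separators, so it can be read out or pasted easily
    return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLowerInvariant()
}

function Test-TudFingerprint {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$ExpectedSha256
    )
    $actual = Get-TudFingerprint -Path $Path
    if ($actual -ne $ExpectedSha256.ToLowerInvariant()) {
        Write-Warning "Fingerprint mismatch for $Path`n expected: $ExpectedSha256`n actual:   $actual"
        return $false
    }
    Write-Host "Fingerprint verified for $Path"
    return $true
}

# On the exporting cluster (ADRMS-SRV in this guide): record the fingerprint
# right after Export Trusted User Domain and pass it to the other administrator.
Get-TudFingerprint -Path '\\adrms-db\public\cpandlTUD.bin'

# On the importing cluster (TREY-ADRMS in this guide): check the file on the
# share before running Import Trusted User Domain. The expected value below is a
# placeholder for the fingerprint received out of band.
Test-TudFingerprint -Path '\\adrms-db\public\cpandlTUD.bin' `
    -ExpectedSha256 '<expected-sha256-from-exporting-admin>'
```

Run the first call on the exporting server and the second on the importing server; the same two calls apply unchanged to treyresearchTUD.bin when the trust is set up in the other direction.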
· Enable anonymous access on the AD RMS licensing pipeline
For each AD RMS cluster, you must enable anonymous
access on the AD RMS license.asmx and servicelocator.asmx files in the
licensing pipeline.
To enable anonymous access on the
AD RMS licensing pipeline
1. Log on to ADRMS-SRV as cpandl\adrmsadmin.
2. Click Start, point to
Administrative Tools, and then click Internet
Information Services (IIS) Manager.
3. If the User Account Control
dialog box appears, confirm that the action it displays is what you want, and
then click Continue.
4. Expand the domain node, expand Sites, expand Default Web Site, and
then expand _wmcs.
5. Right-click the licensing
folder, and then click Switch to Content View.
6. Right-click ServiceLocator.asmx,
and then click Switch to Features View.
7. Under IIS, double-click Authentication,
right-click Anonymous Authentication, and then click Enable.
8. Right-click the licensing
directory again, and then click Switch to Content View.
9. Right-click license.asmx,
and then click Switch to Features View.
10. Double-click Authentication,
right-click Anonymous Authentication, and then click Enable.
11. Log on to TREY-ADRMS as
treyresearch\adrmsadmin and repeat steps 1-10 for the treyresearch.net
domain.
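The procedure above deliberately enables Anonymous Authentication on two files only, license.asmx and ServiceLocator.asmx, not on the licensing folder that contains them. The following PowerShell is an added example, not part of the Microsoft guide: it makes the same change on one cluster with the IIS WebAdministration cmdlets and then reads the effective setting back for the two files and for the folder, so you can see that the scope is exactly what the GUI steps produce. It assumes PowerShell 2.0 or later, the WebAdministration snap-in (Windows Server 2008) or module (later versions), and the default AD RMS virtual directory layout used in this guide; run it once on each AD RMS server.

```powershell
# Added example (not from the Microsoft guide): enable Anonymous Authentication
# on exactly the two licensing-pipeline files, then verify the scope.

if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration          # Windows Server 2008 R2 and later
} else {
    Add-PSSnapin WebAdministration           # IIS 7.0 PowerShell snap-in on Windows Server 2008
}

$site       = 'Default Web Site'
$pipeline   = "$site/_wmcs/licensing"
$anonFilter = '/system.webServer/security/authentication/anonymousAuthentication'

# Only these two files are meant to answer unauthenticated requests.
$anonymousFiles = @('license.asmx', 'ServiceLocator.asmx')

function Get-AnonymousState {
    param([Parameter(Mandatory=$true)][string]$Location)
    # The authentication sections are locked to applicationHost.config, so the
    # setting is read (and written) via a <location> path rather than a web.config.
    $value = Get-WebConfigurationProperty -Filter $anonFilter -Name enabled -PSPath 'IIS:\' -Location $Location
    if ($value -is [bool]) { return $value }   # some versions return the raw value
    return [bool]$value.Value                  # others wrap it in a ConfigurationAttribute
}

foreach ($file in $anonymousFiles) {
    Set-WebConfigurationProperty -Filter $anonFilter -Name enabled -Value $true `
        -PSPath 'IIS:\' -Location "$pipeline/$file"
}

# Verify: the two files are anonymous, the folder that contains them is not.
foreach ($file in $anonymousFiles) {
    "{0,-55} anonymous = {1}" -f "$pipeline/$file", (Get-AnonymousState -Location "$pipeline/$file")
}
"{0,-55} anonymous = {1}" -f $pipeline, (Get-AnonymousState -Location $pipeline)
```

The last line of output is the check that matters: if the licensing folder itself reports anonymous = True, the setting was applied one level too high and every file in the pipeline, not just the two service entry points, now accepts unauthenticated requests.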
· Extend Active Directory schema
When users across Active Directory forests need to exchange
rights-protected content, the AD RMS clusters need to know the forest in
which the user account or group resides. This is done by using the
msExchOriginatingForest Active Directory schema attribute. This schema
attribute is installed with Microsoft Exchange Server 2003 and later. If
you do not have an Exchange server deployed in your environment, you must extend
the schema to include this attribute by using ldifde.exe from the command
prompt on a domain controller in each forest.
· Extend the schema in the cpandl.com domain
To extend the schema in the cpandl.com domain, copy the following text into a
text file named cpandl.ldf. In this guide, you save it to the
cpandl\administrator desktop on CPANDL-DC.
dn:
CN=ms-Exch-Originating-Forest,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory:
CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0
dn: CN=Contact,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-
dn: CN=User,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-
Finally, you should run the ldifde.exe command to extend the
schema by using the following procedure:
To run the ldifde command to
extend the schema
1. Log on to CPANDL-DC as
cpandl\administrator.
2. Click Start, and then
click Command Prompt.
3. Type the following, and then press ENTER:
cd %systemdrive%\Users\Administrator\Desktop
where %systemdrive% is the volume on which
Windows Server 2008 is installed.
4. Type the following, and then press ENTER:
ldifde.exe -s cpandl-dc -v -i -k -f cpandl.ldf /c "CN=Schema,CN=Configuration,DC=CPANDL,DC=COM" "CN=Schema,CN=Configuration,DC=CPANDL,DC=COM"
Note
The last two entries of this command are the same
because the source and target name are the same.
5. To confirm that the command was successful, check that the last two lines
of the output are the following:
4 entries modified successfully.
The command has completed successfully.
· Extend the schema in the treyresearch.net domain
To extend the schema in the treyresearch.net domain, copy the following text
into a text file named trey.ldf. In this guide, you save it to the
treyresearch\administrator desktop on TREY-DC.
dn: CN=ms-Exch-Originating-Forest,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory:
CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0
dn: CN=Contact,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-
dn: CN=Group,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-
dn: CN=User,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-
Finally, you should run the ldifde.exe command to extend the
schema by using the following procedure:
To run the ldifde command to
extend the schema
1. Log on to TREY-DC as
treyresearch\administrator.
2. Click Start, and then
click Command Prompt.
3. Type the following, and then press ENTER:
cd %systemdrive%\Users\Administrator\Desktop
where %systemdrive% is the volume on which
Windows Server 2008 is installed.
4. Type the following, and then press ENTER:
ldifde.exe -s trey-dc -v -i -k -f trey.ldf /c "CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET" "CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET"
Note
The last two entries of this command are the same
because the source and target name are the same.
5. To confirm that the command was successful, check that the last two lines
of the output are the following:
4 entries modified successfully.
The command has completed successfully.
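The "4 entries modified successfully" line only tells you that ldifde applied four changes; it does not show which attribute landed in which class. The following PowerShell is an added example, not part of the Microsoft guide: it reads the schema partition of whichever forest it is run in and checks that the ms-Exch-Originating-Forest attribute exists with the attributeID and lDAPDisplayName from the .ldf files above, and that User, Group and Contact each list msExchOriginatingForest in mayContain. It uses the [ADSI] type accelerator, so it runs on CPANDL-DC and TREY-DC without the ActiveDirectory module; the function name is this example's own.

```powershell
# Added example (not from the Microsoft guide): verify the schema extension
# applied by cpandl.ldf / trey.ldf in the forest this script runs in.

function Test-OriginatingForestSchema {
    $rootDse     = [ADSI]'LDAP://RootDSE'
    $schemaNc    = $rootDse.schemaNamingContext.Value
    $expectedOid = '1.2.840.113556.1.4.7000.102.50300'   # attributeID from the .ldf
    $ok = $true

    # 1. The attributeSchema object itself
    $attrPath = "LDAP://CN=ms-Exch-Originating-Forest,$schemaNc"
    if (-not [ADSI]::Exists($attrPath)) {
        Write-Warning "attributeSchema ms-Exch-Originating-Forest is missing under $schemaNc"
        return $false
    }
    $attr = [ADSI]$attrPath
    $oid  = $attr.attributeID.Value
    $ldap = $attr.lDAPDisplayName.Value
    if ($oid -ne $expectedOid -or $ldap -ne 'msExchOriginatingForest') {
        Write-Warning "Attribute present but with unexpected values: attributeID=$oid lDAPDisplayName=$ldap"
        $ok = $false
    } else {
        "Attribute OK: $ldap ($oid)"
    }

    # 2. mayContain on each class the .ldf modifies (one 'changetype: modify' each)
    foreach ($class in 'User', 'Group', 'Contact') {
        $cls = [ADSI]"LDAP://CN=$class,$schemaNc"
        $mayContain = @($cls.mayContain)
        if ($mayContain -contains 'msExchOriginatingForest') {
            "$class`: msExchOriginatingForest is in mayContain"
        } else {
            Write-Warning "$class`: msExchOriginatingForest is NOT in mayContain"
            $ok = $false
        }
    }
    return $ok
}

Test-OriginatingForestSchema
```

Run it once on each domain controller after its ldifde import. It reads the directory directly, so it reports the change immediately; the Attribute Editor tab used in the next procedure, however, works from the domain controller's schema cache, which is refreshed on its own within a few minutes of the import.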
· Create contact objects and distribution groups
Active Directory contact objects are used to tell the
AD RMS cluster the forest in which the user account resides. Similarly,
distribution groups are used to tell the AD RMS cluster the forest in
which the group resides. You must create contact objects and distribution
groups in each forest for every user and group that will be used with
AD RMS. In this guide, you create contact objects for Nicole Holliday and
Terrence Philip, and distribution groups for the Employees group in each
forest.
Create the contact objects by using the following procedure:
To create an Active Directory
contact object for the cpandl.com domain
1. Log on to CPANDL-DC as
cpandl\Administrator.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Users and Computers.
3. Click View, and then
click Advanced Features.
4. Expand cpandl.com,
right-click Users, point to New,
and then click Contact.
5. In the Full Name and Display name boxes, type Terrence Philip, and then click OK.
6. Open the Users
folder, and then double-click the Terrence Philip contact
object.
7. In the E-mail box,
type tphilip@treyresearch.net,
and then click Apply.
8. Click the Attribute Editor tab,
click msExchOriginatingForest in the
Attributes box, and then click Edit.
9. In the Value to add
box, type treyresearch.net, click
Add, and then click OK.
10. Click OK to close the
Terrence Philip properties sheet.
Next, create the contact objects in the Trey Research
domain:
To create an Active Directory
contact object for the treyresearch.net domain
1. Log on to TREY-DC as
treyresearch\Administrator.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Users and Computers.
3. Click View, and then
click Advanced Features.
4. Expand treyresearch.net,
right-click Users, point to New,
and then click Contact.
5. In the Full Name and Display name boxes, type Nicole Holliday, and then click OK.
6. Open the Users
folder, and then double-click the Nicole Holliday contact
object.
7. In the E-mail box,
type nhollida@cpandl.com, and
then click Apply.
8. Click the Attribute Editor tab,
click msExchOriginatingForest in the
Attributes box, and then click Edit.
9. In the Value to add
box, type cpandl.com, click Add, and then click OK.
10. Click OK to close the
Nicole Holliday properties sheet.
Next, create the distribution groups and assign the
appropriate msExchOriginatingForest schema attribute for each group.
To create the Trey Research
Employees distribution group for the cpandl.com domain
1. Log on to CPANDL-DC as
cpandl\Administrator.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Users and Computers.
3. Click View, and then
click Advanced Features.
4. Expand cpandl.com,
right-click Users, point to New,
and then click Group.
5. In the Group name
box, type Trey Research Employees,
click the Universal option, click the Distribution
option, and then click OK.
6. Open the Users
folder, and then double-click the Trey Research Employees
distribution group.
7. In the E-mail box,
type employees@treyresearch.net,
and then click Apply.
8. Click the Attribute Editor tab,
click msExchOriginatingForest in the
Attributes box, and then click Edit.
9. In the Value to add
box, type treyresearch.net, click
Add, and then click OK.
10. Click OK to close the
Trey Research Employees properties sheet.
Finally, create the distribution group and assign the
appropriate msExchOriginatingForest schema attribute for each group.
To create the CPANDL Employees
distribution group for the treyresearch.net domain
1. Log on to TREY-DC as
treyresearch\Administrator.
2. Click Start, point to
Administrative Tools, and then click Active
Directory Users and Computers.
3. Click View, and then
click Advanced Features.
4. Expand treyresearch.net,
right-click Users, point to New,
and then click Group.
5. In the Group name
box, type CPANDL Employees, click
the Universal option, click the Distribution
option, and then click OK.
6. Open the Users
folder, and then double-click the CPANDL Employees
distribution group.
7. In the E-mail box,
type employees@cpandl.com, and
then click Apply.
8. Click the Attribute Editor tab,
click msExchOriginatingForest in the
Attributes box, and then click Edit.
9. In the Value to add
box, type cpandl.com, click Add, and then click OK.
10. Click OK to close the
CPANDL Employees properties sheet.
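The four procedures above create the same two kinds of object in each forest: a contact carrying the e-mail address and home forest of a user from the other forest, and a universal distribution group carrying the e-mail address and home forest of a group from the other forest. The following PowerShell is an added example, not part of the Microsoft guide: it creates both object types with [ADSI] and then reads msExchOriginatingForest back, so that the forest hint can be confirmed without opening Attribute Editor. It assumes the schema has already been extended as described above and that the domain controller's schema cache has refreshed; the function names New-RmsForestContact, New-RmsForestGroup and Get-OriginatingForest are this example's own. The sample call reproduces the cpandl.com objects from this guide; swap the container, names and forest to produce the treyresearch.net ones.

```powershell
# Added example (not from the Microsoft guide): create the cross-forest contact
# and distribution group that AD RMS uses to locate a user's or group's forest.

function New-RmsForestContact {
    param(
        [Parameter(Mandatory=$true)][string]$ContainerDn,       # e.g. CN=Users,DC=cpandl,DC=com
        [Parameter(Mandatory=$true)][string]$DisplayName,       # e.g. Terrence Philip
        [Parameter(Mandatory=$true)][string]$Mail,              # e.g. tphilip@treyresearch.net
        [Parameter(Mandatory=$true)][string]$OriginatingForest  # e.g. treyresearch.net
    )
    $dn = "CN=$DisplayName,$ContainerDn"
    if ([ADSI]::Exists("LDAP://$dn")) { throw "Object already exists: $dn" }

    $container = [ADSI]"LDAP://$ContainerDn"
    $contact = $container.Create('contact', "CN=$DisplayName")   # CN is the Full Name box
    $contact.Put('displayName', $DisplayName)
    $contact.Put('mail', $Mail)
    $contact.Put('msExchOriginatingForest', $OriginatingForest)
    $contact.SetInfo()
    return $dn
}

function New-RmsForestGroup {
    param(
        [Parameter(Mandatory=$true)][string]$ContainerDn,
        [Parameter(Mandatory=$true)][string]$GroupName,         # e.g. Trey Research Employees
        [Parameter(Mandatory=$true)][string]$Mail,              # e.g. employees@treyresearch.net
        [Parameter(Mandatory=$true)][string]$OriginatingForest
    )
    $dn = "CN=$GroupName,$ContainerDn"
    if ([ADSI]::Exists("LDAP://$dn")) { throw "Object already exists: $dn" }

    $container = [ADSI]"LDAP://$ContainerDn"
    $group = $container.Create('group', "CN=$GroupName")
    # groupType 8 = ADS_GROUP_TYPE_UNIVERSAL_GROUP without the security-enabled
    # bit, i.e. the Universal + Distribution options chosen in the procedure.
    $group.Put('groupType', 8)
    # Pre-Windows 2000 name: this example strips the spaces from the group name.
    $group.Put('sAMAccountName', ($GroupName -replace '\s', ''))
    $group.Put('mail', $Mail)
    $group.Put('msExchOriginatingForest', $OriginatingForest)
    $group.SetInfo()
    return $dn
}

# Reads the forest hint back from the directory for confirmation.
function Get-OriginatingForest {
    param([Parameter(Mandatory=$true)][string]$Dn)
    return ([ADSI]"LDAP://$Dn").msExchOriginatingForest.Value
}

# In the cpandl.com forest (run on CPANDL-DC as cpandl\Administrator):
$contactDn = New-RmsForestContact -ContainerDn 'CN=Users,DC=cpandl,DC=com' `
    -DisplayName 'Terrence Philip' -Mail 'tphilip@treyresearch.net' -OriginatingForest 'treyresearch.net'
$groupDn = New-RmsForestGroup -ContainerDn 'CN=Users,DC=cpandl,DC=com' `
    -GroupName 'Trey Research Employees' -Mail 'employees@treyresearch.net' -OriginatingForest 'treyresearch.net'

"$contactDn -> " + (Get-OriginatingForest -Dn $contactDn)
"$groupDn -> " + (Get-OriginatingForest -Dn $groupDn)
```

Each call refuses to overwrite an object that already exists, so re-running it after the GUI procedure fails loudly instead of silently changing the e-mail address or forest hint that the AD RMS cluster will later rely on.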
Step 3: Verifying AD RMS Functionality
The AD RMS client is included in the default
installation of Windows Vista and Windows Server 2008. Previous
versions of the client are available for download for some earlier versions of
the Windows operating systems. For more information, see the Windows
Server 2003 Rights Management Services page in the Microsoft Windows
Server TechCenter (http://go.microsoft.com/fwlink/?LinkId=68637).
Before you can publish or consume rights-protected content
on Windows Vista, you must add the AD RMS cluster URLs for each
forest to the Internet Explorer Local Intranet security zone on the AD RMS
client computers. This is required to ensure that your credentials are
automatically passed from Microsoft Office Word to the AD RMS Web
services.
To add AD RMS cluster URLs to
the Internet Explorer Local Intranet security zone
1. Log on to ADRMS-CLNT as Nicole Holliday
(CPANDL\nhollida).
2. Click Start, click Control Panel, click Network and Internet,
and then click Internet Options.
3. Click the Security
tab, and then click Local Intranet.
4. Click Sites, and then
click Advanced.
5. In the Add this website to
the zone box, do the following:
a. Type https://adrms-srv.cpandl.com,
and then click Add.
b. Type https://trey-adrms.treyresearch.net,
and then click Add.
6. Repeat these steps on ADRMS-CLNT2, logged on as Terrence Philip
(treyresearch\tphilip).
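Placing a URL in the Local Intranet zone is what lets Internet Explorer, and Microsoft Office through it, send the logged-on user's Windows credentials to that host without prompting, which is why the procedure above adds the two cluster names individually rather than the whole cpandl.com or treyresearch.net domain. The following PowerShell is an added example, not part of the Microsoft guide: it writes the same per-user ZoneMap registry entries that the Internet Options dialog writes for the two HTTPS URLs, and reads them back. The function names are this example's own.

```powershell
# Added example (not from the Microsoft guide): add the two AD RMS cluster URLs
# to the current user's Local Intranet zone and read the assignment back.

$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
# Zone ids: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites
$localIntranet = 1

function Add-IntranetHost {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,    # e.g. cpandl.com
        [Parameter(Mandatory=$true)][string]$HostName,  # e.g. adrms-srv
        [string]$Scheme = 'https'
    )
    # Domains\<domain>\<host>: a value at the <host> key applies to that host only.
    # A value placed directly under Domains\<domain> would apply to every host in
    # the domain and is deliberately not what this function does.
    $key = Join-Path (Join-Path $zoneMap $Domain) $HostName
    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
    # The value name is the URL scheme; the DWORD data is the zone id.
    New-ItemProperty -Path $key -Name $Scheme -Value $localIntranet -PropertyType DWord -Force | Out-Null
}

function Get-IntranetHostZone {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][string]$HostName,
        [string]$Scheme = 'https'
    )
    $key = Join-Path (Join-Path $zoneMap $Domain) $HostName
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).$Scheme
}

# The two cluster URLs from this guide (https://adrms-srv.cpandl.com and
# https://trey-adrms.treyresearch.net), split into domain and host.
Add-IntranetHost -Domain 'cpandl.com'       -HostName 'adrms-srv'
Add-IntranetHost -Domain 'treyresearch.net' -HostName 'trey-adrms'

foreach ($entry in @(@('cpandl.com', 'adrms-srv'), @('treyresearch.net', 'trey-adrms'))) {
    "{0}.{1} https -> zone {2}" -f $entry[1], $entry[0], (Get-IntranetHostZone -Domain $entry[0] -HostName $entry[1])
}
```

Run it in the session of the user who will publish or consume content (Nicole Holliday on ADRMS-CLNT, Terrence Philip on ADRMS-CLNT2), because the entries live under HKEY_CURRENT_USER. Outside a test lab the same assignment is normally pushed with the Site to Zone Assignment List Group Policy setting rather than edited per user.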
To verify the functionality of the AD RMS deployment,
you log on as Nicole Holliday, create a Microsoft Word 2007 document, and
then restrict permissions on it so that Terrence Philip is able to read the
document but is unable to change, print, or copy it. You then log on as Terrence
Philip and verify that Terrence Philip can read the document but do nothing else
with it.
To restrict permissions on a
Microsoft Word document
1. Log on to ADRMS-CLNT as Nicole Holliday
(CPANDL\nhollida).
2. Click Start, point to
All Programs, click Microsoft Office,
and then click Microsoft Office Word 2007.
3. Type Only
Terrence Philip can read this document, but cannot change, print, or copy it.
Click Microsoft Office Button, point to Prepare,
point to Restrict Permission, and then click Restricted Access.
4. Select the Restrict
permission to this document check box.
5. In the Read text box,
type tphilip@treyresearch.net,
and then click OK to close the Permission
dialog box.
6. Click the Microsoft Office
Button, click Save As, and then save the file as
\\adrms-db\public\ADRMS-TST.docx.
7. Log off as Nicole Holliday.
Finally, log on as Terrence Philip on ADRMS-CLNT2 in the
TREYRESEARCH.NET domain and attempt to open the document, ADRMS-TST.docx.
To view a protected document
1. Log on to ADRMS-CLNT2 as Terrence Philip
(TREYRESEARCH\tphilip).
2. Click Start, point to
All Programs, click Microsoft Office,
and then click Microsoft Office Word 2007.
3. Click the Microsoft Office
Button, click Open, and then type \\adrms-db\public\ADRMS-TST.docx. If
you are prompted for credentials, use those of CPANDL\Administrator to allow
Terrence Philip to access the document in its location in the cpandl forest.
The following message appears: "Permission
to this document is currently restricted. Microsoft Office must connect to
https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and
download your permissions."
4. Click OK.
The following message appears: "Verifying
your credentials for opening content with restricted permissions".
5. When the document opens, click Microsoft Office Button. Notice that the Print option is not
available.
6. Click View Permission in
the message bar. You should see that Terrence Philip has been restricted to
being able only to read the document.
7. Click OK to close the
My Permissions dialog box, and then close Microsoft
Word.
8. Log off as Terrence Philip.
You have successfully deployed and demonstrated the
functionality of using AD RMS across forests, using the simple scenario of
applying restricted permissions to a Microsoft Word 2007 document. You can
also use this deployment to explore some of the additional capabilities of AD RMS
through additional configuration and testing.