Friday, 11 November 2011

Deploying Active Directory Rights Management Services in a Multiple Forest Environment Step-by-Step Guide

Microsoft Corporation
Published: March 2008
Author: Brian Lich
Editor: Carolyn Eller
Abstract
This step-by-step guide provides instructions for setting up a test environment to deploy and evaluate Active Directory Rights Management Services (AD RMS) across multiple forests in Windows Server® 2008. It includes the necessary information for installing and configuring AD RMS in two forests and configuring a trusted user domain so that users from both forests can exchange rights-protected content.


This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2008 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.




Contents

Deploying Active Directory Rights Management Services in a Multiple Forest Environment Step-by-Step Guide
  About This Guide
  What This Guide Does Not Provide
Step 1: Setting up the Trey Research Domain
  Configure the domain controller (TREY-DC)
    Configure the Windows Server 2003–based domain controller
      Install Active Directory
      Raise the domain functional level to Windows Server 2003
      Configure a DNS forwarder
    Configure the Windows Server 2008–based domain controller
      Install Active Directory Domain Services
      Configure a DNS forwarder
  Create user accounts and groups
  Configure the AD RMS database server (TREY-DB)
  Configure the AD RMS root cluster computer (TREY-ADRMS)
    Install the AD RMS root cluster computer
    Add the AD RMS server role to TREY-ADRMS
  Configure the AD RMS client computer (ADRMS-CLNT2)
Step 2: Configure AD RMS to Work Across Forests
  Create a trusted user domain between the AD RMS installations
  Enable anonymous access on the AD RMS licensing pipeline
  Extend Active Directory schema
    Extend the schema in the cpandl.com domain
    Extend the schema in the treyresearch.net domain
  Create contact objects and distribution groups
Step 3: Verifying AD RMS Functionality



About This Guide

This step-by-step guide walks you through the process of setting up two working Active Directory Rights Management Services (AD RMS) infrastructures in a test environment. Specifically, this guide looks at how to implement AD RMS in two different Active Directory forests and then set up an AD RMS trusted user domain so that users in both forests can exchange rights-protected information.
In this guide, you will create a test deployment that includes the following components:
Two AD RMS servers
Two AD RMS database servers
Two AD RMS clients
Two Active Directory domain controllers
This guide assumes that you previously completed Windows Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134), and that you have already deployed the following components:
An AD RMS server
An AD RMS database server
One AD RMS-enabled client
One Active Directory domain controller

What This Guide Does Not Provide

This guide does not provide the following:
An overview of AD RMS. For more information about the advantages that AD RMS can bring to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726.
Guidance for using identity federation with AD RMS. For guidance about this, see the Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72135).
Guidance for setting up and configuring AD RMS in a production environment.
Complete technical reference for AD RMS.
We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features without additional deployment documentation and should be used with discretion as a stand-alone document.
Upon completion of this guide, you will have two working AD RMS infrastructures configured with a trusted user domain. You can then test and verify AD RMS and AD FS functionality as follows:
Restrict permissions on a Microsoft® Word 2007 document in the CPANDL.COM domain.
Have an authorized user in the TREYRESEARCH.NET domain open and work with the document.
The test environment described in this guide includes eight computers connected to a private network and using the following operating systems, applications, and services:
Computer name: ADRMS-SRV, TREY-ADRMS
  Operating system: Windows Server® 2008
  Applications and services: AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing

Computer name: CPANDL-DC, TREY-DC
  Operating system: Windows Server 2003 with Service Pack 2 (SP2) or Windows Server 2008
  Applications and services: Active Directory, Domain Name System (DNS)
  Note: Domain controllers running Windows 2000 Server with Service Pack 4 can be used. However, in this step-by-step guide it is assumed that you will be using domain controllers running either Windows Server 2003 with SP2 or Windows Server 2008.

Computer name: ADRMS-DB, TREY-DB
  Operating system: Windows Server 2003 with SP2
  Applications and services: Microsoft SQL Server® 2005 Standard Edition with Service Pack 2 (SP2)

Computer name: ADRMS-CLNT, ADRMS-CLNT2
  Operating system: Windows Vista®
  Applications and services: Microsoft Office Word 2007 Enterprise Edition

Note
Before installing and configuring the components in this guide, you should verify that your hardware meets the minimum requirements for AD RMS (http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form two private intranets and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment, if desired. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named cpandl.com is CPANDL-DC, and the domain controller for the domain named treyresearch.net is TREY-DC. The following figure shows the configuration of the test environment:

Step 1: Setting up the Trey Research Domain


The Trey Research infrastructure contains all of the required components for an AD RMS installation. In this step, you install the required computers that make up the Trey Research domain:
Configure the domain controller (TREY-DC)
Create user accounts and groups
Configure the AD RMS database server (TREY-DB)
Configure the AD RMS root cluster computer (TREY-ADRMS)
Configure the AD RMS client computer (ADRMS-CLNT2)
Use the following table as reference when setting up the appropriate computer names, operating systems, and network settings that are required to complete the steps in this guide.
Important
Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your computers still has Internet connectivity.

Computer name: TREY-DC
  Operating system requirement: Windows Server 2003 with Service Pack 2 (SP2) or Windows Server® 2008
  IP settings: IP address 10.0.0.30, subnet mask 255.255.255.0
  DNS settings: Configured by DNS server role

Computer name: TREY-ADRMS
  Operating system requirement: Windows Server 2008 Enterprise or Windows Server 2003 R2 Enterprise Edition with SP2
  IP settings: IP address 10.0.0.33, subnet mask 255.255.255.0
  DNS settings: Preferred 10.0.0.30

Computer name: TREY-DB
  Operating system requirement: Windows Server 2003 with SP2
  IP settings: IP address 10.0.0.34, subnet mask 255.255.255.0
  DNS settings: Preferred 10.0.0.30

Computer name: ADRMS-CLNT2
  Operating system requirement: Windows Vista
  IP settings: IP address 10.0.0.32, subnet mask 255.255.255.0
  DNS settings: Preferred 10.0.0.30


Configure the domain controller (TREY-DC)

Depending on your environment, you can evaluate AD RMS in either a Windows Server 2008 domain or a Windows Server 2003 domain. Use one of the following sections depending on the domain to be used.
Configure the Windows Server 2003–based domain controller
Configure the Windows Server 2008–based domain controller

Configure the Windows Server 2003–based domain controller

To configure the domain controller TREY-DC, you must install Windows Server 2003, configure TCP/IP properties, install Active Directory, and raise the Active Directory domain functional level to Windows Server 2003.
First, install Windows Server 2003 with SP2 on the TREY-DC computer.
To install Windows Server 2003 Standard Edition
1. Start your computer by using the Windows Server 2003 product CD. (You can use any edition of Windows Server 2003 except the Web Edition to establish the domain.)
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type TREY-DC.

In this step, configure TCP/IP properties so that TREY-DC has a static IP address of 10.0.0.30.
To configure TCP/IP properties on TREY-DC
1. Log on to TREY-DC with the TREY-DC\Administrator account.
2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.30. In the Subnet mask box, type 255.255.255.0.
5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Install Active Directory

In this step, you are going to create a domain controller for Trey Research. It is important that you first configure the IP addresses as specified in the previous table before you attempt to install Active Directory. This helps ensure that DNS records are configured appropriately.
To configure TREY-DC as a domain controller
1. Click Start, and then click Run. In the Open box, type dcpromo, and then click OK.
2. On the Welcome page of the Active Directory Installation Wizard, click Next.
3. Click Next, click the Domain controller for a new domain option, and then click Next.
4. Click the Domain in a new forest option, and then click Next.
5. In Full DNS name for new domain, type treyresearch.net and then click Next.
6. In Domain NetBIOS name, type treyresearch, and then click Next three times.
7. Click the Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS server option, and then click Next.
8. Click the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option, and then click Next.
9. In the Restore Mode Password and Confirm Password boxes, type a strong password, and then click Next.
10. Click Next.
11. When the Active Directory Installation Wizard is done, click Finish.
12. Click Restart Now.

Raise the domain functional level to Windows Server 2003

In this step, you raise the Active Directory domain functional level to Windows Server 2003. This functional level allows the use of Active Directory universal groups.
To raise the domain functional level to Windows Server 2003
1. Log on to TREY-DC with the TREYRESEARCH\Administrator account.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. Right-click treyresearch.net, and then click Raise Domain Functional Level.
4. In the list under Select an available domain functional level, click Windows Server 2003, and then click Raise.
Note
You cannot change the domain functional level once you have raised it.
5. Click OK, and then click OK again.

Configure a DNS forwarder

DNS forwarders are used in this guide to forward DNS requests that cannot be resolved from the treyresearch.net domain to the cpandl.com domain, and vice versa.
To configure a DNS forwarder on a Windows Server 2003–based computer
1. Log on to TREY-DC with the TREYRESEARCH\Administrator account.
2. Click Start, point to Administrative Tools, and then click DNS.
3. Right-click TREY-DC, and then click Properties.
4. Click the Forwarders tab.
5. In the Selected domain's forward IP address list section, type 10.0.0.1, and then click Add.
6. Click OK.

Configure the Windows Server 2008–based domain controller

To configure the domain controller TREY-DC, you must install Windows Server 2008, configure TCP/IP properties, and install Active Directory Domain Services.
First, install Windows Server 2008.
To install Windows Server 2008
1. Start your computer by using the Windows Server 2008 product CD.
2. Follow the instructions that appear on your screen, and when prompted for a computer name, type TREY-DC.

Next, configure TCP/IP properties so that TREY-DC has a static IPv4 address of 10.0.0.30.
To configure TCP/IP properties on TREY-DC
1. Log on to TREY-DC with the TREY-DC\Administrator account.
2. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Click the Use the following IP address option. In IP address, type 10.0.0.30, and in Subnet mask, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.30, and then click OK.
6. On the Networking tab, clear the Internet Protocol Version 6 (TCP/IPv6) check box.
7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Install Active Directory Domain Services

In this step, you are going to create a domain controller for Trey Research. It is important that you first configure the IP addresses as specified in the previous procedure before you attempt to install Active Directory Domain Services (AD DS). This helps ensure that DNS records are configured appropriately.
To configure TREY-DC as a domain controller
1. Click Start, and then click Run.
2. In the Open box, type dcpromo, and then click OK.
3. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
4. Click the Domain controller for a new domain option, and then click Next.
5. Click the Create a new domain in a new forest option, and then click Next.
6. In the FQDN of the forest root domain box, type treyresearch.net, and then click Next.
7. In the Forest functional level box, click Windows Server 2003, and then click Next.
8. In the Domain functional level box, click Windows Server 2003, and then click Next.
9. Ensure that the DNS server check box is selected, and then click Next.
10. Click Yes, confirming that you want to create a delegation for this DNS server.
11. On the Location for Database, Log Files, and SYSVOL page, click Next.
12. In the Password and Confirm password boxes, type a strong password, and then click Next.
13. On the Summary page, click Next to start the installation.
14. When the installation is complete, click Finish, and then click Restart Now.
Note
You must restart the computer after you complete this procedure.

Configure a DNS forwarder

DNS forwarders are used in this guide to forward DNS requests that cannot be resolved from the treyresearch.net domain to the cpandl.com domain, and vice versa.
To configure a DNS forwarder
1. Log on to TREY-DC with the TREYRESEARCH\Administrator account or another user account in the local Administrators group.
2. Click Start, point to Administrative Tools, and then click DNS.
3. Right-click TREY-DC, and then click Properties.
4. Click the Forwarders tab.
5. Click Edit.
6. Type 10.0.0.1, and then click OK.
7. Click OK to close the properties sheet.
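The following script is an added verification check and is not part of the original guide: after either domain controller procedure above, it confirms that TREY-DC has the static address, the DNS forwarder to 10.0.0.1, and the Windows Server 2003 domain functional level that the later steps depend on. It assumes Windows PowerShell is installed on TREY-DC and that it runs as TREYRESEARCH\Administrator; it uses only WMI and ADSI, so it applies to both the Windows Server 2003 and Windows Server 2008 variants.

```powershell
# Added verification script, not part of the original guide. Run on TREY-DC as
# TREYRESEARCH\Administrator after the domain controller procedures above.
# Assumption: Windows PowerShell is installed on TREY-DC (the guide never uses it).
# Only WMI and ADSI are used, so the same script works on either the
# Windows Server 2003 or the Windows Server 2008 variant of TREY-DC.

$expected = @{
    IPAddress   = '10.0.0.30'
    SubnetMask  = '255.255.255.0'
    Forwarder   = '10.0.0.1'         # forwarder target given in the guide
    DomainDN    = 'DC=treyresearch,DC=net'
    DomainLevel = 2                  # msDS-Behavior-Version 2 = Windows Server 2003
}
$failures = @()

# 1. Static IPv4 address and subnet mask (DHCP must be off on the lab adapter).
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Select-Object -First 1
if ($nic.DHCPEnabled) {
    $failures += 'Adapter still uses DHCP; the guide requires a static address'
}
if (@($nic.IPAddress) -notcontains $expected.IPAddress) {
    $failures += "IP address is $($nic.IPAddress -join ', ') (expected $($expected.IPAddress))"
}
if (@($nic.IPSubnet) -notcontains $expected.SubnetMask) {
    $failures += "Subnet mask is $($nic.IPSubnet -join ', ') (expected $($expected.SubnetMask))"
}

# 2. The DNS server role forwards queries it cannot answer (cpandl.com names) to 10.0.0.1.
$dns = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server `
       -ErrorAction SilentlyContinue
if (-not $dns) {
    $failures += 'DNS server role not found (root\MicrosoftDNS is missing)'
} elseif (@($dns.Forwarders) -notcontains $expected.Forwarder) {
    $failures += "DNS forwarders are '$($dns.Forwarders -join ', ')' (expected $($expected.Forwarder))"
}

# 3. Domain functional level must be Windows Server 2003 so universal groups are available.
$domain = [ADSI]"LDAP://$($expected.DomainDN)"
$level  = [int]$domain.'msDS-Behavior-Version'.Value
if ($level -lt $expected.DomainLevel) {
    $failures += "Domain functional level is $level (expected $($expected.DomainLevel), Windows Server 2003)"
}

# 4. End-to-end check: a cpandl.com name resolves through the forwarder.
try {
    $addr = [System.Net.Dns]::GetHostAddresses('cpandl-dc.cpandl.com') | Select-Object -First 1
    "cpandl-dc.cpandl.com resolves to $addr"
} catch {
    $failures += 'cpandl-dc.cpandl.com did not resolve; check the forwarder and that CPANDL-DC is running'
}

if ($failures.Count -eq 0) {
    'TREY-DC matches the Step 1 configuration.'
} else {
    'TREY-DC configuration problems:'
    $failures | ForEach-Object { " - $_" }
}
```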

Create user accounts and groups

In this section, you create the user accounts and groups in the TREYRESEARCH domain.
First, add the user accounts shown in the following table to Active Directory or AD DS. Use the procedure following the table to create the user accounts.

Account Name       User Logon Name   E-mail address
ADRMSADMIN         ADRMSADMIN        (none)
ADRMSSRVC          ADRMSSRVC         (none)
Terrence Philip    tphilip           tphilip@treyresearch.net

To add new user accounts to the TREYRESEARCH domain
1. Log on to TREY-DC with the TREYRESEARCH\Administrator account.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the console tree, expand treyresearch.net.
4. Right-click Users, point to New, and then click User.
5. In the New Object – User dialog box, type ADRMSADMIN in the Full name and User logon name boxes, and then click Next.
6. In the New Object – User dialog box, type a password of your choice in the Password and Confirm password boxes. Clear the User must change password at next logon check box, click Next, and then click Finish.
7. Perform steps 3-6 for ADRMSSRVC and Terrence Philip (tphilip).

Next, add an e-mail address for Terrence Philip.
To add e-mail addresses to user accounts
1. In the Active Directory Users and Computers console, right-click Terrence Philip, click Properties, type tphilip@treyresearch.net in the E-mail box, and then click OK.
2. Close the Active Directory Users and Computers console.

Once the user accounts have been created, an Active Directory Universal group should be created with Terrence Philip as a member. The following table lists the Universal group that should be added to Active Directory. Use the procedure following the table to create the Universal group.
Group Name    E-mail address
Employees     employees@treyresearch.net

To add a new group object to Active Directory
1. In the Active Directory Users and Computers console, right-click Users, point to New, and then click Group.
2. In the New Object – Group dialog box, type Employees in Group name, click the Universal option for the Group Scope, and then click OK.

Next, add an e-mail address to the Trey Research Employees group.
To add an e-mail address to a group object
1. In the Active Directory Users and Computers console, double-click Users, right-click Employees, and then click Properties.
2. Type employees@treyresearch.net in the E-mail box, and then click OK.

Finally, add Terrence Philip to the Employees group by following these steps.
To add Terrence Philip to the Employees group
1. In the Active Directory Users and Computers console, double-click Users, and then double-click Employees.
2. Click Members, and then click Add.
3. Type tphilip@treyresearch.net, and then click OK.
4. Close the Active Directory Users and Computers console.
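As an added example that is not part of the original guide, the script below performs the account and group procedures above in one pass with ADSI, which both the Windows Server 2003 and Windows Server 2008 domain controllers provide; it assumes Windows PowerShell on TREY-DC, a TREYRESEARCH\Administrator session, and that passwords are typed at the prompt rather than written into the script.

```powershell
# Added example, not from the original guide: creates the accounts and the
# Employees universal group from the tables above with ADSI, which the Windows
# Server 2003 and 2008 domain controllers in the guide both provide.
# Assumptions: run on TREY-DC as TREYRESEARCH\Administrator with Windows PowerShell
# installed; passwords are typed at the prompt rather than stored in the script.

$container = [ADSI]'LDAP://CN=Users,DC=treyresearch,DC=net'
$upnSuffix = 'treyresearch.net'
$ADS_UF_NORMAL_ACCOUNT = 0x0200                    # enabled, ordinary user account
$UNIVERSAL_SECURITY_GROUP = -2147483640            # 0x80000008: universal scope, security-enabled

# Rows of the user account table: full name, logon name, e-mail address (if any).
$accounts = @(
    @{ Name = 'ADRMSADMIN';      Logon = 'ADRMSADMIN'; Mail = $null },
    @{ Name = 'ADRMSSRVC';       Logon = 'ADRMSSRVC';  Mail = $null },
    @{ Name = 'Terrence Philip'; Logon = 'tphilip';    Mail = 'tphilip@treyresearch.net' }
)

function New-LabUser($Container, $Name, $Logon, $Mail) {
    $user = $Container.Create('user', "CN=$Name")
    $user.Put('sAMAccountName', $Logon)
    $user.Put('userPrincipalName', "$Logon@$upnSuffix")
    $user.Put('displayName', $Name)
    # AD RMS issues licenses to e-mail addresses, so the mail attribute matters for tphilip.
    if ($Mail) { $user.Put('mail', $Mail) }
    $user.SetInfo()                                  # the object must exist before SetPassword

    $secure = Read-Host -AsSecureString "Password for $Logon"
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # Enable the account. Setting the password updated pwdLastSet, so the account is
    # not flagged "User must change password at next logon", matching step 6 above.
    $user.Put('userAccountControl', $ADS_UF_NORMAL_ACCOUNT)
    $user.SetInfo()
    return $user
}

function New-LabUniversalGroup($Container, $Name, $Mail) {
    $group = $Container.Create('group', "CN=$Name")
    $group.Put('sAMAccountName', $Name)
    $group.Put('groupType', $UNIVERSAL_SECURITY_GROUP)   # needs the 2003 functional level
    $group.Put('mail', $Mail)                            # address the document is protected to
    $group.SetInfo()
    return $group
}

$created = @{}
foreach ($row in $accounts) {
    $created[$row.Logon] = New-LabUser $container $row.Name $row.Logon $row.Mail
}
$employees = New-LabUniversalGroup $container 'Employees' 'employees@treyresearch.net'
# IADsGroup::Add takes the member's ADsPath (LDAP://CN=...).
$employees.psbase.Invoke('Add', $created['tphilip'].psbase.Path)

"Created $($accounts.Count) accounts; Employees (universal, employees@treyresearch.net) contains tphilip."
```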

Configure the AD RMS database server (TREY-DB)

First, install Windows Server 2003 on the computer that will host the AD RMS databases.
To install Windows Server 2003 Standard Edition
1. Start your computer using the Windows Server 2003 product CD. (You can use any edition of Windows Server 2003 except the Web Edition to establish the domain.)
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type TREY-DB.

In this step, configure TCP/IP properties so that TREY-DB has a static IP address of 10.0.0.34.
To configure TCP/IP properties on TREY-DB
1. Log on to TREY-DB with the TREY-DB\Administrator account.
2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.34. In the Subnet mask box, type 255.255.255.0.
5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join the AD RMS database server (TREY-DB) computer to the TREYRESEARCH domain.
To join TREY-DB to the TREYRESEARCH domain
1. Click Start, right-click My Computer, and then click Properties.
2. Click Computer Name tab, and then click Change.
3. In the Computer Name Changes dialog box, select the Domain option, and then type treyresearch.net.
4. Click More, and then type treyresearch.net in the Primary DNS suffix of this computer box.
5. Click OK twice.
6. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials for TREYRESEARCH\Administrator, and then click OK.
7. When a Computer Name Changes dialog box appears welcoming you to the treyresearch.net domain, click OK.
8. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and then click OK again.
9. Click Yes to restart the computer.

Next, install Microsoft SQL Server 2005 Standard Edition.
To install Microsoft SQL Server 2005
1. Log on to TREY-DB with the TREYRESEARCH\Administrator account.
2. Insert the Microsoft SQL Server 2005 product CD. The installation will start automatically.
3. Click the I accept the licensing terms and conditions check box, and then click Next.
4. On the Installing Prerequisites page, click Install.
5. Click Next.
6. On the Welcome to the Microsoft SQL Server Installation Wizard page, click Next, and then click Next again.
7. In the Name box, type your name. In the Company box, type the name of your organization, and then type in the appropriate product key. Click Next.
8. Select the SQL Server Database Services, and Workstation components, Books Online, and development tools check boxes, and then click Next.
9. Select the Default instance option, and then click Next.
10. Click the Use the built-in System account option, and then click Next.
11. Click the Windows Authentication Mode option, and then click Next.
12. Click Next, accepting the default Collation Settings, and then click Next again.
13. Click Install. When the status of all the selected components is finished, click Next.
14. Click Finish.

Next, add ADRMSADMIN to the local Administrators group on TREY-DB. The user account that installs AD RMS needs this membership in order to create the AD RMS databases. After AD RMS is installed, ADRMSADMIN can be removed from this group.
To add ADRMSADMIN to the local Administrators group
1. Click Start, point to Administrative Tools, and then click Computer Management.
2. Expand System Tools, expand Local Users and Groups, and then click Groups.
3. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN in Enter the object names to select (examples) box, and then click OK.
4. Click OK, and then close Computer Management.

Configure the AD RMS root cluster computer (TREY-ADRMS)

In this section, the AD RMS root cluster computer is installed and the AD RMS role is added.

Install the AD RMS root cluster computer

To configure the AD RMS root cluster computer, TREY-ADRMS, you must install Windows Server 2008, configure TCP/IP properties, and then join TREY-ADRMS to the domain treyresearch.net. You must also add the account ADRMSADMIN as a member to the local administrators group so that an administrator can use the ADRMSADMIN account to install AD RMS on TREY-ADRMS.
First, install Windows Server 2008 as a stand-alone server.
To install Windows Server 2008
1. Start your computer by using the Windows Server 2008 product CD.
2. When prompted for a computer name, type TREY-ADRMS.
3. Follow the rest of the instructions that appear on your screen to finish the installation.

Next, configure TCP/IP properties so that TREY-ADRMS has a static IP address of 10.0.0.33. In addition, configure the DNS server by using the IP address of TREY-DC (10.0.0.30).
To configure TCP/IP properties
1. Log on to TREY-ADRMS with the TREY-ADRMS\Administrator account or another user account in the local Administrators group.
2. Click Start, click Control Panel, double-click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Click the Use the following IP address option. In IP address, type 10.0.0.33. In Subnet mask, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.30.
6. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join TREY-ADRMS to the treyresearch.net domain.
To join TREY-ADRMS to the treyresearch.net domain
1. Click Start, right-click Computer, and then click Properties.
2. Click Change settings (at the right side under Computer name, domain, and workgroup settings), and then click Change.
3. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type treyresearch.net.
4. Click More, and type treyresearch.net in Primary DNS suffix of this computer box.
5. Click OK, and then click OK again.
6. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials for TREYRESEARCH\Administrator, and then click OK.
7. When a Computer Name/Domain Changes dialog box appears welcoming you to the treyresearch.net domain, click OK.
8. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.
9. Click Restart Now.

After the computer has restarted, add ADRMSADMIN to the local Administrators group on TREY-ADRMS.
To add ADRMSADMIN to the local Administrators group
1. Log on to TREY-ADRMS with the TREYRESEARCH\Administrator account.
2. Click Start, click Administrative Tools, and then click Computer Management.
3. Expand System Tools, expand Local Users and Groups, and then click Groups.
4. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN in Enter the object names to select (examples) box, and then click OK.
5. Click OK, and then close Computer Management.

Add the AD RMS server role to TREY-ADRMS

Windows Server 2008 includes the option to install AD RMS as a server role through Server Manager. Both installation and configuration of AD RMS are handled through Server Manager. The first server in an AD RMS environment is the root cluster. An AD RMS root cluster is composed of one or more AD RMS servers configured in a load-balancing environment. This section will install and configure a single-server AD RMS root cluster in the treyresearch.net domain.
Registering the AD RMS service connection point (SCP) requires that the installing user account be a member of the Active Directory Enterprise Admins group.
Important
Access to the Enterprise Admins group should be granted only while AD RMS is being installed. After installation is complete, the TREYRESEARCH\ADRMSADMIN account should be removed from this group.
To add ADRMSADMIN to the Enterprise Admins group
1. Log on to TREY-DC with the treyresearch\Administrator account.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the console tree, expand treyresearch.net, double-click Users, and then double-click Enterprise Admins.
4. Click the Members tab, and then click Add.
5. Type adrmsadmin@treyresearch.net, and then click OK.

Install and configure AD RMS as a root cluster.
To add the AD RMS server role
1. Log on to TREY-ADRMS as treyresearch\ADRMSADMIN.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. In the Roles Summary box, click Add Roles. The Add Roles Wizard opens.
5. Read the Before You Begin section, and then click Next.
6. On the Select Server Roles page, select the Active Directory Rights Management Services check box.
7. The Role Services page appears informing you of the AD RMS dependent role services and features. Make sure that Web Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click Next.
8. Read the AD RMS introduction page, and then click Next.
9. On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and then click Next.
10. Click the Create a new AD RMS cluster option, and then click Next.
11. Click the Use a different database server option.
12. Click Select, type TREY-DB in the Select Computer dialog box, and then click OK.
13. In Database Instance, click Default, and then click Validate.
14. Click Next.
15. Click Specify, type TREYRESEARCH\ADRMSSRVC, type the password for the account, click OK, and then click Next.
16. Ensure that the Use AD RMS centrally managed key storage option is selected, and then click Next.
17. Type a strong password in the Password box and in the Confirm password box, and then click Next.
18. Choose the Web site where AD RMS will be installed, and then click Next. In an installation that uses default settings, the only available Web site should be Default Web Site.
19. Click the Use an SSL-encrypted connection (https://) option.
20. In the Fully-Qualified Domain Name box, type trey-adrms.treyresearch.net, and then click Validate. If validation succeeds, the Next button becomes available. Click Next.
21. Click the Choose an existing certificate for SSL encryption option, click the certificate that has been imported for this AD RMS cluster, and then click Next.
22. Type a name that will help you identify the AD RMS cluster in the Friendly name box, and then click Next.
23. Ensure that the Register the AD RMS service connection point now option is selected, and then click Next to register the AD RMS service connection point (SCP) in Active Directory during installation.
24. Read the Introduction to Web Server (IIS) page, and then click Next.
25. Keep the Web server default check box selections, and then click Next.
26. Click Install to provision AD RMS on the computer. It can take up to 60 minutes to complete the installation.
27. Click Close.
28. Log off the server, and then log on again to update the security token of the logged-on user account. The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators local group. A user must be a member of that group to administer AD RMS.
Note
At this point in the guide, you can remove treyresearch\ADRMSADMIN from the local Administrators group on TREY-DB.
Your AD RMS root cluster is now installed and configured.
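The script below is an added post-installation check and is not part of the original guide: it verifies that step 23 registered the SCP and that the temporary privileges granted to ADRMSADMIN (Enterprise Admins, and local Administrators on TREY-DB) have been removed as the Important and Note callouts require, and that the ADRMSSRVC service account holds no administrative group membership. It assumes Windows PowerShell on TREY-DC, a TREYRESEARCH\Administrator session and network reachability of TREY-DB; the SCP container and attribute used are the documented AD RMS ones and are not stated on this page.

```powershell
# Added post-installation check, not part of the original guide. It confirms that
# step 23 registered the SCP and that the temporary privileges granted to ADRMSADMIN
# have been withdrawn, as the Important and Note callouts above require.
# Assumptions: run on TREY-DC as TREYRESEARCH\Administrator with Windows PowerShell
# installed, TREY-DB reachable on the network; the SCP location and attribute are the
# documented AD RMS ones and are not stated on this page.

$forestDN   = 'DC=treyresearch,DC=net'
$clusterUrl = 'https://trey-adrms.treyresearch.net'
$findings   = @()

# 1. Service connection point: AD RMS clients discover the cluster through this object,
#    so its binding must be the certification URL of the cluster installed above.
$scpPath = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,CN=Configuration,$forestDN"
if ([ADSI]::Exists($scpPath)) {
    $binding = [string]([ADSI]$scpPath).serviceBindingInformation.Value
    if ($binding -like "$clusterUrl/*") { "SCP registered: $binding" }
    else { $findings += "SCP points at '$binding', not at $clusterUrl" }
} else {
    $findings += 'AD RMS SCP is not registered in the Configuration partition'
}

# 2. ADRMSADMIN must be out of Enterprise Admins now that the SCP exists.
$ea = [ADSI]"LDAP://CN=Enterprise Admins,CN=Users,$forestDN"
$eaMembers = @($ea.member) | ForEach-Object { ([ADSI]"LDAP://$_").sAMAccountName.Value }
if ($eaMembers -contains 'ADRMSADMIN') {
    $findings += 'ADRMSADMIN is still in Enterprise Admins; remove it, the SCP registration is done'
}

# 3. ADRMSADMIN must be out of the local Administrators group on TREY-DB; that
#    membership was only needed to create the AD RMS databases.
function Get-LocalAdministrators($Computer) {
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
if ((Get-LocalAdministrators 'TREY-DB') -contains 'ADRMSADMIN') {
    $findings += 'ADRMSADMIN is still a local Administrator on TREY-DB'
}

# 4. The service account ADRMSSRVC runs the cluster and should hold no admin membership.
$searcher = New-Object DirectoryServices.DirectorySearcher('(sAMAccountName=ADRMSSRVC)')
$svc = $searcher.FindOne()
if ($svc) {
    $privileged = @($svc.Properties['memberof']) |
        Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),' }
    if ($privileged) { $findings += "ADRMSSRVC holds privileged membership: $($privileged -join '; ')" }
} else {
    $findings += 'Service account ADRMSSRVC not found in treyresearch.net'
}

if ($findings.Count -eq 0) {
    'AD RMS root cluster checks passed: SCP registered, temporary privileges removed.'
} else {
    'Follow-up needed:'
    $findings | ForEach-Object { " - $_" }
}
```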

Configure the AD RMS client computer (ADRMS-CLNT2)

To configure the ADRMS-CLNT2 client computer in the TREYRESEARCH domain, you must install Windows Vista, configure TCP/IP properties, and then join the computer to the TREYRESEARCH domain. You must also install an AD RMS-enabled application. In this example, Microsoft Office Word 2007 Enterprise Edition is installed on the client.
To install Windows Vista
1. Start your computer by using the Windows Vista product CD.
2. Follow the instructions that appear on your screen, and when prompted for a computer name, type ADRMS-CLNT2.

Next, configure TCP/IP properties so that ADRMS-CLNT2 has a static IP address of 10.0.0.32 and uses TREY-DC (10.0.0.30) as its DNS server.
To configure TCP/IP properties
1. Log on to ADRMS-CLNT2 with the ADRMS-CLNT2\Administrator account or another user account in the local Administrators group.
2. Click Start, click Network, and then click Network and Sharing Center.
3. Click Manage Network Connections, right-click Local Area Connection, and then click Properties.
4. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
5. Select the Use the following IP address option. In IP address, type 10.0.0.32, and in Subnet mask, type 255.255.255.0.
6. Select the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.30.
7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join ADRMS-CLNT2 to the TREYRESEARCH domain.
To join ADRMS-CLNT2 to the TREYRESEARCH domain
1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change settings.
3. On the Computer Name tab, click Change.
4. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type treyresearch.net.
5. Click More, and in the Primary DNS suffix of this computer box, type treyresearch.net.
6. Click OK, and click OK again.
7. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials for treyresearch\administrator, and then click OK.
8. When a Computer Name/Domain Changes dialog box appears welcoming you to the treyresearch.net domain, click OK.
9. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.
10. In the System Settings Change dialog box, click Yes to restart the computer.
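The TCP/IP and domain-join procedures above can also be scripted. The following Windows PowerShell script is an added example and is not part of the original guide. It assumes Windows PowerShell 2.0 or later is installed on the client, that the client has a single IP-enabled network adapter, and that it is run from an elevated prompt. The addresses and domain name are the guide's values; the WMI methods it calls report 0 on success, which the script checks before moving to the next step.

```powershell
# Added example (not from the guide): scripted equivalent of the TCP/IP and
# domain-join procedures for ADRMS-CLNT2, using WMI methods that exist on
# Windows Vista. Assumes a single IP-enabled adapter and an elevated prompt.

$ip       = "10.0.0.32"                 # static address from the guide
$mask     = "255.255.255.0"
$dns      = "10.0.0.30"                 # TREY-DC
$domain   = "treyresearch.net"
$joinUser = "treyresearch\administrator"

# Pick the first IP-enabled adapter (assumption: only one on the test client)
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
       Select-Object -First 1

# Each WMI method returns ReturnValue; 0 = success, 1 = success, reboot required
$r1 = $nic.EnableStatic(@($ip), @($mask)).ReturnValue
$r2 = $nic.SetDNSServerSearchOrder(@($dns)).ReturnValue
Write-Host "EnableStatic=$r1 SetDNSServerSearchOrder=$r2"
if ($r1 -gt 1 -or $r2 -gt 1) { throw "TCP/IP configuration failed" }

# Join the domain. FJoinOptions 3 = JOIN_DOMAIN (1) + ACCT_CREATE (2).
# Prompting for the password keeps the credential out of the script file.
$cred = Get-Credential $joinUser
$cs   = Get-WmiObject Win32_ComputerSystem
$r3   = $cs.JoinDomainOrWorkgroup($domain,
            $cred.GetNetworkCredential().Password,
            $cred.UserName, $null, 3).ReturnValue
Write-Host "JoinDomainOrWorkgroup=$r3"
if ($r3 -ne 0) { throw "Domain join failed with Win32 error $r3" }

# The guide sets the primary DNS suffix by hand; with the default
# "change primary DNS suffix when domain membership changes" setting the
# join writes it for you. Show it before the restart so you can confirm.
$params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
Write-Host ("Primary DNS suffix after join: " + $params."NV Domain")

Restart-Computer -Force
```

If the join returns 1326 the credentials were rejected; 2691 means the computer is already a member of the domain.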

Finally, install Microsoft Office Word 2007 Enterprise Edition on ADRMS-CLNT2.
To install Microsoft Office Word 2007 Enterprise
1. Double-click setup.exe from the Microsoft Office 2007 Enterprise product CD.
2. Click Customize as the installation type, set the installation type to Not Available for all applications except Microsoft Office Word 2007 Enterprise, and then click Install Now. This might take several minutes to complete.
Important
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007 allow you to create rights-protected content. All editions will allow you to consume rights-protected content.

Step 2: Configure AD RMS to Work Across Forests


In this step, you do the following:
Create a trusted user domain between the AD RMS installations
Enable anonymous access on the AD RMS licensing pipeline
Extend the Active Directory schema
Create contact objects and distribution groups

Create a trusted user domain between the AD RMS installations

In a default AD RMS installation, use licenses are not issued to users whose rights account certificates were issued by a different AD RMS cluster. You can configure AD RMS so that it processes this type of request by importing the trusted user domain of another AD RMS installation.
The trusted user domain must be exported from one AD RMS cluster and then imported into the other. A trusted user domain is required only if the AD RMS clusters are in different forests.
First, export the trusted user domain by using the Active Directory Rights Management Services console.
To export a trusted user domain from the cpandl.com domain
1. Log on to ADRMS-SRV as cpandl\adrmsadmin.
2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Expand the AD RMS cluster, and then expand Trust Policies.
5. Click Trusted User Domains, right-click the certificate named Enterprise, and then click Export Trusted User Domain.
6. In the File name box, type \\adrms-db\public\cpandlTUD.bin, and then click Save.
Note
For scenarios in which the domains are in different networks, make sure that the users in the second domain can access the location of this file.

Next, import the trusted user domain that was just exported from the AD RMS cluster in the CPANDL domain into the TREYRESEARCH domain by using the Active Directory Rights Management Services console.
To import a trusted user domain file into the treyresearch.net domain
1. Log on to TREY-ADRMS as treyresearch\adrmsadmin.
2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Expand the AD RMS cluster, expand Trust Policies, right-click Trusted User Domains, and then click Import Trusted User Domain.
5. In the Trusted user domain file box, type \\adrms-db\public\cpandlTUD.bin.
6. In the Display name box, type CPANDL.COM, and then click Finish.

Finally, repeat the above procedures in the other direction and import the Trey Research trusted user domain file into the CPANDL domain.
To export a trusted user domain from the treyresearch.net domain
1. Log on to TREY-ADRMS as treyresearch\adrmsadmin.
2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Expand the AD RMS cluster, and then expand Trust Policies.
5. Click Trusted User Domains, right-click the certificate named Enterprise, and then click Export Trusted User Domain.
6. In the File name box, type \\adrms-db\public\treyresearchTUD.bin, and then click Save.
Note
For scenarios in which the domains are in different networks, make sure that the users in the second domain can access the location of this file.
To import a trusted user domain file into the cpandl.com domain
1. Log on to ADRMS-SRV as cpandl\adrmsadmin.
2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Expand the AD RMS cluster, expand Trust Policies, right-click Trusted User Domains, and then click Import Trusted User Domain.
5. In the Trusted user domain file box, type \\adrms-db\public\treyresearchTUD.bin.
6. In the Display name box, type TREYRESEARCH.NET, and then click Finish.
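Importing a trusted user domain tells the cluster to accept rights account certificates issued by the other cluster, so the .bin file you import must be the one the other administrator exported. The following Windows PowerShell functions are an added example, not part of the original guide: the exporting administrator records the SHA-256 hash of the file right after the export step, and the importing administrator compares it before the import step and reports which identities can write to the file on the share. The script assumes Windows PowerShell 2.0 or later; the share path is the guide's \\adrms-db\public.

```powershell
# Added example (not from the guide): integrity check for a trusted user
# domain (TUD) file that travels over a file share before it is imported.
# Uses .NET classes available on Windows Server 2008.

function Get-FileSha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    # Lowercase hex digest without separators
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "").ToLower()
}

function Test-TudFile {
    param(
        [string]$Path,          # e.g. \\adrms-db\public\cpandlTUD.bin
        [string]$ExpectedHash   # digest recorded on the exporting cluster
    )
    if (-not (Test-Path $Path)) { throw "TUD file not found: $Path" }

    $actual = Get-FileSha256Hex $Path
    if ($actual -ne $ExpectedHash.ToLower()) {
        throw "TUD hash mismatch for $Path (expected $ExpectedHash, got $actual)"
    }

    # Report who can modify the file on the share. Only the exporting
    # AD RMS administrator should need write access.
    $acl     = Get-Acl $Path
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        ($_.FileSystemRights.ToString() -match "Write|Modify|FullControl")
    } | ForEach-Object { $_.IdentityReference.Value }
    Write-Host ("Hash OK. Identities with write access: " +
                [string]::Join(", ", [string[]]@($writers)))
    return $true
}

# On the exporting cluster (ADRMS-SRV), after step 6 of the export procedure:
#   Get-FileSha256Hex '\\adrms-db\public\cpandlTUD.bin'
# Record that value out of band. On the importing cluster (TREY-ADRMS),
# before step 4 of the import procedure:
#   Test-TudFile '\\adrms-db\public\cpandlTUD.bin' '<hash recorded at export>'
```

Run the same pair of calls for treyresearchTUD.bin in the other direction.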

Enable anonymous access on the AD RMS licensing pipeline

For each AD RMS cluster, you must enable anonymous access on the AD RMS license.asmx and servicelocator.asmx files in the licensing pipeline.
To enable anonymous access on the AD RMS licensing pipeline
1. Log on to ADRMS-SRV as cpandl\adrmsadmin.
2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Expand the domain node, expand Sites, expand Default Web Site, and then expand _wmcs.
5. Right-click the licensing folder, and then click Switch to Content View.
6. Right-click ServiceLocator.asmx, and then click Switch to Features View.
7. Under IIS, double-click Authentication, right-click Anonymous Authentication, and then click Enable.
8. Right-click the licensing directory again, and then click Switch to Content View.
9. Right-click license.asmx, and then click Switch to Features View.
10. Double-click Authentication, right-click Anonymous Authentication, and then click Enable.
11. Log on to TREY-ADRMS as treyresearch\adrmsadmin and repeat steps 1-10 for the treyresearch.net domain.
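The same change can be made and verified from the command line with appcmd.exe, which ships with IIS 7.0 on Windows Server 2008. The script below is an added example and is not part of the original guide; it assumes AD RMS was installed to Default Web Site (the guide's default) and is run from an elevated Windows PowerShell prompt on each AD RMS server. Like the procedure above, it scopes anonymous authentication to the two named files rather than to the whole licensing directory, and then lists the effective setting for both files and for the parent directory so you can confirm that only the two files changed.

```powershell
# Added example (not from the guide): enable anonymous authentication on the
# two licensing pipeline files with appcmd.exe, then list the result.
# Assumption: AD RMS is installed under Default Web Site.

$appcmd  = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$section = "system.webServer/security/authentication/anonymousAuthentication"

# Only the two files the procedure names; the rest of the licensing
# directory keeps its existing authentication settings.
$paths = @(
    "Default Web Site/_wmcs/licensing/license.asmx",
    "Default Web Site/_wmcs/licensing/ServiceLocator.asmx"
)

foreach ($p in $paths) {
    # /commit:apphost writes a <location> element in applicationHost.config
    & $appcmd set config "$p" /section:$section /enabled:true /commit:apphost
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed for $p" }
}

# Verification: the two files should now show enabled="true"; the parent
# directory should be unchanged.
foreach ($p in ($paths + "Default Web Site/_wmcs/licensing")) {
    Write-Host "== $p"
    & $appcmd list config "$p" /section:$section
}
```

Run the script once on ADRMS-SRV and once on TREY-ADRMS.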

Extend Active Directory schema

When users across Active Directory forests need to exchange rights-protected content, the AD RMS clusters need to know the forest in which the user account or group resides. This is done by using the msExchOriginatingForest Active Directory schema attribute. This schema attribute is installed with Microsoft Exchange Server 2003 and later. If you do not have an Exchange server deployed in your environment, you must extend the schema to include this attribute by using ldifde.exe from the command prompt on a domain controller in each forest.

Extend the schema in the cpandl.com domain

To extend the schema in the cpandl.com domain, copy the following text into a text file named cpandl.ldf. In this guide, you save it to the cpandl\administrator desktop on CPANDL-DC.
# Add the ms-Exch-Originating-Forest attribute to the cpandl.com schema
dn: CN=ms-Exch-Originating-Forest,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0

# Allow the attribute on contact, group, and user objects
dn: CN=Contact,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

dn: CN=Group,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

dn: CN=User,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-
Finally, run the ldifde.exe command to extend the schema by using the following procedure.
To run the ldifde command to extend the schema
1. Log on to CPANDL-DC as cpandl\administrator.
2. Click Start, and then click Command Prompt.
3. Type the following, and then press ENTER:
cd %systemdrive%\Users\Administrator\Desktop
where %systemdrive% is the volume on which Windows Server 2008 is installed.
4. Type the following, and then press ENTER:
ldifde.exe -s cpandl-dc -v -i -k -f cpandl.ldf /c "CN=Schema,CN=Configuration,DC=CPANDL,DC=COM" "CN=Schema,CN=Configuration,DC=CPANDL,DC=COM"
The last two entries of this command are the same because the source and target name are the same.
5. To confirm that the command succeeded, check that the last two lines of the output read as follows:
4 entries modified successfully. The command has completed successfully.

Extend the schema in the treyresearch.net domain

To extend the schema in the treyresearch.net domain, copy the following text into a text file named trey.ldf. In this guide, you save it to the treyresearch\administrator desktop on TREY-DC.
# Add the ms-Exch-Originating-Forest attribute to the treyresearch.net schema
dn: CN=ms-Exch-Originating-Forest,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0

# Allow the attribute on contact, group, and user objects
dn: CN=Contact,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

dn: CN=Group,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

dn: CN=User,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-
Finally, run the ldifde.exe command to extend the schema by using the following procedure.
To run the ldifde command to extend the schema
1. Log on to TREY-DC as treyresearch\administrator.
2. Click Start, and then click Command Prompt.
3. Type the following, and then press ENTER:
cd %systemdrive%\Users\Administrator\Desktop
where %systemdrive% is the volume on which Windows Server 2008 is installed.
4. Type the following, and then press ENTER:
ldifde.exe -s trey-dc -v -i -k -f trey.ldf /c "CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET" "CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET"
The last two entries of this command are the same because the source and target name are the same.
5. To confirm that the command succeeded, check that the last two lines of the output read as follows:
4 entries modified successfully. The command has completed successfully.
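A schema extension replicates to every domain controller in the forest and cannot be undone (an attribute can later be made defunct but not deleted), so it is worth confirming, in both forests, that exactly what the .ldf files describe was applied. The following Windows PowerShell function is an added example and is not part of the original guide; it reads the schema partition through ADSI and checks the attribute definition and the three class modifications from the cpandl.ldf and trey.ldf files above. It assumes Windows PowerShell 2.0 or later and takes the domain controller name and schema DN as parameters so it can be run once per forest on that forest's own domain controller.

```powershell
# Added example (not from the guide): verify the msExchOriginatingForest
# schema extension after ldifde has run. Run on the forest's own domain
# controller (CPANDL-DC or TREY-DC) with the matching parameters.

function Test-OriginatingForestSchema {
    param(
        [string]$Server,    # e.g. cpandl-dc
        [string]$SchemaDn   # e.g. CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
    )
    $problems = @()

    # 1. The attribute definition exists with the LDAP name and OID from the .ldf
    $attrPath = "LDAP://$Server/CN=ms-Exch-Originating-Forest,$SchemaDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($attrPath)) {
        $problems += "attribute ms-Exch-Originating-Forest not found under $SchemaDn"
    } else {
        $attr = [ADSI]$attrPath
        if ([string]$attr.lDAPDisplayName -ne "msExchOriginatingForest") {
            $problems += "unexpected lDAPDisplayName: $($attr.lDAPDisplayName)"
        }
        if ([string]$attr.attributeID -ne "1.2.840.113556.1.4.7000.102.50300") {
            $problems += "unexpected attributeID: $($attr.attributeID)"
        }
        if ([string]$attr.isSingleValued -ne "False") {
            $problems += "attribute should be multi-valued (isSingleValued FALSE)"
        }
    }

    # 2. Each class the .ldf modifies lists the attribute in mayContain
    foreach ($class in "Contact", "Group", "User") {
        $cls = [ADSI]"LDAP://$Server/CN=$class,$SchemaDn"
        $may = @($cls.mayContain)
        if ($may -notcontains "msExchOriginatingForest") {
            $problems += "class $class does not list msExchOriginatingForest in mayContain"
        }
    }

    if ($problems.Count -eq 0) {
        Write-Host "Schema extension verified under $SchemaDn"
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# On CPANDL-DC:
#   Test-OriginatingForestSchema -Server cpandl-dc `
#       -SchemaDn "CN=Schema,CN=Configuration,DC=CPANDL,DC=COM"
# On TREY-DC:
#   Test-OriginatingForestSchema -Server trey-dc `
#       -SchemaDn "CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET"
```

If the mayContain check fails immediately after ldifde reported success, the domain controller's schema cache may not have refreshed yet; retry after a few minutes.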

Create contact objects and distribution groups

Active Directory contact objects are used to tell the AD RMS cluster the forest in which the user account resides. Similarly, distribution groups are used to tell the AD RMS cluster the forest in which the group resides. You must create contact objects and distribution groups in each forest for every user and group that will be used with AD RMS. In this guide, you create contact objects for Nicole Holliday and Terrence Philip, and distribution groups for the Employees group in each forest.
Create the contact objects by using the following procedure.
To create an Active Directory contact object for the cpandl.com domain
1. Log on to CPANDL-DC as cpandl\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. Click View, and then click Advanced Features.
4. Expand cpandl.com, right-click Users, point to New, and then click Contact.
5. In the Full Name and Display name boxes, type Terrence Philip, and then click OK.
6. Open the Users folder, and then double-click the Terrence Philip contact object.
7. In the E-mail box, type tphilip@treyresearch.net, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes box, and then click Edit.
9. In the Value to add box, type treyresearch.net, click Add, and then click OK.
10. Click OK to close the Terrence Philip properties sheet.

Next, create the contact objects in the Trey Research domain.
To create an Active Directory contact object for the treyresearch.net domain
1. Log on to TREY-DC as treyresearch\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. Click View, and then click Advanced Features.
4. Expand treyresearch.net, right-click Users, point to New, and then click Contact.
5. In the Full Name and Display name boxes, type Nicole Holliday, and then click OK.
6. Open the Users folder, and then double-click the Nicole Holliday contact object.
7. In the E-mail box, type nhollida@cpandl.com, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes box, and then click Edit.
9. In the Value to add box, type cpandl.com, click Add, and then click OK.
10. Click OK to close the Nicole Holliday properties sheet.

Next, create the distribution groups and assign the appropriate msExchOriginatingForest schema attribute value to each group.
To create the Trey Research Employees distribution group for the cpandl.com domain
1. Log on to CPANDL-DC as cpandl\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. Click View, and then click Advanced Features.
4. Expand cpandl.com, right-click Users, point to New, and then click Group.
5. In the Group name box, type Trey Research Employees, click the Universal option, click the Distribution option, and then click OK.
6. Open the Users folder, and then double-click the Trey Research Employees distribution group.
7. In the E-mail box, type employees@treyresearch.net, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes box, and then click Edit.
9. In the Value to add box, type treyresearch.net, click Add, and then click OK.
10. Click OK to close the Trey Research Employees properties sheet.

Finally, create the distribution group in the Trey Research domain and assign the appropriate msExchOriginatingForest schema attribute value to it.
To create the CPANDL Employees distribution group for the treyresearch.net domain
1. Log on to TREY-DC as treyresearch\Administrator.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. Click View, and then click Advanced Features.
4. Expand treyresearch.net, right-click Users, point to New, and then click Group.
5. In the Group name box, type CPANDL Employees, click the Universal option, click the Distribution option, and then click OK.
6. Open the Users folder, and then double-click the CPANDL Employees distribution group.
7. In the E-mail box, type employees@cpandl.com, and then click Apply.
8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes box, and then click Edit.
9. In the Value to add box, type cpandl.com, click Add, and then click OK.
10. Click OK to close the CPANDL Employees properties sheet.
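The four procedures above create the same two kinds of object in each forest: a contact that carries the other forest's user e-mail address and an msExchOriginatingForest value, and a universal distribution group that does the same for the other forest's group. The following Windows PowerShell functions are an added example and are not part of the original guide; they create those objects through ADSI and then list every object in the domain that has msExchOriginatingForest set, which is a quick way to confirm that every cross-forest user and group you intend to use with AD RMS has been covered. The script assumes Windows PowerShell 2.0 or later and is run on the domain controller of the forest where the objects are created; the example calls use the cpandl.com values from the guide.

```powershell
# Added example (not from the guide): create the cross-forest contact and
# distribution group with ADSI, then list all objects that carry the
# msExchOriginatingForest attribute. Run on CPANDL-DC (values below) or on
# TREY-DC with the treyresearch.net values.

function New-OriginatingForestContact {
    param(
        [string]$ContainerPath,    # e.g. LDAP://CN=Users,DC=CPANDL,DC=COM
        [string]$DisplayName,      # e.g. Terrence Philip
        [string]$Mail,             # the user's address in the other forest
        [string]$OriginatingForest # DNS name of the forest the user lives in
    )
    $container = [ADSI]$ContainerPath
    $c = $container.Create("contact", "CN=$DisplayName")
    $c.Put("displayName", $DisplayName)
    $c.Put("mail", $Mail)
    $c.Put("msExchOriginatingForest", $OriginatingForest)
    $c.SetInfo()
    return $c.Path
}

function New-OriginatingForestDistributionGroup {
    param(
        [string]$ContainerPath,
        [string]$Name,             # e.g. Trey Research Employees
        [string]$Mail,
        [string]$OriginatingForest
    )
    $container = [ADSI]$ContainerPath
    $g = $container.Create("group", "CN=$Name")
    $g.Put("sAMAccountName", $Name)
    # groupType 8 = universal scope without the 0x80000000 security bit,
    # i.e. a universal distribution group, as step 5 of the procedure selects.
    $g.Put("groupType", 8)
    $g.Put("mail", $Mail)
    $g.Put("msExchOriginatingForest", $OriginatingForest)
    $g.SetInfo()
    return $g.Path
}

function Get-OriginatingForestObjects {
    param([string]$SearchRoot)     # e.g. LDAP://DC=CPANDL,DC=COM
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    $searcher.Filter = "(msExchOriginatingForest=*)"
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@("distinguishedName", "mail", "msExchOriginatingForest"))
    foreach ($r in $searcher.FindAll()) {
        $mail = ""
        if ($r.Properties["mail"].Count -gt 0) { $mail = [string]$r.Properties["mail"][0] }
        $forests = @($r.Properties["msexchoriginatingforest"] | ForEach-Object { [string]$_ })
        New-Object PSObject -Property @{
            DN     = [string]$r.Properties["distinguishedname"][0]
            Mail   = $mail
            Forest = [string]::Join(", ", [string[]]$forests)
        }
    }
}

# Example calls with the guide's cpandl.com values:
$users = "LDAP://CN=Users,DC=CPANDL,DC=COM"
New-OriginatingForestContact $users "Terrence Philip" "tphilip@treyresearch.net" "treyresearch.net"
New-OriginatingForestDistributionGroup $users "Trey Research Employees" "employees@treyresearch.net" "treyresearch.net"
Get-OriginatingForestObjects "LDAP://DC=CPANDL,DC=COM" | Format-Table DN, Mail, Forest -AutoSize
```

Every object listed should name the forest where the real account or group lives, not the forest you are querying; an entry pointing at the local forest is a configuration error.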


Step 3: Verifying AD RMS Functionality


The AD RMS client is included in the default installation of Windows Vista and Windows Server 2008. Previous versions of the client are available for download for some earlier versions of the Windows operating systems. For more information, see the Windows Server 2003 Rights Management Services page in the Microsoft Windows Server TechCenter (http://go.microsoft.com/fwlink/?LinkId=68637).
Before you can publish or consume rights-protected content on Windows Vista, you must add the AD RMS cluster URLs for each forest to the Internet Explorer Local Intranet security zone on the AD RMS client computers. This is required to ensure that your credentials are automatically passed from Microsoft Office Word to the AD RMS Web services.
To add AD RMS cluster URLs to the Internet Explorer Local Intranet security zone
1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida).
2. Click Start, click Control Panel, click Network and Internet, and then click Internet Options.
3. Click the Security tab, and then click Local Intranet.
4. Click Sites, and then click Advanced.
5. In the Add this website to the zone box, do the following:
a. Type https://adrms-srv.cpandl.com, and then click Add.
b. Type https://trey-adrms.treyresearch.net, and then click Add.
6. Repeat steps 1 through 5 on ADRMS-CLNT2 for Terrence Philip (treyresearch\tphilip).
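The Internet Options dialog stores these zone assignments per user in the registry, so the same change can be scripted and checked. The following Windows PowerShell script is an added example and is not part of the original guide; it assumes Windows PowerShell 2.0 or later, is run in the session of the user whose zone settings should change (Nicole Holliday on ADRMS-CLNT, Terrence Philip on ADRMS-CLNT2), and maps only the https scheme of each cluster host, matching the URLs the procedure enters.

```powershell
# Added example (not from the guide): add the two AD RMS cluster URLs to the
# Local Intranet zone (zone 1) for the current user by writing the ZoneMap
# entries that the Internet Options dialog writes, then read them back.

$zoneMapRoot   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
$LocalIntranet = 1   # zone number for Local Intranet

function Get-ZoneMapKey {
    param([string]$FullyQualifiedHost)   # e.g. adrms-srv.cpandl.com
    # Internet Explorer stores host.domain.tld as Domains\domain.tld\host
    $labels    = $FullyQualifiedHost.Split(".")
    $hostLabel = $labels[0]
    $domain    = [string]::Join(".", [string[]]$labels[1..($labels.Length - 1)])
    return Join-Path (Join-Path $zoneMapRoot $domain) $hostLabel
}

function Add-LocalIntranetHttpsSite {
    param([string]$FullyQualifiedHost)
    $key = Get-ZoneMapKey $FullyQualifiedHost
    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
    # One value per scheme; only https is mapped, as in the procedure
    Set-ItemProperty -Path $key -Name "https" -Value $LocalIntranet -Type DWord
    return $key
}

function Test-LocalIntranetHttpsSite {
    param([string]$FullyQualifiedHost)
    $key = Get-ZoneMapKey $FullyQualifiedHost
    if (-not (Test-Path $key)) { return $false }
    $value = Get-ItemProperty -Path $key -Name "https" -ErrorAction SilentlyContinue
    return ($value -ne $null -and $value.https -eq $LocalIntranet)
}

foreach ($h in "adrms-srv.cpandl.com", "trey-adrms.treyresearch.net") {
    $null = Add-LocalIntranetHttpsSite $h
    Write-Host ("{0} in Local Intranet (https): {1}" -f $h, (Test-LocalIntranetHttpsSite $h))
}
```

If the Site to Zone Assignment List Group Policy setting is applied to the client, Internet Explorer uses the policy's list instead of the per-user entries, and the sites must be added there.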

To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday, create a Microsoft Word 2007 document, and then restrict permissions on it so that Terrence Philip is able to read the document but is unable to change, print, or copy it. You then log on as Terrence Philip and verify that he can read the document but do nothing else with it.
To restrict permissions on a Microsoft Word document
1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida).
2. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.
3. Type Only Terrence Philip can read this document, but cannot change, print, or copy it. Click the Microsoft Office Button, point to Prepare, point to Restrict Permission, and then click Restricted Access.
4. Select the Restrict permission to this document check box.
5. In the Read text box, type tphilip@treyresearch.net, and then click OK to close the Permission dialog box.
6. Click the Microsoft Office Button, click Save As, and then save the file as \\adrms-db\public\ADRMS-TST.docx.
7. Log off as Nicole Holliday.

Finally, log on as Terrence Philip on ADRMS-CLNT2 in the TREYRESEARCH.NET domain and attempt to open the document, ADRMS-TST.docx.
To view a protected document
1. Log on to ADRMS-CLNT2 as Terrence Philip (TREYRESEARCH\tphilip).
2. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.
3. Click the Microsoft Office Button, click Open, and then type \\adrms-db\public\ADRMS-TST.docx. If you are prompted for credentials, use those of CPANDL\Administrator to allow Terrence Philip to access the document in its location in the cpandl forest.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permissions."
4. Click OK.
The following message appears: "Verifying your credentials for opening content with restricted permissions".
5. When the document opens, click Microsoft Office Button. Notice that the Print option is not available.
6. Click View Permission in the message bar. You should see that Terrence Philip has been restricted to being able only to read the document.
7. Click OK to close the My Permissions dialog box, and then close Microsoft Word.
8. Log off as Terrence Philip.

You have successfully deployed and demonstrated the functionality of using AD RMS across forests, using the simple scenario of applying restricted permissions to a Microsoft Word 2007 document. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.
