1 – Let's start by creating the AD RMS service account on the domain controller (service account: Microsoft recommends using a standard domain user account with additional permissions; you can also use a managed service account as the AD RMS service account).
2 – On the DC01 server, open Active Directory Users & Computers and create a new OU called Service Accounts…
3 – Next, create a new user called ADRMSVC with a complex password…
4 – Next, create a new group in the Users container called ADRMS_SuperUsers, and create another group called Executives…
5 – Next, add a few users to the Executives group; for this demo I chose 4 of my Marketing users to join the Executives group…
6 – Next, still on the DC01 server, open DNS Manager and add a new host called adrms with the SVR01 IP address. In DNS Manager, right-click Comsys.local and click New Host (A or AAAA)…
7 – In the New Host box, enter the following information, and then click Add Host:
– Name: adrms
– IP address: 10.10.0.30
Click OK, and then click Done…
Orait, we have now successfully added the new ADRMS users & groups to AD and also configured DNS so that the new ADRMS resource record is created.
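The same steps 1–7 done from PowerShell on DC01, as an added example that is not part of the original post; it assumes the ActiveDirectory and DnsServer modules are available on DC01 and the four Marketing user names are constructed placeholders:

```powershell
# Added example (not from the original post): automates steps 1-7 on DC01.
# Assumes the RSAT ActiveDirectory and DnsServer modules are installed on DC01.
Import-Module ActiveDirectory
Import-Module DnsServer

$domainDN = 'DC=comsys,DC=local'

# Step 2: OU for service accounts
New-ADOrganizationalUnit -Name 'Service Accounts' -Path $domainDN

# Step 3: the AD RMS service account (a standard user, prompted for a complex password)
New-ADUser -Name 'ADRMSVC' -SamAccountName 'ADRMSVC' `
    -UserPrincipalName 'ADRMSVC@comsys.local' `
    -Path "OU=Service Accounts,$domainDN" `
    -AccountPassword (Read-Host -AsSecureString 'ADRMSVC password') `
    -Enabled $true

# Step 4: super users group and the Executives group, both in the Users container
foreach ($g in 'ADRMS_SuperUsers', 'Executives') {
    New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
        -GroupCategory Security -Path "CN=Users,$domainDN"
}

# Step 5: the four Marketing users (constructed sample names; substitute your own)
$executives = 'mkt.user1', 'mkt.user2', 'mkt.user3', 'mkt.user4'
Add-ADGroupMember -Identity 'Executives' -Members $executives

# Steps 6-7: the adrms host (A) record pointing at SVR01
Add-DnsServerResourceRecordA -ZoneName 'comsys.local' -Name 'adrms' -IPv4Address '10.10.0.30'

# Verify: the record resolves and the objects look the way the wizard expects
Resolve-DnsName -Name 'adrms.comsys.local' -Type A
Get-ADGroupMember -Identity 'Executives' | Select-Object SamAccountName
Get-ADUser -Identity 'ADRMSVC' | Select-Object SamAccountName, Enabled, DistinguishedName
```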
8 – Next, log in to SVR01.comsys.local to install and configure the AD RMS server role…
Open Server Manager, click Manage, and then click Add Roles and Features. In the Add Roles and Features Wizard, click Next 3 times…
9 – Then click Next 4 times…
10 – Next, click Install to proceed…
11 – Click Close when the installation is successful…
12 – Next, on the All Servers Task Details page, click Perform Additional Configuration…
13 – In the AD RMS Configuration: SVR01.comsys.local box, click Next…
14 – On the AD RMS Cluster box, click Create a new AD RMS root cluster, and then click Next…
15 – On the Configuration Database box, click Use Windows Internal Database on this server, and then click Next to proceed…
16 – On the Service Account page, click Specify, then in the Windows Security box enter ADRMSVC as the username and enter the password, then click OK and Next…
17 – On the Cryptographic Mode box, click Cryptographic Mode 2, and then click Next…
18 – On the Cluster Key Storage box, click Use AD RMS centrally managed key storage, and then click Next…
19 – On the Cluster Key Password box, enter the password and then click Next…
20 – On the Cluster Web Site box, verify that Default Web Site is selected, and then click Next…
21 – On the Cluster Address box, provide the following information, and then click Next to proceed:
– Connection Type: Use an unencrypted connection (http://)
– Fully Qualified Domain Name: comsys.local
– Port: 80
22 – On the Licensor Certificate box, type Comsys ADRMS, and then click Next…
23 – On the SCP Registration box, click Register the SCP now, and then click Next to proceed…
24 – Click Install, and then click Close when the installation is successful…
25 – Next, open Internet Information Services (IIS) Manager…
26 – In Internet Information Services (IIS) Manager, expand Sites\Default Web Site and click _wmcs, then under /_wmcs Home, double-click Authentication…
27 – Then right-click Anonymous Authentication and click Enable…
28 – In the Connections pane, expand _wmcs and click licensing and double-click Authentication…
29 – Right-click Anonymous Authentication and click Enable, then close IIS Manager…
** You must sign out before you can manage AD RMS…
Next, let's configure the AD RMS super users group for SVR01…
30 – In Server Manager, click Tools, and then click Active Directory Rights Management Services…
31 – In the Active Directory Rights Management Services console, expand the SVR01 node, and then click Security Policies…
32 – In the Security Policies area, under Super Users, click Change super user group…
33 – In the Super Users box, in the Super user group text box, type ADRMS_Superusers@comsys.local, and then click OK…
Orait guyz.. we're done for now.. anyway we still have a long way to go to set up & configure our ADRMS server…
ADRMS rights policy template configuration…
1 – On the SVR01 server, open the Active Directory Rights Management Services console, click the Rights Policy Templates node, and then in the Actions pane, click Create Distributed Rights Policy Template…
2 – In the Create Distributed Rights Policy Template Wizard, on the Add Template Identification Information box, click Add…
3 – On the Add New Template Identification Information box, enter the following information, then click Add and click Next to proceed…
— Language: English (United States)
— Name: ReadOnly
4 – On the Add User Rights box, click Add, then on the Add User or Group page, type executives@comsys.local and then click OK to proceed…
5 – When executives@comsys.local is selected, under Rights, click View. Verify that Grant owner (author) full control right with no expiration is selected, and then click Next…
6 – On the Specify Expiration Policy box, choose the following settings and then click Next:
— Content Expiration: Expires after the following duration (days): 14
— Use license expiration: Expires after the following duration (days): 14
7 – On the Specify Extended Policy box, click Require a new use license every time content is consumed (disable client-side caching), click Next, and then click Finish…
Next step, let's configure the rights policy template distribution…
8 – On the SVR01 server, open Windows PowerShell, and type: New-Item c:\RMSTemplates -ItemType Directory
9 – Next, type: New-SmbShare -Name RMSTEMPLATES -Path c:\RMSTemplates -FullAccess Comsys\ADRMSVC
10 – Next, type: New-Item c:\DocShare -ItemType Directory
11 – Next, type: New-SmbShare -Name docshare -Path c:\DocShare -FullAccess Everyone
12 – Exit PowerShell and open Active Directory Rights Management Services console.
On the ADRMS console, click the Rights Policy Templates node, and in the Distributed Rights Policy Templates area, click Change distributed rights policy templates file location, then in the Rights Policy Templates dialog box, click Enable Export…
13 – Next, in the Specify Templates File Location (UNC), type \\svr01\RMSTEMPLATES, and then click OK…
14 – Next, open Windows Explorer and navigate to the C:\rmstemplates folder, and verify that ReadOnly.xml is present…
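Steps 8–11 as one script on SVR01, followed by checks for who was granted access on each share and for the ReadOnly.xml export from step 14; this is an added example, not code from the original post:

```powershell
# Added example (not from the original post): steps 8-11 on SVR01, plus checks for steps 13-14.
Import-Module SmbShare

# Steps 8-9: template export folder, shared to the AD RMS service account only
New-Item -Path 'C:\RMSTemplates' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'RMSTEMPLATES' -Path 'C:\RMSTemplates' -FullAccess 'Comsys\ADRMSVC'

# Steps 10-11: document share used for the demo
New-Item -Path 'C:\DocShare' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'docshare' -Path 'C:\DocShare' -FullAccess 'Everyone'

# Review exactly which accounts got which rights on the two shares
Get-SmbShareAccess -Name 'RMSTEMPLATES', 'docshare' |
    Format-Table Name, AccountName, AccessControlType, AccessRight

# Step 14: after Enable Export and the UNC path are set in the console (steps 12-13),
# the distributed template should have been written to the export folder
$template = 'C:\RMSTemplates\ReadOnly.xml'
if (Test-Path $template) {
    Get-Item $template | Select-Object Name, Length, LastWriteTime
} else {
    Write-Warning "ReadOnly.xml not found yet; re-check the export location \\svr01\RMSTEMPLATES"
}
```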
15 – Next, on the ADRMS Console, click the Exclusion Policies node, and then click Manage application exclusion list…
16 – In the Actions pane, click Enable Application Exclusion…
17 – In the Actions pane, click Exclude Application and enter the following information, and then click Finish:
— Application File name: Powerpnt.exe
— Minimum version: 14.0.0.0
— Maximum version: 16.0.0.0
Orait, we're done for now, we have successfully configured the AD RMS templates.. remember that we still have a long way to go to complete our ADRMS configuration.
Wait for my next post, part 3.. which is AD RMS Trust Policies implementation. :-)