• Administering AD RMS
Identity Federation Support: Active Directory® Federation Services (AD FS) help safeguard data across AD FS trusts
All RMS-enabled applications
Comparing Technologies Used to Protect Information
Technologies compared: AD RMS; Secure/Multipurpose Internet Mail Extension (S/MIME) Encryption; S/MIME Signing; Access control lists (ACLs); Encrypting File System (EFS)
Feature: Differentiates permissions by a user
Feature: Prevents unauthorized viewing
* With some limitations
[Diagram: AD RMS components. AD RMS Root Cluster; AD RMS Licensing-only Cluster; Web Server (IIS); Active Directory® Domain Services (AD DS); SQL Server™ (Configuration and Logging databases); AD RMS Clients]
AD RMS Certificates and Licenses
Server Licensor Certificate
Created when the AD RMS server role is installed and configured on the first server of an AD RMS root cluster.
Machine Certificate
Identifies a trusted computer and contains the unique public key for that machine; issued on a per-user, per-computer basis.
Publishing License
Sets the policy for acquiring a use license for rights-protected information.
Use License
Grants an authorized user with a valid RAC the rights to consume rights-protected information, based on the policy established in the publishing license.
Overview of AD RMS Workflow
[Diagram: Publishing and Consuming workflow, steps 1 to 9]
• Preinstallation Considerations
Install AD RMS on a member server in the same domain as the user accounts that will participate in AD RMS.
Make the account used to install AD RMS a member of the Enterprise Admins group or equivalent if the service connection point is to be registered during installation.
Create a DNS alias (CNAME) record for the AD RMS cluster URL, and a CNAME record for the computer hosting the configuration database.
Obtain a Secure Sockets Layer (SSL) certificate from a trusted Certification Authority if secure communication to and from the AD RMS cluster is required.
AD RMS System Requirements
Hardware Requirements
                  Required                              Recommended
Processor         One Pentium 4 (3 GHz or higher)       Two Pentium 4 processors (3 GHz or higher)
RAM               512 MB                                1024 MB
Free disk space   40 GB                                 80 GB
Software Requirements
Software           Requirement
Operating System   Windows Server® 2008
AD RMS rights policy templates are configured as distributed or archived templates.
Demonstration: How To Create a Rights Policy Template
• To configure a distributed rights policy template
2. Use the AD RMS console to export the templates to the folder location.
3. Deploy the exported templates to a local folder on each client.
4. Modify the client registry to specify where to find the policy templates on the client.
User IDs
Applications
Lockbox versions
Windows® versions
Lesson 4: Implementing AD RMS Trust Policies
• Methods of Defining Trust Policies
Trusted user
domains
Trusted publishing
domains
Windows Live™ ID
Federated Trust
Overview of Trusted User Domain Interaction
[Diagram: Contoso and Northwind Traders]
1. Contoso sends its Server Licensor Certificate (SLC) to Northwind Traders.
2. Northwind Traders imports the SLC.
3. Alice@nwtraders.msft sends RM content to Bob@contoso.com.
4. Bob@contoso.com sends the PL and RAC with a request for a UL from Northwind Traders.
Overview of Trusted Publishing Domain Interaction
[Diagram: Northwind Traders and Contoso]
1. Northwind Traders exports its private key and SLC.
2. Contoso imports the private key and SLC.
3. Alice@nwtraders.msft sends RM content to Bob@contoso.com.
4. Bob@contoso.com sends the PL and RAC with a request for a UL from Northwind Traders.
5. Contoso uses the imported private key to decrypt the PL and issues the UL.
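To make the trusted user domain and trusted publishing domain interactions above concrete, here is an added Python model (not part of the course material) of how a licensing cluster decides a use-license request in each case. The cluster names, key values, the XOR "seal" and the dict-shaped SLC, RAC, PL and UL are constructed stand-ins; a real SLC is a certificate with an RSA key pair.

```python
import hashlib
from dataclasses import dataclass, field

def _seal(secret: bytes, data: bytes) -> bytes:
    """Toy symmetric seal (XOR with a hash-derived pad) standing in for the SLC key pair."""
    pad = hashlib.sha256(secret).digest()         # data must be at most 32 bytes
    return bytes(a ^ b for a, b in zip(data, pad))

@dataclass
class Cluster:
    slc: str                                      # SLC modelled by an identifier, e.g. "SLC:contoso"
    private_key: bytes                            # the SLC's private key (constructed value)
    trusted_user_domains: set = field(default_factory=set)  # SLCs imported through a TUD
    imported_keys: dict = field(default_factory=dict)       # TPD: foreign SLC -> private key

    def issue_publishing_license(self, policy: dict, content_key: bytes) -> dict:
        # Only a holder of this cluster's private key can recover the content key from the PL.
        return {"issuer": self.slc, "policy": policy,
                "sealed_key": _seal(self.private_key, content_key)}

    def import_tud(self, other: "Cluster") -> None:
        self.trusted_user_domains.add(other.slc)  # accept RACs issued by `other`

    def import_tpd(self, other: "Cluster") -> None:
        self.imported_keys[other.slc] = other.private_key  # can now open every PL `other` issued

    def request_use_license(self, pl: dict, rac: dict):
        """Return (use_license, reason); use_license is None when the request is refused."""
        key = self.private_key if pl["issuer"] == self.slc else self.imported_keys.get(pl["issuer"])
        if key is None:
            return None, "cannot decrypt PL: no private key for its issuer (no TPD imported)"
        if rac["issuer"] != self.slc and rac["issuer"] not in self.trusted_user_domains:
            return None, "RAC issuer is neither this cluster nor a trusted user domain"
        if rac["user"] not in pl["policy"]:
            return None, "user has no rights in the publishing license"
        return {"user": rac["user"], "rights": pl["policy"][rac["user"]],
                "content_key": _seal(key, pl["sealed_key"])}, "ok"

def run_scenarios() -> dict:
    # Alice (Northwind Traders) protects content for Bob (Contoso), as in the two diagrams.
    nwt, contoso = Cluster("SLC:nwtraders", b"nwt-secret"), Cluster("SLC:contoso", b"contoso-secret")
    content_key = b"constructed-content-key"
    pl = nwt.issue_publishing_license({"bob@contoso.com": ["view"]}, content_key)
    bob_rac = {"user": "bob@contoso.com", "issuer": contoso.slc}   # RAC issued by Contoso
    out = {"no_trust": nwt.request_use_license(pl, bob_rac)[1]}
    nwt.import_tud(contoso)                       # TUD: Northwind imports Contoso's SLC
    out["tud_at_nwt"] = nwt.request_use_license(pl, bob_rac)[1]
    out["tud_at_contoso"] = contoso.request_use_license(pl, bob_rac)[1]
    contoso.import_tpd(nwt)                       # TPD: Contoso imports Northwind's key and SLC
    ul, out["tpd_at_contoso"] = contoso.request_use_license(pl, bob_rac)
    out["key_recovered"] = ul is not None and ul["content_key"] == content_key
    return out
```

The TPD case shows why importing a publishing domain is a much larger grant of trust than importing a user domain: with Northwind's private key, Contoso can open any publishing license Northwind ever issued, not just the ones addressed to its users.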
Demonstration: How To Configure Trust Policies
• To export a trusted user domain certificate
Domain: woodgrovebank
Password: Pa$$w0rd
Estimated time: 60 minutes