
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Module 6: Configuring AD RMS
• Overview of AD RMS

• Installing and Configuring AD RMS Server Components

• Administering AD RMS

• Implementing AD RMS Trust Policies


Lesson 1: Overview of AD RMS
• How Access Management Is Enforced by Using AD RMS

• Usage Scenarios of AD RMS

• Comparing Technologies Used to Protect Information

• Identifying AD RMS Components

• AD RMS Certificates and Licenses

• Overview of AD RMS Workflow

• How Files Are Protected by Using AD RMS


How Access Management Is Enforced by Using AD RMS
AD RMS enforces access management by:
• Establishing trusted participants within the AD RMS system
• Assigning persistent usage rights and conditions on how a trusted participant can use protected information
• Encrypting information and allowing access only to users that have the required components and rights to open and view the information

Types of information that can be protected include:
• Sensitive documents such as plans, proposals, and reports
• E-mail messages
• Content stored in AD RMS-aware intranet services
Usage Scenarios for AD RMS

Usage Scenario | Application | Features
Secure Confidential Files | Microsoft® Office: Word®, Excel®, PowerPoint® | Set rights (View, Change, Print); set validity period
Do-Not-Forward/Print E-Mail Message | Microsoft® Office Outlook®; Microsoft® Exchange Server 2007 Service Pack 1 (SP1) | Help protect sensitive e-mail messages from being sent to the Internet; help protect confidential e-mail messages from being taken outside the company; Rights Management Services (RMS) prelicensing agent (Exchange Server 2007 SP1)
Help Safeguard Intranet Content | Microsoft® Office SharePoint® Services | Help safeguard intranet content by restricting access to View, Change, and Print
Identity Federation Support | All RMS-enabled applications; Active Directory® Federation Services (AD FS) | Help safeguard data across AD FS trusts
Comparing Technologies Used to Protect Information

Technologies compared: AD RMS; Secure/Multipurpose Internet Mail Extension (S/MIME) Encryption; S/MIME Signing; Access control lists (ACLs); Encrypting File System (EFS)

Features compared (the original table marks which technology provides each feature; the marks are not reproduced here, only the feature rows):
• Attests to the identity of the publisher
• Differentiates permissions by a user
• Prevents unauthorized viewing
• Encrypts protected content
• Offers content expiration
• Controls content reading, modifying, or printing by user *
• Extends protection beyond initial publication *

* With some limitations
Identifying AD RMS Components

Diagram: components of an AD RMS deployment
• AD RMS root cluster
• AD RMS licensing-only cluster
• Web server (IIS)
• Active Directory® Domain Services (AD DS)
• SQL Server™: configuration database and logging data
• AD RMS clients
AD RMS Certificates and Licenses
Server Licensor Certificate (SLC)
Gets created when the AD RMS server role is installed and configured on the first server of an AD RMS root cluster; contains the public key of the cluster.

Machine Certificate
Identifies a trusted computer and contains the unique public key for that machine's lockbox, on a per-user, per-computer basis.

Rights Account Certificate (RAC)
Names a trusted user identity by using the e-mail address or SID of the user, on a per-user basis.

Client Licensor Certificate (CLC)
Names a trusted user that is authorized to publish RMS-protected information without requiring connectivity to an RMS server; issued per user on a computer.

Publishing License (PL)
Sets the policy for acquiring a use license for rights-protected information.

Use License (UL)
Grants an authorized user with a valid RAC the right to consume rights-protected information, based on the policy established in the publishing license.
Overview of AD RMS Workflow

Diagram: the Information Author (publishing) and the Information Recipient (consuming) exchange requests with the AD RMS Cluster, which is backed by the Database Server and Active Directory®; the exchange is numbered 1 to 9 in the diagram.
How Files Are Protected by Using AD RMS

Publishing License: gets created when the file is protected. Contains the rights information (the e-mail addresses of the authorized users and their rights) and the content key, encrypted with the public key of the server.

Use License: gets added to the file after the server licenses a user to open it. Contains the rights information and the content key, encrypted with the public key of the user.

Content: the content of the file, such as text, pictures, and media, encrypted with a 128-bit AES symmetric encryption key (the content key).

E-mail URLs are stored in the local RMS license cache, not in e-mail messages directly.
Lesson 2: Installing and Configuring AD RMS
Server Components
• AD RMS Deployment Scenarios

• Preinstallation Considerations

• AD RMS System Requirements

• How to Install the First Server of an AD RMS Cluster

• What Is a Service Connection Point?

• Implementing an AD RMS Client

• Configuring Client Service Discovery


AD RMS Deployment Scenarios
• Deploying AD RMS in a single forest
• Deploying an AD RMS licensing-only cluster
• Deploying AD RMS in a multi-forest environment
• Deploying AD RMS in an extranet
• Deploying AD RMS with AD FS
Preinstallation Considerations
Consider the following points before deploying AD RMS:
• Install AD RMS on a member server in the same domain as the user accounts that will participate in AD RMS.
• Determine whether to use an external database or the internal database provided by Windows Server® 2008.
• Create a specific AD RMS service account with standard user permissions.
• Make the account used to install AD RMS a member of the Enterprise Admins group or equivalent, if the service connection point is to be registered during installation.
• Create a DNS alias (CNAME) record for the AD RMS cluster URL, and a CNAME record for the computer hosting the configuration database.
• Obtain a Secure Sockets Layer (SSL) certificate from a trusted certification authority, if secure communication to and from the AD RMS cluster is required.
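The checks below turn the considerations above into a preflight script, added here as an example and not part of the course module. It runs on the domain-joined member server that will host AD RMS and uses ADSI only, so it needs no extra modules on Windows Server 2008. The cluster alias rms.adatum.com, the database alias rmsdb.adatum.com and the service account svc-adrms are assumed names chosen for the example.

```powershell
# Added example: AD RMS preinstallation checks (names below are assumptions).
$ClusterAlias   = 'rms.adatum.com'      # assumed CNAME for the AD RMS cluster URL
$DatabaseAlias  = 'rmsdb.adatum.com'    # assumed CNAME for the configuration database host
$ServiceAccount = 'svc-adrms'           # assumed AD RMS service account (standard user)

function Find-AdObject([string]$Filter, [string[]]$Properties) {
    # LDAP search in the current domain via ADSI; output is one SearchResult per hit.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindAll()
}

# 1. DNS aliases: both CNAMEs must resolve before the cluster URL is chosen.
foreach ($alias in $ClusterAlias, $DatabaseAlias) {
    try {
        $entry = [System.Net.Dns]::GetHostEntry($alias)
        Write-Host ("OK   {0} -> {1} ({2})" -f $alias, $entry.HostName, ($entry.AddressList -join ', '))
    } catch {
        Write-Warning "DNS: $alias does not resolve; create the CNAME record first"
    }
}

# 2. Service account: must exist and must not be a privileged account.
$svc = @(Find-AdObject "(&(objectCategory=person)(sAMAccountName=$ServiceAccount))" 'memberOf','userAccountControl')
if ($svc.Count -eq 0) {
    Write-Warning "Service account $ServiceAccount not found; create it as a standard domain user"
} else {
    $groups     = @($svc[0].Properties['memberof'])
    $privileged = $groups | Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Schema Admins),' }
    if ($privileged) { Write-Warning "Service account is a member of: $($privileged -join '; ')" }
    else             { Write-Host "OK   $ServiceAccount exists and is not in a built-in admin group" }
    # userAccountControl bit 0x10000 = password never expires, which a service account normally needs.
    $uac = [int]$svc[0].Properties['useraccountcontrol'][0]
    if (-not ($uac -band 0x10000)) { Write-Warning "Service account password is set to expire" }
}

# 3. Registering the SCP during setup needs Enterprise Admins (RID 519) in the installer's token.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($token.Groups | Where-Object { $_.Value -match '-519$' }) {
    Write-Host "OK   current user is an Enterprise Admin; the SCP can be registered during install"
} else {
    Write-Warning "Current user is not an Enterprise Admin; register the SCP later from the AD RMS console"
}

# 4. Every enabled user who will publish or consume content needs the mail attribute populated.
$noMail = Find-AdObject '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(mail=*)))' 'sAMAccountName' |
          ForEach-Object { $_.Properties['samaccountname'][0] }
if ($noMail) { Write-Warning "Enabled users without an e-mail address: $($noMail -join ', ')" }
else         { Write-Host "OK   all enabled user accounts have an e-mail address" }

# 5. SSL: a server certificate for the cluster name should already be in the machine store.
$cert = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*CN=$ClusterAlias*" })
if ($cert.Count -gt 0) { Write-Host "OK   certificate for $ClusterAlias found (thumbprint $($cert[0].Thumbprint))" }
else                   { Write-Warning "No certificate with CN=$ClusterAlias in LocalMachine\My" }
```

The privileged-group test is deliberately a warning rather than a hard stop: the point of a dedicated service account with standard user rights is that a compromise of the AD RMS web application does not hand over a domain administrator, so any membership in the listed groups should be removed before the role is installed.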
AD RMS System Requirements
Hardware Requirements

Required: one Pentium 4 processor (3 GHz or higher); 512 MB RAM; 40 GB free disk space
Recommended: two Pentium 4 processors (3 GHz or higher); 1024 MB RAM; 80 GB free disk space

Software Requirements

Operating System: Windows Server® 2008
File System: NTFS file system is recommended
Messaging: Message Queuing
Web Services: Internet Information Services (IIS); ASP.NET must be enabled
Active Directory® or AD DS: AD RMS must be installed in an Active Directory® domain. The domain controllers should run Windows® 2000 Server with Service Pack 3, Windows Server® 2003, or Windows Server® 2008. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory®.
Database Server: Microsoft® SQL Server™ 2005 or equivalent, and stored procedures
Demonstration: How to Install the First Server of
an AD RMS Cluster
• To use DNS to configure a CNAME for the AD RMS cluster

• To use Server Manager to install the AD RMS server role


What Is a Service Connection Point?
A service connection point (SCP):
• Provides automatic discovery of the AD RMS cluster URL
• Exists only once per Active Directory® forest
• Is registered or removed by using the AD RMS management console
• Can be viewed and modified by using ADSI Edit

In ADSI Edit the SCP is stored in the configuration partition of the forest, for example:
Configuration [SEC-DC.Adatum.com]
  CN=Configuration,DC=Adatum,DC=com
    CN=Display Specifiers
    CN=Extended-Rights
    CN=ForestUpdates
    CN=Services
      CN=MsmqServices
      CN=NetServices
      CN=Public Key Services
      CN=Rights Management Services
        CN=SCP
      CN=RRAS
      CN=Windows NT
Implementing an AD RMS Client
• The AD RMS client creates and manages the machine certificate and lockbox.
• The AD RMS client works with AD RMS-compatible applications such as the 2007 Office System.
• The AD RMS client is integrated with the Windows Vista® and Windows Server® 2008 operating systems.
• The AD RMS client is downloaded from the Microsoft® Download Center for earlier versions of Windows®.
• The AD RMS client is deployed manually or automatically by using Active Directory® Group Policy.
Configuring Client Service Discovery

AD RMS clients discover the AD RMS cluster by using the following methods:
• AD DS service connection point
• AD RMS client registry override: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation
  Activation (syntax: http(s)://<cluster>/_wmcs/certification)
  EnterprisePublishing (syntax: http(s)://<cluster>/_wmcs/licensing)

The registry override takes precedence over the SCP, so it is the way to point a client at a specific cluster, for example a licensing-only cluster or a test cluster.
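The script below reproduces the discovery order described above (registry override first, then the SCP from the previous slide) and writes the override. It is an added example, not code from the AD RMS client; the cluster URL https://rms.adatum.com is an assumed name, and deriving the licensing URL from the SCP's certification URL by swapping the pipeline name is an assumption of this example.

```powershell
# Added example: locate the AD RMS cluster the way a client does, and set the override.
$OverrideBase = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation'

function Get-AdRmsServiceLocation {
    $loc = New-Object PSObject -Property @{ Source = 'none'; Activation = $null; EnterprisePublishing = $null }

    # 1. Registry override: the (Default) value of each subkey holds the pipeline URL.
    if (Test-Path "$OverrideBase\Activation") {
        $loc.Source     = 'registry override'
        $loc.Activation = (Get-ItemProperty "$OverrideBase\Activation").'(default)'
        if (Test-Path "$OverrideBase\EnterprisePublishing") {
            $loc.EnterprisePublishing = (Get-ItemProperty "$OverrideBase\EnterprisePublishing").'(default)'
        }
        return $loc
    }

    # 2. SCP: one per forest, under CN=Services in the Configuration partition.
    $config  = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $scpPath = "LDAP://CN=SCP,CN=Rights Management Services,CN=Services,$config"
    if ([ADSI]::Exists($scpPath)) {
        $loc.Source     = 'AD DS service connection point'
        # serviceBindingInformation carries the certification URL of the root cluster.
        $loc.Activation = [string]([ADSI]$scpPath).serviceBindingInformation
        # Assumption of this example: licensing is served by the same cluster URL.
        $loc.EnterprisePublishing = $loc.Activation -replace '/_wmcs/certification$', '/_wmcs/licensing'
    }
    return $loc
}

function Set-AdRmsServiceLocationOverride([string]$ClusterUrl) {
    # Points this client at a specific cluster regardless of the SCP. Needs local admin rights
    # because the keys live under HKLM; the (Default) value of each subkey is the URL.
    $base      = $ClusterUrl.TrimEnd('/')
    $pipelines = @{ Activation = 'certification'; EnterprisePublishing = 'licensing' }
    foreach ($name in $pipelines.Keys) {
        $key = "$OverrideBase\$name"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(default)' -Value "$base/_wmcs/$($pipelines[$name])"
    }
}

# Usage (assumed cluster name); uncomment the first line to pin the client to that cluster:
# Set-AdRmsServiceLocationOverride 'https://rms.adatum.com'
Get-AdRmsServiceLocation | Format-List Source, Activation, EnterprisePublishing
```

Because the override wins over the SCP, a stale or malicious entry under the ServiceLocation key silently redirects every activation and licensing request of that computer; it is worth including these values in configuration baselines for RMS-enabled workstations.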
Lesson 3: Administering AD RMS
• AD RMS Administration Tasks

• What Is a Rights Policy Template?

• How To Create a Rights Policy Template

• Providing Rights Policy Templates for Offline Use

• What Are Exclusion Policies?


AD RMS Administration Tasks

Diagram: AD RMS administration covers three areas: rights policy templates, exclusion policies, and trust policies.
What Is a Rights Policy Template?
A rights policy template:
• Specifies the users or groups who must have rights to work with content protected by using the template
• Uses Online Certificate Status Protocol validation and revocation checking with the HTTP
• Grants rights that include Full Control, View, Edit, Save, Print, Forward, and Reply
• Is stored in the configuration database, or in a shared folder on the network for offline publishing
• Is selected by the author during document creation to apply rights to the content
• Is configured as a distributed or an archived template
Demonstration: How To Create a Rights
Policy Template
• To configure a distributed rights policy template

• To manage archived rights policy templates


Providing Rights Policy Templates for Offline Use
1. Create a shared folder on the server to be used to store the exported rights policy templates.
2. Use the AD RMS console to export the templates to the folder location.
3. Deploy the exported templates to a local folder on each client.
4. Modify the client registry to specify where to find the policy templates on the client.

Example: For Office 2007
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Common\DRM\AdminTemplatePath
Type: REG_EXPAND_SZ
Recommended Value: %allusersprofile%\Application Data\Microsoft\DRM\<templatefoldername>
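Steps 3 and 4 above, for an Office 2007 client, as an added example that is not part of the course module. It assumes the templates were exported in steps 1 and 2 to the share \\NYC-SVR1\RmsTemplates (a name chosen for this example) and uses Templates as the <templatefoldername>; the registry value is written exactly as the slide recommends.

```powershell
# Added example: deploy exported rights policy templates to an Office 2007 client.
function Install-AdRmsOfflineTemplates {
    param(
        [string]$TemplateShare      = '\\NYC-SVR1\RmsTemplates',   # assumed export share (steps 1-2)
        [string]$TemplateFolderName = 'Templates'                  # assumed <templatefoldername>
    )
    # Stored unexpanded (REG_EXPAND_SZ) so it follows the profile location; expanded here to
    # find the physical folder. On Vista and Server 2008, %ALLUSERSPROFILE% is C:\ProgramData
    # and 'Application Data' is a compatibility junction into it, which is traversable.
    $regValue    = "%allusersprofile%\Application Data\Microsoft\DRM\$TemplateFolderName"
    $localFolder = [Environment]::ExpandEnvironmentVariables($regValue)

    # Step 3: copy the exported template files (.xml) to the client.
    if (-not (Test-Path $localFolder)) { New-Item -ItemType Directory -Path $localFolder -Force | Out-Null }
    Copy-Item -Path (Join-Path $TemplateShare '*.xml') -Destination $localFolder -Force

    # Step 4: tell Office 2007 (version 12.0) where the templates are. The key is per-user,
    # so run this in the user's context or deploy it through Group Policy.
    $key = 'HKCU:\SOFTWARE\Microsoft\Office\12.0\Common\DRM'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'AdminTemplatePath' -PropertyType ExpandString `
                     -Value $regValue -Force | Out-Null

    # Report what Office will see; Get-ItemProperty returns the expanded path.
    $resolved  = (Get-ItemProperty -Path $key -Name AdminTemplatePath).AdminTemplatePath
    $templates = @(Get-ChildItem -Path $resolved -Filter *.xml -ErrorAction SilentlyContinue)
    Write-Host ("AdminTemplatePath = {0} ({1} template file(s))" -f $resolved, $templates.Count)
}

Install-AdRmsOfflineTemplates
```

Keep the local template folder writable only by administrators: a user who can edit the XML can weaken the rights a template grants for documents they publish offline, even though the server still enforces the real policy when a use license is requested.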
What Are Exclusion Policies?

Exclusion policies prevent compromised principals from acquiring new use licenses; however, existing licenses already held by excluded principals remain valid.

Administrators can exclude the following principals:
• User IDs
• Applications
• Lockbox versions
• Windows® versions
Lesson 4: Implementing AD RMS Trust Policies
• Methods of Defining Trust Policies

• Overview of Trusted User Domain Interaction

• Overview of Trusted Publishing Domain Interaction

• How To configure Trust Policies

• Deploying AD RMS with AD FS


Methods of Defining Trust Policies

Trust policies allow an AD RMS cluster to process licensing requests for content that was rights-protected by another AD RMS cluster.

Trust policies can be defined for the following:
• Trusted user domains
• Trusted publishing domains
• Windows Live™ ID
• Federated trust
Overview of Trusted User Domain Interaction

Diagram: Contoso and Northwind Traders
1. Contoso sends its SLC to Northwind Traders.
2. Northwind Traders imports the Server Licensor Certificate (SLC).
3. Alice@nwtraders.msft sends RM-protected content to Bob@contoso.com.
4. Bob@contoso.com sends the PL and his RAC with a request for a UL to Northwind Traders.
5. The Northwind Traders server uses the imported SLC to verify Bob's rights account certificate (RAC) and returns the UL.
Overview of Trusted Publishing Domain Interaction

Diagram: Northwind Traders and Contoso
1. Northwind Traders exports its private key and SLC.
2. Contoso imports the private key and SLC.
3. Alice@nwtraders.msft sends RM-protected content to Bob@contoso.com.
4. Bob@contoso.com sends the PL and his RAC with a request for a UL to Contoso, his own cluster.
5. Contoso uses the imported private key to decrypt the PL and issues the UL.
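The script below is a toy model of the envelopes from "How Files Are Protected by Using AD RMS" and of why the trusted publishing domain flow in the diagram above needs the publishing cluster's private key while a trusted user domain import (public SLC only) does not. It is an added example, not AD RMS code and not the real XrML license format: RSA key pairs stand in for the SLC and the RAC, the "license" is a short string, and the names Northwind Traders, Contoso and Bob are taken from the slide. It runs in Windows PowerShell on any Windows host.

```powershell
# Added example: PL/UL envelope model (simplified; not the XrML format AD RMS uses).
Add-Type -AssemblyName System.Core   # Aes.Create() lives here on older frameworks

function New-RsaKeyPair {
    # Stands in for the key pair behind a Server Licensor Certificate (SLC) or a RAC.
    New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
}

function Get-PublicKey($KeyPair) {
    # What an exported SLC (TUD import) or a RAC carries: the public half only.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($KeyPair.ExportParameters($false))
    return $pub
}

function Protect-Content([string]$Text, [string[]]$AuthorizedUsers, $PublishingServerPublicKey) {
    # Content is encrypted with a fresh 128-bit AES content key.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128
    $aes.GenerateKey(); $aes.GenerateIV()
    $plain  = [Text.Encoding]::UTF8.GetBytes($Text)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # Publishing license: rights info (e-mail addresses) plus the content key, encrypted to
    # the publishing server's public key. Kept short so it fits one RSA-OAEP block.
    $plClear = [Text.Encoding]::UTF8.GetBytes(($AuthorizedUsers -join ';') + '|' + [Convert]::ToBase64String($aes.Key))
    return New-Object PSObject -Property @{
        Ciphertext        = $cipher
        IV                = $aes.IV
        PublishingLicense = $PublishingServerPublicKey.Encrypt($plClear, $true)
    }
}

function Grant-UseLicense($LicensingServerKey, [byte[]]$PublishingLicense, [string]$Requester, $RequesterRacPublicKey) {
    # Only a cluster holding the private key the PL was encrypted to can open it.
    try   { $plClear = $LicensingServerKey.Decrypt($PublishingLicense, $true) }
    catch { throw "This cluster cannot decrypt the publishing license (no matching private key)" }
    $rights, $keyB64 = [Text.Encoding]::UTF8.GetString($plClear).Split('|')
    if ($rights.Split(';') -notcontains $Requester) { throw "$Requester is not named in the publishing license" }
    # Use license: the content key re-encrypted to the requester's RAC public key.
    return $RequesterRacPublicKey.Encrypt([Convert]::FromBase64String($keyB64), $true)
}

function Unprotect-Content($Protected, [byte[]]$UseLicense, $RacKeyPair) {
    # The lockbox decrypts the UL with the RAC private key, recovering the content key.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $RacKeyPair.Decrypt($UseLicense, $true)
    $aes.IV  = $Protected.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Protected.Ciphertext, 0, $Protected.Ciphertext.Length)
    return [Text.Encoding]::UTF8.GetString($plain)
}

# Walk-through of the diagram with constructed data.
$nwtraders = New-RsaKeyPair    # Northwind Traders root cluster (Alice's publishing server)
$contoso   = New-RsaKeyPair    # Contoso root cluster (Bob's licensing server)
$bob       = New-RsaKeyPair    # key pair behind Bob's RAC, issued by Contoso

# Step 3: Alice protects the content; the PL is encrypted to Northwind's SLC public key.
$doc = Protect-Content 'Q3 pricing proposal (constructed sample)' @('alice@nwtraders.msft', 'bob@contoso.com') (Get-PublicKey $nwtraders)

# Step 4 without a TPD: Contoso holds only its own key (a TUD import would add just Northwind's
# public SLC), so it cannot decrypt the PL and cannot issue a UL for Northwind-published content.
try   { Grant-UseLicense $contoso $doc.PublishingLicense 'bob@contoso.com' (Get-PublicKey $bob) | Out-Null }
catch { Write-Host "Before TPD import: $($_.Exception.Message)" }

# Steps 1, 2 and 5: after importing Northwind's private key and SLC, Contoso decrypts the PL
# and issues the UL; Bob's lockbox then opens the content.
$ul = Grant-UseLicense $nwtraders $doc.PublishingLicense 'bob@contoso.com' (Get-PublicKey $bob)
Write-Host "After TPD import: $(Unprotect-Content $doc $ul $bob)"
```

The asymmetry is the security point of the two trust types: a trusted user domain only lets a cluster verify RACs issued by the other forest, whereas a trusted publishing domain hands the importing cluster the ability to decrypt every publishing license the exporting cluster ever issued, so the exported key file must be protected accordingly and the trust should be removed when it is no longer needed.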
Demonstration: How To Configure Trust Policies
• To export a trusted user domain certificate

• To import a trusted user domain certificate

• To configure trusted publishing domains


Deploying AD RMS with AD FS

1. Assign an SSL certificate to the Web site that hosts the AD RMS cluster.
2. Install and configure AD RMS.
3. Grant the AD RMS service account permissions to generate security audits.
4. On the AD FS resource partner, create a claims-aware application for the AD RMS certification and licensing pipelines.
5. Configure the AD RMS extranet cluster URL.
6. Install the AD RMS Identity Federation Support role service.

Diagram: Manufacturer (AD FS resource partner, hosting AD RMS) and Supplier (AD FS account partner).
Lab 6: Configuring AD RMS
• Exercise 1: Installing the AD RMS Server Role
• Exercise 2: Managing AD RMS Rights Policy Templates
• Exercise 3: Configuring Trust Policies
• Exercise 4: Testing AD RMS Functionality

Logon information
Virtual machines: 6426A-NYC-DC1, 6426A-NYC-SVR1, 6426A-NYC-CL1
User name: Administrator
Domain: woodgrovebank
Password: Pa$$w0rd

Estimated time: 60 minutes
