Abstract
This step-by-step guide provides instructions for setting up a test environment to deploy and
evaluate Active Directory Rights Management Services (AD RMS) in Windows Server® 2008. It
includes the necessary information for preparing the AD RMS infrastructure, installing and
configuring AD RMS, and verifying AD RMS features after configuration is complete.
Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties,
either express or implied, in this document. Information in this document, including URL and other
Internet Web site references, is subject to change without notice. The entire risk of the use or the
results from the use of this document remains with the user. Unless otherwise noted, the example
companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should be
inferred. Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Windows Vista, and Active
Directory are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Note
This guide is considered the basic AD RMS step-by-step guide. All other step-by-step
guides developed for AD RMS will assume that this guide has been completed first.
additional deployment documentation and should be used with discretion as a stand-alone
document.
Upon completion of this step-by-step guide, you will have a working AD RMS infrastructure. You
can then test and verify AD RMS functionality as follows:
• Restrict permissions on a Microsoft Office Word 2007 document.
• Have an authorized user open and work with the document.
• Have an unauthorized user attempt to open and work with the document.
The test environment described in this guide includes four computers connected to a private
network and using the following operating systems, applications, and services:
ADRMS-DB: Windows Server 2003 with SP2; Microsoft SQL Server® 2005 Standard Edition with Service Pack 2 (SP2)
Note
Service Pack 2 for Windows Server 2003 is not required but will be used for the purposes of this guide.
Note
Service Pack 2 for SQL Server 2005 Standard Edition is not required but will be used for the purposes of this guide.
Note
For more information about the system requirements for installing AD RMS, see
http://go.microsoft.com/fwlink/?LinkId=84733.
The computers form a private intranet and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment if desired. This step-by-
step exercise uses private addresses throughout the test lab configuration. The private network
ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the
domain named cpandl.com. The following figure shows the configuration of the test environment:
Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).
Computer name Operating system requirement IP settings DNS settings
for a computer name, type CPANDL-DC.
Next, configure TCP/IP properties so that CPANDL-DC has a static IP address of 10.0.0.1. In
addition, configure 10.0.0.1 as the IP address for the DNS server.
Note
You must restart the computer after you complete this procedure.
Next, you must raise the domain functional level to Windows Server 2003 so that Active Directory
Universal groups can be used.
To raise the domain functional level to Windows Server 2003
1. Log on to CPANDL-DC with the CPANDL\Administrator account.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. Right-click cpandl.com, and then click Raise domain functional level.
4. In the list under Select an available domain functional level, click Windows
Server 2003, and then click Raise.
5. Click OK to confirm the selection.
Note
You cannot change the domain functional level once you have raised it.
6. Close the Active Directory Users and Computers console.
Next, configure TCP/IP properties so that CPANDL-DC has an IPv4 static IP address of 10.0.0.1
and an IPv6 static IP address of FEC0:0:0:1::.
6. Click OK to close the Local Area Connection Properties dialog box.
Next, configure the computer as a domain controller using Windows Server 2008.
Note
You must restart the computer after you complete this procedure.
Table: user accounts to create in Active Directory (columns: Account Name, User Logon Name, E-mail address, Group). Only the entries ADRMSSRVC (the AD RMS service account) and Marketing survived extraction.
Once the user accounts have been created, Active Directory Universal groups should be created
and these users added to them. The following table lists the Universal groups that should be
added to Active Directory. Use the procedure following the table to create the Universal groups.
• Finance: finance@cpandl.com
• Marketing: marketing@cpandl.com
• Engineering: engineering@cpandl.com
• Employees: employees@cpandl.com
To add new group objects to Active Directory
1. In the Active Directory Users and Computers console, right-click Users, point
to New, and then click Group.
2. In the New Object – Group dialog box, type Finance in Group name, select the
Universal option for the Group Scope, and then click OK.
3. Perform the above steps 1-2 for each of the remaining groups: Marketing,
Engineering, and Employees.
Finally, add the user accounts to their appropriate groups. In this guide, we will add Nicole
Holliday, Limor Henig, and Stuart Railson to the Employees group. Then, we will add Nicole
Holliday to the Finance group, Limor Henig to the Marketing group, and finally add Stuart Railson
to the Engineering group. To add the user accounts to their respective groups, you should follow
these steps:
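The group creation and membership steps above can also be scripted. The following PowerShell is an added example and is not part of the Microsoft guide; it assumes the ActiveDirectory module (available with RSAT or on a Windows Server 2008 R2 or later management host, not on the Windows Server 2008 domain controller itself) and the default Users container of cpandl.com. Users are looked up by display name so that no logon names beyond those on the page are assumed.

```powershell
# Added example, not from the guide. Creates the four Universal security groups
# from the table above, sets their mail attribute, populates them as the text
# describes, and prints the result for verification. Assumptions: ActiveDirectory
# module present, groups live in CN=Users, script run with Domain Admins rights.
Import-Module ActiveDirectory

$usersContainer = 'CN=Users,DC=cpandl,DC=com'

# Group name -> mail attribute, taken from the guide's table.
$groups = @{
    'Finance'     = 'finance@cpandl.com'
    'Marketing'   = 'marketing@cpandl.com'
    'Engineering' = 'engineering@cpandl.com'
    'Employees'   = 'employees@cpandl.com'
}

foreach ($name in $groups.Keys) {
    # Idempotent: skip a group that already exists so the script can be re-run.
    $existing = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $usersContainer
    if (-not $existing) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Universal `
            -GroupCategory Security -Path $usersContainer `
            -OtherAttributes @{ mail = $groups[$name] }
    }
}

# Display name -> groups, taken from the guide's text.
$membership = @{
    'Nicole Holliday' = @('Employees', 'Finance')
    'Limor Henig'     = @('Employees', 'Marketing')
    'Stuart Railson'  = @('Employees', 'Engineering')
}

foreach ($displayName in $membership.Keys) {
    $user = Get-ADUser -Filter "Name -eq '$displayName'"
    if ($null -eq $user) { throw "User '$displayName' not found; create the user accounts first." }
    foreach ($groupName in $membership[$displayName]) {
        Add-ADGroupMember -Identity $groupName -Members $user
    }
}

# Verification: one line per group showing scope, mail and members, so the
# result can be checked against the guide before AD RMS is installed.
foreach ($name in $groups.Keys) {
    $group   = Get-ADGroup -Identity $name -Properties mail
    $members = (Get-ADGroupMember -Identity $name | Select-Object -ExpandProperty SamAccountName) -join ', '
    '{0,-12} scope={1,-9} mail={2,-26} members: {3}' -f $name, $group.GroupScope, $group.mail, $members
}
```

The scope is set explicitly to Universal because AD RMS resolves rights by group e-mail address across the forest, which is why the guide raises the domain functional level first; a Global or Domain Local group created by mistake is the usual reason a later permission test fails.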
any edition of Windows Server 2003 except the Web Edition to establish the domain.)
2. Follow the instructions that appear on your computer screen, and when prompted
for a computer name, type ADRMS-DB.
In this step, configure TCP/IP properties so that ADRMS-DB has a static IP address of 10.0.0.3.
Next, join the AD RMS database server (ADRMS-DB) computer to the CPANDL domain:
automatically.
3. Click the I accept the licensing terms and conditions check box, and then
click Next.
4. On the Installing Prerequisites page, click Install.
5. Click Next.
6. On the Welcome to the Microsoft SQL Server Installation Wizard page, click
Next, and then click Next again.
7. In the Name box, type your name. In the Company box, type the name of your
organization, and then type in the appropriate product key. Click Next.
8. Select the SQL Server Database Services, and Workstation components,
Books Online, and development tools check boxes, and then click Next.
9. Select the Default instance option, and then click Next.
10. Click the Use the built-in System account option, and then click Next.
11. Click the Windows Authentication Mode option, and then click Next.
12. Click Next, accepting the default Collation Settings, and then click Next again.
13. Click Install. When the status of all the selected components is finished, click
Next.
14. Click Finish.
Next, add ADRMSADMIN to the local Administrators group on ADRMS-DB. The account that
installs AD RMS needs this membership in order to create the AD RMS databases. After
AD RMS is installed, ADRMSADMIN can be removed from this group.
Finally, create a shared folder on ADRMS-DB so that other users can find documents saved to
the network.
5. On the Sharing tab, click the Share this folder option, and ensure that Public is
in the Share name box.
6. Click Permissions.
7. In the Group or user name box, click Everyone.
8. Select the Full Control check box in the Allow column of the Permissions for
Everyone box.
9. Click OK.
10. Click the Security tab, and then click Users (ADRMS-DB\Users) in the Group
or user name box.
11. In the Permissions for Users box, select the Full Control check box in the
Allow column.
12. Click OK.
Next, configure TCP/IP properties so that ADRMS-SRV has a static IP address of 10.0.0.2. In
addition, configure the DNS server by using the IP address of CPANDL-DC (10.0.0.1).
Subnet mask, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In Preferred DNS
server, type 10.0.0.1.
6. Click OK, and then click Close to close the Local Area Connection Properties
dialog box.
After the computer has restarted, add ADRMSADMIN to the local Administrators group on
ADRMS-SRV.
Next, configure TCP/IP properties so that ADRMS-CLNT has a static IP address of 10.0.0.4. In
addition, configure the DNS server by using the IP address of CPANDL-DC (10.0.0.1).
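The static addressing applied to ADRMS-SRV and ADRMS-CLNT (and, with a different address, ADRMS-DB) follows the same pattern, so it is shown once here as an added example that is not part of the guide. It uses netsh for the Windows Server 2008 and Windows Vista hosts; the interface name "Local Area Connection" is the default on those systems and is an assumption. ADRMS-DB runs Windows Server 2003, where the equivalent context is netsh interface ip rather than netsh interface ipv4.

```powershell
# Added example, not from the guide. Sets a static IPv4 address and points DNS at
# CPANDL-DC, then verifies that the DC answers and that cpandl.com resolves.
# Must run from an elevated prompt. Interface name is assumed.
function Set-LabStaticIp {
    param(
        [Parameter(Mandatory = $true)][string]$IPAddress,
        [string]$SubnetMask = '255.255.255.0',
        [string]$DnsServer  = '10.0.0.1',               # CPANDL-DC
        [string]$Interface  = 'Local Area Connection'   # assumed adapter name
    )
    # Static address replaces any DHCP lease on the adapter.
    netsh interface ipv4 set address name="$Interface" source=static address=$IPAddress mask=$SubnetMask
    if ($LASTEXITCODE -ne 0) { throw "netsh could not set the address on '$Interface'" }
    # Static DNS server; the domain join and the AD RMS SCP lookup both depend on this.
    netsh interface ipv4 set dnsserver name="$Interface" source=static address=$DnsServer
    if ($LASTEXITCODE -ne 0) { throw "netsh could not set the DNS server on '$Interface'" }
}

function Test-LabNetwork {
    param([string]$DnsServer = '10.0.0.1', [string]$DomainName = 'cpandl.com')
    $ok = $true
    if (-not (Test-Connection -ComputerName $DnsServer -Count 2 -Quiet)) {
        Write-Warning "No reply from $DnsServer (CPANDL-DC); check cabling and the DC's address"
        $ok = $false
    }
    # nslookup returns exit code 0 even when the name is not found, so the
    # output is inspected instead of the exit code.
    $lookup = nslookup $DomainName $DnsServer 2>&1 | Out-String
    if ($lookup -notmatch "Name:\s+$([regex]::Escape($DomainName))") {
        Write-Warning "$DomainName did not resolve through $DnsServer; the domain join will fail"
        $ok = $false
    }
    return $ok
}

# ADRMS-SRV per the guide; use 10.0.0.4 on ADRMS-CLNT and 10.0.0.3 on ADRMS-DB.
Set-LabStaticIp -IPAddress '10.0.0.2'
if (Test-LabNetwork) { 'Static addressing and DNS verified against CPANDL-DC.' }
```

Running Test-LabNetwork before attempting the domain join saves the most common lab failure: a machine whose preferred DNS server still points at a DHCP-supplied resolver that knows nothing about cpandl.com.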
for administrative credentials, provide the credentials, and then click OK.
9. When a Computer Name/Domain Changes dialog box appears welcoming you
to the cpandl.com domain, click OK.
10. When a Computer Name/Domain Changes dialog box appears telling you that
the computer must be restarted, click OK, and then click Close.
11. In the System Settings Change dialog box, click Yes to restart the computer.
Important
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007
allow you to create rights-protected content. All editions will allow you to consume rights-
protected content.
Important
Access to the Enterprise Admins group should be granted only while AD RMS is being
installed. After installation is complete, the cpandl\ADRMSADMIN account should be
removed from this group.
account in the Domain Admins group.
2. Click Start, point to Administrative Tools, and then click Active Directory
Users and Computers.
3. In the console tree, expand cpandl.com, double-click Users, and then double-
click Enterprise Admins.
4. Click the Members tab, and then click Add.
5. Type adrmsadmin@cpandl.com, and then click OK.
Web Site.
19. Click the Use an SSL-encrypted connection (https://) option.
20. In the Fully-Qualified Domain Name box, type adrms-srv.cpandl.com, and
then click Validate. If validation succeeds, the Next button becomes available. Click
Next.
21. Click the Choose an existing certificate for SSL encryption option, click the
certificate that has been imported for this AD RMS cluster, and then click Next.
22. Type a name that will help you identify the AD RMS cluster in the Friendly name
box, and then click Next.
23. Ensure that the Register the AD RMS service connection point now option is
selected, and then click Next to register the AD RMS service connection point (SCP)
in Active Directory during installation.
24. Read the Introduction to Web Server (IIS) page, and then click Next.
25. Keep the Web server default check box selections, and then click Next.
26. Click Install to provision AD RMS on the computer. It can take up to 60 minutes
to complete the installation.
27. Click Close.
28. Log off the server, and then log on again to update the security token of the
logged-on user account. The user account that is logged on when the AD RMS
server role is installed is automatically made a member of the AD RMS Enterprise
Administrators local group. A user must be a member of that group to administer
AD RMS.
Note
At this point in the guide, you can remove cpandl\ADRMSADMIN from the local
Administrators group on ADRMS-DB.
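The guide grants cpandl\ADRMSADMIN temporary membership in Enterprise Admins and in the local Administrators groups on ADRMS-DB and ADRMS-SRV, and says to remove it once installation is done. The following PowerShell is an added example, not part of the guide, that performs that clean-up and then reports any membership that remains. It uses the WinNT and LDAP ADSI providers so it runs without extra modules; the local-group part must run on the server in question, the Enterprise Admins part from any domain-joined machine with Domain Admins rights. The account is located by sAMAccountName ADRMSADMIN, which is an assumption based on the guide's naming.

```powershell
# Added example, not from the guide. Post-installation least-privilege clean-up
# for the AD RMS installing account, with verification. Assumes the account's
# sAMAccountName is ADRMSADMIN and that the script runs domain-joined.
$installAccount = 'ADRMSADMIN'
$domainAccount  = "CPANDL\$installAccount"

function Get-LocalAdministratorNames {
    # Enumerate the local Administrators group through the WinNT provider.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Remove-InstallAccountFromLocalAdmins {
    # Run this on ADRMS-DB and on ADRMS-SRV.
    net localgroup Administrators $domainAccount /delete | Out-Null
    if (Get-LocalAdministratorNames | Where-Object { $_ -eq $installAccount }) {
        Write-Warning "$domainAccount is still a local Administrator on $env:COMPUTERNAME"
        return $false
    }
    "$domainAccount removed from local Administrators on $env:COMPUTERNAME"
    return $true
}

function Remove-InstallAccountFromEnterpriseAdmins {
    # Locate the account's distinguished name instead of assuming its container.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$installAccount)")
    $result   = $searcher.FindOne()
    if ($null -eq $result) { throw "Account $installAccount not found in the domain" }
    $userDn = $result.Properties['distinguishedname'][0]

    $enterpriseAdmins = [ADSI]'LDAP://CN=Enterprise Admins,CN=Users,DC=cpandl,DC=com'
    if (@($enterpriseAdmins.member) -contains $userDn) {
        $enterpriseAdmins.Remove("LDAP://$userDn")
    }
    # Re-read the membership from the directory to confirm the removal took effect.
    $enterpriseAdmins.psbase.RefreshCache()
    if (@($enterpriseAdmins.member) -contains $userDn) {
        Write-Warning "$userDn is still a member of Enterprise Admins"
        return $false
    }
    "$installAccount is no longer a member of Enterprise Admins"
    return $true
}

$localOk  = Remove-InstallAccountFromLocalAdmins
$forestOk = Remove-InstallAccountFromEnterpriseAdmins
if ($localOk -and $forestOk) { 'Installation account privileges removed.' }
```

Both functions return a Boolean so the check can be repeated later, for example on a schedule, to catch the installing account being re-added to either group after the lab is set up. The account stays in the AD RMS Enterprise Administrators local group on ADRMS-SRV, which the guide describes as the group needed to administer AD RMS; that membership is intended and is not touched here.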
Your AD RMS root cluster is now installed and configured.
Further management of AD RMS is done by using the Active Directory Rights Management
Services console.
From the console, you can configure trust policies, configure exclusion policies, and create rights
policy templates.
Step 3: Verifying AD RMS Functionality on
ADRMS-CLNT
The AD RMS client is included in the default installation of Windows Vista and Windows
Server 2008. Previous versions of the client are available for download for some earlier versions
of the Windows operating system. For more information, see the Windows Server 2003 Rights
Management Services page on the Microsoft Windows Server TechCenter
(http://go.microsoft.com/fwlink/?LinkId=68637).
Before you can consume rights-protected content, you must add the AD RMS cluster URL to the
Local Intranet security zone.
Add the AD RMS cluster URL to the Local Intranet security zone for all users who will be
consuming rights-protected content.
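The zone assignment above is stored per user in the Internet Explorer ZoneMap registry key. The following PowerShell is an added example, not part of the guide, that writes that mapping for the current user and reads it back; it uses the cluster name adrms-srv.cpandl.com from the guide and the https scheme because the cluster was provisioned with SSL. Zone value 1 is Local intranet.

```powershell
# Added example, not from the guide. Maps https://adrms-srv.cpandl.com into the
# Local Intranet zone for the current user and verifies the setting. Run once
# per consuming user (for example, Nicole Holliday, Stuart Railson, Limor Henig).
function Add-ClusterToIntranetZone {
    param(
        [string]$Domain   = 'cpandl.com',
        [string]$HostName = 'adrms-srv',
        [string]$Scheme   = 'https'
    )
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $key = Join-Path (Join-Path $zoneMap $Domain) $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Value name is the scheme, data is the zone: 1 = Local intranet,
    # 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
    Set-ItemProperty -Path $key -Name $Scheme -Value 1 -Type DWord
}

function Test-ClusterIntranetZone {
    param(
        [string]$Domain   = 'cpandl.com',
        [string]$HostName = 'adrms-srv',
        [string]$Scheme   = 'https'
    )
    $key  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$HostName"
    $item = Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Scheme -eq 1)
}

Add-ClusterToIntranetZone
if (Test-ClusterIntranetZone) {
    'https://adrms-srv.cpandl.com is in the Local Intranet zone for the current user.'
} else {
    Write-Warning 'Zone mapping missing; Office will prompt for credentials or fail to reach the cluster.'
}
```

To apply the same mapping to every user at once, the equivalent Group Policy setting is Site to Zone Assignment List under Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page, with the entry https://adrms-srv.cpandl.com and the value 1.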
To verify the functionality of the AD RMS deployment, you will log on as Nicole Holliday and then
restrict permissions on a Microsoft Word 2007 document so that members of the CP&L
Engineering group are able to read the document but unable to change, print, or copy it. You will
then log on as Stuart Railson, verifying that the permission to read the document has been
granted, and nothing else. Then, you will log on as Limor Henig. Since Limor is not a member of
the Engineering group, he should not be able to consume the rights-protected file.
6. In the Read box, type engineering@cpandl.com, and then click OK to close the
Permission dialog box.
7. Click the Microsoft Office Button, click Save As, and then save the file as
\\ADRMS-DB\Public\ADRMS-TST.docx.
8. Log off as Nicole Holliday.
Finally, log on as Limor Henig and verify that he is not able to consume the rights-protected file.
to open this document. You can request updated permission from
nhollida@cpandl.com. Do you want to request updated permission?"
6. Click No, and then close Microsoft Word.
You have successfully deployed and demonstrated the functionality of AD RMS, using the simple
scenario of applying restricted permissions to a Microsoft Word 2007 document. You can also use
this deployment to explore some of the additional capabilities of AD RMS through additional
configuration and testing.