AD RMS Database Relocation with a CNAME Record – Step-by-Step
Microsoft Corporation
Published: April 2010
Author: Bill Mathers
Acknowledgements
Special thanks to the following people for reviewing and providing invaluable feedback for this
document:
Jason Tyler, Microsoft Corporation
Jody Hendrix, Microsoft Corporation
Manthan Maru, Microsoft Corporation
Pat Hoffer, Microsoft Corporation
Abstract
This document will assist architects, consultants, system engineers, and system administrators in
moving the Active Directory Rights Management Services (AD RMS) databases from one server
to another. This guide only covers the step-by-step procedures for moving the databases when a
CNAME record was used prior to installing AD RMS. If a CNAME record was not used, please
see AD RMS Database Relocation without a CNAME Record – Step-by-Step
(http://go.microsoft.com/fwlink/?LinkID=188464).
Copyright
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place
or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
AD RMS Database Relocation with a CNAME Record Step-by-Step
    About this Guide
        What This Guide Does Not Provide
Requirements for this Document
The Scenario
    Scenario description
        The testing environment
        Required Groups
        Required accounts
        Required CNAME Records
The Importance of CNAME Records
    What are CNAME Records?
    Why are CNAME Records important to AD RMS?
    SQL Server and CNAME Records
Implementing the Procedures in this Document
    Step 1 - Create FabrikamUsers Organizational Unit
    Step 2 - Create Test Users
    Step 3 - Create Test Groups
    Step 4 - Add Users to Groups
    Step 5 - Create MachineGPO
    Step 6 - Create FabrikamDocuments Shared Folder
    Step 7 - Create an All Staff Rights Protected Word Document
    Step 8 - Consume AllStaffTest Document as Britta Simon
    Step 9 - Export the Trusted User Domain and Trusted Publishing Domain
    Step 10 - Stop IIS
    Step 11 - Verify MSMQ is Empty and Stop the AD RMS Logging Service
    Step 12 - Create database backups
    Step 13 - Restore the database to the new SQL Server
    Step 14 - Add DisableStrictNameChecking Registry Key
    Step 15 - Enable SQL Firewall Ports
    Step 16 - Enable SQL Server Network Protocols
    Step 17 - Add ADRMSService to SQL Logins
    Step 18 - Change the CNAME Record in DNS
    Step 19 - Restart IIS and AD RMS Logging Service
Testing the Implementation
    Step 1 - Create an All FTE Rights Protected Word Document
    Step 2 - Consume AllFTETest Document as Britta Simon
    Step 3 - Consume AllFTETest Document as Lola Jacobson
    Step 4 - Consume AllStaffTest Document as Lola Jacobson
Appendix A - How to Install AD RMS with a CNAME Record
    Installing AD RMS using a CNAME Record
        The environment
        CNAME Records
        Additional Information
    Step 1 - Create CNAME Records
    Step 2 - Install AD RMS
AD RMS Database Relocation with a CNAME Record Step-by-Step
About this Guide
This step-by-step guide walks you through the process of moving the AD RMS databases from
one SQL Server 2008 SP1 server to another SQL Server 2008 SP1 server. This is done in a test
environment so that you can become familiar with the process before attempting it in a production
environment. The first part of this guide deals with setting up a working AD RMS test
environment. It is this environment that will be used to verify that the databases have been
moved successfully. The final parts of this guide deal with the actual moving of the databases.
As you complete the steps in this guide, you will:
- Back up the AD RMS database.
- Restore the AD RMS database.
- Verify that the move was successful and that AD RMS is up and running again. This is done
  by testing the ability to create new rights-protected content once the databases have been
  moved, consume the newly created rights-protected content, and consume existing rights-
  protected content.
What This Guide Does Not Provide
This guide does not provide the following:
- Guidance for setting up and configuring Active Directory Domain Services in either a
  production or test environment. This guide assumes that Active Directory Domain Services is
  already configured in the test environment. For more information about configuring Active
  Directory Domain Services, see AD DS Installation and Removal Step-by-Step Guide
  (http://go.microsoft.com/fwlink/?LinkId=154567).
- Guidance for setting up and configuring Active Directory Certificate Services in either a
  production or test environment. This guide assumes that Active Directory Certificate Services
  is already configured and working in the test environment. You must ensure that you have a
  valid SSL certificate and that it is bound properly in IIS to the default website. For more
  information about configuring Active Directory Certificate Services, see Active Directory
  Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761).
- Guidance for setting up and configuring AD RMS in either a production or test environment.
  This guide assumes that AD RMS is already configured and working in the test environment.
  For more information about configuring AD RMS, see the AD RMS Step-by-Step Guide
  (http://go.microsoft.com/fwlink/?LinkID=154256).
- Guidance for setting up and configuring Exchange Server 2007 SP1 in either a production or
  test environment. This guide assumes that Exchange 2007 SP1 is already set up and
  configured in the test environment. For more information about configuring Exchange Server
  2007 SP1, see Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=154564).
Requirements for this Document
The following table summarizes the Microsoft software that was used in this guide.

Software                                                  | Additional Information
----------------------------------------------------------|------------------------------------------------------------------
Windows Server® 2008 Enterprise 64-bit edition            | Windows Server® 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Windows Server® 2008 R2 Enterprise 64-bit                 | Windows Server® 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=165669)
Windows® 7 Enterprise                                     | Windows® 7 Enterprise (http://go.microsoft.com/fwlink/?LinkId=160776)
Active Directory Domain Service                           | Active Directory (http://go.microsoft.com/fwlink/?LinkId=156712)
Active Directory Certificate Services                     | Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761)
Active Directory Rights Management Services (AD RMS)      | Active Directory Rights Management Services (AD RMS) (http://go.microsoft.com/fwlink/?LinkId=163969)
Microsoft SQL Server 2008 Service Pack 1 – 64-bit edition | Microsoft SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkId=156714)
Microsoft Exchange Server 2007 Service Pack 2 – 64-bit    | Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=156715)
Microsoft Office 2007 with Service Pack 2                 | Microsoft Office 2007 (http://go.microsoft.com/fwlink/?LinkId=156717)
Microsoft Hyper-V                                         | Microsoft Hyper-V (http://go.microsoft.com/fwlink/?LinkID=156719)
Internet Information Services (IIS) 7.0                   | IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=160778)
Rights Management Services Administration Toolkit with SP2 | Rights Management Services Administration Toolkit with SP2 (http://go.microsoft.com/fwlink/?LinkID=158667)
The Scenario
Scenario description
Fabrikam, a fictitious company, wants to move their current AD RMS databases from an existing
Microsoft SQL Server 2008 server to a brand new server. Prior to doing this in production,
Fabrikam would like to set up a test environment that will allow them to walk through the process
of moving the database. This will also allow them to verify that everything is working after the
database move.
The testing environment
The scenario outlined in this document has been developed and tested on one stand-alone
computer running the 64-bit edition of the Windows Server® 2008 R2 operating system and
Hyper-V. The host has two 3.0 gigahertz (GHz) dual core processors and 8 gigabytes (GB) of
RAM. Using Hyper-V, the following six virtual machines were created on the host.
Figure 1 – The testing environment
Table 1 - Virtual Machines and Roles

Computer Name | Forest       | Operating System             | Memory (MB) | Applications and Services                     | IP Address
--------------|--------------|------------------------------|-------------|-----------------------------------------------|----------------
DC            | fabrikam.com | Windows Server 2008 x64 SP2  | 512         | Active Directory, DNS, Certificate Authority  | 192.168.100.100
EX            | fabrikam.net | Windows Server 2008 x64 SP2  | 2048        | Exchange 2007, IIS 7.0                        | 192.168.100.101
ADRMS         | fabrikam.com | Windows Server 2008 x64 SP2  | 1024        | AD RMS, IIS 7.0                               | 192.168.100.102
SQL1          | fabrikam.com | Windows Server 2008 x64 SP2  | 1024        | Microsoft SQL Server 2008 SP2                 | 192.168.100.103
SQL2          | fabrikam.com | Windows Server® 2008 R2 x64  | 1024        | Microsoft SQL Server 2008 SP2                 | 192.168.100.104
CLT           | fabrikam.com | Windows 7 Enterprise x86     | 1024        | Microsoft Office 2007 Enterprise Edition SP2  | 192.168.100.105
Hyper-V is not a requirement to complete the steps outlined later. These steps can be
implemented on physical computers as long as they reflect the same roles as the preceding table.
Required Groups
The following table summarizes the universal groups used in this step-by-step guide.
Table 2 - Group Summary

Group Name      | Group Scope | Group Type
----------------|-------------|-----------
All Staff       | Universal   | Security
All FTE         | Universal   | Security
All Contractors | Universal   | Security
Required accounts
The following table summarizes the accounts used in this step-by-step guide.
Table 3 - Required Accounts

Account      | Display name  | Forest       | Group Membership | Password   | Description
-------------|---------------|--------------|------------------|------------|------------------------------------------------
bsimon       | Britta Simon  | fabrikam.com | All FTE          | Pass1word$ | User account.
ljacobson    | Lola Jacobson | fabrikam.com | All Contractors  | Pass1word$ | User account.
ADRMSService | ADRMS Service | fabrikam.com | NA               | Pass1word$ | The ADRMS Service account. This account was used during the installation of ADRMS. Installing ADRMS is a prerequisite to using this document.
Required CNAME Records
The following table summarizes the CNAME records used in this step-by-step guide. These
records were created before installing ADRMS in the test environment.
Table 4 - CNAME Records

Name    | Record Type | FQDN                 | Target             | Description
--------|-------------|----------------------|--------------------|--------------------------------------
RMS     | CNAME       | RMS.fabrikam.com     | adrms.fabrikam.com | Alias record for the ADRMS Server.
RMS-SQL | CNAME       | RMS-SQL.fabrikam.com | sql1.fabrikam.com  | Alias record for the ADRMS SQL Server.
The Importance of CNAME Records
What are CNAME Records?
CNAME stands for Canonical Name record. It is a type of resource record that is used in the
Domain Name System. In DNS, the CNAME record is used as an alias for another record within
DNS. For example, in our scenario here, we use a CNAME record named ADRMS-SQL to point
to the FQDN of our SQL Server, SQL1.fabrikam.com.
Figure 3 - CNAME Records in DNS
Why are CNAME Records important to AD RMS?
CNAME records are important for several reasons. First, when you create a piece of content, the
URL for the AD RMS server is embedded into its header. When a user attempts to consume
this content, it is this URL that is used to obtain a use license. If you originally installed AD RMS
using the FQDN of the physical AD RMS server as the URL and this were ever to change,
documents with the old URL would be inaccessible.
For example, if we have an AD-RMS server with an FQDN of AD-RMS.fabrikam.com and we use
a URL of https://AD-RMS.fabrikam.com, then all of our rights-protected content will have
https://AD-RMS.fabrikam.com embedded in its header. Now say we decide to change the
AD RMS server's name to AD-RMS2.fabrikam.com and our URL is now
https://AD-RMS2.fabrikam.com. When a user attempts to consume older rights-protected content,
the client will look for a use license at https://AD-RMS.fabrikam.com, not at our new URL of
https://AD-RMS2.fabrikam.com, and the user will not be able to consume this content. Now
suppose instead we had created a CNAME record called RMS and pointed it at
AD-RMS.fabrikam.com. This record will have the FQDN RMS.fabrikam.com. When we install
AD RMS, we specify https://RMS.fabrikam.com as the URL. If we later decide to change the
AD RMS server's name to AD-RMS2.fabrikam.com, we can simply edit the CNAME record to
point to AD-RMS2.fabrikam.com.
Figure 2 – Sample AD RMS encrypted header
Secondly, if you decide later on down the line that you want to add Network Load Balancing
because the AD RMS infrastructure has grown, it is much simpler to do this with a CNAME
record.
SQL Server and CNAME Records
In order to use a CNAME record with a SQL Server, the DisableStrictNameChecking registry key
must be added and its value set to 1. This allows the SQL Server to be addressed by a name
other than its proper name when a connection attempt is being made. Step 14 – Add
DisableStrictNameChecking Registry Key of this guide describes how to do this in detail. This
setting is disabled by default.
Figure 4 – DisableStrictNameChecking Registry Key
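As an added check (not part of the original guide), the following PowerShell script verifies the two CNAME aliases from Table 4 and the SQL Server settings this section and Steps 14 to 16 depend on. It assumes the Table 4 alias and target names, SQL listening on the default TCP port 1433, and the standard LanmanServer\Parameters registry location for DisableStrictNameChecking; the registry check is only meaningful when run on the SQL Server itself.

```powershell
# Added example, not part of the original guide.
# Pre-flight checks for the CNAME aliases (Table 4) and the SQL Server
# settings that the relocation depends on. Assumptions: the Table 4
# alias/target names, SQL listening on TCP 1433, and the standard
# LanmanServer\Parameters location for DisableStrictNameChecking.
# Uses nslookup because Windows Server 2008 has no Resolve-DnsName cmdlet.

$aliases = @(
    @{ Alias = 'rms.fabrikam.com';     Expected = 'adrms.fabrikam.com' },
    @{ Alias = 'rms-sql.fabrikam.com'; Expected = 'sql1.fabrikam.com'  }
)

function Get-CnameTarget {
    param([string]$Name)
    # nslookup prints a line such as
    #   "rms.fabrikam.com    canonical name = adrms.fabrikam.com"
    $line = (nslookup -type=CNAME $Name 2>$null) |
        Where-Object { $_ -match 'canonical name' } |
        Select-Object -First 1
    if ($line -and ($line -match 'canonical name\s*=\s*(\S+?)\.?\s*$')) {
        return $Matches[1]
    }
    return $null
}

foreach ($a in $aliases) {
    $target = Get-CnameTarget -Name $a.Alias
    if ($target -and ($target -ieq $a.Expected)) {
        Write-Host ("OK    {0} -> {1}" -f $a.Alias, $target)
    } else {
        # After Step 18 the RMS-SQL alias is expected to resolve to the new
        # server instead; update Expected before re-running this check.
        Write-Warning ("{0} resolves to '{1}', expected '{2}'" -f $a.Alias, $target, $a.Expected)
    }
}

# DisableStrictNameChecking must be 1 on the SQL Server for connections that
# use the alias name to be accepted (Step 14).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$value = (Get-ItemProperty -Path $regPath -Name DisableStrictNameChecking `
    -ErrorAction SilentlyContinue).DisableStrictNameChecking
if ($value -eq 1) {
    Write-Host 'OK    DisableStrictNameChecking = 1'
} else {
    Write-Warning 'DisableStrictNameChecking is missing or 0 on this host (see Step 14; only meaningful on the SQL Server)'
}

# Can this host reach SQL through the alias? Steps 15 and 16 open this path.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect('rms-sql.fabrikam.com', 1433)
    Write-Host 'OK    TCP 1433 reachable via rms-sql.fabrikam.com'
} catch {
    Write-Warning "TCP 1433 not reachable via rms-sql.fabrikam.com: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

Run it once before Step 10 to record the starting state, and again after Step 19 with the RMS-SQL target changed to sql2.fabrikam.com.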
Implementing the Procedures in this Document
The following steps will guide you through setting up the initial environment.
This section is comprised of the following steps:
1. Step 1 – Create FabrikamUsers Organizational Unit
2. Step 2 – Create Test Users
3. Step 3 – Create Test Groups
4. Step 4 – Add Users to Groups
5. Step 5 – Create MachineGPO
6. Step 6 – Create FabrikamDocuments Shared Folder
7. Step 7 – Create an All Staff Rights Protected Word Document
8. Step 8 – Consume AllStaffTest Document as Britta Simon
9. Step 9 – Export the Trusted User Domain and Trusted Publishing Domain
10. Step 10 – Stop IIS
11. Step 11 – Verify MSMQ is Empty and Stop the AD RMS Logging Service
12. Step 12 – Create database backups
13. Step 13 – Restore the database to the new SQL Server
14. Step 14 – Add DisableStrictNameChecking Registry Key
15. Step 15 – Enable SQL Firewall Ports
16. Step 16 – Enable SQL Server Network Protocols
17. Step 17 – Add ADRMSService to SQL Logins
18. Step 18 – Change the CNAME Record in DNS
19. Step 19 – Restart IIS and the AD RMS Logging Service
Step 1 - Create FabrikamUsers Organizational Unit
This step explains how to create an organizational unit in fabrikam.com. This organizational unit
will store all of the test users.
To create the organizational unit
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers. This will open the Active Directory Users and Computers mmc.
3. In the Active Directory Users and Computers mmc, from the tree-view on the left,
right-click fabrikam.com, select New, and then Organizational Unit.
4. In the Name textbox, type FabrikamUsers. Click OK.
5. Close Active Directory Users and Computers.
Figure 5 – FabrikamUsers Organizational Unit
Step 2 - Create Test Users
This step explains how to create and mailbox-enable the test users in fabrikam.com. These
accounts will be used to verify that users are able to create and consume content once the
databases have been moved.
Table 5 - Required Accounts

First Name | Last Name | User logon name | Display name  | Forest       | Password
-----------|-----------|-----------------|---------------|--------------|-----------
Britta     | Simon     | bsimon          | Britta Simon  | fabrikam.com | Pass1word$
Lola       | Jacobson  | ljacobson       | Lola Jacobson | fabrikam.com | Pass1word$

To create the test User Accounts
1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers.
3. Expand fabrikam.com, right-click FabrikamUsers, select New and then select User.
This will bring up the New Object – User window.
4. On the New Object – User screen, in the First Name box, enter Britta.
5. On the New Object – User screen, in the Last Name box, enter Simon.
6. On the New Object – User screen, in the User logon name: box, enter bsimon and
click Next.
7. On the New Object – User screen, in the Password box, enter Pass1word!.
8. On the New Object – User screen, in the Confirm Password box, enter Pass1word!.
9. On the New Object – User screen, remove the check from User must change
password at next logon.
10. On the New Object – User screen, add a check to Password never expires and click
Next.
11. Click Finish.
12. Repeat these steps for all of the accounts listed in the Account Summary table.
Figure 6 – Fabrikam Users
To Mailbox-Enable the User Accounts
1. Log on to the EX.fabrikam.com Server as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click
Exchange Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click
Mailbox.
4. On the right, in the Actions pane, click New Mailbox… to start the New Mailbox wizard.
5. On the Introduction screen, select User Mailbox and click Next.
6. On the User Type screen, select Existing users and click Add. This will bring up the
Select User – fabrikam.com screen.
7. From the list, using the Ctrl key, select Britta Simon and Lola Jacobson, then click OK.
8. Click Next.
9. On the Group Information screen, click Next.
10. On the Mailbox Settings screen, under Mailbox database, click Browse. This will bring
up the Select Mailbox Database screen.
11. Select the Mailbox Database and click OK. Click Next.
12. On the New Mailbox screen, click Next.
13. On the Completion screen, verify that it was successful and click Finish.
14. Close Exchange Management Console.
Figure 7 – New mailbox wizard
Step 3 - Create Test Groups
This step explains how to create and mail-enable the test groups in fabrikam.com. It also
explains how to make certain groups members of other groups. These groups will be used to
determine who has usage rights to the protected content created later in this guide.
Table 6 - Group Summary

Group Name      | Group Scope | Group Type
----------------|-------------|-----------
All Staff       | Universal   | Security
All FTE         | Universal   | Security
All Contractors | Universal   | Security

To create the test Groups
1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers.
3. Expand fabrikam.com, right-click FabrikamUsers, select New and then select Group.
This will bring up the New Object – Group window.
4. On the New Object – Group screen, in the Group Name box, enter All Staff.
5. On the New Object – Group screen, under Group scope, select Universal.
6. On the New Object – Group screen, under Group type, select Security.
7. Click Ok.
8. Repeat these steps for all of the groups listed in the Group Summary table.
Figure 8 – Fabrikam Groups
To Mail-Enable the Security Groups
1. Log on to the EX.fabrikam.com Server as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click
Exchange Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click
Distribution Group.
4. On the right, in the Actions pane, click New Distribution Group… to start the New
Distribution Group wizard.
5. On the Introduction screen, select Existing group and click Browse. This will bring up
the Select Group – fabrikam.com screen.
6. From the list, select All Staff and click OK.
7. Click Next.
8. On the Group Information screen, click Next.
9. On the New Distribution Group screen, click New.
10. On the Completion screen, verify that it was successful and click Finish.
11. Close Exchange Management Console.
12. Repeat these steps for all of the groups listed in the Group Summary table.
Figure 9 – New Distribution Group Wizard
Figure 10 – Fabrikam Distribution Groups
To add the All FTE and All Contractors groups to the All Staff group
1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click All Staff, and select
Properties. This will bring up the All Staff Properties window.
4. On the Members tab, click Add. This will bring up the Select Groups dialog box.
5. On the Select Groups dialog box, in the Enter the object names to select (examples)
box, enter All FTE and click Check Names. This should resolve with an underline.
6. Click Ok. This will close the Select Groups dialog box.
7. On the Members tab, click Add. This will bring up the Select Groups dialog box.
8. On the Select Groups dialog box, in the Enter the object names to select (examples)
box, enter All Contractors and click Check Names. This should resolve with an
underline.
9. Click Ok. This will close the Select Groups dialog box.
10. On the All Staff Properties window, click Apply.
11. Click Ok. This will close the All Staff Properties dialog box.
12. Close Active Directory Users and Computers.
Figure 11 – All Staff Properties
Step 4 - Add Users to Groups
This step explains how to add the previously created users to the previously created security
groups. The group membership will be used to determine whether or not a user will be able to
access a piece of rights-protected e-mail.
Table 7 - Account Summary

First Name | Last Name | User logon name | Member of
-----------|-----------|-----------------|----------------
Britta     | Simon     | bsimon          | All FTE
Lola       | Jacobson  | ljacobson       | All Contractors

To add test user accounts to test groups
1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and
Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click Britta Simon, and select
Properties. This will bring up the Britta Simon Properties window.
4. On the Member of tab, click Add. This will bring up the Select Groups dialog box.
5. On the Select Groups dialog box, in the Enter the object names to select (examples)
box, enter All FTE and click Check Names. This should resolve with an underline.
6. Click Ok. This will close the Select Groups dialog box.
7. On the Britta Simon Properties window, click Apply.
8. Click Ok. This will close the Britta Simon Properties dialog box.
9. Repeat these steps for all of the accounts listed in the Account Summary table,
substituting the appropriate Member of value.
10. Close Active Directory Users and Computers.
Figure 12 – Britta Simon’s Group Membership
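Steps 1 through 4 can also be scripted, which makes the test environment reproducible and lets you verify the effective group membership that the AllStaffTest document in Step 7 relies on. The following PowerShell is an added example, not part of the original guide; it assumes the Active Directory module is available (Windows Server 2008 R2 RSAT, or a Windows Server 2008 SP2 domain controller running the Active Directory Management Gateway Service), uses the names and password from Tables 3, 5 and 7, and assumes a mailbox database named "Mailbox Database" for the Exchange commands in the trailing comments.

```powershell
# Added example, not part of the original guide: Steps 1 to 4 as a script.
# Assumptions: the ActiveDirectory PowerShell module is available (Windows
# Server 2008 R2 RSAT, or a 2008 SP2 DC with the AD Management Gateway
# Service); names and password come from Tables 3, 5 and 7.
Import-Module ActiveDirectory

$domainDN = 'DC=fabrikam,DC=com'
$ouName   = 'FabrikamUsers'
$ouDN     = "OU=$ouName,$domainDN"
# Single quotes keep the $ literal; this is the Table 3 password.
$password = ConvertTo-SecureString 'Pass1word$' -AsPlainText -Force

$users = @(
    @{ First = 'Britta'; Last = 'Simon';    Sam = 'bsimon';    MemberOf = 'All FTE' },
    @{ First = 'Lola';   Last = 'Jacobson'; Sam = 'ljacobson'; MemberOf = 'All Contractors' }
)
$groups = 'All Staff', 'All FTE', 'All Contractors'

# Step 1: the FabrikamUsers organizational unit (skipped if it already exists).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# Step 2: the test users, with the same password options the wizard sets
# (no change at next logon, password never expires).
foreach ($u in $users) {
    $display = "$($u.First) $($u.Last)"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'")) {
        New-ADUser -Name $display -DisplayName $display `
            -GivenName $u.First -Surname $u.Last `
            -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@fabrikam.com" `
            -Path $ouDN -AccountPassword $password -Enabled $true `
            -ChangePasswordAtLogon $false -PasswordNeverExpires $true
    }
}

# Step 3: three universal security groups, then nest All FTE and
# All Contractors inside All Staff.
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Universal -GroupCategory Security -Path $ouDN
    }
}
Add-ADGroupMember -Identity 'All Staff' -Members 'All FTE', 'All Contractors'

# Step 4: direct memberships from Table 7.
foreach ($u in $users) {
    Add-ADGroupMember -Identity $u.MemberOf -Members $u.Sam
}

# Verify: both users must be effective members of All Staff, because the
# AllStaffTest document created in Step 7 grants Read only to that group.
$allStaff = Get-ADGroupMember -Identity 'All Staff' -Recursive |
    Select-Object -ExpandProperty SamAccountName
foreach ($u in $users) {
    if ($allStaff -contains $u.Sam) {
        Write-Host "OK    $($u.Sam) is an effective member of All Staff"
    } else {
        Write-Warning "$($u.Sam) is NOT an effective member of All Staff"
    }
}

# Mailbox- and mail-enabling (the Exchange parts of Steps 2 and 3) run on
# EX.fabrikam.com in the Exchange Management Shell, not in this session.
# 'Mailbox Database' is the Exchange 2007 default name and is an assumption.
#   Enable-Mailbox -Identity 'fabrikam\bsimon'    -Database 'Mailbox Database'
#   Enable-Mailbox -Identity 'fabrikam\ljacobson' -Database 'Mailbox Database'
#   'All Staff','All FTE','All Contractors' | ForEach-Object { Enable-DistributionGroup -Identity $_ }
```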
Step 5 - Create MachineGPO
This step explains how to create a Group Policy Object that will be applied to all of our machines
in the test environment. The purpose of this GPO is to add the AD RMS URL to the local intranet
sites in Internet Explorer. This allows for a more seamless experience for the users as they will
not be prompted for credentials when attempting to create or consume protected content.
Figure 13 – Group Policy Management
To create the LocalIntranetMachineGPO
1. Log on to DC.fabrikam.com as Administrator.
2. Open the Group Policy Management console. Click Start, point to Administrative Tools,
and then click Group Policy Management.
3. In the Group Policy Management console, expand Forest: fabrikam.com, expand
Domains, right-click fabrikam.com, and select Create a GPO in this domain, and Link
it here. This will bring up a New GPO dialog box.
4. In the New GPO box, enter LocalIntranetMachineGPO under Name: and click OK. This
will close the dialog box.
5. On the left, expand fabrikam.com, right-click LocalIntranetMachineGPO and select
Edit. This will bring up the Group Policy Management Editor.
6. In the Group Policy Management Editor, under User Configuration, expand Policies,
expand Windows Settings, expand Internet Explorer Maintenance and click Security.
7. On the right, double-click Security Zones and Content Ratings. This will bring up the
Security Zones and Content Ratings box.
8. On the Security Zones and Content Ratings box, select the Import the current security
zones and privacy settings radio button.
9. This will bring up an Internet Explorer Enhanced Security Configuration box. Click
Continue to close this box.
10. On the Security Zones and Content Ratings box, click the Modify Settings button. This
will bring up the Internet Properties box.
11. On the Internet Properties box, click the Security tab, select Local intranet and click the
Sites button. This will bring up the Local intranet box.
12. On the Local intranet box, enter https://rms.fabrikam.com and click Add. Click Close.
This will close the second Local intranet box.
Important
This document assumes that, prior to installing AD RMS, a CNAME record called
RMS was created and pointed to ADRMS.fabrikam.com.
13. Click OK to close the Internet Properties box.
14. Click OK to close the Security Zones and Content Ratings box.
Figure 14 – Group Policy Management Editor
Figure 15 – Security Zones and Content Ratings
Step 6 - Create FabrikamDocuments Shared Folder
This step explains how to create the FabrikamDocuments shared folder. This is the folder that
will store our test documents.
To create the FabrikamDocuments Shared Folder
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. Click File, point to New, and then click Folder.
4. Type FabrikamDocuments for the new folder, and then press ENTER.
5. Right-click FabrikamDocuments, click Share with, and then click Specific people.
6. On the File Sharing window, in the box under Type a name and then click Add, or
click the arrow to find someone, select Everyone, and then click Add. The Everyone
group should now appear in the box below. Under Permission Level, select
Read/Write.
7. Click Share. The window should change and you should now see Your folder is
shared.
8. Click Done.
Step 7 - Create an All Staff Rights Protected Word Document
This section explains how to create a rights protected Word document that is only accessible by
members of the All Staff group.
To create an All Staff Rights Protected Word Document
1. Log on to CLT.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office
Word 2007. This will bring up Word 2007 with a blank document.
3. On the blank document, type the words This is an All Staff test.
4. At the top, click the Office button, select Prepare from the drop-down, select Restrict
Permission, and select Restrict Access. This will bring up the Permission window.
5. On the Permission window, place a check in Restrict permission to this document.
Next, click Read. This will bring up a Select Names window. Choose All Staff and click
OK. This will close the Select Names window.
6. On the Permission window, click OK.
Figure 16 – Permission Window
7. At the top, click the Office button and select Save As from the drop-down.
8. At the top, remove Libraries -> Documents from the location and enter
\\ADRMS.fabrikam.com\FabrikamDocuments.
9. Under File Name:, enter AllStaffTest.
10. Click Save.
11. Close Word.
Step 8 - Consume AllStaffTest Document as Britta Simon
In this step, Britta Simon will consume the AllStaffTest document. This will validate the AD RMS
environment prior to moving the AD RMS databases.
To consume AllStaffTest document as Britta Simon
1. Log on to CLT.fabrikam.com as fabrikam\bsimon.
2. Click the Windows button.
3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.
4. Double-click AllStaffTest. This will launch the Configuring your computer for Information Rights Management box.
Figure 17 – Configuring your computer for Information Rights Management
5. Once this completes, you should see a pop-up box that says Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions. Click OK.
6. Once this completes, you should be able to view AllStaffTest.
Step 9 - Export the Trusted User Domain and Trusted Publishing Domain
This step explains how to export the Trusted User Domain and the Trusted Publishing Domain.
This is done for backup and disaster recovery purposes.
To export the Trusted User Domain and the Trusted Publishing Domain
1. Log on to ADRMS.fabrikam.com as Administrator.
2. On the Desktop, right-click, select New, and then select Folder from the drop-down.
3. Rename the new folder ADRMSBackup.
4. Open the Active Directory Rights Management Services Administration console: click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
5. In the Active Directory Rights Management Services Administration console, expand the cluster name.
6. Expand Trusted Policies and select Trusted User Domains.
7. On the right, select Export Trusted User Domain. This will bring up the Export Trusted User Domain As box.
8. In the Export Trusted User Domain As box, on the left, select Desktop and then select the ADRMSBackup folder.
9. Under File name enter ADRMSTUD and make sure Binary File (*.bin) is selected for Save As Type. Click Save. This will close the Export Trusted User Domain As box.
Figure 18 – Trusted User Domain
10. In the Active Directory Rights Management Services Administration console, select Trusted Publishing Domains.
11. On the right, select Export Trusted Publishing Domain. This will bring up the Export Trusted Publishing Domain box.
12. In the Export Trusted Publishing Domain box, click Save As. This will bring up the Export Trusted Publishing Domain File As box. In that box, on the left, select Desktop and then select the ADRMSBackup folder.
13. Under File name enter ADRMSTPD and make sure XML File (*.xml) is selected for Save As Type. Click Save. This will close the Export Trusted Publishing Domain File As box.
14. In the Export Trusted Publishing Domain box, enter Pass1word$ in the Password box. Enter Pass1word$ in the Confirm Password box.
15. Click Finish. Close the Active Directory Rights Management Services Administration console.
Figure 19 – Trusted Publishing Domain Wizard
Step 10 - Stop IIS
This step explains how to stop the Internet Information Services (IIS) server that is running on the AD RMS server.
To stop IIS
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.
3. In the Internet Information Services (IIS) Manager, on the left, select ADRMS (FABRIKAM\Administrator). On the right, under Actions, select Stop.
4. Close the Internet Information Services (IIS) Manager.
Figure 20 – Internet Information Services (IIS) Manager
Step 11 - Verify MSMQ is Empty and Stop the AD RMS Logging Service
This step explains how to verify that the Microsoft Message Queuing (MSMQ) queue is empty and how to stop the AD RMS Logging Service. AD RMS uses MSMQ on each server in the AD RMS cluster to send information to the logging database. This needs to be done prior to backing up the AD RMS Logging database, so that entries still waiting in the queue are not missing from the backup.
To verify the MSMQ is empty
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. On the left, expand Features, expand Message Queuing, expand Private Queues, expand drms_logging_rms_fabrikam_com_443, and select Queue messages. This will populate the middle pane with Queue messages.
4. Verify there are no messages in Queue messages. Close Server Manager.
Figure 21 – MSMQ
To stop the AD RMS Logging Service
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Services.
3. On the Services screen, right-click AD RMS Logging Service, and select Stop.
4. Close Services.
Figure 22 – Stop the AD RMS Logging Service
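Steps 10 and 11 as a script, added here as an example that is not part of the Microsoft document: run from an elevated PowerShell prompt on ADRMS.fabrikam.com, it refuses to stop the logging service while the drms_logging_rms_fabrikam_com_443 queue still holds messages, so nothing bound for the logging database is stranded when that database is backed up. It assumes the .NET System.Messaging assembly (installed with the Message Queuing feature) and addresses the logging service by its display name.

```powershell
# Added example, not from the original document. Run on ADRMS.fabrikam.com as
# Administrator. Queue name is the private queue shown in Step 11 (assumed path).
Add-Type -AssemblyName System.Messaging

$queuePath = '.\private$\drms_logging_rms_fabrikam_com_443'

if (-not [System.Messaging.MessageQueue]::Exists($queuePath)) {
    throw "Queue $queuePath not found; check the cluster URL and port used in the queue name."
}

$queue   = New-Object System.Messaging.MessageQueue $queuePath
$pending = @($queue.GetAllMessages()).Count

if ($pending -gt 0) {
    # Leave the logging service running so it can drain the queue into SQL1;
    # stopping it now would leave these records out of the logging DB backup.
    throw "$pending message(s) still queued; wait for the AD RMS Logging Service to drain them, then rerun."
}

Write-Host "Queue is empty; stopping IIS and the AD RMS Logging Service."

# Step 10: stop IIS on this server (same effect as Stop on the server node in IIS Manager).
& iisreset /stop | Out-Null

# Step 11: stop the logging service, looked up by display name rather than service name.
Get-Service -DisplayName 'AD RMS Logging Service' | Stop-Service -Force
Get-Service -DisplayName 'AD RMS Logging Service' | Select-Object DisplayName, Status
```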
Step 12 - Create database backups
This step explains how to back up the SQL databases. Three databases will be backed up as part of this step.
To create the DBBackup Folder
1. Log on to SQL1.fabrikam.com as Administrator.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. Click File, point to New, and then click Folder.
4. Type DBBackup for the new folder, and then press ENTER.
Figure 23 – Create DBBackup Folder
To back up the DRMS_Config_rms_fabrikam_com_443 database
1. Log on to SQL1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL1 and that Authentication is set to Windows Authentication. Click Connect.
Figure 24 – Connect to SQL Server
3. On the right, expand Databases. Right-click DRMS_Config_rms_fabrikam_com_443, select Tasks and choose Back Up. This will bring up the Back Up Database – DRMS_Config_rms_fabrikam_com_443 window.
Figure 25 – Backup Database
4. In Back Up Database – DRMS_Config_rms_fabrikam_com_443, under Destination, highlight the existing entry and click Remove. Click Add. This will bring up the Select Backup Destination box.
5. Click the … box. This will bring up the Locate Database Files – SQL1 window. Navigate to the DBBackup folder that was created above. Enter DRMS_Config for the File Name and click OK.
Figure 26 – Locate Database Files
6. On the Select Backup Destination screen, click OK.
Figure 27 – Select Backup Destination
7. On the Back Up Database – DRMS_Config_rms_fabrikam_com_443 screen, click OK.
Figure 28 – How Back Up Database should look before clicking OK
8. Once this has completed, a pop-up will say the database has been backed up successfully. Click OK.
Figure 29 – Backup Successful
To back up the DRMS_DirectoryServices_rms_fabrikam_com_443 database
1. Log on to SQL1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL1 and that Authentication is set to Windows Authentication. Click Connect.
3. On the right, expand Databases. Right-click DRMS_DirectoryServices_rms_fabrikam_com_443, select Tasks and choose Back Up. This will bring up the Back Up Database – DRMS_DirectoryServices_rms_fabrikam_com_443 window.
4. In Back Up Database – DRMS_DirectoryServices_rms_fabrikam_com_443, under Destination, highlight the existing entry and click Remove. Click Add. This will bring up the Select Backup Destination box.
5. Click the … box. This will bring up the Locate Database Files – SQL1 window. Navigate to the DBBackup folder that was created above. Enter DRMS_Directory for the File Name and click OK.
6. On the Select Backup Destination screen, click OK.
7. On the Back Up Database – DRMS_DirectoryServices_rms_fabrikam_com_443 screen, click OK.
8. Once this has completed, a pop-up will say the database has been backed up successfully. Click OK.
To back up the DRMS_Logging_rms_fabrikam_com_443 database
1. Log on to SQL1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL1 and that Authentication is set to Windows Authentication. Click Connect.
3. On the right, expand Databases. Right-click DRMS_Logging_rms_fabrikam_com_443, select Tasks and choose Back Up. This will bring up the Back Up Database – DRMS_Logging_rms_fabrikam_com_443 window.
4. In Back Up Database – DRMS_Logging_rms_fabrikam_com_443, under Destination, highlight the existing entry and click Remove. Click Add. This will bring up the Select Backup Destination box.
5. Click the … box. This will bring up the Locate Database Files – SQL1 window. Navigate to the DBBackup folder that was created above. Enter DRMS_Logging for the File Name and click OK.
6. On the Select Backup Destination screen, click OK.
7. On the Back Up Database – DRMS_Logging_rms_fabrikam_com_443 screen, click OK.
8. Once this has completed, a pop-up will say the database has been backed up successfully. Click OK.
Step 13 - Restore the database to the new SQL Server
This step explains how to restore the databases that were backed up from SQL1 in the last step.
To copy the databases over to SQL2
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select Run, and enter \\SQL1\C$ in the box. Click OK.
3. Navigate to C:\DBBackup on SQL1. Copy the entire folder to C:\DBBackup on SQL2.
4. When the copy is complete, you can close the \\SQL1\C$ window.
To restore the DRMS_Config_rms_fabrikam_com_443 database from SQL1
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.
3. On the right, right-click Databases and select Restore Database. This will bring up the Restore Database window.
Figure 30 – Restore Database
4. On the Restore Database screen, select the From Device radio button and click the … box. This will bring up the Specify Backup screen.
Figure 31 – Select From Device
5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File – SQL2 screen. Select the DBBackup folder. Enter DRMS_Config for the File Name and click OK.
Figure 32 – Specify Backup
Figure 33 – Locate Backup File – SQL2
6. On the Specify Backup screen, click OK.
7. On the Restore Database screen, in the drop-down beside To database:, select DRMS_Config_rms_fabrikam_com_443.
8. On the Restore Database screen, under Select the backup sets to restore:, place a check in the Restore box next to DRMS_Config_rms_fabrikam_com_443-Full Database Backup. Click OK.
Figure 34 - Restore
9. Once this has completed, a pop-up will say the database has been restored successfully. Click OK.
Figure 35 – Restore Successful
To restore the DRMS_DirectoryServices_rms_fabrikam_com_443 database from SQL1
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.
3. On the right, right-click Databases and select Restore Database. This will bring up the Restore Database window.
4. On the Restore Database screen, select the From Device radio button and click the … box. This will bring up the Specify Backup screen.
5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File – SQL2 screen. Select the DBBackup folder. Enter DRMS_Directory for the File Name and click OK.
6. On the Specify Backup screen, click OK.
7. On the Restore Database screen, in the drop-down beside To database:, select DRMS_DirectoryServices_rms_fabrikam_com_443.
8. On the Restore Database screen, under Select the backup sets to restore:, place a check in the Restore box next to DRMS_DirectoryServices_rms_fabrikam_com_443-Full Database Backup. Click OK.
9. Once this has completed, a pop-up will say the database has been restored successfully. Click OK.
To restore the DRMS_Logging_rms_fabrikam_com_443 database from SQL1
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.
3. On the right, right-click Databases and select Restore Database. This will bring up the Restore Database window.
4. On the Restore Database screen, select the From Device radio button and click the … box. This will bring up the Specify Backup screen.
5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File – SQL2 screen. Select the DBBackup folder. Enter DRMS_Logging for the File Name and click OK.
6. On the Specify Backup screen, click OK.
7. On the Restore Database screen, in the drop-down beside To database:, select DRMS_Logging_rms_fabrikam_com_443.
8. On the Restore Database screen, under Select the backup sets to restore:, place a check in the Restore box next to DRMS_Logging_rms_fabrikam_com_443-Full Database Backup. Click OK.
9. Once this has completed, a pop-up will say the database has been restored successfully. Click OK.
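The backup of Step 12 and the restore of Step 13, as an added example that is not part of the Microsoft document: a PowerShell script that drives sqlcmd with Windows authentication, writes each backup with checksums, verifies the backup file before it is copied, and confirms each restored database is ONLINE on SQL2. It assumes sqlcmd.exe is on the PATH on both servers, C:\DBBackup exists on both, the file names are the ones typed in the dialogs with a .bak extension added, and SQL2 uses the same data and log paths as SQL1 (the dialog restore above makes the same assumption, since it relocates no files).

```powershell
# Added example, not from the original document. Backs up the three AD RMS
# databases on SQL1 and restores them on SQL2 using sqlcmd and Windows auth.
# Assumed: sqlcmd.exe on PATH, C:\DBBackup on both servers, same data/log paths.

# Database name -> backup file name, matching the names typed in Steps 12 and 13.
$databases = @{
    'DRMS_Config_rms_fabrikam_com_443'            = 'DRMS_Config'
    'DRMS_DirectoryServices_rms_fabrikam_com_443' = 'DRMS_Directory'
    'DRMS_Logging_rms_fabrikam_com_443'           = 'DRMS_Logging'
}
$backupDir = 'C:\DBBackup'

function Invoke-Tsql {
    param([string]$Server, [string]$Query)
    # -E: Windows authentication; -b: non-zero exit code on any T-SQL error.
    & sqlcmd -S $Server -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed on ${Server}: $Query" }
}

function Backup-AdrmsDatabases {
    param([string]$Server = 'SQL1')
    foreach ($db in $databases.Keys) {
        $file = Join-Path $backupDir ($databases[$db] + '.bak')
        # CHECKSUM stores page checksums in the backup; VERIFYONLY reads the whole
        # file back and validates them, so a bad backup is found before cutover
        # rather than after the old server has been decommissioned.
        Invoke-Tsql $Server "BACKUP DATABASE [$db] TO DISK = N'$file' WITH INIT, CHECKSUM;"
        Invoke-Tsql $Server "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM;"
        Write-Host "Backed up and verified $db -> $file"
    }
}

function Restore-AdrmsDatabases {
    param([string]$Server = 'SQL2')
    foreach ($db in $databases.Keys) {
        $file = Join-Path $backupDir ($databases[$db] + '.bak')
        Invoke-Tsql $Server "RESTORE DATABASE [$db] FROM DISK = N'$file' WITH RECOVERY, CHECKSUM;"
        # Confirm the database is actually ONLINE before AD RMS is pointed at it.
        $state = & sqlcmd -S $Server -E -h -1 -W -Q "SET NOCOUNT ON; SELECT state_desc FROM sys.databases WHERE name = N'$db';"
        if (($state | Out-String).Trim() -ne 'ONLINE') { throw "$db is not ONLINE on $Server (state: $state)" }
        Write-Host "Restored $db on $Server"
    }
}

# On SQL1:  Backup-AdrmsDatabases -Server SQL1
# Copy C:\DBBackup to SQL2 (Step 13, "To copy the databases over to SQL2"), then
# on SQL2:  Restore-AdrmsDatabases -Server SQL2
```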
Step 14 - Add DisableStrictNameChecking Registry Key
This step explains how to add the DisableStrictNameChecking registry key. This key allows connections to be made to the SQL server by names other than its own computer name, such as the CNAME alias. By default, SQL Server 2008 will not allow this.
To add the DisableStrictNameChecking Registry Key
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, type regedit.exe in the Start Search box, and then press ENTER.
3. Expand the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
4. Right-click Parameters, click New, and then click DWORD (32-bit) Value.
5. In the Value name box, type DisableStrictNameChecking, and then press ENTER.
6. Double-click the DisableStrictNameChecking registry value, type 1 in the Value data box, and then click OK.
7. Close Registry Editor.
Figure 36 - DisableStrictNameChecking
Step 15 - Enable SQL Firewall Ports
This step explains how to enable the firewall rules on the new SQL server. These rules are required to allow the AD RMS cluster to communicate with the SQL Server.
To enable the firewall ports on SQL2
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools and click Windows Firewall with Advanced Security. This will bring up the Windows Firewall with Advanced Security MMC.
Figure 37 – Windows Firewall with Advanced Security
3. On the left, select Inbound Rules and on the right click New Rule. This will bring up the New Inbound Rule Wizard.
Figure 38 – New Inbound Rule Wizard
4. On the Rule Type screen, select Port and click Next.
Figure 39 – Protocols and Ports
5. On the Protocol and Ports screen, select TCP and enter 445 in the box next to Specific local ports: and click Next.
6. On the Action screen, select Allow the connection and click Next.
Figure 40 - Action
7. On the Profile screen, select Domain, Private, and Public, then click Next.
Figure 41 - Profile
8. On the Name screen, enter SQL Server Named Pipes in the box and click Finish.
9. Repeat these steps for all of the entries in the table below.
Table 8 – SQL Server Firewall Port Exceptions
Protocol   Port Number   Name
TCP        445           SQL Server Named Pipes
TCP        1433          SQL Server Listening Port
UDP        1434          SQL Server Browser Service
Step 16 - Enable SQL Server Network Protocols
This step explains how to enable the allowed network protocols for SQL2. This is done so that
the AD RMS Server can communicate with the database server.
To enable SQL Server Network Protocols
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008, click Configuration Tools, and select SQL Server Configuration Manager. This will bring up the SQL Server Configuration Manager.
Figure 42 – SQL Server Configuration Manager
3. In SQL Server Configuration Manager, on the left, expand SQL Server Network Configuration and click Protocols for MSSQLSERVER. This will populate the right pane with four protocols and their status.
Figure 43 – Protocols for MSSQLSERVER
4. On the right, right-click Disabled next to Named Pipes and select Enable. This will bring up a pop-up box that says Any changes made will be saved; however, they will not take effect until the service is stopped and restarted. Click OK.
Figure 44 – Enable Protocols
Figure 45 – Restart box
5. On the right, right-click Disabled next to TCP/IP and select Enable. This will bring up a pop-up box that says Any changes made will be saved; however, they will not take effect until the service is stopped and restarted. Click OK.
Figure 46 – Protocol Summary
6. In SQL Server Configuration Manager, on the left, click SQL Server Services. This will populate the right pane with three services and their state.
Figure 47 – SQL Server Services
7. On the right, right-click SQL Server (MSSQLSERVER) and select Stop. This will stop the SQL Server service.
8. On the right, right-click SQL Server (MSSQLSERVER) and select Start. This will start the SQL Server service.
9. Close SQL Server Configuration Manager.
Step 17 - Add ADRMSService to SQL Logins
This step explains how to add the AD RMS Service Account (ADRMSService) to SQL Logins on
SQL2. This allows the service account to connect to SQL2.
To add ADRMSService to SQL Logins
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.
3. On the right, expand Security, right-click Logins, and select New Login. This will bring up the Login – New screen.
Figure 48 – Login - New
4. On the Login – New screen, click Search. This will bring up a Select User or Group box.
5. In the Select User or Group box, enter fabrikam\ADRMSService in the box below Enter the object name to select (examples) and click Check Names. The name should resolve and appear underlined. Click OK.
Figure 49 – Name Resolved
6. On the Login – New screen, click OK. This will close the Login – New screen.
7. Close SQL Server Management Studio.
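Steps 14 through 17 as a script, added here as an example that is not part of the Microsoft document: the same preparation of SQL2 done from an elevated PowerShell prompt on SQL2.fabrikam.com. It assumes the default instance MSSQLSERVER, sqlcmd.exe on the PATH, and the SQL Server 2008 SMO WMI assembly that ships with Management Studio; it also restricts the three firewall rules to the AD RMS server's address from Table 9, which the dialog-driven rules above do not do.

```powershell
# Added example, not from the original document. Run on SQL2.fabrikam.com as
# Administrator. Assumed: default instance MSSQLSERVER, sqlcmd.exe on PATH,
# SMO WMI assembly present, AD RMS server at 192.168.100.2 (Table 9).

# Step 14: let the SMB server on SQL2 accept sessions under the CNAME alias,
# not only under its own computer name (needed for the Named Pipes path).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
New-ItemProperty -Path $lanman -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null

# Step 15: the inbound rules from Table 8. The dialog version allows any source
# address on all profiles; here the source is limited to the AD RMS server.
$adrmsServer = '192.168.100.2'
$rules = @(
    @{ Name = 'SQL Server Named Pipes';     Protocol = 'TCP'; Port = 445  },
    @{ Name = 'SQL Server Listening Port';  Protocol = 'TCP'; Port = 1433 },
    @{ Name = 'SQL Server Browser Service'; Protocol = 'UDP'; Port = 1434 }
)
foreach ($r in $rules) {
    & netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow `
        protocol=$($r.Protocol) localport=$($r.Port) profile=any remoteip=$adrmsServer | Out-Null
}

# Step 16: enable Named Pipes and TCP/IP for the instance, then restart it so
# the change takes effect (the pop-up in the dialog version says the same).
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$mc        = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$protocols = $mc.ServerInstances['MSSQLSERVER'].ServerProtocols
foreach ($name in 'Np', 'Tcp') {
    $protocols[$name].IsEnabled = $true
    $protocols[$name].Alter()
}
Restart-Service -Name MSSQLSERVER -Force

# Step 17: add the AD RMS service account as a Windows login, as the Login - New
# dialog does (no server roles are granted).
& sqlcmd -S SQL2 -E -b -Q "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'fabrikam\ADRMSService') CREATE LOGIN [fabrikam\ADRMSService] FROM WINDOWS;"
if ($LASTEXITCODE -ne 0) { throw 'Creating the fabrikam\ADRMSService login failed.' }

# Show what was configured.
foreach ($name in 'Np', 'Tcp') { "{0}: enabled={1}" -f $name, $protocols[$name].IsEnabled }
& netsh advfirewall firewall show rule name=all dir=in | Select-String 'SQL Server'
```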
Step 18 - Change the CNAME Record in DNS
This step explains how to change the CNAME record in DNS.
To change the CNAME Record
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click DNS. This will bring up the DNS Manager.
3. In the DNS Manager, on the left, expand DC, expand Forward Lookup Zones, and click fabrikam.com. On the right, right-click the CNAME record ADRMS-SQL and select Properties. This will bring up the ADRMS-SQL Properties.
4. In the ADRMS-SQL Properties, enter sql2.fabrikam.com under Fully qualified domain name (FQDN) for target host: and click OK.
5. Close DNS Manager.
Figure 50 – Change CNAME Record
Step 19 - Restart IIS and AD RMS Logging Service
This step explains how to start the Internet Information Server and the AD RMS Logging Service.
To start IIS
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.
3. In the Internet Information Services (IIS) Manager, on the left, select ADRMS (FABRIKAM\Administrator). On the right, under Actions, select Start.
4. Close the Internet Information Services (IIS) Manager.
Figure 51 – Restart IIS
To start the AD RMS Logging Service
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Services.
3. On the Services screen, right-click AD RMS Logging Service, and select Start.
4. Close Services.
Figure 52 – Start AD RMS Logging Service
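The cutover of Steps 18 and 19, as an added example that is not part of the Microsoft document. The first part runs on DC.fabrikam.com and repoints the alias with dnscmd; the second runs on ADRMS.fabrikam.com and, before IIS and the logging service are started, checks that the alias now resolves to SQL2 and that a Windows-authenticated connection through the alias really lands on SQL2 and reaches the restored configuration database. The alias name is a variable because the document calls it ADRMS-SQL in this step and RMS-SQL in Appendix A; running the connection test under fabrikam\ADRMSService (for example via runas) also exercises the login added in Step 17, otherwise it validates the network path only.

```powershell
# Added example, not from the original document.
$zone  = 'fabrikam.com'
$alias = 'ADRMS-SQL'          # use RMS-SQL if the alias was created as in Appendix A
$old   = 'sql1.fabrikam.com'
$new   = 'sql2.fabrikam.com'

# ---- Part 1: on DC.fabrikam.com (Step 18) ----
# The CNAME is repointed by removing the SQL1 target and adding the SQL2 target.
& dnscmd DC /RecordDelete $zone $alias CNAME $old /f
& dnscmd DC /RecordAdd    $zone $alias CNAME $new

# ---- Part 2: on ADRMS.fabrikam.com, before Step 19 ----
# Drop the cached answer that still points at SQL1.
& ipconfig /flushdns | Out-Null

$fqdn     = "$alias.$zone"
$resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
$expected = [System.Net.Dns]::GetHostAddresses($new)  | ForEach-Object { $_.IPAddressToString }
if (-not ($resolved -contains $expected[0])) {
    throw "$fqdn resolves to $($resolved -join ', '), expected $($expected -join ', '); wait for DNS to update."
}

# Connect the way the cluster will: through the alias, integrated auth, to the
# restored configuration database. @@SERVERNAME proves which server answered.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$fqdn;Database=DRMS_Config_rms_fabrikam_com_443;Integrated Security=SSPI;Connection Timeout=15"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT @@SERVERNAME'
    $answered = [string]$cmd.ExecuteScalar()
} finally {
    $conn.Close()
}
if ($answered -ne 'SQL2') {
    throw "Connected to '$answered' instead of SQL2; the alias is still reaching the old server."
}
Write-Host "Alias $fqdn reaches $answered with the configuration database online; starting AD RMS."

# Step 19: bring the cluster back only after the path to SQL2 has been proven.
& iisreset /start | Out-Null
Get-Service -DisplayName 'AD RMS Logging Service' | Start-Service
Get-Service -DisplayName 'AD RMS Logging Service' | Select-Object DisplayName, Status
```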
Testing the Implementation
The following steps will guide you through testing the AD RMS environment now that the
databases have been successfully moved. The following tests will verify that existing users are
able to create and consume new rights-protected content and that new users are able to
consume existing rights-protected content.
This section consists of the following steps:
1. Step 1 – Create an All FTE Rights Protected Word Document
2. Step 2 – Consume AllFTETest Document as Britta Simon
3. Step 3 – Consume AllFTETest Document as Lola Jacobson
4. Step 4 – Consume AllStaffTest Document as Lola Jacobson
Step 1 - Create an All FTE Rights Protected Word Document
This section explains how to create a rights protected Word document that is only accessible by
members of the All FTE group.
To create an All FTE Rights Protected Word Document
1. Log on to CLT.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Word 2007. This will bring up Word 2007 with a blank document.
3. In the blank document, type the words This is an All FTE test.
4. At the top, click the Office button, select Prepare from the drop-down, select Restrict Permission, and select Restrict Access. This will bring up the Permission window.
5. On the Permission window, place a check in Restrict permission to this document. Next, click Read. This will bring up a Select Names window. Choose All FTE and click OK. This will close the Select Names window.
6. On the Permission window, click OK.
Figure 53 – Permission Window
7. At the top, click the Office button and select Save As from the drop-down.
8. At the top, remove Libraries -> Documents from the location and enter \\ADRMS.fabrikam.com\FabrikamDocuments.
9. Under File Name:, enter AllFTETest.
10. Click Save.
11. Close Word.
Step 2 - Consume AllFTETest Document as Britta Simon
In this step, Britta Simon will consume the AllFTETest document. This will validate that an
existing user is able to consume newly created rights-protected content after the database has
been successfully moved.
To consume AllFTETest document as Britta Simon
1. Log on to CLT.fabrikam.com as fabrikam\bsimon.
2. Click the Windows button.
3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.
4. Double-click AllFTETest.
5. After a moment, you will see the Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions box. Click OK.
Figure 54 – Permission to this document is currently restricted box
6. Once this completes, you should be able to view AllFTETest.
7. Close Word.
Step 3 - Consume AllFTETest Document as Lola Jacobson
In this step, Lola Jacobson will attempt to consume the AllFTETest document. Remember that Lola is not a member of the All FTE group. Also, Lola has never attempted to create or consume a rights-protected document, so she is new to AD RMS. This step will validate that a new user can successfully enroll and that document restrictions are enforced.
To consume AllFTETest document as Lola Jacobson
1. Log on to CLT.fabrikam.com as fabrikam\ljacobson.
2. Click the Windows button.
3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.
4. Double-click AllFTETest. This will launch the Configuring your computer for Information Rights Management box.
5. After a moment, you will see the Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions box. Click OK.
6. This will bring up a box that says You do not have credentials that allow you to open this document. You can request updated permission from [email protected]. Do you want to request updated permissions? Click No.
Figure 55 – You do not have credentials
7. Close Word.
Step 4 - Consume AllStaffTest Document as Lola Jacobson
In this step, Lola Jacobson will consume the AllStaffTest document. This will validate that a newly enrolled user is able to consume existing rights-protected content after the database has been successfully moved.
To consume AllStaffTest document as Lola Jacobson
1. Log on to CLT.fabrikam.com as fabrikam\ljacobson.
2. Click the Windows button.
3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.
4. Double-click AllStaffTest.
5. After a moment, you will see the Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions box. Click OK.
6. Once this completes, you should be able to view AllStaffTest.
7. Close Word.
Appendix A - How to Install AD RMS with a CNAME Record
Installing AD RMS using a CNAME Record
The following Appendix can be used to provide guidance for installing AD RMS using a CNAME record. This appendix is provided for individuals who may not be totally familiar with this process.
The environment
The following three virtual machines are used to complete the steps outlined in this Appendix.
Figure 55 – The testing environment
Table 9 - Virtual Machines and Roles
Computer Name   Forest         Operating System              Memory (MB)   Applications and Services                      IP Address
DC              fabrikam.com   Windows Server 2008 x64 SP2   512           Active Directory, DNS, Certificate Authority   192.168.100.1
ADRMS           fabrikam.com   Windows Server 2008 x64 SP2   1024          AD RMS, IIS 7.0                                192.168.100.2
SQL1            fabrikam.com   Windows Server 2008 x64 SP2   1024          Microsoft SQL Server 2008 SP2                  192.168.100.10
CNAME Records
The following two CNAME records will be created in the steps outlined by this appendix.
Table 10 - CNAME Records
Name      Record Type   FQDN                   Target               Description
RMS       CNAME         RMS.fabrikam.com       adrms.fabrikam.com   Alias record for the ADRMS Server.
RMS-SQL   CNAME         RMS-SQL.fabrikam.com   sql1.fabrikam.com    Alias record for the ADRMS SQL Server.
Additional Information
The following additional information is assumed for completion of the steps outlined in this Appendix.
1. The AD RMS Service account used is fabrikam\ADRMSService. The password for this account is Pass1word$.
2. Prior to installing AD RMS, SQL1 has had the proper network protocols enabled, firewall ports opened, and the DisableStrictNameChecking registry key added.
Step 1 - Create CNAME Records
This step explains how to create the CNAME records in DNS.
To create the RMS CNAME Record
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click DNS. This will bring up the DNS Manager.
3. In the DNS Manager, on the left, expand DC, expand Forward Lookup Zones, right-click fabrikam.com and select New Alias (CNAME) from the menu. This will bring up the New Resource Record dialog box.
Figure 56 – New Alias (CNAME)
4. In the New Resource Record box, under Alias name (uses parent domain if left blank):, enter RMS.
5. In the New Resource Record box, under Fully qualified domain name (FQDN) for target host:, click Browse, double-click DC, double-click Forward Lookup Zones, double-click fabrikam.com and select the ADRMS Host record. Click OK.
Figure 57 – RMS CNAME Record
6. Click OK.
7. Close DNS Manager.
To create the RMS-SQL CNAME Record
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click DNS. This will bring up the DNS Manager.
3. In the DNS Manager, on the left, expand DC, expand Forward Lookup Zones, right-click fabrikam.com and select New Alias (CNAME) from the menu. This will bring up the New Resource Record dialog box.
4. In the New Resource Record box, under Alias name (uses parent domain if left blank):, enter RMS-SQL.
5. In the New Resource Record box, under Fully qualified domain name (FQDN) for target host:, click Browse, double-click DC, double-click Forward Lookup Zones, double-click fabrikam.com and select the SQL1 Host record. Click OK.
Figure 58 – RMS-SQL CNAME Record
6. Click OK.
7. Close DNS Manager.
Figure 59 – DNS Summary
Step 2 - Install AD RMS
This step explains how to install AD RMS using the CNAME records.
To install AD RMS using CNAME Records
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager. This will bring up the Server Manager.
3. In the Server Manager, on the left, select Roles. This will populate the right pane with a Roles Summary.
Figure 60 – Server Manager
4. On the right, select Add Roles. This will bring up the Add Roles Wizard.
Figure 61 – Add Roles Wizard
5. On the Add Roles Wizard, click Next. This will bring up the Server Roles screen.
6. On Server Roles, place a check in Active Directory Rights Management Services. This will bring up a box that says Add role services and features required for Active Directory Rights Management Services? Click Add Required Role Services.
Figure 62 – Select Server Roles
Figure 63 – Add role services and features
7. Once this is complete, click Next. This will bring up the Active Directory Rights Management Services introductory screen. Click Next. This will bring up the Role Services screen.
Figure 64 – Active Directory Rights Management Services Introductory Screen
8. On the Role Services screen, leave the defaults and click Next. This will bring up the AD RMS Cluster screen.
Figure 65 – Role Services
9. On the AD RMS Cluster screen, leave the default of Create a new AD RMS cluster and click Next. Because this is the root cluster, the other option will be greyed out. This will bring up the Configuration Database screen.
Figure 66 – AD RMS Cluster
10. On the Configuration Database screen, select Use a different database server. Under Server enter RMS-SQL.fabrikam.com and click Get Database Instances. From the drop-down, select Default. Click Validate. If this is successful, there should be no error message. Click Next. This will bring up the Service Account screen.
Figure 67 – Configuration Database
11. On the Service Account screen, click Specify. This will bring up a Windows Security box. For User name enter ADRMSService and for Password enter Pass1word$. Click OK. On the Service Account screen, click Next. This will bring up the Cluster Key Storage screen.
Figure 68 – Service Account
12. On the Cluster Key Storage screen, leave the default of Use AD RMS centrally managed key storage and click Next. This will bring up the Cluster Key Password screen.
Figure 69 – Cluster Key Storage
13. On the Cluster Key Password screen, for Password enter Pass1word$ and for Confirm Password enter Pass1word$. Click Next. This will bring up the Cluster Web Site screen.
Figure 70 – Cluster Key Password
14. On the Cluster Web Site screen, leave the default of Default Web Site and click Next. This will bring up the Cluster Address screen.
Figure 71 – Cluster Web Site
15. On the Cluster Address screen, leave the default of Use an SSL-encrypted connection (https://) and under Internal Address enter RMS.fabrikam.com. Leave the default port of 443. Click Validate. If this is successful, https://RMS.fabrikam.com should appear under Preview of cluster address for clients on the network. Click Next. This will bring up the Server Authentication Certificate screen.
Figure 72 – Cluster Address
16. On the Server Authentication Certificate screen, select Choose a certificate for SSL encryption later. This will bring up the Licensor Certificate Name screen. Once the installation is complete, an SSL certificate can be requested through IIS. For information on how to do this, see Import an SSL Certificate Using Internet Information Services (IIS) Manager (http://go.microsoft.com/fwlink/?LinkID=154912).
Figure 73 – Server Authentication Certificate
17. On the Licensor Certificate Name screen, leave the default Name of ADRMS and click Next. This will bring up the SCP Registration screen.
Figure 74 – Licensor Certificate Name
18. On the SCP Registration screen, leave the default of Register the AD RMS service connection point now and click Next. This will bring up the Web Server (IIS) screen.
Figure 75 – SCP Registration
19. On the Web Server (IIS) screen, click Next. This will bring up the Role Services for IIS screen.
Figure 76 – Web Server (IIS)
20. On the Role Services for IIS screen, leave the defaults and click Next. This will bring up the Confirmation screen.
Figure 77 – Role Services (IIS)
21. On the Confirmation screen, click Install. This will bring up the Progress screen.
Figure 78 – Confirmation
22. Once the Progress screen shows that the installation has completed, click Close.
Figure 79 - Progress
Warning
Before you administer AD RMS, you will need to log off and then log on again.
Figure 79 - Results