
AD RMS Database Relocation with a CNAME Record – Step-by-Step

Microsoft Corporation

Published: April 2010

Author: Bill Mathers

Acknowledgements

Special thanks to the following people for reviewing and providing invaluable feedback for this document:

Jason Tyler, Microsoft Corporation
Jody Hendrix, Microsoft Corporation
Manthan Maru, Microsoft Corporation
Pat Hoffer, Microsoft Corporation

Abstract

This document will assist architects, consultants, system engineers, and system administrators in moving the Active Directory Rights Management Services (AD RMS) databases from one server to another. This guide only covers the step-by-step procedures for moving the database when a CNAME record was used prior to installing AD RMS. If a CNAME record was not used, please see AD RMS Database Relocation without a CNAME Record – Step-by-Step (http://go.microsoft.com/fwlink/?LinkID=188464).


Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.

© 2009 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Contents

AD RMS Database Relocation with a CNAME Record Step-by-Step.............................................5

About this Guide.......................................................................................................................... 5

What This Guide Does Not Provide.........................................................................................5

Requirements for this Document....................................................................................................6

The Scenario.................................................................................................................................. 7

Scenario description.................................................................................................................... 7

The testing environment...........................................................................................................7

Required Groups...................................................................................................................... 8

Required accounts................................................................................................................... 9

Required CNAME Records......................................................................................................9

The Importance of CNAME Records.............................................................................................10

What are CNAME Records?......................................................................................................10

Why are CNAME Records important to AD RMS?.....................................................................11

SQL Server and CNAME Records.............................................................................................11

Implementing the Procedures in this Document...........................................................................12

Step 1 - Create FabrikamUsers Organizational Unit.....................................................................13

Step 2 - Create Test Users............................................................................................................14

Step 3 - Create Test Groups.........................................................................................................17

Step 4 - Add Users to Groups.......................................................................................................22

Step 5 - Create MachineGPO.......................................................................................................24

Step 6 - Create FabrikamDocuments Shared Folder....................................................................27

Step 7 - Create an All Staff Rights Protected Word Document.....................................................28

Step 8 - Consume AllStaffTest Document as Britta Simon............................................................29

Step 9 - Export the Trusted User Domain and Trusted Publishing Domain...................................30

Step 10 - Stop IIS......................................................................................................................... 32

Step 11 - Verify MSMQ is Empty and Stop the AD RMS Logging Service....................................33

Step 12 - Create database backups.............................................................................................35


Step 13 - Restore the database to the new SQL Server...............................................................42

Step 14 - Add DisableStrictNameChecking Registry Key.............................................................49

Step 15 - Enable SQL Firewall Ports............................................................................................50

Step 16 - Enable SQL Server Network Protocols..........................................................................56

Step 17 - Add ADRMSService to SQL Logins...............................................................................60

Step 18 - Change the CNAME Record in DNS.............................................................................62

Step 19 - Restart IIS and AD RMS Logging Service.....................................................................63

Testing the Implementation...........................................................................................................65

Step 1 - Create an All FTE Rights Protected Word Document......................................................66

Step 2 - Consume AllFTETest Document as Britta Simon............................................................67

Step 3 - Consume AllFTETest Document as Lola Jacobson.........................................................68

Step 4 - Consume AllStaffTest Document as Lola Jacobson........................................................69

Appendix A - How to Install AD RMS with a CNAME Record........................................................69

Installing AD RMS using a CNAME Record...............................................................................69

The environment.................................................................................................................... 69

CNAME Records....................................................................................................................71

Additional Information............................................................................................................71

Step 1 - Create CNAME Records.................................................................................................71

Step 2 - Install AD RMS................................................................................................................75


AD RMS Database Relocation with a CNAME Record Step-by-Step

About this Guide

This step-by-step guide walks you through the process of moving the AD RMS databases from one SQL Server 2008 SP1 server to another SQL Server 2008 SP1 server. This is done in a test environment so that you can become familiar with the process before attempting it in a production environment. The first part of this guide deals with setting up a working AD RMS test environment. It is this environment that will be used to verify that the databases have been moved successfully. The final parts of this guide deal with the actual moving of the databases.

As you complete the steps in this guide, you will:

• Back up the AD RMS database.
• Restore the AD RMS database.
• Verify that the move was successful and that AD RMS is up and running again. This is done by testing the ability to create new rights-protected content once the databases have been moved, consume the newly created rights-protected content, and consume existing rights-protected content.

What This Guide Does Not Provide

This guide does not provide the following:

• Guidance for setting up and configuring Active Directory Domain Services in either a production or test environment. This guide assumes that Active Directory Domain Services is already configured in the test environment. For more information about configuring Active Directory Domain Services, see AD DS Installation and Removal Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=154567).
• Guidance for setting up and configuring Active Directory Certificate Services in either a production or test environment. This guide assumes that Active Directory Certificate Services is already configured and working in the test environment. You must ensure that you have a valid SSL certificate and that it is bound properly in IIS to the default website. For more information about configuring Active Directory Certificate Services, see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761).
• Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured and working in the test environment. For more information about configuring AD RMS, see the AD RMS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=154256).
• Guidance for setting up and configuring Exchange Server 2007 SP1 in either a production or test environment. This guide assumes that Exchange 2007 SP1 is already set up and configured in the test environment. For more information about configuring Exchange Server 2007 SP1, see Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=154564).

Requirements for this Document

The following table summarizes the Microsoft software used in this guide.

Software | Additional Information
Windows Server® 2008 Enterprise 64-bit edition | Windows Server® 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Windows Server® 2008 R2 Enterprise 64-bit | Windows Server® 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=165669)
Windows® 7 Enterprise | Windows® 7 Enterprise (http://go.microsoft.com/fwlink/?LinkId=160776)
Active Directory Domain Service | Active Directory (http://go.microsoft.com/fwlink/?LinkId=156712)
Active Directory Certificate Services | Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761)
Active Directory Rights Management Services (AD RMS) | Active Directory Rights Management Services (AD RMS) (http://go.microsoft.com/fwlink/?LinkId=163969)
Microsoft SQL Server 2008 Service Pack 1 – 64-bit edition | Microsoft SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkId=156714)
Microsoft Exchange Server 2007 Service Pack 2 – 64-bit | Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=156715)
Microsoft Office 2007 with Service Pack 2 | Microsoft Office 2007 (http://go.microsoft.com/fwlink/?LinkId=156717)
Microsoft Hyper-V | Microsoft Hyper-V (http://go.microsoft.com/fwlink/?LinkID=156719)
Internet Information Services (IIS) 7.0 | IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=160778)
Rights Management Services Administration Toolkit with SP2 | Rights Management Services Administration Toolkit with SP2 (http://go.microsoft.com/fwlink/?LinkID=158667)

The Scenario

Scenario description

Fabrikam, a fictitious company, wants to move their current AD RMS databases from an existing Microsoft SQL Server 2008 server to a brand new server. Prior to doing this in production, Fabrikam would like to set up a test environment that will allow them to walk through the process of moving the database. This will also allow them to verify that everything is working after the database move.

The testing environment

The scenario outlined in this document has been developed and tested on one stand-alone computer running the 64-bit edition of the Windows Server® 2008 R2 operating system and Hyper-V. The servers have two 3.0 gigahertz (GHz) dual-core processors and 8 gigabytes (GB) of RAM each. Using Hyper-V, the following six virtual machines were created on the hosts.


Figure 1 – The testing environment

Table 1 - Virtual Machines and Roles

Computer Name | Forest | Operating System | Memory (MB) | Applications and Services | IP Address
DC | fabrikam.com | Windows Server 2008 x64 SP2 | 512 | Active Directory, DNS, Certificate Authority | 192.168.100.100
EX | fabrikam.net | Windows Server 2008 x64 SP2 | 2048 | Exchange 2007, IIS 7.0 | 192.168.100.101
ADRMS | fabrikam.com | Windows Server 2008 x64 SP2 | 1024 | AD RMS, IIS 7.0 | 192.168.100.102
SQL1 | fabrikam.com | Windows Server 2008 x64 SP2 | 1024 | Microsoft SQL Server 2008 SP2 | 192.168.100.103
SQL2 | fabrikam.com | Windows Server® 2008 R2 x64 | 1024 | Microsoft SQL Server 2008 SP2 | 192.168.100.104
CLT | fabrikam.com | Windows 7 Enterprise x86 | 1024 | Microsoft Office 2007 Enterprise Edition SP2 | 192.168.100.105

Hyper-V is not a requirement to complete the steps outlined later. These steps can be implemented on physical computers as long as they reflect the same roles as the preceding table.

Required Groups

The following table summarizes the universal groups used in this step-by-step guide.

Table 2 - Group Summary

Group Name | Group Scope | Group Type
All Staff | Universal | Security
All FTE | Universal | Security
All Contractors | Universal | Security

Required accounts

The following table summarizes the accounts used in this step-by-step guide.

Table 3 - Required Accounts

Account | Display name | Forest | Group Membership | Password | Description
bsimon | Britta Simon | fabrikam.com | All FTE | Pass1word$ | User account.
ljacobson | Lola Jacobson | fabrikam.com | All Contractors | Pass1word$ | User account.
ADRMSService | ADRMS Service | fabrikam.com | NA | Pass1word$ | The ADRMS Service account. This account was used during the installation of ADRMS. Installing ADRMS is a prerequisite to using this document.

Required CNAME Records

The following table summarizes the CNAME records used in this step-by-step guide. These records were created before installing ADRMS in the test environment.

Table 4 - CNAME Records

Name | Record Type | FQDN | Target | Description
RMS | CNAME | RMS.fabrikam.com | adrms.fabrikam.com | Alias record for the ADRMS Server.
RMS-SQL | CNAME | RMS-SQL.fabrikam.com | sql1.fabrikam.com | Alias record for the ADRMS SQL Server.

The Importance of CNAME Records

What are CNAME Records?

CNAME stands for Canonical Name record. It is a type of resource record used in the Domain Name System. In DNS, a CNAME record is used as an alias for another record. For example, in our scenario we use a CNAME record named ADRMS-SQL to point to the FQDN of our SQL Server, SQL1.fabrikam.com.


Figure 3 - CNAME Records in DNS

Why are CNAME Records important to AD RMS?

CNAME records are important for several reasons. First, when you create a piece of content, the URL for the AD RMS server is embedded into its header. When a user attempts to consume this content, it is this URL that is used to obtain a use license. If you originally installed AD RMS using the FQDN of the physical AD RMS server as the URL and this were ever to change, documents with the old URL would be inaccessible.

For example, if we have an AD RMS server with an FQDN of AD-RMS.fabrikam.com and we use a URL of https://AD-RMS.fabrikam.com, then all of our rights-protected content will have https://AD-RMS.fabrikam.com embedded in its header. Now say we decide to change the AD RMS server's name to AD-RMS2.fabrikam.com, and our URL is now https://AD-RMS2.fabrikam.com. When a user attempts to consume older rights-protected content, the client will look for a use license at https://AD-RMS.fabrikam.com, not at our new URL of https://AD-RMS2.fabrikam.com, and the user will not be able to consume this content. Now suppose instead we had created a CNAME record called RMS and pointed it at AD-RMS.fabrikam.com. This record has the FQDN RMS.fabrikam.com. When we install AD RMS, we specify https://RMS.fabrikam.com as the URL. If we later decide to change the AD RMS server's name to AD-RMS2.fabrikam.com, we can simply edit the CNAME record to point to AD-RMS2.fabrikam.com.


Figure 2 – Sample AD RMS encrypted header

Secondly, if you later decide that you want to add Network Load Balancing because the AD RMS infrastructure has grown, it is much simpler to do this with a CNAME record.
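To make the alias-to-target relationship concrete, the following PowerShell script is an added example and not part of the Microsoft guide. It resolves the two CNAME records from Table 4 against the lab DNS server and reports whether each alias points where AD RMS expects, so it can be run once before the move (RMS-SQL should target sql1.fabrikam.com) and again after the CNAME has been changed in DNS (the post-move target is assumed here to be sql2.fabrikam.com, the new SQL Server from Table 1). It assumes the DnsClient module (Resolve-DnsName, available from Windows 8 / Windows Server 2012 onward; the guide's 2008-era hosts would use nslookup instead) and the DC's address 192.168.100.100 from Table 1 as the DNS server.

```powershell
# Added example (not from the Microsoft guide): verify that the CNAME aliases
# from Table 4 resolve to the hosts AD RMS expects, before and after the move.
# Assumes Resolve-DnsName (DnsClient module) and DC.fabrikam.com as DNS server.

# Expected alias -> target pairs. RMS always points at the AD RMS server;
# RMS-SQL points at sql1 before the move and (assumed) at sql2 afterwards.
$ExpectedBeforeMove = @{
    'rms.fabrikam.com'     = 'adrms.fabrikam.com'
    'rms-sql.fabrikam.com' = 'sql1.fabrikam.com'
}
$ExpectedAfterMove = @{
    'rms.fabrikam.com'     = 'adrms.fabrikam.com'
    'rms-sql.fabrikam.com' = 'sql2.fabrikam.com'   # assumed new target
}

function Test-CnameTargets {
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        # DNS server to query: DC.fabrikam.com in the guide's lab (Table 1).
        [string]$DnsServer = '192.168.100.100'
    )
    foreach ($alias in $Expected.Keys) {
        try {
            # Ask only for the CNAME so we see the alias itself, not the final A record.
            $record = Resolve-DnsName -Name $alias -Type CNAME -Server $DnsServer -ErrorAction Stop |
                      Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            $actual = if ($record) { $record.NameHost.TrimEnd('.') } else { '<no CNAME returned>' }
        } catch {
            $actual = "<lookup failed: $($_.Exception.Message)>"
        }
        [pscustomobject]@{
            Alias    = $alias
            Expected = $Expected[$alias]
            Actual   = $actual
            Match    = ($actual -ieq $Expected[$alias])
        }
    }
}

# Usage: run with $ExpectedBeforeMove before stopping IIS, and with
# $ExpectedAfterMove after the CNAME change, before IIS is restarted.
$check = Test-CnameTargets -Expected $ExpectedAfterMove
$check | Format-Table -AutoSize
if ($check.Match -contains $false) {
    Write-Warning 'At least one alias does not point where AD RMS expects; correct DNS before bringing AD RMS back online.'
}
```

Because AD RMS clients only ever see https://rms.fabrikam.com, and the AD RMS server only ever sees rms-sql.fabrikam.com, these two records are the whole of what has to be right for the move to be transparent; checking them explicitly is cheaper than discovering a stale alias through failed use-license requests.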

SQL Server and CNAME Records

In order to use a CNAME record with a SQL Server, the DisableStrictNameChecking registry key must be added and its value set to 1. This allows the SQL Server to be addressed by a name other than its proper computer name when a connection attempt is made. Step 14 – Add DisableStrictNameChecking Registry Key of this guide describes how to do this in detail. By default the key is not present, so strict name checking is in effect.

Figure 4 – DisableStrictNameChecking Registry Key
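As an added example (not from the guide), the PowerShell fragment below reads the current state of the value and then sets it. The registry location used is the standard LanmanServer\Parameters key where DisableStrictNameChecking lives; the script is meant to run, as Administrator, on the server that the RMS-SQL alias will point to after the move.

```powershell
# Added example (not from the Microsoft guide): inspect and set
# DisableStrictNameChecking so the host accepts connections addressed
# to the RMS-SQL alias. Run on the new SQL Server as Administrator.

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Name = 'DisableStrictNameChecking'

function Get-StrictNameCheckingState {
    # Returns 'Absent' when the value does not exist (the default, meaning strict
    # name checking is in effect), otherwise the current DWORD value.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Absent' }
    return $item.$Name
}

function Set-StrictNameCheckingDisabled {
    # Creates the DWORD if it is missing, or overwrites it with 1 if present.
    if (-not (Test-Path $Key)) { throw "Registry key not found: $Key" }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

"Before: $(Get-StrictNameCheckingState)"
Set-StrictNameCheckingDisabled
"After:  $(Get-StrictNameCheckingState)"
# The Server service reads this value at start-up, so restart it (or reboot)
# for the change to take effect before testing the alias.
```

Note that this is a LanmanServer parameter: it relaxes name checking for the whole host's Server service, not just for SQL Server, so it is worth recording the change in the server's build documentation alongside the CNAME it was added for.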


Implementing the Procedures in this Document

The following steps will guide you through setting up the initial environment.

This section consists of the following steps:

1. Step 1 – Create FabrikamUsers Organizational Unit

2. Step 2 – Create Test Users

3. Step 3 – Create Test Groups

4. Step 4 – Add Users to Groups

5. Step 5 – Create MachineGPO

6. Step 6 – Create FabrikamDocuments Shared Folder

7. Step 7 – Create an All Staff Rights Protected Word Document

8. Step 8 – Consume AllStaffTest Document as Britta Simon

9. Step 9 – Export the Trusted User Domain and Trusted Publishing Domain

10. Step 10 – Stop IIS

11. Step 11 – Verify MSMQ is Empty and Stop the AD RMS Logging Service

12. Step 12 – Create database backups

13. Step 13 – Restore the database to the new SQL Server

14. Step 14 – Add DisableStrictNameChecking Registry Key

15. Step 15 – Enable SQL Firewall Ports

16. Step 16 – Enable SQL Server Network Protocols

17. Step 17 – Add ADRMSService to SQL Logins

18. Step 18 – Change the CNAME Record in DNS

19. Step 19 – Restart IIS and the AD RMS Logging Service

Step 1 - Create FabrikamUsers Organizational Unit

This step explains how to create an organizational unit in fabrikam.com. This organizational unit will store all of the test users.

To create the organizational unit

1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.
3. In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click fabrikam.com, select New, and then Organizational Unit.
4. In the Name textbox, type FabrikamUsers. Click OK.
5. Close Active Directory Users and Computers.

Figure 5 – FabrikamUsers Organizational Unit

Step 2 - Create Test Users

This step explains how to create and mailbox-enable the test users in fabrikam.com. These accounts will be used to verify that users are able to create and consume content once the databases have been moved.

Table 5 - Required Accounts

First Name | Last Name | User logon name | Display name | Forest | Password
Britta | Simon | bsimon | Britta Simon | fabrikam.com | Pass1word$
Lola | Jacobson | ljacobson | Lola Jacobson | fabrikam.com | Pass1word$

To create the test User Accounts

1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, right-click FabrikamUsers, select New and then select User. This will bring up the New Object – User window.
4. On the New Object – User screen, in the First Name box, enter Britta.
5. On the New Object – User screen, in the Last Name box, enter Simon.
6. On the New Object – User screen, in the User logon name: box, enter bsimon and click Next.
7. On the New Object – User screen, in the Password box, enter Pass1word!.
8. On the New Object – User screen, in the Confirm Password box, enter Pass1word!.
9. On the New Object – User screen, clear the User must change password at next logon check box.
10. On the New Object – User screen, select the Password never expires check box and click Next.
11. Click Finish.
12. Repeat these steps for all of the accounts listed in the Account Summary table.


Figure 6 – Fabrikam Users

To Mailbox-Enable the User Accounts

1. Log on to the EX.fabrikam.com Server as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click Mailbox.
4. On the right, in the Actions pane, click New Mailbox… to start the New Mailbox wizard.
5. On the Introduction screen, select User Mailbox and click Next.
6. On the User Type screen, select Existing users and click Add. This will bring up the Select User – fabrikam.com screen.
7. From the list, using the Ctrl key, select Britta Simon and Lola Jacobson, then click OK.
8. Click Next.
9. On the Group Information screen, click Next.
10. On the Mailbox Settings screen, under Mailbox database, click Browse. This will bring up the Select Mailbox Database screen.
11. Select the Mailbox Database and click OK. Click Next.
12. On the New Mailbox screen, click Next.
13. On the Completion screen, verify that it was successful and click Finish.
14. Close Exchange Management Console.

Figure 7 – New mailbox wizard

Step 3 - Create Test Groups

This step explains how to create and mail-enable the test groups in fabrikam.com. It also explains how to make certain groups members of other groups. These groups will be used to determine who has usage rights to the protected content created later in this guide.

Table 6 - Group Summary

Group Name | Group Scope | Group Type
All Staff | Universal | Security
All FTE | Universal | Security
All Contractors | Universal | Security

To create the test Groups

1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, right-click FabrikamUsers, select New and then select Group. This will bring up the New Object – Group window.
4. On the New Object – Group screen, in the Group Name box, enter All Staff.
5. On the New Object – Group screen, under Group scope, select Universal.
6. On the New Object – Group screen, under Group type, select Security.
7. Click OK.
8. Repeat these steps for all of the groups listed in the Group Summary table.

Figure 8 – Fabrikam Groups

To Mail-Enable the Security Groups

1. Log on to the EX.fabrikam.com Server as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click Distribution Group.
4. On the right, in the Actions pane, click New Distribution Group… to start the New Distribution Group wizard.
5. On the Introduction screen, select Existing group and click Browse. This will bring up the Select Group – fabrikam.com screen.
6. From the list, select All Staff and click OK.
7. Click Next.
8. On the Group Information screen, click Next.
9. On the New Distribution Group screen, click New.
10. On the Completion screen, verify that it was successful and click Finish.
11. Close Exchange Management Console.
12. Repeat these steps for all of the groups listed in the Group Summary table.

Figure 9 – New Distribution Group Wizard

Figure 10 – Fabrikam Distribution Groups

To add the All FTE and All Contractors groups to the All Staff group

1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click All Staff, and select Properties. This will bring up the All Staff Properties window.
4. On the Members tab, click Add. This will bring up the Select Groups dialog box.
5. On the Select Groups dialog box, in the Enter the object names to select (examples) box, enter All FTE and click Check Names. This should resolve with an underline.
6. Click OK. This will close the Select Groups dialog box.
7. On the Members tab, click Add. This will bring up the Select Groups dialog box.
8. On the Select Groups dialog box, in the Enter the object names to select (examples) box, enter All Contractors and click Check Names. This should resolve with an underline.
9. Click OK. This will close the Select Groups dialog box.
10. On the All Staff Properties window, click Apply.
11. Click OK. This will close the All Staff Properties dialog box.
12. Close Active Directory Users and Computers.

Figure 11 – All Staff Properties

Step 4 - Add Users to Groups

This step explains how to add the previously created users to the previously created security groups. The group membership will be used to determine whether or not a user will be able to access a piece of rights-protected e-mail.

Table 7 - Account Summary

First Name | Last Name | User logon name | Member of
Britta | Simon | bsimon | All FTE
Lola | Jacobson | ljacobson | All Contractors

To add test user accounts to test groups

1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click Britta Simon, and select Properties. This will bring up the Britta Simon Properties window.
4. On the Member of tab, click Add. This will bring up the Select Groups dialog box.
5. On the Select Groups dialog box, in the Enter the object names to select (examples) box, enter All FTE and click Check Names. This should resolve with an underline.
6. Click OK. This will close the Select Groups dialog box.
7. On the Britta Simon Properties window, click Apply.
8. Click OK. This will close the Britta Simon Properties dialog box.
9. Repeat these steps for all of the accounts listed in the Account Summary table, substituting the appropriate Member of value.
10. Close Active Directory Users and Computers.


Figure 12 – Britta Simon’s Group Membership
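Steps 1 through 4 together build the directory side of the test environment. The PowerShell script below is an added example, not code from the Microsoft guide: it performs the same four steps with the ActiveDirectory module (RSAT-AD-PowerShell), creating the FabrikamUsers OU, the three universal security groups from Table 6 with the nesting described in Step 3, and the two users from Table 5 with the memberships from Table 7. It assumes it runs on DC.fabrikam.com as Administrator; the Exchange parts of Steps 2 and 3 (mailbox- and mail-enabling) are not covered.

```powershell
# Added example, not part of the Microsoft guide: scripts Steps 1-4 with the
# ActiveDirectory module. Run on DC.fabrikam.com as Administrator. The Exchange
# parts of Steps 2 and 3 (mailbox- and mail-enabling) are not covered here.

Import-Module ActiveDirectory

$DomainDN = 'DC=fabrikam,DC=com'
$OuName   = 'FabrikamUsers'
$OuDN     = "OU=$OuName,$DomainDN"

# Step 1 - the organizational unit that holds the test users and groups.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

# Step 3 - universal security groups from Table 6 (Table 2 lists the same three).
# New-ADGroup uses the name as the SamAccountName, as the GUI does.
foreach ($groupName in 'All Staff', 'All FTE', 'All Contractors') {
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security -Path $OuDN
    }
}
# Nest All FTE and All Contractors inside All Staff, as the guide does via All Staff Properties.
Add-ADGroupMember -Identity 'All Staff' -Members 'All FTE', 'All Contractors'

# Steps 2 and 4 - test users from Table 5 with the memberships from Table 7.
# Pass1word$ is the lab password printed in the guide's tables; outside a
# throwaway lab, read the password from a secure store instead of embedding it.
$Password = ConvertTo-SecureString 'Pass1word$' -AsPlainText -Force
$Users = @(
    @{ First = 'Britta'; Last = 'Simon';    Logon = 'bsimon';    MemberOf = 'All FTE' }
    @{ First = 'Lola';   Last = 'Jacobson'; Logon = 'ljacobson'; MemberOf = 'All Contractors' }
)

foreach ($u in $Users) {
    $display = "$($u.First) $($u.Last)"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Logon)'")) {
        # The last three switches mirror the New Object - User choices in Step 2:
        # no forced change at next logon, password never expires, account enabled.
        New-ADUser -Name $display -GivenName $u.First -Surname $u.Last -DisplayName $display `
            -SamAccountName $u.Logon -UserPrincipalName "$($u.Logon)@fabrikam.com" `
            -Path $OuDN -AccountPassword $Password `
            -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
    }
    Add-ADGroupMember -Identity $u.MemberOf -Members $u.Logon
}

# Verification: each user's direct group memberships (compare with Table 7).
foreach ($u in $Users) {
    $groups = Get-ADPrincipalGroupMembership -Identity $u.Logon | Select-Object -ExpandProperty Name
    '{0,-10} member of: {1}' -f $u.Logon, ($groups -join ', ')
}
```

The existence checks make the script safe to re-run, which matters when the environment is rebuilt to rehearse the move more than once; the mailbox and distribution-group steps would be added with the Exchange Management Shell on EX.fabrikam.com.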

Step 5 - Create MachineGPO

This step explains how to create a Group Policy Object that will be applied to all of our machines in the test environment. The purpose of this GPO is to add the AD RMS URL to the Local intranet sites in Internet Explorer. This allows a more seamless experience for users, as they will not be prompted for credentials when attempting to create or consume protected content.


Figure 13 – Group Policy Management

To create the LocalIntranetMachineGPO

1. Log on to DC.fabrikam.com as Administrator.
2. Open the Group Policy Management console. Click Start, point to Administrative Tools, and then click Group Policy Management.
3. In the Group Policy Management console, expand Forest: fabrikam.com, expand Domains, right-click fabrikam.com, and select Create a GPO in this domain, and Link it here. This will bring up a New GPO dialog box.
4. In the New GPO box, enter LocalIntranetMachineGPO under Name: and click OK. This will close the dialog box.
5. On the left, expand fabrikam.com, right-click LocalIntranetMachineGPO and select Edit. This will bring up the Group Policy Management Editor.
6. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance and click Security.
7. On the right, double-click Security Zones and Content Ratings. This will bring up the Security Zones and Content Ratings box.
8. On the Security Zones and Content Ratings box, select the Import the current security zones and privacy settings radio button.
9. This will bring up an Internet Explorer Enhanced Security Configuration box. Click Continue to close this box.
10. On the Security Zones and Content Ratings box, click the Modify Settings button. This will bring up the Internet Properties box.
11. On the Internet Properties box, click the Security tab, select Local intranet and click the Sites button. This will bring up the Local intranet box.
12. On the Local intranet box, enter https://rms.fabrikam.com and click Add. Click Close. This will close the second Local intranet box.

Important
This document assumes that, prior to installing AD RMS, a CNAME record called RMS was created and pointed to ADRMS.fabrikam.com.

13. Click OK to close the Internet Properties box.
14. Click OK to close the Security Zones and Content Ratings box.

Figure 14 – Group Policy Management Editor


Figure 15 – Security Zones and Content Ratings

Step 6 - Create FabrikamDocuments Shared Folder

This step explains how to create the FabrikamDocuments shared folder. This is the folder that will store our test documents.

To create the FabrikamDocuments Shared Folder

1. Log on to ADRMS.fabrikam.com as Administrator.

2. Click Start, click Computer, and then double-click Local Disk (C:).

3. Click File, point to New, and then click Folder.

4. Type FabrikamDocuments for the new folder, and then press ENTER.

5. Right-click FabrikamDocuments, click Share with, and then click Specific people.

6. On the File Sharing window, in the box under Type a name and then click Add, or click the arrow to find someone, select Everyone, and then click Add. The Everyone group should now appear in the box below. Under Permission Level, select Read/Write.

7. Click Share. The window should change and you should now see Your folder is shared.

8. Click Done.

Step 7 - Create an All Staff Rights Protected Word Document

This section explains how to create a rights-protected Word document that is only accessible by members of the All Staff group.

To create an All Staff Rights Protected Word Document

1. Log on to CLT.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Word 2007. This will bring up Word 2007 with a blank document.

3. On the blank document, type the words This is an All Staff test.

4. At the top, click the Office button, select Prepare from the drop-down, select Restrict Permission, and select Restrict Access. This will bring up the Permission window.

5. On the Permission window, place a check in Restrict permission to this document. Next, click Read. This will bring up a Select Names window. Choose All Staff and click OK. This will close the Select Names window.

6. On the Permission window, click OK.

Figure 16 – Permission Window

7. At the top, click the Office button and select Save As from the drop-down.

8. At the top, remove Libraries -> Documents from the location and enter \\ADRMS.fabrikam.com\FabrikamDocuments.

9. Under File Name:, enter AllStaffTest.

10. Click Save.

11. Close Word.

Step 8 - Consume AllStaffTest Document as Britta Simon

In this step, Britta Simon will consume the AllStaffTest document. This will validate the AD RMS environment prior to moving the AD RMS databases.

To consume AllStaffTest document as Britta Simon

1. Log on to CLT.fabrikam.com as fabrikam\bsimon.

2. Click the Windows button.

3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.

4. Double-click AllStaffTest. This will launch the Configuring your computer for Information Rights Management box.

Figure 17 – Configuring your computer for Information Rights Management

5. Once this completes, you should see a pop-up box that says Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions. Click OK.

6. Once this completes, you should be able to view AllStaffTest.

Step 9 - Export the Trusted User Domain and Trusted Publishing Domain

This step explains how to export the Trusted User Domain and the Trusted Publishing Domain. This is done for backup and disaster recovery purposes. The exported Trusted Publishing Domain file contains the cluster's server licensor certificate together with its private key, protected only by the password entered in step 14, so the file and the password should be stored separately.

To export the Trusted User Domain and the Trusted Publishing Domain

1. Log on to ADRMS.fabrikam.com as Administrator.

2. On the Desktop, right-click, select New, and select Folder from the drop-down.

3. Rename the new folder ADRMSBackup.

4. Open the Active Directory Rights Management Services Administration console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

5. In the Active Directory Rights Management Services Administration console, expand the cluster name.

6. Expand Trusted Policies and select Trusted User Domains.

7. On the right, select Export Trusted User Domain. This will bring up the Export Trusted User Domain As box.

8. From the Export Trusted User Domain As box, on the left, select Desktop and select the ADRMSBackup folder.

9. Under File name enter ADRMSTUD and make sure Binary File (*.bin) is selected for Save As Type. Click Save. This will close the Export Trusted User Domain As box.

Figure 18 – Trusted User Domain

10. In the Active Directory Rights Management Services Administration console, select Trusted Publishing Domains.

11. On the right, select Export Trusted Publishing Domain. This will bring up the Export Trusted Publishing Domain box.

12. From the Export Trusted Publishing Domain box, click Save As. This will bring up the Export Trusted Publishing Domain File As box. On the left, select Desktop and select the ADRMSBackup folder.

13. Under File name enter ADRMSTPD and make sure XML File (*.xml) is selected for Save As Type. Click Save. This will close the Export Trusted Publishing Domain File As box.

14. From the Export Trusted Publishing Domain box, enter Pass1word$ in the Password box. Enter Pass1word$ in the Confirm Password box.

15. Click Finish. Close the Active Directory Rights Management Services Administration console.

Figure 19 – Trusted Publishing Domain Wizard

Step 10 - Stop IIS

This step explains how to stop Internet Information Services (IIS) on the AD RMS server.

To stop IIS

1. Log on to ADRMS.fabrikam.com as Administrator.

2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.

3. From the Internet Information Services (IIS) Manager, on the left, select ADRMS (FABRIKAM\Administrator). On the right, under Actions, select Stop.

4. Close the Internet Information Services (IIS) Manager.

Figure 20 – Internet Information Services (IIS) Manager

Step 11 - Verify MSMQ is Empty and Stop the AD RMS Logging Service

This step explains how to verify that the Microsoft Message Queuing (MSMQ) queue is empty and how to stop the AD RMS Logging Service. AD RMS uses MSMQ on each server in the AD RMS cluster to send information to the logging database. This needs to be done prior to backing up the AD RMS Logging database.

To verify the MSMQ is empty

1. Log on to ADRMS.fabrikam.com as Administrator.

2. Click Start, point to Administrative Tools, and then click Server Manager.

3. On the left, expand Features, expand Message Queuing, expand Private Queues, expand drms_logging_rms_fabrikam_com_443, and select Queue messages. This will populate the middle pane with Queue messages.

4. Verify there are no messages in Queue messages. Close Server Manager.

Figure 21 – MSMQ

To stop the AD RMS Logging Service

1. Log on to ADRMS.fabrikam.com as Administrator.

2. Click Start, point to Administrative Tools, and then click Services.

3. On the Services screen, right-click AD RMS Logging Service, and select Stop.

4. Close Services.

Figure 22 – Stop the AD RMS Logging Service
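Steps 10 and 11 as one script, added here as an example; it is not part of the Microsoft guide. It stops IIS with iisreset, waits until the drms_logging queue from Step 11 has actually drained instead of assuming it is empty, and only then stops the logging service. The queue path, the service display name and the server are the guide's; the drain timeout and the function names are this example's assumptions.

```powershell
# Added example, not part of the Microsoft guide. Run on ADRMS.fabrikam.com as
# Administrator. The private queue name and the service display name are the
# ones shown in Step 11; the five-minute drain timeout is this script's choice.
$ErrorActionPreference = 'Stop'
[void][System.Reflection.Assembly]::LoadWithPartialName('System.Messaging')

# MSMQ path of the AD RMS logging queue on this cluster member (Step 11)
$loggingQueuePath = '.\private$\drms_logging_rms_fabrikam_com_443'
$loggingService   = 'AD RMS Logging Service'

function Get-LoggingQueueDepth {
    # Number of log records still waiting to be written to the logging database
    $queue = New-Object System.Messaging.MessageQueue $loggingQueuePath
    try { return @($queue.GetAllMessages()).Count } finally { $queue.Close() }
}

function Stop-AdRmsForRelocation {
    param([int]$TimeoutSeconds = 300)

    # Step 10: stopping IIS stops the licensing and certification pipelines,
    # so nothing new is written to the queue from this point on
    & iisreset.exe /stop
    if ($LASTEXITCODE -ne 0) { throw 'iisreset /stop failed' }

    # Step 11: rather than assuming the queue is already empty, wait for the
    # logging service to drain it. Records still queued when the service stops
    # stay in MSMQ but would be missing from the logging database backup.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while (($depth = Get-LoggingQueueDepth) -gt 0) {
        if ((Get-Date) -gt $deadline) {
            throw "$depth message(s) still queued after $TimeoutSeconds seconds; not stopping $loggingService"
        }
        Write-Host "$depth message(s) queued, waiting..."
        Start-Sleep -Seconds 5
    }

    Stop-Service -DisplayName $loggingService
    $status = (Get-Service -DisplayName $loggingService).Status
    if ($status -ne 'Stopped') { throw "$loggingService is $status" }
    Write-Host "IIS stopped, logging queue empty, $loggingService stopped."
}

Stop-AdRmsForRelocation
```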

Step 12 - Create database backups

This step explains how to back up the SQL databases. There are three databases that will be backed up as part of this step.

To create the DBBackup Folder

1. Log on to SQL1.fabrikam.com as Administrator.

2. Click Start, click Computer, and then double-click Local Disk (C:).

3. Click File, point to New, and then click Folder.

4. Type DBBackup for the new folder, and then press ENTER.

Figure 23 – Create DBBackup Folder

To back up the DRMS_Config_rms_fabrikam_com_443 database

1. Log on to SQL1.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL1 and that Authentication is set to Windows Authentication. Click Connect.

Figure 24 – Connect to SQL Server

3. On the right, expand Databases. Right-click DRMS_Config_rms_fabrikam_com_443, select Tasks and choose Back Up. This will bring up the Back Up Database – DRMS_Config_rms_fabrikam_com_443 window.

Figure 25 – Backup Database

4. From Back Up Database – DRMS_Config_rms_fabrikam_com_443, under Destination, highlight the entry and click Remove. Click Add. This will bring up the Select Backup Destination box.

5. Click the … box. This will bring up the Locate Database Files – SQL1 window. Navigate to the folder that was created above. Enter DRMS_Config for the File Name and click OK.

Figure 26 – Locate Database Files

6. On the Select Backup Destination screen, click OK.

Figure 27 – Select Backup Destination

7. On the Back Up Database – DRMS_Config_rms_fabrikam_com_443 screen, click OK.

Figure 28 – How Back Up Database should look before clicking OK

8. Once this has completed, a pop-up will say the database has been backed up successfully. Click OK.

Figure 29 – Backup Successful

To back up the DRMS_DirectoryServices_rms_fabrikam_com_443 database

1. Log on to SQL1.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL1 and that Authentication is set to Windows Authentication. Click Connect.

3. On the right, expand Databases. Right-click DRMS_DirectoryServices_rms_fabrikam_com_443, select Tasks and choose Back Up. This will bring up the Back Up Database – DRMS_DirectoryServices_rms_fabrikam_com_443 window.

4. From Back Up Database – DRMS_DirectoryServices_rms_fabrikam_com_443, under Destination, highlight the entry and click Remove. Click Add. This will bring up the Select Backup Destination box.

5. Click the … box. This will bring up the Locate Database Files – SQL1 window. Navigate to the folder that was created above. Enter DRMS_Directory for the File Name and click OK.

6. On the Select Backup Destination screen, click OK.

7. On the Back Up Database – DRMS_DirectoryServices_rms_fabrikam_com_443 screen, click OK.

8. Once this has completed, a pop-up will say the database has been backed up successfully. Click OK.

To back up the DRMS_Logging_rms_fabrikam_com_443 database

1. Log on to SQL1.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL1 and that Authentication is set to Windows Authentication. Click Connect.

3. On the right, expand Databases. Right-click DRMS_Logging_rms_fabrikam_com_443, select Tasks and choose Back Up. This will bring up the Back Up Database – DRMS_Logging_rms_fabrikam_com_443 window.

4. From Back Up Database – DRMS_Logging_rms_fabrikam_com_443, under Destination, highlight the entry and click Remove. Click Add. This will bring up the Select Backup Destination box.

5. Click the … box. This will bring up the Locate Database Files – SQL1 window. Navigate to the folder that was created above. Enter DRMS_Logging for the File Name and click OK.

6. On the Select Backup Destination screen, click OK.

7. On the Back Up Database – DRMS_Logging_rms_fabrikam_com_443 screen, click OK.

8. Once this has completed, a pop-up will say the database has been backed up successfully. Click OK.

Step 13 - Restore the database to the new SQL Server

This step explains how to restore the databases that were backed up from SQL1 in the last step.

To copy the databases over to SQL2

1. Log on to SQL2.fabrikam.com as Administrator.

2. Click Start, select Run and enter \\SQL1\C$ in the box. Click OK.

3. Navigate to C:\DBBackup on SQL1. Copy the entire folder to C:\DBBackup on SQL2.

4. When the copy is complete you can close the SQL1\C$ window.

To restore the DRMS_Config_rms_fabrikam_com_443 database from SQL1

1. Log on to SQL2.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.

3. On the right, right-click Databases and select Restore Database. This will bring up the Restore Database window.

Figure 30 – Restore Database

4. On the Restore Database screen, select the From Device radio button and click the … box. This will bring up the Specify Backup screen.

Figure 31 – Select From Device

5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File – SQL2 screen. Select the DBBackup folder. Enter DRMS_Config for the File Name and click OK.

Figure 32 – Specify Backup

Figure 33 – Locate Backup File – SQL2

6. On the Specify Backup screen click OK.

7. On the Restore Database screen, in the drop-down beside To database: select DRMS_Config_rms_fabrikam_com_443.

8. On the Restore Database screen, under Select the backup sets to restore: place a check in the Restore box, next to DRMS_Config_rms_fabrikam_com_443-Full Database Backup. Click OK.

Figure 34 – Restore

9. Once this has completed, a pop-up will say the database has been restored successfully. Click OK.

Figure 35 – Restore Successful

To restore the DRMS_DirectoryServices_rms_fabrikam_com_443 database from SQL1

1. Log on to SQL2.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.

3. On the right, right-click Databases and select Restore Database. This will bring up the Restore Database window.

4. On the Restore Database screen, select the From Device radio button and click the … box. This will bring up the Specify Backup screen.

5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File – SQL2 screen. Select the DBBackup folder. Enter DRMS_Directory for the File Name and click OK.

6. On the Specify Backup screen click OK.

7. On the Restore Database screen, in the drop-down beside To database: select DRMS_DirectoryServices_rms_fabrikam_com_443.

8. On the Restore Database screen, under Select the backup sets to restore: place a check in the Restore box, next to DRMS_DirectoryServices_rms_fabrikam_com_443-Full Database Backup. Click OK.

9. Once this has completed, a pop-up will say the database has been restored successfully. Click OK.

To restore the DRMS_Logging_rms_fabrikam_com_443 database from SQL1

1. Log on to SQL2.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.

3. On the right, right-click Databases and select Restore Database. This will bring up the Restore Database window.

4. On the Restore Database screen, select the From Device radio button and click the … box. This will bring up the Specify Backup screen.

5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File – SQL2 screen. Select the DBBackup folder. Enter DRMS_Logging for the File Name and click OK.

6. On the Specify Backup screen click OK.

7. On the Restore Database screen, in the drop-down beside To database: select DRMS_Logging_rms_fabrikam_com_443.

8. On the Restore Database screen, under Select the backup sets to restore: place a check in the Restore box, next to DRMS_Logging_rms_fabrikam_com_443-Full Database Backup. Click OK.

9. Once this has completed, a pop-up will say the database has been restored successfully. Click OK.
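The backup of Step 12 and the restore of Step 13 as T-SQL driven from PowerShell, added here as an example and not part of the Microsoft guide. It adds what the SSMS click-through leaves out: page checksums on the backup, RESTORE VERIFYONLY on each file before and after the copy, and a state check after the restore. It assumes sqlcmd.exe (installed with SQL Server 2008) on the PATH and a sysadmin account on both instances; the .bak extension and the function names are this example's choices.

```powershell
# Added example, not part of the Microsoft guide. Backup-AdRmsDatabases runs on
# SQL1.fabrikam.com, Restore-AdRmsDatabases on SQL2.fabrikam.com, both as an
# account that is sysadmin on the instance. Assumes sqlcmd.exe (installed with
# SQL Server 2008) is on the PATH. Server, database and folder names are the
# guide's; the .bak extension on the backup files is this script's choice.
$ErrorActionPreference = 'Stop'

# Database name -> backup file name used in Steps 12 and 13
$databases = @{
    'DRMS_Config_rms_fabrikam_com_443'            = 'DRMS_Config'
    'DRMS_DirectoryServices_rms_fabrikam_com_443' = 'DRMS_Directory'
    'DRMS_Logging_rms_fabrikam_com_443'           = 'DRMS_Logging'
}

function Invoke-Tsql {
    param([string]$Server, [string]$Query)
    # -E: Windows authentication; -b: non-zero exit code when the batch fails
    & sqlcmd.exe -S $Server -E -b -Q $Query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed on ${Server}: $Query" }
}

# Step 12 (on SQL1): full backup of each database, written with page checksums
# and verified before it is copied anywhere. The logging service must already
# be stopped (Step 11) so that no records arrive after the backup is taken.
function Backup-AdRmsDatabases {
    param([string]$Server = 'SQL1', [string]$Folder = 'C:\DBBackup')
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    foreach ($db in $databases.Keys) {
        $file = Join-Path $Folder ($databases[$db] + '.bak')
        # INIT overwrites an existing file of the same name
        Invoke-Tsql $Server "BACKUP DATABASE [$db] TO DISK = N'$file' WITH INIT, CHECKSUM, STATS = 10"
        Invoke-Tsql $Server "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"
    }
}

# Step 13 (on SQL2): copy the backup folder from SQL1 over the admin share and
# restore each database under its original name. The restore keeps the data
# and log file locations recorded in the backup, so the SQL Server file paths
# on SQL2 must match SQL1 (otherwise add WITH MOVE clauses).
function Restore-AdRmsDatabases {
    param([string]$Server = 'SQL2',
          [string]$Source = '\\SQL1\C$\DBBackup',
          [string]$Folder = 'C:\DBBackup')
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    Copy-Item -Path (Join-Path $Source '*') -Destination $Folder -Force
    foreach ($db in $databases.Keys) {
        $file = Join-Path $Folder ($databases[$db] + '.bak')
        # Check the copy before restoring from it
        Invoke-Tsql $Server "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"
        Invoke-Tsql $Server "RESTORE DATABASE [$db] FROM DISK = N'$file' WITH CHECKSUM, STATS = 10"
    }
    # All three databases should now be ONLINE. Server logins are not part of
    # a database backup, which is why Step 17 adds the service account on SQL2.
    Invoke-Tsql $Server "SELECT name, state_desc FROM sys.databases WHERE name LIKE 'DRMS[_]%'"
}
```

Run Backup-AdRmsDatabases on SQL1 first, then Restore-AdRmsDatabases on SQL2.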

Step 14 - Add DisableStrictNameChecking Registry Key

This step explains how to add the DisableStrictNameChecking registry key. This key allows connections to be made to the SQL server by names other than the proper name. By default, SQL Server 2008 will not allow this.

To add the DisableStrictNameChecking Registry Key

1. Log on to SQL2.fabrikam.com as Administrator.

2. Click Start, type regedit.exe in the Start Search box, and then press ENTER.

3. Expand the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

4. Right-click Parameters, click New, and then click DWORD (32-bit) Value.

5. In the Value name box, type DisableStrictNameChecking, and then press ENTER.

6. Double-click the DisableStrictNameChecking registry value and type 1 in the Value data box, and then click OK.

7. Close Registry Editor.

Figure 36 – DisableStrictNameChecking

Step 15 - Enable SQL Firewall Ports

This step explains how to enable the firewall rules on the new SQL server. These rules are required to allow the AD RMS cluster to communicate with the SQL Server.

To enable the firewall ports on SQL2

1. Log on to SQL2.fabrikam.com as Administrator.

2. Click Start, select Administrative Tools and click Windows Firewall with Advanced Security. This will bring up the Windows Firewall with Advanced Security MMC.

Figure 37 – Windows Firewall with Advanced Security

3. On the left, select Inbound Rules and on the right click New Rule. This will bring up the New Inbound Rule Wizard.

Figure 38 – New Inbound Rule Wizard

4. On the Rule Type screen, select Port and click Next.

Figure 39 – Protocols and Ports

5. On the Protocol and Ports screen, select TCP and enter 445 in the box next to Specific local ports: and click Next.

6. On the Action screen, select Allow the connection and click Next.

Figure 40 – Action

7. On the Profile screen, select Domain, Private, and Public, then click Next.

Figure 41 – Profile

8. On the Name screen, enter SQL Server Named Pipes in the box and click Finish.

9. Repeat these steps for all of the entries in the table below.

Table 8 – SQL Server Firewall Port Exceptions

Protocol   Port Number   Name
TCP        445           SQL Server Named Pipes
TCP        1433          SQL Server Listening Port
UDP        1434          SQL Server Browser Service

Step 16 - Enable SQL Server Network Protocols

This step explains how to enable the allowed network protocols for SQL2. This is done so that the AD RMS Server can communicate with the database server.

To enable SQL Server Network Protocols

1. Log on to SQL2.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft SQL Server 2008, click Configuration Tools, and select SQL Server Configuration Manager. This will bring up the SQL Server Configuration Manager.

Figure 42 – SQL Server Configuration Manager

3. In SQL Server Configuration Manager, on the left, expand SQL Server Network Configuration and click Protocols for MSSQLSERVER. This will populate the right pane with four protocols and their status.

Figure 43 – Protocols for MSSQLSERVER

4. On the right, right-click Disabled next to Named Pipes and select Enable. This will bring up a pop-up box that says Any changes made will be saved; however, they will not take effect until the service is stopped and restarted. Click OK.

Figure 44 – Enable Protocols

Figure 45 – Restart box

5. On the right, right-click Disabled next to TCP/IP and select Enable. This will bring up a pop-up box that says Any changes made will be saved; however, they will not take effect until the service is stopped and restarted. Click OK.

Figure 46 – Protocol Summary

6. In SQL Server Configuration Manager, on the left, click SQL Server Services. This will populate the right pane with three services and their state.

Figure 47 – SQL Server Services

7. On the right, right-click SQL Server (MSSQLSERVER) and select Stop. This will stop the SQL Server service.

8. On the right, right-click SQL Server (MSSQLSERVER) and select Start. This will start the SQL Server service.

9. Close SQL Server Configuration Manager.

Step 17 - Add ADRMSService to SQL Logins

This step explains how to add the AD RMS Service Account (ADRMSService) to SQL Logins on SQL2. This allows the service account to connect to SQL2.

To add ADRMSService to SQL Logins

1. Log on to SQL2.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.

3. On the right, expand Security, right-click Logins, and select New Login. This will bring up the Login – New screen.

Figure 48 – Login – New

4. On the Login – New screen, click Search. This will bring up a Select User or Group box.

5. On the Select User or Group box, enter fabrikam\ADRMSService in the box below Enter the object name to select (examples) and click Check Names. This should resolve with an underline. Click OK.

Figure 49 – Name Resolved

6. On the Login – New screen, click OK. This will close the Login – New screen.

7. Close SQL Server Management Studio.
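Steps 14 to 17 as one script run on SQL2, added here as an example and not part of the Microsoft guide; the comment on Step 14 also records why the key lives under LanmanServer rather than under SQL Server. It assumes the default instance MSSQLSERVER (as in Step 16), sqlcmd.exe on the PATH and the SMO WMI assembly that ships with the SQL Server 2008 management tools; the function names are this example's.

```powershell
# Added example, not part of the Microsoft guide. Run on SQL2.fabrikam.com as
# Administrator. Assumes the default instance (MSSQLSERVER, as in Step 16),
# sqlcmd.exe on the PATH, and the SMO WMI assembly that ships with the SQL
# Server 2008 management tools. Registry key, ports, rule names and the service
# account are the guide's.
$ErrorActionPreference = 'Stop'

# Step 14: DisableStrictNameChecking is read by the Windows file-sharing service
# (LanmanServer), which carries SQL Server named pipes. With it set, the server
# accepts SMB sessions addressed to a name other than its own computer name,
# such as the ADRMS-SQL alias that Step 18 points at this host. It applies to
# every share on the host, not only to SQL Server.
function Set-StrictNameCheckingDisabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-ItemProperty -Path $key -Name 'DisableStrictNameChecking' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    (Get-ItemProperty -Path $key).DisableStrictNameChecking   # expect 1
}

# Step 15: the three inbound rules of Table 8 (netsh rather than the firewall
# cmdlets, which do not exist on Windows Server 2008)
function Add-SqlFirewallRules {
    $rules = @(
        @{ Name = 'SQL Server Named Pipes';     Protocol = 'TCP'; Port = 445  },
        @{ Name = 'SQL Server Listening Port';  Protocol = 'TCP'; Port = 1433 },
        @{ Name = 'SQL Server Browser Service'; Protocol = 'UDP'; Port = 1434 }
    )
    foreach ($r in $rules) {
        & netsh.exe advfirewall firewall add rule name="$($r.Name)" dir=in action=allow `
            protocol=$($r.Protocol) localport=$($r.Port) profile=any
        if ($LASTEXITCODE -ne 0) { throw "netsh failed for rule '$($r.Name)'" }
    }
}

# Step 16: enable Named Pipes and TCP/IP on the instance, then restart it so
# the protocol change takes effect
function Enable-SqlNetworkProtocols {
    [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
    $computer  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
    $protocols = $computer.ServerInstances['MSSQLSERVER'].ServerProtocols
    foreach ($name in 'Np', 'Tcp') {
        $p = $protocols[$name]
        if (-not $p.IsEnabled) { $p.IsEnabled = $true; $p.Alter() }
    }
    Restart-Service -Name 'MSSQLSERVER' -Force
}

# Step 17: instance-level login for the AD RMS service account. A Windows
# login keeps the account's domain SID, so the users already inside the
# restored databases map to it without further changes.
function Add-AdRmsServiceLogin {
    $login = 'fabrikam\ADRMSService'
    $sql = "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login') " +
           "CREATE LOGIN [$login] FROM WINDOWS"
    & sqlcmd.exe -S SQL2 -E -b -Q $sql
    if ($LASTEXITCODE -ne 0) { throw 'CREATE LOGIN failed' }
}

Set-StrictNameCheckingDisabled
Add-SqlFirewallRules
Enable-SqlNetworkProtocols
Add-AdRmsServiceLogin
```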

Step 18 - Change the CNAME Record in DNS

This step explains how to change the CNAME record in DNS.

To change the CNAME Record

1. Log on to DC.fabrikam.com as Administrator.

2. Click Start, point to Administrative Tools, and then click DNS. This will bring up the DNS Manager.

3. From the DNS Manager, on the left, expand DC, expand Forward Lookup Zones, and click fabrikam.com. On the right, right-click the CNAME record ADRMS-SQL and select Properties. This will bring up the ADRMS-SQL Properties.

4. On the ADRMS-SQL Properties, enter sql2.fabrikam.com under Fully qualified domain name (FQDN) for target host: and click OK.

5. Close DNS Manager.

Figure 50 – Change CNAME Record

Step 19 - Restart IIS and AD RMS Logging Service

This step explains how to start Internet Information Services (IIS) and the AD RMS Logging Service.

To start IIS

1. Log on to ADRMS.fabrikam.com as Administrator.

2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.

3. From the Internet Information Services (IIS) Manager, on the left, select ADRMS (FABRIKAM\Administrator). On the right, under Actions, select Start.

4. Close the Internet Information Services (IIS) Manager.

Figure 51 – Restart IIS

To start the AD RMS Logging Service

1. Log on to ADRMS.fabrikam.com as Administrator.

2. Click Start, point to Administrative Tools, and then click Services.

3. On the Services screen, right-click AD RMS Logging Service, and select Start.

4. Close Services.

Figure 52 – Start AD RMS Logging Service
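Steps 18 and 19 as a script with the check a practitioner wants between them, added here as an example and not part of the Microsoft guide: change the alias with dnscmd on the DC, confirm that the alias now resolves to SQL2 and that SQL Server answers through it, and only then start IIS and the logging service. The alias name ADRMS-SQL follows Step 18 (Appendix A creates the same record as RMS-SQL); dnscmd.exe being available on ADRMS and the function names are assumptions.

```powershell
# Added example, not part of the Microsoft guide. Run on ADRMS.fabrikam.com as a
# domain Administrator; dnscmd.exe (installed with the DNS Server tools) is run
# against DC.fabrikam.com. The alias name ADRMS-SQL is the one Step 18 edits
# (Appendix A creates the same record as RMS-SQL); zone, targets and the
# database name are the guide's.
$ErrorActionPreference = 'Stop'
$dnsServer = 'DC.fabrikam.com'
$zone      = 'fabrikam.com'
$alias     = 'ADRMS-SQL'
$newTarget = 'sql2.fabrikam.com'

function Set-SqlAliasTarget {
    # Step 18: a CNAME node carries exactly one record, so the old record is
    # deleted (/f skips the confirmation prompt) before the new target is added
    & dnscmd.exe $dnsServer /RecordDelete $zone $alias CNAME /f
    & dnscmd.exe $dnsServer /RecordAdd    $zone $alias CNAME $newTarget
    if ($LASTEXITCODE -ne 0) { throw "dnscmd could not add $alias -> $newTarget" }
}

function Test-SqlAliasTarget {
    # Clear the local resolver cache so the old target is not answered from
    # cache, check the canonical name, then prove SQL Server answers through
    # the alias (this exercises Steps 14 to 17 on SQL2 at the same time)
    & ipconfig.exe /flushdns | Out-Null
    $entry = [System.Net.Dns]::GetHostEntry("$alias.$zone")
    if ($entry.HostName -ne $newTarget) {
        throw "$alias.$zone resolves to $($entry.HostName), expected $newTarget"
    }
    $connString = "Server=$alias.$zone;Database=DRMS_Config_rms_fabrikam_com_443;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@SERVERNAME'
        $server = $cmd.ExecuteScalar().ToString()
        if ($server -ne 'SQL2') { throw "connected to $server, expected SQL2" }
    } finally { $conn.Close() }
}

function Start-AdRmsAfterRelocation {
    # Step 19: bring IIS and the logging service back only once the alias check
    # has passed, so the cluster never starts against the old database server
    & iisreset.exe /start
    if ($LASTEXITCODE -ne 0) { throw 'iisreset /start failed' }
    Start-Service -DisplayName 'AD RMS Logging Service'
}

Set-SqlAliasTarget
Test-SqlAliasTarget
Start-AdRmsAfterRelocation
```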

Testing the Implementation

The following steps will guide you through testing the AD RMS environment now that the databases have been successfully moved. The following tests will verify that existing users are able to create and consume new rights-protected content and that new users are able to consume existing rights-protected content.

This section is comprised of the following steps:

1. Step 1 – Create an All FTE Rights Protected Word Document

2. Step 2 – Consume AllFTETest Document as Britta Simon

3. Step 3 – Consume AllFTETest Document as Lola Jacobson

4. Step 4 – Consume AllStaffTest Document as Lola Jacobson

Step 1 - Create an All FTE Rights Protected Word Document

This section explains how to create a rights-protected Word document that is only accessible by members of the All FTE group.

To create an All FTE Rights Protected Word Document

1. Log on to CLT.fabrikam.com as Administrator.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Word 2007. This will bring up Word 2007 with a blank document.

3. On the blank document, type the words This is an All FTE test.

4. At the top, click the Office button, select Prepare from the drop-down, select Restrict Permission, and select Restrict Access. This will bring up the Permission window.

5. On the Permission window, place a check in Restrict permission to this document. Next, click Read. This will bring up a Select Names window. Choose All FTE and click OK. This will close the Select Names window.

6. On the Permission window, click OK.

Figure 53 – Permission Window

7. At the top, click the Office button and select Save As from the drop-down.

8. At the top, remove Libraries -> Documents from the location and enter \\ADRMS.fabrikam.com\FabrikamDocuments.

9. Under File Name:, enter AllFTETest.

10. Click Save.

11. Close Word.

Step 2 - Consume AllFTETest Document as Britta Simon

In this step, Britta Simon will consume the AllFTETest document. This will validate that an existing user is able to consume newly created rights-protected content after the database has been successfully moved.

To consume AllFTETest document as Britta Simon

1. Log on to CLT.fabrikam.com as fabrikam\bsimon.

2. Click the Windows button.

3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.

4. Double-click AllFTETest.

5. This will take a moment, then you will see the Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions box. Click OK.

Figure 54 – Permission to this document is currently restricted box

6. Once this completes, you should be able to view AllFTETest.

7. Close Word.

Step 3 - Consume AllFTETest Document as Lola Jacobson

In this step, Lola Jacobson will attempt to consume the AllFTETest document. Lola, remember, is not a member of the All FTE group. Also, Lola has never attempted to create or consume a rights-protected document, so she is new to AD RMS. This step will validate that a new user can successfully enroll and that document restrictions are enforced.

To consume AllFTETest document as Lola Jacobson

1. Log on to CLT.fabrikam.com as fabrikam\ljacobson.

2. Click the Windows button.

3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.

4. Double-click AllFTETest. This will launch the Configuring your computer for Information Rights Management box.

5. This will take a moment, then you will see the Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions box. Click OK.

6. This will bring up a box that says You do not have credentials that allow you to open this document. You can request updated permission from [email protected]. Do you want to request updated permissions? Click No.

Figure 55 – You do not have credentials

7. Close Word.

Step 4 - Consume AllStaffTest Document as Lola Jacobson

In this step, Lola Jacobson will consume the AllStaffTest document. This will validate that a newly enrolled user is able to consume existing rights-protected content after the database has been successfully moved.

To consume AllStaffTest document as Lola Jacobson

1. Log on to CLT.fabrikam.com as fabrikam\ljacobson.

2. Click the Windows button.

3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the FabrikamDocuments share.

4. Double-click AllStaffTest.

5. This will take a moment, then you will see the Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions box. Click OK.

6. Once this completes, you should be able to view AllStaffTest.

7. Close Word.

Appendix A - How to Install AD RMS with a CNAME Record

Installing AD RMS using a CNAME Record

The following Appendix can be used to provide guidance for installing AD RMS using a CNAME record. This appendix is provided for individuals who may not be totally familiar with this process.

The environment

The following three virtual machines are used to complete the steps outlined in this Appendix.

Figure 55 – The testing environment

Table 9 - Virtual Machines and Roles

Computer Name   Forest         Operating System              Memory (MB)   Applications and Services                      IP Address
DC              fabrikam.com   Windows Server 2008 x64 SP2   512           Active Directory, DNS, Certificate Authority   192.168.100.1
ADRMS           fabrikam.com   Windows Server 2008 x64 SP2   1024          AD RMS, IIS 7.0                                192.168.100.2
SQL1            fabrikam.com   Windows Server 2008 x64 SP2   1024          Microsoft SQL Server 2008 SP2                  192.168.100.10

CNAME Records

The following two CNAME records will be created in the steps outlined by this appendix.

Table 10 - CNAME Records

Name      Record Type   FQDN                   Target               Description
RMS       CNAME         RMS.fabrikam.com       adrms.fabrikam.com   Alias record for the ADRMS Server.
RMS-SQL   CNAME         RMS-SQL.fabrikam.com   sql1.fabrikam.com    Alias record for the ADRMS SQL Server.

Additional Information

The following additional information is assumed for completion of the steps outlined in this Appendix.

1. The AD RMS Service account used is fabrikam\ADRMSService. The password for this account is Pass1word$.

2. Prior to installing AD RMS, SQL1 has had the proper network protocols enabled, firewall ports opened, and the DisableStrictNameChecking registry key has been added.

Step 1 - Create CNAME Records

This step explains how to create the CNAME records in DNS.

1. Log on to DC.fabrikam.com as Administrator.

2. Click Start, point to Administrative Tools, and then click DNS. This will bring up the

DNS Manager.

3. From the DNS Manager, on the left, expand DC, expand Forward Lookup Zone, right-

click fabrikam.com and select New Alias (CNAME) from the menu. This will bring up

the New Resource Record dialog box.

Figure 56 – New Alias (CNAME)

To create the RMS CNAME Record

70

Page 71: ADRMS_DB_Relo_SxS

4. On the New Resource Record box, under Alias name (uses parent domain if left blank): enter RMS.

5. On the New Resource Record box, under Fully qualified domain name (FQDN) for target host:, click Browse, double-click DC, double-click Forward Lookup Zones, double-click fabrikam.com and select the ADRMS Host record. Click OK.

Figure 57 – RMS CNAME Record


Page 72: ADRMS_DB_Relo_SxS

6. Click OK.

7. Close DNS Manager.

To create the RMS-SQL CNAME Record

1. Log on to DC.fabrikam.com as Administrator.

2. Click Start, point to Administrative Tools, and then click DNS. This will bring up the DNS Manager.

3. From the DNS Manager, on the left, expand DC, expand Forward Lookup Zones, right-click fabrikam.com and select New Alias (CNAME) from the menu. This will bring up the New Resource Record dialog box.

4. On the New Resource Record box, under Alias name (uses parent domain if left blank): enter RMS-SQL.

5. On the New Resource Record box, under Fully qualified domain name (FQDN) for target host:, click Browse, double-click DC, double-click Forward Lookup Zones, double-click fabrikam.com and select the SQL1 Host record. Click OK.

Page 73: ADRMS_DB_Relo_SxS

Figure 58 – RMS-SQL CNAME Record

6. Click OK.

7. Close DNS Manager.
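The two procedures above create the records through DNS Manager. The script below is an added example, not part of the original guide, that does the same from an elevated PowerShell prompt on DC.fabrikam.com using dnscmd (installed with the DNS Server role on Windows Server 2008) and then verifies that each alias resolves to the same address as its target. The server name DC, the zone fabrikam.com and the alias/target pairs are taken from Table 10; nothing else is assumed.

```powershell
# Added example (not from the guide): scripted equivalent of Step 1, run on DC.fabrikam.com.
$DnsServer = 'DC'
$Zone      = 'fabrikam.com'

# Alias -> target pairs from Table 10. The aliases are what AD RMS is installed
# against in Step 2, so the SQL server can later be moved by retargeting RMS-SQL.
$Aliases = @{
    'RMS'     = 'adrms.fabrikam.com'
    'RMS-SQL' = 'sql1.fabrikam.com'
}

foreach ($alias in $Aliases.Keys) {
    $target = $Aliases[$alias]
    # /RecordAdd <zone> <name> CNAME <target> mirrors the New Alias (CNAME) dialog.
    & dnscmd $DnsServer /RecordAdd $Zone $alias CNAME $target
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed to add $alias -> $target" }
}

# Drop any cached negative answers before checking resolution.
ipconfig /flushdns | Out-Null

# Each alias must resolve to exactly the addresses of its target host record.
foreach ($alias in $Aliases.Keys) {
    $fqdn     = "$alias.$Zone"
    $target   = $Aliases[$alias]
    $aliasIp  = [System.Net.Dns]::GetHostAddresses($fqdn)   | ForEach-Object { $_.IPAddressToString }
    $targetIp = [System.Net.Dns]::GetHostAddresses($target) | ForEach-Object { $_.IPAddressToString }
    if (@(Compare-Object $aliasIp $targetIp).Count -eq 0) {
        Write-Host "$fqdn -> $target ($($aliasIp -join ', '))"
    } else {
        Write-Warning "$fqdn resolves to '$aliasIp' but $target resolves to '$targetIp'"
    }
}
```

Against the Table 9 environment, RMS.fabrikam.com should report 192.168.100.2 and RMS-SQL.fabrikam.com should report 192.168.100.10, matching Figure 59.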


Page 74: ADRMS_DB_Relo_SxS

Figure 59 – DNS Summary

Step 2 - Install AD RMS

This step explains how to install AD RMS using the CNAME records.

To install AD RMS using CNAME Records

1. Log on to ADRMS.fabrikam.com as Administrator.

2. Click Start, point to Administrative Tools, and then click Server Manager. This will bring up the Server Manager.

3. From the Server Manager, on the left, select Roles. This will populate the right pane with a Roles Summary.

Figure 60 – Server Manager


Page 75: ADRMS_DB_Relo_SxS

4. On the right, select Add Roles. This will bring up the Add Roles Wizard.

Figure 61 – Add Roles Wizard


Page 76: ADRMS_DB_Relo_SxS

5. On the Add Roles Wizard, click Next. This will bring up the Server Roles screen.

6. From Server Roles, place a check in Active Directory Rights Management Services. This will bring up a box that says Add role services and features required for Active Directory Rights Management Services? Click Add Required Role Services.

Figure 62 – Select Server Roles


Page 77: ADRMS_DB_Relo_SxS

Figure 63 – Add role services and features

7. Once this is complete, click Next. This will bring up the Active Directory Rights Management Services introductory screen. Click Next. This will bring up the Role Services screen.

Page 78: ADRMS_DB_Relo_SxS

Figure 64 – Active Directory Rights Management Services Introductory Screen

8. On the Role Services screen, leave the defaults and click Next. This will bring up the AD RMS Cluster screen.

Figure 65 – Role Services


Page 79: ADRMS_DB_Relo_SxS

9. On the AD RMS Cluster screen, leave the default of Create a new AD RMS cluster and click Next. Because this is the root cluster, the other option will be greyed out. This will bring up the Configuration Database screen.

Figure 66 – AD RMS Cluster


Page 80: ADRMS_DB_Relo_SxS

10. On the Configuration Database screen, select Use a different database server. Under Server enter RMS-SQL.fabrikam.com and click Get Database Instances. From the drop-down, select Default. Click Validate. If this is successful, there should be no error message. Click Next. This will bring up the Service Account screen.

Figure 67 – Configuration Database


Page 81: ADRMS_DB_Relo_SxS

11. On the Service Account screen, click Specify. This will bring up a Windows Security box. For User name enter ADRMSService and for Password enter Pass1word$. Click OK. On the Service Account screen, click Next. This will bring up the Cluster Key Storage screen.

Figure 68 – Service Account


Page 82: ADRMS_DB_Relo_SxS

12. On the Cluster Key Storage screen, leave the default of Use AD RMS centrally managed key storage and click Next. This will bring up the Cluster Key Password screen.

Figure 69 – Cluster Key Storage


Page 83: ADRMS_DB_Relo_SxS

13. On the Cluster Key Password screen, for Password enter Pass1word$, and for Confirm Password enter Pass1word$. Click Next. This will bring up the Cluster Web Site screen.

Figure 70 – Cluster Key Password


Page 84: ADRMS_DB_Relo_SxS

14. On the Cluster Web Site screen, leave the default of Default Web Site and click Next. This will bring up the Cluster Address screen.

Figure 71 – Cluster Web Site


Page 85: ADRMS_DB_Relo_SxS

15. On the Cluster Address screen, leave the default of Use an SSL-encrypted connection (https://) and under Internal Address enter RMS.fabrikam.com. Leave the default port of 443. Click Validate. If this is successful, https://RMS.fabrikam.com should appear under Preview of cluster address for clients on the network. Click Next. This will bring up the Server Authentication Certificate screen.

Figure 72 – Cluster Address


Page 86: ADRMS_DB_Relo_SxS

16. On the Server Authentication Certificate screen, select Choose a certificate for SSL encryption later. This will bring up the Licensor Certificate Name screen. Once the installation is complete, an SSL certificate can be requested through IIS. For information on how to do this, see Import an SSL Certificate Using Internet Information Services (IIS) Manager (http://go.microsoft.com/fwlink/?LinkID=154912).

Figure 73 – Server Authentication Certificate


Page 87: ADRMS_DB_Relo_SxS

17. On the Licensor Certificate Name screen, leave the default Name of ADRMS and click Next. This will bring up the SCP Registration screen.

Figure 74 – Licensor Certificate Name


Page 88: ADRMS_DB_Relo_SxS

18. On the SCP Registration screen, leave the default of Register the AD RMS service connection point now and click Next. This will bring up the Web Server (IIS) screen.

Figure 75 – SCP Registration


Page 89: ADRMS_DB_Relo_SxS

19. On the Web Server (IIS) screen, click Next. This will bring up the Role Services for IIS screen.

Figure 76 – Web Server (IIS)


Page 90: ADRMS_DB_Relo_SxS

20. On the Role Services for IIS screen, leave the defaults and click Next. This will bring up the Confirmation screen.

Figure 77 – Role Services (IIS)


Page 91: ADRMS_DB_Relo_SxS

21. On the Confirmation screen, click Install. This will bring up the Progress screen.

Figure 78 – Confirmation


Page 92: ADRMS_DB_Relo_SxS

22. Once the Progress screen shows that the installation has completed, click Close.

Figure 79 – Progress


Page 93: ADRMS_DB_Relo_SxS

Warning

Before you administer AD RMS, you will need to log off and then log on again.

Figure 79 - Results


Page 94: ADRMS_DB_Relo_SxS
