Configuring and Using Active Directory Rights Management Services

8/8/2011 5:58:52 PM
AD RMS installations can be complex to prepare, but after you have worked with the proper installation preparation process, your installations will be flawless. After your servers are installed, however, you must complete the configuration of the AD RMS cluster and prepare the usage policies you want to implement in your network. This involves several tasks:
  • If you want to make AD RMS available outside your network, you must add an extranet cluster URL to your configuration.

  • If you want to integrate AD RMS services with partners, you must configure proxy settings and install Identity Federation Support. Remember that you must have a working AD FS implementation to add these components to your infrastructure. You must also configure trust policies for the interoperation of your AD RMS cluster with other clusters.

  • You must configure the AD RMS certificates to ensure that you set up proper validation periods.

  • If your organization has decided that your rights-protection policies will not affect the entire organization and will target only a specific group of users or departments, such as the legal department, you must configure exclusion policies.

  • You must prepare user accounts for integration with AD RMS.

  • You must prepare policy templates for your organization to use. These templates facilitate the rights-protection process for your users.

  • You must be familiar with the various AD RMS clients so that you can support them if your users experience problems.

  • AD RMS relies on three databases for operation. You must be aware of these databases and maintain them for a proper AD RMS operation.


Configuring AD RMS

AD RMS configuration, unlike Windows Rights Management Services, is performed through the MMC. This console is integrated in Server Manager but is also available as a stand-alone console through Remote Server Administration Tools (RSAT). Each of the tasks you need to perform to finalize your configuration is available through this console.


Note:

MORE INFO CONFIGURE AD RMS

For more information on configuring AD RMS, go to http://technet.microsoft.com/en-us/library/cc771603.aspx.


1. Creating an Extranet URL

When you want to extend your AD RMS infrastructure to mobile users or teleworkers outside your internal network, you must configure an extranet URL. Use the following procedure:

  1. Log on to a server that is a member of the root cluster, using AD RMS Enterprise Administrators credentials.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Rights Management Services\servername.

  4. Right-click the server name and click Properties.

  5. On the Cluster URLs tab, enable Extranet URLs and add the appropriate URL data for both Licensing and Certification.

    These URLs must point to a valid IIS installation in the extranet and should be permanent. Proper DNS registration should also be implemented for these URLs. Encrypt the communication with SSL by using HTTPS connections. Finally, remember to create the appropriate virtual directories to host the AD RMS data.

  6. Click OK to close the dialog box and apply the change.

    Your extranet URLs are ready.
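The following script is an added example, not code from the original text: it checks an extranet cluster URL against the requirements just listed (HTTPS, DNS registration, a trusted certificate, and an IIS site that answers). It assumes the cluster exposes the standard /_wmcs/certification and /_wmcs/licensing pipelines, and the host name at the bottom is a placeholder for your registered extranet name.

```powershell
# Added example, not part of the original text: validates an extranet cluster URL.
# Assumptions: the /_wmcs/certification and /_wmcs/licensing pipeline paths, and the
# placeholder host name used at the bottom of the script.
function Test-AdRmsExtranetUrl {
    param([Parameter(Mandatory = $true)][string]$Url)

    $uri = [Uri]$Url
    $result = [ordered]@{
        Url = $Url; Https = $false; DnsOk = $false; TlsOk = $false; HttpStatus = $null; Detail = ''
    }

    # Requirement: extranet traffic must be encrypted, so the scheme must be https.
    $result.Https = ($uri.Scheme -eq 'https')

    # Requirement: the name must resolve in the DNS that extranet clients use.
    try {
        $result.DnsOk = ([System.Net.Dns]::GetHostAddresses($uri.Host).Count -gt 0)
    } catch {
        $result.Detail = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Requirement: the server certificate must chain to a trusted root and match the host.
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($uri.Host)   # throws on an untrusted or mismatched certificate
        $result.TlsOk = $true
        $result.Detail = 'Cert: ' + $ssl.RemoteCertificate.Subject
        $ssl.Dispose()
        $tcp.Close()
    } catch {
        $result.Detail = "TLS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Requirement: an IIS site must answer at the pipeline path. A 401 or 403 still
    # proves that a web server is listening; a connection error does not.
    try {
        $req = [System.Net.HttpWebRequest]::Create($uri)
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $result.HttpStatus = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            $result.HttpStatus = [int]$_.Exception.Response.StatusCode
        } else {
            $result.Detail += "; HTTP: $($_.Exception.Message)"
        }
    }
    return [pscustomobject]$result
}

# Placeholder host name; replace it with the name you registered in external DNS.
$extranetHost = 'rms.example.com'
foreach ($pipeline in 'certification', 'licensing') {
    Test-AdRmsExtranetUrl -Url "https://$extranetHost/_wmcs/$pipeline" | Format-List
}
```

Run it from a computer outside the internal network so that the DNS and TLS checks reflect what extranet users actually see.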

2. Configuring Trust Policies

Although you can’t enable federation support until you have a working AD FS infrastructure in place, you can learn about the models that AD RMS supports to provide federation of your DRM policies. AD RMS can support four trust models:

  • Trusted user domains enable your AD RMS cluster to process requests for other AD RMS clusters located in different AD DS forests. Trusted user domains are added by importing the server licensor certificate from the AD RMS cluster you want to trust into your own cluster.

  • Trusted publishing domains enable your own AD RMS cluster to issue use licenses for content that was protected by another AD RMS cluster. To create a trusted publishing domain, you must import the publishing cluster’s SLC as well as its private key into your own cluster.

  • Windows Live ID trusts allow users who have a valid Windows Live ID (formerly known as Microsoft Passport) to use rights-protected content but not to create it.

  • Federated trusts are established through AD FS and extend the operation of your AD RMS cluster to the forests with which you have established a federated trust.

Each of these trust types extends your AD RMS authority beyond the limits of your own forest.


Note:

MORE INFO CREATE AD RMS TRUSTS

To learn more about working with AD RMS trusts, go to http://technet.microsoft.com/en-us/library/cc754459.aspx.


3. Exporting the Server Licensor Certificate

To work with either trusted publishing domains or trusted user domains, you must export the server licensor certificate (SLC) from your root cluster or from the root cluster to be trusted. The exported certificate is then used to establish the trust. To perform this procedure, you must be a member of the local AD RMS Enterprise Administrators group or its equivalent.

  1. Log on to a server that is a member of the root cluster, using AD RMS Enterprise Administrators credentials.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Rights Management Services\servername.

  4. Right-click the server name and click Properties.

  5. On the Server Certificate Tab, click Export Certificate.

  6. In the Export Server Certificate As dialog box, type a valid name, such as the name of your cluster, and select a proper location (such as your Documents folder) to create the .bin file. Click Save.

  7. Close the Properties dialog box.

    Protect this certificate thoroughly, because it controls access to your AD RMS cluster.

4. Preparing AD RMS Certificates

Certificates are created by default during the installation of AD RMS. However, you must configure appropriate certificate durations based on your rights-protection policies. Certificate administration involves four activities:

  • Specify the duration of rights account certificates.

  • Enable certification for mobile devices.

  • Enable certification of server services.

  • Authenticate clients through smart cards.

Of these, the one you must absolutely set is the validity period of the rights account certificate (RAC). The others are optional operations that depend on your rights-protection policies. To modify the duration of the RAC, use the following procedure:

  1. Log on to a server that is a member of the root cluster, using AD RMS Enterprise Administrators credentials.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Rights Management Services\servername and click Rights Account Certificate Policies.

  4. In the details pane, click the Change Standard RAC Validity Period link.

  5. On the Standard RAC tab, in the Standard RAC Validity Period box, set the number of days to enable the certificate.

  6. On the Temporary RAC tab, in the Temporary RAC Validity Period box, set the number of minutes to enable the certificate.

  7. Click OK to close the dialog box.

Note that standard RACs are valid for 365 days by default, and temporary RACs last only 15 minutes. You might want to extend the duration of a temporary RAC, but be careful about extending the validity of a standard RAC because one year is already a considerable time.

Note that if you are using federated trusts, you will need to modify the RAC validity period under the Federated Identity Support node, not under the Rights Account Certificate Policies.


Note:

MORE INFO MANAGING CERTIFICATES

For more information on working with the other certificate types, go to http://technet.microsoft.com/en-us/library/cc730842.aspx.


5. Preparing Exclusion Policies

When you decide the scope of your rights-protection policy implementation, you can configure exclusion policies, that is, policies that exclude users and computers from participating in your AD RMS implementation. You can create exclusion policies for four entities: users, applications, lockboxes, and Windows operating systems. When you do so, the list of the specified exclusion members is included in the use license for the content. You can remove an excluded entity from an exclusion list, but remember that if you remove the entity from the list, it will no longer be added to new use licenses. Existing content, however, will already contain it, because use licenses are issued only once by default. Because of this, follow these recommendations when preparing exclusion lists:

  • Assign only exclusions that will be as permanent as possible.

  • If you change your mind, wait until existing use licenses have expired before removing entities from an exclusion list.

  • Rely on exclusion lists if the credentials of one of the supported entities, such as a user, have been compromised and your rights-protected content is at risk.

When you have decided to create an exclusion list, use the following procedure. In this case, you exclude users from AD RMS.

  1. Log on to a server that is a member of the root cluster, using AD RMS Enterprise Administrators credentials.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Rights Management Services\servername\Exclusion Policies and click Users.

  4. In the Actions pane, click the Enable User Exclusion link. This enables exclusion.

  5. To exclude users, click the Exclude User link in the Actions pane. This launches the Exclude User Account Wizard.

    You can exclude a user either through the email address or through the public key assigned to the user. The first is for users included in your AD DS directory, and the second is for external users who might not have an account in your AD DS directory. If you exclude users in your AD DS directory, make sure you exclude a group so that it is easier to manage as time goes on.

  6. Select the appropriate exclusion method and either locate the user account or type in the public key string, and then click Next.

  7. Click Finish to close the wizard.


Note:

MORE INFO EXCLUSION POLICIES

To learn more about exclusion policies, go to http://technet.microsoft.com/en-us/library/cc771228.aspx.


6. Preparing Accounts and Access Rights

To ensure that your users can work with AD RMS, you must prepare their accounts. When you do so, AD RMS includes the account within its own database. However, when you remove an account, AD RMS disables the account but does not automatically remove it from its database. Because of this, the database can become large and contain obsolete data. To protect against this, either create a stored procedure in SQL Server that automatically removes the account when you delete it or create a script that does this on a scheduled basis.

In addition, you might need to create a special Super Users group that contains operators who have full access to all the content protected by your AD RMS implementation. Members of this Super Users group are much like the recovery agents you would use for the Encrypting File System (EFS). These users can recover or modify any data that is managed by your AD RMS infrastructure and can, therefore, recover data from users who have left the organization. You should usually assign a Universal Group from your directory to this role. Prepare the Universal Group before enabling Super Users in AD RMS. To configure a Super Users group to work with AD RMS, use the following procedure:

  1. Log on to a server that is a member of the root cluster, using AD RMS Enterprise Administrators credentials.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Rights Management Services\servername and click Security Policies.

  4. Click the Change Super Users Settings link in the details pane.

  5. In the Actions pane, click the Enable Super Users link.

  6. Click the Change Super User Group link in the details pane to view the Super User Group property sheet.

  7. Type the email address of a mail-enabled universal distribution group from your forest or use the Browse button to locate it.

  8. Click OK to close the property sheet.

Members of this group will now have access to all AD RMS content. Select these members very carefully and ensure that they are completely trustworthy. In fact, for security purposes you might prefer to keep the Super Users group disabled and enable it only when you need it.
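As an added example that is not part of the original text, the script below audits the RAC validity periods described in the certificate section and the Super Users settings described here through the AD RMS Windows PowerShell provider (AdRmsAdmin), and wraps recovery work so that Super Users is re-disabled afterwards. It assumes the AdRmsAdmin module is present on the cluster server, that the property names StandardRacValidityPeriod, TemporaryRacValidityPeriod, IsEnabled and SuperUserGroup match the provider, and that the cluster URL is a placeholder.

```powershell
# Added example, not from the original text. Assumptions: the AdRmsAdmin provider is
# available, the property names below match it, and the cluster URL is a placeholder.
Import-Module AdRmsAdmin
New-PSDrive -Name AdRms -PSProvider AdRmsAdmin -Root 'https://rms.example.com' | Out-Null

function Get-AdRmsPolicyFindings {
    param(
        [int]$MaxStandardRacDays = 365,     # one year is already a considerable time
        [int]$MaxTemporaryRacMinutes = 60   # constructed threshold; the default is 15 minutes
    )
    $findings = @()

    # Rights Account Certificate Policies: the same values as the console tabs.
    $rac = Get-ItemProperty -Path 'AdRms:\RightsAccountCertificatePolicy'
    if ([int]$rac.StandardRacValidityPeriod -gt $MaxStandardRacDays) {
        $findings += "Standard RAC validity is $($rac.StandardRacValidityPeriod) days (limit $MaxStandardRacDays)"
    }
    if ([int]$rac.TemporaryRacValidityPeriod -gt $MaxTemporaryRacMinutes) {
        $findings += "Temporary RAC validity is $($rac.TemporaryRacValidityPeriod) minutes (limit $MaxTemporaryRacMinutes)"
    }

    # Security Policies: Super Users should stay disabled until it is actually needed.
    $su = Get-ItemProperty -Path 'AdRms:\SecurityPolicy\SuperUser'
    if ($su.IsEnabled) {
        $findings += "Super Users is ENABLED for group '$($su.SuperUserGroup)'; disable it when not in use"
    }
    if (-not $su.SuperUserGroup) {
        $findings += 'No Super Users group is configured; prepare a universal group before enabling the feature'
    }
    return $findings
}

function Invoke-AdRmsRecoveryWithSuperUsers {
    # Enables Super Users only for the duration of the supplied script block.
    param([Parameter(Mandatory = $true)][scriptblock]$RecoveryWork)
    $path = 'AdRms:\SecurityPolicy\SuperUser'
    $previous = (Get-ItemProperty -Path $path).IsEnabled
    try {
        Set-ItemProperty -Path $path -Name IsEnabled -Value $true
        & $RecoveryWork
    } finally {
        # Restore the previous state even if the recovery work throws.
        Set-ItemProperty -Path $path -Name IsEnabled -Value $previous
    }
}

Get-AdRmsPolicyFindings | ForEach-Object { Write-Warning $_ }
```

Schedule the audit to run regularly and route its warnings to the same place as your other security event review; the recovery wrapper keeps the window in which Super Users is enabled as short as the work itself.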


Note:

MORE INFO ACCOUNT PREPARATION

To learn more about account preparation, go to http://technet.microsoft.com/en-us/library/cc754120.aspx.


7. Preparing Policy Templates

To facilitate the rights-protection application by your users, prepare policy templates. These templates will save considerable time for your users and ensure that you maintain the standards you set in your rights-protection policies. You must perform several activities with policy templates. First, you must create the template. Next, you must specify a location for the template.

Locations are usually shared folders contained within your network. However, for users to rely on the template to create content, they must have access to it. Offline users will not have access to the templates unless you configure the offline folder settings for the shared folder so that the content of the folder will automatically be available locally to the user. In addition, relying on offline folders will ensure that when you modify, add, or update templates, they will automatically be updated on the client computer the next time the user connects to the network. Offline folders, however, will not work for external users who do not have access to your internal network. You will have to consider an alternate delivery method if you choose to allow external users to create content. Users who have access only to pre-created content do not require access to the policy templates. To create a policy template, use the following procedure:

  1. Log on to a server that is a member of the root cluster, using AD RMS Template Administrators credentials.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Rights Management Services\servername and click Rights Policy Templates.

  4. In the Actions pane, click the Create Distributed Rights Policy Template link. This launches the wizard.

  5. On the Add Template Identification Information page, click Add.

  6. Specify the language, type the name and description for the new template, click Add, and then click Next.

  7. On the Add User Rights page, you must perform several activities:

    1. Click Add to select the user or group that will have access to the template.

      Selecting Anyone allows any user to request a use license for the content. If you want to select a specific group, use the Browse button.

      Click OK when done.

    2. Under Users And Rights, you must first select the user and then assign the rights to that particular user or group in the Rights For user area. You can also create a custom right for the user.

    3. Note that the Grant Owner (Author) Full Control Right With No Expiration check box is selected by default.

    4. In the Rights Request URL, type the appropriate URL. This gives users the ability to request additional rights by going to the URL.

  8. Click Next.

  9. On the Specify Expiration Policy page, select one of the three available options and type a value in days. If you need to ensure that content expires automatically after a number of days, select Expires After The Following Duration (Days) and type the number of days. Click Next.

  10. On the Specify Extended Policy page, you can assign the following settings:

    • Choose Enable Users To View Protected Content Using A Browser Add-On. This allows users who do not have AD RMS–enabled applications to view protected content by automatically installing the required add-on.

    • Select Require A New Use License Every Time Content Is Consumed (Disable Client-Side Caching) if you need authentication against the AD RMS servers each time content is consumed. Note that this will not work for offline users.

    • Select If You Would Like To Specify Additional Information For Your AD RMS-Enabled Applications, You Can Specify Them Here As Name-Value Pairs if you need to add specific data to the protected content. This option is usually reserved for developers, however.

  11. Click Next. On the Specify Revocation Policy page, you can enable revocation by selecting the Require Revocation check box and then completing the following settings:

    1. In the URL Of The Location Where The Revocation List Is Published area, select http:// or https:// and type the revocation URL.

      If you have both internal and external users, the URL should be accessible from both network locations.

    2. In the Refresh Interval For Revocation List (Days) box, type the number of days the revocation list will be maintained.

      This determines when users must update their revocation list when viewing content.

    3. In the File Containing Public Key Corresponding To The Signed Revocation List box, specify a file.

  12. Click Finish.

Note that when you implement revocation, you must be careful with its settings. To make revocation practical, you must publish the revocation list on a regular basis.


Note:

MORE INFO POLICY TEMPLATES

To learn more about policy templates, go to http://technet.microsoft.com/en-us/library/cc731599.aspx.


8. Working with AD RMS Clients

AD RMS relies on a local client to give users access to its capabilities. Two clients exist: the built-in client included in Windows 7, Windows Vista, and Windows Server 2008 R2, and a client that runs on Windows 2000, Windows 2003, and Windows XP. The latter must be downloaded and installed on each client computer. Three versions of this client exist, x86, x64, and Itanium, to support all Windows platforms.

Clients automatically discover the AD RMS cluster through one of three methods:

  • They can rely on the AD DS Service Connection Point created during the AD RMS installation.

  • In complex, multiforest AD RMS deployments, they must rely on registry overrides, which are placed directly on the client computer. This is especially true for earlier versions of Windows operating systems.

  • They can rely on the URLs included in the issuance licenses for the content.

Each of these methods provides redundancy to ensure that clients can always access content.
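The script below is an added example, not part of the original text: run on a client computer, it shows which cluster the first two discovery methods above would select and warns when a local registry override points somewhere other than the cluster published in AD DS. It assumes the override keys live under HKLM\SOFTWARE\Microsoft\MSDRM\ServiceLocation (Activation and EnterprisePublishing, default value holding the URL), that the SCP is CN=SCP,CN=RightsManagementServices,CN=Services in the configuration partition, and that the computer is domain-joined; the third method, the URLs carried inside each issuance license, is per document and is not checked here.

```powershell
# Added example, not from the original text. Assumptions: the registry override
# location, the SCP distinguished name, and a domain-joined client computer.
function Get-AdRmsDiscoverySources {
    $sources = @()

    # Registry overrides are consulted before the SCP.
    $base = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation'
    foreach ($key in 'Activation', 'EnterprisePublishing') {
        $path = Join-Path $base $key
        if (Test-Path $path) {
            $url = (Get-ItemProperty -Path $path).'(default)'
            $sources += [pscustomobject]@{ Source = "Registry override ($key)"; Url = $url }
        }
    }

    # The Service Connection Point written to AD DS when the root cluster was installed.
    try {
        $rootDse = [ADSI]'LDAP://RootDSE'
        $configNc = [string]$rootDse.configurationNamingContext
        $scp = [ADSI]("LDAP://CN=SCP,CN=RightsManagementServices,CN=Services," + $configNc)
        foreach ($binding in $scp.serviceBindingInformation) {
            $sources += [pscustomobject]@{ Source = 'AD DS SCP'; Url = [string]$binding }
        }
    } catch {
        $sources += [pscustomobject]@{ Source = 'AD DS SCP'; Url = $null }
    }
    return $sources
}

function Test-AdRmsDiscoveryConsistency {
    $sources = Get-AdRmsDiscoverySources
    $scpHosts = @($sources | Where-Object { $_.Source -eq 'AD DS SCP' -and $_.Url } |
                 ForEach-Object { ([Uri]$_.Url).Host })
    if ($scpHosts.Count -eq 0) {
        Write-Warning 'No AD RMS SCP found in AD DS; clients depend on overrides or license URLs'
    }

    # An override that names a different host redirects activation away from your cluster.
    foreach ($o in ($sources | Where-Object { $_.Source -like 'Registry*' -and $_.Url })) {
        $overrideHost = ([Uri]$o.Url).Host
        if ($scpHosts -notcontains $overrideHost) {
            Write-Warning "$($o.Source) points at $overrideHost, which is not the SCP cluster ($($scpHosts -join ', '))"
        }
    }
    return $sources
}

Test-AdRmsDiscoveryConsistency | Format-Table -AutoSize
```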


Note:

MORE INFO AD RMS AND WINDOWS RMS CLIENTS

To learn more about AD RMS clients and obtain the Windows RMS clients, go to http://technet.microsoft.com/en-us/library/dd772753(WS.10).aspx.



9. Managing Databases

AD RMS relies on three databases to operate. Familiarize yourself with these databases and their operation to ensure the proper functioning of your AD RMS cluster. These databases include:

  • The configuration database, which is used to store all AD RMS configuration data. This database is accessed by AD RMS servers to provide rights-protection services and information to clients.

  • The logging database, which stores data about every activity in either a root or a licensing-only cluster. This database is useful for auditing AD RMS events.

  • The directory services database, which stores information about users and all their corresponding data. This information is accessed from AD DS directories through the Lightweight Directory Access Protocol (LDAP). This database requires regular maintenance if you remove users from AD RMS, as mentioned earlier in this lesson.

In addition to these databases, AD RMS relies on the Message Queuing service to send events to the logging database. If you are concerned about auditing AD RMS usage (and you should be), perform regular checks and verifications of this service to ensure its proper operation.

In addition to the different functionalities available within the AD RMS console, Microsoft provides a special RMS toolkit that contains a series of utilities for AD RMS administration and operation. Download this toolkit and add it to your AD RMS administration kit to control your deployment fully.


Note:

MORE INFO RIGHTS MANAGEMENT SERVICES ADMINISTRATION TOOLKIT

To download the RMS toolkit with utilities for RMS management, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=bae62cfc-d5a7-46d2-9063-0f6885c26b98&DisplayLang=en.



Note:

MORE INFO ADDITIONAL AD RMS RESOURCES

To access additional AD RMS resources, go to http://technet.microsoft.com/en-us/library/cc771334.aspx.

