AD RMS installations can be complex to prepare, but
after you have worked with the proper installation preparation process,
your installations will be flawless. After your servers are installed,
however, you must complete the configuration of the AD RMS cluster and
prepare the usage policies you want to implement in your network. This
involves several tasks:
If you want to make AD RMS available outside your network, you must add an extranet cluster URL to your configuration.
If you want to integrate AD RMS services with partners, you must configure proxy settings and install Identity Federation Support. Remember that you must have a working AD FS implementation to add these components to your infrastructure. You must also configure trust policies for the interoperation of your AD RMS cluster with other clusters.
You must configure the AD RMS certificates to ensure that you set up proper validation periods.
If your organization has decided that your rights-protection policies will not affect the entire organization and will target only a specific group of users or departments, such as the legal department, you must configure exclusion policies.
You must prepare user accounts for integration with AD RMS.
You must prepare policy templates for your organization to use. These templates facilitate the rights-protection process for your users.
You must be familiar with the various AD RMS clients so that you can support them if your users experience problems.
AD RMS relies on three databases for operation. You must be aware of these databases and maintain them for a proper AD RMS operation.
Configuring AD RMS
AD RMS configuration, unlike Windows
Rights Management Services, is performed through the MMC. This console
is integrated in Server Manager but is also available as a stand-alone
console through Remote Server Administration Tools (RSAT). Each of the
tasks you need to perform to finalize your configuration is available
through this console.
Note:
MORE INFO CONFIGURE AD RMS
For more information on configuring AD RMS, go to http://technet.microsoft.com/en-us/library/cc771603.aspx.
1. Creating an Extranet URL
When you want to extend your
AD RMS infrastructure to mobile users or teleworkers outside your
internal network, you must configure an extranet URL. Use the following
procedure:
Log on to a server that is a member of the root cluster, using AD RMS Enterprise Administrators credentials.
Launch Server Manager from the Administrative Tools program group.
Expand Roles\Active Directory Rights Management Services\servername.
Right-click the server name and click Properties.
On the Cluster URLs tab, enable Extranet URLs and add the appropriate URL data for both Licensing and Certification.
These URLs must point to a valid IIS installation in the extranet and should be permanent. Register these URLs properly in DNS as well. Use SSL encryption for the communication, that is, HTTPS connections. Finally, remember to create the appropriate virtual directories to host the AD RMS data.
Click OK to close the dialog box and apply the change.
Your extranet URLs are ready.
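The following PowerShell script is an added check, not part of the training kit, that verifies the three requirements the procedure states for extranet URLs: the name resolves in DNS, the scheme is HTTPS (with a certificate the checking machine trusts), and the virtual directory behind the URL answers. The host names are constructed placeholders; the pipeline paths under _wmcs are the standard AD RMS licensing and certification virtual directories, which this page refers to only as "the appropriate virtual directories", so treat them as an assumption to confirm against your own IIS configuration.

```powershell
# Added example (not from the training kit): check the extranet Licensing and
# Certification URLs entered on the Cluster URLs tab from outside the network.
$ExtranetUrls = @{
    Licensing     = 'https://rms.example.com'   # constructed placeholder
    Certification = 'https://rms.example.com'   # constructed placeholder
}
# Standard AD RMS pipeline virtual directories (assumed, not named on this page).
$PipelinePaths = @{
    Licensing     = '/_wmcs/licensing/license.asmx'
    Certification = '/_wmcs/certification/certification.asmx'
}

function Test-AdRmsExtranetUrl {
    param(
        [Parameter(Mandatory=$true)][string]$Role,   # 'Licensing' or 'Certification'
        [Parameter(Mandatory=$true)][string]$Url
    )
    $uri = [Uri]$Url
    $dns = $false; $reachable = $false; $detail = ''

    # 1. Licenses and certificates must not travel in the clear: require https.
    $https = ($uri.Scheme -eq 'https')
    if (-not $https) { $detail = 'Scheme is not https; ' }

    # 2. The name must be registered in the DNS the external client uses.
    try {
        $dns = ([System.Net.Dns]::GetHostAddresses($uri.DnsSafeHost).Count -gt 0)
    } catch {
        $detail += "DNS lookup failed: $($_.Exception.Message)"
    }

    # 3. The pipeline virtual directory must answer. WebRequest validates the
    #    server certificate, so an untrusted certificate shows up here as a
    #    failure. A 401/403 still proves the directory exists; only 404 and
    #    connection/TLS errors are reported as unreachable.
    if ($dns) {
        $endpoint = $uri.GetLeftPart([UriPartial]::Authority) + $PipelinePaths[$Role]
        try {
            $request = [System.Net.WebRequest]::Create($endpoint)
            $request.Timeout = 10000
            $response = $request.GetResponse()
            $reachable = $true
            $detail += "HTTP $([int]$response.StatusCode) from $endpoint"
            $response.Close()
        } catch [System.Net.WebException] {
            $webResponse = $_.Exception.Response
            if ($webResponse -and [int]$webResponse.StatusCode -ne 404) {
                $reachable = $true
                $detail += "HTTP $([int]$webResponse.StatusCode) from $endpoint (authentication required)"
            } else {
                $detail += "Endpoint not reachable: $($_.Exception.Message)"
            }
        }
    }

    New-Object PSObject -Property @{
        Role = $Role; Url = $Url; Https = $https; Dns = $dns
        Reachable = $reachable; Detail = $detail
    }
}

$ExtranetUrls.Keys |
    ForEach-Object { Test-AdRmsExtranetUrl -Role $_ -Url $ExtranetUrls[$_] } |
    Format-Table Role, Url, Https, Dns, Reachable, Detail -AutoSize
```

Run it from a machine outside the internal network, because an internal run will pass DNS and certificate checks that an external client may fail. A row with Reachable set to false and a "trust relationship" message in Detail means the IIS certificate chain is not trusted by the client, which clients will refuse just as this script does.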
2. Configuring Trust Policies
Although you can’t enable
federation support until you have a working AD FS infrastructure in
place, you can learn about the models that AD RMS supports to provide
federation of your DRM policies. AD RMS can support four trust models:
Trusted user domains enable your AD RMS cluster to process requests for other AD RMS clusters located in different AD DS forests. Trusted user domains are added by importing the server licensor certificate from the AD RMS cluster you want to trust into your own cluster.
Trusted publishing domains enable your own AD RMS cluster to issue use licenses for content that was protected by another AD RMS cluster. To create a trusted publishing domain, you must import the publishing cluster’s SLC as well as its private key into your own cluster.
Windows Live ID trusts allow users who have a valid Windows Live ID (formerly known as Microsoft Passport) to use rights-protected content but not to create it.
Federated trusts are established through AD FS and extend the operation of your AD RMS cluster to the forests with which you have established a federated trust.
Each of these trust types extends your AD RMS authority beyond the limits of your own forest.
Note:
MORE INFO CREATE AD RMS TRUSTS
To learn more about working with AD RMS trusts, go to http://technet.microsoft.com/en-us/library/cc754459.aspx.
3. Exporting the Server Licensor Certificate
To work with either trusted publishing domains or trusted user domains, you must export the server licensor certificate from your root cluster or from the root cluster to be trusted. Certificates
are exported to be used in establishing trusts. To perform this
procedure, you must be a member of the local AD RMS Enterprise
Administrators or its equivalent.
Log on to a server that is a member of the root cluster, using AD RMS Enterprise Administrators credentials.
Launch Server Manager from the Administrative Tools program group.
Expand Roles\Active Directory Rights Management Services\servername.
Right-click the server name and click Properties.
On the Server Certificate Tab, click Export Certificate.
In the Export Server Certificate As dialog box, type a valid name, such as the name of your cluster, and select a proper location (such as your Documents folder) to create the .bin file. Click Save.
Close the Properties dialog box.
Protect this certificate thoroughly, because it controls access to your AD RMS cluster.
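As an added example, not part of the training kit, the script below shows one way to act on the instruction to protect the exported certificate: it replaces the inherited permissions on the .bin file with an explicit list (SYSTEM and local Administrators only) and records the file's SHA-256 hash, so the cluster that will import it can confirm out of band that it received the file you exported. The file path is a constructed placeholder.

```powershell
# Added example (not from the training kit): lock down the exported server
# licensor certificate file and fingerprint it for the change record.
$SlcPath = 'C:\Users\rmsadmin\Documents\contoso-rms-slc.bin'   # constructed placeholder

function Protect-ExportedSlc {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path $Path)) { throw "Exported certificate not found: $Path" }

    # Stop inheriting the Documents folder ACL and discard the inherited rules,
    # then grant only SYSTEM and the local Administrators group.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # SHA-256 of the file, to be compared by whoever imports it into the
    # trusting cluster.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hashBytes = $sha256.ComputeHash($stream) } finally { $stream.Close() }
    $hash = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join ''

    # Re-read the ACL so the report shows what is actually applied on disk.
    $applied = Get-Acl -Path $Path
    New-Object PSObject -Property @{
        Path   = $Path
        Sha256 = $hash
        Access = ($applied.Access | ForEach-Object {
                     "$($_.IdentityReference):$($_.FileSystemRights)" }) -join ', '
    }
}

Protect-ExportedSlc -Path $SlcPath | Format-List
```

Keep the hash with the trust configuration record. When the partner cluster reports a different hash for the file they imported, the trust was built from something other than your export and should be re-established.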
4. Preparing AD RMS Certificates
Certificates are created by
default during the installation of AD RMS. However, you must configure
appropriate certificate duration based on your rights-protection
policies. Four activities can be performed in terms of certificate
administration:
Specify the duration of rights account certificates.
Enable certification for mobile devices.
Enable certification of server services.
Authenticate clients through smart cards.
Of these, the one you must
absolutely set is the validation period for the RAC. Others are optional
operations that depend on your rights-protection policies. To modify
the duration of the RAC, use the following procedure:
Log on to a server that is a member of the root cluster, using AD RMS Enterprise Administrators credentials.
Launch Server Manager from the Administrative Tools program group.
Expand Roles\Active Directory Rights Management Services\servername and click Rights Account Certificate Policies.
In the details pane, click the Change Standard RAC Validity Period link.
On the Standard RAC tab, in the Standard RAC Validity Period box, set the number of days for which the certificate remains valid.
On the Temporary RAC tab, in the Temporary RAC Validity Period box, set the number of minutes for which the certificate remains valid.
Click OK to close the dialog box.
Note that standard RACs are
valid for 365 days by default, and temporary RACs last only 15 minutes.
You might want to extend the duration of a temporary RAC, but be careful
about extending the validity of a standard RAC because one year is
already a considerable time.
Note that if you are using
federated trusts, you will need to modify the RAC validity period under
the Federated Identity Support node, not under the Rights Account
Certificate Policies.
Note:
MORE INFO MANAGING CERTIFICATES
For more information on working with the other certificate types, go to http://technet.microsoft.com/en-us/library/cc730842.aspx.
5. Preparing Exclusion Policies
When you decide the scope
of your rights-protection policy implementation, you can configure
exclusion policies, or policies that exclude users and computers from
participating in your AD
RMS implementation. You can create exclusion policies for four
entities: users, applications, lockboxes, and Windows operating systems.
When you do so, the list of the specified exclusion members is included
in the use license for the content. You can remove an excluded entity
from an exclusion list, but remember that if you remove the entity from
the list, it will no longer be added to the use licenses. Existing
content, however, will already contain it because use licenses are
issued only once, by default. Because of this, follow these
recommendations when preparing exclusion lists:
Assign only exclusions that will be as permanent as possible.
If you change your mind, wait until existing use licenses have expired before removing entities from an exclusion list.
Rely on exclusion lists if the credentials of one of the supported entities, such as a user, have been compromised and your rights-protected content is at risk.
When you have decided to create an exclusion list, use the following procedure. In this case, you exclude users from AD RMS.
Log on to a server that is a member of the root cluster, using AD RMS Enterprise Administrators credentials.
Launch Server Manager from the Administrative Tools program group.
Expand Roles\Active Directory Rights Management Services\servername\Exclusion Policies and click Users.
In the Actions pane, click the Enable User Exclusion link. This enables exclusion.
To exclude users, click the Exclude User link in the Actions pane. This launches the Exclude User Account Wizard.
You can exclude a user either through the email address or through the public key assigned to the user. The first is for users included in your AD DS directory, and the second is for external users who might not have an account in your AD DS directory. If you exclude users in your AD DS directory, make sure you exclude a group so that it is easier to manage as time goes on.
Select the appropriate exclusion method and either locate the user account or type in the public key string, and then click Next.
Click Finish to close the wizard.
Note:
MORE INFO EXCLUSION POLICIES
To learn more about exclusion policies, go to http://technet.microsoft.com/en-us/library/cc771228.aspx.
6. Preparing Accounts and Access Rights
To ensure that your users
can work with AD RMS, you must prepare their accounts. When you do so,
AD RMS includes the account within its own database. However, when you
remove an account, AD RMS disables the account but does not
automatically remove it from its database. Because of this, the database
can become large and contain obsolete data. To protect against this,
either create a stored procedure in SQL Server that automatically
removes the account when you delete it or create a script that does this
on a scheduled basis.
In addition, you might need to create a special Super
Users group that contains operators who have full access to all the
content protected by your AD RMS implementation. Members of this Super
Users group are much like the recovery agents you would use for the
Encrypting File System (EFS). These users can recover or modify any data
that is managed by your AD RMS infrastructure and can, therefore,
recover data from users who have left the organization. You should
usually assign a Universal
Group from your directory to this role. Prepare the Universal Group
before enabling Super Users in AD RMS. To configure a Super Users group
to work with AD RMS, use the following procedure:
Log on to a server that is a member of the root cluster, using AD RMS Enterprise Administrators credentials.
Launch Server Manager from the Administrative Tools program group.
Expand Roles\Active Directory Rights Management Services\servername and click Security Policies.
Click the Change Super Users Settings link in the details pane.
In the Actions pane, click the Enable Super Users link.
Click the Change Super User Group link in the details pane to view the Super User Group property sheet.
Type the email address of a mail-enabled universal distribution group from your forest or use the Browse button to locate it.
Click OK to close the property sheet.
Members of this group will now have access to all AD
RMS content. Select these members very carefully and ensure that they
are completely trustworthy. In fact, for security purposes you might
prefer to keep the Super Users group disabled and enable it only when you need it.
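The following script is an added example, not part of the training kit, that supports the two points made here: it checks that the group you intend to use meets the stated requirements (mail-enabled, universal, distribution group) and lists its members for review, and it wraps the enable/disable toggle so that Super Users can be switched on for a recovery task and off again afterwards. It assumes the ActiveDirectory module from RSAT and the ADRMSAdmin PowerShell module on the AD RMS server; the AdrmsCluster:\SecurityPolicy\SuperUser path and its IsEnabled and SuperUserGroup properties are the ones documented for the Windows Server 2008 R2 provider and are an assumption here, not something this page states. The group address is a constructed placeholder.

```powershell
# Added example (not from the training kit): validate the Super Users group
# and toggle the Super Users setting only when it is needed.
Import-Module ActiveDirectory

$SuperUserMail = 'adrms-superusers@example.com'   # constructed placeholder

function Test-AdRmsSuperUserGroup {
    param([Parameter(Mandatory=$true)][string]$Mail)

    # AD RMS identifies the group by e-mail address, so look it up by the mail attribute.
    $group = Get-ADGroup -LDAPFilter "(mail=$Mail)" -Properties mail, GroupScope, GroupCategory
    if (-not $group) { throw "No group with mail address $Mail found" }

    $problems = @()
    if ($group.GroupScope -ne 'Universal')       { $problems += 'Scope is not Universal' }
    if ($group.GroupCategory -ne 'Distribution') { $problems += 'Not a distribution group' }
    if (-not $group.mail)                         { $problems += 'Group is not mail-enabled' }

    # Every member (including nested members) can open all protected content.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName

    New-Object PSObject -Property @{
        Group    = $group.Name
        Mail     = $group.mail
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
        Members  = ($members -join ', ')
    }
}

function Set-AdRmsSuperUsers {
    param(
        [Parameter(Mandatory=$true)][bool]$Enabled,
        [string]$Mail
    )
    # ADRMSAdmin provider path and property names: assumed from the 2008 R2
    # documentation; the console steps above change the same settings.
    Import-Module ADRMSAdmin
    if (-not (Get-PSDrive -Name AdrmsCluster -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name AdrmsCluster -PSProvider AdRmsAdmin -Root https://localhost | Out-Null
    }
    if ($Mail) {
        Set-ItemProperty -Path AdrmsCluster:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value $Mail
    }
    Set-ItemProperty -Path AdrmsCluster:\SecurityPolicy\SuperUser -Name IsEnabled -Value $Enabled
    Get-ItemProperty -Path AdrmsCluster:\SecurityPolicy\SuperUser
}

Test-AdRmsSuperUserGroup -Mail $SuperUserMail | Format-List

# Typical use: enable for the duration of a recovery task, then disable again.
# Set-AdRmsSuperUsers -Enabled $true -Mail $SuperUserMail
# Set-AdRmsSuperUsers -Enabled $false
```

Run the membership report on a schedule and compare it with the previous run; a new name in the Members list is a change in who can read every piece of protected content in the organization and should be traceable to an approved request.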
Note:
MORE INFO ACCOUNT PREPARATION
To learn more about account preparation, go to http://technet.microsoft.com/en-us/library/cc754120.aspx.
7. Preparing Policy Templates
To facilitate the
rights-protection application by your users, prepare policy templates.
These templates will save considerable time for your users and ensure
that you maintain the standards you set in your rights-protection
policies. You must perform several activities with policy templates.
First, you must create the template. Next, you must specify a location
for the template.
Locations are usually
shared folders contained within your network. However, for users to rely
on the template to create content, they must have access to it. Offline
users will not have access to the templates unless you configure the
offline folder settings for the shared folder so that the content of the
folder will automatically be available locally to the user. In
addition, relying on offline folders will ensure that when you modify,
add, or update templates, they will automatically be updated on the
client computer the next time the user connects to the network. Offline
folders, however, will not work for external users who do not have
access to your internal network. You will have to consider an alternate
delivery method if you choose to allow external users to create content.
Users who have access only to pre-created content do not require access
to the policy templates. To create a policy template, use the following
procedure:
Log on to a server that is a member of the root cluster, using AD RMS Template Administrators credentials.
Launch Server Manager from the Administrative Tools program group.
Expand Roles\Active Directory Rights Management Services\servername and click Rights Policy Templates.
In the Actions pane, click the Create Distributed Rights Policy Template link. This launches the wizard.
On the Add Template Identification Information page, click Add.
Specify the language, type the name and description for the new template, click Add, and then click Next.
On the Add User Rights page, you must perform several activities:
Click Add to select the user or group that will have access to the template.
Selecting Anyone allows any user to request a use license for the content. If you want to select a specific group, use the Browse button.
Click OK when done.
Under Users And Rights, you must first select the user and then assign the rights to that particular user or group in the Rights For user area. You can also create a custom right for the user.
Note that the Grant Owner (Author) Full Control Right With No Expiration check box is selected by default.
In the Rights Request URL, type the appropriate URL. This gives users the ability to request additional rights by going to the URL.
On the Specify Expiration Policy page, select one of the three available options and type a value in days. If you need to ensure that content expires automatically after a number of days, select Expires After The Following Duration (Days) and type the number of days. Click Next.
On the Specify Extended Policy page, you can assign the following settings:
Choose Enable Users To View Protected Content Using A Browser Add-On. This allows users who do not have AD RMS–enabled applications to view protected content by automatically installing the required add-on.
Select Require A New Use License Every Time Content Is Consumed (Disable Client-Side Caching) if you need authentication against the AD RMS servers each time content is consumed. Note that this will not work for offline users.
Select If You Would Like To Specify Additional Information For Your AD RMS-Enabled Applications, You Can Specify Them Here As Name-Value Pairs if you need to add specific data to the protected content. This option is usually reserved for developers, however.
Click Next. On the Specify Revocation Policy page, you can enable revocation by selecting the Require Revocation check box and then:
In the URL Of The Location Where The Revocation List Is Published area, specifying http:// or https:// and typing the revocation URL.
If you use a URL and you have both internal and external users, the URL should be accessible from both network locations.
In the Refresh Interval For Revocation List (Days) box, typing the number of days the revocation list will be maintained.
This determines when users must update their revocation list when viewing content.
In the File Containing Public Key Corresponding To The Signed Revocation List, specifying a file.
Note that when you implement revocation, you must be careful with its settings. To make revocation practical, you must publish the revocation list on a regular basis.
Note:
MORE INFO POLICY TEMPLATES
To learn more about policy templates, go to http://technet.microsoft.com/en-us/library/cc731599.aspx.
8. Working with AD RMS Clients
AD
RMS relies on a local client to give users access to its capabilities.
Two clients exist: the built-in client included in Windows 7, Windows
Vista, and Windows Server 2008 R2, and a client that runs on Windows
2000, Windows 2003, and Windows XP. The last of these must be downloaded
and installed on each client computer to work. Three versions of this
client exist: x86, x64, and Itanium to support all Windows version
platforms.
Clients automatically discover the AD RMS cluster through one of three methods:
They can rely on the AD DS Service Connection Point created during the AD RMS installation.
In complex, multiforest AD RMS deployments, they must rely on registry overrides, which are placed directly on the client computer. This is especially true for earlier versions of Windows operating systems.
They can rely on the URLs included in the issuance licenses for the content.
Each of these methods provides redundancy to ensure that clients can always access content.
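The script below is an added example, not part of the training kit, that reports which of the discovery methods just listed a given client computer would use: it reads the Service Connection Point from the forest Configuration partition and the per-machine registry overrides, and it notes that the third method (the URL inside the issuance license) only applies once content is opened. The SCP location (CN=SCP,CN=RightsManagementServices,CN=Services under the Configuration naming context, attribute serviceBindingInformation) and the override keys under HKLM\SOFTWARE\Microsoft\MSDRM\ServiceLocation are the documented AD RMS client locations and are assumptions here; this page does not name them.

```powershell
# Added example (not from the training kit): show where this computer would
# discover its AD RMS cluster. SCP path and registry keys are assumed from the
# AD RMS client documentation, not taken from this page.

function Get-AdRmsServiceConnectionPoint {
    # The SCP created by AD RMS setup lives in the forest Configuration partition.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    if (-not [ADSI]::Exists($scpPath)) { return $null }
    $scp = [ADSI]$scpPath
    # serviceBindingInformation carries the root cluster certification URL.
    $scp.serviceBindingInformation | ForEach-Object { [string]$_ }
}

function Get-AdRmsRegistryOverride {
    # Per-machine overrides placed directly on clients in multiforest deployments.
    # 'Activation' points at the certification URL, 'EnterprisePublishing' at
    # the licensing URL; the URL is stored in each key's default value.
    $base = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation'
    $overrides = @{}
    foreach ($key in 'Activation', 'EnterprisePublishing') {
        $path = Join-Path $base $key
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path).'(default)'
            if ($value) { $overrides[$key] = $value }
        }
    }
    $overrides
}

function Get-AdRmsDiscoverySummary {
    $scp = Get-AdRmsServiceConnectionPoint
    $reg = Get-AdRmsRegistryOverride
    # A registry override takes precedence over the SCP. The URL embedded in
    # the issuance license is the remaining fallback and needs actual content
    # to evaluate, so it is only mentioned here.
    $source = if ($reg.Count -gt 0) { 'Registry override' }
              elseif ($scp)         { 'AD DS Service Connection Point' }
              else                  { 'Issuance license URL only (no SCP, no override)' }
    New-Object PSObject -Property @{
        DiscoverySource    = $source
        ScpUrl             = ($scp -join ', ')
        ActivationOverride = $reg['Activation']
        PublishingOverride = $reg['EnterprisePublishing']
    }
}

Get-AdRmsDiscoverySummary | Format-List
```

A client that reports "Registry override" while the override URL no longer matches a live cluster will fail to activate even though the SCP is correct, which is the usual cause of discovery problems on older clients that were configured by hand.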
Note:
MORE INFO AD RMS AND WINDOWS RMS CLIENTS
To learn more about AD RMS clients and obtain the Windows RMS clients, go to http://technet.microsoft.com/en-us/library/dd772753(WS.10).aspx.
9. Managing Databases
AD RMS relies on three
databases to operate. Familiarize yourself with these databases and
their operation to ensure the proper functioning of your AD RMS cluster.
These databases include:
The configuration database, which is used to store all AD RMS configuration data. This database is accessed by AD RMS servers to provide rights-protection services and information to clients.
The logging database, which stores data about every activity in either a root or a licensing-only cluster. This database is useful for auditing AD RMS events.
The directory services database, which stores information about users and all their corresponding data. This information is accessed from AD DS directories through the Lightweight Directory Access Protocol (LDAP). This database requires regular maintenance if you remove users from AD RMS, as mentioned earlier in this lesson.
In addition to these databases,
AD RMS relies on the Message Queuing service to send events to the
logging database. If you are concerned about auditing AD RMS usage (and
you should be), perform regular checks and verifications of this service
to ensure its proper operation.
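As an added example, not part of the training kit, the following script performs the regular check this paragraph asks for: it confirms that the Message Queuing service is running on the AD RMS server and that the three databases exist and are online on the SQL Server instance. The instance name is a constructed placeholder, and the database names are assumed to follow the DRMS_Config, DRMS_Logging and DRMS_DirectoryServices prefixes that AD RMS setup uses, which this page does not spell out; adjust the patterns if your cluster was installed with different names.

```powershell
# Added example (not from the training kit): health check for the AD RMS
# data tier (three databases plus the Message Queuing service).
$SqlInstance = 'SQL01\ADRMS'   # constructed placeholder

function Get-AdRmsDatabases {
    param([Parameter(Mandatory=$true)][string]$Instance)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=master;Integrated Security=SSPI;"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # Database names are assumed to carry the DRMS_ prefix used by AD RMS setup.
        $cmd.CommandText = "SELECT name, state_desc, recovery_model_desc " +
                           "FROM sys.databases WHERE name LIKE 'DRMS[_]%' ORDER BY name"
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) {
            $rows += New-Object PSObject -Property @{
                Name = $reader['name']; State = $reader['state_desc']; Recovery = $reader['recovery_model_desc']
            }
        }
        $reader.Close()
        $rows
    } finally { $conn.Close() }
}

function Test-AdRmsDataTier {
    param([Parameter(Mandatory=$true)][string]$Instance)
    $findings = @()

    # 1. Without Message Queuing, logging events never reach the logging database.
    $msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    if (-not $msmq)                     { $findings += 'Message Queuing service not installed' }
    elseif ($msmq.Status -ne 'Running') { $findings += "Message Queuing service is $($msmq.Status)" }

    # 2. Each of the three databases must be present and ONLINE.
    $dbs = Get-AdRmsDatabases -Instance $Instance
    foreach ($role in 'Config', 'Logging', 'DirectoryServices') {
        $match = $dbs | Where-Object { $_.Name -like "DRMS_${role}_*" } | Select-Object -First 1
        if (-not $match)                   { $findings += "No DRMS_${role} database found on $Instance" }
        elseif ($match.State -ne 'ONLINE') { $findings += "$($match.Name) is $($match.State)" }
    }

    New-Object PSObject -Property @{
        Instance  = $Instance
        Databases = (($dbs | ForEach-Object { $_.Name }) -join ', ')
        Healthy   = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

Test-AdRmsDataTier -Instance $SqlInstance | Format-List
```

Run this from an AD RMS server (so the service check applies to the machine that sends the events) under an account with at least VIEW ANY DATABASE on the instance. A stopped Message Queuing service with a healthy logging database is the case to watch for: events queue up or are lost locally while the database itself looks fine.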
In addition to the
different functionalities available within the AD RMS console, Microsoft
provides a special RMS toolkit that contains a series of utilities for
AD RMS administration and operation. Download this toolkit and add it to
your AD RMS administration kit to control your deployment fully.
Note:
MORE INFO RIGHTS MANAGEMENT SERVICES ADMINISTRATION TOOLKIT
To download the RMS toolkit with utilities for RMS management, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=bae62cfc-d5a7-46d2-9063-0f6885c26b98&DisplayLang=en.
Note:
MORE INFO ADDITIONAL AD RMS RESOURCES
To access additional AD RMS resources, go to http://technet.microsoft.com/en-us/library/cc771334.aspx.