2.4. Moving AD RMS to Windows Server 2008 R2
If your organization is already running AD RMS on Windows Server 2008 and wants to move its installation to Windows Server 2008 R2, you have two options:
Upgrading the installation means performing an operating system upgrade to Windows Server 2008 R2, then upgrading the AD RMS installation after the operating system upgrade is complete. Most organizations and IT administrators balk at the idea of performing an operating system upgrade. Upgrades are more reliable now that Microsoft has changed the operating system installation process—this change occurred with the release of Windows Vista—but many administrators still don’t trust them. If this is the case in your organization, you’ll have to rely on the second option to move to an AD RMS installation on Windows Server 2008 R2.
Migrating the installation is often simpler than upgrading. That’s because you begin with a brand-new operating system installation on either a physical or virtual machine. Use the following process:
1. Install Windows Server 2008 R2 on a new computer.
2. Add the AD RMS role and join the existing AD RMS cluster. This makes all of the core components of your AD RMS installation available on the new server.
3. Add new servers running Windows Server 2008 R2 to the AD RMS cluster. This provides high availability and further protection for the core components of the AD RMS installation.
4. Decommission and remove the AD RMS cluster members that are not running Windows Server 2008 R2.
As you can see, migrating is as simple as upgrading and may provide better results. However, consider the following when you perform the move, whichever procedure you decide to rely on:
- Back up the AD RMS configuration database prior to the move. This provides additional protection during the move.
- Export the server licensor certificate (SLC). The SLC decrypts all encrypted content. Place it in a safe location.
- Export and install the CSP key. The CSP key stores the AD RMS private key and therefore is required on all cluster members. Export it from an existing server, and import it on all new cluster members running Windows Server 2008 R2.
Using these measures during a move protects your installation and allows you to roll back to the existing installation should a mishap occur during the move.
After the move is complete, you must also perform the following tasks:
1. Update the CNAME record for the AD RMS cluster. Make sure that you remove the decommissioned server names from this record and add the names of the new servers running Windows Server 2008 R2.
2. Run the AD RMS console to make sure everything is okay with the updated cluster.
3. Test AD RMS connectivity by using an AD RMS client.
Performing these final tasks ensures that your new AD RMS cluster is ready for business.
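The post-move checks above can be scripted so that they are repeated identically after every cluster change. The following is an added example, not code from the training kit; it assumes PowerShell 2.0 on Windows Server 2008 R2, uses the chapter's SERVER01 and RightsManagement.contoso.com names, and the decommissioned-server list is a constructed placeholder you replace with your own.

```powershell
# Added example (not from the training kit): scripted checks for the post-move
# tasks, PowerShell 2.0 on Windows Server 2008 R2. The alias and SERVER01 come
# from this chapter; the decommissioned-server list is a constructed placeholder.
$alias          = 'RightsManagement.contoso.com'
$dnsServer      = 'SERVER01'
$decommissioned = @('OLDRMS01.contoso.com')   # placeholder: the servers you removed

# 1. The cluster CNAME must resolve, and not to a server that has left the cluster.
$target = $null
foreach ($line in (nslookup -type=CNAME $alias $dnsServer 2>$null)) {
    if ($line -match 'canonical name = (\S+)') { $target = $matches[1].TrimEnd('.'); break }
}
if (-not $target) { throw "No CNAME record for $alias on $dnsServer" }
if ($decommissioned -contains $target) { throw "$alias still points at decommissioned server $target" }
Write-Host "CNAME $alias -> $target"

# 2. The certification and licensing pipelines must answer over HTTPS and present
#    a certificate that the client trusts and that has not expired. The pipelines
#    require Windows authentication, so the request runs as the logged-on user.
foreach ($pipeline in '_wmcs/certification/certification.asmx', '_wmcs/licensing/license.asmx') {
    $request = [System.Net.HttpWebRequest]::Create("https://$alias/$pipeline")
    $request.UseDefaultCredentials = $true
    try {
        $response = $request.GetResponse()          # throws on TLS trust failure or HTTP error
        $tlsCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $request.ServicePoint.Certificate
        $response.Close()
        if ($tlsCert.NotAfter -lt (Get-Date)) { throw "certificate expired on $($tlsCert.NotAfter)" }
        Write-Host ("{0}: HTTP {1}, {2}, valid until {3}" -f $pipeline, [int]$response.StatusCode, $tlsCert.Subject, $tlsCert.NotAfter)
    } catch {
        Write-Error "$pipeline failed: $($_.Exception.Message)"
    }
}
```

This probes the web pipelines directly; it complements, rather than replaces, the end-to-end test with an AD RMS client that the last task calls for.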
Note:
MORE INFO MOVING FROM AN AD RMS INSTALLATION ON WINDOWS SERVER 2008 TO WINDOWS SERVER 2008 R2
For more information on how to upgrade AD RMS on Windows Server 2008 to Windows Server 2008 R2, go to http://technet.microsoft.com/en-us/library/ff770805%28WS.10%29.aspx.
2.5. Working with Windows PowerShell
AD RMS can be both installed and administered with Windows PowerShell on Windows Server 2008 or Windows Server 2008 R2. There are two modules for AD RMS:
- AdRmsInstall, which supports the installation and configuration of AD RMS components
- AdRmsAdmin, which controls the administration of installed AD RMS components
Run the following cmdlets to import both modules:
Import-Module AdRms
Import-Module AdRmsAdmin
You can also import all available PowerShell modules to gain access to AD RMS cmdlets.
After the modules are imported, you can manage and administer AD RMS installations and components through PowerShell. One great advantage of PowerShell is that you can easily automate AD RMS administration and deployment through its cmdlets.
Note:
MORE INFO AD RMS AND WINDOWS POWERSHELL
For more information on how to use PowerShell to work with AD RMS, see http://go.microsoft.com/fwlink/?LinkId=136806.
2.5.1. Practice Installing AD RMS
In this practice, you install AD RMS into a new cluster. First you must add a DNS record. In the following exercises, you create the service account and the AD RMS role groups in the directory, create and install a Web Server certificate, and then proceed to the installation.
EXERCISE 1 Prepare the DNS Record
In this exercise, you create a CNAME record to prepare for the AD RMS cluster URL.
1. Log on to SERVER01, using the domain Administrator account.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\DNS Server\DNS\SERVER01\Forward Lookup Zones and select contoso.com.
4. Right-click in the details pane and click New Alias (CNAME).
5. In the New Resource Record dialog box, type the alias name RightsManagement and assign it to SERVER04.contoso.com in the Fully Qualified Domain Name (FQDN) For Target Host section of the dialog box. Click OK.
You have created a new record for the AD RMS cluster URL. It will be updated to point to other servers as you perform the other exercises.
EXERCISE 2 Prepare the Directory
In this exercise, you create a service account and four groups for AD RMS administration delegation.
1. Log on to SERVER01, using the domain Administrator account, if you haven’t done so already.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\Active Directory Domain Services\Active Directory Users and Computers\contoso.com. Create the Admins\Service Identities OU structure if it doesn’t already exist.
4. Right-click the Service Identities OU, point to New, and then click User.
5. Name the user ADRMSService, and use this name for both the logon and the pre–Windows 2000 logon names. Click Next.
6. Assign a complex password, clear User Must Change Password At Next Logon, and select Password Never Expires. Click Next, and then click Finish to create the account.
Note:
LEGACY SERVICE ACCOUNTS
You must create the service account as directed in these steps because you cannot use a managed service account in this instance. Managed service accounts do not work when the account is shared by multiple computers or when the account is used for a service running on multiple computers, such as for a cluster.
7. Create the AD RMS administration groups under the contoso.com\Admins\Server Delegations OU. Create these OUs if they are not already created.
8. Create four global security groups. Right-click in the details pane, point to New, and then click Group. Type the name and click OK. Create the following four groups:
9. Right-click the AD RMS Service Account group and click Properties. On the Members tab, add the ADRMSService account to this group and click OK.
10. Log on to SERVER04, using the domain Administrator account, if you have not done so already.
11. Launch Server Manager from the Administrative Tools program group.
12. Expand Configuration\Local Users And Groups and select Groups.
13. Double-click the Administrators group to open it.
14. Add the AD RMS Service Account group to this group, and click OK.
EXERCISE 3 Prepare a Web Server Certificate
Because AD RMS requires SSL-encrypted web connections, you must create and install a web server certificate before you can proceed with the installation. Note that for this practice to work. You can use a self-signed certificate, but by using real certificates you learn to integrate AD CS with AD RMS.
1. Log on to SERVER04, using the domain Administrator account.
This grants you Enterprise Administrator credentials, which are required to create the SCP. These rights are required for Exercise 4.
2. Launch Server Manager from the Administrative Tools program group.
3. Expand Roles\Active Directory Certificate Services and select Certificate Templates. The node shows that you are connected to SERVER01.contoso.com.
Note that all the existing templates are listed in the details pane.
4. Select the Web Server template in the details pane, right-click it, and then click Duplicate Template.
5. Select the version of Windows Server to support, in this case Windows Server 2008 Enterprise, and click OK.
6. Name the template Web Server WS08 and set the following options. Leave all other options as they are.
   - On the General tab, select Publish Certificate In Active Directory.
   - On the Security tab, add the computer account for SERVER04. To do so, click Add, click Object Types, select Computers, and then click OK. Type SERVER04, click Check Names, and then click OK again.
   - Grant SERVER04 the Allow::Read and Allow::Enroll permissions.
7. Click OK.
Template issuance is performed in the Certification Authority console section of Server Manager.
8. Expand Roles\Active Directory Certificate Services\Contoso-Issuing-CA01 and click Certificate Templates.
9. To issue a template, right-click Certificate Templates, point to New, and then click Certificate Template To Issue.
10. In the Enable Certificate Templates dialog box, select Web Server WS08 and click OK.
You are ready to proceed with the installation.
EXERCISE 4 Install a Web Server Certificate
Now you need to request and install the certificate.
1. Staying on SERVER04, click the Start menu, type mmc in the Search box, and then press Enter.
2. On the File menu, click Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, select the Certificates snap-in and click Add.
3. Choose Computer Account and click Next.
4. Make sure Local Computer is selected, click Finish, and then click OK.
5. On the File menu, click Save As, navigate to your Documents folder, and name it Computer Certificates02. Click Save.
6. Expand Certificates (Local Computer)\Personal and select Certificates.
7. Right-click Certificates, point to All Tasks, and then click Request New Certificate. Click Next. Make sure Active Directory Enrollment Policy is selected and click Next.
8. Select the Web Server WS08 certificate, and then click the More Information Is Required To Enroll For This Certificate link.
9. In the Certificate Properties dialog box, on the Subject tab:
   - In the Subject Name area, ensure that Full DN is selected, type CN=SERVER04,DC=Contoso,DC=com as the Value, and then click Add.
   - In the Alternative Name area, choose URL in the Type drop-down list, type RightsManagement.contoso.com in the Value field, and then click Add.
10. On the General tab, type Contoso DRM in the Friendly Name field and Web Server Certificate in the Description field.
11. On the Private Key tab, click the double down arrow icon on the right to expand the Key Options section and select the Make Private Key Exportable and Allow Private Key To Be Archived check boxes.
12. Click OK, and then click Enroll. Click Finish.
13. To verify that the certificate has been issued, click Certificates under the Personal node in the tree pane and view the certificate in the details pane. The certificate will be named with the server name only.
14. Close the Certificates console.
You are ready to install AD RMS.
EXERCISE 5 Install an AD RMS Root Cluster
1. Ensure that you have at least SERVER01 and SERVER04 running.
2. Log on to SERVER04, using the domain Administrator account. This grants you Enterprise Administrator credentials, which are required to create the SCP.
3. Launch Server Manager from the Administrative Tools program group.
4. Right-click the Roles node in the tree pane and click Add Roles.
5. Review the Before You Begin information and click Next.
6. On the Select Server Roles page, select Active Directory Rights Management Services.
The Add Roles Wizard asks you to add the Web Server (IIS) role with the required features, and Message Queuing.
7. Click Add Required Role Services if these services weren’t installed prior to the installation of AD RMS. Click Next.
8. On the Active Directory Rights Management Services page, review the information about the selected role and click Next.
9. On the Select Role Services page, ensure that Active Directory Rights Management Server is selected and click Next.
10. On the Create Or Join An AD RMS Cluster page, select Create A New AD RMS Cluster and click Next.
11. On the Select Configuration Database page, select Use Windows Internal Database On This Server and click Next.
You choose to use Windows Internal Database to host the AD RMS database because this is a single-server installation. Remember: Using WID is valid for test purposes only.
12. On the Specify Service Account page, click Specify, type ADRMSService and its password, click OK, and then click Next.
13. On the Configure AD RMS Cluster Key Storage page, select Use AD RMS Centrally Managed Key Storage and click Next.
You choose to protect the AD RMS cluster key by using this option because it simplifies the exercise and does not require additional components; however, normally, you should provide the best protection for this key through a CSP provider.
14. On the Specify AD RMS Cluster Key Password page, type a strong password, confirm it, and then click Next.
15. On the Select AD RMS Cluster Web Site page, select Default Web Site and click Next.
16. On the Specify Cluster Address page, select Use An SSL-Encrypted Connection (Https://).
As a security best practice, the AD RMS cluster should be provisioned by using an SSL-encrypted connection.
17. In the Internal Address section, type RightsManagement.contoso.com, leave the port number as is, and click Validate. When the validation succeeds, the wizard updates the preview of the cluster address at the bottom of the page. Click Next.
18. On the Choose A Server Authentication Certificate For SSL Encryption page, select Choose An Existing Certificate For SSL Encryption (Recommended), select the SERVER04 certificate, and click Next.
19. On the Name The Server Licensor Certificate page, type Contoso DRM to identify the AD RMS cluster and click Next.
20. On the Register AD RMS Service Connection Point page, select Register The AD RMS Service Connection Point Now and click Next.
This action registers the AD RMS service connection point (SCP) in AD DS.
21. On the Web Server (IIS) page, review the information about IIS and click Next.
22. On the Select Role Services page, keep the Web Server default selections and click Next.
23. On the Confirm Installation Selections page, review your choices and click Install.
24. When the installation is complete, click Close to close the installation wizard.
25. Log off and log back on to update the permissions granted to the logged-on user account.
The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators group. This gives you access to all AD RMS operations. Your installation is complete.
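Section 2.5 notes that the same deployment can be automated with the AdRms module. The following added example (not code from the training kit or from Microsoft) scripts Exercise 1 and Exercise 5 with the answers used above; it assumes PowerShell 2.0 on Windows Server 2008 R2, that the "Contoso DRM" certificate from Exercise 4 is in the machine store, and that the property names of the AdRmsInstall provider's RootCluster drive are as shown (Get-ChildItem RC:\ lists them on your system).

```powershell
# Added example (not from the training kit): Exercises 1 and 5 scripted with the
# AdRms module on Windows Server 2008 R2 (PowerShell 2.0). Property names follow
# the AdRmsInstall provider's RootCluster layout; Get-ChildItem RC:\ lists them.
Import-Module AdRms

# Exercise 1: the cluster alias, created with dnscmd instead of DNS Manager.
dnscmd SERVER01 /RecordAdd contoso.com RightsManagement CNAME SERVER04.contoso.com

# Exercise 4 left a certificate with the friendly name "Contoso DRM" in the
# machine store. Pick it by name, and refuse anything without a private key or
# without the cluster alias in its Subject Alternative Name extension.
$alias = 'RightsManagement.contoso.com'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'Contoso DRM' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No "Contoso DRM" certificate with a private key found' }
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($alias)) {
    throw "Certificate $($cert.Thumbprint) does not name $alias in its SAN"
}

# Secrets are prompted for at run time, never embedded in the script.
$svcPassword = Read-Host -AsSecureString -Prompt 'Password for CONTOSO\ADRMSService'
$svcAccount  = New-Object System.Management.Automation.PSCredential('CONTOSO\ADRMSService', $svcPassword)
$keyPassword = Read-Host -AsSecureString -Prompt 'AD RMS cluster key password'

# Exercise 5: the answers the Add Roles Wizard collects, set as provider properties.
New-PSDrive -PSProvider AdRmsInstall -Name RC -Root RootCluster | Out-Null
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true   # WID: test use only
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svcAccount
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true               # a CSP is the production choice
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $keyPassword
Set-ItemProperty -Path RC:\ClusterWebSite -Name WebSiteName -Value 'Default Web Site'
Set-ItemProperty -Path RC:\ClusterUrl -Name Address -Value "https://$alias"
Set-ItemProperty -Path RC:\ClusterUrl -Name Port -Value 443
Set-ItemProperty -Path RC:\SSLCertificateSupport -Name SSLCertificateOption -Value Existing
Set-ItemProperty -Path RC:\SSLCertificateSupport -Name Thumbprint -Value $cert.Thumbprint
Set-ItemProperty -Path RC:\ -Name SLCName -Value 'Contoso DRM'
Set-ItemProperty -Path RC:\ -Name RegisterSCP -Value $true
Install-ADRMS -Path RC:\ -Force
```

Run it in an elevated PowerShell session on SERVER04 as the domain Administrator, since registering the SCP needs Enterprise Administrator credentials just as in step 2.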
Warning:
IMPORTANT AD RMS ADMINISTRATION GROUPS
To render the administration groups you created in AD DS operational, you must add them to the respective local groups on each AD RMS server. In a production environment, you must perform this additional step to complete your setup.