Lab: Implementing AD RMS
Exercise 1: Installing and Configuring Active Directory® Rights Management Services (AD RMS)
Task 1: Configure DNS and configure an AD RMS service account
1. Sign in to LON-DC1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. In Server Manager, click Tools, and then click Active Directory Administrative Center.
3. Select and then right-click Adatum (local), click New, and then click Organizational Unit.
4. In the Create Organizational Unit dialog box, in the Name text box, type Service Accounts, and then click OK.
5. Right-click the Service Accounts OU, click New, and then click User.
6. In the Create User dialog box, enter the following details, and then click OK:
• First name: ADRMSSVC
• User UPN logon: ADRMSSVC
• Password: Pa$$w0rd
• Confirm Password: Pa$$w0rd
• Password never expires: Enabled
• User cannot change password: Enabled
7. Right-click the Users container, click New, and then click Group.
8. In the Create Group dialog box, enter the following details, and then click OK:
• Group name: ADRMS_SuperUsers
• Email: ADRMS_SuperUsers@adatum.com
9. Right-click the Users container, click New, and then click Group.
10. In the Create Group dialog box, enter the following details, and then click OK:
• Group name: Executives
• Email: executives@adatum.com
11. Double-click the Managers OU.
12. Press and hold the Ctrl key, and click the following users:
• Aidan Delaney
• Bill Malone
13. In the Tasks pane, click Add to group.
14. In the Select Groups dialog box, type Executives, and then click OK.
15. Close the Active Directory Administrative Center.
16. In Server Manager, click Tools, and then click DNS.
17. In the DNS Manager console, expand LON-DC1, and then expand Forward Lookup Zones.
18. Select and then right-click Adatum.com, and then click New Host (A or AAAA).
19. In the New Host dialog box, enter the following information, and then click Add Host:
• Name: adrms
• IP address: 172.16.0.21
20. Click OK, and then click Done.
21. Close the DNS Manager console.
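The same objects Task 1 creates through the GUI, created from PowerShell on LON-DC1 and then checked. This is an added example, not part of the lab; it assumes the ActiveDirectory and DnsServer modules are present (they install with the AD DS and DNS roles), and that the Managers OU users Aidan Delaney and Bill Malone have the sAMAccountNames Aidan and Bill, as the later sign-ins in Exercise 4 suggest.

```powershell
# Added example (not from the lab): Exercise 1, Task 1 as a script on LON-DC1.
# Assumes the ActiveDirectory and DnsServer modules are installed.
Import-Module ActiveDirectory
Import-Module DnsServer

$domainDN = 'DC=Adatum,DC=com'
$usersDN  = "CN=Users,$domainDN"
$svcOuDN  = "OU=Service Accounts,$domainDN"
# Lab password as given in the lab text; never hard-code a real password.
$password = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

# Steps 3-4: an OU that holds nothing but service accounts.
New-ADOrganizationalUnit -Name 'Service Accounts' -Path $domainDN

# Steps 5-6: the AD RMS service account. AD RMS only needs an ordinary domain
# user here, so it deliberately gets no group membership beyond Domain Users.
New-ADUser -Name 'ADRMSSVC' -SamAccountName 'ADRMSSVC' `
    -UserPrincipalName 'ADRMSSVC@adatum.com' -Path $svcOuDN `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# Steps 7-10: AD RMS identifies principals by e-mail address, so the mail
# attribute is what the super users setting and the template refer to later.
New-ADGroup -Name 'ADRMS_SuperUsers' -GroupScope Global -GroupCategory Security `
    -Path $usersDN -OtherAttributes @{ mail = 'ADRMS_SuperUsers@adatum.com' }
New-ADGroup -Name 'Executives' -GroupScope Global -GroupCategory Security `
    -Path $usersDN -OtherAttributes @{ mail = 'executives@adatum.com' }

# Steps 11-14: sAMAccountNames Aidan and Bill are assumed (see lead-in).
Add-ADGroupMember -Identity 'Executives' -Members 'Aidan', 'Bill'

# Steps 16-20: the cluster name that clients will resolve.
Add-DnsServerResourceRecordA -ZoneName 'Adatum.com' -Name 'adrms' `
    -IPv4Address '172.16.0.21'

# Checks worth running before moving on to LON-SVR1.
Get-ADUser 'ADRMSSVC' -Properties PasswordNeverExpires, CannotChangePassword |
    Select-Object Name, Enabled, PasswordNeverExpires, CannotChangePassword
Get-ADGroup 'ADRMS_SuperUsers' -Properties mail | Select-Object Name, mail
Get-ADGroupMember 'Executives' | Select-Object Name
Resolve-DnsName -Name 'adrms.adatum.com' -Type A
```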
Task 2: Install and configure the AD RMS server role
1. Sign in to LON-SVR1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. In Server Manager, click Manage, and then click Add Roles and Features.
3. In the Add Roles and Features Wizard, click Next three times.
4. On the Server Roles page, click Active Directory Rights Management Services.
5. In the Add Roles and Features dialog box, click Add Features, and then click Next four times.
6. Click Install, and then click Close.
7. In Server Manager, click the AD RMS node.
8. Next to Configuration required for Active Directory Rights Management Services at LON-SVR1, click More.
9. On the All Servers Task Details and Notifications page, click Perform Additional Configuration.
10. In the AD RMS Configuration: LON-SVR1.Adatum.com dialog box, click Next.
11. On the AD RMS Cluster page, click Create a new AD RMS root cluster, and then click Next.
12. On the Configuration Database page, click Use Windows Internal Database on this server, and then click Next.
13. On the Service Account page, click Specify.
14. In the Windows Security dialog box, enter the following details, click OK, and then click Next:
• Username: ADRMSSVC
• Password: Pa$$w0rd
15. On the Cryptographic Mode page, click Cryptographic Mode 2, and then click Next.
16. On the Cluster Key Storage page, click Use AD RMS centrally managed key storage, and then click Next.
17. On the Cluster Key Password page, enter the password Pa$$w0rd twice, and then click Next.
18. On the Cluster Web Site page, verify that Default Web Site is selected, and then click Next.
19. On the Cluster Address page, provide the following information, and then click Next:
• Connection Type: Use an unencrypted connection (http://)
• Fully Qualified Domain Name: adrms.adatum.com
• Port: 80 (Note that in production, we would use an encrypted, that is, https, connection.)
20. On the Licensor Certificate page, type Adatum AD RMS, and then click Next.
21. On the SCP Registration page, click Register the SCP now, and then click Next.
22. Click Install, close the All Servers Task Details dialog box, and then click Close.
Note: The installation may take several minutes.
23. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
24. In the Internet Information Services (IIS) Manager, expand LON-SVR1 (ADATUM\Administrator)\Sites\Default Web Site, and then click _wmcs.
25. Under /_wmcs Home, in the details pane, in the IIS section, double-click Authentication, click Anonymous Authentication, and then in the Actions pane, click Enable.
26. In the Connections pane, expand _wmcs, and then click licensing.
27. Under /_wmcs/licensing Home, in the details pane, in the IIS section, double-click Authentication, click Anonymous Authentication, and then in the Actions pane, click Enable.
28. Go to the Start screen, click Administrator, and then click Sign Out.
Note: You must sign out before you can manage AD RMS.
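An added check script for LON-SVR1 (not part of the lab) that applies steps 25 and 27 non-interactively, confirms the anonymous-authentication setting on both pipeline directories, and reads back the SCP registered in step 21 so you can see the cluster URL clients will actually discover. It assumes the WebAdministration module (installed with IIS) and the RSAT ActiveDirectory module are available, and that the SCP lives in the standard CN=RightsManagementServices,CN=Services container of the configuration partition.

```powershell
# Added example (not from the lab): verify Exercise 1, Task 2 on LON-SVR1.
# Assumes the WebAdministration and ActiveDirectory modules are installed.
Import-Module WebAdministration
Import-Module ActiveDirectory

$filter = '/system.webServer/security/authentication/anonymousAuthentication'
$vdirs  = 'Default Web Site/_wmcs', 'Default Web Site/_wmcs/licensing'

# Steps 25 and 27: enable anonymous authentication on the two pipeline
# directories. Only these two locations are touched, not the whole site.
foreach ($vdir in $vdirs) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $vdir -Filter $filter -Name enabled -Value $true
}

# Read the setting back rather than trusting that the write succeeded.
foreach ($vdir in $vdirs) {
    $enabled = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $vdir -Filter $filter -Name enabled).Value
    '{0}: anonymousAuthentication enabled = {1}' -f $vdir, $enabled
}

# Step 21 registered the service connection point (SCP). Office clients find
# the cluster through it, so serviceBindingInformation is the URL they use.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scp = Get-ADObject -SearchBase "CN=RightsManagementServices,CN=Services,$configNC" `
    -Filter 'objectClass -eq "serviceConnectionPoint"' `
    -Properties serviceBindingInformation
$url = [string]$scp.serviceBindingInformation
"SCP URL: $url"

# The lab chose an unencrypted cluster URL in step 19. Flag it so the choice
# is not carried into production, where the cluster address must be https.
if ($url -like 'http://*') {
    Write-Warning 'AD RMS cluster URL is plain HTTP; use HTTPS outside a lab.'
}
```

The sign-out in step 28 is still required after running this: the installing account is added to the AD RMS Enterprise Administrators local group during configuration, and the new membership only takes effect on the next sign-in.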
Task 3: Configure the AD RMS Super Users group
1. Sign in to LON-SVR1 with the Adatum\Administrator account and the password Pa$$w0rd.
2. In Server Manager, click Tools, and then click Active Directory Rights Management Services.
3. In the Active Directory Rights Management Services console, expand the lon-svr1 (Local) node, and then click Security Policies.
4. In the Security Policies area, under Super Users, click Change super user settings.
5. In the Actions pane, click Enable Super Users.
6. In the Super Users area, click Change super user group.
7. In the Super Users dialog box, in the Super user group text box, type ADRMS_SuperUsers@adatum.com, and then click OK.
Results: After completing this exercise, you should have installed and configured AD RMS.
Exercise 2: Configuring AD RMS Templates
Task 1: Configure a new rights policy template
1. Ensure that you are signed in to LON-SVR1.
2. In the Active Directory Rights Management Services console, click the lon-svr1 (local)\Rights Policy Templates node.
3. In the Actions pane, click Create Distributed Rights Policy Template.
4. In the Create Distributed Rights Policy Template Wizard, on the Add Template Identification Information page, click Add.
5. On the Add New Template Identification Information page, enter the following information, and then click Add:
• Language: English (United States)
• Name: ReadOnly
• Description: Read only access. No copy or print
6. Click Next.
7. On the Add User Rights page, click Add.
8. On the Add User or Group page, type executives@adatum.com, and then click OK.
9. With executives@adatum.com selected, under Rights, click View. Verify that Grant owner (author) full control right with no expiration is selected, and then click Next.
10. On the Specify Expiration Policy page, choose the following settings, and then click Next:
• Content Expiration: Expires after the following duration (days): 7
• Use license expiration: Expires after the following duration (days): 7
11. On the Specify Extended Policy page, click Require a new use license every time content is consumed (disable client-side caching), click Next, and then click Finish.
Task 2: Configure the rights policy template distribution
1. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell® prompt, type the following command, and then press Enter:
3. At the Windows PowerShell prompt, type the following command, and then press Enter:
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
5. At the Windows PowerShell prompt, type the following command, and then press Enter:
6. To exit Windows PowerShell, type exit.
7. Switch to the Active Directory Rights Management Services console.
8. Click the Rights Policy Templates node, and in the Distributed Rights Policy Templates area, click Change distributed rights policy templates file location.
9. In the Rights Policy Templates dialog box, click Enable export.
10. In the Specify Templates File Location (UNC) text box, type \\LON-SVR1\RMSTEMPLATES, and then click OK.
11. On the taskbar, click the File Explorer icon.
12. Navigate to the C:\rmstemplates folder, and verify that ReadOnly.xml displays.
13. Close the File Explorer window.
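The lab's own PowerShell commands for steps 2 to 5 are not reproduced on this page. The following is an added example, not the lab's code, that creates on LON-SVR1 the RMSTEMPLATES share used in step 10 and the docshare share used in Exercise 4 with the access each actually needs (the template export job runs as the AD RMS service account and must write; clients only read), and then checks the exported template from step 12. It assumes the SmbShare module (Windows Server 2012 or later) and the group names from Exercise 1.

```powershell
# Added example (not from the lab): shares for Exercise 2, Task 2 on LON-SVR1,
# scoped to least privilege, plus a check of the exported template.
Import-Module SmbShare

# Template distribution share: the service account writes, domain users read.
New-Item -Path 'C:\rmstemplates' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'RMSTEMPLATES' -Path 'C:\rmstemplates' `
    -FullAccess 'ADATUM\ADRMSSVC' -ReadAccess 'ADATUM\Domain Users' | Out-Null

# NTFS permissions must agree with the share permissions; the effective
# access is the more restrictive of the two, so set both deliberately.
icacls 'C:\rmstemplates' /inheritance:r `
    /grant 'ADATUM\ADRMSSVC:(OI)(CI)M' `
    /grant 'ADATUM\Domain Users:(OI)(CI)RX' `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# Document share used by the Exercise 4 tests. AD RMS, not the share ACL,
# is what enforces who can read the protected content placed here.
New-Item -Path 'C:\docshare' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'docshare' -Path 'C:\docshare' `
    -ChangeAccess 'ADATUM\Domain Users' | Out-Null

# After step 10 the ReadOnly template should be exported as XML (step 12).
# Confirm it is well-formed and names the principal chosen in Task 1.
$template = 'C:\rmstemplates\ReadOnly.xml'
if (Test-Path $template) {
    [xml]$xrml = Get-Content -Path $template -Raw
    $names = Select-String -Path $template -Pattern 'executives@adatum.com'
    if ($names) {
        'ReadOnly.xml is valid XML and references executives@adatum.com'
    } else {
        Write-Warning 'ReadOnly.xml exported but does not name executives@adatum.com'
    }
} else {
    Write-Warning "Template not yet exported: $template"
}
Get-SmbShare -Name 'RMSTEMPLATES', 'docshare' | Select-Object Name, Path
Get-SmbShareAccess -Name 'RMSTEMPLATES' | Select-Object AccountName, AccessRight
```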
Task 3: Configure an exclusion policy
1. Switch to the Active Directory Rights Management Services console.
2. Click the Exclusion Policies node, and then click Manage application exclusion list.
3. In the Actions pane, click Enable Application Exclusion.
4. In the Actions pane, click Exclude Application.
5. In the Exclude Application dialog box, enter the following information, and then click Finish:
• Application File name: Powerpnt.exe
• Minimum version: 14.0.0.0
• Maximum version: 16.0.0.0
Results: After completing this exercise, you should have configured AD RMS templates.
Exercise 3: Implementing the AD RMS Trust Policies
Task 1: Export the Trusted User Domains policy
1. On LON-SVR1, on the taskbar, click the Windows PowerShell icon.
2. At the Windows PowerShell prompt, type the following command, and then press Enter:
3. At the Windows PowerShell prompt, type the following command, and then press Enter:
4. Close the Windows PowerShell window.
5. In the Active Directory Rights Management Services console, expand the Trust Policies node, and then click the Trusted User Domains node.
6. In the Actions pane, click Export Trusted User Domains.
7. In the Export Trusted User Domains As dialog box, navigate to \\LON-SVR1\export, set the file name to ADATUMTUD.bin, and then click Save.
8. Sign in to TREY-DC1 with the TREYRESEARCH\Administrator account and the password Pa$$w0rd.
9. In Server Manager, click Tools, and then click Active Directory Rights Management Services.
10. In the Active Directory Rights Management Services console, expand trey-dc1 (local), expand the Trust Policies node, and then click the Trusted User Domains node.
11. In the Actions pane, click Export Trusted User Domains.
12. In the Export Trusted User Domains As dialog box, navigate to \\LON-SVR1\export, set the file name to TREYRESEARCHTUD.bin, and then click Save.
13. On TREY-DC1, on the taskbar, click the Windows PowerShell icon.
14. At the Windows PowerShell command prompt, type the following command, and then press Enter:
Add-DnsServerConditionalForwarderZone -MasterServers 172.16.0.10 -Name adatum.com
15. Close the Windows PowerShell window.
Task 2: Export the Trusted Publishing Domains policy
1. Switch to LON-SVR1.
2. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted Publishing Domains node.
3. In the Actions pane, click Export Trusted Publishing Domains.
4. In the Export Trusted Publishing Domain dialog box, click Save As.
5. In the Export Trusted Publishing Domain File As dialog box, navigate to \\LON-SVR1\export, set the file name to ADATUMTPD.xml, and then click Save.
6. In the Export Trusted Publishing Domain dialog box, enter the password Pa$$w0rd twice, and then click Finish.
7. Switch to TREY-DC1.
8. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted Publishing Domains node.
9. In the Actions pane, click Export Trusted Publishing Domains.
10. In the Export Trusted Publishing Domain dialog box, click Save As.
11. In the Export Trusted Publishing Domain File As dialog box, navigate to \\LON-SVR1\export, set the file name to TREYRESEARCHTPD.xml, and then click Save.
12. In the Export Trusted Publishing Domain dialog box, enter the password Pa$$w0rd twice, and then click Finish.
Task 3: Import the Trusted User Domain policy from the partner domain
1. Switch to LON-SVR1.
2. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted User Domains node.
3. In the Actions pane, click Import Trusted User Domain.
4. In the Import Trusted User Domain dialog box, enter the following details, and then click Finish:
• Trusted user domain file: \\LON-SVR1\Export\TREYRESEARCHTUD.bin
• Display Name: Trey Research
5. Switch to TREY-DC1.
6. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted User Domains node.
7. In the Actions pane, click Import Trusted User Domain.
8. In the Import Trusted User Domain dialog box, enter the following details, and then click Finish:
• Trusted user domain file: \\LON-SVR1\Export\ADATUMTUD.bin
• Display Name: Adatum
Task 4: Import the Trusted Publishing Domains policy from the partner domain
1. Switch to LON-SVR1.
2. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted Publishing Domains node.
3. In the Actions pane, click Import Trusted Publishing Domain.
4. In the Import Trusted Publishing Domain dialog box, enter the following information, and then click Finish:
• Trusted publishing domain file: \\LON-SVR1\export\TREYRESEARCHTPD.xml
• Password: Pa$$w0rd
• Display Name: Trey Research
5. Switch to TREY-DC1.
6. In the Active Directory Rights Management Services console, under the Trust Policies node, click the Trusted Publishing Domains node.
7. In the Actions pane, click Import Trusted Publishing Domain.
8. In the Import Trusted Publishing Domain dialog box, provide the following information, and then click Finish:
• Trusted publishing domain file: \\LON-SVR1\export\adatumtpd.xml
• Password: Pa$$w0rd
• Display Name: Adatum
Results: After completing this exercise, you should have implemented the AD RMS trust policies.
Exercise 4: Verifying AD RMS on a Client
Task 1: Create a rights-protected document
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, select the Desktop tile.
3. Click the File Explorer icon.
4. In File Explorer, right-click This PC, and then click Properties.
5. In the System window, in the console tree, click Remote settings.
6. Click the Select Users button.
7. Click the Add button.
8. In the Select Users and Groups pop-up, in the Enter the object names to select text box, type Aidan; Bill; Carol, and then click OK three times.
9. On the taskbar, click the Windows Start icon.
10. On the Start screen, click Administrator, and then click Sign out.
11. Sign in to LON-CL1 as Adatum\Aidan with the password Pa$$w0rd.
12. On the Start screen, click the Desktop tile.
13. On the taskbar, click the Internet Explorer icon. Close any warnings about add-ons.
14. In Windows® Internet Explorer®, in the Address bar, type http://adrms.adatum.com, and then click the arrow immediately to the right of the uniform resource locator (URL) text box.
15. Click the Gear icon in the far upper right of Internet Explorer.
16. Select Internet Options.
17. Select the Security tab.
18. In the Select a zone to view or change security settings area, click the Local intranet icon, and then click the Sites button.
19. Click the Advanced button.
20. Click the Add button, click Close, and then click OK twice.
21. Close Internet Explorer.
22. Return to the Start screen.
23. On the Start screen, type Word. In the Results area, click Word 2013.
24. In the First things first dialog box, select the Ask me later radio button, and then click Accept. In the Office dialog box, click the X in the far upper right.
25. In the Word Recent window, click the Blank document icon. In the Microsoft® Word document, type the following text:
This document is for executives only, it should not be modified.
26. Click File, click Protect Document, click Restrict Access, and then click Connect to Digital Rights Management Servers and get templates.
27. A Microsoft Word dialog box informing you that it is connecting to the server will display.
28. After the dialog box closes, click Protect Document, click Restrict Access, and then click Restricted Access.
29. In the Permission dialog box, enable Restrict Permission to this document.
30. In the Read text box, type bill@adatum.com, and then click OK.
31. Click Save.
32. In the Save As dialog box, click the Browse icon.
33. In the File name text box, type \\lon-svr1\docshare\ExecutivesOnly.docx, and then click Save.
34. Close Word.
35. Go to the Start screen, click the Aidan Delaney icon, and then click Sign out.
Task 2: Verify internal access to protected content
1. Sign in to LON-CL1 as Adatum\Bill with the password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. On the taskbar, click the Internet Explorer icon. Close any warnings about add-ons.
4. In the URL text box, type http://adrms.adatum.com, and then click the arrow immediately to the right of the URL text box.
5. Click the Gear icon in the far upper right of Internet Explorer.
6. Select Internet Options.
7. Select the Security tab.
8. In the Select a zone to view or change security settings area, click the Local intranet icon, and then click the Sites button.
9. Click the Advanced button.
10. Click the Add button, click Close, and then click OK twice.
11. Close Internet Explorer.
12. On the taskbar, click the File Explorer icon.
13. In the File Explorer window, navigate to \\lon-svr1\docshare.
14. In the docshare folder, double-click the ExecutivesOnly document.
15. In the First things first dialog box, select the Ask me later radio button, and then click Accept. In the Office dialog box, click the X in the far upper right.
16. When the document opens, verify that you are unable to modify or save the document.
17. Select a line of text in the document.
18. Right-click the text, and verify that you cannot make changes.
19. Click View Permission on the yellow bar, review the permissions, and then click OK.
20. Close Word.
21. Go to the Start screen, click the Bill Malone icon, and then click Sign out.
Task 3: Open the rights-protected document as an unauthorized user
1. Sign in to LON-CL1 as Adatum\Carol with the password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Open Internet Explorer. Close any warnings about add-ons.
4. In the URL text box, type http://adrms.adatum.com, and then click the arrow immediately to the right of the URL text box.
5. Click the Gear icon in the far upper right of Internet Explorer.
6. Select Internet Options.
7. Select the Security tab.
8. In the Select a zone to view or change security settings area, click the Local intranet icon, and then click the Sites button.
9. Click the Advanced button.
10. Click the Add button, click Close, and then click OK twice.
11. Close Internet Explorer.
12. On the taskbar, click the File Explorer icon.
13. In the File Explorer window, navigate to \\lon-svr1\docshare.
14. In the docshare folder, double-click the ExecutivesOnly document.
15. Verify that Carol is unable to open the document. You will receive a message with the option to Change User or request access.
16. Click No.
17. Select Ask me later, click Accept, and then click the X in the far upper right of the Microsoft Office window.
18. Close Word.
19. Go to the Start screen, click the Carol Troup icon, and then click Sign out.
Task 4: Open and edit the rights-protected document as an authorized user at Trey Research
1. Sign in to LON-CL1 as Adatum\Aidan with the password Pa$$w0rd.
2. On the Start screen, type Word. In the Results area, click Word 2013.
3. In Word, click Blank document.
4. In the Word document, type the following text:
This document is for Trey Research only, it should not be modified.
5. Click File, click Protect Document, click Restrict Access, and then click Connect to Digital Rights Management Servers and get templates.
6. In the Permission dialog box, enable Restrict Permission to this document.
7. In the Read text box, type april@treyresearch.net, click OK, click Save, and then click Browse.
8. In the Save As dialog box, save the document to the \\lon-svr1\docshare location as TreyResearchConfidential.docx. Close Word.
9. Go to the Start screen, click the Aidan Delaney icon, and then click Sign Out.
10. Sign in to TREY-CL1 as TREYRESEARCH\Administrator with the password Pa$$w0rd.
11. On the Start screen, select the Desktop tile.
12. On the taskbar, click the File Explorer icon.
13. In File Explorer, right-click This PC, and then select Properties.
14. In the System window, in the console tree, select Remote settings.
15. Click the Select Users button.
16. Click the Add button.
17. In the Select Users and Groups pop-up, in the Enter the object names to select text box, type April, and then click OK three times.
18. On the taskbar, click the Windows Start icon.
19. On the Start screen, click Administrator, and then click Sign out.
20. Sign in to TREY-CL1 as TREYRESEARCH\April with the password Pa$$w0rd.
21. On the Start screen, select the Desktop tile.
22. On the taskbar, click the Internet Explorer icon. Close any warnings about add-ons.
23. In the URL text box, type http://adrms.treyresearch.net, and then click the arrow immediately to the right of the URL text box.
24. Click the Gear icon in the far upper right of Internet Explorer.
25. Select Internet Options.
26. Select the Security tab.
27. In the Select a zone to view or change security settings area, click the Local intranet icon, and then click the Sites button.
28. Click the Advanced button.
29. Click the Add button, click Close, and then click OK twice.
30. Close Internet Explorer.
31. On the taskbar, click the File Explorer icon.
32. In the File Explorer window, navigate to \\lon-svr1\docshare.
33. In the Windows Security dialog box, enter the following credentials, and then click OK:
• Username: Adatum\Administrator
• Password: Pa$$w0rd
34. Copy the file TreyResearchConfidential.docx to the desktop.
35. Open the file TreyResearchConfidential.docx.
36. In the Active Directory Rights Management Services pop-up, click OK.
37. If the First things first page opens, click the Use recommended settings radio button, and then click Accept.
38. When the document opens, verify that you are unable to modify or save the document.
39. Select a line of text in the document and verify that you cannot make any changes.
40. Right-click the text, and verify that you cannot make changes.
41. Click View Permission, review the permissions, and then click OK.
Task 5: To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps.
1. On the host computer, start Microsoft Hyper-V® Manager.
2. In the Virtual Machines list, right-click 20412C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20412C-LON-SVR1, 20412C-TREY-DC1, 20412C-LON-CL1, and 20412C-TREY-CL1.
Results: After completing this exercise, you should have verified that the AD RMS deployment is successful.