AD RMS Step-By-Step Guide

AD RMS Step-by-Step Guide
Microsoft Corporation
Published: March 2008
Author: Brian Lich
Editor: Carolyn Eller
Abstract
This step-by-step guide provides instructions for setting up a test environment to deploy and
evaluate Active Directory Rights Management Services (AD RMS) in Windows Server® 2008. It
includes the necessary information for preparing the AD RMS infrastructure, installing and
configuring AD RMS, and verifying AD RMS features after configuration is complete.
Copyright Information
This document is provided for informational purposes only and Microsoft makes no warranties,
either express or implied, in this document. Information in this document, including URL and other
Internet Web site references, is subject to change without notice. The entire risk of the use or the
results from the use of this document remains with the user. Unless otherwise noted, the example
companies, organizations, products, domain names, e-mail addresses, logos, people, places, and
events depicted herein are fictitious, and no association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should be
inferred. Complying with all applicable copyright laws is the responsibility of the user. Without
limiting the rights under copyright, no part of this document may be reproduced, stored in or
introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express
written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Windows Server, Windows Vista, and Active
Directory are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
All other trademarks are property of their respective owners.

Contents
AD RMS Step-by-Step Guide..........................................................................................................1
Abstract....................................................................................................................................1
Copyright Information......................................................................................................................2
Contents..........................................................................................................................................3
Windows Server Active Directory Rights Management Services Step-by-Step Guide....................4

About This Guide.........................................................................................................................4
What This Guide Does Not Provide..........................................................................................4
Deploying AD RMS in a Test Environment...................................................................................4
Step 1: Setting up the Infrastructure...............................................................................................6

Configure the domain controller (CPANDL-DC).......................................................................7
Configure a Windows Server 2003–based domain controller...............................................7
Configure a Windows Server 2008–based domain controller...............................................9
Configure user accounts and groups..................................................................................10
Configure the AD RMS database computer (ADRMS-DB).....................................................12
Configure the AD RMS root cluster computer (ADRMS-SRV)................................................15
Configure AD RMS client computer (ADRMS-CLNT).............................................................16
Step 2: Installing and Configuring AD RMS on ADRMS-SRV.......................................................18
Step 3: Verifying AD RMS Functionality on ADRMS-CLNT...........................................................20

Windows Server Active Directory Rights
Management Services Step-by-Step Guide
About This Guide

This step-by-step walks you through the process of setting up a working Active Directory Rights
Management Services (AD RMS) infrastructure in a test environment. During this process you
create an Active Directory® domain, install a database server, install the AD RMS server role,
configure the AD RMS cluster, and configure the AD RMS-enabled client computer.
Once complete, you can use the test lab environment to learn about AD RMS technology on
Windows Server® 2008 and assess how it might be deployed in your organization.
As you complete the steps in this guide, you will:
• Prepare the AD RMS infrastructure.
• Install and configure AD RMS.
• Verify AD RMS functionality after you complete the configuration.
The goal of an AD RMS deployment is to be able to protect information, no matter where it goes.
Once AD RMS protection is added to a digital file, the protection stays with the file. By default,
only the content owner is able to remove the protection from the file. The owner grants rights to
other users to perform actions on the content, such as the ability to view, copy, or print the file.
For more information about the business reasons behind an AD RMS deployment, see the white
paper "Windows Rights Management Services: Helping Organizations Safeguard Digital
Information from Unauthorized Use" (http://go.microsoft.com/fwlink/?LinkId=64636).
Note
This guide is considered the basic AD RMS step-by-step guide. All other step-by-step
guides developed for AD RMS will assume that this guide has been completed first.
What This Guide Does Not Provide

This guide does not provide the following:
• An overview of AD RMS. For more information about the advantages that AD RMS can
bring to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726.
• Guidance for setting up and configuring AD RMS in a production environment
• Complete technical reference for AD RMS
Deploying AD RMS in a Test Environment

We recommend that you first use the steps provided in this guide in a test lab environment. Step-
by-step guides are not necessarily meant to be used to deploy Windows Server features without
4
additional deployment documentation and should be used with discretion as a stand-alone
document.
Upon completion of this step-by-step guide, you will have a working AD RMS infrastructure. You
can then test and verify AD RMS functionality as follows:
• Restrict permissions on a Microsoft Office Word 2007 document
• Have an authorized user open and work with the document.
• Have an unauthorized user attempt to open and work with the document.
The test environment described in this guide includes four computers connected to a private
network and using the following operating systems, applications, and services:
Computer Name Operating System Applications and Services
ADRMS-SRV Windows Server 2008 AD RMS, Internet Information

Services (IIS) 7.0, World Wide
Web Publishing Service, and
Message Queuing
CPANDL-DC Windows Server 2008 or Active Directory, Domain Name

Windows Server 2003 with System (DNS)
Service Pack 2 (SP2)
Note
Service Pack 2 for
Windows Server 2003 is
not required but will be
used for the purposes of
this guide.
ADRMS-DB Windows Server 2003 with SP2 Microsoft SQL Server® 2005
Standard Edition with Service
Note
Pack 2 (SP2)
Service Pack 2 for
Windows Server 2003 is Note
not required but will be Service Pack 2 for SQL
used for the purposes of Server 2005 Standard
this guide. Edition is not required
but will be used for the
purposes of this guide.
ADRMS-CLNT Windows Vista® Microsoft Office Word 2007

Enterprise Edition
Note
For more information about the system requirements for installing AD RMS, see
http://go.microsoft.com/fwlink/?LinkId=84733.
5
The computers form a private intranet and are connected through a common hub or Layer 2
switch. This configuration can be emulated in a virtual server environment if desired. This step-by-
step exercise uses private addresses throughout the test lab configuration. The private network
ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the
domain named cpandl.com. The following figure shows the configuration of the test environment:
Step 1: Setting up the Infrastructure

To prepare your AD RMS test environment in the CPANDL domain, you must complete the
following tasks:
• Configure the domain controller (CPANDL-DC)
• Configure the AD RMS database computer (ADRMS-DB)
• Configure the AD RMS root cluster computer (ADRMS-SRV)
• Configure the AD RMS client computer (ADRMS-CLNT)
Use the following table as a reference when setting up the appropriate computer names,
operating systems, and network settings that are required to complete the steps in this guide.
Important
Before you configure your computers with static Internet Protocol (IP) addresses, we
recommend that you first complete Windows product activation while each of your
computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).
Computer name Operating system requirement IP settings DNS settings
CPANDL-DC Windows Server 2003 with IP address: Configured by DNS

Service Pack 2 (SP2) or 10.0.0.1 server role.
Windows Server® 2008
Subnet mask:
255.255.255.0
6
Computer name Operating system requirement IP settings DNS settings
ADRMS-SRV Windows Server 2008 IP address: Preferred:

10.0.0.2 10.0.0.1
Subnet mask:
255.255.255.0
ADRMS-DB Windows Server 2003 with IP address: Preferred:

SP2 10.0.0.3 10.0.0.1
Subnet mask:
255.255.255.0
ADRMS-CLNT Windows Vista IP address Preferred:

10.0.0.4 10.0.0.1
Subnet mask:
255.255.255.0
Configure the domain controller (CPANDL-DC)

Depending on your environment, you may evaluate AD RMS in Windows Server 2008 or
Windows Server 2003 domain. Use the appropriate section to configure the domain controller,
depending on the type of domain to be used, and then configure user accounts and groups.
Configure a Windows Server 2003–based domain controller

To configure the domain controller CPANDL-DC using Windows Server 2003, you must:
• Install Windows Server 2003 with SP2.
• Configure TCP/IP properties.
• Install Active Directory.
• Raise the Active Directory domain functional level to Windows Server 2003.
• Create user accounts.
• Create groups for the user accounts.
For each user account and group that you configure with AD RMS, you need to add an e-mail
address and then assign the users to groups.
First, install Windows Server 2003 with SP2 on a stand-alone server.
To install Windows Server 2003 Standard Edition

1. Start your computer by using the Windows Server 2003 product CD. (You can use
any edition of Windows Server 2003 except the Web Edition to establish the domain.)
2. Follow the instructions that appear on your computer screen, and when prompted for
a computer name, type CPANDL-DC.
7
Next, configure TCP/IP properties so that CPANDL-DC has a static IP address of 10.0.0.1. In
addition, configure 10.0.0.1 as the IP address for the DNS server.
To configure TCP/IP properties on CPANDL-DC

1. Log on to CPANDL-DC as a member of the local Administrators group.
2. Click Start, point to Control Panel, point to Network Connections, click Local Area
Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.1.
In the Subnet mask box, type 255.255.255.0.
5. Click OK, and then click Close to close the Local Area Connection Properties
dialog box.
Next, configure the computer as a domain controller.
To configure CPANDL-DC as a domain controller

1. Click Start, and then click Run. In the Open box, type dcpromo, and then click OK.
2. On the Welcome page of the Active Directory Installation Wizard, click Next.
3. Click the Domain controller for a new domain option, and then click Next.
4. Click the Domain in a new forest option, and then click Next.
5. Click the No, just install and configure DNS on this computer option, and then
click Next.
6. In the Full DNS name for new domain box, type cpandl.com, and then click Next.
7. In the Domain NetBIOS name box, type CPANDL, and then click Next three times.
8. Select the Permissions compatible only with Windows 2000 or Windows
Server 2003 operating systems option, and then click Next.
9. In the Restore Mode Password and Confirm password boxes, type a strong
password. Click Next.
10. Click Next again.
11. When the Active Directory Installation Wizard is done, click Finish.
12. Click Restart Now.
Note
You must restart the computer after you complete this procedure.
Next, you must raise the domain functional level to Windows Server 2003 so that Active Directory
Universal groups can be used.
To raise the domain functional level to Windows Server 2003

1. Log on to CPANDL-DC with the CPANDL\Administrator account.
2. Click Start, point to Administrative Tools, and then click Active Directory Users
8
and Computers.
3. Right-click cpandl.com, and then click Raise domain functional level.
4. In the list under Select an available domain functional level, click Windows
Server 2003, and then click Raise.
5. Click OK to confirm the selection.
Note
You cannot change the domain functional level once you have raised it.
6. Close the Active Directory Users and Computers console.
Configure a Windows Server 2008–based domain controller

To configure the domain controller CPANDL-DC using Windows Server 2008, you must:
• Install Windows Server 2008.
• Configure TCP/IP properties.
• Install Active Directory Domain Services (AD DS).
First, install Windows Server 2008 on a stand-alone server.
To install Windows Server 2008

1. Start your computer by using the Windows Server 2008 product CD.
2. When prompted for a computer name, type CPANDL-DC.
3. Follow the rest of the instructions that appear on your screen to finish the installation.
Next, configure TCP/IP properties so that CPANDL-DB has a IPv4 static IP address of 10.0.0.1
and a IPv6 static IP address of FEC0:0:0:1::.
To configure TCP/IP properties

1. Log on to CPANDL-DC with the CPANDL-DC\Administrator account.
2. Click Start, click Control Panel, click Network and Internet, click Network and
Sharing Center, click Manage Network Connections, right-click Local Area
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then
click Properties.
In the Subnet mask box, type 255.255.255.0, and then click OK.
5. On the Networking tab, clear the Internet Protocol Version 6 (TCP/IPv6) check
box, and then click OK.
6. Click OK to close the Local Area Connection Properties dialog box.
Next, configure the computer as a domain controller using Windows Server 2008.
9
To configure CPANDL-DC as a domain controller using Windows Server 2008
1. Click Start, and then click Run. In the Open box, type dcpromo, and then click OK.
2. On the Welcome to the Active Directory Domain Services Installation Wizard
page, click Next.
3. Click the Domain controller for a new domain option, and then click Next.
4. Click the Create a new domain in a new forest option, and then click Next.
5. In the FQDN of the forest root domain box, type cpandl.com, and then click Next.
6. In the Forest functional level box, select Windows Server 2003, and then click
Next.
7. In the Domain functional level box, select Windows Server 2003, and then click
Next.
8. Ensure that the DNS server check box is selected, and then click Next.
9. Click Yes, confirming that you want to create a delegation for this DNS server.
10. On the Location for Database, Log Files, and SYSVOL page, click Next.
11. In the Password and Confirm password boxes, type a strong password, and then
click Next.
12. On the Summary page, click Next to start the installation.
13. When the installation is complete, click Finish, and then click Restart Now.
Note
You must restart the computer after you complete this procedure.
Configure user accounts and groups

In this section you create the user accounts and groups in the CPANDL domain.
First, add the user accounts shown in the following table to Active Directory or AD DS. Use the
procedure following the table to create the user accounts.
Account Name User Logon Name E-mail address Group
ADRMSSRVC ADRMSSRVC
ADRMSADMIN ADRMSADMIN Enterprise Admins
Nicole Holliday NHOLLIDA nhollida@cpandl.com Employees,

Finance
Limor Henig LHENIG lhenig@cpandl.com Employees,

Marketing
Stuart Railson SRAILSON srailson@cpandl.com Employees,

Engineering
10
To add new user accounts
and Computers.
2. In the console tree, expand cpandl.com.
3. Right-click Users, point to New, and then click User.
4. In the New Object – User dialog box, type ADRMSSRVC in the Full name and User
logon name boxes, and then click Next.
5. In the New Object – User dialog box, type a password of your choice in the
Password and Confirm password boxes. Clear the User must change password at
next logon check box, click Next, and then click Finish.
6. Perform steps 3-6 for each of the following users: ADRMSADMIN, Nicole Holliday,
Limor Henig, and Stuart Railson.
Next, add e-mail addresses to all user accounts.
To add e-mail addresses to user accounts

1. In the Active Directory Users and Computers console, right-click Nicole Holliday,
click Properties, type nhollida@cpandl.com in the E-mail box, and then click OK.
2. Repeat step 1 for Limor Henig and Stuart Railson, using the e-mail addresses for
each account from the table.
Once the user accounts have been created, Active Directory Universal groups should be created
and these users added to them. The following table lists the Universal groups that should be
added to Active Directory. Use the procedure following the table to create the Universal groups.
Group Name E-mail address
Finance finance@cpandl.com
Marketing marketing@cpandl.com
Engineering engineering@cpandl.com
Employees employees@cpandl.com
To add new group objects to Active Directory

1. In the Active Directory Users and Computers console, right-click Users, point to
New, and then click Group.
2. In the New Object – Group dialog box, type Finance in Group name, select the
Universal option for the Group Scope, and then click OK.
3. Perform the above steps 1-2 for each of the remaining groups: Marketing,
Engineering, and Employees.
11
Next, add e-mail addresses to group objects:
To add e-mail addresses to group objects

1. In the Active Directory Users and Computers console, double-click Users, right-
click Finance, and then click Properties.
2. Type finance@cpandl.com in the E-mail box, and then click OK.
3. Perform the above steps 1-2 for each of the remaining groups: Marketing,
Engineering, and Employees.
Finally, add the user accounts to their appropriate groups. In this guide, we will add Nicole
Holliday, Limor Henig, and Stuart Railson to the Employees group. Then, we will add Nicole
Holliday to the Finance group, Limor Henig to the Marketing group, and finally add Stuart Railson
to the Engineering group. To add the user accounts to their respective groups, you should follow
these steps:
To add user accounts to groups

1. In the Active Directory Users and Computers console, double-click Users, and
then double-click Employees.
2. Click Members, and then click Add.
3. Type nhollida@cpandl.com;lhenig@cpandl.com;srailson@cpandl.com, and then
click OK.
4. Perform the above steps 2-4 to add one member to each of the remaining groups as
follows:
• Nicole Holliday—Finance
• Limor Henig—Marketing
• Stuart Railson—Engineering
Configure the AD RMS database computer (ADRMS-DB)

First, install Windows Server 2003 on the computer that will be hosting the AD RMS databases.
To install Windows Server 2003 Standard Edition

1. Start your computer using the Windows Server 2003 product CD. (You can use any
edition of Windows Server 2003 except the Web Edition to establish the domain.)
2. Follow the instructions that appear on your computer screen, and when prompted for
a computer name, type ADRMS-DB.
In this step, configure TCP/IP properties so that ADRMS-DB has a static IP address of 10.0.0.3.
To configure TCP/IP properties on ADRMS-DB

1. Log on to ADRMS-DB with the ADRMS-DB\Administrator account or another user
12
account in the local Administrators group.
2. Click Start, point to Control Panel, point to Network Connections, click Local Area
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
In the Subnet mask box, type 255.255.255.0.
dialog box.
Next, join the AD RMS database server (ADRMS-DB) computer to the CPANDL domain:
To join ADRMS-DB to the CPANDL domain

1. Click Start, right-click My Computer, and then click Properties.
2. Click Computer Name tab, and then click Change.
3. In the Computer Name Changes dialog box, select the Domain option, and then
type cpandl.com.
4. Click More, and then type cpandl.com in the Primary DNS suffix of this computer
box.
5. Click OK twice.
6. When a Computer Name Changes dialog box appears prompting you for
administrative credentials, provide the credentials for CPANDL\Administrator, and then
click OK.
7. When a Computer Name Changes dialog box appears welcoming you to the
cpandl.com domain, click OK.
8. When a Computer Name Changes dialog box appears telling you that the computer
must be restarted, click OK, and then click OK again.
9. Click Yes to restart the computer.
Next, install Microsoft SQL Server 2005 Standard Edition:
To install Microsoft SQL Server 2005

1. Log on to ADRMS-DB with the CPANDL\Administrator account or another user
2. Insert the Microsoft SQL Server 2005 product CD. The installation will start
automatically.
3. Click the I accept the licensing terms and conditions check box, and then click
Next.
4. On the Installing Prerequisites page, click Install.
5. Click Next.
6. On the Welcome to the Microsoft SQL Server Installation Wizard page, click
Next, and then click Next again.
13
7. In the Name box, type your name. In the Company box, type the name of your
organization, and then type in the appropriate product key. Click Next.
8. Select the SQL Server Database Services, and Workstation components, Books
Online, and development tools check boxes, and then click Next.
9. Select the Default instance option, and then click Next.
10. Click the Use the built-in System account option, and then click Next.
11. Click the Windows Authentication Mode option, and then click Next.
12. Click Next, accepting the default Collation Settings, and then click Next again.
13. Click Install. When the status of all the selected components is finished, click Next.
14. Click Finish.
Next, add ADRMSADMIN to the local Administrators group on ADRMS-DB. The AD RMS
installing user account needs this membership in order to create the AD RMS databases. After
AD RMS installed, ADRMSADMIN can be removed from this group.
To add ADRMSADMIN to local Administrators group

1. Click Start, point to Administrative Tools, and then click Computer Management.
2. Expand System Tools, expand Local Users and Groups, and then click Groups.
3. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN in
Enter the object names to select (examples) box, and then click OK.
4. Click OK, and then close Computer Management.
Finally, create a shared folder on ADRMS-DB so that other users can find documents saved to
the network.
To create a shared network folder that can be modified by CP&L employees

1. Click Start, click My Computer, and then double-click Local Disk (C:).
2. Click File, point to New, and then click Folder.
3. Type Public for the new folder, and then press ENTER.
4. Right-click Public, and then click Sharing and Security.
5. On the Sharing tab click the Share this folder option, and ensure that Public is in
the Share name box.
6. Click Permissions.
7. In the Group or user name box click Everyone.
8. Select the Full Control check box in the Allow column of the Permissions for
Everyone box.
9. Click OK.
10. Click the Security tab, and then click Users (ADRMS-DB\Users) in the Group or
user name box.
11. In the Permissions for Users box select the Full Control check box in the Allow
14
column.
12. Click OK.
Configure the AD RMS root cluster computer (ADRMS-SRV)

To configure the member server, ADRMS-SRV, you must install Windows Server 2008, configure
TCP/IP properties, and then join ADRMS-SRV to the domain cpandl.com. You must also add the
account ADRMSADMIN as a member to the local administrators group. This is needed for
ADRMSADMIN to install AD RMS on ADRMS-SRV.
Installing the AD RMS server role will also install Internet Information Services (IIS) 7.0 and
Message Queuing.
First, install Windows Server 2008 as a stand-alone server.
To install Windows Server 2008

1. Start your computer by using the Windows Server 2008 product CD.
2. When prompted for a computer name, type ADRMS-SRV.
3. Follow the rest of the instructions that appear on your screen to finish the installation.
Next, configure TCP/IP properties so that ADRMS-SRV has a static IP address of 10.0.0.2. In
addition, configure the DNS server by using the IP address of CPANDL-DC (10.0.0.1).
To configure TCP/IP Properties

1. Log on to ADRMS-SRV with the ADRMS-SRV\Administrator account or another user
2. Click Start, click Control Panel, double-click Network and Sharing Center, click
Manage Network Connections, right-click Local Area Connection, and then click
Properties.
click Properties.
4. Click the Use the following IP address option. In IP address, type 10.0.0.2, in
Subnet mask, type 255.255.255.0.
5. Click the Use the following DNS server addresses option. In Preferred DNS
server, type 10.0.0.1.
dialog box.
Next, join ADRMS-SRV to the cpandl.com domain.
To join ADRMS-SRV to the cpandl.com domain

1. Click Start, right-click Computer, and then click Properties.
2. Click Change settings (at the right side under Computer name, domain, and
workgroup settings), and then click Change.
15
3. In the Computer Name/Domain Changes dialog box, select the Domain option, and
then type cpandl.com.
4. Click More, and type cpandl.com in Primary DNS suffix of this computer box.
5. Click OK, and then click OK again.
6. When a Computer Name/Domain Changes dialog box appears prompting you for
administrative credentials, provide the credentials for CPANDL\Administrator, and then
click OK.
7. When a Computer Name/Domain Changes dialog box appears welcoming you to
the cpandl.com domain, click OK.
8. When a Computer Name/Domain Changes dialog box appears telling you that the
computer must be restarted, click OK, and then click Close.
9. Click Restart Now.
After the computer has restarted, add ADRMSADMIN to the local administrators group on
ADRMS-SRV.
To add ADRMSADMIN to the local administrators group

1. Log on to ADRMS-SRV with the CPANDL\Administrator account.
2. Click Start, click Administrative Tools, and then click Computer Management.
3. Expand System Tools, expand Local User and Groups, and then click Groups.
4. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN in
Enter the object names to select (examples) box, and then click OK.
5. Click OK, and then close Computer Management.
Configure AD RMS client computer (ADRMS-CLNT)

To configure ADRMS-CLNT, you must install Windows Vista, configure TCP/IP properties, and
then join ADRMS-CLNT to the domain cpandl.com. You must also install an AD RMS-enabled
application. In this example, Microsoft Office Word 2007 Enterprise Edition is installed on
ADRMS-CLNT.
To install Windows Vista

1. Start your computer by using the Windows Vista product CD.
2. Follow the instructions that appear on your screen, and when prompted for a
computer name, type ADRMS-CLNT.
Next, configure TCP/IP properties so that ADRMS-CLNT has a static IP address of 10.0.0.4. In
addition, configure the DNS server of CPANDL-DC (10.0.0.1).
To configure TCP/IP properties

1. Log on to ADRMS-CLNT with the ADRMS-CLNT\Administrator account or another
user account in the local Administrators group.
16
2. Click Start, click Control Panel, click Network and Internet, and then click Network
and Sharing Center.
3. Click Manage Network Connections, right-click Local Area Connection, and then
click Properties.
4. If the User Account Control dialog box appears, confirm that the action it displays is
what you want, and then click Continue.
click Properties.
6. Click the Use the following IP address option. In IP address, type 10.0.0.4, in
Subnet mask, type 255.255.255.0.
7. Click the Use the following DNS server addresses option. In Preferred DNS
server, type 10.0.0.1.
dialog box.
Next, join ADRMS-CLNT to the cpandl.com domain.
To join ADRMS-CLNT to the cpandl.com domain

1. Click Start, right-click Computer, and then click Properties.
2. Under Computer name, domain, and workgroup settings, click Change settings.
4. On the Computer Name tab, click Change.
5. In the Computer Name/Domain Changes dialog box, select the Domain option, and
then type cpandl.com.
6. Click More, and in the Primary DNS suffix of this computer box, type cpandl.com.
7. Click OK, and then click OK again.
8. When a Computer Name/Domain Changes dialog box appears prompting you for
administrative credentials, provide the credentials, and then click OK.
9. When a Computer Name/Domain Changes dialog box appears welcoming you to
the cpandl.com domain, click OK.
10. When a Computer Name/Domain Changes dialog box appears telling you that the
computer must be restarted, click OK, and then click Close.
11. In the System Settings Change dialog box, click Yes to restart the computer.
Finally, install Microsoft Office Word 2007 Enterprise.
To install Microsoft Office Word 2007 Enterprise

1. Log on to ADRMS-CLNT with the CPANDL\Administrator account or another user
2. Double-click setup.exe from the Microsoft Office 2007 Enterprise product disc.
17
3. Click Customize as the installation type, set the installation type to Not Available for
all applications except Microsoft Office Word 2007 Enterprise, and then click Install Now.
This might take several minutes to complete.
Important
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007
allow you to create rights-protected content. All editions will allow you to consume rights-
protected content.
Step 2: Installing and Configuring AD RMS

on ADRMS-SRV
To install and configure AD RMS, you must add the AD RMS server role.
Windows Server 2008 includes the option to install AD RMS as a server role through Server
Manager. Both installation and configuration of AD RMS are handled through Server Manager.
The first server in an AD RMS environment is the root cluster. An AD RMS root cluster is
composed of one or more AD RMS servers configured in a load-balancing environment. This
step-by-step guide will install and configure a single-server AD RMS root cluster.
Registering the AD RMS service connection point (SCP) requires that the installing user account
be a member of the Active Directory Enterprise Admins group.
Important
Access to the Enterprise Admins group should be granted only while AD RMS is being
installed. After installation is complete, the cpandl\ADRMSADMIN account should be
removed from this group.
To add ADRMSADMIN to the Enterprise Admins group

1. Log on to CPANDL-DC with the cpandl\Administrator account or another user
account in the Domain Admins group.
and Computers.
3. In the console tree, expand cpandl.com, double-click Users, and then double-click
Enterprise Admins.
4. Click the Members tab, and then click Add.
5. Type adrmsadmin@cpandl.com, and then click OK.
Install and configure AD RMS as a root cluster.
To add the AD RMS Server Role

1. Log on to ADRMS-SRV as cpandl\ADRMSADMIN.
2. Click Start, point to Administrative Tools, and then click Server Manager.
18
4. In the Roles Summary box, click Add Roles. The Add Roles Wizard opens.
5. Read the Before You Begin section, and then click Next.
6. On the Select Server Roles page, select the Active Directory Rights Management
Services check box.
7. The Role Services page appears informing you of the AD RMS dependent role
services and features. Make sure that Web Server (IIS), Windows Process Activation
Service (WPAS), and Message Queuing are listed, and then click Add Required Role
Services. Click Next.
8. Read the AD RMS introduction page, and then click Next.
9. On the Select Role Services page, verify that the Active Directory Rights
Management Server check box is selected, and then click Next.
10. Click the Create a new AD RMS cluster option, and then click Next.
11. Click the Use a different database server option.
12. Click Select, type ADRMS-DB in the Select Computer dialog box, and then click
OK.
13. In Database Instance, click Default, and then click Validate.
14. Click Next.
15. Click Specify, type CPANDL\ADRMSSRVC, type the password for the account, click
OK, and then click Next.
16. Ensure that the Use AD RMS centrally managed key storage option is selected,
and then click Next.
17. Type a strong password in the Password box and in the Confirm password box,
and then click Next.
18. Choose the Web site where AD RMS will be installed, and then click Next. In an
installation that uses default settings, the only available Web site should be Default Web
Site.
19. Click the Use an SSL-encrypted connection (https://) option.
20. In the Fully-Qualified Domain Name box, type adrms-srv.cpandl.com, and then
click Validate. If validation succeeds, the Next button becomes available. Click Next.
21. Click the Choose an existing certificate for SSL encryption option, click the
certificate that has been imported for this AD RMS cluster, and then click Next.
22. Type a name that will help you identify the AD RMS cluster in the Friendly name
box, and then click Next.
23. Ensure that the Register the AD RMS service connection point now option is
selected, and then click Next to register the AD RMS service connection point (SCP) in
Active Directory during installation.
24. Read the Introduction to Web Server (IIS) page, and then click Next.
19
25. Keep the Web server default check box selections, and then click Next.
26. Click Install to provision AD RMS on the computer. It can take up to 60 minutes to
complete the installation.
27. Click Close.
28. Log off the server, and then log on again to update the security token of the logged-
on user account. The user account that is logged on when the AD RMS server role is
installed is automatically made a member of the AD RMS Enterprise Administrators local
group. A user must be a member of that group to administer AD RMS.
Note
At this point in the guide, you can remove cpandl\ADRMSADMIN from the local
Administrators group on ADRMS-DB.
Your AD RMS root cluster is now installed and configured.
Further management of AD RMS is done by using the Active Directory Rights Management
Services console.
To open the Active Directory Rights Management Services console

1. Click Start, point to Administrative Tools, and then click Active Directory Rights
Management Services.
From the console, you can configure trust policies, configure exclusion policies, and create rights
policy templates.
Step 3: Verifying AD RMS Functionality on

ADRMS-CLNT
The AD RMS client is included in the default installation of Windows Vista and Windows
Server 2008. Previous versions of the client are available for download for some earlier versions
of the Windows operating system. For more information, see the Windows Server 2003 Rights
Management Services page on the Microsoft Windows Server TechCenter
(http://go.microsoft.com/fwlink/?LinkId=68637).
Before you can consume rights-protected content, you must add the AD RMS cluster URL to the
Local Intranet security zone.
Add the AD RMS cluster URL to the Local Intranet security zone for all users who will be
consuming rights-protected content.
To add AD RMS cluster to Local Intranet security zone

1. Log on to ADRMS-CLNT as Nicole Holliday (cpandl\NHOLLIDA).
20
2. Click Start, click All Programs, and then click Internet Explorer.
3. Click Tools, and then click Internet Options.
4. Click the Security tab, click Local intranet, and then click Sites.
5. Click Advanced.
6. In the Add this website to the zone, type https://adrms-srv.cpandl.com, and then
click Add.
7. Click Close.
8. Repeat steps 1–7 for Stuart Railson and Limor Henig.
To verify the functionality of the AD RMS deployment, you will log on as Nicole Holliday and then
restrict permissions on a Microsoft Word 2007 document so that members of the CP&L
Engineering group are able to read the document but unable to change, print, or copy. You will
then log on as Stuart Railson, verifying that the proper permission to read the document has been
granted, and nothing else. Then, you will log on as Limor Henig. Since Limor is not a member of
the Engineering group, he should not be able to consume the rights-protected file.
To restrict permissions on a Microsoft Word document

1. Log on to ADRMS-CLNT as Nicole Holliday (cpandl\NHOLLIDA).
2. Click Start, point to All Programs, point to Microsoft Office, and then click
Microsoft Office Word 2007.
3. Type CP&L engineering employees can read this document, but they cannot
change, print, or copy it on the blank document page.
4. Click the Microsoft Office Button, click Prepare, click Restrict Permission, and
then click Restricted Access.
5. Click the Restrict permission to this document check box.
6. In the Read box, type engineering@cpandl.com, and then click OK to close the
Permission dialog box.
7. Click the Microsoft Office Button, click Save As, and then save the file as
\\ADRMS-DB\Public\ADRMS-TST.docx.
8. Log off as Nicole Holliday.
Next, log on as Stuart Railson and open the document, ADRMS-TST.docx.
To view a rights-protected document

1. Log on to ADRMS-CLNT as Stuart Railson (cpandl\SRAILSON).
3. Click the Microsoft Office Button, and then click Open.
4. In the File name box, type \\ADRMS-DB\Public\ADRMS-TST.docx, and then click
Open.
The following message appears: "Permission to this document is currently restricted.
21
Microsoft Office must connect to https://adrms-
srv.cpandl.com:443/_wmcs/licensing to verify your credentials and download your
permission."
5. Click OK.
The following message appears: "Verifying your credentials for opening content with
restricted permissions…".
6. When the document opens, click the Microsoft Office Button. Notice that the Print
option is not available.
7. Close Microsoft Word.
8. Log off as Stuart Railson.
Finally, log on as Limor Henig and verify that he is not able to consume the rights-protected file.
To attempt to view a rights-protected document

1. Log on to ADRMS-CLNT as Limor Henig (cpandl\LHENIG).
3. Click the Microsoft Office Button, click Open, and then double-click \\ADRMS-
DB\Public\ADRMS-TST.docx.
The following message appears: "Permission to this document is currently restricted.
Microsoft Office must connect to https://adrms-
srv.cpandl.com:443/_wmcs/licensing to verify your credentials and download your
permission."
4. Click OK.
5. The following message appears: "You do not have credentials that allow you to
open this document. You can request updated permission from
nhollida@cpandl.com. Do you want to request updated permission?"
6. Click No, and then close Microsoft Word.
You have successfully deployed and demonstrated the functionality of AD RMS, using the simple
scenario of applying restricted permissions to a Microsoft Word 2007 document. You can also use
this deployment to explore some of the additional capabilities of AD RMS through additional
configuration and testing.
22

AD RMS Step-By-Step Guide

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AD RMS Step-By-Step Guide

Uploaded by

Copyright:

Available Formats

AD RMS Step-by-Step Guide

© 2008 Microsoft Corporation. All rights reserved.

All other trademarks are property of their respective owners.

Windows Server Active Directory Rights Management Services Step-by-Step Guide....................4

Step 1: Setting up the Infrastructure...............................................................................................6

Step 2: Installing and Configuring AD RMS on ADRMS-SRV.......................................................18

Step 3: Verifying AD RMS Functionality on ADRMS-CLNT...........................................................20

About This Guide

What This Guide Does Not Provide

Deploying AD RMS in a Test Environment

Computer Name Operating System Applications and Services

ADRMS-SRV Windows Server 2008 AD RMS, Internet Information

CPANDL-DC Windows Server 2008 or Active Directory, Domain Name

ADRMS-CLNT Windows Vista® Microsoft Office Word 2007

Step 1: Setting up the Infrastructure

Computer name Operating system requirement IP settings DNS settings

CPANDL-DC Windows Server 2003 with IP address: Configured by DNS

ADRMS-SRV Windows Server 2008 IP address: Preferred:

ADRMS-DB Windows Server 2003 with IP address: Preferred:

ADRMS-CLNT Windows Vista IP address Preferred:

Configure the domain controller (CPANDL-DC)

Configure a Windows Server 2003–based domain controller

To install Windows Server 2003 Standard Edition

To configure TCP/IP properties on CPANDL-DC

Next, configure the computer as a domain controller.

To configure CPANDL-DC as a domain controller

To raise the domain functional level to Windows Server 2003

Configure a Windows Server 2008–based domain controller

To install Windows Server 2008

To configure TCP/IP properties

Configure user accounts and groups

Account Name User Logon Name E-mail address Group

ADRMSADMIN ADRMSADMIN Enterprise Admins

Nicole Holliday NHOLLIDA nhollida@cpandl.com Employees,

Limor Henig LHENIG lhenig@cpandl.com Employees,

Stuart Railson SRAILSON srailson@cpandl.com Employees,

Next, add e-mail addresses to all user accounts.

To add e-mail addresses to user accounts

Group Name E-mail address

To add new group objects to Active Directory

To add e-mail addresses to group objects

To add user accounts to groups

Configure the AD RMS database computer (ADRMS-DB)

To install Windows Server 2003 Standard Edition

To configure TCP/IP properties on ADRMS-DB

To join ADRMS-DB to the CPANDL domain

To install Microsoft SQL Server 2005

To add ADRMSADMIN to local Administrators group

To create a shared network folder that can be modified by CP&L employees

Configure the AD RMS root cluster computer (ADRMS-SRV)

To install Windows Server 2008

To configure TCP/IP Properties

Next, join ADRMS-SRV to the cpandl.com domain.

To join ADRMS-SRV to the cpandl.com domain

To add ADRMSADMIN to the local administrators group

Configure AD RMS client computer (ADRMS-CLNT)

To install Windows Vista

To configure TCP/IP properties

Next, join ADRMS-CLNT to the cpandl.com domain.

To join ADRMS-CLNT to the cpandl.com domain

Finally, install Microsoft Office Word 2007 Enterprise.

To install Microsoft Office Word 2007 Enterprise

Step 2: Installing and Configuring AD RMS