Understanding and Installing Active Directory Rights Management Services (part 3)

7/14/2011 11:22:34 AM
2.4. Moving AD RMS to Windows Server 2008 R2

If your organization is already running AD RMS on Windows Server 2008 and wants to move its installation to Windows Server 2008 R2, you have two options:

  • Upgrade the installation.

  • Migrate the installation.

Upgrading the installation means performing an operating system upgrade to Windows Server 2008 R2, then upgrading the AD RMS installation after the operating system upgrade is complete. Most organizations and IT administrators balk at the idea of performing an operating system upgrade. Upgrades are more reliable now that Microsoft has changed the operating system installation process—this change occurred with the release of Windows Vista—but many administrators still don’t trust them. If this is the case in your organization, you’ll have to rely on the second option to move to an AD RMS installation on Windows Server 2008 R2.

Migrating the installation is often simpler than upgrading. That’s because you begin with a brand-new operating system installation on either a physical or virtual machine. Use the following process:

  1. Install Windows Server 2008 R2 on a new computer.

  2. Add the AD RMS role and join the existing AD RMS cluster. This makes all of the core components of your AD RMS available on the new server.

  3. Add new servers running Windows Server 2008 R2 to the AD RMS cluster. This provides high availability and further protection for the core components of the AD RMS installation.

  4. Decommission and remove the AD RMS cluster members that are not running Windows Server 2008 R2.

As you can see, migrating is as simple as upgrading and may provide better results. However, whichever procedure you rely on, consider the following when you perform the move:

  • Back up the AD RMS configuration database prior to the move. This provides additional protection during the move.

  • Export the server licensor certificate (SLC). The SLC decrypts all encrypted content, so place the export in a safe location.

  • Export and install the CSP key. The CSP key stores the AD RMS private key and therefore is required on all cluster members. Export it from an existing server, and import it on all new cluster members running Windows Server 2008 R2.

Using these measures during a move protects your installation and allows you to roll back to the existing installation should a mishap occur during the move.

After the move is complete, you must also perform the following tasks:

  1. Update the CNAME record for the AD RMS cluster. Make sure that you remove the decommissioned server names from this record and add the new server names running Windows Server 2008 R2.

  2. Open the AD RMS console and verify that the updated cluster is healthy.

  3. Test AD RMS connectivity by using an AD RMS client.

Performing these final tasks ensures that your new AD RMS cluster is ready for business.
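The post-move tasks above, scripted as an added example that is not part of the original text: it repoints the cluster CNAME with dnscmd, confirms the alias no longer resolves to the decommissioned member, and probes the AD RMS pipelines over HTTPS. It assumes SERVER01 hosts the contoso.com zone, SERVER04 is being decommissioned, SERVER05 is the new Windows Server 2008 R2 member, and it runs under a domain administrator account on a domain-joined host.

```powershell
# Added example: post-move checks for the RightsManagement.contoso.com alias.
# SERVER05 as the new cluster member is an assumption for this example.
$DnsServer   = 'SERVER01'
$Zone        = 'contoso.com'
$Alias       = 'RightsManagement'
$OldTarget   = 'SERVER04.contoso.com'   # decommissioned member
$NewTarget   = 'SERVER05.contoso.com'   # new 2008 R2 member (assumed name)
$ClusterFqdn = "$Alias.$Zone"

# 1. Repoint the CNAME: drop the decommissioned target, add the new one.
#    dnscmd.exe ships with the DNS Server role and with RSAT.
& dnscmd $DnsServer /RecordDelete $Zone $Alias CNAME $OldTarget /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordDelete failed ($LASTEXITCODE)" }
& dnscmd $DnsServer /RecordAdd $Zone $Alias CNAME $NewTarget | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dnscmd /RecordAdd failed ($LASTEXITCODE)" }

# 2. The alias must resolve to exactly the addresses of the new member.
#    Flush the local resolver cache so a stale answer cannot hide a bad record.
& ipconfig /flushdns | Out-Null
$aliasIps = [System.Net.Dns]::GetHostAddresses($ClusterFqdn) | ForEach-Object { $_.IPAddressToString }
$newIps   = [System.Net.Dns]::GetHostAddresses($NewTarget)   | ForEach-Object { $_.IPAddressToString }
if (Compare-Object $aliasIps $newIps) {
    throw "$ClusterFqdn resolves to [$aliasIps], expected [$newIps]"
}

# 3. Probe the certification and licensing pipelines over TLS. HTTP 200 or 401
#    (an authentication challenge) both show the cluster URL answers with a
#    certificate the client trusts; a name mismatch or untrusted chain raises
#    a WebException with no Response, which we treat as a failure.
$Pipelines = @(
    "https://$ClusterFqdn/_wmcs/certification/certification.asmx",
    "https://$ClusterFqdn/_wmcs/licensing/license.asmx"
)
foreach ($url in $Pipelines) {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.UseDefaultCredentials = $true
    $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode   # typically 401
        } else {
            throw "$url unreachable or TLS failure: $($_.Exception.Message)"
        }
    }
    "{0,-4} {1}" -f $status, $url
    # 4. Report the certificate actually presented, so you can confirm it is
    #    the one issued for the cluster name and not the old server's.
    if ($req.ServicePoint.Certificate) {
        "     presented cert: " + $req.ServicePoint.Certificate.Subject
    }
}
```

Run it from a cluster member after the new member has joined; the throw in step 2 is the check that catches a CNAME still pointing at the decommissioned server.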


Note:

MORE INFO MOVING FROM AN AD RMS INSTALLATION ON WINDOWS SERVER 2008 TO WINDOWS SERVER 2008 R2

For more information on how to upgrade AD RMS on Windows Server 2008 to Windows Server 2008 R2, go to http://technet.microsoft.com/en-us/library/ff770805%28WS.10%29.aspx.


2.5. Working with Windows PowerShell

AD RMS can be both installed and administered with Windows PowerShell on Windows Server 2008 or Windows Server 2008 R2. There are two modules for AD RMS:

  • AdRmsInstall, which supports the installation and configuration of AD RMS components

  • AdRmsAdmin, which controls the administration of installed AD RMS components

Run the following cmdlets to import both modules:

Import-Module AdRms

Import-Module AdRmsAdmin

You can also import all available PowerShell modules to gain access to AD RMS cmdlets.

After the modules are imported, you can manage and administer AD RMS installations and components through PowerShell. One great advantage of PowerShell is that you can easily automate AD RMS administration and deployment through its cmdlets.


Note:

MORE INFO AD RMS AND WINDOWS POWERSHELL

For more information on how to use PowerShell to work with AD RMS, see http://go.microsoft.com/fwlink/?LinkId=136806.


2.5.1. Practice Installing AD RMS

In this practice, you install AD RMS into a new cluster. First you must add a DNS record. In the following exercises, you create the service account and the AD RMS role groups in the directory, create and install a Web Server certificate, and then proceed to the installation.

EXERCISE 1 Prepare the DNS Record

In this exercise, you create a CNAME record to prepare for the AD RMS cluster URL.

  1. Log on to SERVER01, using the domain Administrator account.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\DNS Server\DNS\SERVER01\Forward Lookup Zones and select contoso.com.

  4. Right-click in the details pane and click New Alias (CNAME).

  5. In the New Resource Record dialog box, type the alias name RightsManagement and assign it to SERVER04.contoso.com in the Fully Qualified Domain Name (FQDN) For Target Host section of the dialog box. Click OK.

    You have created a new record for the AD RMS cluster URL. It replicates to the other DNS servers as you perform the other exercises.

EXERCISE 2 Prepare the Directory

In this exercise, you create a service account and four groups for AD RMS administration delegation.

  1. Log on to SERVER01, using the domain Administrator account, if you haven’t done so already.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Domain Services\Active Directory Users and Computers\contoso.com. Create the Admins\Service Identities OU structure if it doesn’t already exist.

  4. Right-click the Service Identities OU, point to New, and then click User.

  5. Name the user ADRMSService, and use this name for both the logon and the pre–Windows 2000 logon names. Click Next.

  6. Assign a complex password, clear User Must Change Password At Next Logon, and select Password Never Expires. Click Next, and then click Finish to create the account.


    Note:

    LEGACY SERVICE ACCOUNTS

    You must create the service account as directed in these steps because you cannot use a managed service account in this instance. Managed service accounts do not work when the account is shared by multiple computers or when the account is used for a service running on multiple computers, such as for a cluster.


  7. Create the AD RMS administration groups under the contoso.com\Admins\Server Delegations OU. Create these OUs if they are not already created.

  8. Create four global security groups. Right-click in the details pane, point to New, and then click Group. Type the name and click OK. Create the following four groups:

    • AD RMS Enterprise Administrators

    • AD RMS Template Administrators

    • AD RMS Auditors

    • AD RMS Service Account

  9. Right-click the AD RMS Service Account group and click Properties. On the Members tab, add the ADRMSService account to this group and click OK.

  10. Log on to SERVER04, using the domain Administrator account, if you have not done so already.

  11. Launch Server Manager from the Administrative Tools program group.

  12. Expand Configuration\Local Users And Groups and select Groups.

  13. Double-click the Administrators group to open it.

  14. Add the AD RMS Service Account group to this group, and click OK.
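Exercise 2 performed from a PowerShell prompt on SERVER01 instead of the GUI, as an added example that is not part of the original exercise. It assumes the Windows Server 2008 R2 ActiveDirectory module is available on SERVER01, that SERVER04 is reachable for remote local-group management, and it uses the OU, account and group names the exercise specifies.

```powershell
# Added example: Exercise 2 (service account, delegation groups, local admin
# membership on SERVER04) with the ActiveDirectory module plus ADSI.
Import-Module ActiveDirectory

$DomainDn = 'DC=contoso,DC=com'
$AdminsOu = "OU=Admins,$DomainDn"
$SvcIdOu  = "OU=Service Identities,$AdminsOu"
$DelegOu  = "OU=Server Delegations,$AdminsOu"

# Steps 3 and 7: create the OU structure only where it is missing.
foreach ($ou in @(@{ Name = 'Admins';             Path = $DomainDn },
                  @{ Name = 'Service Identities'; Path = $AdminsOu },
                  @{ Name = 'Server Delegations'; Path = $AdminsOu })) {
    $dn = "OU=$($ou.Name),$($ou.Path)"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path
    }
}

# Steps 4-6: the legacy service account. A managed service account cannot be
# used here because the account is shared by every cluster member.
$pwd = Read-Host -Prompt 'Complex password for ADRMSService' -AsSecureString
New-ADUser -Name 'ADRMSService' -SamAccountName 'ADRMSService' `
    -UserPrincipalName 'ADRMSService@contoso.com' -Path $SvcIdOu `
    -AccountPassword $pwd -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true -Enabled $true `
    -Description 'AD RMS service account (shared by all cluster members)'

# Step 8: the four global security groups for delegated administration.
$Groups = 'AD RMS Enterprise Administrators',
          'AD RMS Template Administrators',
          'AD RMS Auditors',
          'AD RMS Service Account'
foreach ($g in $Groups) {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $DelegOu
}

# Step 9: the service account is a member of the AD RMS Service Account group.
Add-ADGroupMember -Identity 'AD RMS Service Account' -Members 'ADRMSService'

# Steps 10-14: add that domain group to SERVER04's local Administrators group
# through the WinNT provider. The group must already have replicated to the
# domain controller SERVER04 uses; in this single-DC lab that is SERVER01.
$localAdmins = [ADSI]'WinNT://SERVER04/Administrators,group'
$localAdmins.Add('WinNT://contoso/AD RMS Service Account,group')

# Read back both memberships so the result is verified, not assumed.
Get-ADGroupMember -Identity 'AD RMS Service Account' | Select-Object SamAccountName
$localAdmins.psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
```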

EXERCISE 3 Prepare a Web Server Certificate

Because AD RMS requires SSL-encrypted web connections, you must create and install a web server certificate before you can proceed with the installation. Note that for this practice to work, the Contoso-Issuing-CA01 enterprise CA used in the following steps must already be in place. You can use a self-signed certificate, but by using real certificates you learn to integrate AD CS with AD RMS.

  1. Log on to SERVER04, using the domain Administrator account.

    This grants you Enterprise Administrator credentials, which are required to create the SCP. These rights are required for Exercise 4.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Expand Roles\Active Directory Certificate Services and select Certificate Templates. The node shows that you are connected to SERVER01.contoso.com.

    Note that all the existing templates are listed in the details pane.

  4. Select the Web Server template in the details pane, right-click it, and then click Duplicate Template.

  5. Select the version of Windows Server to support, in this case Windows Server 2008 Enterprise, and click OK.

  6. Name the template Web Server WS08 and set the following options. Leave all other options as they are.

    1. On the General tab, select Publish Certificate In Active Directory.

    2. On the Security tab, add the computer account for SERVER04. To do so, click Add, click Object Types, select Computers, and then click OK. Type SERVER04, click Check Names, and then click OK again.

    3. Grant SERVER04 the Allow::Read and Allow::Enroll permissions.

  7. Click OK.

    Template issuance is performed in the Certification Authority console section of Server Manager.

  8. Expand Roles\Active Directory Certificate Services\Contoso-Issuing-CA01 and click Certificate Templates.

  9. To issue a template, right-click Certificate Templates, point to New, and then click Certificate Template To Issue.

  10. In the Enable Certificate Templates dialog box, select Web Server WS08 and click OK.

    You are ready to proceed with the installation.

EXERCISE 4 Install a Web Server Certificate

Now you need to request and install the certificate.

  1. Staying on SERVER04, click the Start menu, type mmc in the Search box, and then press Enter.

  2. On the File menu, click Add/Remove Snap-in. In the Add or Remove Snap-ins dialog box, select the Certificates snap-in and click Add.

  3. Choose Computer Account and click Next.

  4. Make sure Local Computer is selected, click Finish, and then click OK.

  5. On the File menu, click Save As, navigate to your Documents folder, and name it Computer Certificates02. Click Save.

  6. Expand Certificates (Local Computer)\Personal and select Certificates.

  7. Right-click Certificates, point to All Tasks, and then click Request New Certificate. Click Next. Make sure Active Directory Enrollment Policy is selected and click Next.

  8. Select the Web Server WS08 certificate, and then click the More Information Is Required To Enroll For This Certificate link.

  9. In the Certificate Properties dialog box, on the Subject tab:

    1. In the Subject Name area, ensure that Full DN is selected, type CN=SERVER04,DC=Contoso,DC=com as the Value, and then click Add.

    2. In the Alternative Name area, choose URL in the Type drop-down list, type RightsManagement.contoso.com in the Value field, and then click Add.

    3. On the General tab, type Contoso DRM in the Friendly Name field and Web Server Certificate in the Description field.

    4. On the Private Key tab, click the double down arrow icon on the right to expand the Key Options section and select the Make Private Key Exportable and Allow Private Key To Be Archived check boxes.

  10. Click OK, and then click Enroll. Click Finish.

  11. To verify that the certificate has been issued, click Certificates under the Personal node in the tree pane and view the certificate in the details pane. The certificate will be named with the server name only.

  12. Close the Certificates console.

    You are ready to install AD RMS.

EXERCISE 5 Install an AD RMS Root Cluster

Ensure that you have at least SERVER01 and SERVER04 running.

  1. Log on to SERVER04, using the domain Administrator account. This grants you Enterprise Administrator credentials, which are required to create the SCP.

  2. Launch Server Manager from the Administrative Tools program group.

  3. Right-click the Roles node in the tree pane and click Add Roles.

  4. Review the Before You Begin information and click Next.

  5. On the Select Server Roles page, select Active Directory Rights Management Services.

    The Add Role Wizard asks you to add the Web Server (IIS) role with the required features, and Message Queuing.

  6. Click Add Required Role Services if these services weren’t installed prior to the installation of AD RMS. Click Next.

  7. On the Active Directory Rights Management Services page, review the information about the selected role and click Next.

  8. On the Select Role Services page, ensure that Active Directory Rights Management Server is selected and click Next.

  9. On the Create Or Join An AD RMS Cluster page, select Create A New AD RMS Cluster and click Next.

  10. On the Select Configuration Database page, select Use Windows Internal Database On This Server and click Next.

    You choose to use Windows Internal Database to host the AD RMS database because this is a single-server installation. Remember: Using WID is valid for test purposes only.

  11. On the Specify Service Account page, click Specify, type ADRMSService and its password, click OK, and then click Next.

  12. On the Configure AD RMS Cluster Key Storage page, select Use AD RMS Centrally Managed Key Storage and click Next.

    You choose to protect the AD RMS cluster key by using this option because it simplifies the exercise and does not require additional components; however, in production you should give this key the strongest protection available by storing it in a cryptographic service provider (CSP).

  13. On the Specify AD RMS Cluster Key Password page, type a strong password, confirm it, and then click Next.

  14. On the Select AD RMS Cluster Web Site page, select Default Web Site and click Next.

  15. On the Specify Cluster Address page, select Use An SSL-Encrypted Connection (Https://).

    As a security best practice, the AD RMS cluster should be provisioned by using an SSL-encrypted connection.

  16. In the Internal Address section, type RightsManagement.contoso.com, leave the port number as is, and click Validate. When the validation succeeds, the wizard updates the preview of the cluster address at the bottom of the page. Click Next.

  17. On the Choose A Server Authentication Certificate For SSL Encryption page, select Choose An Existing Certificate For SSL Encryption (Recommended), select the SERVER04 certificate, and click Next.

  18. On the Name The Server Licensor Certificate page, type Contoso DRM to identify the AD RMS cluster and click Next.

  19. On the Register AD RMS Service Connection Point page, select Register The AD RMS Service Connection Point Now and click Next.

    This action registers the AD RMS service connection point (SCP) in AD DS.

  20. On the Web Server (IIS) page, review the information about IIS and click Next.

  21. On the Select Role Services page, keep the Web Server default selections and click Next.

  22. On the Confirm Installation Selections page, review your choices and click Install.

  23. When the installation is complete, click Close to close the installation wizard.

  24. Log off and log back on to update the permissions granted to the logged-on user account.

    The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators group. This gives you access to all AD RMS operations. Your installation is complete.
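The same root-cluster choices as Exercise 5 (Windows Internal Database, centrally managed key, Default Web Site, the HTTPS cluster URL, the Exercise 4 certificate, the Contoso DRM SLC name and SCP registration), made with the AdRms module that Section 2.5 introduces. This is an added example, not the exercise's own steps: the RC:\ node and property names of the AdRmsInstall provider are assumed from the Windows Server 2008 R2 module and should be confirmed with Get-ChildItem RC:\ before use, and it assumes Install-ADRMS adds the role itself on a server where it is not yet installed.

```powershell
# Added example: Exercise 5 through the AdRms module on SERVER04. Run as the
# domain Administrator (Enterprise Admin rights are needed for the SCP).
Import-Module AdRms        # imported exactly as the page shows
Import-Module AdRmsAdmin

# The web server certificate enrolled in Exercise 4 carries the friendly
# name "Contoso DRM"; pick the newest one if it was re-enrolled.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'Contoso DRM' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate "Contoso DRM" not found in LocalMachine\My' }

$svc = Get-Credential -Credential 'CONTOSO\ADRMSService'          # step 11
$clusterKeyPwd = Read-Host -Prompt 'Cluster key password' -AsSecureString   # step 13

# Provider drive whose items hold the installation settings (assumed names).
New-PSDrive -PSProvider AdRmsInstall -Name RC -Root RootCluster | Out-Null
Get-ChildItem RC:\ | Select-Object -ExpandProperty Name   # confirm node names first

# Step 10: Windows Internal Database, valid for test purposes only.
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true
# Step 11: service account.
Set-ItemProperty -Path RC:\ServiceAccount -Name ServiceAccount -Value $svc
# Steps 12-13: centrally managed cluster key protected by a password.
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged      -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $clusterKeyPwd
# Steps 14-17: Default Web Site, HTTPS cluster URL, existing certificate.
Set-ItemProperty -Path RC:\ClusterWebSite        -Name WebSiteName          -Value 'Default Web Site'
Set-ItemProperty -Path RC:\ClusterUrl            -Name InternalUrl          -Value 'https://RightsManagement.contoso.com'
Set-ItemProperty -Path RC:\SSLCertificateSupport -Name SSLCertificateOption -Value 'Existing'
Set-ItemProperty -Path RC:\SSLCertificateSupport -Name Thumbprint           -Value $cert.Thumbprint
# Steps 18-19: SLC name and SCP registration in AD DS.
Set-ItemProperty -Path RC:\SlcName -Name SlcName     -Value 'Contoso DRM'
Set-ItemProperty -Path RC:\SCP     -Name RegisterSCP -Value $true

Install-ADRMS -Path RC:\ -Force

# Verify the SCP, which every AD RMS client uses to locate the cluster,
# points at the HTTPS URL and not at a plain-HTTP or stale address.
$root    = [ADSI]'LDAP://RootDSE'
$scpPath = 'LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,' +
           $root.configurationNamingContext
if ([System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
    $scp = [ADSI]$scpPath
    'SCP -> ' + $scp.serviceBindingInformation
} else {
    throw 'AD RMS SCP is not registered in the configuration partition'
}
```

Log off and back on afterwards, as step 24 says, so the AD RMS Enterprise Administrators membership granted to the installing account takes effect.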


Warning:

IMPORTANT AD RMS ADMINISTRATION GROUPS

To make the administration groups you created in AD DS effective, you must add them to the corresponding local groups on each AD RMS server. In a production environment, you must perform this additional step to complete your setup.
