Step 2: Setting up the Trey Research Domain

Applies To: Windows Server 2008, Windows Server 2008 R2

Before you install AD FS and the AD RMS Federation Identity Support role service, you should install and configure the Trey Research infrastructure. In this step, you will set up the computers that make up the Trey Research domain:

  • Configure the domain controller (TREY-DC)

  • Create user accounts

  • Configure the federation account partner (ADFS-ACCOUNT)

  • Configure the AD RMS-enabled client computer (ADRMS-CLNT2)

Use the following table as reference when setting up the appropriate computer names, operating systems, and network settings that are required to complete the steps in this guide.

Important

Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your computers still has Internet connectivity.

Computer name: TREY-DC
  Operating system requirement: Windows Server 2003 with Service Pack 2 (SP2) or Windows Server 2008
  IP settings: IP address 10.0.0.30, subnet mask 255.255.255.0
  DNS settings: Configured by the DNS server role.

Computer name: ADFS-ACCOUNT
  Operating system requirement: Windows Server 2008 Enterprise or Windows Server 2003 R2 Enterprise Edition with Service Pack 2 (SP2)
  IP settings: IP address 10.0.0.31, subnet mask 255.255.255.0
  DNS settings: Preferred DNS server 10.0.0.30

Computer name: ADRMS-CLNT2
  Operating system requirement: Windows Vista
  IP settings: IP address 10.0.0.32, subnet mask 255.255.255.0
  DNS settings: Preferred DNS server 10.0.0.30

Configure the domain controller (TREY-DC)

Depending on your environment, you can evaluate AD RMS in either a Windows Server 2008 domain or a Windows Server 2003 domain. Use one of the following sections depending on the domain to be used.

  • Configure the Windows Server 2003–based domain controller

  • Configure the Windows Server 2008–based domain controller

Configure the Windows Server 2003–based domain controller

To configure the domain controller TREY-DC, you must install Windows Server 2003, configure TCP/IP properties, install Active Directory, and raise the Active Directory domain functional level to Windows Server 2003.

First, install Windows Server 2003 with SP2 on the TREY-DC computer.

To install Windows Server 2003 Standard Edition

  1. Start your computer by using the Windows Server 2003 product CD. (You can use any edition of Windows Server 2003 except the Web Edition to establish the domain.)

  2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type TREY-DC.

Next, configure TCP/IP properties so that TREY-DC has a static IP address of 10.0.0.30.

To configure TCP/IP properties on TREY-DC

  1. Log on to TREY-DC with the TREY-DC\Administrator account or another user account in the local Administrators group.

  2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click Properties.

  3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.

  4. Click the Use the following IP address option. In the IP address box, type 10.0.0.30. In the Subnet mask box, type 255.255.255.0.

  5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Install Active Directory

In this step, you are going to create a domain controller for Trey Research. It is important that you first configure the IP addresses as specified in the previous table before you attempt to install Active Directory. This helps ensure that DNS records are configured appropriately.

Note

If you need to use fewer computers to test this scenario, you can use the Dcpromo tool to create two new Active Directory forests on the two federation servers themselves rather than configuring separate domain controllers. As a security best practice, a single server should not act as both a federation server and a domain controller in a production environment.

To configure TREY-DC as a domain controller

  1. Click Start, and click Run. In the Open box, type dcpromo, and then click OK.

  2. On the Welcome page of the Active Directory Installation Wizard, click Next.

  3. Click Next, select the Domain controller for a new domain option, and then click Next.

  4. Select the Domain in a new forest option, and click Next.

  5. In Full DNS name for new domain, type treyresearch.net and then click Next.

  6. In Domain NetBIOS name, type treyresearch, and then click Next three times.

  7. Select the Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS server option, and then click Next.

  8. Select the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option, and then click Next.

  9. In the Restore Mode Password and Confirm Password boxes, type a strong password, and then click Next.

  10. Click Next.

  11. When the Active Directory Installation Wizard is done, click Finish.

  12. Click Restart Now.

Raise the domain functional level to Windows Server 2003

In this step, we will raise the Active Directory domain functional level to Windows Server 2003. This functional level allows the use of Active Directory universal groups.

To raise the domain functional level to Windows Server 2003

  1. Log on to TREY-DC with the TREYRESEARCH\Administrator account or another user account in the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Right-click treyresearch.net, and then click Raise Domain Functional Level.

  4. In the list under Select an available domain functional level, click Windows Server 2003, and then click Raise.

Note

You cannot change the domain functional level once you have raised it.

  5. Click OK, and then click OK again.

Configure a DNS forwarder

DNS forwarders are used in this guide to forward DNS requests that cannot be resolved from the treyresearch.net domain to the cpandl.com domain, and vice versa.

To configure a DNS forwarder on a Windows Server 2003–based computer

  1. Log on to TREY-DC with the TREYRESEARCH\Administrator account or another user account in the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click DNS.

  3. Right-click TREY-DC, and then click Properties.

  4. Click the Forwarders tab.

  5. In the Selected domain's forward IP address list section, type 10.0.0.1, and then click Add.

  6. Click OK.

Configure the Windows Server 2008–based domain controller

To configure the domain controller TREY-DC, you must install Windows Server 2008, configure TCP/IP properties, and install Active Directory Domain Services.

First, install Windows Server 2008.

To install Windows Server 2008

  1. Start your computer by using the Windows Server 2008 product CD.

  2. Follow the instructions that appear on your screen, and when prompted for a computer name, type TREY-DC.

Next, configure TCP/IP properties so that TREY-DC has a static IPv4 address of 10.0.0.30.

To configure TCP/IP properties on TREY-DC

  1. Log on to TREY-DC with the TREY-DC\Administrator account or another user account in the local Administrators group.

  2. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.

  3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Click the Use the following IP address option. In IP address, type 10.0.0.30, in Subnet mask, type 255.255.255.0.

  5. Click the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.30, and then click OK.

  6. On the Networking tab, clear the Internet Protocol Version 6 (TCP/IPv6) check box.

Note

If you want to leave IPv6 enabled, you must assign a static IPv6 address before configuring the computer as a domain controller.

  7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
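The same static addressing can be applied from a script. The following is an added example, not part of the original guide: it uses the WMI Win32_NetworkAdapterConfiguration class, which exists on Windows Server 2003, Windows Server 2008 and Windows Vista, so one function serves the TCP/IP procedures for TREY-DC and, with the addresses from the table at the top of this step, for ADFS-ACCOUNT and ADRMS-CLNT2 as well. It assumes the adapter is named Local Area Connection, as in the procedures, and that Windows PowerShell runs elevated on the computer being configured.

```powershell
# Added example (not from the guide): set the static IPv4 address, subnet mask and
# preferred DNS server from the table in this step via WMI, then read them back.
function Set-LabStaticIp {
    param(
        [Parameter(Mandatory = $true)] [string]   $IPAddress,
        [string]   $SubnetMask  = '255.255.255.0',
        [string[]] $DnsServers  = @(),                    # empty for a DC whose DNS role configures it
        [string]   $AdapterName = 'Local Area Connection' # assumed adapter name, as in the procedures
    )
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$AdapterName'"
    if ($adapter -eq $null) { throw "Adapter '$AdapterName' was not found." }

    # Win32_NetworkAdapter.Index identifies the matching Win32_NetworkAdapterConfiguration.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"

    $r = $cfg.EnableStatic(@($IPAddress), @($SubnetMask))
    if ($r.ReturnValue -ne 0) { throw "EnableStatic failed with return code $($r.ReturnValue)." }

    if ($DnsServers.Count -gt 0) {
        $r = $cfg.SetDNSServerSearchOrder($DnsServers)
        if ($r.ReturnValue -ne 0) { throw "SetDNSServerSearchOrder failed with return code $($r.ReturnValue)." }
    }

    # Re-read the configuration so the result can be compared with the table.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
    $result = '' | Select-Object Computer, IPAddress, SubnetMask, DnsServers
    $result.Computer   = $env:COMPUTERNAME
    $result.IPAddress  = $cfg.IPAddress
    $result.SubnetMask = $cfg.IPSubnet
    $result.DnsServers = $cfg.DNSServerSearchOrder
    return $result
}

# TREY-DC on Windows Server 2008: the domain controller points DNS at itself.
Set-LabStaticIp -IPAddress '10.0.0.30' -DnsServers @('10.0.0.30')

# The other computers in the table use TREY-DC as their preferred DNS server:
#   ADFS-ACCOUNT:  Set-LabStaticIp -IPAddress '10.0.0.31' -DnsServers @('10.0.0.30')
#   ADRMS-CLNT2:   Set-LabStaticIp -IPAddress '10.0.0.32' -DnsServers @('10.0.0.30')
```

On the Windows Server 2003 domain controller the DNS server role configures the preferred DNS server, so omit -DnsServers there; the returned object shows what the adapter actually holds, which is worth checking before running dcpromo because a wrong address at that point produces wrong DNS records.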

Install Active Directory Domain Services

In this step, you are going to create a domain controller for Trey Research. It is important that you first configure the IP addresses as specified in the previous procedure before you attempt to install Active Directory Domain Services (AD DS). This helps ensure that DNS records are configured appropriately.

Note

If you need to use fewer computers to test this scenario, you can use the Dcpromo tool to create two new Active Directory forests on the two federation servers themselves rather than configuring separate domain controllers. As a security best practice, a single server should not act as both a federation server and a domain controller in a production environment.

To configure TREY-DC as a domain controller

  1. Click Start, and then click Run.

  2. In the Open box, type dcpromo, and then click OK.

  3. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

  4. Click the Domain controller for a new domain option, and then click Next.

  5. Click the Create a new domain in a new forest option, and then click Next.

  6. In the FQDN of the forest root domain box, type treyresearch.net, and then click Next.

  7. In the Forest functional level box, click Windows Server 2003, and then click Next.

  8. In the Domain functional level box, click Windows Server 2003, and then click Next.

  9. Ensure that the DNS server check box is selected, and then click Next.

  10. Click Yes, confirming that you want to create a delegation for this DNS server.

  11. On the Location for Database, Log Files, and SYSVOL page, click Next.

  12. In the Password and Confirm password boxes, type a strong password, and then click Next.

  13. On the Summary page, click Next to start the installation.

  14. When the installation is complete, click Finish, and then click Restart Now.
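The wizard choices above can also be expressed as a dcpromo answer file, which is useful when the lab has to be rebuilt. This is an added example, not part of the original guide; it uses the documented [DCINSTALL] keys accepted by dcpromo /unattend on Windows Server 2008, and the Directory Services Restore Mode password is a placeholder you must replace. Forest and domain level 2 correspond to Windows Server 2003, matching steps 7 and 8; no DNS delegation is created because a new forest root has no parent zone, which is what step 10 confirms.

```powershell
# Added example (not from the guide): unattended equivalent of the AD DS
# Installation Wizard steps for TREY-DC. Placeholder password; run elevated.
$safeModePassword = 'REPLACE-WITH-A-STRONG-PASSWORD'   # placeholder, DSRM password (step 12)

$answerFile = Join-Path $env:TEMP 'trey-dc-unattend.txt'
@"
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=treyresearch.net
DomainNetBiosName=TREYRESEARCH
ForestLevel=2
DomainLevel=2
InstallDNS=Yes
CreateDNSDelegation=No
SafeModeAdminPassword=$safeModePassword
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

& "$env:SystemRoot\System32\dcpromo.exe" /unattend:$answerFile

# The answer file holds the DSRM password in clear text: remove it before the
# restart that completes the promotion (step 14 of the wizard procedure).
Remove-Item -Path $answerFile -Force
& "$env:SystemRoot\System32\shutdown.exe" /r /t 0
```

RebootOnCompletion is deliberately No so that the answer file can be deleted before the restart; the explicit shutdown afterwards replaces the Restart Now click in step 14.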

Note

You must restart the computer after you complete this procedure.

Configure a DNS forwarder

DNS forwarders are used in this guide to forward DNS requests that cannot be resolved from the treyresearch.net domain to the cpandl.com domain, and vice versa.

To configure a DNS forwarder on a Windows Server 2008–based computer

  1. Log on to TREY-DC with the TREYRESEARCH\Administrator account or another user account in the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click DNS.

  3. Right-click TREY-DC, and then click Properties.

  4. Click the Forwarders tab.

  5. Click Edit.

  6. Type 10.0.0.1, and then click OK.

  7. Click OK to close the properties sheet.
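The forwarder can be set and, more importantly, verified from the command line. This added example is not part of the original guide; it wraps dnscmd.exe, which is installed with the DNS Server role on both Windows Server 2003 and Windows Server 2008, and checks that a name in the partner domain resolves through TREY-DC. The forwarder address 10.0.0.1 is the one the guide uses; the SOA lookup of cpandl.com is the check added here and will only succeed once the cpandl.com side is built.

```powershell
# Added example (not from the guide): configure the forwarder on TREY-DC with
# dnscmd and confirm cross-domain resolution works through it.
function Set-LabDnsForwarder {
    param(
        [string]   $DnsServer  = 'TREY-DC',
        [string[]] $Forwarders = @('10.0.0.1')   # the cpandl.com-side forwarder used by the guide
    )
    # /ResetForwarders replaces the whole forwarder list with the addresses given.
    & dnscmd $DnsServer /ResetForwarders $Forwarders
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed with exit code $LASTEXITCODE." }

    # /Info prints the server settings; keep the lines around the Forwarders entry.
    & dnscmd $DnsServer /Info | Select-String -Pattern 'Forwarders' -Context 0, 3
}

function Test-LabCrossDomainResolution {
    param(
        [string] $Name     = 'cpandl.com',   # partner domain named in the guide
        [string] $Resolver = '10.0.0.30'     # TREY-DC
    )
    # nslookup prints "primary name server = ..." when it obtains the SOA record.
    $out = & nslookup -type=SOA $Name $Resolver 2>&1
    if ($out -match 'primary name server') {
        return "$Name resolves through $Resolver"
    }
    return "$Name did not resolve through $Resolver; check the forwarder and the cpandl.com DNS server"
}

Set-LabDnsForwarder
Test-LabCrossDomainResolution
```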

Create user accounts

In this section, add the user accounts shown in the following table to Active Directory. Use the procedure following the table to create the user accounts.

Account name: ADFSADMIN
  User logon name: ADFSADMIN
  E-mail address: (none)

Account name: Terrence Philip
  User logon name: tphilip
  E-mail address: tphilip@treyresearch.net

To add new user accounts to the TREYRESEARCH domain

  1. Log on to TREY-DC with the TREYRESEARCH\Administrator account or another user account in the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In the console tree, expand treyresearch.net.

  4. Right-click Users, point to New, and then click User.

  5. In the New Object – User dialog box, type ADFSADMIN in the Full name and User logon name boxes, and then click Next.

  6. In the New Object – User dialog box, type a password of your choice in the Password and Confirm password boxes. Clear the User must change password at next logon check box, click Next, and then click Finish.

  7. Repeat steps 3 through 6 for Terrence Philip (tphilip).

Next, add an e-mail address for Terrence Philip.

To add e-mail addresses to user accounts

  1. In the Active Directory Users and Computers console, right-click Terrence Philip, click Properties, type tphilip@treyresearch.net in the E-mail box, and then click OK.

  2. Close the Active Directory Users and Computers console.
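Both procedures above (creating the accounts and adding the e-mail address) can be done in one script. This added example is not part of the original guide; it uses the ADSI LDAP provider, which is available on Windows Server 2003 and 2008 without any additional module, and reads the mail attribute back so the Terrence Philip entry can be checked against the table. The passwords are placeholders; run it on TREY-DC as TREYRESEARCH\Administrator.

```powershell
# Added example (not from the guide): create the ADFSADMIN and Terrence Philip
# accounts in CN=Users of treyresearch.net via ADSI, with the wizard's settings
# (enabled account, no forced password change, optional e-mail address).
function New-LabUser {
    param(
        [Parameter(Mandatory = $true)] [string] $FullName,
        [Parameter(Mandatory = $true)] [string] $LogonName,
        [Parameter(Mandatory = $true)] [string] $Password,
        [string] $Mail = ''
    )
    $container = [ADSI]'LDAP://CN=Users,DC=treyresearch,DC=net'
    $user = $container.Create('user', "CN=$FullName")
    $user.Put('sAMAccountName', $LogonName)
    $user.Put('userPrincipalName', "$LogonName@treyresearch.net")
    $user.Put('displayName', $FullName)
    if ($Mail -ne '') { $user.Put('mail', $Mail) }   # the E-mail box on the user's property sheet
    $user.SetInfo()                                   # the object must exist before a password is set

    $user.SetPassword($Password)
    $user.Put('userAccountControl', 0x200)            # NORMAL_ACCOUNT: enabled, as the wizard creates it
    $user.Put('pwdLastSet', -1)                       # clears 'User must change password at next logon'
    $user.SetInfo()
    return $user
}

function Get-LabUserMail {
    param([Parameter(Mandatory = $true)] [string] $FullName)
    $user = [ADSI]"LDAP://CN=$FullName,CN=Users,DC=treyresearch,DC=net"
    return [string] $user.mail
}

New-LabUser -FullName 'ADFSADMIN'       -LogonName 'ADFSADMIN' -Password 'REPLACE-ME-1'   # placeholder
New-LabUser -FullName 'Terrence Philip' -LogonName 'tphilip'   -Password 'REPLACE-ME-2' -Mail 'tphilip@treyresearch.net'

# Read the e-mail address back; it should match the table above.
Get-LabUserMail -FullName 'Terrence Philip'
```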

Configure the federation account partner (ADFS-ACCOUNT)

AD RMS can use federation servers that are running either Windows Server 2003 R2 Enterprise Edition or Windows Server 2008 Enterprise. Use one of the following sections depending on the requirements in your organization.

  • Configure the Windows Server 2003–based AD FS account partner

  • Configure the Windows Server 2008–based AD FS account partner

Configure the Windows Server 2003–based AD FS account partner

In this section you will install Windows Server 2003 R2 Enterprise Edition, configure TCP/IP properties, add ADFS-ACCOUNT to the TreyResearch domain, and then add the Application server role.

First, install Windows Server 2003 R2 Enterprise Edition as a stand-alone server on ADFS-ACCOUNT.

Important

Windows Server 2003 R2 Enterprise Edition is required for the federation servers.

To install Windows Server 2003 R2 Enterprise Edition

  1. Start your computer by using the Windows Server 2003 R2 Enterprise Edition product CD.

  2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type ADFS-ACCOUNT.

Next, configure TCP/IP properties so that ADFS-ACCOUNT has a static IP address of 10.0.0.31.

To configure TCP/IP properties on ADFS-ACCOUNT

  1. Log on to ADFS-ACCOUNT as a member of the local Administrators group.

  2. Click Start, point to Control Panel, and then double-click Network Connections.

  3. Right-click Local Area Connection, and then click Properties.

  4. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.

  5. Click the Use the following IP address option. In the IP address box, type 10.0.0.31. In the Subnet mask box, type 255.255.255.0.

  6. Click the Use the following DNS server addresses option. In the Preferred DNS server box, type 10.0.0.30.

  7. Click OK, and then click OK to close the Local Area Connection Properties dialog box.

Next, join the federation account partner (ADFS-ACCOUNT) computer to the TreyResearch domain:

To join ADFS-ACCOUNT to TREYRESEARCH domain

  1. Log on to ADFS-ACCOUNT as a member of the local Administrators group.

  2. Click Start, right-click My Computer, and then click Properties.

  3. Click the Computer Name tab, and then click Change.

  4. In the Computer Name Changes dialog box, click Domain, and then type treyresearch.net.

  5. Click More, and then type treyresearch.net in the Primary DNS suffix of this computer box.

  6. Click OK twice.

  7. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials, and then click OK.

  8. When a Computer Name Changes dialog box appears welcoming you to the treyresearch.net domain, click OK.

  9. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.

Next, add the application server role on the ADFS-ACCOUNT computer.

To add the application server role

  1. Log on to ADFS-ACCOUNT as TREYRESEARCH\Administrator. The Manage Your Server window appears.

  2. Click Add or remove a role.

  3. On the Preliminary Steps page of the Configure your Server Wizard, click Next.

  4. Click Application Server (IIS, ASP.NET), and then click Next.

  5. Select the Enable ASP.NET check box, and then click Next twice.

  6. When asked for files from the Windows Server 2003 product CD, insert it into the CD drive of the computer.

  7. Click Finish to complete the installation.

Finally, add the ADFSADMIN user account to the local Administrators group on ADFS-ACCOUNT.

To add ADFSADMIN to the Administrators group

  1. Log on to ADFS-ACCOUNT as TREYRESEARCH\Administrator.

  2. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.

  3. Expand System Tools, expand Local Users and Groups, and then click Groups.

  4. Right-click Administrators, and then click Add to Group.

  5. Click Add.

  6. In the Select Users, Computers, or Groups window, type TREYRESEARCH\ADFSADMIN, and then click OK.

  7. Click OK to close the Administrators properties sheet.

Configure the Windows Server 2008–based AD FS account partner

First, install Windows Server 2008 Enterprise as a stand-alone server on ADFS-ACCOUNT.

Important

Windows Server 2008 Enterprise is required for the federation servers.

To install Windows Server 2008 Enterprise

  1. Start your computer by using the Windows Server 2008 product CD.

  2. When prompted for the installation type, choose Custom Installation.

  3. When prompted for a computer name, type ADFS-ACCOUNT.

  4. Follow the rest of the instructions that appear on your screen to finish the installation.

Next, configure TCP/IP properties so that the ADFS-ACCOUNT computer has a static IP address of 10.0.0.31.

To configure TCP/IP properties on the ADFS-ACCOUNT computer

  1. Log on to ADFS-ACCOUNT with the ADFS-ACCOUNT\Administrator account or another user account in the local Administrators group.

  2. Click Start, click Network, click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.

  3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Select the Use the following IP address option. In IP address, type 10.0.0.31, in Subnet mask, type 255.255.255.0.

  5. Select the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.30.

  6. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join the ADFS-ACCOUNT computer to the TREYRESEARCH domain:

To join ADFS-ACCOUNT to the treyresearch.net domain

  1. Click Start, right-click Computer, and then click Properties.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. Click Change settings (at the right side), and then click Change.

  4. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type treyresearch.net.

  5. Click More, and then type treyresearch.net in the Primary DNS suffix of this computer box.

  6. Click OK, and then click OK again.

  7. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials for TREYRESEARCH\Administrator, and click OK.

  8. When a Computer Name/Domain Changes dialog box appears welcoming you to the treyresearch.net domain, click OK.

  9. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.

  10. Click Restart Now.

Finally, add the ADFSADMIN user account to the local Administrators group on ADFS-ACCOUNT.

To add ADFSADMIN to the Administrators group

  1. Log on to ADFS-ACCOUNT with the TREYRESEARCH\Administrator account or another user account in the local Administrators group.

  2. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.

  3. Expand Configuration, expand Local Users and Groups, and then click Groups.

  4. Double-click Administrators, click Add, type TREYRESEARCH\ADFSADMIN, click OK, and then click OK again.
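The domain join and the local Administrators change above can be scripted and, which the dialog boxes do not give you, verified. This added example is not part of the original guide and covers both the Windows Server 2003 and Windows Server 2008 ADFS-ACCOUNT procedures (the join function also applies to ADRMS-CLNT2 later in this step). It uses the WMI Win32_ComputerSystem.JoinDomainOrWorkgroup method and the WinNT ADSI provider, both present on Windows Server 2003, 2008 and Vista, and assumes Windows PowerShell is running elevated; the credential prompt is for TREYRESEARCH\Administrator.

```powershell
# Added example (not from the guide): join ADFS-ACCOUNT to treyresearch.net, then
# add TREYRESEARCH\ADFSADMIN to the local Administrators group and verify it.
function Join-LabDomain {
    param(
        [string] $Domain   = 'treyresearch.net',
        [string] $JoinUser = 'TREYRESEARCH\Administrator'
    )
    $cred = Get-Credential $JoinUser
    $cs   = Get-WmiObject Win32_ComputerSystem
    # FJoinOptions 3 = JOIN_DOMAIN (1) + ACCT_CREATE (2). With the default policy
    # 'Change primary DNS suffix when domain membership changes', the suffix becomes
    # treyresearch.net, which is what the More dialog step sets by hand.
    $r = $cs.JoinDomainOrWorkgroup($Domain, $cred.GetNetworkCredential().Password, $JoinUser, $null, 3)
    if ($r.ReturnValue -ne 0) { throw "Domain join failed with Win32 error $($r.ReturnValue)." }
    return "Joined $Domain; restart the computer to complete the join."
}

function Get-LabLocalAdminPaths {
    # Returns the ADsPath of every member of the local Administrators group,
    # e.g. WinNT://TREYRESEARCH/ADFSADMIN.
    $group = [ADSI]'WinNT://./Administrators,group'
    return @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) })
}

function Add-LabLocalAdmin {
    param([string] $Domain = 'TREYRESEARCH', [string] $User = 'ADFSADMIN')
    $memberPath = "WinNT://$Domain/$User"
    if (-not ((Get-LabLocalAdminPaths) -contains $memberPath)) {
        $group = [ADSI]'WinNT://./Administrators,group'
        $group.Add("$memberPath,user")
    }
    # Membership is checked after the add rather than assumed from the call succeeding.
    return ((Get-LabLocalAdminPaths) -contains $memberPath)
}

Join-LabDomain
# After the restart, log on as TREYRESEARCH\Administrator and run:
#   Add-LabLocalAdmin    # returns True when TREYRESEARCH\ADFSADMIN is a local Administrator
```

Get-LabLocalAdminPaths is also a quick way to review who holds local administrator rights on the federation server before it goes into service, which is the kind of check the guide's best-practice note about separating roles implies.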

Configure the AD RMS-enabled client computer (ADRMS-CLNT2)

To configure the ADRMS-CLNT2 client computer in the TREYRESEARCH domain, you must install Windows Vista, configure TCP/IP properties, and then join the computer to the TREYRESEARCH domain. You must also install an AD RMS-enabled application and configure this computer for AD RMS federation support. In this example, Microsoft Office Word 2007 Enterprise Edition is installed on the client.

To install Windows Vista

  1. Start your computer by using the Windows Vista product CD.

  2. Follow the instructions that appear on your screen, and when prompted for a computer name, type ADRMS-CLNT2.

Next, configure TCP/IP properties so that ADRMS-CLNT2 has a static IP address of 10.0.0.32 and uses TREY-DC (10.0.0.30) as its preferred DNS server.

To configure TCP/IP properties

  1. Log on to ADRMS-CLNT2 with the ADRMS-CLNT2\Administrator account or another user account in the local Administrators group.

  2. Click Start, click Network, and then click Network and Sharing Center.

  3. Click Manage Network Connections, right-click Local Area Connection, and then click Properties.

  4. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  5. Select the Use the following IP address option. In IP address, type 10.0.0.32, in Subnet mask, type 255.255.255.0.

  6. Select the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.30.

  7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join ADRMS-CLNT2 to the TREYRESEARCH domain.

To join ADRMS-CLNT2 to the TREYRESEARCH domain

  1. Click Start, right-click Computer, and then click Properties.

  2. Under Computer name, domain, and workgroup settings, click Change settings.

  3. On the Computer Name tab, click Change.

  4. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type treyresearch.net.

  5. Click More, and in the Primary DNS suffix of this computer box, type treyresearch.net.

  6. Click OK, and click OK again.

  7. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials for treyresearch\administrator, and then click OK.

  8. When a Computer Name/Domain Changes dialog box appears welcoming you to the treyresearch.net domain, click OK.

  9. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.

  10. In the System Settings Change dialog box, click Yes to restart the computer.

Next, configure ADRMS-CLNT2 for federation support with AD RMS. The registry value created in this procedure tells the AD RMS client which AD FS home realm to use.

To configure ADRMS-CLNT2 for federation support

  1. Log on to ADRMS-CLNT2 with the TREYRESEARCH\Administrator account or another user account in the local Administrators group.

  2. Click Start, type regedit.exe, and then press Enter.

  3. Expand HKEY_LOCAL_MACHINE, expand Software, and then expand Microsoft.

  4. Right-click Microsoft, point to New, click Key, type MSDRM, and then press Enter.

  5. Right-click MSDRM, point to New, click Key, type Federation, and then press Enter.

  6. Right-click Federation, point to New, click String Value, type FederationHomeRealm, and then press Enter.

  7. Double-click FederationHomeRealm, type urn:federation:treyresearch.net, and then click OK.
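The same registry entry can be created and read back from a script, which is handy when several clients need it or when troubleshooting a client that does not pick up the home realm. This added example is not part of the original guide; it assumes Windows PowerShell is installed on ADRMS-CLNT2 (it is a separate download for Windows Vista) and runs elevated, since HKEY_LOCAL_MACHINE is being written.

```powershell
# Added example (not from the guide): create HKLM\SOFTWARE\Microsoft\MSDRM\Federation
# and the FederationHomeRealm string value, equivalent to steps 3 through 7 above.
$federationKey = 'HKLM:\SOFTWARE\Microsoft\MSDRM\Federation'

function Set-LabFederationHomeRealm {
    param([string] $Realm = 'urn:federation:treyresearch.net')   # the value used in step 7
    # New-Item -Force creates the MSDRM parent key as well when it does not exist.
    if (-not (Test-Path $federationKey)) { New-Item -Path $federationKey -Force | Out-Null }
    # PropertyType String is REG_SZ, the 'String Value' type chosen in regedit.
    New-ItemProperty -Path $federationKey -Name 'FederationHomeRealm' -Value $Realm `
        -PropertyType String -Force | Out-Null
}

function Get-LabFederationHomeRealm {
    # Returns $null when the key or value is missing, so the check is explicit.
    if (-not (Test-Path $federationKey)) { return $null }
    return (Get-ItemProperty -Path $federationKey).FederationHomeRealm
}

Set-LabFederationHomeRealm
Get-LabFederationHomeRealm   # read the value back to confirm the client's home realm
```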

Finally, install Microsoft Office Word 2007 Enterprise Edition on ADRMS-CLNT2.

To install Microsoft Office Word 2007 Enterprise

  1. Double-click setup.exe from the Microsoft Office 2007 Enterprise product CD.

  2. Click Customize as the installation type, set the installation type to Not Available for all applications except Microsoft Office Word 2007 Enterprise, and then click Install Now. This might take several minutes to complete.

Important

Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007 allow you to create rights-protected content. All editions will allow you to consume rights-protected content.