AD RMS with Active Directory Domain Services and Networks

Applies To: Windows Server 2008, Windows Server 2008 R2

The following sections describe various environmental considerations that need to be taken into account when developing an AD RMS design.

AD RMS Active Directory Design Considerations

AD RMS requires Active Directory to manage users and groups to assign specific privileges to the documents. The healthy management of Active Directory is critical for an AD RMS deployment.

When designing your AD RMS environment, you should consider the following aspects of your Active Directory implementation:

  • The scope of an Active Directory Rights Management Services installation is the Active Directory forest. If your users are spread across multiple forests, each forest requires its own AD RMS installation (root cluster).

  • It is good practice to use a virtual name for the Active Directory Rights Management Services certification cluster rather than the name of an individual server. Typically this is a load-balancing cluster name.

  • Group expansion across forests in multiple-forest environments. Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 (ILM 2007 FP1) or Identity Integration Feature Pack Service Pack 2 (IIFP SP2) provides GAL synchronization between forests. This is required so that AD RMS can expand group membership across forests when it validates permissions.

For additional information on Active Directory Domain Services see Active Directory Domain Services (https://go.microsoft.com/fwlink/?LinkId=154905).

DNS, FQDN, and Server Name Design Considerations

It is a best practice to use an FQDN CNAME record or A record for the AD RMS cluster URL, not a NetBIOS name or the host name of an individual server. If the server behind the cluster URL changes, you can then update the CNAME or A record to point to the new host. If the cluster URL is bound to a specific server name, you must instead reprovision AD RMS with a new cluster URL.

It is also a best practice to use an FQDN CNAME or A record for your SQL Server name when provisioning AD RMS. This is primarily for disaster recovery purposes: the AD RMS databases can be moved to another SQL Server host without changing the name AD RMS was provisioned with.

If the SQL Server computer is addressed by a CNAME alias, you must also change the following registry value on that computer so that its Server service accepts SMB (named-pipe) connections addressed to the alias rather than its own host name. Change the value from 0 to 1.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters

DWORD: DisableStrictNameChecking

Value: 1

You must restart the SQL Server computer for this change to take effect.
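The following PowerShell script is an added example, not part of the original article, showing how an administrator would apply and verify the registry change on the SQL Server computer. The alias name adrms-sql.corp.contoso.com is a hypothetical placeholder for the CNAME you provisioned AD RMS with.

```powershell
# Added example (not from the original page). Run on the SQL Server computer as an administrator.
# Assumption: 'adrms-sql.corp.contoso.com' is a hypothetical CNAME alias pointing at this host.
$SqlAlias = 'adrms-sql.corp.contoso.com'

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$Name = 'DisableStrictNameChecking'

# Read the current value. A missing value behaves like 0 (strict name checking on), which makes
# the Server service reject SMB/named-pipe connections that arrive addressed to an alias name.
$current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) { $current = 0 }
Write-Host "Current $Name = $current"

if ($current -ne 1) {
    # Set the DWORD to 1 as described above; Set-ItemProperty creates the value if it is missing.
    Set-ItemProperty -Path $Key -Name $Name -Value 1 -Type DWord
    Write-Host "$Name set to 1. Restart this computer for the change to take effect."
} else {
    Write-Host "$Name is already 1; no change made."
}

# Sanity check before pointing AD RMS at the alias: the alias must resolve to one of this host's addresses.
$localAddresses = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    ForEach-Object { $_.IPAddressToString }
$aliasAddresses = [System.Net.Dns]::GetHostAddresses($SqlAlias) |
    ForEach-Object { $_.IPAddressToString }

$matches = $aliasAddresses | Where-Object { $localAddresses -contains $_ }
if ($matches) {
    Write-Host "$SqlAlias resolves to this host ($($matches -join ', '))."
} else {
    Write-Warning "$SqlAlias resolves to $($aliasAddresses -join ', '), which is not this host. Fix DNS before provisioning AD RMS."
}
```

The resolution check is there because the registry value only removes the name restriction on the SMB side; if the alias points at the wrong host, AD RMS provisioning will still fail or, worse, reach a different SQL Server.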

For additional information on DNS see DNS Technical Reference (https://go.microsoft.com/fwlink/?LinkId=154906).

SSL / TLS Security

It is recommended that Secure Sockets Layer / Transport Layer Security (SSL/TLS) be used to provide server authentication and data encryption for users connecting to the AD RMS cluster. SSL is not required, but it is highly recommended: without it, the certification and licensing traffic between clients and the cluster travels in clear text. SSL protects clients from man-in-the-middle attacks and ensures the confidentiality of the certificates and licenses exchanged with the AD RMS cluster. It is required when AD RMS is used with Active Directory Federation Services (AD FS).

SSL requires that your server have a valid SSL certificate installed for the AD RMS Web site, with a subject name that matches the cluster URL. The required Web server certificates may be issued by the customer's own PKI or purchased externally. When planning the solution deployment, you should consider how these certificates will be issued to, and renewed on, each AD RMS server in the cluster.

For information on setting up SSL on IIS 7.0 see How to Setup SSL on IIS 7.0 (https://go.microsoft.com/fwlink/?LinkId=154906) and Import an SSL Certificate Using Internet Information Services (IIS) Manager (https://go.microsoft.com/fwlink/?LinkId=154912).

Windows Firewall

The Microsoft Windows Firewall is a host-based firewall application that is installed and turned on by default in Windows Server 2008. If you want to use the functionality of the Windows Firewall within your Active Directory Rights Management Services (AD RMS) infrastructure, you must create a few firewall exceptions.

Note

This topic discusses only the firewall exceptions that are specific to AD RMS. Additional exceptions may be needed for other applications.

The following table shows the port exceptions that should be made on each AD RMS server in the cluster. It is not necessary to open both ports at the same time. For HTTP transmission, you should only open TCP port 80. If your AD RMS environment is using Secure Sockets Layer (SSL) or HTTPS, you should only open TCP port 443. The default port for SSL is TCP port 443. If your organization is using a port number for SSL other than the default, you should use that port instead.

Note

When AD RMS is installed, the appropriate exception described in the following table is created and enabled automatically.

Port exception    Description
TCP 80            HTTP
TCP 443           HTTPS or SSL communication

If there is more than one server in the AD RMS cluster, or the AD RMS databases are hosted on a computer other than the AD RMS server in a single-server deployment, the following port exceptions should be created on the database server that hosts the AD RMS databases. This table assumes that you are using Microsoft SQL Server 2005 or later.

Port exception    Description
TCP 1433          Default Microsoft SQL Server listening port
TCP 445           SQL Server named pipes (used for provisioning the AD RMS server)

The AD RMS cluster must be able to communicate with an Active Directory Global Catalog server. The following port exception should be enabled on the Active Directory Global Catalog server to enable the AD RMS cluster to communicate with it.

Port exception    Description
TCP 3268          Global Catalog server port

In addition to creating these port exceptions, special considerations should be taken when configuring the firewall scope. Unless your AD RMS environment is used in an extranet scenario, you should restrict all traffic to your organization's network. If your AD RMS environment needs to be available to client computers outside of your organization's network, you should allow any computer on the Internet to connect to only TCP port 443 or TCP port 80.

Warning

In an AD RMS environment, TCP port 445 is used to provision an AD RMS server, but this port is also the file sharing (SMB) port for all computers running Microsoft Windows 2000 or later. Unless you have a specific need for other computers on your network to reach this port, restrict the scope of the exception so that only the AD RMS cluster members can connect to TCP port 445 on the AD RMS database server.
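The following PowerShell script is an added example, not part of the original article, that creates the exceptions from the tables above with netsh advfirewall (the firewall tool available on Windows Server 2008 and 2008 R2) and applies the scope restrictions this section recommends. The IP addresses and the $Role switch are assumptions used to show how the same script is run on each of the three server roles; adjust them to your environment.

```powershell
# Added example (not from the original page). Run as an administrator on the server whose role is
# named in $Role. All addresses below are hypothetical placeholders.
$Role         = 'ADRMS'                 # 'ADRMS' (cluster member), 'SQL' (database server) or 'GC' (global catalog)
$ClusterNodes = '10.0.1.11,10.0.1.12'   # assumed AD RMS cluster members
$CorpNetwork  = '10.0.0.0/8'            # assumed internal network
$UseSsl       = $true                   # $false opens TCP 80 instead of TCP 443
$Extranet     = $false                  # $true: clients outside the network may reach the cluster URL

function Add-AdrmsRule {
    # Creates one inbound allow rule for a TCP port, limited to the given remote addresses.
    # 'any' is deliberately only used for the cluster URL port in the extranet case.
    param([string]$Name, [int]$Port, [string]$RemoteIp)
    netsh advfirewall firewall add rule name=$Name dir=in action=allow protocol=TCP localport=$Port remoteip=$RemoteIp | Out-Null
    Write-Host "Added rule $Name (TCP $Port from $RemoteIp)"
}

switch ($Role) {
    'ADRMS' {
        # Open only the port that matches the cluster URL scheme, never both.
        $scope = if ($Extranet) { 'any' } else { $CorpNetwork }
        if ($UseSsl) { Add-AdrmsRule -Name 'ADRMS-HTTPS' -Port 443 -RemoteIp $scope }
        else         { Add-AdrmsRule -Name 'ADRMS-HTTP'  -Port 80  -RemoteIp $scope }
    }
    'SQL' {
        # Both exceptions are restricted to the cluster members. TCP 445 is SMB/file sharing for
        # every Windows host, so it must not be opened to the whole network.
        Add-AdrmsRule -Name 'ADRMS-SQL-1433'       -Port 1433 -RemoteIp $ClusterNodes
        Add-AdrmsRule -Name 'ADRMS-SQL-NamedPipes' -Port 445  -RemoteIp $ClusterNodes
    }
    'GC' {
        Add-AdrmsRule -Name 'ADRMS-GlobalCatalog' -Port 3268 -RemoteIp $ClusterNodes
    }
    default { throw "Unknown role '$Role'. Use ADRMS, SQL or GC." }
}

# Show what was created so the scope can be reviewed.
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'Rule Name:\s+ADRMS-' -Context 0,8
```

Because AD RMS setup creates the TCP 80 or 443 exception automatically, running this on a cluster member mainly serves to tighten that rule's scope; on the database and global catalog servers it creates rules that setup does not create for you.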

For information on using AD RMS with a firewall see Configure Windows Firewall (https://go.microsoft.com/fwlink/?LinkId=154913) and AD RMS Firewall Considerations (https://go.microsoft.com/fwlink/?LinkId=154916).