Test Lab Guide: Deploying an AD RMS Cluster


Applies To: Windows Server 2012

Did you know that Microsoft Azure provides similar functionality in the cloud? Learn more about Microsoft Azure identity solutions.

Create a hybrid identity solution in Microsoft Azure:
- Learn how to configure Azure Rights Management.
- Deploying the Azure Rights Management Connector.

The purpose of this Test Lab Guide (TLG) is to enable you to set up a working Active Directory Rights Management Services (AD RMS) infrastructure in a test environment. During this process you create an Active Directory® domain, install a database server, install the AD RMS server role, configure the AD RMS cluster, and configure an AD RMS-enabled client computer.

Once complete, you can use the test lab environment to learn about AD RMS technology on Windows Server® 2012 and assess how it might be deployed in your organization.

As you complete the steps in this guide, you will:

  • Prepare the AD RMS infrastructure.

  • Install and configure AD RMS.

  • Verify AD RMS functionality after you complete the configuration.

The goal of an AD RMS deployment is to be able to protect information, no matter where it goes. Once AD RMS protection is added to a digital file, the protection stays with the file. By default, only the content owner is able to remove the protection from the file. The owner grants rights to other users to perform actions on the content, such as the ability to view, copy, or print the file. For more information about the business reasons behind an AD RMS deployment, see the white paper "Windows Rights Management Services: Helping Organizations Safeguard Digital Information from Unauthorized Use".

Note

This guide is considered the basic AD RMS TLG. All other TLGs developed for AD RMS will assume that this guide has been completed first.

In this guide

This document contains instructions for extending the Windows Server® 2012 Base Configuration Test Lab Guide (TLG) to include an AD RMS cluster server on the APP1 server computer. In addition to extending APP1 to host the AD RMS server role, you will also need to configure the domain controller (DC1) and a desktop client computer (CLIENT1) as described in the instructions provided with the Base Configuration TLG.

In this guide you will also deploy an additional SQL Server computer (SQL1) to host the AD RMS configuration and logging databases. You will not need to configure the INET1 or EDGE1 computers from the Base Configuration TLG, because they are not required for a working AD RMS test lab.

Important

The configuration of the computers and network in this guide was designed to give you hands-on practice in creating an AD RMS test environment. The design decisions made in this guide were geared toward increasing your hands-on experience and to some degree reflect AD RMS best practices configuration. For full best practices and design and planning information related to AD RMS, see AD RMS Prerequisites, AD RMS Performance and Logging Best Practices, and AD RMS Architecture Design and Secure Collaboration Scenarios.

What this guide does not provide

This guide does not provide the following:

  • An overview of AD RMS. For more information about the advantages that AD RMS can bring to your organization, see Active Directory Rights Management Services Overview.

  • Guidance for setting up and configuring AD RMS in a production environment.

  • Complete technical reference for AD RMS.

Test lab overview

The test lab configuration demonstrated in this guide extends the Windows Server 2012 Base Configuration TLG by one server computer. The additional computer will serve as a SQL server computer and be named SQL1. There are four major steps in this test lab guide to complete that contain multiple procedures as a part of completing each step.

  1. Complete the installation and configuration of DC1, APP1 and CLIENT1 as described in the Base Configuration TLG.

  2. Configure SQL1 as a SQL server database server.

  3. Install Office 2010 trial version on CLIENT1.

  4. Configure APP1 as the AD RMS root cluster server.

  5. Verify AD RMS functionality at CLIENT1.

We recommend that you first use the steps provided in this guide in a test lab environment. Test lab guides are not necessarily meant to be used to deploy Windows Server features without additional deployment documentation and should be used with discretion as a stand-alone document.

Upon completion of this test lab guide, you will have a working AD RMS infrastructure. You can then test and verify AD RMS functionality as follows:

  • Restrict permissions on a Microsoft Office Word 2010 document.

  • Have an authorized user open and work with the document.

  • Have an unauthorized user attempt to open and work with the document.

The test environment described in this guide includes four computers connected to a private network and using the operating systems, applications, and services summarized in the following table.

Computer name   Operating system       Applications and services
APP1            Windows Server 2012    AD RMS, Web Server (IIS)
DC1             Windows Server 2012    Active Directory Domain Services (AD DS), Domain Name System (DNS)
SQL1            Windows Server 2012    Microsoft SQL Server 2012
CLIENT1         Windows 8              Microsoft Office Word 2010 Professional

Note

For more information about the system requirements for installing AD RMS, see Pre-installation Information for Active Directory Rights Management Services.

The computers form a private intranet and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment if desired. This test lab exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is named DC1 for the domain named corp.contoso.com. The following figure shows the configuration of the test environment:

Figure: AD RMS test lab overview

Hardware and software requirements

The following are the minimum required components of the test lab:

  1. The product disc or files for Windows Server 2012.

  2. The product disc or files for Windows® 8.

  3. Three computers that meet the minimum hardware requirements for Windows Server 2012.

  4. One computer that meets the minimum hardware requirements for Windows 8.

  5. If you wish to deploy the Base Configuration test lab in a virtualized environment, your virtualization solution must support Windows Server 2012 64-bit virtual machines. The server hardware must support the amount of RAM required to run the virtual operating systems included in the Base Configuration test lab and any other virtual machines that may be required by additional TLGs.

Important

Run Windows Update on all computers or virtual machines either during the installation or immediately after installing the operating systems. After running Windows Update, you can isolate your physical or virtual test lab from your production network.

Note

If you will be installing and using the trial version of Microsoft Office 2010 Professional on the CLIENT1 computer, it is best to download and complete the installation on CLIENT1 while it is still configured with Internet access. Once Microsoft Office 2010 is installed, along with any Office updates, and online activation is complete, you can finish configuring CLIENT1 by joining it to the CORP domain and then reconfiguring CLIENT1 to limit network access to only your test lab private network.

To install Office Professional Plus 2010 on CLIENT1

  1. Log on to CLIENT1 with Internet access.

  2. Locate your Microsoft Office Professional Plus 2010 product media or optionally, you can download Microsoft Office Professional Plus 2010 for trial installation from the Microsoft Web site. Be sure to download the Professional Plus edition because other editions might not support information rights management (IRM) using AD RMS.

  3. Launch the installer for Microsoft Office 2010 to begin installation.

  4. Click Customize as the installation type, set the installation type to Not Available for all applications except Word 2010, and then click Install Now. This might take several minutes to complete.

Step 1: Complete the Base TLG Configuration and add users and groups

Begin by completing the configuration of the DC1, APP1, and CLIENT1 computers as described in the Windows Server 2012 Base Configuration Test Lab Guide (TLG). The Base TLG is located at https://go.microsoft.com/fwlink/p/?LinkId=236358.

Once you have completed the configuration of DC1 using the Base TLG instructions, you will want to configure the following additional user accounts for use with testing your AD RMS installation. The following table lists the user accounts that you will need to create at this time.

Account Name      User Logon Name   E-mail Address         Group
ADRMSSVC          ADRMSSVC          -                      -
ADRMSADMIN        ADRMSADMIN        -                      Enterprise Admins
Nicole Holliday   NHOLLIDA          nhollida@contoso.com   Employees, Finance
Limor Henig       LHENIG            lhenig@contoso.com     Employees, Marketing
Stuart Railson    SRAILSON          srailson@contoso.com   Employees, Engineering

To add new user accounts

  1. Log on to DC1 using the CORP\Administrator account.

  2. In Server Manager, click Local Server in the console tree, then click Tools, and then select Active Directory Users and Computers.

  3. In the console tree, expand corp.contoso.com.

  4. Right-click Users, point to New, and then click User.

  5. In the New Object – User dialog box, type ADRMSSVC in the First name and User logon name boxes, and then click Next.

  6. In the New Object – User dialog box, type a password of your choice in the Password and Confirm password boxes. Clear the User must change password at next logon check box, click Next, and then click Finish.

  7. Perform steps 3-6 for each of the following users: ADRMSADMIN, Nicole Holliday, Limor Henig, and Stuart Railson.

To add e-mail addresses to user accounts

  1. In the Active Directory Users and Computers console, right-click Nicole Holliday, click Properties, type nhollida@contoso.com in the E-mail box, and then click OK.

  2. Repeat step 1 for Limor Henig and Stuart Railson, using the e-mail addresses for each account from the table.

  3. Close the Active Directory Users and Computers console.

  Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

# Each account is created with the display name, logon name and e-mail address from the table above; the UPN suffix is the lab domain.
New-ADUser -Name ADRMSSVC -GivenName ADRMSSVC -SamAccountName ADRMSSVC -UserPrincipalName ADRMSSVC@corp.contoso.com -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -Enabled $true
New-ADUser -Name ADRMSADMIN -GivenName ADRMSADMIN -SamAccountName ADRMSADMIN -UserPrincipalName ADRMSADMIN@corp.contoso.com -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -Enabled $true
New-ADUser -Name "Nicole Holliday" -GivenName Nicole -Surname Holliday -SamAccountName NHOLLIDA -UserPrincipalName nhollida@corp.contoso.com -EmailAddress nhollida@contoso.com -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -Enabled $true
New-ADUser -Name "Limor Henig" -GivenName Limor -Surname Henig -SamAccountName LHENIG -UserPrincipalName lhenig@corp.contoso.com -EmailAddress lhenig@contoso.com -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -Enabled $true
New-ADUser -Name "Stuart Railson" -GivenName Stuart -Surname Railson -SamAccountName SRAILSON -UserPrincipalName srailson@corp.contoso.com -EmailAddress srailson@contoso.com -ChangePasswordAtLogon $false -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -Enabled $true

Once you have created the additional user accounts for your AD RMS infrastructure, you will need to create some additional Active Directory groups to assign the users to; these groups are used in later steps to demonstrate restricted rights and permissions while testing your AD RMS installation. The following table lists the groups that you will need to create at this time.

Group Name    E-mail Address
Finance       finance@contoso.com
Marketing     marketing@contoso.com
Engineering   engineering@contoso.com
Employees     employees@contoso.com

To add new groups to Active Directory

  1. In Active Directory Users and Computers console, right-click Users, point to New, and then click Group.

  2. In the New Object – Group dialog box, type Finance in Group name, select the Universal option for Group Scope, and then click OK.

  3. Perform the above steps 1-2 for each of the remaining groups: Marketing, Engineering, and Employees.

  Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

New-ADGroup -Name Finance -SamAccountName Finance -GroupCategory Security -GroupScope Universal
New-ADGroup -Name Marketing -SamAccountName Marketing -GroupCategory Security -GroupScope Universal
New-ADGroup -Name Engineering -SamAccountName Engineering -GroupCategory Security -GroupScope Universal
New-ADGroup -Name Employees -SamAccountName Employees -GroupCategory Security -GroupScope Universal

Next, add e-mail addresses to group objects:

To add e-mail addresses to group objects

  1. In Active Directory Users and Computers console, double-click Users, click Finance, and then click Properties.

  2. Type finance@contoso.com in the E-mail box and then click OK.

  3. Perform the above steps 1-2 for each of the remaining groups: Marketing, Engineering, and Employees.

  Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Set-ADGroup Finance -Add @{mail='finance@contoso.com'}
Set-ADGroup Marketing -Add @{mail='marketing@contoso.com'}
Set-ADGroup Engineering -Add @{mail='engineering@contoso.com'}
Set-ADGroup Employees -Add @{mail='employees@contoso.com'}

Finally, add the user accounts to their appropriate groups. In this guide, we will add Nicole Holliday, Limor Henig, and Stuart Railson to the Employees group. Then, we will add Nicole Holliday to the Finance group, Limor Henig to the Marketing group, and finally add Stuart Railson to the Engineering group.

To add the user accounts to their respective groups, you should follow these steps:

To add user accounts to groups

  1. In the Active Directory Users and Computers console, double-click Users, and then double-click Employees.

  2. Click Members, and then click Add.

  3. Type nhollida@contoso.com;lhenig@contoso.com;srailson@contoso.com and then click OK.

  4. Perform the above steps 2 & 3 to add one member to each of the remaining groups as follows:

    • Nicole Holliday—Finance

    • Limor Henig—Marketing

    • Stuart Railson—Engineering

  5. Double-click Enterprise Admins.

  6. Click Members, and then click Add.

  7. Type adrmsadmin@contoso.com and then click OK.

  8. Close the Active Directory Users and Computers console.

  9. Log out of DC1.

  Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Add-ADGroupMember -Identity Employees -Members nhollida,lhenig,srailson
Add-ADGroupMember -Identity Finance -Members nhollida
Add-ADGroupMember -Identity Marketing -Members lhenig
Add-ADGroupMember -Identity Engineering -Members srailson
Add-ADGroupMember -Identity "Enterprise Admins" -Members adrmsadmin
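A verification script to run on DC1 after all of the Step 1 procedures, added here as an example and not part of the TLG. It checks every account and group against the two tables above, because AD RMS resolves rights through the mail attribute and group membership, so a missing or mistyped address would only surface later as a confusing failure at CLIENT1; it also confirms that the ADRMSSVC service account holds no administrative group membership. It assumes the ActiveDirectory module is present on DC1 (installed with AD DS).

```powershell
# Added example (not part of the original TLG). Run on DC1 as CORP\Administrator.
Import-Module ActiveDirectory

# Expected state, transcribed from the two tables in Step 1.
$ExpectedUsers = @{
    'NHOLLIDA'   = @{ Mail = 'nhollida@contoso.com'; Groups = @('Employees', 'Finance') }
    'LHENIG'     = @{ Mail = 'lhenig@contoso.com';   Groups = @('Employees', 'Marketing') }
    'SRAILSON'   = @{ Mail = 'srailson@contoso.com'; Groups = @('Employees', 'Engineering') }
    'ADRMSADMIN' = @{ Mail = $null;                  Groups = @('Enterprise Admins') }
    'ADRMSSVC'   = @{ Mail = $null;                  Groups = @() }
}
$ExpectedGroups = @{
    'Finance'     = 'finance@contoso.com'
    'Marketing'   = 'marketing@contoso.com'
    'Engineering' = 'engineering@contoso.com'
    'Employees'   = 'employees@contoso.com'
}
# A service account should never sit in these groups (least privilege).
$AdminGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

$problems = @()

foreach ($sam in $ExpectedUsers.Keys) {
    $u = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Properties mail, memberOf
    if (-not $u) { $problems += "User $sam does not exist"; continue }
    if (-not $u.Enabled) { $problems += "User $sam is disabled" }

    $want = $ExpectedUsers[$sam]
    if ($want.Mail -and $u.mail -ne $want.Mail) {
        $problems += "User $sam has mail '$($u.mail)', expected '$($want.Mail)'"
    }

    # memberOf holds group distinguished names; compare on the group name.
    $actualGroups = @($u.memberOf | ForEach-Object { (Get-ADGroup $_).Name })
    foreach ($g in $want.Groups) {
        if ($actualGroups -notcontains $g) { $problems += "User $sam is not a member of $g" }
    }
    if ($sam -eq 'ADRMSSVC') {
        foreach ($adm in $AdminGroups) {
            if ($actualGroups -contains $adm) { $problems += "Service account $sam must not be a member of $adm" }
        }
    }
}

foreach ($name in $ExpectedGroups.Keys) {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -Properties mail
    if (-not $g) { $problems += "Group $name does not exist"; continue }
    if ($g.GroupScope -ne 'Universal') {
        $problems += "Group $name has scope $($g.GroupScope), expected Universal"
    }
    if ($g.mail -ne $ExpectedGroups[$name]) {
        $problems += "Group $name has mail '$($g.mail)', expected '$($ExpectedGroups[$name])'"
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'All Step 1 accounts and groups match the tables.' -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```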

Step 2: Prepare SQL1 as a SQL Server database server for supporting AD RMS

SQL1 provides the following services:

  • A SQL Server installation on a member server within the corp.contoso.com domain that will host the AD RMS configuration and logging databases.

The procedures to complete the configuration of the AD RMS SQL server computer, named SQL1, include:

  • Install the operating system on SQL1 and download the SQL Server 2012 trial version software.

  • Install SQL Server 2012 trial version.

  • Configure TCP/IP and rename computer to SQL1.

  • Join the SQL1 computer to the corp.contoso.com domain.

To install the operating system and download SQL Server evaluation on to SQL1

  1. Start the installation of Windows Server 2012.

  2. Follow the instructions to complete the installation, specifying a strong password for the local Administrator account. Log on using the local Administrator account.

  3. Connect SQL1 to a network that has Internet access and run Windows Update to install the latest updates for Windows Server 2012.

    Tip

    To access Windows Update, you can do the following: press CTRL+ALT+DELETE and then select Task Manager. In Task Manager, click More details. From the File menu, select Run new task. In the Run dialog, type "control", select Create this task with administrative privileges, and then click OK. In Control Panel, type "Windows Update" in the search box. Click Windows Update in the search results and then update your settings to install the latest updates for Windows Server 2012.

  4. Download SQL Server 2012 trial version software to the SQL1 computer.

    You can download the Microsoft SQL Server 2012 trial version software from Microsoft SQL Server 2012 Evaluation. To install the trial version later, at a minimum, you will need the following files to be downloaded at this time to a temporary directory on the SQL1 computer: SQLFULL_architecture_language_Lang.box, SQLFULL_architecture_language_Install.exe, SQLFULL_architecture_language_Core.box.

SQL Server 2012 requires that the .NET Framework 3.5 features be installed first. To avoid problems installing these features later, install them now while SQL1 still has Internet access.

To enable .NET Framework 3.5 Features

  1. Log on to SQL1 using the local Administrator account.

  2. In Server Manager, click Local Server in the console tree, then click Manage, and then select Add Roles and Features.

  3. In Add Roles and Features wizard, click Next.

  4. In Select Installation Type, select Role-based or feature-based installation and then click Next.

  5. In Select Destination Server, verify that the local server is in the pool and that Select a server from the server pool is selected, and then click Next.

  6. In Select Server Roles, click Next.

  7. In Select Features, select .NET Framework 3.5 Features, and then click Next.

  8. In Confirm Installation Options, verify that .NET Framework 3.5 Features is selected, and then click Install.

Next, configure the TCP/IP protocol for SQL1 with a static IP address of 10.0.0.5 and the subnet mask of 255.255.255.0.

To configure TCP/IP for SQL1

  1. In Server Manager, click Local Server in the console tree. Click the link next to Wired Ethernet Connection.

    Note

    The link may not immediately appear. Wait for the network interfaces to be enumerated.

  2. In Network Connections, right-click Wired Ethernet Connection, and then click Properties. Note that the "Wired Ethernet Connection" interface name may be different on your computer.

  3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Select Use the following IP address. In IP address, type 10.0.0.5. In Subnet mask, type 255.255.255.0. Select Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1.

  5. Click OK and then close the Wired Ethernet Properties dialog.

  6. Close the Network Connections window.

  7. In Server Manager, click Local Server in the console tree. Click the link next to Computer name in the Properties tile.

  8. On the Computer Name tab of the System Properties dialog, click Change.

  9. In Computer name, type SQL1, click OK twice, and then click Close. When you are prompted to restart the computer, click Restart Now.

  10. After the computer restarts, log on using the local Administrator account.

  Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. Use the ipconfig /all command to list all the interfaces.

# The interface alias must match the name shown by ipconfig /all; the static address parameter is -IPAddress.
New-NetIPAddress -InterfaceAlias "Wired Ethernet Connection" -IPAddress 10.0.0.5 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias "Wired Ethernet Connection" -ServerAddresses 10.0.0.1
Rename-Computer -NewName SQL1
Restart-Computer

To join SQL1 to the corp.contoso.com domain

  1. In Server Manager, click Local Server in the console tree. Click the link next to Computer name in the Properties tile.

  2. In the System Properties dialog box, click the Computer Name tab. On the Computer Name tab, click Change.

  3. On the Computer Name tab, under Member of, click Domain, and then type corp.contoso.com.

  4. Click OK.

  5. When you are prompted for a user name and password, type User1 and the password for that account, and then click OK.

  6. When you see a dialog box welcoming you to the corp.contoso.com domain, click OK.

  7. When you are prompted that you must restart the computer, click OK.

  8. On the System Properties dialog box, click Close.

  9. When you are prompted to restart the computer, click Restart Now.

  10. After the computer restarts, click the Switch User arrow icon, then click Other User and log on to the CORP domain with the domain Administrator account.

  Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints. Note that you must supply domain credentials after entering the Add-Computer command below.

# Passing a user name to -Credential prompts for that account's password, which supplies the domain credentials the join requires.
Add-Computer -DomainName corp.contoso.com -Credential CORP\User1
Restart-Computer

To install SQL Server 2012 on the SQL1 computer

  1. Verify that you are logged on as CORP\Administrator to the SQL1 computer.

  2. Open Windows Explorer.

  3. Navigate to the temporary directory (such as C:\temp) where you downloaded SQL Server 2012 installation files previously.

  4. Double-click SQLFULL_architecture_language_Install.exe to extract the SQL Server installation files.

    You will see the Unloading the Box progress dialog box as the setup files and folder structure are unpacked. After the files are extracted, you will have a subfolder (such as C:\temp\SQLFULL_architecture_language) containing the installation files for SQL Server 2012.

  5. Navigate to the subfolder and double-click Setup to launch the SQL Server Installation Center. When prompted for administrative credentials to launch SQL Server 2012 Setup provide the current credentials for CORP\Administrator.

    In the SQL Server 2012 Installation Center, from the navigation menu on the left, click Installation, and then click New SQL Server installation or add features to an existing installation.

    SQL Server 2012 Setup will launch and run Setup Support Rules to determine that all SQL prerequisites have been met.

  6. Click OK after the Setup Support Rules check has successfully completed.

  7. In Product Key, if you are installing a trial version, under Specify a free edition, select Evaluation and then click Next.

  8. In License Terms, read the license terms, select the I accept the license terms check box, and then click Next.

  9. In Product Updates, SQL Server Setup will not be able to connect to the Windows Update service. Click Next to continue setup and begin installing setup files.

  10. In Setup Support Rules, note that the results of the rules check will typically indicate that all pre-checks have passed, with warnings about Microsoft .NET Application Security and Windows Firewall. Click Next to continue SQL Server setup.

  11. In Setup Role, select SQL Server Feature Installation and then click Next.

  12. In Feature Selection, select Database Engine Services and Management Tools - Basic, accept the defaults for the shared feature directory, and then click Next.

  13. In Installation Rules, verify that all rules have passed and then click Next.

  14. In Instance Configuration, accept the Default instance, as well as the default values for Instance ID and Instance root directory, and then click Next.

  15. In Disk Space Requirements, verify that the disk space summary shows sufficient space for the selected features and then click Next.

  16. In Server Configuration, accept the defaults and then click Next.

  17. In Database Engine Configuration, accept the default authentication type (Windows authentication) and then, for Specify SQL Server Administrators, click Add Current User to add CORP\Administrator to the list and then click Next.

  18. In Error Reporting, click Next.

  19. In Installation Configuration Rules, verify that all rules have passed and then click Next.

  20. In Ready to Install, review the installation selections and then click Install.

  21. Click Close after the installation has successfully completed.

Next, because ADRMSADMIN is also the account you will use to install and configure AD RMS in Step 3, add this account to the local Administrators group on APP1, where the AD RMS server will be located.

To add ADRMSADMIN to the local Administrators group on APP1

  1. Log on to the APP1 computer as a local administrator (APP1\Administrator).

  2. In Server Manager, click Local Server in the console tree, then click Tools, and then select Computer Management.

  3. Expand System Tools, expand Local Users and Groups, and then click Groups.

  4. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN in Enter the object names to select (examples) box, and then click OK.

  5. Click OK, and then close Computer Management.

  6. Log out as APP1\Administrator.

Finally, create a shared folder on SQL1 so that other domain users can find documents saved to the network.

To create a shared network folder that can be modified by domain users

  1. Verify that you are logged on as CORP\Administrator to the SQL1 computer.

  2. From the server desktop, open Windows Explorer and then right-click Local Disk (C:).

  3. Point to New, and then click Folder.

  4. Type Public for the new folder, and then press ENTER.

  5. Right-click Public, point to Share with, and then click Specific people.

    The File Sharing wizard opens.

  6. For Choose people on your network to share with, click the arrow and select Everyone, and then click Add.

  7. In the list, click the arrow for Permission Level on the group Everyone and select Read/Write.

  8. Click Share, then click Done.

  9. Right-click Public and then click Properties.

  10. On the Sharing tab, click Advanced Sharing, then click Permissions, and then click Add.

  11. In Select Users, Computers, Service Accounts or Groups, type Domain Users and then click Check Names.

  12. Click OK.

  13. On the Share Permissions tab, verify that Domain Users (CORP\Domain Users) is selected in the Group or user name box.

  14. In the Permissions for Users box select the Full Control check box in the Allow column.

  15. Click OK twice, and then click Close to close the Public Properties dialog box.

Next, continue working on SQL1 with SQL Server Management Studio and other administrative tools to make the configuration changes needed for SQL Server access before you install AD RMS in the next step. First, the ADRMSADMIN account must be granted the sysadmin server role on the SQL Server instance so that AD RMS Setup can create the AD RMS databases.

Add the CORP\ADRMSADMIN user as a SQL login and assign it SysAdmin rights

  1. While logged on to SQL1 as CORP\Administrator, press CTRL+ALT+DEL and select Task Manager.

  2. In Task Manager, from the File menu, select Run new task, type in the following to open SQL Server Management Studio and then click OK:

    C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\Management Studio\Ssms.exe
    
  3. Click Connect to connect to the SQL Server instance on SQL1.

  4. In the console tree, expand SQL1, then expand Security, and then click Logins.

  5. Right-click Logins and then click New Login.

  6. For Login Name, click Search.

  7. In Select User or Group, type CORP\ADRMSADMIN and then click Check Names, then click OK.

  8. In Login - New, in the navigation pane, select Server Roles.

  9. In the list of server roles, click the sysadmin checkbox.

  10. Click OK.

  11. Close SQL Server Management Studio.

Start the SQL Server Browser service on SQL1

  1. While logged on to SQL1 as CORP\Administrator, in Task Manager, from the File menu, select Run new task, type in the following to open the Services console and then click OK:

    Services.msc
    
  2. Scroll in the list of services and select SQL Server Browser.

  3. Right-click and select Properties.

  4. In SQL Server Browser Properties, for Startup type, select Automatic and then click Apply.

  5. Click Start to start the SQL Server Browser service.

  6. Click OK and then close the Services console.

Add Windows Firewall exceptions for SQL Server ports

  1. While logged on to SQL1 as CORP\Administrator, in Task Manager, from the File menu, select Run new task, type the following to open the Windows Firewall with Advanced Security console and then click OK.

    Wf.msc
    
  2. In the console tree, select Inbound Rules and then right-click and select New Rule.

  3. For Rule Type, select Port and then click Next.

  4. For Protocols and Ports, select TCP and then select Specific local ports, type in 1433 and then click Next.

  5. For Action, select Allow the connection and then click Next.

  6. For Profile, accept the defaults (Domain, Private and Public are all selected) and then click Next.

  7. For Name, type SQL_1433 and then click Finish.

  8. Repeat steps 2-7.

    For step 4, modify Protocols and Ports to select UDP and for specific local ports type in 1434. For step 7, in the Name page type SQL_1434 to name the second rule then click Finish.

  9. Close the Windows Firewall with Advanced Security console.
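The three preceding procedures (the SQL login with sysadmin rights, the SQL Server Browser service, and the firewall exceptions) as one script with a verification pass, added here as an example and not taken from the TLG. It assumes the default instance, that sqlcmd.exe from the SQL Server 2012 tools is on the PATH, and it restricts the firewall rules to the Domain profile, which is tighter than the wizard defaults above but sufficient for SQL1 in this lab.

```powershell
# Added example (not part of the original TLG). Run on SQL1 as CORP\Administrator
# after SQL Server 2012 Setup has completed.

# 1. SQL login for CORP\ADRMSADMIN with the sysadmin server role.
#    sqlcmd -E authenticates as the current Windows user (CORP\Administrator was
#    added as a SQL administrator during Setup). ALTER SERVER ROLE is SQL 2012 syntax.
#    sysadmin is only needed while AD RMS Setup creates its databases on APP1;
#    it can be removed from this login once the cluster is configured.
$tsql = "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\ADRMSADMIN') CREATE LOGIN [CORP\ADRMSADMIN] FROM WINDOWS; ALTER SERVER ROLE sysadmin ADD MEMBER [CORP\ADRMSADMIN];"
sqlcmd -S SQL1 -E -Q $tsql

# 2. SQL Server Browser: start it now and at every boot. It answers instance
#    lookups on UDP 1434; harmless for the default instance but the wizard enables it.
Set-Service -Name SQLBrowser -StartupType Automatic
Start-Service -Name SQLBrowser

# 3. Inbound rules for the Database Engine (TCP 1433) and the Browser (UDP 1434).
#    -Profile Domain keeps the ports closed on any non-domain network SQL1 might join.
New-NetFirewallRule -DisplayName SQL_1433 -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName SQL_1434 -Direction Inbound -Protocol UDP -LocalPort 1434 -Action Allow -Profile Domain

# Verification: the login carries sysadmin (prints 1), the Browser service is
# running with Auto start, the Database Engine listens on TCP 1433 (where AD RMS
# Setup on APP1 will connect), and both rules exist with the expected ports.
sqlcmd -S SQL1 -E -Q "SELECT IS_SRVROLEMEMBER('sysadmin', 'CORP\ADRMSADMIN') AS IsSysadmin;"
Get-WmiObject Win32_Service -Filter "Name='SQLBrowser'" | Select-Object Name, State, StartMode
Get-NetTCPConnection -LocalPort 1433 -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -DisplayName 'SQL_14*' | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Run the last four lines again from APP1 (replacing Get-NetTCPConnection with Test-NetConnection -ComputerName SQL1 -Port 1433) to confirm the path AD RMS Setup will actually use.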

Step 3: Install and configure AD RMS on APP1

To install and configure AD RMS, you must add the AD RMS server role.

Windows Server 2012 includes the option to install AD RMS as a server role through Server Manager. Both installation and configuration of AD RMS are handled through Server Manager. The first server in an AD RMS environment is the root cluster. An AD RMS root cluster is composed of one or more AD RMS servers configured in a load-balancing environment. This test lab guide will install and configure a single-server AD RMS root cluster.

To add the AD RMS server role

  1. Log on to the APP1 computer as the AD RMS enterprise administrator (CORP\ADRMSADMIN).

    Note

    The ADRMSADMIN account was created for use in installing and managing the AD RMS server deployment. To ensure it has sufficient rights to accomplish its purpose, such as the ability to register the service connection point (SCP), it needs to be made a member of the Enterprise Admins group for the corp.contoso.com domain. To install the AD RMS role on APP1, the ADRMSADMIN account also needs to be added to the local Administrators group on APP1. These account and group management details are important to successfully complete the configuration of the AD RMS cluster and allow for further management of the AD RMS server.

  2. In the Dashboard console of Server Manager, click Add roles and features.

  3. Click Next three times to get to the server role selection screen.

  4. In the Select server roles dialog, select Active Directory Rights Management Services, and then click Next.

  5. When prompted to add features that are required for AD RMS, click Add Features.

  6. In the Select features dialog, select .NET Framework 3.5 Features, and then click Next.

    Note


    You must install .NET Framework 3.5 prior to installing the Microsoft Report Viewer 2008 used to generate troubleshooting and system health reports on AD RMS in Windows Server 2012.

  7. In Active Directory Rights Management Services, click Next.

  8. In Select role services, verify that Active Directory Rights Management Server is selected, and then click Next.

  9. Click Install to add the role.

  10. Allow the installation to complete and then click Close.

  Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Install-WindowsFeature ADRMS -IncludeManagementTools
Install-WindowsFeature NET-Framework-Core

In Windows Server 2012, adding the AD RMS role and configuring a new AD RMS cluster are two separate processes. After you have added the role, additional configuration is required before the AD RMS cluster is deployed.

To configure a new AD RMS root cluster

  1. In Server Manager, click the Notifications icon.

  2. For the task event labeled Configuration required for Active Directory Rights Management Services at APP1, click Perform additional configuration.

    The AD RMS Configuration wizard opens.

  3. In the configuration wizard, click Next.

  4. For AD RMS Cluster, accept the default selection (Create a new AD RMS root cluster) and click Next.

  5. For Configuration Database, accept the default selection (Specify a database server and a database instance) and click Select.

  6. In Select Computer, for the object name to select, type SQL1, click Check Names and then click OK.

  7. Click List to list the database instances for SQL1. After the list is populated, select DefaultInstance from the drop-down list options and click Next.

  8. In Specify Service Account, click Specify and in the Windows Security dialog, type ADRMSSVC and the currently set password ("p@ssw0rd") and click OK.

  9. Verify that the Domain User Account is set to CORP\ADRMSSVC and then click Next.

  10. For Cryptographic Mode, accept the default (Cryptographic Mode 2) and then click Next.

  11. For Cluster Key Storage, accept the default (Use AD RMS centrally managed key storage) and then click Next.

  12. For Cluster Key Password, type and confirm a password ("p@ssw0rd") and then click Next.

  13. For Cluster Web Site, accept the default (Default Web Site) and then click Next.

  14. For Cluster Address, accept the default (Use an SSL-encrypted connection (https://)), for Fully Qualified Domain Name type in app1.corp.contoso.com and then click Next.

  15. For Server Certificate, accept the default (Create a self-signed certificate for SSL encryption) and then click Next.

    Tip


    When using a self-signed certificate for the cluster, you can put a copy of that certificate in the Trusted Root Certification Authorities store so that it will be trusted. A copy can also be put in that same certificates store on the client computer so that the web site is trusted.

  16. For Licensor Certificate, accept the default name (APP1) and then click Next.

  17. For SCP Registration, accept the default (Register the SCP now) and then click Next.

  18. For Confirmation, review your installation selections and then click Install.

  19. Click Close.

  20. Log off the server, and then log on again to update the security token of the logged-on user account.

    The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators local group. A user must be a member of that group to administer AD RMS.

Your AD RMS root cluster is now installed and configured.

Once you have logged on again, you can further manage AD RMS using the Active Directory Rights Management Services console.

  Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

Import-Module ADRMS
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster
# Set the AD RMS service account (enter CORP\ADRMSSVC and its password when prompted)
$adrmssvc = Get-Credential
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $adrmssvc
# Configure the AD RMS server to use the SQL1 server and the default instance
Set-ItemProperty -Path RC:\ClusterDatabase -Name ServerName -Value SQL1
Set-ItemProperty -Path RC:\ClusterDatabase -Name InstanceName -Value MSSQLSERVER
# Securely store the cluster key password string in a variable and assign it to your AD RMS installation
$password = Read-Host -AsSecureString -Prompt "Password:"
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $password
# Set the AD RMS cluster address (an SSL-encrypted cluster address uses port 443, not 80)
Set-ItemProperty -Path RC:\ -Name ClusterURL -Value "https://app1.corp.contoso.com:443"
# Set the SLC name for your AD RMS installation
Set-ItemProperty -Path RC:\ -Name SLCName -Value "APP1"
# Register the SCP connection point
Set-ItemProperty -Path RC:\ -Name RegisterSCP -Value $true
# Install the AD RMS root cluster using the settings provided
Set-Location RC:\
Install-ADRMS -Path .
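After the cluster is installed, two things are worth checking before moving on to the client: that the SCP registered in step 17 points at the cluster address chosen in step 14, and which certificate is present for that name (the self-signed one from step 15 is fine for the lab but should be replaced in production). The following is an added example, not part of the original guide; it uses only built-in ADSI access and the certificate provider, and assumes it is run on APP1 as CORP\ADRMSADMIN.

```powershell
# Added example (not from the original guide): post-install checks for the AD RMS root cluster.
$clusterFqdn = 'app1.corp.contoso.com'
$expectedUrl = "https://${clusterFqdn}:443"

function Test-AdrmsScp {
    param([string]$ExpectedUrl)
    try {
        # The SCP is stored in the forest configuration partition
        $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
        $scp      = [ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
        $binding  = [string]$scp.serviceBindingInformation
    } catch {
        return [pscustomobject]@{ Check = 'SCP'; Value = "error: $($_.Exception.Message)"; Ok = $false }
    }
    # serviceBindingInformation carries the cluster URL followed by a pipeline path,
    # so match on the URL prefix rather than the whole string
    $ok = $binding -and $binding.ToLower().StartsWith($ExpectedUrl.ToLower())
    [pscustomobject]@{ Check = 'SCP'; Value = $binding; Ok = [bool]$ok }
}

function Test-AdrmsCertificate {
    param([string]$Fqdn)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Fqdn*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Check = 'Certificate'; Value = 'not found'; Ok = $false }
    }
    $selfSigned = ($cert.Subject -eq $cert.Issuer)   # true for the wizard-created certificate
    $valid      = (Get-Date) -lt $cert.NotAfter
    [pscustomobject]@{
        Check = 'Certificate'
        Value = "thumbprint=$($cert.Thumbprint) issuer=$($cert.Issuer) selfSigned=$selfSigned"
        Ok    = ($valid -and -not $selfSigned)   # Ok=False is expected in this lab
    }
}

Test-AdrmsScp -ExpectedUrl $expectedUrl
Test-AdrmsCertificate -Fqdn $clusterFqdn
```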

To open the Active Directory Rights Management Services console

  1. In Server Manager, click Local Server in the console tree, then click Tools, and then click Active Directory Rights Management Services.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

From the console, you can configure trust policies, configure exclusion policies, and create rights policy templates.

Step 4: Verify AD RMS functionality after you complete the configuration

The AD RMS Client 1.0 is included in the default installation of Windows 8. Previous versions of the client are available for download for a number of earlier versions of the Windows operating system. For more information, see the AD RMS Client Requirements.

Before a user can consume rights-protected content, the AD RMS cluster URL must be added to that user's Local Intranet security zone. Do this for every user who will be consuming rights-protected content.

To add AD RMS cluster to Local Intranet security zone

  1. Log on to CLIENT1 as Nicole Holliday (CORP\NHOLLIDA).

  2. From the Taskbar, click Internet Explorer.

  3. Click Tools, and then click Internet Options.

  4. Click the Security tab, click Local intranet, and then click Sites.

  5. Click Advanced.

  6. In Add this website to the zone, type https://app1.corp.contoso.com, and then click Add.

  7. Click Close.

    Tip


    You can now verify access to the AD RMS licensing site by typing the URL (https://app1.corp.contoso.com) in the Address bar in Internet Explorer. You should also see a warning about the certificates for this site. That is because of the use of a self-signed certificate when AD RMS was configured. In live deployments, it is recommended that you use a signed certificate issued from a trusted Internet issuing certification authority (CA).

  8. Repeat steps 1–7 for Stuart Railson and Limor Henig.
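Repeating steps 2-7 for each user can also be scripted: the Internet Options dialog stores zone assignments under the current user's ZoneMap registry keys, so running the function below once in each user's session gives the same result. This is an added example, not part of the original guide; the key layout it assumes (Domains\<registrable domain>\<remaining host labels>, with a DWORD named after the scheme whose value is the zone id) is the one Internet Explorer writes.

```powershell
# Added example (not from the original guide): assign https://app1.corp.contoso.com to the
# Local intranet zone for the current user through the ZoneMap registry keys.
function Add-LocalIntranetSite {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # e.g. app1.corp.contoso.com
        [string]$Scheme = 'https'
    )
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$HostName'" }

    # Registrable domain = last two labels (contoso.com); the remaining labels (app1.corp)
    # become the subkey beneath it. A bare domain has no subkey.
    $domain = $labels[-2..-1] -join '.'
    $sub    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }

    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $key  = if ($sub) { "$base\$domain\$sub" } else { "$base\$domain" }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Zone ids: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites
    New-ItemProperty -Path $key -Name $Scheme -Value 1 -PropertyType DWord -Force | Out-Null

    # Return the zone id now stored for this scheme so the caller can confirm it is 1
    (Get-ItemProperty -Path $key).$Scheme
}

# Run once per user (Nicole Holliday, Stuart Railson, Limor Henig) in that user's session
Add-LocalIntranetSite -HostName 'app1.corp.contoso.com'
```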

To verify the functionality of the AD RMS deployment, you will log on as Nicole Holliday and then restrict permissions on a Microsoft Word 2010 document so that members of the Engineering group are able to read the document but unable to change, print, or copy it. You will then log on as Stuart Railson, verifying that permission to read the document has been granted, and nothing else. Then, you will log on as Limor Henig. Since Limor is not a member of the Engineering group, he should not be able to consume the rights-protected file.

Note


In this test lab guide, when a user restricts permissions on a document or attempts to open a restricted document, a warning appears that informs you that the certificate issuer for the AD RMS Web site is unknown or untrusted. This warning results from using a self-signed certificate instead of a certificate issued by a recognized certification authority. When you receive this warning, click Yes to continue.

To restrict permissions on a Microsoft Word document

  1. Log on to CLIENT1 as Nicole Holliday (CORP\NHOLLIDA).

  2. Open Microsoft Office Word 2010.

  3. Type Engineering employees can read this document, but they cannot change, print, or copy it on the blank document page.

  4. From the File menu, click Protect Document, then point to Restrict Permission by People, and then click Restricted Access.

    When prompted that this page requires a secure connection that includes server authentication, click Yes.

  5. In Permissions, click the Restrict permission to this document check box, and then in the Read box, type engineering@corp.contoso.com.

  6. Click OK to close the Permission dialog box.

  7. From the File menu, click Save As, and then save the file as \\SQL1\Public\ADRMS-TST.docx.

  8. Log off as Nicole Holliday.

Next, log on as Stuart Railson and open the document, ADRMS-TST.docx.

To view a rights-protected document

  1. Log on to CLIENT1 as Stuart Railson (CORP\SRAILSON).

  2. Open Windows Explorer and browse to \\SQL1\Public. Double-click ADRMS-TST.docx to open it in Microsoft Word 2010.

    When prompted that this page requires a secure connection that includes server authentication, click Yes.

  3. Note that the following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://app1.corp.contoso.com:443/_wmcs/licensing to verify your credentials and download your permission."

  4. Click OK.

    Note that the following message appears: "Verifying your credentials for opening content with restricted permissions…"

  5. When the document opens, click the File menu. Notice that the Print option is not available.

  6. Close Microsoft Word.

  7. Log off as Stuart Railson.

Finally, log on as Limor Henig and verify that he is not able to consume the rights-protected file.

To attempt to view a rights-protected document

  1. Log on to CLIENT1 as Limor Henig (CORP\LHENIG).

  2. Open Windows Explorer and browse to \\SQL1\Public. Double-click ADRMS-TST.docx to open it in Microsoft Word 2010.

    When prompted that this page requires a secure connection that includes server authentication, click Yes.

  3. Note that the following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://app1.corp.contoso.com:443/_wmcs/licensing to verify your credentials and download your permission."

  4. Click OK.

  5. The following message appears: "You do not have credentials that allow you to open this document. You can request updated permission from nhollida@contoso.com. Do you want to request updated permission?"

  6. Click No and then close Microsoft Word.

You have successfully deployed and demonstrated the functionality of AD RMS, using the simple scenario of applying restricted permissions to a Microsoft Word 2010 document. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.