Step 1: Setting up the Trey Research Domain

Applies To: Windows Server 2008, Windows Server 2008 R2

The Trey Research infrastructure contains all of the required components for an AD RMS installation. In this step, you install the required computers that make up the Trey Research domain:

  • Configure the domain controller (TREY-DC)

  • Create user accounts and groups

  • Configure the AD RMS database server (TREY-DB)

  • Configure the AD RMS root cluster computer (TREY-ADRMS)

  • Configure the AD RMS client computer (ADRMS-CLNT2)

Use the following table as reference when setting up the appropriate computer names, operating systems, and network settings that are required to complete the steps in this guide.

Important

Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your computers still has Internet connectivity.

| Computer name | Operating system requirement | IP settings | DNS settings |
|---|---|---|---|
| TREY-DC | Windows Server 2003 with Service Pack 2 (SP2) or Windows Server® 2008 | IP address: 10.0.0.30; Subnet mask: 255.255.255.0 | Configured by DNS server role. |
| TREY-ADRMS | Windows Server 2008 Enterprise or Windows Server 2003 R2 Enterprise Edition with SP2 | IP address: 10.0.0.33; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.30 |
| TREY-DB | Windows Server 2003 with SP2 | IP address: 10.0.0.34; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.30 |
| ADRMS-CLNT2 | Windows Vista | IP address: 10.0.0.32; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.30 |

Configure the domain controller (TREY-DC)

Depending on your environment, you can evaluate AD RMS in either a Windows Server 2008 domain or a Windows Server 2003 domain. Use one of the following sections depending on the domain to be used.

  • Configure the Windows Server 2003–based domain controller

  • Configure the Windows Server 2008–based domain controller

Configure the Windows Server 2003–based domain controller

To configure the domain controller TREY-DC, you must install Windows Server 2003, configure TCP/IP properties, install Active Directory, and raise the Active Directory domain functional level to Windows Server 2003.

First, install Windows Server 2003 with SP2 on the TREY-DC computer.

To install Windows Server 2003 Standard Edition

  1. Start your computer by using the Windows Server 2003 product CD. (You can use any edition of Windows Server 2003 except the Web Edition to establish the domain.)

  2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type TREY-DC.

In this step, configure TCP/IP properties so that TREY-DC has a static IP address of 10.0.0.30.

To configure TCP/IP properties on TREY-DC

  1. Log on to TREY-DC with the TREY-DC\Administrator account.

  2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click Properties.

  3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.

  4. Click the Use the following IP address option. In the IP address box, type 10.0.0.30. In the Subnet mask box, type 255.255.255.0.

  5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Install Active Directory

In this step, you are going to create a domain controller for Trey Research. It is important that you first configure the IP addresses as specified in the previous table before you attempt to install Active Directory. This helps ensure that DNS records are configured appropriately.

To configure TREY-DC as a domain controller

  1. Click Start, and then click Run. In the Open box, type dcpromo, and then click OK.

  2. On the Welcome page of the Active Directory Installation Wizard, click Next.

  3. Click Next, click the Domain controller for a new domain option, and then click Next.

  4. Click the Domain in a new forest option, and then click Next.

  5. In Full DNS name for new domain, type treyresearch.net and then click Next.

  6. In Domain NetBIOS name, type treyresearch, and then click Next three times.

  7. Click the Install and configure the DNS server on this computer and set this computer to use this DNS server as its preferred DNS server option, and then click Next.

  8. Click the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option, and then click Next.

  9. In the Restore Mode Password and Confirm Password boxes, type a strong password, and then click Next.

  10. Click Next.

  11. When the Active Directory Installation Wizard is done, click Finish.

  12. Click Restart Now.

Raise the domain functional level to Windows Server 2003

In this step, you raise the Active Directory domain functional level to Windows Server 2003. This functional level allows the use of Active Directory universal groups.

To raise the domain functional level to Windows Server 2003

  1. Log on to TREY-DC with the TREYRESEARCH\Administrator account.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Right-click treyresearch.net, and then click Raise Domain Functional Level.

  4. In the list under Select an available domain functional level, click Windows Server 2003, and then click Raise.

Note

You cannot change the domain functional level once you have raised it.

  5. Click OK, and then click OK again.

Configure a DNS forwarder

DNS forwarders are used in this guide to forward DNS requests that cannot be resolved from the treyresearch.net domain to the cpandl.com domain, and vice versa.

To configure a DNS forwarder on a Windows Server 2003–based computer

  1. Log on to TREY-DC with the TREYRESEARCH\Administrator account.

  2. Click Start, point to Administrative Tools, and then click DNS.

  3. Right-click TREY-DC, and then click Properties.

  4. Click the Forwarders tab.

  5. In the Selected domain's forwarder IP address list section, type 10.0.0.1, and then click Add.

  6. Click OK.

Configure the Windows Server 2008–based domain controller

To configure the domain controller TREY-DC, you must install Windows Server 2008, configure TCP/IP properties, and install Active Directory Domain Services.

First, install Windows Server 2008.

To install Windows Server 2008

  1. Start your computer by using the Windows Server 2008 product CD.

  2. Follow the instructions that appear on your screen, and when prompted for a computer name, type TREY-DC.

Next, configure TCP/IP properties so that TREY-DC has a static IPv4 address of 10.0.0.30.

To configure TCP/IP properties on TREY-DC

  1. Log on to TREY-DC with the TREY-DC\Administrator account.

  2. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.

  3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Click the Use the following IP address option. In IP address, type 10.0.0.30, and in Subnet mask, type 255.255.255.0.

  5. Click the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.30, and then click OK.

  6. On the Networking tab, clear the Internet Protocol Version 6 (TCP/IPv6) check box.

  7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Install Active Directory Domain Services

In this step, you are going to create a domain controller for Trey Research. It is important that you first configure the IP addresses as specified in the previous procedure before you attempt to install Active Directory Domain Services (AD DS). This helps ensure that DNS records are configured appropriately.

To configure TREY-DC as a domain controller

  1. Click Start, and then click Run.

  2. In the Open box, type dcpromo, and then click OK.

  3. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

  4. Click the Domain controller for a new domain option, and then click Next.

  5. Click the Create a new domain in a new forest option, and then click Next.

  6. In the FQDN of the forest root domain box, type treyresearch.net, and then click Next.

  7. In the Forest functional level box, click Windows Server 2003, and then click Next.

  8. In the Domain functional level box, click Windows Server 2003, and then click Next.

  9. Ensure that the DNS server check box is selected, and then click Next.

  10. Click Yes, confirming that you want to create a delegation for this DNS server.

  11. On the Location for Database, Log Files, and SYSVOL page, click Next.

  12. In the Password and Confirm password boxes, type a strong password, and then click Next.

  13. On the Summary page, click Next to start the installation.

  14. When the installation is complete, click Finish, and then click Restart Now.

Note

You must restart the computer after you complete this procedure.

Configure a DNS forwarder

DNS forwarders are used in this guide to forward DNS requests that cannot be resolved from the treyresearch.net domain to the cpandl.com domain, and vice versa.

To configure a DNS forwarder

  1. Log on to TREY-DC with the TREYRESEARCH\Administrator account or another user account in the local Administrators group.

  2. Click Start, point to Administrative Tools, and then click DNS.

  3. Right-click TREY-DC, and then click Properties.

  4. Click the Forwarders tab.

  5. Click Edit.

  6. Type 10.0.0.1, and then click OK.

  7. Click OK to close the properties sheet.

Create user accounts and groups

In this section, you create the user accounts and groups in the TREYRESEARCH domain.

First, add the user accounts shown in the following table to Active Directory or AD DS. Use the procedure following the table to create the user accounts.

| Account Name | User Logon Name | E-mail address |
|---|---|---|
| ADRMSADMIN | ADRMSADMIN | |
| ADRMSSRVC | ADRMSSRVC | |
| Terrence Philip | tphilip | tphilip@treyresearch.net |

To add new user accounts to the TREYRESEARCH domain

  1. Log on to TREY-DC with the TREYRESEARCH\Administrator account.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In the console tree, expand treyresearch.net.

  4. Right-click Users, point to New, and then click User.

  5. In the New Object – User dialog box, type ADRMSADMIN in the Full name and User logon name boxes, and then click Next.

  6. In the New Object – User dialog box, type a password of your choice in the Password and Confirm password boxes. Clear the User must change password at next logon check box, click Next, and then click Finish.

  7. Perform steps 3-6 for ADRMSSRVC and Terrence Philip (tphilip).

Next, add an e-mail address for Terrence Philip.

To add e-mail addresses to user accounts

  1. In the Active Directory Users and Computers console, right-click Terrence Philip, click Properties, type tphilip@treyresearch.net in the E-mail box, and then click OK.

  2. Close the Active Directory Users and Computers console.

Once the user accounts have been created, an Active Directory Universal group should be created with Terrence Philip as a member. The following table lists the Universal group that should be added to Active Directory. Use the procedure following the table to create the Universal group.

| Group Name | E-mail address |
|---|---|
| Employees | employees@treyresearch.net |

To add a new group object to Active Directory

  1. In the Active Directory Users and Computers console, right-click Users, point to New, and then click Group.

  2. In the New Object – Group dialog box, type Employees in Group name, click the Universal option for the Group Scope, and then click OK.

Next, add an e-mail address to the Trey Research employees group:

To add an e-mail address to a group object

  1. In the Active Directory Users and Computers console, double-click Users, right-click Employees, and then click Properties.

  2. Type employees@treyresearch.net in the E-mail box, and then click OK.

Finally, add Terrence Philip to the Employees group by following these steps:

To add Terrence Philip to the Employees group

  1. In the Active Directory Users and Computers console, double-click Users, and then double-click Employees.

  2. Click Members, and then click Add.

  3. Type tphilip@treyresearch.net, and then click OK.

  4. Close the Active Directory Users and Computers console.

Configure the AD RMS database server (TREY-DB)

First, install Windows Server 2003 on the computer that will host the AD RMS databases.

To install Windows Server 2003 Standard Edition

  1. Start your computer using the Windows Server 2003 product CD. (You can use any edition of Windows Server 2003 except the Web Edition to establish the domain.)

  2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type TREY-DB.

In this step, configure TCP/IP properties so that TREY-DB has a static IP address of 10.0.0.34.

To configure TCP/IP properties on TREY-DB

  1. Log on to TREY-DB with the TREY-DB\Administrator account.

  2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click Properties.

  3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.

  4. Click the Use the following IP address option. In the IP address box, type 10.0.0.34. In the Subnet mask box, type 255.255.255.0.

  5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join the AD RMS database server (TREY-DB) computer to the TREYRESEARCH domain:

To join TREY-DB to the TREYRESEARCH domain

  1. Click Start, right-click My Computer, and then click Properties.

  2. Click the Computer Name tab, and then click Change.

  3. In the Computer Name Changes dialog box, select the Domain option, and then type treyresearch.net.

  4. Click More, and then type treyresearch.net in the Primary DNS suffix of this computer box.

  5. Click OK twice.

  6. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials for TREYRESEARCH\Administrator, and then click OK.

  7. When a Computer Name Changes dialog box appears welcoming you to the treyresearch.net domain, click OK.

  8. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and then click OK again.

  9. Click Yes to restart the computer.

Next, install Microsoft SQL Server 2005 Standard Edition:

To install Microsoft SQL Server 2005

  1. Log on to TREY-DB with the TREYRESEARCH\Administrator account.

  2. Insert the Microsoft SQL Server 2005 product CD. The installation will start automatically.

  3. Click the I accept the licensing terms and conditions check box, and then click Next.

  4. On the Installing Prerequisites page, click Install.

  5. Click Next.

  6. On the Welcome to the Microsoft SQL Server Installation Wizard page, click Next, and then click Next again.

  7. In the Name box, type your name. In the Company box, type the name of your organization, and then type in the appropriate product key. Click Next.

  8. Select the SQL Server Database Services and Workstation components, Books Online, and development tools check boxes, and then click Next.

  9. Select the Default instance option, and then click Next.

  10. Click the Use the built-in System account option, and then click Next.

  11. Click the Windows Authentication Mode option, and then click Next.

  12. Click Next, accepting the default Collation Settings, and then click Next again.

  13. Click Install. When the status of all the selected components is finished, click Next.

  14. Click Finish.

Next, add ADRMSADMIN to the local Administrators group on TREY-DB. The AD RMS installing user account needs this membership in order to create the AD RMS databases. After AD RMS is installed, ADRMSADMIN can be removed from this group.

To add ADRMSADMIN to local Administrators group

  1. Click Start, point to Administrative Tools, and then click Computer Management.

  2. Expand System Tools, expand Local Users and Groups, and then click Groups.

  3. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN in the Enter the object names to select (examples) box, and then click OK.

  4. Click OK, and then close Computer Management.

Configure the AD RMS root cluster computer (TREY-ADRMS)

In this section, the AD RMS root cluster computer is installed and the AD RMS role is added.

Install the AD RMS root cluster computer

To configure the AD RMS root cluster computer, TREY-ADRMS, you must install Windows Server 2008, configure TCP/IP properties, and then join TREY-ADRMS to the domain treyresearch.net. You must also add the account ADRMSADMIN as a member to the local administrators group so that an administrator can use the ADRMSADMIN account to install AD RMS on TREY-ADRMS.

First, install Windows Server 2008 as a stand-alone server.

To install Windows Server 2008

  1. Start your computer by using the Windows Server 2008 product CD.

  2. When prompted for a computer name, type TREY-ADRMS.

  3. Follow the rest of the instructions that appear on your screen to finish the installation.

Next, configure TCP/IP properties so that TREY-ADRMS has a static IP address of 10.0.0.33. In addition, configure the DNS server by using the IP address of TREY-DC (10.0.0.30).

To configure TCP/IP Properties

  1. Log on to TREY-ADRMS with the TREY-ADRMS\Administrator account or another user account in the local Administrators group.

  2. Click Start, click Control Panel, double-click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.

  3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  4. Click the Use the following IP address option. In IP address, type 10.0.0.33. In Subnet mask, type 255.255.255.0.

  5. Click the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.30.

  6. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join TREY-ADRMS to the treyresearch.net domain.

To join TREY-ADRMS to the treyresearch.net domain

  1. Click Start, right-click Computer, and then click Properties.

  2. Click Change settings (at the right side under Computer name, domain, and workgroup settings), and then click Change.

  3. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type treyresearch.net.

  4. Click More, and type treyresearch.net in the Primary DNS suffix of this computer box.

  5. Click OK, and then click OK again.

  6. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials for TREYRESEARCH\Administrator, and then click OK.

  7. When a Computer Name/Domain Changes dialog box appears welcoming you to the treyresearch.net domain, click OK.

  8. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.

  9. Click Restart Now.

After the computer has restarted, add ADRMSADMIN to the local administrators group on TREY-ADRMS.

To add ADRMSADMIN to the local administrators group

  1. Log on to TREY-ADRMS with the TREYRESEARCH\Administrator account.

  2. Click Start, click Administrative Tools, and then click Computer Management.

  3. Expand System Tools, expand Local Users and Groups, and then click Groups.

  4. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN in the Enter the object names to select (examples) box, and then click OK.

  5. Click OK, and then close Computer Management.

Add the AD RMS server role to TREY-ADRMS

Windows Server 2008 includes the option to install AD RMS as a server role through Server Manager. Both installation and configuration of AD RMS are handled through Server Manager. The first server in an AD RMS environment is the root cluster. An AD RMS root cluster is composed of one or more AD RMS servers configured in a load-balancing environment. This section will install and configure a single-server AD RMS root cluster in the treyresearch.net domain.

Registering the AD RMS service connection point (SCP) requires that the installing user account be a member of the Active Directory Enterprise Admins group.

Important

Access to the Enterprise Admins group should be granted only while AD RMS is being installed. After installation is complete, the TREYRESEARCH\ADRMSADMIN account should be removed from this group.

To add ADRMSADMIN to the Enterprise Admins group

  1. Log on to TREY-DC with the treyresearch\Administrator account.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. In the console tree, expand treyresearch.net, double-click Users, and then double-click Enterprise Admins.

  4. Click the Members tab, and then click Add.

  5. Type adrmsadmin@treyresearch.net, and then click OK.

Install and configure AD RMS as a root cluster.

To add the AD RMS server role

  1. Log on to TREY-ADRMS as treyresearch\ADRMSADMIN.

  2. Click Start, point to Administrative Tools, and then click Server Manager.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. In the Roles Summary box, click Add Roles. The Add Roles Wizard opens.

  5. Read the Before You Begin section, and then click Next.

  6. On the Select Server Roles page, select the Active Directory Rights Management Services check box.

  7. The Role Services page appears informing you of the AD RMS dependent role services and features. Make sure that Web Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click Next.

  8. Read the AD RMS introduction page, and then click Next.

  9. On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and then click Next.

  10. Click the Create a new AD RMS cluster option, and then click Next.

  11. Click the Use a different database server option.

  12. Click Select, type TREY-DB in the Select Computer dialog box, and then click OK.

  13. In Database Instance, click Default, and then click Validate.

  14. Click Next.

  15. Click Specify, type TREYRESEARCH\ADRMSSRVC, type the password for the account, click OK, and then click Next.

  16. Ensure that the Use AD RMS centrally managed key storage option is selected, and then click Next.

  17. Type a strong password in the Password box and in the Confirm password box, and then click Next.

  18. Choose the Web site where AD RMS will be installed, and then click Next. In an installation that uses default settings, the only available Web site should be Default Web Site.

  19. Click the Use an SSL-encrypted connection (https://) option.

  20. In the Fully-Qualified Domain Name box, type trey-adrms.treyresearch.net, and then click Validate. If validation succeeds, the Next button becomes available. Click Next.

  21. Click the Choose an existing certificate for SSL encryption option, click the certificate that has been imported for this AD RMS cluster, and then click Next.

  22. Type a name that will help you identify the AD RMS cluster in the Friendly name box, and then click Next.

  23. Ensure that the Register the AD RMS service connection point now option is selected, and then click Next to register the AD RMS service connection point (SCP) in Active Directory during installation.

  24. Read the Introduction to Web Server (IIS) page, and then click Next.

  25. Keep the Web server default check box selections, and then click Next.

  26. Click Install to provision AD RMS on the computer. It can take up to 60 minutes to complete the installation.

  27. Click Close.

  28. Log off the server, and then log on again to update the security token of the logged-on user account. The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators local group. A user must be a member of that group to administer AD RMS.

Note

At this point in the guide, you can remove treyresearch\ADRMSADMIN from the local Administrators group on TREY-DB.

Your AD RMS root cluster is now installed and configured.
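
The guide grants TREYRESEARCH\ADRMSADMIN two memberships that are meant to last only for the installation: Enterprise Admins in treyresearch.net and the local Administrators group on TREY-DB. The following script is an added example, not part of the original guide, that reports whether either grant is still in place and revokes it when run with -Remove. It assumes PowerShell 2.0 or later, a session running as TREYRESEARCH\Administrator, and the computer, domain and account names used in this guide; the function and parameter names are this example's own.

```powershell
# Added example, not part of the original guide.
# Reports (and with -Remove revokes) the temporary memberships that the guide
# grants to TREYRESEARCH\ADRMSADMIN for the duration of the AD RMS installation.
param(
    [switch]$Remove   # without this switch the script only reports
)

# Names come from the guide. Addressing them through the ADSI WinNT provider
# is a choice made for this example so that no extra module is required.
$memberPath = 'WinNT://TREYRESEARCH/ADRMSADMIN'
$grants = @(
    @{ Label     = 'Enterprise Admins (treyresearch.net)'
       GroupPath = 'WinNT://TREYRESEARCH/Enterprise Admins,group' },
    @{ Label     = 'Administrators (local group on TREY-DB)'
       GroupPath = 'WinNT://TREY-DB/Administrators,group' }
)

function Get-GrantStatus {
    param(
        [hashtable]$Grant,
        [string]$MemberPath,
        [bool]$Revoke
    )

    $status = 'NotMember'
    try {
        $group = [ADSI]$Grant.GroupPath
        # IADsGroup::IsMember tests direct membership only, which is how the
        # guide adds the account (no nested groups are involved).
        if ($group.psbase.Invoke('IsMember', $MemberPath)) {
            $status = 'StillMember'
            if ($Revoke) {
                $group.psbase.Invoke('Remove', $MemberPath)
                $status = 'Removed'
            }
        }
    }
    catch {
        # An unreachable TREY-DB or a missing group ends up here; report it
        # as a failure rather than as "not a member".
        $status = 'CheckFailed: ' + $_.Exception.Message
    }

    New-Object PSObject -Property @{
        Group   = $Grant.Label
        Account = $MemberPath
        Status  = $status
    }
}

$results = @($grants | ForEach-Object {
    Get-GrantStatus -Grant $_ -MemberPath $memberPath -Revoke $Remove.IsPresent
})

$results | Format-Table Group, Account, Status -AutoSize

# Exit code 1 when a grant is still in place or could not be checked, so the
# script can gate a build-out checklist or a scheduled audit.
$open = @($results | Where-Object {
    $_.Status -ne 'NotMember' -and $_.Status -ne 'Removed'
})
if ($open.Count -gt 0) { exit 1 }
```

A removed membership applies to new logon sessions; a session that ADRMSADMIN already has open keeps its existing security token until the account logs off.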

Configure the AD RMS client computer (ADRMS-CLNT2)

To configure the ADRMS-CLNT2 client computer in the TREYRESEARCH domain, you must install Windows Vista, configure TCP/IP properties, and then join the computer to the TREYRESEARCH domain. You must also install an AD RMS-enabled application. In this example, Microsoft Office Word 2007 Enterprise Edition is installed on the client.

To install Windows Vista

  1. Start your computer by using the Windows Vista product CD.

  2. Follow the instructions that appear on your screen, and when prompted for a computer name, type ADRMS-CLNT2.

Next, configure TCP/IP properties so that ADRMS-CLNT2 has a static IP address of 10.0.0.32. In addition, configure the DNS server by using the IP address of TREY-DC (10.0.0.30).

To configure TCP/IP properties

  1. Log on to ADRMS-CLNT2 with the ADRMS-CLNT2\Administrator account or another user account in the local Administrators group.

  2. Click Start, click Network, and then click Network and Sharing Center.

  3. Click Manage Network Connections, right-click Local Area Connection, and then click Properties.

  4. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  5. Select the Use the following IP address option. In IP address, type 10.0.0.32. In Subnet mask, type 255.255.255.0.

  6. Select the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.30.

  7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join ADRMS-CLNT2 to the TREYRESEARCH domain.

To join ADRMS-CLNT2 to the TREYRESEARCH domain

  1. Click Start, right-click Computer, and then click Properties.

  2. Under Computer name, domain, and workgroup settings, click Change settings.

  3. On the Computer Name tab, click Change.

  4. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type treyresearch.net.

  5. Click More, and in the Primary DNS suffix of this computer box, type treyresearch.net.

  6. Click OK, and click OK again.

  7. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials for treyresearch\administrator, and then click OK.

  8. When a Computer Name/Domain Changes dialog box appears welcoming you to the treyresearch.net domain, click OK.

  9. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.

  10. In the System Settings Change dialog box, click Yes to restart the computer.

Finally, install Microsoft Office Word 2007 Enterprise Edition on ADRMS-CLNT2.

To install Microsoft Office Word 2007 Enterprise

  1. Double-click setup.exe from the Microsoft Office 2007 Enterprise product CD.

  2. Click Customize as the installation type, set the installation type to Not Available for all applications except Microsoft Office Word 2007 Enterprise, and then click Install Now. This might take several minutes to complete.

Important

Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007 allow you to create rights-protected content. All editions will allow you to consume rights-protected content.