Table of Contents

Active Directory Rights Management Services Overview (page 3)
  What is Active Directory Rights Management Services? (page 3)
  Features in AD RMS (page 4)
  Hardware and software considerations (page 4)
  Installing AD RMS (page 6)
  Managing AD RMS (page 6)
AD RMS Deployment in an Extranet Step-by-Step Guide (page 6)
  About this Guide (page 6)
    What This Guide Does Not Provide (page 7)
  Deploying AD RMS in a Test Environment (page 7)
  Step 1: Configuring AD RMS to Work in an Extranet (page 9)
    To configure the AD RMS extranet cluster URLs (page 10)
    To export the ADRMS-SRV server authentication certificate with private key (page 10)
  Step 2: Installing and Configuring ISA-SRV (page 11)
    Configure the ISA Server (ISA-SRV) (page 11)
      To install Windows Server 2003, Standard Edition (page 11)
      To configure TCP/IP properties on ISA-SRV (page 11)
      To join ISA-SRV to the cpandl.com domain (page 12)
      To import the server authentication certificate to the ISA-SRV computer (page 12)
      To install ISA Server 2006 Standard Edition (page 12)
    Publish AD RMS cluster to extranet (page 13)
      To publish AD RMS in ISA Server 2006 Standard Edition (page 13)
      To move the ADRMS-SRV server authentication certificate (page 14)
  Step 3: Configuring AD RMS Extranet Client (page 14)
    To install Windows Vista (page 14)
    To configure TCP/IP properties (page 14)
    To create an entry in the HOSTS file for AD RMS extranet cluster URL (page 15)
    To import the server authentication certificate to the ADRMS-EXCLNT computer (page 15)
    To install Microsoft Office Word 2007 Enterprise (page 16)
  Step 4: Verifying AD RMS Functionality using ADRMS-CLNT (page 16)
    To restrict permissions on a Microsoft Word document (page 17)
    To view a protected document (page 17)
Deploying Active Directory Rights Management Services with Active Directory Federation Services (page 18)
  Steps to complete this AD RMS with AD FS deployment (page 19)
    Step 1: Preparing the resource partner organization (Contoso) (page 21)
    Step 2: Preparing the account partner organization (Trey Research) (page 24)
    Step 3: Deploying the PKI certificates (page 27)
    Step 4: Installing and configuring AD RMS in the resource partner organization (Contoso) (page 31)
    Step 5: Installing and configuring AD FS for both organizations (page 35)
    Step 6: Preparing the Trey Research client for AD RMS: Configuring the Federation Home Realm (page 45)
    Step 7: Verifying the AD RMS and AD FS deployment (page 46)
Installing an AD RMS Cluster (page 47)
  See Also (page 48)
Removing an AD RMS Cluster (page 48)
Decommission AD RMS (page 49)
Remove the AD RMS Server Role (page 51)

Active Directory Rights Management Services Overview
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization's security strategy by protecting information
through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as
financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.
For information about AD RMS, see the Active Directory Rights Management Services TechCenter page at http://go.microsoft.com/fwlink/?LinkId=80907.
In the following sections, learn more about AD RMS, the required and optional features in AD RMS, and hardware and software used for running AD RMS. At the end of this
topic, learn how to open the AD RMS console and how to find more information about AD RMS.

What is Active Directory Rights Management Services?


An AD RMS system includes a Windows Server® 2008 R2-based server running the Active Directory Rights Management Services (AD RMS) server role that handles
certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows® 7 and Windows Vista®
operating systems. The deployment of an AD RMS system provides the following benefits to an organization:

• Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard
sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage
policy templates such as "confidential - read only" that can be applied directly to the information.

• Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information
protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.

• Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as
content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs
are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems,
automated workflows, and content inspection.
AD RMS provides developer tools and industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable
information protection solutions. For creating customized AD RMS solutions, an AD RMS software development kit (SDK) is available.

Features in AD RMS
By using Server Manager, you can set up the following components of AD RMS:

• Active Directory Rights Management Services. The Active Directory Rights Management Services (AD RMS) role service is a required role service that installs the
AD RMS components used to publish and consume rights-protected content.

• Identity Federation Support. The identity federation support role service is an optional role service that allows federated identities to consume rights-protected
content by using Active Directory Federation Services.

• Microsoft Federation Gateway Support. The Microsoft Federation Gateway is an identity service that runs over the Internet and mediates between an organization
or business and the external services that the organization wants to use. The gateway connects users and other identities to the services that it works with, so that an
organization only has to manage a single identity-federation relationship to enable its identities to access all Microsoft and Microsoft-based services they want to
use.

Hardware and software considerations


AD RMS runs on a computer running the Windows Server 2008 R2 operating system. When the AD RMS server role is installed, the required services are installed, one of
which is Internet Information Services (IIS). AD RMS also requires a database, such as Microsoft SQL Server, which can be run either on the same server as AD RMS or on a
remote server, and an Active Directory Domain Services forest.
The following table describes the minimum hardware requirements and recommendations for running Windows Server 2008 R2-based servers with the AD RMS server role.

Requirement | Recommendation
One Pentium 4 3 GHz processor or higher | Two Pentium 4 3 GHz processors or higher
512 MB of RAM | 1024 MB of RAM
40 GB of free hard disk space | 80 GB of free hard disk space

Note
A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows Server 2008 for Itanium-Based
Systems.

To assist with your hardware considerations, use testing in a lab environment, data from existing hardware in a production environment, and pilot roll-outs to determine the
capacity needed for your server.
The following table describes the software requirements for running Windows Server 2008 R2-based servers with the AD RMS server role. For requirements that can be met
by enabling features on the operating system, installing the AD RMS server role will configure those features as appropriate, if they are not already configured.

Software | Requirement
Operating system | Windows Server 2008 R2
File system | NTFS file system is recommended
Messaging | Message Queuing
Web services | Internet Information Services (IIS). ASP.NET must be enabled.
Active Directory or Active Directory Domain Services | AD RMS must be installed in an Active Directory domain in which the domain controllers are running Windows Server 2000 with Service Pack 3 (SP3), Windows Server 2003, Windows Server® 2008, or Windows Server 2008 R2. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory.
Database server | AD RMS requires a database server, such as Microsoft SQL Server 2005 or Microsoft SQL Server 2008, and stored procedures to perform operations. The AD RMS server role on Windows Server 2008 R2 does not support Microsoft SQL Server 2000.

The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007. These
applications require the Enterprise, Professional Plus, or Ultimate versions of Microsoft Office 2007 to create rights-protected content. For additional security, AD RMS can be
integrated with other technologies such as smart cards.
Windows 7 and Windows Vista include the AD RMS client by default, but other client operating systems must have the RMS client installed. The RMS client with Service
Pack 2 (SP2) can be downloaded from the Microsoft Download Center and works on versions of the client operating system earlier than Windows Vista and Windows
Server 2008.
For more detailed information about hardware and software considerations with AD RMS, see the Pre-installation Information for Active Directory Rights Management
Services topic on the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=84733).

Installing AD RMS
After you finish installing the operating system, you can use Initial Configuration Tasks or Server Manager to install server roles. To install AD RMS, in the list of tasks,
click Add roles , and then click the Active Directory Rights Management Services check box.
For detailed instructions about installing and configuring AD RMS in a test environment, see the AD RMS installation Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=72134).

Managing AD RMS
Server roles are managed by using a Microsoft Management Console (MMC) snap-in. Use the Active Directory Rights Management Services console to manage AD RMS. To
open the Active Directory Rights Management console, click Start , point to Administrative Tools , and then click Active Directory Rights Management Services .

AD RMS Deployment in an Extranet Step-by-Step Guide
Applies To: Windows Server 2008, Windows Server 2008 R2
About this Guide
This step-by-step guide walks you through the process of configuring Active Directory Rights Management Services (AD RMS) in a test environment that
includes an extranet. An extranet is an extension of your organization's network to an external source. In this guide, the AD RMS cluster is extended to the
Internet so that users can consume rights-protected content when not connected to the internal network. During this process, you install Microsoft Internet
Security and Acceleration (ISA) Server 2006 Standard Edition, integrate it with AD RMS, and verify that you can open a rights-protected document from a
computer that is not a member of your organizational network.
Once complete, you can use the test AD RMS lab environment to assess how AD RMS on Windows Server® 2008 can be created and deployed within your
organization to accommodate for extranet users.
As you complete the steps in this guide, you will:

• Install and configure ISA Server 2006 Standard Edition with AD RMS.

• Verify AD RMS functionality after you complete the configuration.


Note

ISA Server 2006 Standard Edition is not required for AD RMS. Any reverse proxy server that has the ability to listen on TCP ports 80 and 443 can be
used. For the purposes of this guide, we will use ISA Server 2006 Standard Edition.

What This Guide Does Not Provide


This guide does not provide the following:

• Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured
for a test environment. For more information about configuring AD RMS, see the Windows Server Active Directory Rights Management Services
Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).

• Complete technical reference for AD RMS or Microsoft ISA Server 2006 Standard Edition. For more information about Microsoft ISA Server 2006
Standard Edition, visit the ISA Server 2006 Technical Library (http://go.microsoft.com/fwlink/?LinkId=90738).

Deploying AD RMS in a Test Environment


We recommend that you use the steps provided in the "Windows Server Active Directory Rights Management Services Step-by-Step Guide" before
completing the steps in this guide. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features without additional
documentation and should be used with discretion as a stand-alone document.
Upon completion of this Step-by-Step guide, you will have a working AD RMS test lab environment configured for use in an extranet scenario. You can then
test and verify AD RMS extranet functionality through the simple task of restricting permissions on a Microsoft Office Word 2007 document and attempting
to open this document from a client computer that is not part of your organization's network.
The test environment described in this guide includes six computers that use the following operating systems, applications, and services:

Note

You will also need a USB flash drive or another medium to copy the files from the AD RMS-enabled client to the AD RMS-enabled extranet client.

Computer Name | Operating System | Applications and Services
ADRMS-SRV | Windows Server 2008 | AD RMS, Internet Information Services (IIS) 7.0, Message Queuing, and Windows Internal Database
CPANDL-DC | Windows Server 2003 with Service Pack 1 (SP1) | Active Directory, Domain Name System (DNS)
ADRMS-DB | Windows Server 2003 with SP1 | Microsoft SQL Server™ 2005 Standard Edition
ISA-SRV | Windows Server 2003 with SP1 | Microsoft ISA Server 2006 Standard Edition (see the note below)
ADRMS-CLNT | Windows Vista® | Microsoft Office Word 2007 Enterprise Edition
ADRMS-EXCLNT | Windows Vista | Microsoft Office Word 2007 Enterprise Edition

Note

ISA-SRV must have two network adapters so that ISA Server 2006 can distinguish between the public and private IP addresses.

The first five computers in the table form a private intranet and are connected through a common hub or Layer 2 switch. Additionally, ISA-SRV has a second
network adapter installed that is exposed to the Internet. This allows for the ISA Server to accept requests from the Internet and forward them to the AD RMS
server. ADRMS-EXCLNT is a computer that is not part of the same network. This configuration can be emulated in a virtual server environment if desired.
This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain
controller is named CPANDL-DC for the domain named cpandl.com. ADRMS-EXCLNT is configured with an IP address of 10.0.100.2/24 in order to
simulate a client computer on an extranet. The following figure shows the configuration of the test environment:
Note

In a production environment, the ISA server's external address would be an IP address available to the Internet, giving extranet users the ability to consume rights-
protected content.

Step 1: Configuring AD RMS to Work in an Extranet


Applies To: Windows Server 2008, Windows Server 2008 R2
In addition to the steps outlined in the "Windows Server Active Directory Rights Management Services Step-by-Step Guide," you must also do the following:

• Configure the extranet cluster URL in the Active Directory Rights Management Services console.

• Export the server authentication certificate, including the private key, on ADRMS-SRV. This will be imported into the Personal certificate store on the ISA server
(ISA-SRV).
In order for users who are not connected to your organization's internal network to consume rights-protected content, you must configure the AD RMS extranet cluster
URLs. These URLs are included in the AD RMS client licensor certificate and published with all rights-protected content. These URLs should be an address that is available to
all computers on the Internet.

Note

You must configure the extranet cluster URLs before you can rights-protect content. If you already have rights-protected content, the AD RMS-enabled
client must download a new client licensor certificate that includes the extranet cluster URL.

Configuring the extranet cluster URLs is done through the Active Directory Rights Management Services console. You should follow these steps to accomplish this task:

To configure the AD RMS extranet cluster URLs


1. Log on to ADRMS-SRV as CPANDL\ADRMSADMIN.
2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Right-click ADRMS-SRV (Local), and then click Properties.
5. Click the Cluster URLs tab, and then select the Extranet URLs check box.
6. In the Licensing box, select https://, and then type adrms-srv.cpandl.com.
7. In the Certification box, select https://, and then type adrms-srv.cpandl.com.
8. Click OK.
Next, export the ADRMS-SRV server authentication certificate with its private key. This is required so that ISA-SRV can pass HTTPS requests from ADRMS-EXCLNT to the
AD RMS cluster.

To export the ADRMS-SRV server authentication certificate with private key


1. Click Start, type mmc.exe, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. Click File, and then click Add/Remove Snap-in.
4. Click Certificates, and then click Add.
5. Select the Computer account option, and then click Next.
6. Click Finish, and then click OK.
7. Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates in the console tree.
8. Right-click ADRMS-SRV.cpandl.com, point to All Tasks, and then click Export.
9. On the Welcome to the Certificate Export Wizard page, click Next.
10. Select the Yes, export the private key option, and then click Next.
11. On the Export File Format page, click Next, accepting the default selections.
12. In the Password and Type and confirm password boxes, type the same strong password, and then click Next.
13. In the File name box, type \\adrms-db\public\adrms-srv_with_key.pfx, and then click Next.
14. Click Finish.
15. Click OK, confirming that the export was successful.

Step 2: Installing and Configuring ISA-SRV


Applies To: Windows Server 2008, Windows Server 2008 R2
ISA Server 2006 Standard Edition is an integrated edge security gateway that can be used with AD RMS to restrict Internet access to the AD RMS cluster. The ISA server
handles all requests from the Internet to the AD RMS extranet cluster URLs and passes them to the AD RMS cluster, when necessary.
To install and configure ISA Server 2006 Standard Edition to work with AD RMS, you must complete the following steps:

• Configure the ISA Server (ISA-SRV)

• Publish AD RMS cluster to extranet

Configure the ISA Server (ISA-SRV)


First, install Windows Server 2003 on a stand-alone server.

To install Windows Server 2003, Standard Edition


1. Start your computer by using the Windows Server 2003 product CD.
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type ISA-SRV.
Next, configure TCP/IP properties so that ISA-SRV has a static IP address of 10.0.0.5 and preferred DNS server with IP address 10.0.0.1 on the first network adapter. On the
second network adapter, use 10.0.100.1 as the IP address.

To configure TCP/IP properties on ISA-SRV


1. Log on to ISA-SRV as a member of the local Administrators group.
2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.5. In the Subnet mask box, type 255.255.255.0. In the Preferred DNS
server box, type 10.0.0.1.
5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
6. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection 2, and then click Properties.
7. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
8. Click the Use the following IP address option. In the IP address box, type 10.0.100.1. In the Subnet mask box, type 255.255.255.0.
9. Click OK, and then click Close to close the Local Area Connection 2 Properties dialog box.
Next, join ISA-SRV to the cpandl.com domain.

To join ISA-SRV to the cpandl.com domain


1. Click Start, right-click My Computer, and then click Properties.
2. Click the Computer Name tab, and then click Change.
3. In the Computer Name Changes dialog box, select the Domain option, and then type cpandl.com.
4. Click More, and type cpandl.com in Primary DNS suffix of this computer box.
5. Click OK, and then click OK again.
6. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials for CPANDL\Administrator, and then
click OK.
7. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain, click OK.
8. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.
9. Click Restart Now.
Next, import the server authentication certificate that contains the private key into the Trusted Certification Authorities store on ISA-SRV.

To import the server authentication certificate to the ISA-SRV computer


1. Log on to ISA-SRV as a member of the local Administrators group.
2. Click Start, click Run, type mmc.exe, and then press ENTER.
3. Click File, and then click Add/Remove Snap-in.
4. Click Add, select Certificates, and then click Add.
5. Select the Computer Account option, click Next, and then click Finish.
6. Click Close, and then click OK.
7. Expand Certificates, and then expand Personal.
8. Right-click Certificates in the console tree, point to All Tasks, and then click Import.
9. On the Welcome to the Certificate Import wizard page, click Next.
10. In the File name box, type \\adrms-db\public\adrms-srv_with_key.pfx, click OK, and then click Next.
11. Type the password used to export the certificate, and then click Next.
12. Click Next, and then click Finish.
13. Click OK confirming that the import was successful.
14. Close the Certificates console.
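The export on ADRMS-SRV and the import on ISA-SRV above can also be done without the MMC wizards. The following script is an added example, not part of the Microsoft guide: it uses the .NET X509 classes from an elevated PowerShell prompt, refuses to export a certificate that has no private key, and verifies after import that the key is attached. The subject name, store names and share path are taken from the guide; the -Mode switch and the function names are this script's own.

```powershell
# Run on ADRMS-SRV with -Mode Export, then on ISA-SRV with -Mode Import.
param(
    [ValidateSet('Export', 'Import')] [string] $Mode = 'Export',
    [string] $Subject = 'adrms-srv.cpandl.com',
    [string] $PfxPath = '\\adrms-db\public\adrms-srv_with_key.pfx'
)

$ns = 'System.Security.Cryptography.X509Certificates'

function Find-ServerCert([string] $StoreName, [string] $Subject) {
    # Search a LocalMachine store. The guide exports from
    # Trusted Root Certification Authorities, whose store name is 'Root'.
    $store = New-Object "$ns.X509Store" -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadOnly')
    try {
        $found = @($store.Certificates |
            Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Subject })
        if ($found.Count -eq 0) { throw "No certificate for $Subject in LocalMachine\$StoreName" }
        if ($found.Count -gt 1) { throw "Several certificates match $Subject; select by thumbprint instead" }
        return $found[0]
    } finally {
        $store.Close()
    }
}

function Export-ServerCertPfx($Cert, [string] $Path, [System.Security.SecureString] $Password) {
    # A PFX without the private key is useless to ISA-SRV, so fail before writing anything.
    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key" }
    # Export throws a CryptographicException if the key was generated as non-exportable.
    $pfx = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes = $Cert.Export($pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $Cert.Thumbprint
}

function Import-ServerCertPfx([string] $Path, [System.Security.SecureString] $Password) {
    # MachineKeySet + PersistKeySet: the private key is stored under the machine
    # key container and kept after this process exits, which is what the Certificate
    # Import Wizard does for the Local Computer Personal store.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'MachineKeySet, PersistKeySet'
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList $Path, $Password, $flags
    $store = New-Object "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert
}

# The guide uses the same strong password for export and import.
$password = Read-Host -AsSecureString 'PFX password'
if ($Mode -eq 'Export') {
    $thumb = Export-ServerCertPfx (Find-ServerCert 'Root' $Subject) $PfxPath $password
    Write-Host "Exported $Subject ($thumb) with its private key to $PfxPath"
} else {
    $cert = Import-ServerCertPfx $PfxPath $password
    if (-not $cert.HasPrivateKey) { throw 'Import succeeded but no private key is attached; re-export with the key' }
    Write-Host "Imported $($cert.Subject) ($($cert.Thumbprint)) into LocalMachine\My"
    Write-Host "Delete $PfxPath from the share now; it contains the cluster's private key"
}
```

The PFX on the \\adrms-db\public share holds the private key that every extranet client will trust, so remove it as soon as the import on ISA-SRV has succeeded.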
Finally, install ISA Server 2006 Standard Edition.

To install ISA Server 2006 Standard Edition


1. Log on to ISA-SRV as a member of the local Administrators group.
2. Insert the ISA Server 2006 Standard Edition product CD.
3. Click Install ISA Server 2006.
4. On the Welcome to the Installation Wizard for Microsoft ISA Server 2006 page, click Next.
5. Select the I accept the terms in the license agreement option, and then click Next.
6. Type your ISA Server product key in the Product Serial Number box, and then click Next.
7. Select the Typical option, and then click Next.
8. Click Add, click Add Adapter, select the Local Area Connection check box, click OK, and then click OK again.
9. Click Next three times, and then click Install.
10. When the installation is complete, click Finish.
11. Click OK. Read the information if desired, and then close Internet Explorer.
12. Click Exit to close Microsoft ISA Server 2006 Setup.

Publish AD RMS cluster to extranet


ISA Server 2006 Standard Edition requires that a Web listener be configured for a specified port. In this guide, you use TCP port 443 (SSL) in order to help make data
transmission secure between the clients and the ISA server. In this section, you publish the AD RMS Web site through the ISA server. This involves publishing the AD RMS
extranet cluster URL to this ISA server and then allowing the ISA server to pass the user credentials directly to the AD RMS server. Because a self-signed certificate is used for
the AD RMS cluster in this guide, you must move it from the Personal certificate store to the Trusted Root Certification Authorities store.
First, publish the AD RMS cluster on ISA-SRV.

To publish AD RMS in ISA Server 2006 Standard Edition


1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. Expand ISA-SRV, and then click Firewall Policy.
3. Click the Tasks tab, and then click Publish Web Sites.
4. In the Web publishing rule name box, type AD RMS Extranet, and then click Next.
5. Click Next twice accepting the default selections.
6. Select the Use SSL to connect to the published Web server or server farm option, and then click Next.
7. In the Internal Site Name box, type adrms-srv.cpandl.com.
8. Select the Use a computer name or IP address to connect to the published server check box, type 10.0.0.2 in the Computer name or IP address box, and then click Next.
9. In the Path (optional) box, type /*, select the Forward the original host header instead of the actual one specified in the Internal site name field on the
previous page check box, and then click Next.
10. In the Public name box, type adrms-srv.cpandl.com, and then click Next.
11. Click New to create a new Web listener.
12. In the Web listener name box, type HTTPS Port 443, and then click Next.
13. Select the Require SSL secured connections with clients option, and then click Next.
14. Select the External check box, and then click Next.
15. Select the Use a single certificate for this Web listener option, and then click Select Certificate.
16. Click the ADRMS-SRV.cpandl.com certificate, click Select, and then click Next.
17. In the Select how clients will provide credentials to ISA Server box, select No Authentication, click Next, and then click Next again.
18. Click Finish to close the New Web Listener Wizard.
19. Click Next.
20. Click No delegation, but client may authenticate directly, and then click Next.
21. Click Next to apply this Web publishing rule to all users.
22. Click Finish.
23. Click Apply to save changes and update your configuration, and then click OK.
Finally, move the ADRMS-SRV server authentication certificate from the Personal certificate store to the Trusted Root Certification Authorities store:
To move the ADRMS-SRV server authentication certificate
1. Click Start, and then click Run.
2. Type mmc.exe, and then click OK.
3. Click File, and then click Add/Remove Snap-in.
4. Click Add, click Certificates, click Add, select the Computer account option, and then click Next.
5. Click Finish, click Close, and then click OK.
6. Expand Certificates (Local computer), expand Personal, and then expand Trusted Root Certification Authorities.
7. Click Certificates under Personal in the console tree.
8. Select the ADRMS-SRV.cpandl.com certificate in the details pane and drag it to the Certificates folder under Trusted Root Certification Authorities.
9. Close the Certificates console.

Step 3: Configuring AD RMS Extranet Client


Applies To: Windows Server 2008, Windows Server 2008 R2
To configure the AD RMS extranet client computer (ADRMS-EXCLNT), you must install Windows Vista, configure TCP/IP properties, create an entry in the local HOSTS file,
import the ADRMS-SRV server authentication certificate, and then install an AD RMS enabled application. In this example, Microsoft Office Word 2007 is installed on ADRMS-
EXCLNT.

To install Windows Vista


1. Start your computer using the Windows Vista product CD.
2. Follow the instructions that appear on your screen, and when prompted for a computer name, type ADRMS-EXCLNT.
Next, configure TCP/IP properties so that ADRMS-EXCLNT has a static IP address of 10.0.100.2.

To configure TCP/IP properties


1. Click Start, click Control Panel, click Network and Internet, double-click Network and Sharing Center, click Manage Network Connections in the left pane,
right-click Local Area Connection, and then click Properties.
2. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Select the Use the following IP address option. In IP address, type 10.0.100.2, in Subnet mask, type 255.255.255.0.
4. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
5. Close the other open windows and return to the desktop.
In this guide, a test environment without an external DNS server is used. In order for the extranet cluster URL to resolve to the appropriate IP address, you must create a
manual entry in the HOSTS file that points to ISA-SRV.

Note
In a production environment, this step is not required because the extranet client computer's Internet Service Provider will handle the DNS resolution.

To create an entry in the HOSTS file for AD RMS extranet cluster URL
1. Log on to ADRMS-EXCLNT as a member of the local Administrators group.
2. Click Start, point to All Programs, click Accessories, and then click Notepad.
3. Within Notepad, click File, and then click Open.
4. Navigate to C:\windows\System32\drivers\etc\HOSTS, and then click Open.

Note

To show the HOSTS file, when you get to the etc folder you must select All Files (above the Open button).

5. On a new line at the bottom of the file, type 10.0.100.1 adrms-srv.cpandl.com.
6. Save and close the HOSTS file.
Next, import the ADRMS-SRV server authentication certificate into the Trusted Root Certification Authorities store on ADRMS-EXCLNT. This is only required when using self-signed
certificates. In a production environment, the certificate should be issued by a certification authority that the client already trusts.

To import the server authentication certificate to the ADRMS-EXCLNT computer


1. Log on to ADRMS-EXCLNT with a user account that is a member of the local Administrators group.
2. Click Start, point to All Programs, and then click Internet Explorer.
3. In the Address bar, type https://adrms-srv.cpandl.com/_wmcs/licensing/license.asmx, and then press ENTER.
4. On the Certificate Error: Navigation Blocked Web page, click Continue to this website (not recommended).
5. In the User name box, type CPANDL\srailson. In the Password box, type the password for Stuart Railson, and then click OK.
6. In the Address Bar, click Certificate Error, and then click View Certificates.
7. On the Certificate Information page, click Install Certificate.
8. On the Welcome to the Certificate Import Wizard page, click Next.
9. Select the Place all certificates in the following store option, click Browse, click Trusted Root Certification Authorities, and then click OK.
10. Click Next, and then click Finish.
11. Click Yes, accepting the security warning. This only happens because self-signed certificates are used.
12. Click OK, confirming that the certificate import was successful.
13. Click OK to close the Certificate Information window.
14. Close Internet Explorer.
Finally, install Microsoft Office Word 2007 Enterprise.

To install Microsoft Office Word 2007 Enterprise


1. Double-click setup.exe from the Microsoft Office 2007 Enterprise product CD.
2. Click Customize as the installation type, set the installation type to Not Available for all applications except Microsoft Office Word 2007 Enterprise, and then
click Install Now. This might take several minutes to complete.

Important

Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007 allow you to create rights-protected content. All editions will allow
you to consume rights-protected content.

Step 4: Verifying AD RMS Functionality using ADRMS-CLNT

Applies To: Windows Server 2008, Windows Server 2008 R2
To verify the functionality of the AD RMS deployment, you will log on to ADRMS-CLNT as Nicole Holliday and then restrict permissions on a Microsoft Word 2007 document
so that Stuart Railson is only able to read the document but unable to change, print, or copy. You will then copy this document to a removable device (for example, a USB
flash drive) and log on to a client computer that is not part of the organizational network, such as a home computer. In this example, ADRMS-EXCLNT serves as the home
computer. After the file is copied to the USB flash drive, Stuart Railson logs on to the extranet client computer (ADRMS-EXCLNT) and verifies that he is able to open the
rights-protected document from the USB flash drive.

Note

A USB flash drive is not required in this scenario. Any means of getting the document to the extranet client computer will work, such as attaching the
document to an e-mail message and sending it to Stuart. In that example, Stuart would then open the document contained in the e-mail message on the
extranet client computer.

Use the following steps to restrict permissions on a Microsoft Word document:

To restrict permissions on a Microsoft Word document


1. Log on to ADRMS-CLNT as Nicole Holliday (cpandl\nhollida).
2. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.
3. Type This is a test of AD RMS Extranet functionality. into the blank document page, click the Microsoft Office Button, point to Prepare, point to Restrict
Permission, and then click Restricted Access.
4. Select the Restrict permission to this document check box.
5. In the Read box, type srailson@cpandl.com, and then click OK to close the Permission dialog box.
6. Click the Microsoft Office Button, click Save As, and then save the file as ADRMS-TST.
7. Copy ADRMS-TST.docx to a USB flash drive.
8. Log off as Nicole Holliday.
Finally, open the document, ADRMS-TST.docx, on ADRMS-EXCLNT from the USB flash drive.

To view a protected document


1. Log on to ADRMS-EXCLNT with the local user account that you want to use for consuming the rights-protected document.

Caution

Once this document has been consumed, any other user who logs on to the computer with the same user account will also be able to consume the
document.

2. Insert the USB flash drive, and then double-click the ADRMS-TST.docx file.
3. In the User name box, type cpandl\srailson. In the Password box, type the password for Stuart Railson, and then click OK.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-
srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permissions."
4. Click OK.
The following message appears: "You are attempting to send information to an Internet site (https://adrms-srv.cpandl.com) that is not in your Local,
Intranet, or Trusted zones. This could pose a security risk. Do you want to send the information anyway?"
5. Click Yes.
The following message appears: "Verifying your credentials for opening content with restricted permissions…".
6. When the document opens, click the Microsoft Office Button. Notice that the Print option is not available.
7. Click View Permission in the message bar. You can see that srailson@cpandl.com (Stuart Railson) has been restricted so that he can only read the document.
8. Click OK to close the My Permissions dialog box, and then close Microsoft Word.
You have successfully deployed and demonstrated the functionality of AD RMS in an extranet, using the simple scenario of applying restricted permissions to a Microsoft
Word 2007 document. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.

Deploying Active Directory Rights Management Services with Active Directory Federation Services

Applies To: Windows 7, Windows 8, Windows 8.1, Windows Server 2012 R2

Use this step-by-step guide to help you deploy Active Directory Rights Management Services (AD RMS) with Active Directory Federation Services (AD FS) in a test
environment, as a proof of concept. The instructions cover how to install and configure AD RMS to use AD FS to establish a federated trust that can be used over the Internet
with another organization that has not deployed AD RMS. This solution lets this other organization consume content that your organization has protected by using AD RMS.
When you’ve completed the instructions in this guide, the final step includes a simple verification that somebody from the other organization can read but cannot print a
document that you’ve protected. However, you can then go on to explore some of the additional capabilities of AD RMS by doing your own testing and additional
configuration, and if required, plan a deployment on your production network.

Tip

If you are unfamiliar with AD RMS or AD FS:

• For more information about AD RMS, see Active Directory Rights Management Services Overview.

• For background information about AD FS, and to help explain some of the terms used in this guide, see Understanding Key AD FS Concepts.

• For more information about AD FS deployment, see Deploying a Federation Server Farm.
For technical support, use the TechNet forum for AD RMS: Active Directory Rights Management Services (On Premises)

Overview of this deployment:

The computers form two private intranets to represent two independent forests. In a production environment, these would be connected by using the Internet with a more
complex network topology, but for the purposes of this test network, the two forests are connected by using a common hub or Layer 2 switch. This configuration makes it
easier to deploy in a virtual server environment.
In addition, in a production environment, as a security best practice, these computers would be behind a firewall and the two AD FS servers would communicate by using
Web Application Proxy, or a similar proxy technology. Communication between the two organizations uses HTTPS (typically, using TCP port 443). In our example, HTTP is also
used for certificate revocation checking to the other organization’s CA. For more information about how to deploy Web Application Proxy, see Planning to Publish
Applications Using Web Application Proxy.

Steps to complete this AD RMS with AD FS deployment


Use the following table as an overview and summary of the steps required for this deployment.
Before you start, make sure that you have seven computers (real or virtual) with access to the source files for the operating systems that are listed in the Applies to list at the
beginning of this topic. The instructions are specific to the operating system versions listed and will not work with earlier versions. In addition, to verify the deployment (the
final step), you will need access to the source files to install Microsoft Office (Office 2013, Office 2010, or Office 2007).
Deployment steps and their summaries:

Step 1: Preparing the resource partner organization (Contoso)
    Creates the Contoso.com domain, with three servers and one Windows client computer. One server is the domain controller with DNS and an enterprise CA, another server is for SQL Server and AD RMS, and the third server is for AD FS.
    Additionally: DNS is configured, the AD FS URL and RMS service URL are added to the Intranet zone for clients, and user accounts are created that will be used for this deployment.

Step 2: Preparing the account partner organization (Trey Research)
    Creates the Trey.net domain, with two servers and one Windows client computer. One server is the domain controller with DNS and an enterprise CA, and the second server is for AD FS.
    Additionally: DNS is configured, the AD FS URL is added to the local intranet zone for clients, and user accounts are created that will be used for this deployment.

Step 3: Deploying the PKI certificates
    Deploys three PKI server certificates to support this test deployment and creates a PKI trust between the two internal enterprise CAs so that a server certificate that is issued by one organization is trusted by the other organization. If you purchase these certificates from a public CA, you can skip this step.

Step 4: Installing and configuring AD RMS in the resource partner organization (Contoso)
    Configures the member server for Contoso to run AD RMS with IIS and SQL Server. AD RMS is configured to support Identity Federation. Additional configuration is required for AD RMS.

Step 5: Installing and configuring AD FS for both organizations
    Installs and configures AD FS in both organizations. Because we’re using self-signed certificates rather than PKI certificates to sign the tokens, the token signing certificates are exported and imported to the computers that need to trust these certificates.
    AD FS configuration:
    • Two relying party trusts are created in the resource organization (one for RMS certification and the other for RMS licensing) for the Active Directory store with two claim rules for LDAP attributes and email addresses.
    • A claims provider trust is created in the resource organization with one claim rule for email.
    • A relying party trust is created in the account organization (for RMS certification) for the Active Directory store with one claim rule for LDAP attributes.

Step 6: Preparing the Trey Research client for AD RMS: Configuring the Federation Home Realm
    Configures the client in the Trey Research organization so that Office uses the federation home realm for AD FS.

Step 7: Verifying the AD RMS and AD FS deployment
    Tests AD RMS and AD FS by protecting a Word document in the Contoso organization such that a user in the Trey Research organization can open the document but as read-only.

Step 1: Preparing the resource partner organization (Contoso)


Summary of computer configuration:

Host name       IP address           Roles in the resource forest
ContosoDC       192.168.111.1/24     Active Directory Domain Services with DNS; Active Directory Certificate Services
ContosoRMS      192.168.111.2/24     Member server onto which we’ll later install AD RMS
ContosoFS       192.168.111.3/24     Active Directory Federation Services
ContosoClient   192.168.111.10/24    Client to protect content


Use the following steps to prepare the resource forest and domain for AD RMS and AD FS.

Install and configure the domain (Contoso.com)


1. Install a full version of Windows Server that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 32 GB of available hard
disk space.
Configure this computer as follows:

o Computer name: ContosoDC

o IP address of 192.168.111.1, subnet mask of 255.255.255.0, and preferred DNS server of 127.0.0.1.

2. Add the Active Directory Domain Services role and make the computer a domain controller with default settings except for the following configuration:
o New forest with root domain name of contoso.com
3. Configure DNS for the following:
o Resolve names for Trey Research (trey.net): Forwarder of 192.168.111.100

o For AD RMS: New host (A) record with name of rmsservice and IP address of 192.168.111.2 (associated PTR record is optional)

o For AD FS: New host (A) record with name of ContosoADFS and IP address of 192.168.111.3 (associated PTR record is optional)

4. Add the Active Directory Certificate Services role with the following configuration:
o Certification Authority as an Enterprise CA, root CA named ContosoRootCA. Accept all installation defaults except for the following:

a. Add the Certification Authority Web Enrollment role service. This provides a quick and convenient method to publish the certificate revocation list
(CRL) over HTTP so that it’s accessible to computers in the Trey Research organization.

b. After the install, configure the CA properties, Extensions tab: Make sure that CRL Distribution Point (CDP) is selected, select the http:// entry in the
list box, and then select both Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates.
These two options are required so that computers in the Trey Research organization can locate this CRL for the issuing CA in the Contoso
organization. Restart Active Directory Certificate Services when prompted.

Note

In a production environment, do not use this configuration, which increases the attack surface. Instead, install the CA on a separate server from the
domain controller, and publish the CRL on a separate web server. The configuration that we use here reduces the number of computers required and the
number of configuration steps required to support this test network. If you purchase PKI server certificates, you do not even need to install the
certification authority role.

5. For all clients, add the URL for the local federation server and the RMS service to the local intranet zone, by configuring the following Group Policy for all client
computers (for example, in our test environment, you can edit the Default Domain Policy, or create a new Group Policy object that’s linked to the domain):
o Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security
Page > Site to Zone Assignment List:

• Enable and add ContosoADFS.contoso.com with the value of 1.

• Enable and add RMSService.contoso.com with the value of 1.

This setting enables Windows integrated authentication, so that users are not prompted for their credentials.
Add the following user accounts to the contoso.com domain, with the additional following configuration choices:
Clear the User must change password at next logon check box.

Select Password never expires.

Account name      User logon name   Email address           Make member of domain group
AdrmsSvc          AdrmsSvc          Not needed              Default
AdfsAdmin         AdfsAdmin         Not needed              Default
AdrmsAdmin        AdrmsAdmin        Not needed              Enterprise Admins¹
Nicole Holliday   nhollida          nhollida@contoso.com    Default


¹After you have installed SQL Server and AD RMS, you can remove this account from the Enterprise Admins group as a security best practice so that the account
does not have more privileges than it needs. The only time you would need to add the account back to the Enterprise Admins group for AD RMS is if you have to
make a change to the Service Connection Point, which is not required for this scenario.

Install a server for AD RMS (ContosoRMS)


1. Install a full version of Windows Server that is listed in the Applies to list at the beginning of this topic. We recommend 4 GB of RAM, and 32 GB of available hard
disk space.
Configure this computer as follows:

o Computer name: ContosoRMS

o IP address of 192.168.111.2, subnet mask of 255.255.255.0, and preferred DNS server of 192.168.111.1.

2. Join the computer to the Contoso.com domain, and then add the CONTOSO\AdrmsAdmin account to the local Administrators group.
We’ll configure this server for AD RMS later.

Install and configure a server for AD FS (ContosoFS)


1. Install a full version of Windows Server that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 32 GB of available hard
disk space.
Configure this computer as follows:
o Computer name: ContosoFS

o IP address of 192.168.111.3, subnet mask of 255.255.255.0 and preferred DNS server of 192.168.111.1.

2. Join this computer to the contoso.com domain.


We’ll configure this server for AD FS later.

Install and configure a client computer for AD RMS (ContosoClient)


1. Install a client operating system that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 20 GB of available hard disk
space.
Configure this computer as follows:

o Computer name: ContosoClient

o Local account, user name: LocalAdmin

o IP address of 192.168.111.10, subnet mask of 255.255.255.0, and preferred DNS server of 192.168.111.1.

2. Join this computer to the contoso.com domain.


3. Sign in on the computer as ContosoClient\LocalAdmin, and install Microsoft Office, so that this computer can later use Word to test the deployment. Make sure that
you install the latest service pack available for the version of Office that you install.
Although you can use Office 2013, Office 2010, or Office 2007, the verification steps use Office 2013.

Step 2: Preparing the account partner organization (Trey Research)


Summary of computer configuration:

Host name    IP address             Roles in the account forest
TreyDC       192.168.111.100/24     Active Directory Domain Services with DNS; Active Directory Certificate Services
TreyFS       192.168.111.101/24     Active Directory Federation Services
TreyClient   192.168.111.110/24     Client to consume protected content


Install and configure the domain (Trey.net)
1. Install a full version of Windows Server that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 32 GB of available hard
disk space.
Configure this computer as follows:

o Computer name: TreyDC

o IP address of 192.168.111.100, subnet mask of 255.255.255.0, and preferred DNS server of 127.0.0.1.

2. Add the Active Directory Domain Services role and make the computer a domain controller with default settings except for the following configuration:
o New forest with root domain name of trey.net

3. Configure DNS for the following:


o Resolve names for Contoso (Contoso.com): Forwarder of 192.168.111.1

o For AD FS: New host (A) record with name of TreyADFS and IP address of 192.168.111.101 (associated PTR record is optional)

4. Add the Active Directory Certificate Services role with the following configuration:
o Certification Authority as an Enterprise CA, root CA named TreyRootCA. Accept all installation defaults except for the following:

a. Add the Certification Authority Web Enrollment role service. This provides a quick and convenient method to publish the certificate revocation list
(CRL) over HTTP so that it’s accessible to computers in the Contoso organization.

b. After the install, configure the CA properties, Extensions tab: Make sure that CRL Distribution Point (CDP) is selected, select the http:// entry in the
list box, and then select both Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates.
These two options are required so that computers in the Contoso organization can locate the CRL for this issuing CA in the Trey Research
organization.

Note

In a production environment, do not use this configuration, which increases the attack surface. Instead, install the CA on a separate server from the
domain controller, and publish the CRL on a separate web server. The configuration that we use here reduces the number of computers required and the
number of configuration steps required to support this test network. If you purchase PKI server certificates, you do not even need to install the
certification authority role.

5. For all clients, add the URL for the local federation server to the local intranet zone, by configuring the following Group Policy for all client computers (for example, in
our test environment, you can edit the Default Domain Policy, or create a new Group Policy object that’s linked to the domain):
o Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security
Page > Site to Zone Assignment List:

• Enable and add TreyADFS.trey.net with the value of 1.

This setting enables Windows integrated authentication, so that users are not prompted for their credentials.
Add the following user accounts to the trey.net domain, with the additional following configuration choices:
Clear the User must change password at next logon check box.

Select Password never expires.

Account name     User logon name   Email address       Make member of domain group
AdfsAdmin        AdfsAdmin         Not needed          Default
Terence Philip   tphilip           tphilip@trey.net    Default
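The DNS records, partner-name forwarding and user accounts that Step 1 (Contoso) and Step 2 (Trey Research) above ask you to create, as one script per domain controller. This is an added example, not a script from the guide; it assumes Windows Server 2012 R2 with the DnsServer and ActiveDirectory modules, and the function names and the $organizations table are this example's own.

```powershell
# Added example, not part of the guide: scripted DNS and user-account preparation for one
# organization. Run on ContosoDC with 'Contoso' or on TreyDC with 'TreyResearch'.
Import-Module DnsServer
Import-Module ActiveDirectory

function Add-PartnerDnsConfiguration {
    param(
        [Parameter(Mandatory)][string]$ZoneName,          # this forest's zone, e.g. contoso.com
        [Parameter(Mandatory)][hashtable]$HostRecords,    # host name -> IPv4 address
        [Parameter(Mandatory)][string]$PartnerZone,       # the other forest's zone
        [Parameter(Mandatory)][string]$PartnerDnsServer   # the guide's "forwarder" address
    )
    foreach ($name in $HostRecords.Keys) {
        $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType A -ErrorAction SilentlyContinue
        if (-not $existing) {
            # PTR records are optional in the guide, so only the A record is created
            Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $HostRecords[$name]
        }
    }
    # Names in the partner forest are resolved by forwarding them to the partner's DNS server
    if (-not (Get-DnsServerZone -Name $PartnerZone -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $PartnerZone -MasterServers $PartnerDnsServer
    }
}

function Add-DeploymentUserAccounts {
    param(
        [Parameter(Mandatory)][string]$Domain,          # DNS name of this domain
        [Parameter(Mandatory)][object[]]$Accounts,      # Name, LogonName, Email, Group per account
        [Parameter(Mandatory)][securestring]$Password   # password for these test accounts
    )
    foreach ($account in $Accounts) {
        $params = @{
            Name                  = $account.Name
            SamAccountName        = $account.LogonName
            UserPrincipalName     = "$($account.LogonName)@$Domain"
            AccountPassword       = $Password
            Enabled               = $true
            ChangePasswordAtLogon = $false   # guide: clear "User must change password at next logon"
            PasswordNeverExpires  = $true    # guide: select "Password never expires"
        }
        if ($account.Email) { $params.EmailAddress = $account.Email }
        New-ADUser @params
        # Only AdrmsAdmin gets an extra group in the guide; remove it again once AD RMS is installed
        if ($account.Group) { Add-ADGroupMember -Identity $account.Group -Members $account.LogonName }
    }
}

# Per-organization values taken from the tables in Steps 1 and 2
$organizations = @{
    Contoso = @{
        Zone = 'contoso.com'; PartnerZone = 'trey.net'; PartnerDns = '192.168.111.100'
        Hosts = @{ rmsservice = '192.168.111.2'; ContosoADFS = '192.168.111.3' }
        Accounts = @(
            @{ Name = 'AdrmsSvc';        LogonName = 'AdrmsSvc';   Email = $null;                  Group = $null },
            @{ Name = 'AdfsAdmin';       LogonName = 'AdfsAdmin';  Email = $null;                  Group = $null },
            @{ Name = 'AdrmsAdmin';      LogonName = 'AdrmsAdmin'; Email = $null;                  Group = 'Enterprise Admins' },
            @{ Name = 'Nicole Holliday'; LogonName = 'nhollida';   Email = 'nhollida@contoso.com'; Group = $null }
        )
    }
    TreyResearch = @{
        Zone = 'trey.net'; PartnerZone = 'contoso.com'; PartnerDns = '192.168.111.1'
        Hosts = @{ TreyADFS = '192.168.111.101' }
        Accounts = @(
            @{ Name = 'AdfsAdmin';      LogonName = 'AdfsAdmin'; Email = $null;              Group = $null },
            @{ Name = 'Terence Philip'; LogonName = 'tphilip';   Email = 'tphilip@trey.net'; Group = $null }
        )
    }
}

$org = $organizations['Contoso']   # change to 'TreyResearch' on TreyDC
$password = Read-Host -AsSecureString -Prompt 'Password for the test accounts'
Add-PartnerDnsConfiguration -ZoneName $org.Zone -HostRecords $org.Hosts -PartnerZone $org.PartnerZone -PartnerDnsServer $org.PartnerDns
Add-DeploymentUserAccounts -Domain $org.Zone -Accounts $org.Accounts -Password $password
```

The Site to Zone Assignment List policy in item 5 of each step is still applied through Group Policy as described; it is not part of this script.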

Install and configure a server for AD FS (TreyFS)


1. Install a full version of Windows Server that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 32 GB of available hard
disk space.
Configure this computer as follows:

o Computer name: TreyFS

o IP address of 192.168.111.101, subnet mask of 255.255.255.0 and preferred DNS server of 192.168.111.100.

2. Join this computer to the trey.net domain.


We’ll configure this server for AD FS later.
Install and configure a client computer for AD RMS (TreyClient)
1. Install a client operating system that is listed in the Applies to list at the beginning of this topic. We recommend 1 GB of RAM, and 20 GB of available hard disk
space.
o Computer name: TreyClient

o Local account, user name: LocalAdmin

o IP address of 192.168.111.110, subnet mask of 255.255.255.0, and preferred DNS server of 192.168.111.100.

2. Join this computer to the trey.net domain.


3. Sign in on the computer as TreyClient\LocalAdmin, and install Microsoft Office, so that this computer can later use Microsoft Word to test the deployment. Make
sure that you install the latest service pack available for the version of Office that you install.
Although you can use Office 2013, Office 2010, or Office 2007, the verification steps use Office 2013.

Step 3: Deploying the PKI certificates


To configure AD RMS with AD FS, you need PKI server certificates for the following servers:

• The server (or servers) running AD RMS with Identity Federation Support. In our deployment, this is the ContosoRMS.contoso.com server.

• The server running AD FS in the resource organization. In our deployment, this is the ContosoADFS.contoso.com server.

• The server running AD FS in an account organization. In our deployment, this is the TreyADFS.trey.net server.

For our deployment, this certificate has the following requirements:

• Subject name: Common name of <service name>

For our deployment, this name will be:

o For the RMS service: RMSService.contoso.com

o For the federation service in the resource organization: ContosoADFS.contoso.com

o For the federation service in the account organization: TreyADFS.trey.net

• Extended Key Usage: Server authentication (object identifier 1.3.6.1.5.5.7.3.1)

• Key length: Minimum of 1024 bits but 2048 bits is recommended

• Hash algorithm: Minimum of SHA-1

• Private key

If you purchase the certificates and specify these requirements, follow the instructions from the certification authority provider to install the certificates on the servers. This is
the most likely scenario for a production environment. To use purchased certificates in our testing environment, the computers must have access to the Internet so that they
can access the certificate revocation list (CRL) for the issuing CA. If these conditions are met, go to the next step, Step 4: Installing and configuring AD RMS in the resource
partner organization (Contoso).
However, you can also deploy these certificates yourself by using Active Directory Certificate Services, which is why this step-by-step deployment includes installing this
server role in each organization. If you want to test AD RMS with AD FS and do not want to purchase the PKI certificates, use the following procedures in this step.
The first procedure is to republish the certificate revocation list (CRL) for the issuing CAs to make sure that computers in the other organization can access it by using HTTP.
The next procedure is to copy and modify the Web Server certificate template on the CA for Contoso, and the CA for Trey Research. Then, the certificate template for
Contoso is used to request a certificate for ContosoRMS and a certificate for ContosoFS. You must request these certificates separately because each needs a specific value in
the certificate subject that you supply when you request the certificate. Finally, the certificate template for Trey Research is used to request a certificate for TreyFS, also with a
specific value in the certificate subject.

Republish the certificate revocation list (CRL)


1. Sign in on ContosoDC as CONTOSO\Administrator, and start the Certification Authority console.
2. In the console, right-click Revoked Certificates, click All Tasks, and then click Publish.
3. In the Publish CRL dialog box, keep the default option of New CRL, and then click OK.
4. Do not close Certification Authority console.
Repeat this procedure to republish the CRL on TreyDC.
The CRL is now available over HTTP for computers outside the forest.

Modify the Web Server certificate template


1. Back on ContosoDC, in the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
2. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.
3. In the Properties of New Template dialog box, on the General tab, enter a template display name to generate the web certificates that will be used for this AD
RMS and AD FS deployment, such as AD RMS and AD FS Web Server Certificate.
4. Click the Subject Name tab, and confirm that Supply in the request is selected. This is required so that we can supply the service name when we request the
certificate.
5. Click the Security tab, click Add.
6. Click Object Types and in the Object Types dialog box, select Computers, and click OK.
7. Enter or select the computer name of ContosoRMS, and then select Enroll in the Allow column for this account, and do not clear the Read permission.
8. Repeat the preceding step for the computer name of ContosoFS.
9. Click OK, and close the Certificate Templates Console.
10. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
11. In the Enable Certificate Templates dialog box, select the new template that you have just created, and then click OK.
12. Close the Certification Authority console.
Repeat this procedure to create a new certificate template on TreyDC, granting Enroll permission to the TreyFS computer.
The CA is now ready to accept certificate requests from the servers.

Request and install the server certificate

1. Sign in on ContosoRMS with CONTOSO\Administrator.
2. Load the Certificates snap-in for the Computer account, Local computer.
3. Expand Certificates (Local Computer), and then click Personal.
4. Right-click Certificates, click All Tasks, and then click Request New Certificate.
5. On the Before You Begin page, click Next.
6. On the Select Certificate Enrollment Policy page, click Next.
7. On the Request Certificates page, identify the certificate template that you created by using the list of displayed certificates, and then click More information is
required to enroll for this certificate. Click here to configure settings.
8. In the Certificate Properties dialog box, in the Subject tab, for the Subject name section:
a. Change the Type: from Full DN to Common name.

b. In the Value box, type: RMSService.contoso.com

c. Click Add.

9. Click OK to close the Certificate Properties dialog box.


10. Back in the Request Certificates page, select the certificate template that you created (for example, AD RMS and AD FS Web Server Certificate), and then
click Enroll.
11. Wait for the certificate request to complete, and then click Finish.
Sign in on ContosoFS and repeat this procedure, specifying the common name of ContosoADFS.contoso.com for the subject value.
Then sign in on TreyFS and repeat this procedure, specifying the common name of TreyADFS.trey.net for the subject value.
Now that the server certificates are installed, you need to establish a PKI trust between the two organizations. You do this by exporting the root CA from one organization
and adding it to the trusted root CA store for the other organization.

Establish a PKI trust


1. In the Contoso.com domain, sign in on the domain controller (ContosoDC) as CONTOSO\Administrator, and export the CA root certificate by doing the following:
a. Load the Certificates MMC snap-in for the Computer account.

b. Locate and export the CA root certificate to a .cer file format that you save to a USB thumb drive. Do not select the option to export the private key.

Tip

You can identify the correct certificate by checking the certificate properties: On the General tab, it lists All issuance policies and All application
policies.

2. Repeat step 1 for the Trey Research domain.


3. In the Contoso.com domain, sign in on the domain controller (ContosoDC) as CONTOSO\Administrator and configure the following Group Policy for the domain (for
example, edit the Default Domain Policy):
o Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies: Trusted Root Certification Authorities

 Import the exported root CA certificate for the Trey Research forest.

In the Trey.net domain, sign in on the domain controller (TreyDC) as TREY\Administrator and configure the following Group Policy for the domain (for example, edit
the Default Domain Policy):
o Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies: Trusted Root Certification Authorities

 Import the exported root CA certificate for the Contoso forest.

Optional verification (repeated later)


 Sign in on ContosoDC as CONTOSO\Administrator and confirm the status of the certificate revocation list (CRL) by using Enterprise PKI (PKIView):
1. From search or Run, type Pkiview.msc.

2. In the console, click ContosoRootCA.

3. In the results pane, confirm that there is a location that starts with http:// and that its status is OK.

This is the CRL that computers in the other organization will use for certificates that this CA issues, because they cannot use the default CRL that uses an
LDAP location.

4. Sign in on TreyDC as TREY\Administrator and repeat steps 1 through 3.

To extend the CRL verification to make sure that the CRL is accessible from the other organization:

5. Copy the HTTP URL from PKIView and paste it into a browser on a computer in the other organization. You should see a file download dialog box, asking
you whether you want to open or save the file.

6. Click Open, to see the Certificate Revocation List with a General tab and Revocation List tab. On the General tab, the value for Issuer should be the CA
server from the other organization.

To extend the CRL verification to confirm the certificate chain and certificate revocation status from the CRL, run the certutil -v -urlfetch -verify
[certificate_file] command from the TreyClient computer:
o Example: certutil -v -urlfetch -verify E:\ContosoRMS.cer

o The [certificate_file] is the server certificate that you deployed on the AD RMS server (ContosoRMS), exported to a .cer file and saved to a USB thumb drive
that you then copy to TreyClient.

o Examine the output. Expect to see errors for the LDAP URL, because TreyClient cannot use LDAP to communicate with the CA in Contoso, but you
should see successful verification for the HTTP URL. The end of the command output should display Leaf certificate revocation check passed.

Repeat this test by exporting the certificate from TreyFS and running the same command on the ContosoClient computer.
Now that the certificates are installed, you’re ready to install and configure AD RMS.
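As an added example (not part of the original guide), the following PowerShell function checks a server certificate against the requirements listed at the start of this step and then builds its chain with online revocation checking, the same test that certutil -v -urlfetch -verify performs from the partner forest. The file path E:\ContosoRMS.cer and the expected common name RMSService.contoso.com are the values used in this guide; everything else is an assumption of the example.

```powershell
# Added example, not from the original guide. Validates a server certificate
# against the Step 3 requirements (subject CN, Server Authentication EKU,
# key length, hash algorithm, private key) and checks the chain with online
# CRL retrieval, which exercises the HTTP CRL location that was republished.
# Assumptions: the certificate is either an exported .cer file or an entry in
# the local computer's Personal store; the expected CN is passed by the caller.

function Test-AdRmsServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)][string]$ExpectedCommonName,
        [int]$MinimumKeyLength = 2048        # 1024 is the minimum, 2048 is recommended
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Extended Key Usage: Server authentication

    # Subject common name. A case-sensitive comparison (-ceq) is used because the
    # guide recommends keeping the casing of the name exactly as in the certificate.
    $cn = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # The EKU extension must list Server Authentication.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }

    # Key length and signature hash. SHA-1 satisfies the stated minimum but is
    # flagged separately so that a reviewer sees it.
    $keyLength = $Certificate.PublicKey.Key.KeySize
    $sigAlg    = $Certificate.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha1RSA

    # Build the chain with online revocation checking for every certificate in it.
    # From the partner forest only the HTTP CRL distribution point is reachable,
    # so this fails if the republished CRL is not being served over HTTP.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30
    $chainOk = $chain.Build($Certificate)
    $chainErrors = @($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())" })

    [pscustomobject]@{
        Subject            = $Certificate.Subject
        Issuer             = $Certificate.Issuer
        NotAfter           = $Certificate.NotAfter
        CommonNameMatches  = ($cn -ceq $ExpectedCommonName)
        ServerAuthEku      = $hasServerAuth
        KeyLength          = $keyLength
        KeyLengthOk        = ($keyLength -ge $MinimumKeyLength)
        SignatureAlgorithm = $sigAlg
        HashOk             = ($sigAlg -match '^sha(1|256|384|512)')
        Sha1Warning        = ($sigAlg -match '^sha1')
        HasPrivateKey      = $Certificate.HasPrivateKey   # always False for an exported .cer
        ChainBuilt         = $chainOk
        ChainErrors        = $chainErrors
    }
}

# Use 1: on TreyClient, against the exported Contoso certificate copied to a thumb drive.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'E:\ContosoRMS.cer'
Test-AdRmsServerCertificate -Certificate $exported -ExpectedCommonName 'RMSService.contoso.com' | Format-List

# Use 2: on ContosoRMS itself, against the enrolled certificate in the Personal store,
# which also confirms that the private key is present.
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=RMSService.contoso.com*' } | Select-Object -First 1
if ($installed) {
    Test-AdRmsServerCertificate -Certificate $installed -ExpectedCommonName 'RMSService.contoso.com' | Format-List
}
```

On a correctly deployed certificate every *Ok, CommonNameMatches, ServerAuthEku and ChainBuilt field is True and ChainErrors is empty; a RevocationStatusUnknown or OfflineRevocation entry means the HTTP CRL could not be fetched, which points back at the republish procedure above.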

Step 4: Installing and configuring AD RMS in the resource partner organization (Contoso)
Summary of computer configuration:

Host name      IP address          Roles in the resource forest

ContosoRMS     192.168.111.2/24    SQL Server
                                   Web Server (IIS)
                                   Active Directory Rights Management:
                                    Active Directory Rights Management Server
                                    Identity Federation Support

Note

In this section, we install SQL Server on the same server that runs AD RMS. You wouldn’t usually do this on a production network, but this configuration reduces
the number of configuration steps (and computers needed) for a testing environment.

During the SQL Server installation process, Setup downloads and installs the .NET Framework 3.5 SP1. If you do not have Internet access from this computer, you
can install it as a feature before you install SQL Server. To do this, follow the instructions from Enable .NET Framework 3.5 by using the Add Roles and Features
Wizard (Windows Server 2012 only).

Use the following procedures to first install SQL Server, then install and configure AD RMS, and then prepare for AD FS.

Install SQL Server 2012 on ContosoRMS


1. Sign in on ContosoRMS as CONTOSO\AdrmsAdmin, and run the setup program for SQL Server (Standard Edition or Enterprise Edition) with the following options:
o New SQL Server stand-alone installation

o Install the Setup support rules

o On the Setup Role page, select SQL Server Feature Installation, and then select the following features on the Feature Selection page:

a. Instance Features: Database Engine Services

b. Instance Features: Reporting Services - Native

c. Shared Features: Management Tools – Basic and Management Tools - Complete

o On the Instance Configuration page, keep all default settings (installs a default instance).

o On the Server Configuration page, accept all defaults.

o On the Database Engine Configuration page, select the following:

a. Server Configuration tab: For the Authentication Mode, keep the default of Windows authentication mode and for Specify SQL Server
administrators, click Add Current User

b. Data Directories and FILESTREAM tabs: No changes.

o On the Reporting Services Configuration page, for Reporting Services Native Mode, keep the default of Install and configure.

o On the Error Reporting page, do not select the checkbox to send error reports.

2. Complete the installation and restart the computer if prompted to do so.


3. To verify installation or to help troubleshoot any installation problems, see View and Read SQL Server Setup Log Files.
For full instructions to install SQL Server, see Install SQL Server 2012 from the Installation Wizard (Setup).

Install the AD RMS role on ContosoRMS


1. Still signed in as CONTOSO\AdrmsAdmin, use Server Manager to install the Active Directory Rights Management Services role:
o Select the following role services: Active Directory Rights Management Server and Identity Federation Support.

2. Complete the installation and restart the computer if prompted to do so.


Now that AD RMS is installed, you must configure it.

Configure a new AD RMS root cluster on ContosoRMS


1. In Server Manager, click the Notifications icon and then, for the task event Configuration required for Active Directory Rights Management Services at
ContosoRMS, click Perform additional configuration.
2. In the AD RMS Configuration wizard, specify the following options:
o On the Create or Join an AD RMS Cluster page: Select Create a new AD RMS root cluster.

o On the Configuration Database page: Select Specify a database server and a database instance and then select ContosoRMS for the server,
and DefaultInstance for the Database Instance.

o On the Service Account page: Specify Contoso\AdrmsSvc.

o On the Cryptographic Mode page: Select Cryptographic Mode 2.

o On the Cluster Key Storage page: Select Use AD RMS centrally managed key storage.

o On the Cluster Key Password page: Specify a strong password.

o On the Cluster Web Site page: Select Default Web Site.

o On the Cluster Address page: Select Use an SSL-encrypted connection and type RMSService.contoso.com.

o On the Server Certificate page: Select Choose an existing certificate for SSL encryption, and browse to select the PKI certificate that you installed
previously.

o On the Licensor Certificate page: Accept the default of ContosoRMS.

o On the SCP Registration page: Accept the default of Register the SCP now.

o On the Identify Identity Federation Support page: Type ContosoADFS.contoso.com.

Important
For this value, we recommend that you keep the casing exactly as it appears in the AD FS server certificate. For example, in our guide, this
is ContosoADFS.contoso.com and not contosoadfs.contoso.com.

o Sign off and then sign in again, which updates the security token of the signed-in user account. This is required because the user account that is signed in is
automatically made a member of the AD RMS Enterprise Administrators local group. Membership in this group grants permissions to administer AD RMS.

o Remove CONTOSO\AdrmsAdmin from the Enterprise Admins global group for the forest.

3. Optional verification (repeated later): To confirm that the URLs belonging to the RMS service are reachable inside Contoso:
a. Sign in on ContosoClient as CONTOSO\nhollida.

b. Run gpupdate /force to ensure that all Group Policy settings have been applied.

c. Specify the following URL in Internet Explorer:

 https://RMSservice.contoso.com/_wmcs/licensing/license.asmx

This displays a web page that has the title License and introduction text of The following operations are supported.

4. A successful connection verifies that ContosoClient can communicate with the RMS service.
AD RMS is now installed and configured as an AD RMS root cluster. You must now configure the local security policy so that the AD RMS service account can generate
security audit events for AD FS.

Grant security audit privileges to the AD RMS service account


1. Sign in to ContosoRMS with the CONTOSO\Administrator account.
2. Edit the Local Security Policy > Local Policies > User Rights Assignment > Generate security audits:
o Add CONTOSO\AdrmsSvc

Configure AD RMS: Add the AD RMS extranet cluster URLs


1. Still signed in on ContosoRMS with the CONTOSO\Administrator account, open the Active Directory Rights Management Services console.
If you see a security alert warning about the name of the certificate, click Yes to acknowledge the name mismatch between the server name and the name in the
certificate subject and proceed. This name mismatch doesn't affect the operation of AD RMS with AD FS.
2. Right-click the ContosoRMS computer name, and then click Properties.
3. Click the Cluster URLs tab, select the Extranet URLs check box, specify the following, and then click OK:
o Licensing: https:// and type RMSService.contoso.com
o Certification: https:// and type RMSService.contoso.com

Configure AD RMS: Enable Identity Federation Support


1. Still in the Active Directory Rights Management Services console, expand the AD RMS cluster, expand Trust Policies, and then click Federated Identity Support.
2. In the Actions pane, click Enable Federated Identity Support.
3. In the Actions pane, click Properties.
4. On the Active Directory Federation Service Policies tab, for the Federated Identity Certificate validity period, type 7, and then click OK. This is the number of
days that federated rights account certificates are valid.
AD RMS is now configured and ready for AD FS.

Step 5: Installing and configuring AD FS for both organizations


This step installs and configures AD FS, first for the resource organization (Contoso), and then for the account organization (Trey Research).

Install the AD FS role on ContosoFS


1. Sign in on ContosoFS as CONTOSO\Administrator, and use Server Manager to install the Active Directory Federation Services role:
o You do not have to add any specific features for this deployment. Instead, keep the default selections.

2. Complete the installation.

Note

For servers that are not connected to the Internet or are behind a proxy server: If the AD FS service fails to start with Application log errors 352, 102,
or 220 after the computer is restarted, check that the following registry value exists and if not, manually add it:

 HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

 Type: REG_DWORD

 Value name: State

 Value data: 0x23c00

Configure the Federation Service role on ContosoFS


1. In Server Manager, click the Notifications icon and then click Configure the federation service on the server.
2. In the Active Directory Federation Service Configuration Wizard, specify the following options:
o On the Welcome page: Select Create the first federation server in a federation server farm.

o On the Connect to AD DS page: Keep the default account.

o On the Specify Service Properties page:

 Use the drop-down box to select the previously installed certificate.

 Federation Service Name: ContosoADFS.contoso.com

 Federation Service Display Name: Contoso Corporation

o On the Specify Service Account page: Select Use an existing domain user account or group Managed Service Account and
specify CONTOSO\AdfsAdmin.

For our testing environment, we’re using a domain user account for a simplified deployment. In a production environment, it’s recommended to use a group
Managed Service Account so that you can benefit from capabilities such as automatic password management and a single identity if you have more than
one AD FS server. For more information about group Managed Service Accounts, see Group Managed Service Accounts Overview.

o On the Specify Database page: You can either create a database on this computer by using Windows Internal Database (WID), or you can specify the
location and the instance name of Microsoft SQL Server. For this testing scenario, you can select Create a database on this server using Windows Internal
Database.

Note

If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and later versions, including
SQL Server 2012.

For more information about whether to use Windows Internal Database or SQL Server, see the “Determining which type of AD FS configuration
database to use” section in the Plan Your AD FS Deployment Topology topic from the AD FS Design Guide in Windows Server 2012 R2.

That completes the AD FS installation for Contoso.


Optional verification (repeated later):

1. Sign in on TreyFS as TREY\Administrator and run Internet Explorer.


2. Connect to the following URL: https://ContosoADFS.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml

There should be no certificate warnings and a long text should be displayed in the browser window.

Install the AD FS role on TreyFS


1. Still signed in as TREY\Administrator, use Server Manager to install the Active Directory Federation Services role:
o You do not have to add any specific features for this deployment. Instead, keep the default selections.

2. Complete the installation.

Note

For servers that are not connected to the Internet or are behind a proxy server: If the AD FS service fails to start with Application log errors 352, 102,
or 220 after the computer is restarted, check that the following registry value exists and if not, manually add it:

 HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

 Type: REG_DWORD

 Value name: State

 Value data: 0x23c00

Configure the Federation Service role on TreyFS


1. In Server Manager, click the Notifications icon and then click Configure the federation service on the server.
2. In the Active Directory Federation Service Configuration Wizard, specify the following options:
o On the Welcome page: Select Create the first federation server in a federation server farm.

o On the Connect to AD DS page: Keep the default account.

o On the Specify Service Properties page:

 Use the drop-down box to select the previously installed certificate.

 Federation Service Name: TreyADFS.trey.net


 Federation Service Display Name: Trey Research

o On the Specify Service Account page: Select Use an existing domain user account or group Managed Service Account and
specify TREY\AdfsAdmin.

o On the Specify Database page: You can either create a database on this computer by using Windows Internal Database (WID), or you can specify
the location and the instance name of Microsoft SQL Server. For this testing scenario, you can select Create a database on this server using
Windows Internal Database.

Note

If you want to create an AD FS farm and use SQL Server to store your configuration data, you can use SQL Server 2008 and later versions,
including SQL Server 2012.

For more information about whether to use Windows Internal Database or SQL Server, see the “Determining which type of AD FS
configuration database to use” section in the Plan Your AD FS Deployment Topology topic from the AD FS Design Guide in Windows Server
2012 R2.

That completes the AD FS installation for Trey Research. The two organizations are now ready to exchange certificates for signing and encryption. The procedures in the next
section are necessary when you use self-signed certificates for token signing, instead of using PKI certificates from a well-known external certification authority.
Optional verification (repeated later):

1. Sign in on ContosoFS as CONTOSO\Administrator and run Internet Explorer.

2. Connect to the following URL: https://TreyADFS.trey.net/FederationMetadata/2007-06/FederationMetadata.xml

There should be no certificate warnings and a long text should be displayed in the browser window.

Export and import the token signing certificates from each federation server
1. Still signed in on TreyFS as TREY\Administrator, open the Active Directory Federation Services console.
2. Navigate to AD FS > Service > Certificates.
3. In the results pane, double-click the Token Signing certificate.
4. On the Details tab, click Copy to File and use the wizard to copy the certificate without exporting the private key, to a DER encoded binary X.509 (.CER) file.
5. Save or move the file to a thumb drive. Make sure you choose a file name to help identify which organization the token signing certificate is from.
6. Sign in on ContosoFS as CONTOSO\Administrator and open the Active Directory Federation Services console. Then, repeat steps 2 through 5, so that you have a
second file on the thumb drive.
7. Still signed in on ContosoFS as CONTOSO\Administrator, load the Certificates MMC snap-in for the Computer account.
8. Navigate to Trusted Root Certification Authorities > Certificates, and then right click to choose All Tasks > Import, and use the wizard to import the copied
token signing certificate file from TreyFS.
9. Sign in on TreyFS as TREY\Administrator, load the Certificates MMC snap-in for the Computer account.
10. Navigate to Trusted Root Certification Authorities > Certificates, and then right click to choose All Tasks > Import, and use the wizard to import the copied
token signing certificate file from ContosoFS.
11. Finally, sign in on ContosoRMS as CONTOSO\Administrator, load the Certificates MMC snap-in for the Computer account.
12. Navigate to Trusted Root Certification Authorities > Certificates, and then right click to choose All Tasks > Import, and use the wizard to import the copied
token signing certificate file from ContosoFS.

Create 2 relying party trusts on ContosoFS


1. Sign in on ContosoFS as CONTOSO\Administrator, and load the AD FS Management console.
2. Expand Trust Relationships, and click Relying Party Trusts.
3. From the Actions pane, click Add Relying Party Trust to start the Add Relying Party Trust Wizard.
4. On the Select Data Source page, select Enter data about the relying party manually.
5. On the Specify Display Name page, type a name, such as AD RMS Certification.
6. On the Choose Profile page, select AD FS profile. This option is appropriate because it is supported by the version of AD RMS we’re using, and offers the latest
features.
If the server running AD RMS was running an operating system version earlier than Windows Server 2012 R2, then you would choose AD FS 1.0 and 1.1 profile, and
later, configure different claims. However, this configuration is outside the scope of this document.
7. On the Configure Certificate page, do not browse to a certificate for token encryption, but just click Next. This generates a self-signed certificate that is suitable
even for production networks. However, if your organization wants to use a PKI certificate, this is where you would select a previously installed PKI certificate (no
specific extended key usage required, and no specific value required in the certificate subject or subject alternate name).
8. On the Configure URL page, select Enable support for the WS-Federation Passive protocol, and type the following for the
URL: https://RMSService.contoso.com/_wmcs/certificationexternal/

Important

Make sure that you include the trailing “/”. The configuration will not work without this and the symptoms are that the verification tests pass but the
Word document will prompt for authentication, and then fail to open.

9. On the Configure Identifiers page, you should see the following identifier: https://RMSService.contoso.com/_wmcs/certificationexternal/
10. On the Configure Multi-factor Authentication Now page, select I do not want to specify multi-factor authentication setting for this relying party trust at
this time.
11. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party.
12. On the Ready to Add Trust page, click Next.
13. On the Finish page, select the option to open the Edit Claims dialog box, and click Close.
14. In the Edit Claims Rules dialog box, add 2 claim rules:
a. Claim rule 1—LDAP attributes:

 On the Issuance Transform Rules tab, click Add Rule.

 On the Select Rule Template page, select Send LDAP attributes as Claims.

 On the Configure Rule page, specify the name as LDAP claims for AD RMS. For the Attribute store, select Active Directory.

 For the Mapping of LDAP attributes to outgoing claim types section, specify the following, then click Finish:

LDAP attribute        Outgoing Claim Type

E-Mail-Addresses      E-Mail Address
b. Claim rule 2—Email:

 On the Issuance Transform Rules tab, click Add Rule.

 On the Select Rule Template page, select Pass Through or Filter an Incoming Claim.

 On the Configure Rule page, specify the name as Email claims for AD RMS.

 For the Incoming claim type field, specify E-Mail Address, select Pass through only claim values that match a specific email suffix, and then,
for the Email suffix value, specify trey.net.

Note
This filter helps to prevent somebody from the account organization (Trey.net in our example) from issuing forged claims
(impersonation) to access resources in the resource organization (Contoso.com in our example). If the account organization uses more than
one email suffix (for example, as a result of a merger), you can create additional email rules, each one specifying the email suffix that you
want to allow. For example, you create a new email claim rule that has the same configuration as this one, except that you
specify treyresearch.net or fabrikam.com for the Email suffix value. Alternatively, use the instructions from this TechNet wiki article to use
RegEx for the condition statement in the claims rule language: AD FS 2.0: Using RegEx in the Claims Rule Language

When a user from the partner organization tries to authenticate by using an email suffix that isn’t specified in these email claim rules, the
user sees the following error message: An error occurred while trying to contact the Active Directory Rights Management Services server.
Try again later or contact your administrator.

 Click Finish.

15. Click OK to close the Edit Claims Rules dialog box.


Now repeat steps 3-15 in this procedure (including the 2 claim rules) to create a second relying party trust that you name AD RMS Licensing. The only difference in the
configuration is the URL and identifier (steps 8 and 9):

 On the Configure URL page, select Enable support for the WS-Federation Passive protocol, and type the following for the
URL: https://RMSService.contoso.com/_wmcs/licensingexternal/

Again, make sure that you include the trailing “/”.

 On the Configure Identifiers page, you should see the following identifier: https://RMSService.contoso.com/_wmcs/licensingexternal/

Add a claims provider trust and claim rules to ContosoADFS


1. Still signed in on ContosoFS as CONTOSO\Administrator, and in the AD FS Management console, make sure that Trust Relationships is expanded, click Claims
Provider Trusts, and then, from the Actions pane, click Add Claims Provider Trust to start the Add Claims Provider Trust Wizard.
2. On the Select Data Source page, click Import data about the claims provider published online or on a local network and
type https://TreyADFS.trey.net/FederationMetadata/2007-06/FederationMetadata.xml.
3. On the Specify Display Name page, specify a display name such as Trey AD FS.
4. On the Ready to Add Trust page, click Next.
5. On the Finish page, select the option to open the Edit Claims dialog box, and click Close.
6. In the Edit Claim Rules dialog box, add 2 claim rules:
a. Claim rule 1—Email:
 On the Acceptance Transform Rules tab, click Add Rule.

 On the Select Rule Template page, select Pass Through or Filter an Incoming Claim.

 On the Configure Rule page, specify the name as Pass through email.

 For the Incoming claim type field, specify E-Mail Address, select Pass through only claim values that match a specific email suffix, and then,
for the Email suffix value, specify trey.net.

Note

This filter helps to prevent somebody from the account organization (Trey.net in our example) from issuing forged claims
(impersonation) to access resources in the resource organization (Contoso.com in our example). If the account organization uses more than
one email suffix (for example, as a result of a merger), you can create additional email rules, each one specifying the email suffix that you
want to allow. For example, you create a new email claim rule that has the same configuration as this one, except that you
specify treyresearch.net or fabrikam.com for the Email suffix value. Alternatively, use the instructions from this TechNet wiki article to use
RegEx for the condition statement in the claims rule language: AD FS 2.0: Using RegEx in the Claims Rule Language

When a user from the partner organization tries to authenticate by using an email suffix that isn’t specified in these email claim rules, the
user sees the following error message: An error occurred while trying to contact the Active Directory Rights Management Services server.
Try again later or contact your administrator.

 Click Finish.

Create a relying party trust on TreyFS


1. Sign in on TreyFS as TREY\Administrator, and start the AD FS Management console.
2. Expand Trust Relationships, click Relying Party Trusts, and then, from the Actions pane, click Add Relying Party Trust to start the Add Relying Party Trust Wizard.
3. On the Select Data Source page, click Import data about the relying party published online or on a local network and
type https://contosoadfs.contoso.com/federationmetadata/2007-06/federationmetadata.xml.
4. On the Specify Display Name page, type a name such as Contoso AD FS, and then click Next.
5. On the Configure Multi-factor Authentication Now page, select I do not want to specify multi-factor authentication setting for this relying party trust at
this time.
6. On the Choose Issuance Authorization Rules page, select Permit all users to access this relying party.
7. On the Ready to Add Trust page, click Next.
8. On the Finish page, select the option to open the Edit Claims dialog box, and click Close.
9. In the Edit Claims dialog box, add 1 claim rule:
o On the Issuance Transform Rules tab, click Add Rule.

o On the Select Rule Template page, select Send LDAP attributes as Claims.

o On the Configure Rule page, specify the name as Claims for AD FS. For the Attribute store, select Active Directory.

o For the Mapping of LDAP attributes to outgoing claim types section, specify the following, then click Finish, and then click OK to close the Edit Claim
Rules dialog box:

LDAP attribute        Outgoing Claim Type
E-Mail-Addresses      E-mail Address

Checkpoint verifications
1. Sign in on ContosoDC as CONTOSO\Administrator and confirm the status of the certificate revocation list (CRL) by using Enterprise PKI (PKIView):
a. From search or Run, type Pkiview.msc.

b. In the console, click ContosoRootCA.

c. In the results pane, confirm that there is a location that starts with http:// and that its status is OK.

This is the CRL that computers in the other organization will use for certificates that this CA issues, because they cannot use the default CRL that uses an
LDAP location.

d. Sign in on TreyDC as TREY\Administrator and repeat steps 1 through 3.

To extend the CRL verification to make sure that the CRL is accessible from the other organization:

e. Copy the HTTP URL from PKIView and paste it into a browser on a computer in the other organization. You should see a file download dialog box, asking
you whether you want to open or save the file.
f. Click Open, to see the Certificate Revocation List with a General tab and Revocation List tab. On the General tab, the value for Issuer should be the CA
server from the other organization.

To extend the CRL verification to confirm the certificate chain and certificate revocation status from the CRL, run the certutil -v -urlfetch -verify
[certificate_file] command from TreyClient:

o Example: certutil -v -urlfetch -verify E:\ContosoRMS.cer

o The [certificate_file] is the server certificate that you deployed on the AD RMS server (ContosoRMS), exported to a .cer file and saved to a USB thumb drive
that you then attach to the TreyClient computer.

o Examine the output. Expect to see errors for the LDAP URL, because TreyClient cannot use LDAP to communicate with the CA in Contoso, but you
should see successful verification for the HTTP URL. The end of the command output should display Leaf certificate revocation check passed.

Repeat this test by exporting the certificate from TreyFS and running the same command on the ContosoClient computer.
Using the client computer, ContosoClient, use Internet Explorer to test a connection to the Contoso federation server, ContosoADFS, by using these URLs:
o https://ContosoADFS.contoso.com/federationmetadata/2007-06/federationmetadata.xml

o https://ContosoADFS.contoso.com/adfs/ls/idpinitiatedsignon.htm

The first URL should display the federation server metadata in the browser, and the second displays an AD FS sign-in page where you can sign in with domain
credentials. A successful connection should not result in certificate errors or prompts for authentication. If you see neither, this confirms that AD FS is working
within the resource organization, Contoso.
Similarly, using the client computer, TreyClient, use Internet Explorer to test a connection to the Trey Research federation server, TreyADFS, by using these URLs:
o https://TreyADFS.trey.net/federationmetadata/2007-06/federationmetadata.xml

o https://TreyADFS.trey.net/adfs/ls/idpinitiatedsignon.htm

As before, the first URL should display the federation server metadata in the browser, and the second displays an AD FS sign-in page where you can sign in with
domain credentials. A successful connection should not result in certificate errors or prompts for authentication. If you see neither, this confirms that AD FS is
working within the account organization, Trey Research.
Using the client computer, TreyClient, use Internet Explorer to test a connection to the Contoso federation server, ContosoADFS, by using this URL:
o https://ContosoADFS.contoso.com/federationmetadata/2007-06/federationmetadata.xml

A successful connection should not result in certificate errors or prompts for authentication. If you see neither, this confirms that AD FS is working across the two
forests, from the account organization (Trey Research) to the resource organization, Contoso.
Using the client computers, ContosoClient and TreyClient, use Internet Explorer to test a connection to the RMS service, by using this URL:
o https://RMSService.contoso.com/_wmcs/licensingexternal/license.asmx

This displays a web page in the browser that has the title License and introduction text of The following operations are supported. A successful connection verifies
that both clients can communicate with the RMS service.
If you are prompted for credentials, it could indicate a problem with the Group Policy configuration to add the local federation server or the RMS service URL (for the
Contoso domain only) to the local intranet zone. Make sure that this setting is configured and that the client has downloaded the latest Group Policy settings.
If the connection is successful for ContosoClient but not for TreyClient, it could indicate a problem with the AD FS claims configuration.
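The checkpoint verifications above as one script, so they can be re-run from a client after any change to the PKI or the federation trusts. This is an added example and not part of the original guide: the host names are the lab names used in this guide, the .cer path is the one from the certutil example, the partner CRL URL is a placeholder to be replaced with the http:// location shown by PKIView, and the parsing of certutil output assumes the English output format.

```powershell
# Added example: scripted checkpoint verifications. Lab host names from this guide; the CRL
# URL is a placeholder and the certutil output parsing assumes English certutil output.

function Test-HttpsEndpoint {
    param([Parameter(Mandatory)][string]$Url, [string]$ExpectText = '')
    # No credentials are passed on purpose: a 401 here is the scripted equivalent of the
    # browser prompting for authentication, which the checkpoint says must not happen.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $bodyOk = ($ExpectText -eq '') -or ($resp.Content -match [regex]::Escape($ExpectText))
        [pscustomobject]@{ Url = $Url; Passed = ($resp.StatusCode -eq 200 -and $bodyOk); Detail = "HTTP $($resp.StatusCode)" }
    } catch {
        # Certificate chain or CRL failures surface here as a WebException, not as a 200.
        [pscustomobject]@{ Url = $Url; Passed = $false; Detail = $_.Exception.Message }
    }
}

function Test-PartnerCrl {
    param([Parameter(Mandatory)][string]$CrlUrl)
    # The HTTP CDP is the only one reachable cross-forest (the LDAP CDP is not). Download it
    # and decode it so the Issuer and validity window can be inspected, as in steps e and f.
    $tmp = Join-Path $env:TEMP 'partner.crl'
    Invoke-WebRequest -Uri $CrlUrl -UseBasicParsing -OutFile $tmp -ErrorAction Stop
    $lines = @(certutil -dump $tmp)
    $issuer = '(not found)'
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match '^Issuer:') { $issuer = $lines[$i + 1].Trim(); break }
    }
    [pscustomobject]@{
        Url        = $CrlUrl
        Issuer     = $issuer   # should name the CA of the other organization
        NextUpdate = ($lines | Where-Object { $_ -match 'NextUpdate:' } | Select-Object -First 1)
    }
}

function Test-PartnerCertificateChain {
    param([Parameter(Mandatory)][string]$CerPath)
    # certutil -urlfetch re-downloads every AIA/CDP URL in the chain. LDAP errors are expected
    # cross-forest; the HTTP CRL must be retrieved and the leaf revocation check must pass.
    $out = (certutil -v -urlfetch -verify $CerPath) -join "`n"
    [pscustomobject]@{
        File                 = $CerPath
        HttpCrlRetrieved     = $out -match '(?s)OK\s+"Base CRL[^"]*".*?\]\s+http://'
        LeafRevocationPassed = $out -match 'Leaf certificate revocation check passed'
    }
}

# --- Run the checks ---------------------------------------------------------------------
$metadata = 'federationmetadata/2007-06/federationmetadata.xml'
$checks = @(
    Test-HttpsEndpoint "https://ContosoADFS.contoso.com/$metadata" 'EntityDescriptor'
    Test-HttpsEndpoint 'https://ContosoADFS.contoso.com/adfs/ls/idpinitiatedsignon.htm'
    Test-HttpsEndpoint "https://TreyADFS.trey.net/$metadata" 'EntityDescriptor'
    Test-HttpsEndpoint 'https://TreyADFS.trey.net/adfs/ls/idpinitiatedsignon.htm'
    Test-HttpsEndpoint 'https://RMSService.contoso.com/_wmcs/licensingexternal/license.asmx' 'The following operations are supported'
)
$checks | Format-Table -AutoSize -Wrap

# Placeholder: paste the http:// CRL location that PKIView shows for the partner CA.
Test-PartnerCrl -CrlUrl 'http://<partner-crl-host>/CertEnroll/<CAName>.crl' | Format-List

# Server certificate exported from the partner AD RMS (or AD FS) server, as in the text above.
Test-PartnerCertificateChain -CerPath 'E:\ContosoRMS.cer' | Format-List
```

Run it on TreyClient with the Contoso names and on ContosoClient with the Trey Research names; a Passed value of False with a certificate-related Detail points at the PKI (CRL reachability, chain), while a 401 points at the intranet zone Group Policy setting described above.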

Step 6: Preparing the Trey Research client for AD RMS: Configuring the Federation Home Realm
You must edit the registry on the client in the Trey Research domain so that the client can find its local federation server.
In a production environment, you would do this by using Group Policy or a script. However, for our single testing client, we will edit the registry directly.

Configuring the Federation Home Realm


1. Sign in on TreyClient as TREY\Administrator.
2. Edit the registry with the Run as administrator option.
Use the following table to create and specify the following registry value (REG_SZ) for the version of Office that the client is using. Create the registry keys if needed.

Version of Microsoft Office        Operating system platform    Registry value (REG_SZ)

Office 2013, 64-bit                64-bit                       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\Federation]
                                                                "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"

Office 2013, 32-bit                64-bit                       [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\Federation]
                                                                "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"

Office 2013, 32-bit                32-bit                       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\Federation]
                                                                "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"

Office 2010 or earlier, 64-bit     64-bit                       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\Federation]
                                                                "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"

Office 2010 or earlier, 32-bit     64-bit                       [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSDRM\Federation]
                                                                "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"

Office 2010 or earlier, 32-bit     32-bit                       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\Federation]
                                                                "FederationHomeRealm"="http://TreyADFS.trey.net/adfs/services/trust"
Note

Although specifying HTTP rather than HTTPS for the federation home realm URL might look odd, it is correct. If you specify HTTPS instead, it does not
work.

For the URL, we recommend that you keep the casing exactly as it appears in the AD FS server certificate (in our guide, TreyADFS.trey.net and
not treyadfs.trey.net). Some versions of Office might fail to connect if the casing does not match.
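The table and the Note above as a script, which is the form you would use for the Group Policy or scripted deployment the text mentions for production. This is an added example, not part of the original guide: the function names are mine, the key selection logic follows the table, and the checks for http:// and for exact casing implement the two cautions in the Note.

```powershell
# Added example: set FederationHomeRealm for the installed Office flavour, per the table above.
# Run elevated on TreyClient. Function names are mine; the realm URL is the lab value.

function Get-FederationHomeRealmKey {
    param(
        [Parameter(Mandatory)][ValidateSet('2013', '2010OrEarlier')][string]$OfficeVersion,
        [Parameter(Mandatory)][ValidateSet('32', '64')][string]$OfficeBitness,
        [Parameter(Mandatory)][ValidateSet('32', '64')][string]$OsBitness
    )
    if ($OfficeBitness -eq '64' -and $OsBitness -eq '32') { throw '64-bit Office cannot run on a 32-bit OS.' }
    # Office 2013 uses the MSIPC client; Office 2010 and earlier use the MSDRM client.
    $client = if ($OfficeVersion -eq '2013') { 'MSIPC' } else { 'MSDRM' }
    # 32-bit Office on a 64-bit OS reads the registry-redirected Wow6432Node hive.
    $node = if ($OfficeBitness -eq '32' -and $OsBitness -eq '64') { 'Wow6432Node\' } else { '' }
    return "HKLM:\SOFTWARE\${node}Microsoft\$client\Federation"
}

function Set-FederationHomeRealm {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        # http://, not https://, and casing exactly as on the AD FS server certificate (see Note).
        [string]$Realm = 'http://TreyADFS.trey.net/adfs/services/trust'
    )
    if ($Realm -notmatch '^http://') { throw "Federation home realm must use http://, got: $Realm" }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # REG_SZ value, as in the table.
    Set-ItemProperty -Path $KeyPath -Name 'FederationHomeRealm' -Value $Realm -Type String
    # Read back and compare case-sensitively, since some Office versions are case-sensitive here.
    $actual = (Get-ItemProperty -Path $KeyPath -Name 'FederationHomeRealm').FederationHomeRealm
    if (-not [string]::Equals($actual, $Realm, [StringComparison]::Ordinal)) {
        throw "Read-back mismatch at $KeyPath : $actual"
    }
    "$KeyPath -> $actual"
}

# OS bitness is detected; Office bitness must be supplied (File > Account > About Word shows it).
$osBits = if ([Environment]::Is64BitOperatingSystem) { '64' } else { '32' }
$key = Get-FederationHomeRealmKey -OfficeVersion '2013' -OfficeBitness '32' -OsBitness $osBits
Set-FederationHomeRealm -KeyPath $key
```

For a client with several Office bitnesses or both MSIPC and MSDRM consumers, call Get-FederationHomeRealmKey once per row of the table and apply the same realm to each key.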

This concludes the configuration steps and you’re ready to test the AD RMS with AD FS deployment.

Step 7: Verifying the AD RMS and AD FS deployment


To verify that AD RMS with AD FS is working, you protect a Word document in the Contoso organization so that a user in Trey Research can open it, but only with read
permission. For example, he cannot save or print the document.

To protect the document in Contoso


1. Sign in on ContosoClient as CONTOSO\nhollida.
2. Start Word 2013, and in the document, type: Only Terence Philip can read this document, but cannot change, print, or copy it.
3. Click the Microsoft Office button, click the File tab, and click Info.
4. Click Protect Document, and then Restrict Access.
5. Click Restricted Access.
6. In the Permission dialog box, in the Read text box, type TPHILIP@TREY.NET, and then click OK.
7. Click the Microsoft Office button, click Save As, and save the file to a thumb drive.

To open the protected document in Trey Research


1. Sign in on TreyClient as TREY\tphilip.
2. Double-click the file from the thumb drive.
3. Word starts and you see the following message:
Permission to this document is currently restricted. Microsoft Office must connect to https://rmsservice.contoso.com/_wmcs/licensing to verify your
credentials and download your permissions.
4. Click OK, and you then see this message:
Verifying your credentials for opening content with restricted permissions.
5. The document opens and it has a yellow message bar at the top of the page that displays the permissions that are assigned to the document.
6. Click View Permission in the message bar to confirm that Terence Philip can only read the document. You can also confirm this because the options to save and
print are not available.
This final step confirms that AD RMS is successfully working with AD FS.
Installing an AD RMS Cluster
Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1
Before you can use Windows PowerShell cmdlets to install the Active Directory Rights Management Services (AD RMS) server role on a computer running Windows
Server® 2008 R2, you must start Windows PowerShell with administrator privileges after logging in with an account that meets the following requirements:

 The user account that you use to install AD RMS must not be the same account as the AD RMS service account.

 If you are registering the AD RMS service connection point (SCP) during installation, the user account that you use to install AD RMS must be a member of the Active
Directory Domain Services (AD DS) Enterprise Admins group, or equivalent.

 If you are using an external database server for the AD RMS databases, the user account that you use to install AD RMS must have the right to create new databases.
If Microsoft SQL Server 2005 or Microsoft SQL Server 2008 is used, the user account must be a member of the System Administrators database role, or equivalent.

 The user account that you use to install AD RMS must have access to query the AD DS domain, such as a domain user account.

 The user account that you use to install AD RMS must be a member of the Administrators group, or equivalent, on the server.

Important

You cannot use Windows PowerShell to install AD RMS with a Web site other than the default Web site. If you need to use a different Web site to host AD RMS, you
must use Server Manager to install and configure AD RMS.

Installing and provisioning the first server in an AD RMS cluster consists of the following steps:

1. Create the Windows PowerShell drive to represent the server you are provisioning. For more information, see Creating an AD RMS Cluster Windows PowerShell
Drive.

2. Set properties on objects in the drive namespace that represent required configuration settings. For more information, see Setting Properties on Objects in the AD
RMS Drive Namespace.
3. Run the Install-ADRMS cmdlet. In addition to installing the AD RMS server role and provisioning the server, this cmdlet also installs other features required by
AD RMS, such as Message Queuing, if necessary. For more information, see Running the Install-ADRMS Cmdlet.
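The three steps above as one script, with a guard for the first account requirement in the list (installer and service account must differ). This is an added example and not the documentation's own script: the property names under the RC: drive are written from my recollection of the ADRMSInstall provider and should be confirmed against the Understanding the AD RMS Deployment Provider Namespace topic referenced above; the cluster URL, SLC name and service account name are lab assumptions.

```powershell
# Added example: first AD RMS server in a new root cluster via the PowerShell deployment provider.
# RC: property names are recalled from the ADRMSInstall provider (verify against the namespace
# topic); URL, SLC name and service account are lab assumptions.
#Requires -RunAsAdministrator
Import-Module ADRMS

# Requirement from the list above: the installing account must not be the AD RMS service account.
$serviceAccount = Get-Credential -Message 'AD RMS service account (for example CONTOSO\adrmssvc, assumed)'
$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($serviceAccount.UserName -ieq $me) { throw 'The install account and the AD RMS service account must differ.' }

# Step 1: a drive whose namespace represents the root cluster being provisioned.
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster | Out-Null

# Step 2: required settings expressed as properties on objects in that namespace.
# Windows Internal Database keeps the lab self-contained; production clusters use SQL Server
# (the installing account then needs database-creation rights, as listed above).
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $serviceAccount
# Centrally managed (software) cluster key, protected by a password you must keep for later servers.
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value (Read-Host -AsSecureString 'Cluster key password')
Set-ItemProperty -Path RC:\ClusterUrl -Name Address -Value 'https://rmsservice.contoso.com'
Set-ItemProperty -Path RC:\SLC -Name SlcName -Value 'Contoso RMS'
# Registering the SCP requires Enterprise Admins membership, as listed above.
Set-ItemProperty -Path RC:\SCP -Name Register -Value $true

# Step 3: install the role (plus prerequisites such as Message Queuing) and provision the cluster.
Install-ADRMS -Path RC:\ -Force
```

The Web site cannot be set here: as the Important note above says, the PowerShell path always uses the default Web site.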

See Also
Concepts
Using Windows PowerShell to Deploy AD RMS
Understanding the AD RMS Deployment Provider Namespace
Using Windows PowerShell to Administer AD RMS

Other Resources
Pre-installation Information for Active Directory Rights Management Services

Removing an AD RMS Cluster


Applies To: Windows Server 2008 R2, Windows Server 2012
There can be instances when you need to retire an Active Directory Rights Management Services (AD RMS) server or remove an existing AD RMS cluster entirely. Before you
retire a server, you should back up all AD RMS databases that are used by the server, especially the configuration database.
After you back up the databases, you can remove the server. The requirements for removing an AD RMS server depend on the role of the server and topology of the
AD RMS installation:

 Removing one server from a cluster. If the AD RMS server that you want to retire is in a cluster in which other servers in that AD RMS cluster are still active and
required, removing an individual AD RMS server from the cluster requires that you unprovision and uninstall AD RMS on the server that you want to retire, and
remove the server from the load-balancing rotation. Consult the documentation of the load balancer for instructions about removing a server.

Note

Only servers in the root cluster must be unprovisioned before you uninstall AD RMS. This process is not required for servers that are in licensing-only clusters.
 Retiring a stand-alone server. If the AD RMS server to be retired is the only server in that cluster, take the following steps: decommission, unprovision, and
uninstall the existing AD RMS server, remove it from the network, and then immediately install and provision AD RMS on the replacement server. Configure the new
AD RMS server (this will create a new single-server cluster) and use the same URL and configuration database as the retired AD RMS server. Keep in mind that, until
the replacement server is installed and provisioned, users cannot consume rights-protected content that was published by the single-server cluster.

Important

If the AD RMS server that you are replacing uses a hardware or software-based cryptographic service provider (CSP), you must move the key
container to the new server before you install and provision AD RMS on it. For information about moving the key container, see the documentation
that came with your CSP.

 Replacing an AD RMS installation with another, existing AD RMS installation. In some circumstances, you might need to retire an AD RMS installation and
replace it with another, existing AD RMS installation, for example, in the case of a company merger where both companies are running AD RMS. In this case, you
should export the trusted user domain (TUD) and trusted publishing domain (TPD) from the AD RMS cluster being retired. Import the TUD and TPD into the AD RMS
cluster that is still active. Importing the TUD and TPD will ensure that the rights-protected content that was previously protected by the retired AD RMS installation
can be consumed in the active cluster.

When you decommission, unprovision, and uninstall an AD RMS server, the server is removed from the ClusterServer table of the configuration database, and the directory
services database is deleted from the database server.
This section contains the following procedures:

 Decommission AD RMS

 Remove the AD RMS Server Role

Decommission AD RMS
Applies To: Windows Server 2008 R2, Windows Server 2012
Before you remove the Active Directory Rights Management Services (AD RMS) role from a server, you should first decommission AD RMS. When you decommission
AD RMS, the behavior of the AD RMS cluster is changed such that it can now provide a key that decrypts the rights-protected content that it had previously published. This
key allows the content to be saved without AD RMS protection. This is useful if you have decided to stop using AD RMS protection in your organization but still need the
information.
You should enable decommissioning on each server in the cluster long enough for users to have the opportunity to save their content without AD RMS protection and for
your network and system administrators to disable any AD RMS-enabled clients from using the service.
After you enable decommissioning, the Active Directory Rights Management console will only show the Decommissioning server information page in the results pane; no
further administration is supported.

Caution

When you decommission a server, it cannot be restored to its previous AD RMS configuration. This process cannot be reversed. Once you have decommissioned
AD RMS, you must completely remove AD RMS by using Server Manager before you attempt to install another instance of AD RMS.

Membership in the local AD RMS Enterprise Administrators group, or equivalent, is the minimum required to complete this procedure.
To decommission AD RMS
1. Log on to the server on which you want to decommission AD RMS.
2. Modify the access control list (ACL) on the decommissioning.asmx file by granting the Everyone group Read & Execute permissions. The default location for this file
is %systemdrive%\inetpub\wwwroot\_wmcs\decommission.
3. Open the Active Directory Rights Management Services console and add the AD RMS cluster.
4. Expand the AD RMS cluster, expand Security Policies, and then select Decommissioning.
5. Select the Enable Decommissioning option in the Actions pane.
6. Click Decommission.
7. When prompted, click Yes to confirm that you want to permanently decommission the AD RMS installation.
8. Repeat steps 1–7 for all AD RMS servers in the cluster.
9. Inform your users that you are decommissioning the AD RMS installation and advise them to connect to the cluster to save their content without AD RMS protection.
Alternatively, you could delegate a trusted person to decrypt all rights-protected content by temporarily adding that person to the AD RMS super users group.
10. After you believe that all of the content is unprotected and saved, you should export the server licensor certificate, and then uninstall AD RMS from the server.
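Step 2 of the procedure above (the ACL change on decommissioning.asmx) done from PowerShell instead of the file's Security tab, followed by a read-back of the resulting ACE. This is an added example, not part of the original document; the file path is the default location given in step 2, and the function names are mine.

```powershell
# Added example: grant Everyone Read & Execute on decommissioning.asmx (step 2 above) and verify.
# Path is the default from the procedure; adjust it if the web root was relocated.
#Requires -RunAsAdministrator
$asmx = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\decommission\decommissioning.asmx'
if (-not (Test-Path $asmx)) { throw "Not found: $asmx (non-default web root?)" }

function Grant-EveryoneReadExecute {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Read & Execute only: IIS needs to serve the file, nobody needs to modify it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-EveryoneRights {
    param([Parameter(Mandatory)][string]$Path)
    # Show exactly what Everyone was granted, so the change can be reviewed and recorded.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -eq 'Everyone' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Grant-EveryoneReadExecute -Path $asmx
Get-EveryoneRights -Path $asmx
```

The read-back should list a single Allow entry for Everyone with FileSystemRights of ReadAndExecute, Synchronize; anything broader than that was not what the procedure asked for.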
Additional considerations

 You can also perform the task described in this procedure by using Windows PowerShell. For more information about Windows PowerShell for AD RMS,
see http://go.microsoft.com/fwlink/?LinkId=136806.
Remove the AD RMS Server Role
Applies To: Windows Server 2008 R2, Windows Server 2012
The AD RMS server role is removed from an AD RMS cluster by using Server Manager.

Important

If you are removing every server in the AD RMS cluster, be sure to first decommission AD RMS and remove all protection from the content that is rights-protected by
this AD RMS cluster. If you are only removing one AD RMS server from the cluster, you do not need to decommission the AD RMS environment because other servers
continue to issue certification and licensing requests to AD RMS users.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To remove the AD RMS server role
1. Log on to the server on which you want to remove the AD RMS server role.
2. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
3. In the tree, click Manage Roles.
4. Under Roles Summary, click Remove roles.
5. Read Before You Begin, and then click Next.
6. Clear the Active Directory Rights Management Services check box. If you no longer have a need for Internet Information Services (IIS) on this server, clear
the Web Server (IIS) box, and then click Next.
7. Click Remove. Removing the AD RMS server role can take several minutes.
8. When the server role is removed, click Finish.
Additional considerations

 You can also perform the task described in this procedure by using Windows PowerShell. For more information about Windows PowerShell for AD RMS,
see http://go.microsoft.com/fwlink/?LinkId=136806.
