AD RMS Database Relocation with a CNAME Record Step-by-Step
Microsoft Corporation
Published: April 2010
Author: Bill Mathers
Acknowledgements
Special thanks to the following people for reviewing and providing invaluable feedback for this
document:
Jason Tyler, Microsoft Corporation
Jody Hendrix, Microsoft Corporation
Manthan Maru, Microsoft Corporation
Pat Hoffer, Microsoft Corporation
Abstract
This document will assist architects, consultants, system engineers, and system administrators in
moving the Active Directory Rights Management Services (AD RMS) databases from one server
to another. This guide only covers the step-by-step procedures of moving the database when a
CNAME record was used prior to installing AD RMS. If a CNAME record was not used, please
see the AD RMS Database Relocation without a CNAME Record Step-by-Step
(http://go.microsoft.com/fwlink/?LinkID=188464).
Copyright
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place
or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
AD RMS Database Relocation with a CNAME Record Step-by-Step
About this Guide
What This Guide Does Not Provide
Requirements for this Document
The Scenario
Scenario description
The testing environment
Required Groups
Required accounts
Required CNAME Records
The Importance of CNAME Records
What are CNAME Records?
Why are CNAME Records important to AD RMS?
SQL Server and CNAME Records
Implementing the Procedures in this Document
Step 1 - Create FabrikamUsers Organizational Unit
Step 2 - Create Test Users
Step 3 - Create Test Groups
Step 4 - Add Users to Groups
Step 5 - Create MachineGPO
Step 6 - Create FabrikamDocuments Shared Folder
Step 7 - Create an All Staff Rights Protected Word Document
Step 8 - Consume AllStaffTest Document as Britta Simon
Step 9 - Export the Trusted User Domain and Trusted Publishing Domain
Step 10 - Stop IIS
Step 11 - Verify MSMQ is Empty and Stop the AD RMS Logging Service
Step 12 - Create database backups
Step 13 - Restore the database to the new SQL Server
Verify that the move was successful and that AD RMS is up and running again. This is done by testing
the ability to create new rights-protected content once the databases have been moved, consume the
newly created rights-protected content, and consume existing rights-protected content.
Guidance for setting up and configuring Active Directory Domain Service in either a production or test
environment. This guide assumes that Active Directory Domain Services is already configured in the
test environment. For more information about configuring Active Directory Domain Services, see the AD
DS Installation and Removal Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=154567).
Guidance for setting up and configuring Active Directory Certificate Services in either a production or
test environment. This guide assumes that Active Directory Certificate Services is already configured
and working in the test environment. You must ensure that you have a valid SSL certificate and that it
is bound properly in IIS to the default website. For more information about configuring Active
Directory Certificate Services, see the Active Directory Certificate Services
(http://go.microsoft.com/fwlink/?LinkId=179761).
Guidance for setting up and configuring AD RMS in either a production or test environment. This
guide assumes that AD RMS is already configured and working in the test environment. For more
information about configuring AD RMS, see the AD RMS Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkID=154256).
Guidance for setting up and configuring Exchange Server 2007 SP1 in either a production or test
environment. This guide assumes that Exchange 2007 SP1 is already set up and configured in the test
environment. For more information about configuring Exchange Server 2007 SP1, see Microsoft
Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=154564).
Additional Information
Windows 7 Enterprise (http://go.microsoft.com/fwlink/?LinkId=160776)
Active Directory (http://go.microsoft.com/fwlink/?LinkId=156712)
Microsoft Hyper-V (http://go.microsoft.com/fwlink/?LinkID=156719)
The Scenario
Scenario description
Fabrikam, a fictitious company, wants to move their current AD RMS databases from an existing
Microsoft SQL Server 2008 server to a brand new server. Prior to doing this in production,
Fabrikam would like to set up a test environment that will allow them to walk through the process
of moving the database. This will also allow them to verify that everything is working after the
database move.
        Forest         Operating System
DC      fabrikam.com
EX      fabrikam.net
ADRMS   fabrikam.com
SQL1    fabrikam.com
SQL2    fabrikam.com
CLT     fabrikam.com
Hyper-V is not a requirement to complete the steps outlined later. These steps can be
implemented on physical computers as long as they reflect the same roles as the preceding table.
Required Groups
The following table summarizes the universal groups used in this step-by-step guide.
Table 2 - Group Summary
Group Name        Group Scope   Group Type
All Staff         Universal     Security
All FTE           Universal     Security
All Contractors   Universal     Security
Required accounts
The following table summarizes the accounts used in this step-by-step guide.
Table 3 - Required Accounts
Account        Display name    Forest
bsimon         Britta Simon    fabrikam.com
ljacobson      Lola Jacobson   fabrikam.com
ADRMSService   ADRMS Service   fabrikam.com
Name      Record Type   FQDN
RMS       CNAME         RMS.fabrikam.com
RMS-SQL   CNAME         RMS-SQL.fabrikam.com
Secondly, if you decide later on down the line that you want to add Network Load Balancing
because the AD RMS infrastructure has grown, it is much simpler to do this with a CNAME
record.
2.
3.
4.
5.
6.
7.
8.
9. Step 9 - Export the Trusted User Domain and Trusted Publishing Domain
         Last Name
Britta   Simon       bsimon
Lola     Jacobson    ljacobson
                  Group Scope   Group Type
All Staff         Universal     Security
All FTE           Universal     Security
All Contractors   Universal     Security
10. On the Completion screen, verify that it was successful and click Finish.
11. Close Exchange Management Console.
12. Repeat these steps for all of the groups listed in the Group Summary table.
Add All FTE group and All Contractors group to All Staff group
1. Log on to the DC.fabrikam.com Server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click All Staff, and select Properties.
This will bring up the All Staff Properties window.
4. On the Members tab, click Add. This will bring up the Select Groups dialog box.
5. On the Select Groups dialog box, under Enter the object names to select (examples) box,
enter All FTE and click Check Names. This should resolve with an underline.
6. Click OK. This will close the Select Groups dialog box.
7. On the Members tab, click Add. This will bring up the Select Groups dialog box.
8. On the Select Groups dialog box, under Enter the object names to select (examples) box,
enter All Contractors and click Check Names. This should resolve with an underline.
9. Click OK. This will close the Select Groups dialog box.
10. On the All Staff Properties window, click Apply.
11. Click OK. This will close the All Staff Properties dialog box.
12. Close Active Directory Users and Computers.
         Last Name
Britta   Simon       bsimon
Lola     Jacobson    ljacobson
Open the Group Policy Management console. Click Start, point to Administrative Tools, and then
click Group Policy Management.
3. In the Group Policy Management console, expand Forest: fabrikam.com, expand Domains, right-click fabrikam.com, and select Create a GPO in this domain, and Link it here. This will bring up a New GPO dialog box.
4. In the New GPO box, enter LocalIntranetMachineGPO under Name: and click OK. This will close the dialog box.
5. On the left, expand fabrikam.com, right-click LocalIntranetMachineGPO and select Edit. This will bring up the Group Policy Management Editor.
6. In the Group Policy Management Editor, under User Configuration, expand Policies, expand Windows Settings, expand Internet Explorer Maintenance and click Security.
7. On the right, double-click Security Zones and Content Ratings. This will bring up the Security Zones and Content Ratings box.
8. On the Security Zones and Content Ratings box, select Import the current security zones and
This will bring up an Internet Explorer Enhanced Security Configuration box. Click Continue to close
this box.
10. On the Security Zones and Content Ratings box, click the Modify Settings button. This will bring up
the Internet Properties box.
11. On the Internet Properties box, click the Security tab, select Local intranet and click the Sites button.
This will bring up the Local intranet box.
12. On the Local intranet box, enter https://rms.fabrikam.com and click Add. Click Close. This will
close the second Local intranet box.
Important
This document assumes that, prior to installing AD RMS, a CNAME record called
RMS was created and pointed to ADRMS.fabrikam.com.
13. Click OK to close the Internet Properties box.
14. Click OK to close the Security Zones and Content Ratings box.
should now appear in the box below. Under Permission Level, select Read/Write.
7. Click Share. The window should change and you should now see Your folder is shared.
8. Click Done.
1.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Word 2007. This will bring up Word 2007 with a blank document.
3. On the blank document type the words This is an All Staff test.
4. At the top, click the Office button, select Prepare from the drop-down, select Restrict Permission, and select Restrict Access. This will bring up the Permission window.
5. On the Permission window, place a check in Restrict permission to this document. Next, click Read. This will bring up a Select Names window. Choose All Staff and click OK. This will close the Select Names window.
6.
7. At the top, click the Office button and select Save As from the drop-down.
8. At the top, remove Libraries -> Documents from the location and enter \\ADRMS.fabrikam.com\FabrikamDocuments.
9.
1.
2.
3.
4. Double-click AllStaffTest. This will launch the Configuring your computer for Information Rights Management box.
Figure 17 - Configuring your computer for Information Rights Management
5. Once this completes, you should see a pop-up box that says Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions. Click OK.
6.
On the Desktop, right-click and select New and select Folder from the drop-down.
3.
4. Open the Active Directory Rights Management Services Administration console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
5. In the Active Directory Rights Management Services Administration console, expand the cluster name.
6.
7. On the right, select Export Trusted User Domain. This will bring up the Export Trusted User Domain As box.
8. From the Export Trusted User Domain As box, on the left, select Desktop and select the ADRMSBackup folder.
9. Under File name enter ADRMSTUD and make sure Binary File (*.bin) is selected for Save As Type. Click Save. This will close the Export Trusted User Domain As box.
10. In the Active Directory Rights Management Services Administration console select Trusted
Publishing Domains.
11. On the right, select Export Trusted Publishing Domain. This will bring up the Export Trusted
Publishing Domain box.
12. From the Export Trusted Publishing Domain, click Save As. This will bring up the Export Trusted
Publishing Domain File As box. From the Export Trusted Publishing Domain As box, on the left,
select Desktop and select the ADRMSBackup folder.
13. Under File name enter ADRMSTPD and make sure XML File (*.xml) is selected for Save As Type.
Click Save. This will close the Export Trusted Publishing Domain As box.
14. From the Export Trusted Publishing Domain box, enter Pass1word$ in the Password box. Enter
Pass1word$ in the Confirm Password box.
15. Click Finish. Close the Active Directory Rights Management Services Administration console.
Figure 21 - MSMQ
1.
2.
3.
4.
5. Click the box. This will bring up the Locate Database Files SQL1 window. Navigate to the folder that was created above. Enter DRMS_Config for the File Name and click OK.
6.
7.
8. Once this has completed, a pop-up will say the database has been backed up successfully. Click OK.
Management Studio. This will bring up the Connect to Server dialog box. Ensure that the
Server name is SQL1 and that Authentication is set to Windows Authentication. Click
Connect.
3. On the right, expand Databases. Right-click DRMS_Logging_rms_fabrikam_com_443,
select Tasks and choose Back Up. This will bring up the Back Up Database
DRMS_Logging_rms_fabrikam_com_443 window.
4. From Back Up Database DRMS_Logging_rms_fabrikam_com_443, down under
Destination, highlight the entry and click Remove. Click Add. This will bring up the Select
Backup Destination box.
5. Click the box. This will bring up the Locate Database Files SQL1 window. Navigate to
the folder that was created above. Enter DRMS_Logging for the File Name and click OK.
6. On the Select Backup Destination screen, click OK.
7. On the Back Up Database DRMS_Logging_rms_fabrikam_com_443 screen, click OK.
8. Once this has completed, a pop-up will say the database has been backed up successfully.
Click OK.
1.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.
3. On the right, right-click Databases and select Restore Database. This will bring up the Restore Database window.
Figure 30 - Restore Database
4. On the Restore Database screen, select the From Device radio button and click the box. This will bring up the Specify Backup screen.
Figure 31 - Select From Device
5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File SQL2 screen.
Figure 32 - Specify Backup
Select the DBBackup folder. Enter DRMS_Config for the File Name and click OK.
Figure 33 - Locate Backup File SQL2
6.
7.
8. On the Restore Database screen, under Select the backup sets to restore: place a check in the Restore box, next to DRMS_Config_rms_fabrikam_com_443-Full Database Backup. Click OK.
Figure 34 - Restore
9. Once this has completed, a pop-up will say the database has been restored successfully. Click OK.
Figure 35 - Restore Successful
Connect.
3. On the right, right-click Databases and select Restore Database. This will bring up the
Restore Database window.
4. On the Restore Database screen, select the From Device radio button and click the box.
This will bring up the Specify Backup screen.
5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File SQL2
screen. Select the DBBackup folder. Enter DRMS_Directory for the File Name and click
OK.
6. On the Specify Backup screen click OK.
7. On the Restore Database screen, in the drop-down beside To database: select
DRMS_DirectoryServices_rms_fabrikam_com_443.
8. On the Restore Database screen, under Select the backup sets to restore: place a check
in the Restore box, next to DRMS_DirectoryServices_rms_fabrikam_com_443-Full
Database Backup. Click OK.
9. Once this has completed, a pop-up will say the database has been restored successfully.
Click OK.
To restore the DRMS_Logging_rms_fabrikam_com_443 database from SQL1
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server
Management Studio. This will bring up the Connect to Server dialog box. Ensure that the
Server name is SQL2 and that Authentication is set to Windows Authentication. Click
Connect.
3. On the right, right-click Databases and select Restore Database. This will bring up the
Restore Database window.
4. On the Restore Database screen, select the From Device radio button and click the box.
This will bring up the Specify Backup screen.
5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File SQL2
screen. Select the DBBackup folder. Enter DRMS_Logging for the File Name and click OK.
6. On the Specify Backup screen click OK.
7. On the Restore Database screen, in the drop-down beside To database: select
DRMS_Logging_rms_fabrikam_com_443.
8. On the Restore Database screen, under Select the backup sets to restore: place a check
in the Restore box, next to DRMS_Logging_rms_fabrikam_com_443-Full Database
Backup. Click OK.
9. Once this has completed, a pop-up will say the database has been restored successfully.
Click OK.
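A scripted T-SQL equivalent of the backup and restore steps above, with checksum verification added before and during the restore. This is an added example, not part of the original guide; the C:\DBBackup path is an assumption (the guide names only a DBBackup folder), and the backup files are assumed to have been copied to the same path on SQL2.

```sql
-- Added example, not from the original guide.
-- Assumption: C:\DBBackup exists on SQL1 and SQL2; the guide names only a "DBBackup" folder.
-- Database names, backup file names and backup set names are the ones used in the guide.

---------------------------------------------------------------------------
-- Part 1: run on SQL1, after IIS and the AD RMS Logging Service are stopped.
---------------------------------------------------------------------------
-- INIT overwrites any older backup set in the file; CHECKSUM records page
-- checksums in the backup so damage can be detected later.
BACKUP DATABASE [DRMS_Config_rms_fabrikam_com_443]
    TO DISK = N'C:\DBBackup\DRMS_Config'
    WITH INIT, CHECKSUM,
         NAME = N'DRMS_Config_rms_fabrikam_com_443-Full Database Backup';

BACKUP DATABASE [DRMS_DirectoryServices_rms_fabrikam_com_443]
    TO DISK = N'C:\DBBackup\DRMS_Directory'
    WITH INIT, CHECKSUM,
         NAME = N'DRMS_DirectoryServices_rms_fabrikam_com_443-Full Database Backup';

BACKUP DATABASE [DRMS_Logging_rms_fabrikam_com_443]
    TO DISK = N'C:\DBBackup\DRMS_Logging'
    WITH INIT, CHECKSUM,
         NAME = N'DRMS_Logging_rms_fabrikam_com_443-Full Database Backup';

-- Re-read each file and validate its checksums before it leaves SQL1.
RESTORE VERIFYONLY FROM DISK = N'C:\DBBackup\DRMS_Config'    WITH CHECKSUM;
RESTORE VERIFYONLY FROM DISK = N'C:\DBBackup\DRMS_Directory' WITH CHECKSUM;
RESTORE VERIFYONLY FROM DISK = N'C:\DBBackup\DRMS_Logging'   WITH CHECKSUM;
GO

---------------------------------------------------------------------------
-- Part 2: run on SQL2, after the three files have been copied to C:\DBBackup.
---------------------------------------------------------------------------
-- Confirm what is in a file before restoring it: HEADERONLY shows the source
-- server, database name and backup time; FILELISTONLY shows the logical file
-- names and the physical paths the restore will write to.
RESTORE HEADERONLY   FROM DISK = N'C:\DBBackup\DRMS_Config';
RESTORE FILELISTONLY FROM DISK = N'C:\DBBackup\DRMS_Config';

-- Without MOVE, the data and log files are restored to the same physical
-- paths they had on SQL1. If SQL2 uses a different layout, add
-- MOVE N'<logical name>' TO N'<new path>' for each file listed above.
RESTORE DATABASE [DRMS_Config_rms_fabrikam_com_443]
    FROM DISK = N'C:\DBBackup\DRMS_Config'
    WITH CHECKSUM, RECOVERY;

RESTORE DATABASE [DRMS_DirectoryServices_rms_fabrikam_com_443]
    FROM DISK = N'C:\DBBackup\DRMS_Directory'
    WITH CHECKSUM, RECOVERY;

RESTORE DATABASE [DRMS_Logging_rms_fabrikam_com_443]
    FROM DISK = N'C:\DBBackup\DRMS_Logging'
    WITH CHECKSUM, RECOVERY;

-- All three databases should report ONLINE.
SELECT name, state_desc, recovery_model_desc
FROM sys.databases
WHERE name IN (N'DRMS_Config_rms_fabrikam_com_443',
               N'DRMS_DirectoryServices_rms_fabrikam_com_443',
               N'DRMS_Logging_rms_fabrikam_com_443');
GO
```

The DRMS_Config backup holds the cluster's configuration data, so keep the DBBackup folder restricted to administrators and remove the copies once the move has been verified.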
Click Start, type regedit.exe in the Start Search box, and then press ENTER.
3.
4. Right-click Parameters, click New, and then click DWORD (32-bit) Value.
5. In the Value name box, type DisableStrictNameChecking, and then press ENTER.
6. Double-click the DisableStrictNameChecking registry value and type 1 in the Value data box, and then click OK.
7.
Figure 36 - DisableStrictNameChecking
1.
2.
3. On the left, select Inbound Rules and on the right click New Rule. This will bring up the New Inbound Rule Wizard.
Figure 38 - New Inbound Rule Wizard
4.
5. On the Protocol and ports screen, select TCP and enter 445 in the box next to Specific local ports: and click Next.
6. On the Action screen, select Allow the connection and click Next.
Figure 40 - Action
7. On the Profile screen, select Domain, Private, and Public then click Next.
Figure 41 - Profile
8. On the Name screen, enter SQL Server Named Pipes in the box and click Finish.
9. Repeat these steps for all of the entries in the table below.
      Port Number   Name
TCP   445
TCP   1433
UDP   1434
1.
2.
3. In SQL Server Configuration Manager, on the left, expand SQL Server Network Configuration and click Protocols for MSSQLSERVER. This will populate the right pane with four protocols and their status.
Figure 43 - Protocols for MSSQLSERVER
4. On the right, right-click Disabled next to Named Pipes and select Enable. This will bring up a pop-up box that says Any changes made will be saved; however, they will not take effect until the service is stopped and restarted. Click OK.
Figure 44 - Enable Protocols
5. On the right, right-click Disabled next to TCP/IP and select Enable. This will bring up a pop-up box that says Any changes made will be saved; however, they will not take effect until the service is stopped and restarted. Click OK.
Figure 46 - Protocol Summary
6. In SQL Server Configuration Manager, on the left, click SQL Server Services. This will populate the right pane with three services and their state.
Figure 47 - SQL Server Services
7. On the right, right-click SQL Server (MSSQLSERVER) and select Stop. This will stop the SQL Server service.
8. On the right, right-click SQL Server (MSSQLSERVER) and select Start. This will start the SQL Server service.
9.
1.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.
3. On the right, expand Security, right-click Logins, and select New Login. This will bring up the Login - New screen.
Figure 48 - Login - New
4. On the Login - New screen, click Search. This will bring up a Select User or Group box.
5. On the Select User or Group box, enter fabrikam\ADRMSService in the box below Enter the object name to select (examples) and click Check Names. This should resolve with an underline. Click OK.
Figure 49 - Name Resolved
6. On the Login - New screen, click OK. This will close the Login - New screen.
7.
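The login step above expressed in T-SQL, followed by a check that the users inside the restored databases line up with logins that exist on SQL2. This is an added example, not part of the original guide; it assumes the three databases have already been restored and that it is run on SQL2 by a member of the sysadmin role.

```sql
-- Added example, not from the original guide. Run on SQL2 after the restores.

-- Create the Windows login for the AD RMS service account if it is missing.
-- Windows logins are matched to database users by domain SID, so users in the
-- restored databases that belong to this account link up as soon as the login
-- exists on the new server.
IF NOT EXISTS (SELECT 1
               FROM sys.server_principals
               WHERE sid = SUSER_SID(N'fabrikam\ADRMSService'))
    CREATE LOGIN [fabrikam\ADRMSService] FROM WINDOWS;
GO

-- For each restored database, list every user next to the server login that
-- shares its SID. A row without a login is either an orphaned SQL user or a
-- Windows principal that has no login of its own on SQL2.
DECLARE @dbs TABLE (name sysname);
INSERT INTO @dbs (name) VALUES
    (N'DRMS_Config_rms_fabrikam_com_443'),
    (N'DRMS_DirectoryServices_rms_fabrikam_com_443'),
    (N'DRMS_Logging_rms_fabrikam_com_443');

DECLARE @db sysname, @sql nvarchar(max);

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM @dbs;

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- principal_id 1-4 are dbo, guest, INFORMATION_SCHEMA and sys.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME()    AS database_name,
               dp.name      AS database_user,
               dp.type_desc AS user_type,
               ISNULL(sp.name, N''<no login on this server>'') AS server_login
        FROM sys.database_principals AS dp
        LEFT JOIN sys.server_principals AS sp
               ON sp.sid = dp.sid
        WHERE dp.type IN (''S'', ''U'', ''G'')
          AND dp.principal_id > 4
        ORDER BY dp.name;';

    EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM db_cur INTO @db;
END

CLOSE db_cur;
DEALLOCATE db_cur;
GO
```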
2.
3.
4.
1.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Word 2007. This will bring up Word 2007 with a blank document.
3. On the blank document type the words This is an All FTE test.
4. At the top, click the Office button, select Prepare from the drop-down, select Restrict Permission, and select Restrict Access. This will bring up the Permission window.
5. On the Permission window, place a check in Restrict permission to this document. Next, click Read. This will bring up a Select Names window. Choose All FTE and click OK. This will close the Select Names window.
6.
7. At the top, click the Office button and select Save As from the drop-down.
8. At the top, remove Libraries -> Documents from the location and enter \\ADRMS.fabrikam.com\FabrikamDocuments.
9.
1.
2.
3.
4. Double-click AllFTETest.
5. This will take a moment, then you will see the Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions box. Click OK.
Figure 54 - Permission to this document is currently restricted box
6.
7. Close Word.
1.
2.
3.
4. Double-click AllFTETest. This will launch the Configuring your computer for Information Rights Management box.
5. This will take a moment, then you will see the Permissions to this document is currently restricted. Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your permissions box. Click OK.
6. This will bring up a box that says You do not have credentials that allow you to open this document. You can request updated permission from administrator@fabrikam.com. Do you want to request updated permissions? Click No.
Figure 55 - You do not have credentials
7. Close Word.
The environment
The following three virtual machines are used to complete the steps outlined in this Appendix.
        Forest         Operating System
DC      fabrikam.com   Windows Server 20
ADRMS   fabrikam.com   Windows Server 20
SQL1    fabrikam.com   Windows Server 20
CNAME Records
The following two CNAME records will be created in the steps outlined by this appendix.
Table 10 - CNAME Records
Name      Record Type   FQDN
RMS       CNAME         RMS.fabrikam.com
RMS-SQL   CNAME         RMS-SQL.fabrikam.com
Additional Information
The following additional information is assumed for completion of the steps outlined in this
Appendix.
1. The AD RMS Service account used is fabrikam\ADRMSService. The password for this account is Pass1word$.
2. Prior to installing AD RMS, SQL1 has had the proper network protocols enabled, firewall ports opened, and the DisableStrictNameChecking registry key has been added.
Click Start, point to Administrative Tools, and then click DNS. This will bring up the DNS Manager.
3. From the DNS Manager, on the left, expand DC, expand Forward Lookup Zone, right-click fabrikam.com and select New Alias (CNAME) from the menu. This will bring up the New Resource Record dialog box.
Figure 56 - New Alias (CNAME)
4. On the New Resource Record box, under Alias name (uses parent domain if left blank): enter RMS.
5. On the New Resource Record box, under Fully qualified domain name (FQDN) for target host:, click Browse, double-click DC, double-click Forward Lookup Zones, double-click fabrikam.com and select the ADRMS Host record. Click OK.
Figure 57 - RMS CNAME Record
6. Click OK.
7.
1.
2. Click Start, point to Administrative Tools, and then click DNS. This will bring up the DNS Manager.
3. From the DNS Manager, on the left, expand DC, expand Forward Lookup Zone, right-click fabrikam.com and select New Alias (CNAME) from the menu. This will bring up the New Resource Record dialog box.
4. On the New Resource Record box, under Alias name (uses parent domain if left blank): enter RMS-SQL.
5. On the New Resource Record box, under Fully qualified domain name (FQDN) for target host:, click Browse, double-click DC, double-click Forward Lookup Zones, double-click fabrikam.com
6. Click OK.
7.
1.
2. Click Start, point to Administrative Tools, and then click Server Manager. This will bring up the Server Manager.
3. From the Server Manager, on the left, select Roles. This will populate the right pane with a Roles Summary.
Figure 60 - Server Manager
4. On the right, select Add Roles. This will bring up the Add Roles Wizard.
Figure 61 - Add Roles Wizard
5. On the Add Roles Wizard, click Next. This will bring up the Server Roles screen.
6. From Server Roles, place a check in Active Directory Rights Management Services. This will bring up a box that says Add role services and features required for Active Directory Rights Management Services? Click Add Required Roles Services.
Figure 62 - Select Server Roles
7. Once this is complete, click Next. This will bring up the Active Directory Rights Management Services introductory screen. Click Next. This will bring up the Role Services screen.
Figure 64 - Active Directory Rights Management Services Introductory Screen
8. On the Roles Services screen, leave the defaults and click Next. This will bring up the AD RMS Cluster screen.
Figure 65 - Role Services
9. On the AD RMS Cluster screen, leave the default of Create a new AD RMS cluster and click Next. Because this is the root cluster, the other option will be greyed out. This will bring up the Configuration Database screen.
Figure 66 - AD RMS Cluster
10. On the Configuration Database screen, select Use a different database server. Under Server enter RMS-SQL.fabrikam.com and click Get Database Instances. From the drop-down, select Default. Click Validate. If this is successful, there should be no error message. Click Next. This will bring up the Service Account screen.
Figure 67 - Configuration Database
11. On the Service Account screen, click Specify. This will bring up a Windows Security box. For User name enter ADRMSService and for Password enter Pass1word$. Click OK. On the Service Account screen, click Next. This will bring up the Cluster Key Storage screen.
Figure 68 - Service Account
12. On the Cluster Key Storage screen, leave the default of Use AD RMS centrally managed key storage and click Next. This will bring up the Cluster Key Password screen.
Figure 69 - Cluster Key Storage
13. On the Cluster Key Password screen, for Password enter Pass1word$, for Confirm Password enter Pass1word$. Click Next. This will bring up the Cluster Web Site screen.
Figure 70 - Cluster Key Password
14. On the Cluster Web Site screen, leave the default of Default Web Site and click Next. This will bring up the Cluster Address screen.
Figure 71 - Cluster Web Site
15. On the Cluster Address screen, leave the default of Use an SSL-encrypted connection (https://) and under Internal Address enter RMS.fabrikam.com. Leave the default port of 443. Click Validate. If this is successful, https://RMS.fabrikam.com should appear under Preview of cluster address for clients on the network. Click Next. This will bring up the Server Authentication Certificate screen.
Figure 72 - Cluster Address
16. On the Server Authentication Certificate screen, select Choose a certificate for SSL encryption later. This will bring up the Licensor Certificate Name screen. Once the installation is complete, an SSL certificate can be requested through IIS. For information on how to do this, see Import an SSL Certificate Using Internet Information Services (IIS) Manager (http://go.microsoft.com/fwlink/?LinkID=154912).
Figure 73 - Server Authentication Certificate
17. On the Licensor Certificate Name screen, leave the default Name of ADRMS and click Next. This will bring up the SCP Registration screen.
Figure 74 - Licensor Certificate Name
18. On the SCP Registration screen, leave the default of Register the AD RMS service connection point now and click Next. This will bring up the Web Server (IIS) screen.
Figure 75 - SCP Registration
19. On the Web Server (IIS) screen, click Next. This will bring up the Role Services for IIS screen.
Figure 76 - Web Server (IIS)
20. On the Role Services for IIS screen, leave the defaults and click Next. This will bring up the Confirmation screen.
Figure 77 - Role Services (IIS)
21. On the Confirmation screen, click Install. This will bring up the Progress screen.
Figure 78 - Confirmation
22. Once the Progress screen has completed, the installation has completed. Click Close.
Figure 79 - Progress
Warning
Before you administer AD RMS, you will need to log off and then log on again.
Figure 79 - Results