
AD RMS Database Relocation with a CNAME Record Step-by-Step
Microsoft Corporation
Published: April 2010
Author: Bill Mathers

Acknowledgements
Special thanks to the following people for reviewing and providing invaluable feedback for this
document:
Jason Tyler, Microsoft Corporation
Jody Hendrix, Microsoft Corporation
Manthan Maru, Microsoft Corporation
Pat Hoffer, Microsoft Corporation

Abstract
This document will assist architects, consultants, system engineers, and system administrators in
moving the Active Directory Rights Management Services (AD RMS) databases from one server
to another. This guide covers only the step-by-step procedure for moving the databases when a
CNAME record was used before AD RMS was installed. If a CNAME record was not used, see
AD RMS Database Relocation without a CNAME Record Step-by-Step
(http://go.microsoft.com/fwlink/?LinkID=188464).

Copyright
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place
or event is intended or should be inferred.
2009 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

Contents
AD RMS Database Relocation with a CNAME Record Step-by-Step.............................................5
About this Guide.......................................................................................................................... 5
What This Guide Does Not Provide......................................................................................... 5
Requirements for this Document.................................................................................................... 6
The Scenario.................................................................................................................................. 7
Scenario description.................................................................................................................... 7
The testing environment........................................................................................................... 7
Required Groups...................................................................................................................... 8
Required accounts................................................................................................................... 9
Required CNAME Records...................................................................................................... 9
The Importance of CNAME Records............................................................................................10
What are CNAME Records?...................................................................................................... 10
Why are CNAME Records important to AD RMS?.....................................................................11
SQL Server and CNAME Records............................................................................................. 11
Implementing the Procedures in this Document...........................................................................12
Step 1 - Create FabrikamUsers Organizational Unit.....................................................................13
Step 2 - Create Test Users............................................................................................................ 14
Step 3 - Create Test Groups......................................................................................................... 17
Step 4 - Add Users to Groups....................................................................................................... 22
Step 5 - Create MachineGPO....................................................................................................... 24
Step 6 - Create FabrikamDocuments Shared Folder....................................................................27
Step 7 - Create an All Staff Rights Protected Word Document.....................................................28
Step 8 - Consume AllStaffTest Document as Britta Simon............................................................29
Step 9 - Export the Trusted User Domain and Trusted Publishing Domain...................................30
Step 10 - Stop IIS......................................................................................................................... 32
Step 11 - Verify MSMQ is Empty and Stop the AD RMS Logging Service....................................33
Step 12 - Create database backups.............................................................................................35
Step 13 - Restore the database to the new SQL Server...............................................42
Step 14 - Add DisableStrictNameChecking Registry Key.............................................49
Step 15 - Enable SQL Firewall Ports............................................................................ 50
Step 16 - Enable SQL Server Network Protocols..........................................................................56
Step 17 - Add ADRMSService to SQL Logins...............................................................................60
Step 18 - Change the CNAME Record in DNS.............................................................................62
Step 19 - Restart IIS and AD RMS Logging Service.....................................................................63
Testing the Implementation........................................................................................................... 65
Step 1 - Create an All FTE Rights Protected Word Document......................................................66
Step 2 - Consume AllFTETest Document as Britta Simon............................................................67
Step 3 - Consume AllFTETest Document as Lola Jacobson.........................................................68
Step 4 - Consume AllStaffTest Document as Lola Jacobson........................................................69
Appendix A - How to Install AD RMS with a CNAME Record........................................................69
Installing AD RMS using a CNAME Record...............................................................................69
The environment.................................................................................................................... 69
CNAME Records.................................................................................................................... 71
Additional Information............................................................................................................ 71
Step 1 - Create CNAME Records................................................................................................. 71
Step 2 - Install AD RMS................................................................................................................ 75

AD RMS Database Relocation with a CNAME Record Step-by-Step
About this Guide
This step-by-step guide walks you through moving the AD RMS databases from one SQL Server
2008 SP1 server to another SQL Server 2008 SP1 server. The procedure is performed in a test
environment so that you are familiar with it before attempting it in a production environment. The
first part of this guide sets up a working AD RMS test environment; that environment is then used
to verify that the databases have been moved successfully. The final parts of this guide cover the
move itself.
As you complete the steps in this guide, you will:
- Back up the AD RMS databases.
- Restore the AD RMS databases on the new SQL Server.
- Verify that the move was successful and that AD RMS is up and running again. This is done by
creating new rights-protected content after the databases have been moved, consuming that newly
created content, and consuming rights-protected content that existed before the move.

What This Guide Does Not Provide


This guide does not provide the following:
- Guidance for setting up and configuring Active Directory Domain Services in either a production or
test environment. This guide assumes that Active Directory Domain Services is already configured in
the test environment. For more information about configuring Active Directory Domain Services, see
the AD DS Installation and Removal Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=154567).
- Guidance for setting up and configuring Active Directory Certificate Services in either a production or
test environment. This guide assumes that Active Directory Certificate Services is already configured
and working in the test environment. You must ensure that you have a valid SSL certificate and that it
is bound properly in IIS to the default website. Because clients connect to the cluster URL
(https://rms.fabrikam.com), the certificate must be issued for the CNAME, not for the AD RMS
server's own host name. For more information about configuring Active Directory Certificate Services,
see Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761).
- Guidance for setting up and configuring AD RMS in either a production or test environment. This
guide assumes that AD RMS is already configured and working in the test environment. For more
information about configuring AD RMS, see the AD RMS Step-by-Step Guide
(http://go.microsoft.com/fwlink/?LinkID=154256).
- Guidance for setting up and configuring Exchange Server 2007 SP1 in either a production or test
environment. This guide assumes that Exchange 2007 SP1 is already set up and configured in the test
environment. For more information about configuring Exchange Server 2007 SP1, see Microsoft
Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=154564).

Requirements for this Document


The following table summarizes the Microsoft software that was used in this guide.
Software | Additional Information
Windows Server 2008 Enterprise 64-bit edition | Windows Server 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Windows Server 2008 R2 Enterprise 64-bit | Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=165669)
Windows 7 Enterprise | Windows 7 Enterprise (http://go.microsoft.com/fwlink/?LinkId=160776)
Active Directory Domain Services | Active Directory (http://go.microsoft.com/fwlink/?LinkId=156712)
Active Directory Certificate Services | Active Directory Certificate Services (http://go.microsoft.com/fwlink/?LinkId=179761)
Active Directory Rights Management Services (AD RMS) | Active Directory Rights Management Services (AD RMS) (http://go.microsoft.com/fwlink/?LinkId=163969)
Microsoft SQL Server 2008 Service Pack 1 64-bit edition | Microsoft SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkId=156714)
Microsoft Exchange Server 2007 Service Pack 2 64-bit | Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=156715)
Microsoft Office 2007 with Service Pack 2 | Microsoft Office 2007 (http://go.microsoft.com/fwlink/?LinkId=156717)
Microsoft Hyper-V | Microsoft Hyper-V (http://go.microsoft.com/fwlink/?LinkID=156719)
Internet Information Services (IIS) 7.0 | IIS 7.0 (http://go.microsoft.com/fwlink/?LinkId=160778)
Rights Management Services Administration Toolkit with SP2 | Rights Management Services Administration Toolkit with SP2 (http://go.microsoft.com/fwlink/?LinkID=158667)

The Scenario
Scenario description
Fabrikam, a fictitious company, wants to move its current AD RMS databases from an existing
Microsoft SQL Server 2008 server to a brand new server. Before doing this in production,
Fabrikam would like to set up a test environment in which to walk through the process of moving
the databases. This also allows Fabrikam to verify that everything is working after the database
move.

The testing environment


The scenario outlined in this document was developed and tested on one stand-alone
computer running the 64-bit edition of the Windows Server 2008 R2 operating system and
Hyper-V. The host has two 3.0 gigahertz (GHz) dual-core processors and 8 gigabytes (GB) of
RAM. Using Hyper-V, the following six virtual machines were created on the host.
Figure 1 The testing environment


Table 1 - Virtual Machines and Roles
Computer Name | Forest | Operating System
DC | fabrikam.com | Windows Server 2008 x64
EX | fabrikam.com | Windows Server 2008 x64
ADRMS | fabrikam.com | Windows Server 2008 x64
SQL1 | fabrikam.com | Windows Server 2008 x64
SQL2 | fabrikam.com | Windows Server 2008 R2
CLT | fabrikam.com | Windows 7 Enterprise x86

Hyper-V is not a requirement to complete the steps outlined later. These steps can be
implemented on physical computers as long as they reflect the same roles as the preceding table.

Required Groups
The following table summarizes the universal groups used in this step-by-step guide.
Table 2 - Group Summary
Group Name | Group Scope | Group Type
All Staff | Universal | Security
All FTE | Universal | Security
All Contractors | Universal | Security

Required accounts
The following table summarizes the accounts used in this step-by-step guide.
Table 3 - Required Accounts
Account | Display name | Forest
bsimon | Britta Simon | fabrikam.com
ljacobson | Lola Jacobson | fabrikam.com
ADRMSService | ADRMS Service | fabrikam.com

Required CNAME Records
The following table summarizes the CNAME records used in this step-by-step guide. These
records were created before installing AD RMS in the test environment.
Table 4 - CNAME Records
Name | Record Type | FQDN
RMS | CNAME | RMS.fabrikam.com
RMS-SQL | CNAME | RMS-SQL.fabrikam.com

The Importance of CNAME Records

What are CNAME Records?
CNAME stands for Canonical Name record. It is a type of resource record in the Domain Name
System (DNS) that makes one name an alias for another: a query for the alias is answered with the
target name, and the resolver then looks up the target. For example, in our scenario we use a
CNAME record named RMS-SQL that points to the FQDN of our SQL Server, SQL1.fabrikam.com,
so AD RMS was installed against RMS-SQL.fabrikam.com rather than against SQL1.fabrikam.com.


Figure 3 - CNAME Records in DNS

Why are CNAME Records important to AD RMS?
CNAME records are important for several reasons. First, when you create a piece of rights-protected
content, the URL of the AD RMS cluster is embedded in the publishing license in the content's
header. When a user attempts to consume the content, it is this URL that the client contacts to
obtain a use license. If you originally installed AD RMS using the FQDN of the physical AD RMS
server as the URL and that name were ever to change, documents carrying the old URL would
become inaccessible.
For example, suppose we have an AD RMS server with an FQDN of AD-RMS.fabrikam.com and we
use a URL of https://AD-RMS.fabrikam.com. All of our rights-protected content will then have
https://AD-RMS.fabrikam.com embedded in its header. Now say we decide to rename the AD RMS
server to AD-RMS2.fabrikam.com, so that our URL becomes https://AD-RMS2.fabrikam.com. When a
user attempts to consume older rights-protected content, the client will look for a use license at
https://AD-RMS.fabrikam.com, not at our new URL of https://AD-RMS2.fabrikam.com, and the user
will not be able to consume the content. Now suppose instead that we had created a CNAME record
called RMS, with the FQDN RMS.fabrikam.com, and pointed it at AD-RMS.fabrikam.com. When we
install AD RMS, we specify https://RMS.fabrikam.com as the URL. If we later rename the AD RMS
server to AD-RMS2.fabrikam.com, we simply edit the CNAME record to point to
AD-RMS2.fabrikam.com, and the URL embedded in existing content keeps resolving to a working
licensing server.


Figure 2 Sample AD RMS encrypted header

Second, if you decide later that you want to add Network Load Balancing because the AD RMS
infrastructure has grown, it is much simpler to do so with a CNAME record: the alias is repointed at
the load-balanced name, and the URL embedded in existing content does not change.
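The following is an added example and is not part of the Microsoft guide. It shows the two aliases described above created, inspected and repointed from the command line with dnscmd.exe on DC.fabrikam.com, which holds the fabrikam.com zone. The zone, the RMS and RMS-SQL aliases and the ADRMS, SQL1 and SQL2 host names are the guide's test environment; repointing RMS-SQL from SQL1 to SQL2 is the DNS change the guide makes in Step 18, after the databases have been restored on the new server.

```powershell
# Added example, not from the Microsoft guide. Run in an elevated PowerShell
# prompt on DC.fabrikam.com, the DNS server for the fabrikam.com zone.
# dnscmd.exe is installed with the DNS Server role on Windows Server 2008.
$zone = "fabrikam.com"

# Appendix A, Step 1: the two aliases that must exist before AD RMS is installed.
# RMS is the name in the AD RMS cluster URL (https://RMS.fabrikam.com) and so
# ends up in every publishing license; RMS-SQL is the name AD RMS uses to reach
# SQL Server. Trailing dots mark the targets as fully qualified. In the guide's
# environment both records already exist, and dnscmd reports an error rather
# than overwriting an existing CNAME, so these two lines are safe to re-run.
dnscmd localhost /RecordAdd $zone RMS     CNAME ADRMS.fabrikam.com.
dnscmd localhost /RecordAdd $zone RMS-SQL CNAME SQL1.fabrikam.com.

# Inspect the alias the database move will change (expected target: SQL1).
dnscmd localhost /EnumRecords $zone RMS-SQL /Type CNAME

# Step 18 of the guide: repoint RMS-SQL at the new SQL Server. dnscmd cannot
# edit a CNAME in place, so delete the old record (/f skips the confirmation
# prompt) and add the new one. Do this only after the databases are restored
# on SQL2 and the ADRMSService login exists there (Steps 13 and 17).
dnscmd localhost /RecordDelete $zone RMS-SQL CNAME SQL1.fabrikam.com. /f
dnscmd localhost /RecordAdd    $zone RMS-SQL CNAME SQL2.fabrikam.com.

# Check the answer a client would now receive. Resolvers that cached the old
# answer keep it until the record's TTL expires, so run "ipconfig /flushdns"
# on the AD RMS server before restarting IIS (Step 19); otherwise the service
# may reconnect to SQL1.
nslookup RMS-SQL.fabrikam.com
```

Nothing in the rights-protected content changes during this procedure: the licensing URL embedded in existing documents is https://RMS.fabrikam.com, and the RMS alias is left alone. Only the alias that AD RMS uses to reach its databases moves, which is why the guide can verify the relocation by consuming a document created before the move.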

SQL Server and CNAME Records
To use a CNAME record with SQL Server, the DisableStrictNameChecking registry value must be
added and set to 1. By default the value is absent, so strict name checking is in effect: the Server
(SMB) service on the SQL computer rejects connections addressed to any name other than the
computer's own name. Setting the value to 1 lets it accept connections made through the alias,
such as RMS-SQL.fabrikam.com. The check applies to named-pipe connections, which ride on
SMB; a TCP connection to the SQL port does not pass through the Server service. Step 14 - Add
DisableStrictNameChecking Registry Key of this guide describes how to do this in detail.
Figure 4 DisableStrictNameChecking Registry Key
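As an added example that is not part of the guide, the same registry change made and verified from an elevated PowerShell prompt on the new SQL Server (SQL2.fabrikam.com in this scenario). The key path and value name are the documented DisableStrictNameChecking setting of the Server service. The commented setspn line is an optional extra for Kerberos authentication through the alias and names a placeholder service account, because the guide does not state which domain account SQL Server runs as.

```powershell
# Added example, not from the Microsoft guide. Run in an elevated PowerShell
# prompt on the new SQL Server (SQL2.fabrikam.com). Key path and value name are
# the Server service's documented DisableStrictNameChecking setting.
$key  = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$name = "DisableStrictNameChecking"

# Show the current state. The value is absent on a default installation, which
# is what the guide means by "disabled by default": strict checking is on.
$before = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($before) {
    "Current value: $($before.$name)"
} else {
    "Value not present (strict name checking in effect)"
}

# Create (or overwrite) the REG_DWORD with the value 1.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back and fail loudly rather than continue with the wrong value.
$after = (Get-ItemProperty -Path $key -Name $name).$name
if ($after -ne 1) { throw "$name is $after, expected 1" }

# The Server service reads the setting at start-up; restart it (or reboot).
# -Force also restarts the services that depend on it.
Restart-Service -Name LanmanServer -Force

# Optional: Kerberos through the alias. Clients that connect to
# RMS-SQL.fabrikam.com look for an SPN built from that name; without one they
# fall back to NTLM. The account below is a placeholder for whichever domain
# account SQL Server runs as (the guide does not name it).
# setspn -S MSSQLSvc/RMS-SQL.fabrikam.com:1433 fabrikam\<sql-service-account>
```

The throw is deliberate: a half-applied pre-cutover step is exactly what makes Step 19 fail in a way that looks like a database problem, so each setting is read back before moving on.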


Implementing the Procedures in this Document
The following steps will guide you through setting up the initial environment and then moving the
databases.
This section is comprised of the following steps:
1. Step 1 - Create FabrikamUsers Organizational Unit
2. Step 2 - Create Test Users
3. Step 3 - Create Test Groups
4. Step 4 - Add Users to Groups
5. Step 5 - Create MachineGPO
6. Step 6 - Create FabrikamDocuments Shared Folder
7. Step 7 - Create an All Staff Rights Protected Word Document
8. Step 8 - Consume AllStaffTest Document as Britta Simon
9. Step 9 - Export the Trusted User Domain and Trusted Publishing Domain
10. Step 10 - Stop IIS
11. Step 11 - Verify MSMQ is Empty and Stop the AD RMS Logging Service
12. Step 12 - Create database backups
13. Step 13 - Restore the database to the new SQL Server
14. Step 14 - Add DisableStrictNameChecking Registry Key
15. Step 15 - Enable SQL Firewall Ports
16. Step 16 - Enable SQL Server Network Protocols
17. Step 17 - Add ADRMSService to SQL Logins
18. Step 18 - Change the CNAME Record in DNS
19. Step 19 - Restart IIS and the AD RMS Logging Service


Step 1 - Create FabrikamUsers Organizational Unit
This step explains how to create an organizational unit in fabrikam.com. This organizational unit
will store all of the test users.
To create the organizational unit
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
This will open the Active Directory Users and Computers mmc.
3. In the Active Directory Users and Computers mmc, in the tree view on the left, right-click
fabrikam.com, select New, and then select Organizational Unit.
4. In the Name box, type FabrikamUsers. Click OK.
5. Close Active Directory Users and Computers.

Figure 5 FabrikamUsers Organizational Unit


Step 2 - Create Test Users


This step explains how to create and mailbox-enable the test users in fabrikam.com. These
accounts will be used to verify that users are able to create and consume content once the
databases have been moved.
Table 5 - Required Accounts
First Name | Last Name | User logon name
Britta | Simon | bsimon
Lola | Jacobson | ljacobson

To create the test User Accounts
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, right-click FabrikamUsers, select New, and then select User. This
will bring up the New Object - User window.
4. On the New Object - User screen, in the First name box, enter Britta.
5. On the New Object - User screen, in the Last name box, enter Simon.
6. On the New Object - User screen, in the User logon name box, enter bsimon and click
Next.
7. On the New Object - User screen, in the Password box, enter Pass1word!.
8. On the New Object - User screen, in the Confirm password box, enter Pass1word!.
9. On the New Object - User screen, remove the check from User must change password at
next logon.
10. On the New Object - User screen, add a check to Password never expires and click Next.
11. Click Finish.
12. Repeat these steps for all of the accounts listed in Table 5.


Figure 6 Fabrikam Users

To Mailbox-Enable the User Accounts
1. Log on to EX.fabrikam.com as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange
Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click
Mailbox.
4. On the right, in the Actions pane, click New Mailbox to start the New Mailbox wizard.
5. On the Introduction screen, select User Mailbox and click Next.
6. On the User Type screen, select Existing users and click Add. This will bring up the Select
User - fabrikam.com screen.
7. From the list, using the Ctrl key, select Britta Simon and Lola Jacobson, then click OK.
8. Click Next.
9. On the Group Information screen, click Next.
10. On the Mailbox Settings screen, under Mailbox database, click Browse. This will bring up
the Select Mailbox Database screen.
11. Select the Mailbox Database and click OK. Click Next.
12. On the New Mailbox screen, click Next.
13. On the Completion screen, verify that it was successful and click Finish.
14. Close Exchange Management Console.

Figure 7 New mailbox wizard


Step 3 - Create Test Groups


This step explains how to create and mail-enable the test groups in fabrikam.com. It also
explains how to make certain groups members of other groups. These groups will be used to
determine who has usage rights to the protected content created later in this guide.
Table 6 - Group Summary
Group Name | Group Scope | Group Type
All Staff | Universal | Security
All FTE | Universal | Security
All Contractors | Universal | Security

To create the test Groups
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, right-click FabrikamUsers, select New, and then select Group. This
will bring up the New Object - Group window.
4. On the New Object - Group screen, in the Group name box, enter All Staff.
5. On the New Object - Group screen, under Group scope, select Universal.
6. On the New Object - Group screen, under Group type, select Security.
7. Click OK.
8. Repeat these steps for all of the groups listed in Table 6.


Figure 8 Fabrikam Groups

To Mail-Enable the Security Groups
1. Log on to EX.fabrikam.com as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange
Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click
Distribution Group.
4. On the right, in the Actions pane, click New Distribution Group to start the New
Distribution Group wizard.
5. On the Introduction screen, select Existing group and click Browse. This will bring up the
Select Group - fabrikam.com screen.
6. From the list, select All Staff and click OK.
7. Click Next.
8. On the Group Information screen, click Next.
9. On the New Distribution Group screen, click New.
10. On the Completion screen, verify that it was successful and click Finish.
11. Close Exchange Management Console.
12. Repeat these steps for all of the groups listed in Table 6.

Figure 9 New Distribution Group Wizard


Figure 10 Fabrikam Distribution Groups

Add All FTE group and All Contractors group to All Staff group
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click All Staff, and select Properties.
This will bring up the All Staff Properties window.
4. On the Members tab, click Add. This will bring up the Select Groups dialog box.
5. In the Select Groups dialog box, in the Enter the object names to select (examples) box,
enter All FTE and click Check Names. The name should resolve and appear underlined.
6. Click OK. This will close the Select Groups dialog box.
7. On the Members tab, click Add. This will bring up the Select Groups dialog box.
8. In the Select Groups dialog box, in the Enter the object names to select (examples) box,
enter All Contractors and click Check Names. The name should resolve and appear underlined.
9. Click OK. This will close the Select Groups dialog box.
10. In the All Staff Properties window, click Apply.
11. Click OK. This will close the All Staff Properties dialog box.
12. Close Active Directory Users and Computers.

Figure 11 All Staff Properties

Step 4 - Add Users to Groups


This step explains how to add the previously created users to the previously created security
groups. The group membership will be used to determine whether or not a user will be able to
access a piece of rights-protected e-mail.


Table 7 - Account Summary
First Name | Last Name | User logon name
Britta | Simon | bsimon
Lola | Jacobson | ljacobson

To add test user accounts to test groups
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand fabrikam.com, select FabrikamUsers, right-click Britta Simon, and select
Properties. This will bring up the Britta Simon Properties window.
4. On the Member Of tab, click Add. This will bring up the Select Groups dialog box.
5. In the Select Groups dialog box, in the Enter the object names to select (examples) box,
enter All FTE and click Check Names. The name should resolve and appear underlined.
6. Click OK. This will close the Select Groups dialog box.
7. In the Britta Simon Properties window, click Apply.
8. Click OK. This will close the Britta Simon Properties dialog box.
9. Repeat these steps for all of the accounts listed in Table 7, substituting the appropriate
Member Of value.
10. Close Active Directory Users and Computers.
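Steps 1 through 4 can also be scripted. The following added example, which is not part of the Microsoft guide, performs the same directory changes from an elevated PowerShell prompt on DC.fabrikam.com using dsadd, dsmod and dsget, which ship with AD DS on Windows Server 2008. The OU, user, group and password values are the ones given in the steps above; Lola Jacobson's membership in All Contractors is an assumption, since Step 4 spells out only Britta Simon's group. The Exchange parts of Steps 2 and 3 are not repeated here; their Exchange Management Shell equivalents on EX.fabrikam.com are Enable-Mailbox and Enable-DistributionGroup.

```powershell
# Added example, not from the Microsoft guide. Run in an elevated PowerShell
# prompt on DC.fabrikam.com as a domain administrator. dsadd/dsmod/dsget are
# the Windows Server 2008 directory service command-line tools.
$domain = "DC=fabrikam,DC=com"
$ou     = "OU=FabrikamUsers,$domain"

# Step 1: the OU that holds the test accounts and groups.
dsadd ou $ou

# Step 2: test users. -mustchpwd no and -pwdneverexpires yes mirror the two
# check boxes in the New Object - User wizard. A clear-text password on the
# command line is acceptable only in this throwaway test forest. Lola's group
# (All Contractors) is an assumption; the guide states only Britta's.
$users = @(
    @{ cn = "Britta Simon";  fn = "Britta"; ln = "Simon";    sam = "bsimon";    grp = "All FTE" },
    @{ cn = "Lola Jacobson"; fn = "Lola";   ln = "Jacobson"; sam = "ljacobson"; grp = "All Contractors" }
)
foreach ($u in $users) {
    dsadd user "CN=$($u.cn),$ou" -samid $u.sam -upn "$($u.sam)@fabrikam.com" `
        -fn $u.fn -ln $u.ln -display $u.cn -pwd "Pass1word!" `
        -mustchpwd no -pwdneverexpires yes -disabled no
}

# Step 3: universal security groups (Table 6), then nest All FTE and
# All Contractors inside All Staff.
foreach ($g in "All Staff", "All FTE", "All Contractors") {
    dsadd group "CN=$g,$ou" -scope u -secgrp yes -samid $g
}
dsmod group "CN=All Staff,$ou" -addmbr "CN=All FTE,$ou" "CN=All Contractors,$ou"

# Step 4: direct membership for each user (Britta -> All FTE,
# Lola -> All Contractors).
foreach ($u in $users) {
    dsmod group "CN=$($u.grp),$ou" -addmbr "CN=$($u.cn),$ou"
}

# Check the result. All Staff should list only the two nested groups; the
# users appear in their own groups and reach All Staff through nesting, which
# is what the AllStaffTest document in Step 7 relies on.
dsget group "CN=All Staff,$ou" -members
dsget group "CN=All FTE,$ou" -members
dsget group "CN=All Contractors,$ou" -members
```

Because the groups are universal, their membership is published to the global catalog; AD RMS resolves group membership through the global catalog when it evaluates a use-license request, so a user added to a group in a different domain of the forest would not be recognised until replication has completed.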


Figure 12 Britta Simons Group Membership

Step 5 - Create MachineGPO


This step explains how to create a Group Policy Object that will be applied to all of our machines
in the test environment. The purpose of this GPO is to add the AD RMS URL to the local intranet
sites in Internet Explorer. This allows for a more seamless experience for the users as they will
not be prompted for credentials when attempting to create or consume protected content.


Figure 13 Group Policy Management

To create the LocalIntranetMachineGPO
1. Log on to DC.fabrikam.com as Administrator.
2. Open the Group Policy Management console. Click Start, point to Administrative Tools, and then
click Group Policy Management.
3. In the Group Policy Management console, expand Forest: fabrikam.com, expand Domains,
right-click fabrikam.com, and select Create a GPO in this domain, and Link it here. This will bring
up a New GPO dialog box.
4. In the New GPO box, enter LocalIntranetMachineGPO under Name: and click OK. This will close
the dialog box.
5. On the left, expand fabrikam.com, right-click LocalIntranetMachineGPO and select Edit. This will
bring up the Group Policy Management Editor.
6. In the Group Policy Management Editor, under User Configuration, expand Policies, expand
Windows Settings, expand Internet Explorer Maintenance and click Security.
7. On the right, double-click Security Zones and Content Ratings. This will bring up the Security
Zones and Content Ratings box.
8. In the Security Zones and Content Ratings box, select the Import the current security zones and
privacy settings radio button.
9. This will bring up an Internet Explorer Enhanced Security Configuration box. Click Continue to close
this box.
10. In the Security Zones and Content Ratings box, click the Modify Settings button. This will bring up
the Internet Properties box.
11. In the Internet Properties box, click the Security tab, select Local intranet and click the Sites button.
This will bring up the Local intranet box.
12. In the Local intranet box, enter https://rms.fabrikam.com and click Add. Click Close. This will
close the second Local intranet box.
Important
This document assumes that, prior to installing AD RMS, a CNAME record called
RMS was created and pointed to ADRMS.fabrikam.com.
13. Click OK to close the Internet Properties box.
14. Click OK to close the Security Zones and Content Ratings box.

Figure 14 Group Policy Management Editor


Figure 15 Security Zones and Content Ratings

Step 6 - Create FabrikamDocuments Shared Folder
This step explains how to create the FabrikamDocuments shared folder. This is the folder that
will store our test documents.
To create the FabrikamDocuments Shared Folder
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. Click File, point to New, and then click Folder.
4. Type FabrikamDocuments for the new folder, and then press ENTER.
5. Right-click FabrikamDocuments, click Share with, and then click Specific people.
6. In the File Sharing window, in the box under Type a name and then click Add, or click
the arrow to find someone, select Everyone and then click Add. The Everyone group
should now appear in the box below. Under Permission Level, select Read/Write.
7. Click Share. The window should change and you should now see Your folder is shared.
8. Click Done.
Granting Everyone Read/Write is acceptable only in this isolated test environment. In production,
scope the share and NTFS permissions to the groups that need the folder: rights protection governs
what a user can do with a document's contents once it is opened, not who can read, rename or
delete the file on the share.

Step 7 - Create an All Staff Rights Protected Word Document
This section explains how to create a rights protected Word document that is only accessible by
members of the All Staff group.

To create an All Staff Rights Protected Word Document
1. Log on to CLT.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Word 2007.
This will bring up Word 2007 with a blank document.
3. In the blank document, type the words This is an All Staff test.
4. At the top, click the Office button, select Prepare from the drop-down, select Restrict Permission,
and then select Restrict Access. This will bring up the Permission window.
5. In the Permission window, place a check in Restrict permission to this document. Next, click
Read. This will bring up a Select Names window. Choose All Staff and click OK. This will close
the Select Names window.
6. In the Permission window, click OK.
Figure 16 Permission Window
7. At the top, click the Office button and select Save As from the drop-down.
8. At the top, remove Libraries -> Documents from the location and enter
\\ADRMS.fabrikam.com\FabrikamDocuments.
9. Under File name:, enter AllStaffTest.
10. Click Save.
11. Close Word.

Step 8 - Consume AllStaffTest Document as Britta Simon
In this step, Britta Simon will consume the AllStaffTest document. This will validate the AD RMS
environment prior to moving the AD RMS databases.

To consume AllStaffTest document as Britta Simon
1. Log on to CLT.fabrikam.com as fabrikam\bsimon.
2. Click the Windows button.
3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the
FabrikamDocuments share.
4. Double-click AllStaffTest. This will launch the Configuring your computer for Information Rights
Management box.
Figure 17 Configuring your computer for Information Rights Management
5. Once this completes, you should see a pop-up box that says Permission to this document is
currently restricted. Microsoft Office must connect to
https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download your
permission. Click OK. The URL in this dialog is the licensing URL embedded in the document's
publishing license; it names the RMS CNAME, not the ADRMS host or the SQL Server, which is
why moving the databases does not affect existing content.
6. Once this completes, you should be able to view AllStaffTest.

Step 9 - Export the Trusted User Domain and Trusted Publishing Domain
This step explains how to export the Trusted User Domain and the Trusted Publishing Domain.
This is done for backup and disaster recovery purposes.
To export the Trusted User Domain and the Trusted Publishing Domain
1. Log on to ADRMS.fabrikam.com as Administrator.
2. On the Desktop, right-click and select New and select Folder from the drop-down.
3. Rename the new folder ADRMSBackup.
4. Open the Active Directory Rights Management Services Administration console. Click Start, point to
Administrative Tools, and then click Active Directory Rights Management Services.
5. In the Active Directory Rights Management Services Administration console, expand the cluster name.
6. Expand Trusted Policies and select Trusted User Domains.
7. On the right, select Export Trusted User Domain. This will bring up the Export Trusted User
Domain As box.
8. From the Export Trusted User Domain As box, on the left, select Desktop and select the
ADRMSBackup folder.
9. Under File name enter ADRMSTUD and make sure Binary File (*.bin) is selected for Save As Type.
Click Save. This will close the Export Trusted User Domain As box.
Figure 18 Trusted User Domain
10. In the Active Directory Rights Management Services Administration console select Trusted
Publishing Domains.
11. On the right, select Export Trusted Publishing Domain. This will bring up the Export Trusted
Publishing Domain box.
12. From the Export Trusted Publishing Domain box, click Save As. This will bring up the Export Trusted
Publishing Domain File As box. From the Export Trusted Publishing Domain As box, on the left,
select Desktop and select the ADRMSBackup folder.
13. Under File name enter ADRMSTPD and make sure XML File (*.xml) is selected for Save As Type.
Click Save. This will close the Export Trusted Publishing Domain As box.
14. From the Export Trusted Publishing Domain box, enter Pass1word$ in the Password box. Enter
Pass1word$ in the Confirm Password box.
15. Click Finish. Close the Active Directory Rights Management Services Administration console.
Figure 19 Trusted Publishing Domain Wizard
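The same export can be scripted on the AD RMS server with the ADRMSAdmin PowerShell module (Windows Server 2008 R2 and later). The block below is an added example and is not part of the Microsoft guide. It assumes the local cluster's TUD and TPD are listed under the TrustPolicy containers of the AdRmsAdmin provider, uses the drive name RMS and the folder C:\ADRMSBackup rather than a Desktop folder, and suffixes each file with the item id because the containers can hold more than one domain; the icacls lockdown and the password prompt are this example's additions.

```powershell
# Added example, not from the Microsoft guide: export the Trusted User Domain (TUD) and
# Trusted Publishing Domain (TPD) with the ADRMSAdmin module instead of the console.
# Assumptions: the AdRmsAdmin provider lists the local cluster's domains under
# TrustPolicy\TrustedUserDomain and TrustPolicy\TrustedPublishingDomain; drive name,
# folder and file suffix are this example's choices.
Import-Module ADRMSAdmin

$BackupDir = 'C:\ADRMSBackup'
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# The TPD file carries the cluster's private key (encrypted with the export password), so
# restrict the folder to administrators and SYSTEM before anything is written to it.
icacls $BackupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

# Mount the administration provider for the local cluster.
New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root 'https://localhost' | Out-Null

# TUD: only the server licensor certificate (public material), so no password is required.
Get-ChildItem 'RMS:\TrustPolicy\TrustedUserDomain' | ForEach-Object {
    $file = Join-Path $BackupDir "ADRMSTUD-$($_.PSChildName).bin"
    Export-RmsTUD -Path $_.PSPath -SavedFile $file -Force
    Write-Host "Exported TUD to $file"
}

# TPD: includes the private key. Prompting for the password keeps it out of the script
# and out of the shell history; the guide's console wizard asks for the same password.
$tpdPassword = Read-Host -Prompt 'TPD export password' -AsSecureString
Get-ChildItem 'RMS:\TrustPolicy\TrustedPublishingDomain' | ForEach-Object {
    $file = Join-Path $BackupDir "ADRMSTPD-$($_.PSChildName).xml"
    Export-RmsTPD -Path $_.PSPath -SavedFile $file -Password $tpdPassword -Force
    Write-Host "Exported TPD to $file"
}

# Confirm the files exist and are non-empty before moving on to the database backups.
Get-ChildItem $BackupDir | Select-Object Name, Length, LastWriteTime
```

Store the exported TPD and its password separately; together they are sufficient to re-create the cluster's signing identity, which is exactly why the backup is worth having and why it needs the same protection as the cluster key.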

Step 10 - Stop IIS
This step explains how to stop Internet Information Services (IIS) on the AD RMS server.
To stop IIS
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.
3. From the Internet Information Services (IIS) Manager, on the left, select ADRMS
(FABRIKAM\Administrator). On the right, under Actions select Stop.
4. Close the Internet Information Services (IIS) Manager.
Figure 20 Internet Information Services (IIS) Manager

Step 11 - Verify MSMQ is Empty and Stop the AD RMS Logging Service
This step explains how to verify that the Microsoft Message Queuing (MSMQ) queue is empty and how to
stop the AD RMS Logging Service. AD RMS uses MSMQ on each server in the AD RMS cluster to send
information to the logging database. This needs to be done prior to backing up the AD RMS
Logging database.
To verify the MSMQ is empty
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. On the left, expand Features, expand Message Queuing, expand Private Queues, expand
drms_logging_rms_fabrikam_com_443, and select Queue messages. This will populate
the middle pane with Queue messages.
4. Verify there are no messages in Queue messages. Close Server Manager.
Figure 21 MSMQ
To stop the AD RMS Logging Service
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Services.
3. On the Services screen, right-click AD RMS Logging Service, and select Stop.
4. Close Services.
Figure 22 Stop the AD RMS Logging Service

Step 12 - Create database backups
This step explains how to back up the SQL databases. There are three databases that will be
backed up as part of this step.
To create the DBBackup Folder
1. Log on to SQL1.fabrikam.com as Administrator.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. Click File, point to New, and then click Folder.
4. Type DBBackup for the new folder, and then press ENTER.
Figure 23 Create DBBackup Folder
To back up the DRMS_Config_rms_fabrikam_com_443 database
1. Log on to SQL1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server
Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server
name is SQL1 and that Authentication is set to Windows Authentication. Click Connect.
Figure 24 Connect to SQL Server
3. On the right, expand Databases. Right-click DRMS_Config_rms_fabrikam_com_443, select Tasks
and choose Back Up. This will bring up the Back Up Database
DRMS_Config_rms_fabrikam_com_443 window.
Figure 25 Backup Database
4. From Back Up Database DRMS_Config_rms_fabrikam_com_443, down under Destination,
highlight the entry and click Remove. Click Add. This will bring up the Select Backup Destination
box.
5. Click the ... (browse) button. This will bring up the Locate Database Files SQL1 window. Navigate to the
DBBackup folder that was created above. Enter DRMS_Config for the File Name and click OK.
Figure 26 Locate Database Files
6. On the Select Backup Destination screen, click OK.
Figure 27 Select Backup Destination
7. On the Back Up Database DRMS_Config_rms_fabrikam_com_443 screen, click OK.
Figure 28 How Back Up Database should look before clicking OK
8. Once this has completed, a pop-up will say the database has been backed up successfully. Click OK.
Figure 29 Backup Successful
To back up the DRMS_DirectoryServices_rms_fabrikam_com_443 database
1. Log on to SQL1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server
Management Studio. This will bring up the Connect to Server dialog box. Ensure that the
Server name is SQL1 and that Authentication is set to Windows Authentication. Click
Connect.
3. On the right, expand Databases. Right-click
DRMS_DirectoryServices_rms_fabrikam_com_443, select Tasks and choose Back Up.
This will bring up the Back Up Database
DRMS_DirectoryServices_rms_fabrikam_com_443 window.
4. From Back Up Database DRMS_DirectoryServices_rms_fabrikam_com_443, down under
Destination, highlight the entry and click Remove. Click Add. This will bring up the Select
Backup Destination box.
5. Click the ... (browse) button. This will bring up the Locate Database Files SQL1 window. Navigate to
the DBBackup folder that was created above. Enter DRMS_Directory for the File Name and click OK.
6. On the Select Backup Destination screen, click OK.
7. On the Back Up Database DRMS_DirectoryServices_rms_fabrikam_com_443 screen, click
OK.
8. Once this has completed, a pop-up will say the database has been backed up successfully.
Click OK.
To back up the DRMS_Logging_rms_fabrikam_com_443 database
1. Log on to SQL1.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server
Management Studio. This will bring up the Connect to Server dialog box. Ensure that the
Server name is SQL1 and that Authentication is set to Windows Authentication. Click
Connect.
3. On the right, expand Databases. Right-click DRMS_Logging_rms_fabrikam_com_443,
select Tasks and choose Back Up. This will bring up the Back Up Database
DRMS_Logging_rms_fabrikam_com_443 window.
4. From Back Up Database DRMS_Logging_rms_fabrikam_com_443, down under
Destination, highlight the entry and click Remove. Click Add. This will bring up the Select
Backup Destination box.
5. Click the ... (browse) button. This will bring up the Locate Database Files SQL1 window. Navigate to
the DBBackup folder that was created above. Enter DRMS_Logging for the File Name and click OK.
6. On the Select Backup Destination screen, click OK.
7. On the Back Up Database DRMS_Logging_rms_fabrikam_com_443 screen, click OK.
8. Once this has completed, a pop-up will say the database has been backed up successfully.
Click OK.

Step 13 - Restore the database to the new SQL Server
This step explains how to restore the databases that were backed up from SQL1 in the last step.
To copy the databases over to SQL2
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select Run and enter \\SQL1\C$ in the box. Click OK.
3. Navigate to C:\DBBackup on SQL1. Copy the entire folder to C:\DBBackup on SQL2.
4. When the copy is complete you can close the \\SQL1\C$ window.
To restore the DRMS_Config_rms_fabrikam_com_443 database from SQL1
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server
Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server
name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.
3. On the right, right-click Databases and select Restore Database. This will bring up the Restore
Database window.
Figure 30 Restore Database
4. On the Restore Database screen, select the From Device radio button and click the ... (browse) button.
This will bring up the Specify Backup screen.
Figure 31 Select From Device
5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File SQL2 screen.
Figure 32 Specify Backup
Select the DBBackup folder. Enter DRMS_Config for the File Name and click OK.
Figure 33 Locate Backup File SQL2
6. On the Specify Backup screen click OK.
7. On the Restore Database screen, in the drop-down beside To database: select
DRMS_Config_rms_fabrikam_com_443.
8. On the Restore Database screen, under Select the backup sets to restore: place a check in the Restore
box, next to DRMS_Config_rms_fabrikam_com_443-Full Database Backup. Click OK.
Figure 34 - Restore
9. Once this has completed, a pop-up will say the database has been restored successfully. Click OK.
Figure 35 Restore Successful
To restore the DRMS_DirectoryServices_rms_fabrikam_com_443 database from SQL1
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server
Management Studio. This will bring up the Connect to Server dialog box. Ensure that the
Server name is SQL2 and that Authentication is set to Windows Authentication. Click
Connect.
3. On the right, right-click Databases and select Restore Database. This will bring up the
Restore Database window.
4. On the Restore Database screen, select the From Device radio button and click the ... (browse)
button. This will bring up the Specify Backup screen.
5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File SQL2
screen. Select the DBBackup folder. Enter DRMS_Directory for the File Name and click
OK.
6. On the Specify Backup screen click OK.
7. On the Restore Database screen, in the drop-down beside To database: select
DRMS_DirectoryServices_rms_fabrikam_com_443.
8. On the Restore Database screen, under Select the backup sets to restore: place a check
in the Restore box, next to DRMS_DirectoryServices_rms_fabrikam_com_443-Full
Database Backup. Click OK.
9. Once this has completed, a pop-up will say the database has been restored successfully.
Click OK.
To restore the DRMS_Logging_rms_fabrikam_com_443 database from SQL1
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server
Management Studio. This will bring up the Connect to Server dialog box. Ensure that the
Server name is SQL2 and that Authentication is set to Windows Authentication. Click
Connect.
3. On the right, right-click Databases and select Restore Database. This will bring up the
Restore Database window.
4. On the Restore Database screen, select the From Device radio button and click the ... (browse)
button. This will bring up the Specify Backup screen.
5. On the Specify Backup screen, click Add. This will bring up the Locate Backup File SQL2
screen. Select the DBBackup folder. Enter DRMS_Logging for the File Name and click OK.
6. On the Specify Backup screen click OK.
7. On the Restore Database screen, in the drop-down beside To database: select
DRMS_Logging_rms_fabrikam_com_443.
8. On the Restore Database screen, under Select the backup sets to restore: place a check
in the Restore box, next to DRMS_Logging_rms_fabrikam_com_443-Full Database
Backup. Click OK.
9. Once this has completed, a pop-up will say the database has been restored successfully.
Click OK.
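Steps 12 and 13 are the same three BACKUP/RESTORE operations repeated in the SSMS dialogs. The script below is an added example, not the Microsoft guide's own code, and does the same work with Invoke-Sqlcmd (SqlServer module, or SQLPS on older hosts): run Backup-AdrmsDatabases on SQL1, copy C:\DBBackup to SQL2 as in the guide, then run Restore-AdrmsDatabases on SQL2, both as a SQL sysadmin. The database names and the C:\DBBackup folder are the guide's; the .bak extension, the function names, the CHECKSUM/VERIFYONLY check and the MOVE handling for a different data-file layout on SQL2 are this example's additions.

```powershell
# Added example, not from the Microsoft guide: script the backup of the three AD RMS
# databases on SQL1 and their restore on SQL2. Function names, the .bak extension and
# the verification steps are this example's choices; database names match the guide.
Import-Module SqlServer -ErrorAction SilentlyContinue   # older hosts: Import-Module SQLPS

$BackupDir = 'C:\DBBackup'
$Databases = [ordered]@{
    'DRMS_Config_rms_fabrikam_com_443'            = 'DRMS_Config'
    'DRMS_DirectoryServices_rms_fabrikam_com_443' = 'DRMS_Directory'
    'DRMS_Logging_rms_fabrikam_com_443'           = 'DRMS_Logging'
}

function Backup-AdrmsDatabases {
    param([string]$ServerInstance = 'SQL1')
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    foreach ($db in $Databases.Keys) {
        $file = Join-Path $BackupDir "$($Databases[$db]).bak"
        # INIT overwrites a stale file instead of appending a second backup set to it;
        # CHECKSUM stores page checksums so VERIFYONLY can reject a damaged backup now,
        # before the CNAME is repointed at a server holding a bad restore.
        Invoke-Sqlcmd -ServerInstance $ServerInstance -QueryTimeout 0 -Query @"
BACKUP DATABASE [$db] TO DISK = N'$file' WITH INIT, CHECKSUM;
RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM;
"@
        Write-Host "Backed up and verified $db -> $file"
    }
}

function Restore-AdrmsDatabases {
    param([string]$ServerInstance = 'SQL2')
    # SQL2 may keep its data files somewhere other than SQL1 did. Derive this instance's
    # data directory from master.mdf and MOVE every restored file there.
    $dataDir = (Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT LEFT(physical_name, LEN(physical_name) - LEN('master.mdf')) AS DataDir
FROM master.sys.master_files WHERE database_id = DB_ID('master') AND file_id = 1;
"@).DataDir
    foreach ($db in $Databases.Keys) {
        $file = Join-Path $BackupDir "$($Databases[$db]).bak"
        if (-not (Test-Path $file)) { throw "$file not found; copy C:\DBBackup from SQL1 first." }
        $moves = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query "RESTORE FILELISTONLY FROM DISK = N'$file';" |
            ForEach-Object { "MOVE N'$($_.LogicalName)' TO N'$dataDir$(Split-Path $_.PhysicalName -Leaf)'" }
        Invoke-Sqlcmd -ServerInstance $ServerInstance -QueryTimeout 0 -Query @"
RESTORE DATABASE [$db] FROM DISK = N'$file'
WITH $($moves -join ', '), CHECKSUM, RECOVERY;
"@
        Write-Host "Restored $db on $ServerInstance"
    }
    # All three databases must be ONLINE before IIS and the logging service are started again.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT name, state_desc FROM sys.databases
WHERE name LIKE 'DRMS[_]%[_]rms[_]fabrikam[_]com[_]443';
"@ | Format-Table -AutoSize
}
```

The guide restores into a database whose name you type in the To database box; the script restores under the original names, which is what the AD RMS configuration expects when the CNAME is repointed in Step 18.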

Step 14 - Add DisableStrictNameChecking Registry Key
This step explains how to add the DisableStrictNameChecking registry key. This key allows
connections to be made to the SQL server by names other than the proper name. By default,
SQL Server 2008 will not allow this.
To add the DisableStrictNameChecking Registry Key
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, type regedit.exe in the Start Search box, and then press ENTER.
3. Expand the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
4. Right-click Parameters, click New, and then click DWORD (32-bit) Value.
5. In the Value name box, type DisableStrictNameChecking, and then press ENTER.
6. Double-click the DisableStrictNameChecking registry value and type 1 in the Value data box, and
then click OK.
7. Close Registry Editor.
Figure 36 - DisableStrictNameChecking

Step 15 - Enable SQL Firewall Ports
This step explains how to enable the firewall rules on the new SQL server. These rules are
required to allow the AD RMS cluster to communicate with the SQL Server.
To enable the firewall ports on SQL2
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select Administrative Tools and click Windows Firewall with Advanced Security. This
will bring up the Windows Firewall with Advanced Security MMC.
Figure 37 Windows Firewall with Advanced Security
3. On the left, select Inbound Rules and on the right click New Rule. This will bring up the New
Inbound Rule Wizard.
Figure 38 New Inbound Rule Wizard
4. On the Rule Type screen, select Port and click Next.
Figure 39 Protocols and Ports
5. On the Protocol and Ports screen, select TCP and enter 445 in the box next to Specific local ports: and
click Next.
6. On the Action screen, select Allow the connection and click Next.
Figure 40 - Action
7. On the Profile screen, select Domain, Private, and Public then click Next.
Figure 41 - Profile
8. On the Name screen, enter SQL Server Named Pipes in the box and click Finish.
9. Repeat these steps for all of the entries in the table below.
Table 8 SQL Server Firewall Port Exceptions
Protocol   Port Number   Name
TCP        445           SQL Server Named Pipes
TCP        1433          SQL Server Listen
UDP        1434          SQL Server Browser
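Steps 14 and 15 can be applied together from an elevated PowerShell prompt on SQL2. The block below is an added example, not code from the Microsoft guide; it uses netsh advfirewall, which is present on Windows Server 2008 R2, and reads the rule set from Table 8. The -RemoteAddress parameter is this example's addition: the guide's wizard allows any source address on all three profiles, whereas passing the AD RMS server's address scopes the exceptions to the one host that needs them.

```powershell
# Added example, not from the Microsoft guide: Step 14 (DisableStrictNameChecking) and
# Step 15 (Table 8 firewall exceptions) on SQL2. The -RemoteAddress parameter and the
# existence check are this example's additions; 'any' reproduces the guide's wizard.
param(
    [string]$RemoteAddress = 'any'   # e.g. the ADRMS server's IP address
)

# Step 14: allow SMB/named-pipe connections that address this host by the CNAME
# (ADRMS-SQL) rather than its own computer name.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
New-ItemProperty -Path $regPath -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null
$value = (Get-ItemProperty -Path $regPath -Name DisableStrictNameChecking).DisableStrictNameChecking
if ($value -ne 1) { throw "DisableStrictNameChecking is $value, expected 1" }

# Step 15: the three inbound exceptions from Table 8.
$rules = @(
    @{ Name = 'SQL Server Named Pipes'; Protocol = 'TCP'; Port = 445  },
    @{ Name = 'SQL Server Listen';      Protocol = 'TCP'; Port = 1433 },
    @{ Name = 'SQL Server Browser';     Protocol = 'UDP'; Port = 1434 }
)
foreach ($r in $rules) {
    # "show rule" exits non-zero when no rule matches; skip existing rules so re-running
    # the script does not create duplicates.
    netsh advfirewall firewall show rule name="$($r.Name)" 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "Rule '$($r.Name)' already exists"; continue }
    netsh advfirewall firewall add rule name="$($r.Name)" dir=in action=allow `
        protocol=$($r.Protocol) localport=$($r.Port) profile=domain,private,public `
        remoteip=$RemoteAddress | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to add rule '$($r.Name)'" }
    Write-Host "Added rule '$($r.Name)' ($($r.Protocol)/$($r.Port)) from $RemoteAddress"
}

# Show the resulting rules for review.
netsh advfirewall firewall show rule name=all dir=in | Select-String 'SQL Server'
```

In a domain-joined deployment the Domain profile is normally the only one active on SQL2; keeping Private and Public in the rule matches the guide, but the remoteip scope limits what those broader profiles expose.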

Step 16 - Enable SQL Server Network Protocols
This step explains how to enable the allowed network protocols for SQL2. This is done so that
the AD RMS Server can communicate with the database server.
To enable SQL Server Network Protocols
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008, click Configuration Tools, and
select SQL Server Configuration Manager. This will bring up the SQL Server Configuration
Manager.
Figure 42 SQL Server Configuration Manager
3. In SQL Server Configuration Manager, on the left, expand SQL Server Network Configuration and
click Protocols for MSSQLSERVER. This will populate the right pane with four protocols and their
status.
Figure 43 Protocols for MSSQLSERVER
4. On the right, right-click Disabled next to Named Pipes and select Enable. This will bring up a pop-up
box that says Any changes made will be saved; however, they will not take effect until the
service is stopped and restarted. Click OK.
Figure 44 Enable Protocols
Figure 45 Restart box
5. On the right, right-click Disabled next to TCP/IP and select Enable. This will bring up a pop-up box
that says Any changes made will be saved; however, they will not take effect until the service is
stopped and restarted. Click OK.
Figure 46 Protocol Summary
6. In SQL Server Configuration Manager, on the left, click SQL Server Services. This will populate the
right pane with three services and their state.
Figure 47 SQL Server Services
7. On the right, right-click SQL Server (MSSQLSERVER) and select Stop. This will stop the SQL
Server service.
8. On the right, right-click SQL Server (MSSQLSERVER) and select Start. This will start the SQL
Server service.
9. Close SQL Server Configuration Manager.

Step 17 - Add ADRMSService to SQL Logins
This step explains how to add the AD RMS Service Account (ADRMSService) to SQL Logins on
SQL2. This allows the service account to connect to SQL2.
To add ADRMSService to SQL Logins
1. Log on to SQL2.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft SQL Server 2008 and select SQL Server
Management Studio. This will bring up the Connect to Server dialog box. Ensure that the Server
name is SQL2 and that Authentication is set to Windows Authentication. Click Connect.
3. On the right, expand Security, right-click Logins, and select New Login. This will bring up the Login -
New screen.
Figure 48 Login - New
4. On the Login - New screen, click Search. This will bring up a Select User or Group box.
5. On the Select User or Group box, enter fabrikam\ADRMSService in the box below Enter the object
name to select (examples) and click Check Names. This should resolve with an underline. Click
OK.
Figure 49 Name Resolved
6. On the Login - New screen, click OK. This will close the Login - New screen.
7. Close SQL Server Management Studio.
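Steps 16 and 17 together prepare SQL2 to accept the AD RMS service account. The block below is an added example, not the Microsoft guide's own code: it toggles the protocols through the SMO WMI provider (Microsoft.SqlServer.SqlWmiManagement, installed with the SQL Server 2008 management tools) and creates the login with Invoke-Sqlcmd. The instance name MSSQLSERVER and the account fabrikam\ADRMSService are the guide's; the function names and the idempotence checks are this example's.

```powershell
# Added example, not from the Microsoft guide: Step 16 (enable Named Pipes and TCP/IP,
# then restart the service) and Step 17 (create the Windows login) on SQL2.
# Function names are this example's; MSSQLSERVER and FABRIKAM\ADRMSService are the guide's.
Import-Module SqlServer -ErrorAction SilentlyContinue   # older hosts: Import-Module SQLPS
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')

function Enable-SqlProtocols {
    param([string]$Instance = 'MSSQLSERVER')   # default instance; a named instance's service is MSSQL$<name>
    $computer  = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
    $protocols = $computer.ServerInstances[$Instance].ServerProtocols
    $changed   = $false
    foreach ($name in 'Np', 'Tcp') {            # 'Np' = Named Pipes, 'Tcp' = TCP/IP
        $p = $protocols[$name]
        if (-not $p.IsEnabled) {
            $p.IsEnabled = $true
            $p.Alter()                          # persists the setting; takes effect on restart
            $changed = $true
            Write-Host "Enabled $($p.DisplayName)"
        }
    }
    if ($changed) {
        # Same as Stop/Start in Configuration Manager (steps 7 and 8); -Force restarts
        # dependents such as SQL Server Agent as well.
        Restart-Service -Name $Instance -Force
    }
    $protocols | Select-Object DisplayName, IsEnabled
}

function Add-AdrmsServiceLogin {
    param([string]$ServerInstance = 'SQL2', [string]$Account = 'FABRIKAM\ADRMSService')
    # CREATE LOGIN fails if the login already exists, so guard it; the restored databases
    # already contain the matching database users because the account's SID is the same
    # domain SID on both servers.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
SELECT name, type_desc, is_disabled FROM sys.server_principals WHERE name = N'$Account';
"@
}

Enable-SqlProtocols
Add-AdrmsServiceLogin
```

The login carries no server role; access to the three DRMS_* databases comes from the database users restored with them in Step 13, which keeps the service account at the least privilege the cluster needs.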

Step 18 - Change the CNAME Record in DNS
This step explains how to change the CNAME record in DNS so that it points to the new SQL server.
To change the CNAME Record
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click DNS. This will bring up the DNS
Manager.
3. From the DNS Manager, on the left, expand DC, expand Forward Lookup Zones, and click
fabrikam.com. On the right, right-click the CNAME record ADRMS-SQL and select
Properties. This will bring up the ADRMS-SQL Properties.
4. On the ADRMS-SQL properties, enter sql2.fabrikam.com under Fully qualified domain
name (FQDN) for target host: and click OK.
5. Close DNS Manager.
Figure 50 Change CNAME Record

Step 19 - Restart IIS and AD RMS Logging Service
This step explains how to start Internet Information Services (IIS) and the AD RMS Logging Service.
To start IIS
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager. This will bring up the Internet Information Services (IIS) Manager.
3. From the Internet Information Services (IIS) Manager, on the left, select ADRMS
(FABRIKAM\Administrator). On the right, under Actions select Start.
4. Close the Internet Information Services (IIS) Manager.
Figure 51 Restart IIS
To start the AD RMS Logging Service
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Services.
3. On the Services screen, right-click AD RMS Logging Service, and select Start.
4. Close Services.
Figure 52 Start AD RMS Logging Service
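Steps 10, 11 and 19 are the stop and start halves of one procedure on the AD RMS server. The script below is an added example, not code from the Microsoft guide: -Action Stop halts IIS and the AD RMS Logging Service only after confirming that the MSMQ logging queue is empty, so no queued log records are stranded on the old server; -Action Start reverses it once the CNAME points at SQL2. The queue name drms_logging_rms_fabrikam_com_443 and the service display name are the guide's; the parameter names, the refusal to stop on a non-empty queue and the use of iisreset are this example's.

```powershell
# Added example, not from the Microsoft guide: Steps 10 and 11 (-Action Stop) and
# Step 19 (-Action Start) on ADRMS.fabrikam.com. Parameter names and the queue-depth
# guard are this example's; the queue and service names are the guide's.
param(
    [ValidateSet('Stop', 'Start')] [string]$Action = 'Stop',
    [string]$QueueName = 'drms_logging_rms_fabrikam_com_443'
)
Add-Type -AssemblyName System.Messaging

function Get-LoggingQueueDepth {
    param([string]$Name)
    $queue = New-Object System.Messaging.MessageQueue('.\private$\' + $Name)
    # GetAllMessages() peeks without dequeuing, so counting has no side effects.
    return $queue.GetAllMessages().Count
}

$logging = Get-Service -DisplayName 'AD RMS Logging Service'

if ($Action -eq 'Stop') {
    # Step 10: stop IIS. Stop on the server node in IIS Manager is the same as iisreset /stop.
    iisreset /stop | Out-Null

    # Step 11: AD RMS queues log records in MSMQ and the logging service drains them into
    # the logging database. Records still queued when the database is backed up would
    # either be lost or land on the old server after the move, so refuse to continue.
    $depth = Get-LoggingQueueDepth -Name $QueueName
    if ($depth -gt 0) {
        throw "$depth message(s) still queued in $QueueName; let the logging service drain it before stopping."
    }
    Stop-Service -InputObject $logging
    $logging.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}
else {
    # Step 19: bring the services back once the databases are restored and the CNAME updated.
    Start-Service -InputObject $logging
    $logging.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    iisreset /start | Out-Null
}

# Report the resulting state for the change record.
Get-Service -DisplayName 'AD RMS Logging Service' | Select-Object DisplayName, Status
Get-Service -Name W3SVC | Select-Object Name, Status
```

Run it as a local administrator; MSMQ private queues require the caller to have at least peek permission on the queue, which administrators on the AD RMS server have by default.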

Testing the Implementation
The following steps will guide you through testing the AD RMS environment now that the
databases have been successfully moved. The following tests will verify that existing users are
able to create and consume new rights-protected content and that new users are able to
consume existing rights-protected content.
This section is comprised of the following steps:
1. Step 1 Create an All FTE Rights Protected Word Document
2. Step 2 Consume AllFTETest Document as Britta Simon
3. Step 3 Consume AllFTETest Document as Lola Jacobson
4. Step 4 Consume AllStaffTest Document as Lola Jacobson

Step 1 - Create an All FTE Rights Protected Word Document
This section explains how to create a rights protected Word document that is only accessible by
members of the All FTE group.
To create an All FTE Rights Protected Word Document
1. Log on to CLT.fabrikam.com as Administrator.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Word 2007.
This will bring up Word 2007 with a blank document.
3. On the blank document type the words This is an All FTE test.
4. At the top, click the Office button, select Prepare from the drop-down, select Restrict Permission,
and select Restrict Access. This will bring up the Permission window.
5. On the Permission window, place a check in Restrict permission to this document. Next, click
Read. This will bring up a Select Names window. Choose All FTE and click OK. This will close
the Select Names window.
6. On the Permission window, click OK.
Figure 53 Permission Window
7. At the top, click the Office button and select Save As from the drop-down.
8. At the top, remove Libraries -> Documents from the location and enter
\\ADRMS.fabrikam.com\FabrikamDocuments.
9. Under File Name:, enter AllFTETest.
10. Click Save.
11. Close Word.

Step 2 - Consume AllFTETest Document as Britta Simon
In this step, Britta Simon will consume the AllFTETest document. This will validate that an
existing user is able to consume newly created rights-protected content after the database has
been successfully moved.
To consume AllFTETest document as Britta Simon
1. Log on to CLT.fabrikam.com as fabrikam\bsimon.
2. Click the Windows button.
3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the
FabrikamDocuments share.
4. Double-click AllFTETest.
5. This will take a moment, then you will see the Permissions to this document is currently restricted.
Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your
credentials and download your permissions box. Click OK.
Figure 54 Permission to this document is currently restricted box
6. Once this completes, you should be able to view AllFTETest.
7. Close Word.

Step 3 - Consume AllFTETest Document as Lola Jacobson
In this step, Lola Jacobson will attempt to consume the AllFTETest document. Recall that Lola is
not a member of the All FTE group. Also, Lola has never attempted to create or consume a
rights-protected document, so she is new to AD RMS. This step will validate that a new user can
successfully enroll and that document restrictions are enforced.
To consume AllFTETest document as Lola Jacobson
1. Log on to CLT.fabrikam.com as fabrikam\ljacobson.
2. Click the Windows button.
3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the
FabrikamDocuments share.
4. Double-click AllFTETest. This will launch the Configuring your computer for Information Rights
Management box.
5. This will take a moment, then you will see the Permissions to this document is currently restricted.
Microsoft Office must connect to https://rms.fabrikam.com:443/_wmcs/licensing to verify your
credentials and download your permissions box. Click OK.
6. This will bring up a box that says You do not have credentials that allow you to open this
document. You can request updated permission from administrator@fabrikam.com. Do you
want to request updated permissions? Click No.
Figure 55 You do not have credentials
7. Close Word.

Step 4 - Consume AllStaffTest Document as Lola Jacobson
In this step, Lola Jacobson will consume the AllStaffTest document. This will validate that a newly
enrolled user is able to consume existing rights-protected content after the database has been
successfully moved.
To consume AllStaffTest document as Lola Jacobson
1. Log on to CLT.fabrikam.com as fabrikam\ljacobson
2. Click the Windows button.
3. In the search box, type \\adrms.fabrikam.com\FabrikamDocuments. This will open the
FabrikamDocuments share.
4. Double-click AllStaffTest.
5. This will take a moment, then you will see the Permissions to this document is currently
restricted. Microsoft Office must connect to
https://rms.fabrikam.com:443/_wmcs/licensing to verify your credentials and download
your permissions box. Click OK.
6. Once this completes, you should be able to view AllStaffTest.
7. Close Word.

Appendix A - How to Install AD RMS with a CNAME Record
Installing AD RMS using a CNAME Record
The following Appendix can be used to provide guidance for installing AD RMS using a CNAME
record. This appendix is provided for individuals who may not be totally familiar with this process.

The environment
The following three virtual machines are used to complete the steps outlined in this Appendix.
Figure 55 The testing environment
Table 9 - Virtual Machines and Roles
Computer Name   Forest         Operating System
DC              fabrikam.com   Windows Server 20
ADRMS           fabrikam.com   Windows Server 20
SQL1            fabrikam.com   Windows Server 20

CNAME Records
The following two CNAME records will be created in the steps outlined by this appendix.
Table 10 - CNAME Records
Name      Record Type   FQDN
RMS       CNAME         RMS.fabrikam.com
RMS-SQL   CNAME         RMS-SQL.fabrikam.com

Additional Information
The following additional information is assumed for completion of the steps outlined in this
Appendix.
1. The AD RMS Service account used is fabrikam\ADRMSService. The password for this account is
Pass1word$.
2. Prior to installing AD RMS, SQL1 has had the proper network protocols enabled, firewall ports
opened, and the DisableStrictNameChecking registry key added.

Step 1 - Create CNAME Records
This step explains how to create the CNAME records in DNS.
To create the RMS CNAME Record
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click DNS. This will bring up the DNS Manager.
3. From the DNS Manager, on the left, expand DC, expand Forward Lookup Zones, right-click
fabrikam.com and select New Alias (CNAME) from the menu. This will bring up the New Resource
Record dialog box.
Figure 56 New Alias (CNAME)
4. On the New Resource Record box, under Alias name (uses parent domain if left blank): enter RMS.
5. On the New Resource Record box, under Fully qualified domain name (FQDN) for target host:,
click Browse, double-click DC, double-click Forward Lookup Zones, double-click fabrikam.com
and select the ADRMS Host record. Click OK.
Figure 57 RMS CNAME Record
6. Click OK.
7. Close DNS Manager.
To create the RMS-SQL CNAME Record
1. Log on to DC.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click DNS. This will bring up the DNS Manager.
3. From the DNS Manager, on the left, expand DC, expand Forward Lookup Zones, right-click
fabrikam.com and select New Alias (CNAME) from the menu. This will bring up the New Resource
Record dialog box.
4. On the New Resource Record box, under Alias name (uses parent domain if left blank): enter RMS-SQL.
5. On the New Resource Record box, under Fully qualified domain name (FQDN) for target host:,
click Browse, double-click DC, double-click Forward Lookup Zones, double-click fabrikam.com
and select the SQL1 Host record. Click OK.
Figure 58 RMS-SQL CNAME Record
6. Click OK.
7. Close DNS Manager.
Figure 59 DNS Summary
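Both the initial records created here and the repointing in Step 18 of the main guide are the same DNS operation. The block below is an added example, not code from the Microsoft guide: it creates or replaces a CNAME with dnscmd.exe (present on Windows Server DNS servers) and verifies the answer with nslookup before reporting success. The DNS server name DC and the zone fabrikam.com are the guide's; the function name is this example's. Note that the main guide names the SQL alias ADRMS-SQL in Step 18 while this appendix creates RMS-SQL; use whichever name your cluster was installed with.

```powershell
# Added example, not from the Microsoft guide: create or repoint a CNAME with dnscmd and
# verify it. Serves Appendix Step 1 (RMS -> ADRMS, RMS-SQL -> SQL1) and Step 18 of the
# main guide (repoint the SQL alias to sql2.fabrikam.com). Function name is this example's.
function Set-FabrikamCname {
    param(
        [Parameter(Mandatory = $true)] [string]$Alias,
        [Parameter(Mandatory = $true)] [string]$Target,
        [string]$DnsServer = 'DC',
        [string]$Zone = 'fabrikam.com'
    )
    # Delete any existing CNAME at this node first: /RecordAdd refuses to overwrite a CNAME
    # with a different target. Deleting a record that does not exist is harmless; /f skips
    # the confirmation prompt.
    dnscmd $DnsServer /RecordDelete $Zone $Alias CNAME /f | Out-Null
    dnscmd $DnsServer /RecordAdd $Zone $Alias CNAME $Target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed to add $Alias -> $Target" }

    # Ask the server itself, not the local resolver cache, for the new answer.
    $answer = nslookup -type=CNAME "$Alias.$Zone" $DnsServer 2>$null | Out-String
    if ($answer -notmatch [regex]::Escape($Target)) {
        throw "Verification failed for $Alias; nslookup returned:`n$answer"
    }
    Write-Host "$Alias.$Zone -> $Target"
}

# Appendix Step 1: the two records from Table 10.
Set-FabrikamCname -Alias 'RMS'     -Target 'ADRMS.fabrikam.com'
Set-FabrikamCname -Alias 'RMS-SQL' -Target 'SQL1.fabrikam.com'

# Step 18 of the main guide, after the databases are restored on SQL2 (uncomment to run):
# Set-FabrikamCname -Alias 'ADRMS-SQL' -Target 'sql2.fabrikam.com'
```

After repointing the alias, run ipconfig /flushdns on the AD RMS server before Step 19 so that IIS and the logging service do not reconnect to SQL1 from a cached answer.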

Step 2 - Install AD RMS
This step explains how to install AD RMS using the CNAME records.
To install AD RMS using CNAME Records
1. Log on to ADRMS.fabrikam.com as Administrator.
2. Click Start, point to Administrative Tools, and then click Server Manager. This will bring up the
Server Manager.
3. From the Server Manager, on the left, select Roles. This will populate the right pane with a Roles
Summary.
Figure 60 Server Manager
4. On the right, select Add Roles. This will bring up the Add Roles Wizard.
Figure 61 Add Roles Wizard
5. On the Add Roles Wizard, click Next. This will bring up the Server Roles screen.
6. From Server Roles, place a check in Active Directory Rights Management Services. This will bring
up a box that says Add role services and features required for Active Directory Rights
Management Services? Click Add Required Role Services.
Figure 62 Select Server Roles
Figure 63 Add role services and features
7. Once this is complete, click Next. This will bring up the Active Directory Rights Management
Services introductory screen. Click Next. This will bring up the Role Services screen.
Figure 64 Active Directory Rights Management Services Introductory Screen
8. On the Role Services screen, leave the defaults and click Next. This will bring up the AD RMS
Cluster screen.
Figure 65 Role Services
9. On the AD RMS Cluster screen, leave the default of Create a new AD RMS cluster and click Next.
Because this is the root cluster, the other option will be greyed out. This will bring up the
Configuration Database screen.
Figure 66 AD RMS Cluster
10. On the Configuration Database screen, select Use a different database server. Under Server enter
RMS-SQL.fabrikam.com and click Get Database Instances. From the drop-down, select Default.
Click Validate. If this is successful, there should be no error message. Click Next. This will bring up
the Service Account screen.
Figure 67 Configuration Database
11. On the Service Account screen, click Specify. This will bring up a Windows Security box. For User
name enter ADRMSService and for Password enter Pass1word$. Click OK. On the Service
Account screen, click Next. This will bring up the Cluster Key Storage screen.
Figure 68 Service Account
12. On the Cluster Key Storage screen, leave the default of Use AD RMS centrally managed key storage
and click Next. This will bring up the Cluster Key Password screen.
Figure 69 Cluster Key Storage
13. On the Cluster Key Password screen, for Password enter Pass1word$ and for Confirm Password enter
Pass1word$. Click Next. This will bring up the Cluster Web Site screen.
Figure 70 Cluster Key Password
14. On the Cluster Web Site screen, leave the default of Default Web Site and click Next. This will bring
up the Cluster Address screen.
Figure 71 Cluster Web Site
15. On the Cluster Address screen, leave the default of Use an SSL-encrypted connection (https://) and
under Internal Address enter RMS.fabrikam.com. Leave the default port of 443. Click Validate. If
this is successful, https://RMS.fabrikam.com should appear under Preview of cluster address for
clients on the network. Click Next. This will bring up the Server Authentication Certificate screen.
Figure 72 Cluster Address
16. On the Server Authentication Certificate screen, select Choose a certificate for SSL encryption later.
This will bring up the Licensor Certificate Name screen. Once the installation is complete, an SSL
certificate can be requested through IIS. For information on how to do this, see Import an SSL
Certificate Using Internet Information Services (IIS) Manager
(http://go.microsoft.com/fwlink/?LinkID=154912).
Figure 73 Server Authentication Certificate
17. On the Licensor Certificate Name screen, leave the default Name of ADRMS and click Next. This
will bring up the SCP Registration screen.
Figure 74 Licensor Certificate Name
18. On the SCP Registration screen, leave the default of Register the AD RMS service connection point
now and click Next. This will bring up the Web Server (IIS) screen.
Figure 75 SCP Registration
19. On the Web Server (IIS) screen, click Next. This will bring up the Role Services for IIS screen.
Figure 76 Web Server (IIS)
20. On the Role Services for IIS screen, leave the defaults and click Next. This will bring up the
Confirmation screen.
Figure 77 Role Services (IIS)
21. On the Confirmation screen, click Install. This will bring up the Progress screen.
Figure 78 Confirmation
22. Once the Progress screen shows that the installation has completed, click Close.
Figure 79 - Progress

Warning
Before you administer AD RMS, you will need to log off and then log on again.
Figure 79 - Results
