1
Module 6: Configuring AD RMS
Course 6426A: Configuring and Troubleshooting Identity and Access Solutions with Windows Server® Active Directory®
Module 6: Configuring AD RMS
Presentation: 60 minutes
Lab: 60 minutes

This module helps students to install and configure AD RMS. After completing this module, students will be able to:
- Describe AD RMS.
- Explain the process to install and configure AD RMS.
- Describe AD RMS administration by configuring rights policy templates.
- Describe the process to implement AD RMS trust policies.

Required materials: To teach this module, you need the Microsoft® Office PowerPoint® file 6426A_06.ppt.

Important: It is recommended that you use PowerPoint 2002 or a later version to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides might not be displayed correctly.

Preparation tasks. To prepare for this module:
- Read all of the materials for this module.
- Practice performing the demonstrations and the lab exercises.
- Work through the Module Review and Takeaways section and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.

Make sure that students are aware that there are additional online resources for the module on the Course CD.
2
Module 6: Configuring AD RMS
Module overview:
- Overview of AD RMS
- Installing and Configuring AD RMS Server Components
- Administering AD RMS
- Implementing AD RMS Trust Policies
3
Lesson 1: Overview of AD RMS
- How Access Management Is Enforced by Using AD RMS
- Usage Scenarios of AD RMS
- Comparing Technologies Used to Protect Information
- Identifying AD RMS Components
- AD RMS Certificates and Licenses
- Overview of AD RMS Workflow
- How Files Are Protected by Using AD RMS
4
How Access Management Is Enforced by Using AD RMS
AD RMS enforces access management by:
- Establishing trusted participants within the AD RMS system
- Assigning persistent usage rights and conditions on how a trusted participant can use protected information
- Encrypting information and allowing access to users that have the required components and rights to open and view the information

Types of information that can be protected include:
- Sensitive documents such as plans, proposals, reports messages
- Content stored in AD RMS-aware intranet services

Discuss the following:
- "Persistent usage rights and conditions" refers to how usage policies are attached to the protected information and are maintained with the information wherever it goes.
- Types of information that may be protected using AD RMS.
- Points on the slide.
- An example AD RMS-intranet service. Microsoft® SharePoint® Server 2007 is an example AD RMS-intranet service that provides the ability to bind the permissions configured for a document library to AD RMS permissions on the document itself.

AD RMS is a practical way to limit accidental distribution of sensitive information. However, it does not provide unbreakable, attacker-proof security. It also does not protect against analog attacks such as third-party screen-capture programs or a person taking a digital-camera picture of the online document.
5
Usage Scenarios for AD RMS
Usage scenario: Secure Confidential Files
Application: Microsoft® Office: Word®, Excel®, PowerPoint®
Features: Set rights (View, Change, Print); set validity period

Usage scenario: Do-Not-Forward/Print Message
Application: Microsoft® Office Outlook®; Microsoft® Exchange Server 2007 Service Pack (SP1)
Features: Help protect sensitive messages from being sent to the Internet; help protect confidential messages from being taken outside the company; help protect Rights Management Services (RMS) prelicensing agent

Usage scenario: Help Safeguard Intranet Content
Application: Microsoft® Office SharePoint® Services
Features: Help safeguard intranet content by restricting access to View, Change, and Print

Usage scenario: Identity Federation Support
Application: All RMS-enabled applications; Active Directory® Federation Services (AD FS)
Features: Help safeguard data across AD FS trusts

Describe each of the uses and the corresponding applications and services that relate to each usage scenario.
6
Comparing Technologies Used to Protect Information
Technologies compared (table columns):
- AD RMS
- Secure/Multipurpose Internet Mail Extensions (S/MIME) Signing
- S/MIME Encryption
- Access control lists (ACLs)
- Encrypting File System (EFS)

Features compared (table rows):
- Attests to the identity of the publisher
- Differentiates permissions by a user
- Prevents unauthorized viewing
- Encrypts protected content
- Offers content expiration
- Controls content reading, modifying, or printing by user *
- Extends protection beyond initial publication

* With some limitations

Compare and contrast each of these methods. It is important to not say that AD RMS replaces any of these other technologies, but rather can be used to enhance other technologies.

* ACLs can be set to modify, write, or read-only. EFS encryption is maintained with a copied or moved file only if the destination folder is also on an NTFS-formatted volume and, when copying, the destination folder is marked for encryption.
7
Identifying AD RMS Components
Describe the following points:

- AD RMS Cluster: There are two types of clusters, the root cluster and the licensing-only cluster.
  - Root cluster: Always the first server installed in an AD RMS installation. Handles all of the licensing and certification requests for the AD DS domain in which it was installed. This can be a single server or a group of servers.
  - Licensing-only cluster: Used for distributed environments such as departments, where different policies may be required. Does not perform certification.
- Web Services: The AD RMS server role requires a number of Web-related server roles and features as provided by the Web Server (IIS) server role.
- Active Directory® Domain Services (AD DS): The AD RMS server must be a member of an Active Directory® domain. AD DS is also used for hosting the Service Connection Point (SCP), which is used to provide intranet clients the ability to automatically discover the URL for the AD RMS cluster.
- Database Services: AD RMS requires a database to store configuration information, user and server keys, and logging information. SQL Server™ is typically used; however, smaller environments can use the internal database provided by Windows Server® 2008.
- AD RMS Client: The AD RMS client includes several components for securing and communicating with the RMS server cluster (commonly called a lockbox). Windows Vista® and Windows Server® 2008 both include the client components. Windows XP®, Windows 2000®, and Windows Server® 2003 require an add-on that can be downloaded from the Microsoft® Download Center.
- AD RMS-Aware Applications: Users must use applications that have RMS features.

Diagram labels: AD RMS Root Cluster, AD RMS Licensing-only Cluster, AD RMS Client, Web Server (IIS), Active Directory® Domain Services (AD DS), SQL Server™ (Configuration Data, Logging).
8
AD RMS Certificates and Licenses
- Server Licensor Certificate: Gets created when the AD RMS server role is installed and configured on the first server of an AD RMS Root Cluster.
- Machine Certificate: Identifies a trusted computer and contains the unique public key for that machine, on a per user per computer basis.
- Rights Account Certificate: Names a trusted user identity by using the address or SID of the user on a per user basis.
- Client Licensor Certificate: Names a trusted user that is authorized to publish RMS-protected information without requiring connectivity to an RMS server. This naming is per user on a computer.
- Publishing License: Sets the policy for acquiring a use license for rights-protected information.
- Use License: Grants an authorized user with a valid RAC the rights to consume rights-protected information based on policy established in the publishing license.

Describe that server and client components use various types of eXtensible rights Markup Language (XrML)-based certificates and licenses to ensure trusted connections and protected content. XrML is an industry standard that is used to link usage rights to digital documents.

Describe that a major change in AD RMS compared to previous versions is the way the AD RMS server role is enrolled. Previously, enrollment required a connection to an enrollment server at Microsoft®. Windows Server® 2008 AD RMS performs a self-enrollment that has the server self-enrollment certificate (included with Windows Server® 2008) sign the SLC. This ensures that any licenses issued to machines and users are verified and trusted by a valid Root Cluster. If you add any additional servers to the Root Cluster, each will share the SLC. If you deploy licensing-only clusters, these will generate their own unique SLC.

Source information: The XrML Web site:
9
Overview of AD RMS Workflow
Diagram labels: Information Author, Information Recipient, AD RMS Cluster, Database Server, Active Directory®; phases: Publishing, Consuming; steps 1 to 9.

The following steps illustrate the Windows® RMS workflow:

1. The author receives a RAC and CLC from the AD RMS cluster the first time he or she tries to rights-protect information. This is a one-time step that establishes the user's AD RMS credential (the RAC is the AD RMS user credential) and enables offline publishing of rights-protected information (using the CLC) in the future.
2. Using an AD RMS-enabled application, an author creates a file and specifies a set of usage rights and conditions for that file. A publishing license that contains the usage policies is then generated.
3. The application then encrypts the file with a symmetric key, which is then encrypted by the public key of the AD RMS cluster. The key is then inserted into the publishing license and the publishing license is bound to the file. Only the author's AD RMS cluster can issue use licenses to decrypt this file. If the author has used offline publishing, another copy of the symmetric key is encrypted by the public key of the author's client licensor certificate and included in the publishing license. The result of this additional encryption step is that an owner license is created that allows the author to consume the content without licensing it from an AD RMS cluster.
4. The author distributes the file.
5. A recipient receives a protected file through a regular distribution channel and opens it using an AD RMS-enabled application. If the recipient does not have a RAC on the current computer, this is the point at which one will be issued from the AD RMS cluster.
6. The application sends a request for a use license to the AD RMS cluster that issued the publishing license for the protected information. The request includes the recipient's account certificate (which contains the recipient's public key) and the publishing license (which contains the symmetric key that encrypted the file).
7. The AD RMS cluster confirms that the recipient is authorized, checks that the recipient is a named user, and creates a use license. During this process, the server decrypts the symmetric key by using the private key of the server, re-encrypts the symmetric key by using the public key of the recipient, and then adds the encrypted symmetric key to the use license. This step ensures that only the intended recipient can decrypt the symmetric key and thus decrypt the protected file. The server also adds any relevant conditions to the use license, such as the expiration or an application or operating system exclusion.
8. When the confirmation is complete, the licensing server returns the use license to the recipient's client computer.
9. After receiving the use license, the application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list. If so, the application checks for a local copy of the revocation list that has not expired. If necessary, it retrieves a current copy of the revocation list. The application then applies any revocation conditions that are relevant in the current context. If no revocation condition blocks access to the file, the application renders the data, and the user may exercise the rights he or she has been granted.
10
How Files Are Protected by Using AD RMS
Diagram (parts of a protected file):
- Publishing License: gets created when the file is protected.
- Use License: gets added to the file after the server licenses a user to open it.
- The content of the file, such as text, pictures, and media: gets encrypted with a 128-bit AES symmetric encryption key.
- Other labels on the license contents: Content Key; Rights information with addresses; "Gets encrypted with the public key of server"; "Gets encrypted with the public key of user".

URLs are stored in the local RMS license cache, not in messages directly.

Discuss the following:

It is important to understand how RMS stores key and rights information within a document. The RMS-enabled application of the user encrypts the document content by using a generated symmetric key and sends the key along with the rights information to the RMS server. The RMS server then verifies the user and recipient information and sends it back to the user with the content key and rights information encrypted with the RMS public key of the server.

RMS also supports offline publishing, where the content key and rights information are encrypted locally using a Client Licensor Certificate (CLC), which contains the RMS public key of the server. Microsoft® Office 2003 Professional utilizes offline publishing with RMS. As a result, anyone wanting to access the document will need to make a request to the RMS server to receive a copy of the content key.
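The key wrapping described on the workflow and file-protection slides above, modeled as an added PowerShell example (it is not course material or AD RMS code). It assumes plain RSA-OAEP and AES from .NET in place of real XrML licenses; the function names, users and rights are constructed.

```powershell
# Model of the content-key handling only. Real AD RMS licenses are signed XrML
# documents; every name, user and right below is constructed for illustration.

function New-RsaKey {
    New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
}

function Get-PublicKey($Rsa) {
    # Copy only the public half, which is what a certificate would carry.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($Rsa.ExportParameters($false))
    $pub
}

function Protect-Content {
    # Author side (workflow steps 2 and 3): encrypt the file, wrap the key for the cluster.
    param([string]$Text, $ClusterPublicKey, [hashtable]$Rights)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128                      # content-key size given in this module
    $aes.GenerateKey(); $aes.GenerateIV()
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    @{
        CipherText        = $cipher
        IV                = $aes.IV
        PublishingLicense = @{
            Rights     = $Rights
            # Only the holder of the cluster private key can unwrap this.
            WrappedKey = $ClusterPublicKey.Encrypt($aes.Key, $true)
        }
    }
}

function New-UseLicense {
    # Cluster side (step 7): check the user is named, unwrap, re-wrap for that user.
    param($ClusterPrivateKey, [hashtable]$PublishingLicense, [string]$User, $UserPublicKey)
    if (-not $PublishingLicense.Rights.ContainsKey($User)) {
        throw "$User is not named in the publishing license"
    }
    $contentKey = $ClusterPrivateKey.Decrypt($PublishingLicense.WrappedKey, $true)
    @{
        User       = $User
        Rights     = $PublishingLicense.Rights[$User]
        WrappedKey = $UserPublicKey.Encrypt($contentKey, $true)
    }
}

function Unprotect-Content {
    # Recipient side (step 9): unwrap the content key with the user's private key.
    param([hashtable]$File, [hashtable]$UseLicense, $UserPrivateKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $UserPrivateKey.Decrypt($UseLicense.WrappedKey, $true)
    $aes.IV  = $File.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($File.CipherText, 0, $File.CipherText.Length)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

# --- Constructed walk-through ---
$cluster = New-RsaKey    # stands in for the cluster (SLC) key pair
$bob     = New-RsaKey    # stands in for the key pair behind Bob's RAC
$eve     = New-RsaKey    # a user who is not named in the license

$file = Protect-Content -Text 'Q3 plan (constructed sample)' `
    -ClusterPublicKey (Get-PublicKey $cluster) -Rights @{ 'bob@example.com' = 'View' }

$ul = New-UseLicense -ClusterPrivateKey $cluster -PublishingLicense $file.PublishingLicense `
    -User 'bob@example.com' -UserPublicKey (Get-PublicKey $bob)
"Bob ($($ul.Rights)): " + (Unprotect-Content -File $file -UseLicense $ul -UserPrivateKey $bob)

# A user who is not named never receives a use license.
try {
    New-UseLicense -ClusterPrivateKey $cluster -PublishingLicense $file.PublishingLicense `
        -User 'eve@example.com' -UserPublicKey (Get-PublicKey $eve) | Out-Null
} catch { "Denied: $($_.Exception.Message)" }

# A copied use license does not help without the private key it was wrapped for.
try { Unprotect-Content -File $file -UseLicense $ul -UserPrivateKey $eve | Out-Null }
catch { 'Copied use license: content key cannot be unwrapped with another key pair' }
```

The model returns the granted right but does not enforce it; as the module notes, enforcement is done by the AD RMS-enabled application.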
11
Lesson 2: Installing and Configuring AD RMS Server Components
- AD RMS Deployment Scenarios
- Preinstallation Considerations
- AD RMS System Requirements
- How to Install the First Server of an AD RMS Cluster
- What Is a Service Connection Point?
- Implementing an AD RMS Client
- Configuring Client Service Discovery
12
AD RMS Deployment Scenarios
Describe the various scenarios that can be deployed using AD RMS, such as:
- Deploying AD RMS in a single forest: Explain that it may contain a single server or have multiple servers in a single cluster.
- Deploying an AD RMS licensing-only cluster: Explain that this scenario is typically used to distribute the licensing services.
- Deploying AD RMS in a multi-forest environment: Explain the need for multiple AD RMS root clusters and the configuration of trust policies.
- Deploying AD RMS in an extranet: Explain how either a licensing-only server or Internet Security and Acceleration (ISA) server can be used in this scenario.
- Deploying AD RMS with AD FS: Explain some of the considerations for integrating AD RMS and AD FS.
13
Preinstallation Considerations
Consider the following points before deploying AD RMS:
- Install AD RMS on a member server in the same domain as the user accounts that will participate in AD RMS.
- Determine whether to use an external database or the internal database provided by Windows Server® 2008.
- Create a specific AD RMS service account with standard user permissions.
- Make the account used to install AD RMS a member of the Enterprise Admins group or equivalent, if the service connection point is to be registered during installation.
- Create a DNS alias (CNAME) record for the AD RMS cluster URL, and a CNAME record for the computer hosting the configuration database.
- Obtain a Secure Sockets Layer (SSL) certificate from a trusted Certification Authority, if secure communication to and from the AD RMS cluster is required.

Discuss the preinstallation considerations and emphasize the following points:
- AD RMS can be installed on a domain controller, but the service account must be a member of the Domain Admins group. Such a membership can increase the security risk.
- The user account that is used to install the AD RMS server must be different from the account used as the AD RMS service account.
- If an external database is being used for AD RMS, the user installing AD RMS must also have the right to create databases in SQL Server™.
- To explain the reason for the CNAME records, explain that if the AD RMS servers are retired, lost due to a hardware failure, or the computer name is changed, a CNAME record can be updated without having to publish all rights-protected files again.
14
AD RMS System Requirements
Hardware requirements:
- Required: One Pentium 4 processor (3 GHz or higher); 512 MB RAM; 40 GB free disk space
- Recommended: Two Pentium 4 processors (3 GHz or higher); 1024 MB RAM; 80 GB free disk space

Software requirements:
- Operating System: Windows Server® 2008
- File System: NTFS file system is recommended
- Messaging: Message Queuing
- Web Services: Internet Information Services (IIS); ASP.NET must be enabled
- Active Directory® or AD DS: AD RMS must be installed in an Active Directory® domain. The domain controllers should run Windows Server® 2000 with Service Pack 3, Windows Server® 2003, or Windows Server® 2008. All users and groups who use AD RMS to acquire licenses and publish content must have an address configured in Active Directory®.
- Database Server: Microsoft® SQL Server™ 2005 or equivalent, and stored procedures

Discuss the system requirements for AD RMS. Point out the need to have an address to perform operations. Explain that while an address is required for the user or group object in Active Directory®, this does not imply that Microsoft® Exchange Server is deployed in the organization.
15
Demonstration: How to Install the First Server of an AD RMS Cluster
- To use DNS to configure a CNAME for the AD RMS cluster
- To use Server Manager to install the AD RMS server role

In this demonstration, discuss the following installation options:
- Required role services (IIS)
- Role services available for AD RMS: Active Directory® Rights Management Server, Identity Federation Support
- Database options
- Service account
- Cluster key storage options
- Use of SSL
- Providing the internal URL address (remind about the best practice of using an alias (CNAME) in DNS)
- Registering the service connection point

While discussing the point about the internal URL address, remind the students about best practices to be followed, such as using an alias or CNAME in DNS.
16
What Is a Service Connection Point?
A service connection point (SCP):
- Provides automatic discovery of the AD RMS cluster URL
- Is limited to one SCP per Active Directory® forest
- Requires the AD RMS management console to be registered or removed
- Requires ADSI Edit to be viewed and modified

Describe the purpose of the service connection point.

Location of the SCP as shown in ADSI Edit:

ADSI Edit
  Configuration [SEC-DC.Adatum.com]
    CN=Configuration, DC=Adatum, DC=com
      CN=Display Specifiers
      CN=Extended-Rights
      CN=ForestUpdates
      CN=Services
        CN=MsmqServices
        CN=NetServices
        CN=Public Key Services
        CN=Rights Management Services
          CN=SCP
        CN=RRAS
        CN=Windows NT
17
Implementing an AD RMS Client
The AD RMS client:
- Creates and manages the machine certificate and lockbox.
- Works with AD RMS-compatible applications such as the 2007 Office System.
- Is integrated with the Windows Vista® and Windows Server® 2008 operating systems.
- Is downloaded from the Microsoft® Download Center for earlier versions of Windows®.
- Is deployed manually or automated using Active Directory® Group Policy.

Explain that Systems Management Server or System Center Configuration Manager can also be used to deploy the AD RMS client.

Mention that in addition to the AD RMS client, end users require applications that support rights-management features. Examples of such applications include:
- Microsoft® Office Professional Edition 2003
- Microsoft® Office 2007 Enterprise, Ultimate, and Professional Plus editions
- Windows Mobile® 6
- Microsoft® Office SharePoint® Server 2007
- Microsoft® Exchange Server 2007 with Service Pack 1
18
Configuring Client Service Discovery
AD RMS clients discover the AD RMS cluster using the following methods:
- AD DS service connection point
- AD RMS client registry override under HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation:
  - Activation (syntax: http(s)://<cluster>/_wmcs/certification)
  - EnterprisePublishing (syntax: http(s)://<cluster>/_wmcs/certification)

Describe that registry overrides are useful when you need a client to connect to a different certification or licensing cluster than the one registered in the service connection point. They are typically used in multi-forest scenarios.
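Because a registry override silently redirects a client away from the cluster published in the SCP, it is worth auditing both discovery sources together. The following is an added example, not part of the course material; it assumes each override URL is stored as the default value of its subkey and that the SCP publishes its URL in the serviceBindingInformation attribute, and the function names are hypothetical.

```powershell
# Audit how this client would locate its AD RMS cluster.
# Run on a domain-joined Windows client; nothing is modified.

function Get-RmsScpUrl {
    # Read the forest-wide SCP from the Configuration partition (the object
    # ADSI Edit shows under CN=Services). Returns $null if AD cannot be reached.
    try {
        $rootDse = [ADSI]'LDAP://RootDSE'
        $config  = $rootDse.configurationNamingContext
        if (-not $config) { return $null }
        $scp = [ADSI]"LDAP://CN=SCP,CN=Rights Management Services,CN=Services,$config"
        $url = [string]$scp.serviceBindingInformation   # assumption: URL attribute
        if ($url) { return $url }
        return $null
    } catch {
        return $null
    }
}

function Get-RmsDiscoveryOverride {
    # Read the two override keys named on the slide.
    param([string]$BasePath = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation')
    foreach ($name in 'Activation', 'EnterprisePublishing') {
        $key = Join-Path $BasePath $name
        $url = $null
        if (Test-Path $key) { $url = (Get-Item $key).GetValue('') }   # default value
        [pscustomobject]@{ Setting = $name; Url = $url }
    }
}

function Test-RmsDiscovery {
    # Compare each override with the SCP and flag what a reviewer should look at.
    param([string]$ScpUrl, [object[]]$Overrides)
    $scpHost = $null
    if ($ScpUrl) { $scpHost = ([uri]$ScpUrl).Host }

    foreach ($o in $Overrides) {
        $finding = 'No override; client uses the SCP'
        if ($o.Url) {
            $u  = $null
            $ok = [uri]::TryCreate([string]$o.Url, [System.UriKind]::Absolute, [ref]$u)
            if (-not $ok) {
                $finding = 'Override is not a valid absolute URL'
            } elseif ($u.Scheme -ne 'https') {
                $finding = 'Override does not use https'
            } elseif ($scpHost -and $u.Host -ne $scpHost) {
                $finding = 'Override points to a different host than the SCP; confirm it is intended'
            } elseif (-not $scpHost) {
                $finding = 'Override present; SCP could not be read for comparison'
            } else {
                $finding = 'Override matches the SCP host'
            }
        }
        [pscustomobject]@{
            Setting = $o.Setting
            Url     = $o.Url
            ScpUrl  = $ScpUrl
            Finding = $finding
        }
    }
}

Test-RmsDiscovery -ScpUrl (Get-RmsScpUrl) -Overrides (Get-RmsDiscoveryOverride)
```

In a multi-forest deployment an override to another cluster is expected, so treat the host-mismatch finding as a prompt to compare against the documented design rather than as an error.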
19
Lesson 3: Administering AD RMS
- AD RMS Administration Tasks
- What Is a Rights Policy Template?
- How To Create a Rights Policy Template
- Providing Rights Policy Templates for Offline Use
- What Are Exclusion Policies?
20
AD RMS Administration Tasks
Describe common administration tasks:
- Create and manage Rights Policy Templates
- Configure Exclusion Policies
- Configure Trust Policies
21
What Is a Rights Policy Template?
A Rights Policy Template:
- Specifies users or groups who must have rights to work with content protected with the template
- Uses Online Certificate Status Protocol validation and revocation checking using HTTP
- Includes rights such as Full Control, View, Edit, Save, or Print, Forward, Reply
- Is stored in the configuration database or a shared folder on the network for offline publishing
- Is selected by the author during document creation to apply rights to the content
- Is configured as a distributed or archived template

Describe the Rights Policy Template.
22
Demonstration: How To Create a Rights Policy Template
- To configure a distributed rights policy template
- To manage archived rights policy templates

Demonstrate how to configure and archive rights policy templates.
23
Providing Rights Policy Templates for Offline Use
1. Create a shared folder on the server to be used to store the exported rights policy templates.
2. Use the AD RMS console to export the templates to the folder location.
3. Deploy the exported templates to a local folder on each client.
4. Modify the client registry to specify where to find the policy templates on the client.

Example for Office 2007:
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Common\DRM\AdminTemplatePath
Type: REG_EXPAND_SZ
Recommended value: %allusersprofile%\Application Data\Microsoft\DRM\<templatefoldername>

Describe the steps to specify the location of Rights Policy Templates. Also, discuss the listed key for Office. If you are configuring Office 2003, substitute 12.0 with

For Windows Vista® the recommended value is %userprofile%\AppData\Local\Microsoft\DRM.
24
What Are Exclusion Policies?
Exclusion policies prevent compromised principals from acquiring new use licenses; however, existing licenses associated with excluded principals are still valid.

Administrators can exclude the following principals:
- User IDs
- Applications
- Lockbox versions
- Windows® versions

Discuss exclusion policies and explain the following principals:
- User IDs: prevent specific user accounts from obtaining use licenses.
- Applications: prevent specific versions of AD RMS-enabled applications from accessing protected content.
- Lockbox versions: ensure a minimum version of the AD RMS client software.
- Windows® versions: prevent users that use Windows 98® Second Edition or Windows Millennium® Edition from obtaining RACs or use licenses.
25
Lesson 4: Implementing AD RMS Trust Policies
- Methods of Defining Trust Policies
- Overview of Trusted User Domain Interaction
- Overview of Trusted Publishing Domain Interaction
- How To Configure Trust Policies
- Deploying AD RMS with AD FS
26
Methods of Defining Trust Policies
Trust policies help an AD RMS cluster to process licensing requests for content that is rights-protected by another AD RMS cluster.

Trust policies can be defined for the following:
- Trusted user domains
- Trusted publishing domains
- Windows Live™ ID
- Federated Trust

Discuss the methods to define trust policies for the following:
- Trusted user domains: Adding a trusted user domain allows the AD RMS root cluster to process requests for client licensor certificates or for use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You can add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust.
- Trusted publishing domains: Adding a trusted publishing domain allows one AD RMS cluster to issue use licenses against publishing licenses that were issued by a different AD RMS cluster. You can add a trusted publishing domain by importing the server licensor certificate and private key of the server to trust.
- Windows Live™ ID: Setting up a trust with Windows Live™ ID allows an AD RMS user to send rights-protected content to a user with a Windows Live™ ID. The Windows Live™ ID user will be able to consume rights-protected content from the AD RMS cluster that has trusted Windows Live™ ID. However, the Windows Live™ ID user will not be able to create content that is rights-protected by the AD RMS cluster.
- Federated Trust: Establishing a federated trust between two forests is done by using Active Directory® Federation Services. This is useful if one forest does not have AD RMS installed, but its users need to consume rights-protected content from another forest.
27
Overview of Trusted User Domain Interaction
Diagram (Contoso and Northwind Traders), steps as labeled:
1. Contoso sends SLC to Northwind Traders
2. Northwind Traders imports Server Licensor Certificate (SLC)
3. sends RM content to
4. sends PL and RAC with request for UL from Northwind Traders
5. Server uses imported SLC to verify Bob's rights account certificate (RAC) and returns UL

Discuss the following steps:
- Contoso, Ltd. exports and sends its server licensor certificate (public key) to Northwind Traders.
- Northwind Traders specifies Contoso, Ltd. as a trusted user domain and imports its server licensor certificate.
- sends an item of RMS protected content.
- Bob receives the content and in his attempt to consume it, sends his RAC and publishing license to the issuing licensing server at Northwind Traders.
- The licensing server at Northwind Traders is aware that Contoso Ltd's domain is a trusted user domain and can use the imported server licensor certificate to verify Bob's RAC and issue him a use license.
28
Overview of Trusted Publishing Domain Interaction
Diagram labels (Northwind Traders and Contoso, steps 1 to 5):
- Northwind Traders exports private key and SLC
- Contoso imports private key and SLC
- sends RM content to
- sends PL and RAC with request for UL from Northwind Traders
- Contoso uses imported private key to decrypt PL and issues UL

Use the diagram to explain the working of a trusted publishing domain.
29
Demonstration: How To Configure Trust Policies
- To export a trusted user domain certificate
- To import a trusted user domain certificate
- To configure trusted publishing domains

In this demonstration, discuss how to configure trust policies by exporting a trusted user domain certificate, importing a trusted user domain certificate, and configuring trusted publishing domains.
30
Deploying AD RMS with AD FS
- Assign an SSL certificate to the Web site that hosts the AD RMS cluster.
- Install and configure AD RMS.
- Grant the AD RMS service account permissions to generate security audits.
- On the AD FS resource partner, create a claims-aware application for the AD RMS certification and licensing pipelines.
- Configure the AD RMS extranet cluster URL.
- Install the AD RMS Identity Federation Role service.

Diagram labels: AD RMS, AD FS, Account Partner (Supplier), Resource Partner (Manufacturer).

Explain the steps for deploying AD RMS with AD FS. Tell the students that if they are trying to connect their AD RMS client computer by using a federated trust, they need to configure the federation home realm. The registry key to configure the home realm is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\Federation

Within this registry key, create a registry entry named FederationHomeRealm of type REG_SZ with the federation service URI as its value.

For more information on deploying AD RMS step by step, refer to the following link:
31
Lab 6: Configuring AD RMS
- Exercise 1: Installing the AD RMS Server Role
- Exercise 2: Managing AD RMS rights policy templates
- Exercise 3: Configuring Trust Policies
- Exercise 4: Testing AD RMS functionality

Logon information:
- Virtual machines: 6426A-NYC-DC1, 6426A-NYC-SVR1, 6426A-NYC-CL1
- User name: Administrator
- Domain: woodgrovebank
- Password: Pa$$w0rd

Estimated time: 60 minutes

In this lab, students will install and configure AD RMS as a server role, and configure AD RMS templates and client settings.
- Exercise 1: In this exercise, students will install the AD RMS server role.
- Exercise 2: In this exercise, students will manage AD RMS rights policy templates.
- Exercise 3: In this exercise, students will configure trust policies.
- Exercise 4: In this exercise, students will test AD RMS functionality.

Before the students begin the lab, read the scenario associated with each exercise to the class. This will reinforce the broad issue that the students are troubleshooting and will help to facilitate the lab discussion at the end of the module. Remind the students to complete the discussion questions after the last lab exercise.

Note: The lab exercise answer keys are provided on the Course CD.