
Active Directory Rights Management Services


Overview
Updated: May 03, 2007
By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can
augment an organization's security strategy by protecting information through persistent usage policies,
which remain with the information, no matter where it is moved. You can use AD RMS to help prevent
sensitive information, such as financial reports, product specifications, customer data, and confidential
e-mail messages, from intentionally or accidentally getting into the wrong hands.
For information about AD RMS, see the Active Directory Rights Management Services TechCenter page at
http://go.microsoft.com/fwlink/?LinkId=80907.
In the following sections, learn more about AD RMS, the required and optional features in AD RMS, and
hardware and software used for running AD RMS. At the end of this topic, learn how to open the AD RMS
console and how to find more information about AD RMS.

What is Active Directory Rights Management Services?


An AD RMS system includes a Windows Server 2008-based server running the Active Directory Rights
Management Services (AD RMS) server role that handles certificates and licensing, a database server,
and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows Vista
operating system. The deployment of an AD RMS system provides the following benefits to an
organization:
Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can
be AD RMS-enabled to help safeguard sensitive information. Users can define who can open, modify, print, forward, or take
other actions with the information. Organizations can create custom usage policy templates such as "confidential - read only"
that can be applied directly to the information.
Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control
lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how
information is used even after it has been opened by intended recipients.
Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any
application or enable other servers, such as content management systems or portal servers running on Windows or other
operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information
protection into server-based solutions such as document and records management, e-mail gateways and archival systems,
automated workflows, and content inspection.
AD RMS combines the features of Rights Management Services (RMS) in Windows Server 2003,
developer tools, and industry security technologies, including encryption, certificates, and authentication,
to help organizations create reliable information protection solutions. For creating customized AD RMS
solutions, an AD RMS software development kit (SDK) is available.

Features in AD RMS
By using Server Manager, you can set up the following components of AD RMS:
Active Directory Rights Management Services. The Active Directory Rights Management Services (AD RMS) role service
is a required role service that installs the AD RMS components used to publish and consume rights-protected content.
Identity Federation Support. The identity federation support role service is an optional role service that allows federated
identities to consume rights-protected content by using Active Directory Federation Services.
Hardware and software considerations
AD RMS runs on a computer running the Windows Server 2008 operating system. When the AD RMS
server role is installed, the required services are installed, one of which is Internet Information Services
(IIS). AD RMS also requires a database, such as Microsoft SQL Server, which can be run either on the
same server as AD RMS or on a remote server, and an Active Directory Domain Services forest.
The following table describes the minimum hardware requirements and recommendations for running
Windows Server 2008-based servers with the AD RMS server role.

Requirement | Recommendation
One Pentium 4 3 GHz processor or higher | Two Pentium 4 3 GHz processors or higher
512 MB of RAM | 1024 MB of RAM
40 GB of free hard disk space | 80 GB of free hard disk space


Note:

A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows
Server 2008 for Itanium-Based Systems.
To assist with your hardware considerations, use testing in a lab environment, data from existing
hardware in a production environment, and pilot roll-outs to determine the capacity needed for your
server.
The following table describes the software requirements for running Windows Server 2008-based servers
with the AD RMS server role. For requirements that can be met by enabling features on the operating
system, installing the AD RMS server role will configure those features as appropriate, if they are not
already configured.

Software | Requirement
Operating system | Windows Server 2008, except for Windows Web Server 2008
File system | NTFS file system is recommended
Messaging | Message Queuing
Web services | Internet Information Services (IIS). ASP.NET must be enabled.
Active Directory or Active Directory Domain Services | AD RMS must be installed in an Active Directory domain in which the domain controllers are running Windows Server 2000 with Service Pack 3 (SP3), Windows Server 2003, or Windows Server 2008. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory.
Database server | AD RMS requires a database server, such as Microsoft SQL Server 2005, and stored procedures to perform operations.
The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as Microsoft
Word, Outlook, or PowerPoint in Microsoft Office 2007. In order to create rights-protected content,
Microsoft Office 2007 Enterprise, Professional Plus, or Ultimate is required. For additional security,
AD RMS can be integrated with other technologies such as smart cards.
Windows Vista includes the AD RMS client by default, but other client operating systems must have the
RMS client installed. The RMS client with Service Pack 2 (SP2) can be downloaded from the Microsoft
Download Center and works on versions of the client operating system earlier than Windows Vista and
Windows Server 2008.
For more detailed information about hardware and software considerations with AD RMS, see the
Pre-installation Information for Active Directory Rights Management Services topic on the Windows
Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=84733).

Installing AD RMS
After you finish installing the operating system, you can use Initial Configuration Tasks or Server
Manager to install server roles. To install AD RMS, in the list of tasks, click Add roles, and then click the
Active Directory Rights Management Services check box.
For detailed instructions about installing and configuring AD RMS in a test environment, see the AD RMS
installation Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).

Managing AD RMS
Server roles are managed by using a Microsoft Management Console (MMC) snap-in. Use the Active
Directory Rights Management Services console to manage AD RMS. To open the Active Directory Rights
Management console, click Start, point to Administrative Tools, and then click Active Directory
Rights Management Services.

For more information


To learn more about AD RMS, you can view the Help on your server. To do this, open the Active Directory
Rights Management Services console, and then press F1, or visit the Active Directory Rights Management
Services TechCenter (http://go.microsoft.com/fwlink/?LinkId=80907).

2008 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement

What's New in Active Directory Rights Management Services in Windows Server 2008

Active Directory Rights Management Services Role
Updated: January 21, 2008

For Windows Server 2008, Active Directory Rights Management Services (AD RMS) includes several
new features that were not available in Microsoft Windows Rights Management Services (RMS).
These new features were designed to ease administrative overhead of AD RMS and to extend its use
outside of your organization. These new features include:

Inclusion of AD RMS in Windows Server 2008 as a server role

Administration through a Microsoft Management Console (MMC)

Integration with Active Directory Federation Services (AD FS)

Self-enrollment of AD RMS servers

Ability to delegate responsibility by means of new AD RMS administrative roles

Note:

This topic concentrates on the features specific to AD RMS that are being released with Windows Server 2008. Earlier versions of
RMS were available as a separate download. For more information about the features that were available in RMS, see Windows
Server 2003 Rights Management Services (RMS) (http://go.microsoft.com/fwlink/?LinkId=68637).

What does AD RMS do?


AD RMS, a format and application-agnostic technology, provides services to enable the creation of
information-protection solutions. It will work with any AD RMS-enabled application to provide persistent
usage policies for sensitive information. Content that can be protected by using AD RMS includes intranet
Web sites, e-mail messages, and documents. AD RMS includes a set of core functions that allow
developers to add information protection to the functionality of existing applications.
An AD RMS system, which includes both server and client components, performs the following processes:
Licensing rights-protected information. An AD RMS system issues rights account certificates, which identify trusted
entities (such as users, groups, and services) that can publish rights-protected content. Once trust has been established, users
can assign usage rights and conditions to content they want to protect. These usage rights specify who can access rights-
protected content and what they can do with it. When the content is protected, a publishing license is created for the content.
This license binds the specific usage rights to a given piece of content so that the content can be distributed. For example,
users can send rights-protected documents to other users inside or outside of their organization without the content losing its
rights protection.
Acquiring licenses to decrypt rights-protected content and applying usage policies. Users who have been granted a
rights account certificate can access rights-protected content by using an AD RMS-enabled client application that allows
users to view and work with rights-protected content. When users attempt to access rights-protected content, requests are sent
to AD RMS to access, or consume, that content. When a user attempts to consume the protected content, the AD RMS
licensing service on the AD RMS cluster issues a unique use license that reads, interprets, and applies the usage rights and
conditions specified in the publishing licenses. The usage rights and conditions are persistent and automatically applied
everywhere the content goes.
Creating rights-protected files and templates. Users who are trusted entities in an AD RMS system can create and manage
protection-enhanced files by using familiar authoring tools in an AD RMS-enabled application that incorporates AD RMS
technology features. In addition, AD RMS-enabled applications can use centrally defined and officially authorized usage
rights templates to help users efficiently apply a predefined set of usage policies.
Who will be interested in this server role?
AD RMS is designed to help make content more secure, regardless of where the rights-protected
content is moved.
You should review this section, and additional documentation about AD RMS, if you are in any of the
following groups:

IT planners and analysts who are evaluating enterprise rights management products

IT professionals responsible for supporting an existing RMS infrastructure
IT security architects who are interested in deploying information protection technology that provides protection for both
data at rest and in motion
Are there any special considerations?
AD RMS relies on Active Directory Domain Services (AD DS) to verify that the user attempting to
consume rights-protected content is authorized to do so. When registering the AD RMS service
connection point (SCP) during installation, the installing user account must have Write access to the
Services container in AD DS.
Finally, all configuration and logging information is stored in the AD RMS Logging Database. In a test
environment, you can use the Windows Internal Database, but in a production environment, we
recommend using a separate database server.

What new functionality does this server role provide?


AD RMS includes a number of enhancements over earlier versions of RMS. These enhancements include
the following:
Improved installation and administration experience. AD RMS is included with Windows Server 2008 and is installed as
a server role. Additionally, AD RMS administration is done through an MMC, as opposed to the Web site administration
presented in the earlier versions.
Self-enrollment of the AD RMS cluster. An AD RMS cluster can be enrolled without having to connect to the Microsoft
Enrollment Service. Through the use of a server self-enrollment certificate, the enrollment process is done entirely on the
local computer.
Integration with AD FS. AD RMS and AD FS have been integrated such that enterprises are able to leverage existing
federated relationships to collaborate with external partners.
New AD RMS administrative roles. The ability to delegate AD RMS tasks to different administrators is needed in any
enterprise environment and is included with this version of AD RMS. Three administrative roles have been created: AD RMS
Enterprise Administrators, AD RMS Template Administrators, and AD RMS Auditors.

Improved installation and administration experience


AD RMS in Windows Server 2008 brings many improvements to both the installation and administration
experience. In earlier versions of RMS, a separate installation package had to be downloaded and
installed, but in this version, AD RMS has been integrated into the operating system and is installed as a
server role through Server Manager. Configuration and provisioning is achieved through the server role
installation. Additionally, Server Manager automatically lists and installs all services that AD RMS is
dependent on, such as Message Queuing and Web Server (IIS), during the AD RMS server role
installation. During installation, if you do not specify a remote database as the AD RMS Configuration and
Logging database, the AD RMS server role installation automatically installs and configures the Windows
Internal Database for use with AD RMS.
In the earlier versions of RMS, administration was done through a Web interface. In AD RMS, the
administrative interface has been migrated to an MMC snap-in console. The AD RMS console gives you all the
functionality available with the earlier version of RMS, but in an interface that is much easier to use.

Why is this functionality important?


Offering AD RMS as a server role that is included with Windows Server 2008 makes the installation
process less burdensome by not requiring you to download AD RMS separately before installing it.
Using an AD RMS console for administration instead of a browser interface makes more options available
to improve the user interface. The AD RMS console employs user interface elements that are consistent
throughout Windows Server 2008, which is designed to be much easier to follow and navigate.
Additionally, with the inclusion of AD RMS administration roles, the AD RMS console displays only the
parts of the console that the user can access. For example, a user who is using the AD RMS Template
Administrators administration role is restricted to tasks that are specific to AD RMS templates. All other
administrative tasks are not available in the AD RMS console.

Self-enrollment of AD RMS server


Server enrollment in AD RMS is the process of creating and signing a server licensor certificate (SLC)
that grants the AD RMS server the right to issue certificates and licenses. In earlier versions of RMS, the
SLC had to be signed by the Microsoft Enrollment Service through an Internet connection. This required
that either the RMS server had to have Internet connectivity to do online enrollment with the Microsoft
Enrollment Service or be able to connect to another computer with Internet access that could do offline
enrollment of the server.
In AD RMS with Windows Server 2008, the requirement for the AD RMS server to directly contact the
Microsoft Enrollment Service has been removed. Instead, a server self-enrollment certificate is included
with Windows Server 2008 that signs the AD RMS server's SLC.

Why is this functionality important?


Requiring the SLC to be signed by the Microsoft Enrollment Service introduced an operational
dependency that many customers did not want to introduce into their environment. The Microsoft
Enrollment Service is no longer required to sign the SLC.

What works differently?


Instead of requiring the Microsoft Enrollment Service to sign the AD RMS server's SLC, the server self-
enrollment certificate, included with Windows Server 2008, can sign the SLC locally. The server self-
enrollment certificate allows AD RMS to operate in a network that is entirely isolated from the Internet.

How should I prepare for this change?


When upgrading from RMS with Service Pack 1 (SP1) or later, the root cluster must be upgraded before
the licensing-only cluster. This is required so that the licensing-only cluster receives the root cluster's
new self-enrolled SLC.

Integration with AD FS
Enterprises are increasingly feeling the need to collaborate outside their enterprise boundaries and are
looking at federation as a solution. Federation support with AD RMS will allow enterprises to leverage
their established federated relationships to enable collaboration with external entities. For example, an
organization that has deployed AD RMS can set up federation with an external entity by using AD FS and
can leverage this relationship to share rights-protected content across the two organizations without
requiring a deployment of AD RMS in both places.

Why is this functionality important?


In earlier versions of RMS, the options for external collaboration of rights-protected content were limited
to Windows Live ID. Integrating AD FS with AD RMS provides the ability to establish federated
identities between organizations and share rights-protected content.

How should I prepare for this change?


If you are interested in using AD FS with AD RMS, you must have federated trust between your
organization and the external partners you would like to collaborate with before AD RMS is installed.
Additionally, you must use the AD RMS client included with Windows Vista or RMS Client with Service
Pack 2 (SP2) to take advantage of the AD FS integration with AD RMS. RMS clients earlier than RMS
Client with SP2 will not support AD FS collaboration.

New AD RMS Administrative Roles


To better delegate control of your AD RMS environment, new administrative roles have been created.
These administrative roles are local security groups that are created when the AD RMS role is installed.
Each of these administrative roles has different levels of access to AD RMS associated with them. The
new roles are AD RMS Service Group, AD RMS Enterprise Administrators, AD RMS Template
Administrators, and AD RMS Auditors.
The AD RMS Service Group holds the AD RMS service account. When the AD RMS role is added, the
service account configured during setup is added to this administrative role automatically.
The AD RMS Enterprise Administrators role allows members of this group to manage all AD RMS policies
and settings. During AD RMS provisioning, the user account installing the AD RMS server role and the
local administrators group are added to the AD RMS Enterprise Administrators role. As a best practice,
membership of this group should be restricted to only user accounts that need full AD RMS administrative
control.
The AD RMS Template Administrators role allows members of this group to manage rights policy
templates. Specifically, AD RMS Template Administrators can read cluster information, list rights policy
templates, create new rights policy templates, modify existing rights policy templates, and export rights
policy templates.
The AD RMS Auditors role allows members of this group to manage logs and reports. This is a read-only
role that is restricted to read cluster information, read logging settings, and run reports available on the
AD RMS cluster.

Why is this functionality important?


The new AD RMS administrative roles give you the opportunity to delegate AD RMS tasks without giving
full administrative control over the entire AD RMS cluster.

How should I prepare for this change?


Customers who would like to deploy AD RMS in their organization will not have to do anything to prepare
for this change. Optionally, it is recommended to create Active Directory security groups for each of these
administrative roles and add them to their respective local security groups. This will give you the ability
to scale your AD RMS deployment across several servers without having to add specific user accounts to
each AD RMS server.
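
The group nesting recommended above, written out as an added PowerShell example (not part of the original guide). It assumes the ActiveDirectory module (RSAT) on the machine running it, an existing OU "OU=AD RMS,DC=cpandl,DC=com", Windows PowerShell 5.1 or later on the AD RMS servers so that the LocalAccounts cmdlets exist, and placeholder domain group names chosen for this example.

```powershell
# Added example: delegate AD RMS administration through domain groups nested in the
# local AD RMS role groups, so scaling the cluster never requires per-user local edits.
# Assumptions: RSAT ActiveDirectory module, Domain Admin caller, the OU below exists,
# AD RMS servers run Windows PowerShell 5.1+ and accept PowerShell remoting.
Import-Module ActiveDirectory

# One domain group per local role. The domain group names are placeholders for this example.
$RoleMap = @{
    'AD RMS Enterprise Administrators' = 'CPANDL-ADRMS-EnterpriseAdmins'
    'AD RMS Template Administrators'   = 'CPANDL-ADRMS-TemplateAdmins'
    'AD RMS Auditors'                  = 'CPANDL-ADRMS-Auditors'
}
$GroupOU      = 'OU=AD RMS,DC=cpandl,DC=com'   # assumed OU
$AdRmsServers = @('ADRMS-SRV')                 # list every server in the cluster here

# 1. Create the domain groups (idempotent: skip any that already exist).
foreach ($domainGroup in $RoleMap.Values) {
    if (-not (Get-ADGroup -Filter "Name -eq '$domainGroup'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $domainGroup -SamAccountName $domainGroup `
            -GroupCategory Security -GroupScope Global -Path $GroupOU `
            -Description 'Delegated AD RMS administrative role'
    }
}

# 2. Nest each domain group into its local role group on every AD RMS server.
Invoke-Command -ComputerName $AdRmsServers -ArgumentList $RoleMap -ScriptBlock {
    param($RoleMap)
    foreach ($localGroup in $RoleMap.Keys) {
        $member  = "CPANDL\$($RoleMap[$localGroup])"
        $already = Get-LocalGroupMember -Group $localGroup -ErrorAction Stop |
            Where-Object { $_.Name -eq $member }
        if (-not $already) {
            Add-LocalGroupMember -Group $localGroup -Member $member
        }
    }
}

# 3. Least-privilege check: the Enterprise Administrators role should contain groups only,
#    not individual accounts left behind from provisioning (the installing user is added
#    to this local group automatically when the role is installed).
Invoke-Command -ComputerName $AdRmsServers -ScriptBlock {
    Get-LocalGroupMember -Group 'AD RMS Enterprise Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object {
            Write-Warning "$env:COMPUTERNAME: user $($_.Name) holds full AD RMS control directly"
        }
}
```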

What existing functionality is changing?


Earlier versions of RMS were provided as a separate installation available from the Microsoft
Download Center. For more technical information about earlier versions of RMS, see
http://go.microsoft.com/fwlink/?LinkId=68637.

Windows Server Active Directory Rights Management Services Step-by-Step Guide

Step 1: Setting up the Infrastructure


Updated: December 13, 2007

To prepare your AD RMS test environment in the CPANDL domain, you must complete the following
tasks:
Configure the domain controller (CPANDL-DC) [http://technet2.microsoft.com/WindowsServer2008/en/library/e8898839-c44c-4ce8-b81e-ea3815faa4911033.mspx#BKMK_S1]
Configure the AD RMS database computer (ADRMS-DB) [http://technet2.microsoft.com/WindowsServer2008/en/library/e8898839-c44c-4ce8-b81e-ea3815faa4911033.mspx#BKMK_S2]
Configure the AD RMS root cluster computer (ADRMS-SRV) [http://technet2.microsoft.com/WindowsServer2008/en/library/e8898839-c44c-4ce8-b81e-ea3815faa4911033.mspx#BKMK_S3]
Configure the AD RMS client computer (ADRMS-CLNT) [http://technet2.microsoft.com/WindowsServer2008/en/library/e8898839-c44c-4ce8-b81e-ea3815faa4911033.mspx#BKMK_S4]
Use the following table as a reference when setting up the appropriate computer names, operating
systems, and network settings that are required to complete the steps in this guide.
Important:

Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows
product activation while each of your computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).

Computer name | Operating system requirement | IP settings | DNS settings
CPANDL-DC | Windows Server 2003 with Service Pack 2 (SP2) or Windows Server 2008 | IP address: 10.0.0.1; Subnet mask: 255.255.255.0 | Configured by DNS server role.
ADRMS-SRV | Windows Server 2008 | IP address: 10.0.0.2; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.1
ADRMS-DB | Windows Server 2003 with SP2 | IP address: 10.0.0.3; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.1
ADRMS-CLNT | Windows Vista | IP address: 10.0.0.4; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.1

Configure the domain controller (CPANDL-DC)


Depending on your environment, you may evaluate AD RMS in Windows Server 2008 or Windows
Server 2003 domain. Use the appropriate section to configure the domain controller, depending on the

Step 2: Installing and Configuring AD RMS on ADRMS-SRV
Updated: December 13, 2007
To install and configure AD RMS, you must add the AD RMS server role.
Windows Server 2008 includes the option to install AD RMS as a server role through Server Manager.
Both installation and configuration of AD RMS are handled through Server Manager. The first server in an
AD RMS environment is the root cluster. An AD RMS root cluster is composed of one or more AD RMS
servers configured in a load-balancing environment. This step-by-step guide will install and configure a
single-server AD RMS root cluster.
Registering the AD RMS service connection point (SCP) requires that the installing user account be a
member of the Active Directory Enterprise Admins group.
Important:

Access to the Enterprise Admins group should be granted only while AD RMS is being installed. After installation is complete, the
cpandl\ADRMSADMIN account should be removed from this group.
To add ADRMSADMIN to the Enterprise Admins group

1. Log on to CPANDL-DC with the cpandl\Administrator account or another user account in the Domain Admins group.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the console tree, expand cpandl.com, double-click Users, and then double-click Enterprise Admins.
4. Click the Members tab, and then click Add.
5. Type adrmsadmin@cpandl.com, and then click OK.

Install and configure AD RMS as a root cluster.


To add the AD RMS Server Role

1. Log on to ADRMS-SRV as cpandl\ADRMSADMIN.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
Continue.
4. In the Roles Summary box, click Add Roles. The Add Roles Wizard opens.
5. Read the Before You Begin section, and then click Next.
6. On the Select Server Roles page, select the Active Directory Rights Management Services check box.
7. The Role Services page appears informing you of the AD RMS dependent role services and features. Make sure that Web
Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required
Role Services. Click Next.
8. Read the AD RMS introduction page, and then click Next.
9. On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and
then click Next.
10. Click the Create a new AD RMS cluster option, and then click Next.
11. Click the Use a different database server option.
12. Click Select, type ADRMS-DB in the Select Computer dialog box, and then click OK.
13. In Database Instance, click Default, and then click Validate.
14. Click Next.
15. Click Specify, type CPANDL\ADRMSSRVC, type the password for the account, click OK, and then click Next.
16. Ensure that the Use AD RMS centrally managed key storage option is selected, and then click Next.
17. Type a strong password in the Password box and in the Confirm password box, and then click Next.
18. Choose the Web site where AD RMS will be installed, and then click Next. In an installation that uses default settings, the
only available Web site should be Default Web Site.
19. Click the Use an SSL-encrypted connection (https://) option.
20. In the Fully-Qualified Domain Name box, type adrms-srv.cpandl.com, and then click Validate. If validation succeeds,
the Next button becomes available. Click Next.
21. Click the Choose an existing certificate for SSL encryption option, click the certificate that has been imported for this
AD RMS cluster, and then click Next.
22. Type a name that will help you identify the AD RMS cluster in the Friendly name box, and then click Next.
23. Ensure that the Register the AD RMS service connection point now option is selected, and then click Next to register the
AD RMS service connection point (SCP) in Active Directory during installation.
24. Read the Introduction to Web Server (IIS) page, and then click Next.
25. Keep the Web server default check box selections, and then click Next.
26. Click Install to provision AD RMS on the computer. It can take up to 60 minutes to complete the installation.
27. Click Close.
28. Log off the server, and then log on again to update the security token of the logged-on user account. The user account that is
logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise
Administrators local group. A user must be a member of that group to administer AD RMS.

Note:

At this point in the guide, you can remove cpandl\ADRMSADMIN from the local Administrators group on ADRMS-DB.
Your AD RMS root cluster is now installed and configured.
Further management of AD RMS is done by using the Active Directory Rights Management Services
console.
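
The post-installation cleanup that the Important note above calls for, as an added PowerShell example (not part of the original guide): it removes cpandl\ADRMSADMIN from Enterprise Admins, confirms the account kept its local AD RMS Enterprise Administrators membership, and checks that the SCP the elevation was granted for actually exists. It assumes the ActiveDirectory module on the host running it, a Domain Admin caller, PowerShell remoting to ADRMS-SRV with Windows PowerShell 5.1 or later, and the SCP location named in the comments.

```powershell
# Added example: verify and complete the least-privilege cleanup after provisioning.
# Assumptions: RSAT ActiveDirectory module, Domain Admin caller, remoting to ADRMS-SRV.
Import-Module ActiveDirectory

$InstallAccount = 'ADRMSADMIN'
$AdRmsServer    = 'ADRMS-SRV'

# Enterprise Admins lives in the forest root domain; -Recursive also catches nested membership.
$stillEA = Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq $InstallAccount }

if ($stillEA) {
    # Direct membership is removed here; nested membership is only reported, because the
    # fix belongs in whichever group carries the nesting.
    $direct = Get-ADGroupMember -Identity 'Enterprise Admins' |
        Where-Object { $_.SamAccountName -eq $InstallAccount }
    if ($direct) {
        Remove-ADGroupMember -Identity 'Enterprise Admins' -Members $InstallAccount -Confirm:$false
        Write-Output "$InstallAccount removed from Enterprise Admins."
    } else {
        Write-Warning "$InstallAccount is still in Enterprise Admins through a nested group."
    }
} else {
    Write-Output "$InstallAccount is not a member of Enterprise Admins."
}

# Enterprise Admins was needed only to register the SCP; day-to-day administration needs only
# the local AD RMS Enterprise Administrators group on the cluster, which setup populated.
$localRole = Invoke-Command -ComputerName $AdRmsServer -ScriptBlock {
    Get-LocalGroupMember -Group 'AD RMS Enterprise Administrators' |
        Select-Object -ExpandProperty Name
}
if ($localRole -contains "CPANDL\$InstallAccount") {
    Write-Output "$InstallAccount can still administer AD RMS via the local role group."
} else {
    Write-Warning "$InstallAccount is not in the local AD RMS Enterprise Administrators group."
}

# Confirm the SCP was registered. The DN below is the assumed well-known location of the
# AD RMS SCP under the Services container; adjust if your forest differs.
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpPath  = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNC"
try {
    $scp = Get-ADObject -Identity $scpPath -Properties serviceBindingInformation
    Write-Output "AD RMS SCP registered: $($scp.serviceBindingInformation)"
} catch {
    Write-Warning "No AD RMS SCP found at $scpPath; clients will not discover the cluster automatically."
}
```
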
To open the Active Directory Rights Management Services console

1. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
Continue.

From the console, you can configure trust policies, configure exclusion policies, and create rights policy
templates.

Step 3: Verifying AD RMS Functionality on ADRMS-CLNT
Updated: December 13, 2007
The AD RMS client is included in the default installation of Windows Vista and Windows Server 2008.
Previous versions of the client are available for download for some earlier versions of the Windows
operating system. For more information, see the Windows Server 2003 Rights Management Services
page on the Microsoft Windows Server TechCenter (http://go.microsoft.com/fwlink/?LinkId=68637).
Before you can consume rights-protected content, you must add the AD RMS cluster URL to the Local
Intranet security zone.
Add the AD RMS cluster URL to the Local Intranet security zone for all users who will be consuming
rights-protected content.
To add AD RMS cluster to Local Intranet security zone

1. Log on to ADRMS-CLNT as Nicole Holliday (cpandl\NHOLLIDA).
2. Click Start, click All Programs, and then click Internet Explorer.
3. Click Tools, and then click Internet Options.
4. Click the Security tab, click Local intranet, and then click Sites.
5. Click Advanced.
6. In the Add this website to the zone, type https://adrms-srv.cpandl.com, and then click Add.
7. Click Close.
8. Repeat steps 17 for Stuart Railson and Limor Henig.
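
The zone assignment made through the Internet Options dialog is stored per user, which is why the guide repeats the procedure for each of the three accounts, and the zone matters for security: Local intranet is the zone in which the client is allowed to pass the logged-on user's Windows credentials to the cluster without prompting. The following PowerShell is an added example, not part of the guide; it writes the same ZoneMap registry entry that the dialog writes for the current user and then verifies it. The cluster URL is the one used in the guide; the registry layout is the one Internet Explorer uses for its ZoneMap (registrable domain, then host label, with the URL scheme as the value name and the zone id as the value).

```powershell
# Added example (not from the guide): register the AD RMS cluster URL in the Local intranet
# zone for the current user and verify the entry. Assumes the guide's cluster URL,
# https://adrms-srv.cpandl.com, and Internet Explorer's per-user ZoneMap registry layout.

function Get-ZoneMapKey {
    # Returns the per-user registry key that holds the zone assignment for a URL's host.
    # Layout: ...\ZoneMap\Domains\<registrable domain>\<host label(s)>, value <scheme> = <zone id>
    param([Parameter(Mandatory)][string]$Url)

    $uri    = [System.Uri]$Url
    $labels = $uri.Host.Split('.')
    if ($labels.Count -lt 3) { throw "Expected host.domain.tld, got '$($uri.Host)'" }
    $domain   = $labels[-2..-1] -join '.'                    # cpandl.com
    $hostPart = $labels[0..($labels.Count - 3)] -join '.'    # adrms-srv

    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    [pscustomobject]@{
        Key    = "$base\$domain\$hostPart"
        Scheme = $uri.Scheme
    }
}

function Add-LocalIntranetSite {
    # Zone id 1 is Local intranet; the value name is the URL scheme (https).
    param([Parameter(Mandatory)][string]$Url)

    $map = Get-ZoneMapKey -Url $Url
    if (-not (Test-Path $map.Key)) { New-Item -Path $map.Key -Force | Out-Null }
    New-ItemProperty -Path $map.Key -Name $map.Scheme -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-LocalIntranetSite {
    # True when the URL's scheme is mapped to zone 1 (Local intranet) for the current user.
    param([Parameter(Mandatory)][string]$Url)

    $map = Get-ZoneMapKey -Url $Url
    if (-not (Test-Path $map.Key)) { return $false }
    $item = Get-ItemProperty -Path $map.Key -Name $map.Scheme -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.PSObject.Properties[$map.Scheme].Value -eq 1)
}

$clusterUrl = 'https://adrms-srv.cpandl.com'
Add-LocalIntranetSite -Url $clusterUrl
if (Test-LocalIntranetSite -Url $clusterUrl) {
    "$clusterUrl is in the Local intranet zone for $env:USERDOMAIN\$env:USERNAME"
} else {
    "$clusterUrl is NOT in the Local intranet zone; check the ZoneMap key or a conflicting zone policy"
}
```

Run it once in each user's own session (Nicole, Stuart and Limor), since the key lives under HKCU. Where a domain applies the Site to Zone Assignment List policy, that policy takes precedence over the per-user key, so the Test-LocalIntranetSite result should be read together with the effective policy on the client.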

To verify the functionality of the AD RMS deployment, you will log on as Nicole Holliday and then restrict
permissions on a Microsoft Word 2007 document so that members of the CP&L Engineering group are
able to read the document but unable to change, print, or copy. You will then log on as Stuart Railson,
verifying that the proper permission to read the document has been granted, and nothing else. Then, you
will log on as Limor Henig. Since Limor is not a member of the Engineering group, he should not be able
to consume the rights-protected file.
To restrict permissions on a Microsoft Word document

1. Log on to ADRMS-CLNT as Nicole Holliday (cpandl\NHOLLIDA).
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. Type CP&L engineering employees can read this document, but they cannot change, print, or copy it on the blank
document page.
4. Click the Microsoft Office Button, click Prepare, click Restrict Permission, and then click Restricted Access.
5. Click the Restrict permission to this document check box.
6. In the Read box, type engineering@cpandl.com, and then click OK to close the Permission dialog box.
7. Click the Microsoft Office Button, click Save As, and then save the file as \\ADRMS-DB\Public\ADRMS-TST.docx.
8. Log off as Nicole Holliday.

Next, log on as Stuart Railson and open the document, ADRMS-TST.docx.
To view a rights-protected document

1. Log on to ADRMS-CLNT as Stuart Railson (cpandl\SRAILSON).
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. Click the Microsoft Office Button, and then click Open.
4. In the File name box, type \\ADRMS-DB\Public\ADRMS-TST.docx, and then click Open.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to
https://adrms-srv.cpandl.com:443/_wmcs/licensing to verify your credentials and download your permission."
5. Click OK.
The following message appears: "Verifying your credentials for opening content with restricted permissions".
6. When the document opens, click the Microsoft Office Button. Notice that the Print option is not available.
7. Close Microsoft Word.
8. Log off as Stuart Railson.

Finally, log on as Limor Henig and verify that he is not able to consume the rights-protected file.
To attempt to view a rights-protected document

1. Log on to ADRMS-CLNT as Limor Henig (cpandl\LHENIG).
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. Click the Microsoft Office Button, click Open, and then double-click \\ADRMS-DB\Public\ADRMS-TST.docx.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to
https://adrms-srv.cpandl.com:443/_wmcs/licensing to verify your credentials and download your permission."
4. Click OK.
5. The following message appears: "You do not have credentials that allow you to open this document. You can request
updated permission from nhollida@cpandl.com. Do you want to request updated permission?"
6. Click No, and then close Microsoft Word.

You have successfully deployed and demonstrated the functionality of AD RMS, using the simple scenario
of applying restricted permissions to a Microsoft Word 2007 document. You can also use this deployment
to explore some of the additional capabilities of AD RMS through additional configuration and testing.


Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide
Updated: January 18, 2008

About This Guide
This step-by-step guide will assist you in using Active Directory Rights Management Services (AD RMS)
with Active Directory Federation Services (AD FS) in a test environment. Specifically, this guide will
look at how to implement AD RMS if you have also deployed AD FS in your organization and have
established a trust relationship with another organization that has not deployed AD RMS. Using the
information in this guide, you can extend the basic AD RMS deployment to use AD FS credentials to
establish trusted user accounts. This will enable you to share access to rights-protected content with
another organization without having to establish a separate trust.
In this guide, you will create a test deployment that includes the following components:
An AD FS resource partner server
An AD FS account partner server
An AD RMS server
An AD RMS database server
Two AD RMS clients
Two Active Directory domain controllers
This guide assumes that you previously completed Windows Server Active Directory Rights Management
Services Step-by-Step Guide, and that you have already deployed the following components:
An AD RMS server
An AD RMS database server
One AD RMS-enabled client
One Active Directory domain controller

What This Guide Does Not Provide
This guide does not provide the following:
An overview of AD RMS. For more information about the advantages that AD RMS can bring to your organization, see
http://go.microsoft.com/fwlink/?LinkId=84726.
Guidance for setting up and configuring AD RMS in a production environment.
Complete technical reference for AD RMS or AD FS.
Guidance for setting up AD FS with Microsoft Office SharePoint Server 2007 and AD RMS. For more information about
using identity federation with Office SharePoint Server 2007 and AD RMS, see Appendix A of the Deploying Active
Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide
(http://go.microsoft.com/fwlink/?LinkId=93136).
Deploying AD RMS with Identity Federation Support in a Test Environment
We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step
guides are not necessarily meant to be used to deploy Windows Server features without additional
deployment documentation and should be used with discretion as a stand-alone document.
Upon completion of this guide, you will have a working AD RMS and AD FS infrastructure. You can then
test and verify AD RMS and AD FS functionality as follows:

Restrict permissions on a Microsoft Word 2007 document in the CPANDL.COM domain.

Have an authorized user in the TREYRESEARCH.NET domain open and work with the document.

Have an unauthorized user in the CPANDL.COM domain attempt to open and work with the document.
The test environment described in this guide includes eight computers connected to a private network
and using the following operating systems, applications, and services:

Computer name | Operating system | Applications and services
ADRMS-SRV | Windows Server 2008 | AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing
CPANDL-DC, TREY-DC | Windows Server 2003 with Service Pack 2 (SP2) | Active Directory, Domain Name System (DNS)
ADRMS-DB | Windows Server 2003 with SP2 | Microsoft SQL Server 2005 Standard Edition with Service Pack 2 (SP2)
ADRMS-CLNT, ADRMS-CLNT2 | Windows Vista | Microsoft Office Word 2007 Enterprise Edition
ADFS-RESOURCE, ADFS-ACCOUNT | Windows Server 2008 Enterprise or Windows Server 2003 R2 Enterprise Edition | AD FS, IIS

Note:
Domain controllers running Windows 2000 Server with Service Pack 4 can be used. However, in this step-by-step guide it is
assumed that you will be using domain controllers running Windows Server 2003 with SP2.

Note:
Before installing and configuring the components in this guide, you should verify that your hardware meets the minimum
requirements for AD RMS (http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form two private intranets and are connected through a common hub or Layer 2 switch.
This configuration can be emulated in a virtual server environment, if desired. This step-by-step exercise
uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used
for the intranet. The domain controller for the domain named cpandl.com is CPANDL-DC and the domain
controller for the domain name treyresearch.net is TREY-DC. The following figure shows the configuration
of the test environment:
Step 1: Setting up the CP&L Enterprises Domain
Updated: January 18, 2008

Before you install AD FS and the AD RMS Identity Federation Support role service, you need to make
changes to the infrastructure of the CPANDL domain. In this step, you will perform the following tasks to
install the required Active Directory Federation Services resource partner and add it to the CP&L
Enterprises infrastructure.
This section includes the following procedures:
Install AD FS resource partner (ADFS-RESOURCE) [http://technet2.microsoft.com/WindowsServer2008/en/library/10d3b411-c590-4eb4-aaad-9a0a4998fcf31033.mspx#BKMK_S1_1]
Create the ADFSADMIN user account [http://technet2.microsoft.com/WindowsServer2008/en/library/10d3b411-c590-4eb4-aaad-9a0a4998fcf31033.mspx#BKMK_S1_2]
Add the ADFSADMIN user account to the local Administrators group on ADFS-RESOURCE [http://technet2.microsoft.com/WindowsServer2008/en/library/10d3b411-c590-4eb4-aaad-9a0a4998fcf31033.mspx#BKMK_S1_3]
Configure a DNS forwarder [http://technet2.microsoft.com/WindowsServer2008/en/library/10d3b411-c590-4eb4-aaad-9a0a4998fcf31033.mspx#BKMK_S1_4]
This step assumes that you have completed the Windows Server Active Directory Rights Management
Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).
Use the following table as a reference when setting up the appropriate computer names, operating
systems, and network settings that are required to complete the steps in this guide.
Important:

Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows
product activation while each of your computers still has Internet connectivity. You should also install any available critical
security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47290).

Computer name | Operating system requirement | IP settings | DNS settings
ADFS-RESOURCE | Windows Server 2003 R2 Enterprise Edition with Service Pack 2 (SP2) or Windows Server 2008 Enterprise | IP address: 10.0.0.7; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.1

Configure the AD FS resource partner (ADFS-RESOURCE)
AD RMS can use federation servers that are running either Windows Server 2003 R2 or Windows
Server 2008 Enterprise. Use one of the following sections to configure Windows Server depending on the
requirements in your organization:
Configure the Windows Server 2003 R2-based AD FS resource partner [http://technet2.microsoft.com/WindowsServer2008/en/library/10d3b411-c590-4eb4-aaad-9a0a4998fcf31033.mspx#BKMK_2003]
Configure the Windows Server 2008-based AD FS resource partner [http://technet2.microsoft.com/WindowsServer2008/en/library/10d3b411-c590-4eb4-aaad-9a0a4998fcf31033.mspx#BKMK_2008]

Configure the Windows Server 2003 R2-based AD FS resource partner
In this section you will install Windows Server 2003 R2 Enterprise Edition, configure TCP/IP properties,
add ADFS-RESOURCE to the CP&L domain, and then add the Application server role.
First, install Windows Server 2003 R2 Enterprise Edition as a stand-alone server on ADFS-RESOURCE.
Important:

Windows Server 2003 R2 Enterprise Edition is required for the federation servers.

To install Windows Server 2003 R2 Enterprise Edition

1. Start your computer by using the Windows Server 2003 R2 Enterprise Edition product CD.

2. Follow the instructions that appear on your computer screen, and when prompted for a computer
name, type ADFS-RESOURCE.

In this step configure TCP/IP properties so that ADFS-RESOURCE has a static IP address of 10.0.0.7.
To configure TCP/IP properties on ADFS-RESOURCE

1. Log on to ADFS-RESOURCE as a member of the local Administrators group.

2. Click Start, point to Control Panel, and then double-click Network Connections.

3. Right-click Local Area Connection, and then click Properties.

4. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.

5. Click the Use the following IP address option. In the IP address box, type 10.0.0.7. In the
Subnet mask box, type 255.255.255.0.

6. Click the Use the following DNS server addresses option. In the Preferred DNS server box,
type 10.0.0.1.

7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

Next, join the federation resource partner (ADFS-RESOURCE) computer to the CP&L domain:
To join ADFS-RESOURCE to CPANDL domain

1. Log on to ADFS-RESOURCE as a member of the local administrators group.

2. Click Start, right-click My Computer, and then click Properties.

3. Click Computer Name tab, and then click Change.

4. In the Computer Name Changes dialog box, click Domain, and then type cpandl.com.

5. Click More, and then type cpandl.com in the Primary DNS suffix of this computer box.

6. Click OK twice.

7. When a Computer Name Changes dialog box appears prompting you for administrative
credentials, provide the credentials, and click OK.

Step 2: Setting up the Trey Research Domain
Updated: January 18, 2008

Before you install AD FS and the AD RMS Federation Identity Support role service, you should install and
configure the Trey Research infrastructure. In this step, you will install the required computers that make
up the Trey Research domain:
Configure the domain controller (TREY-DC) [http://technet2.microsoft.com/WindowsServer2008/en/library/e3fbbda7-40a6-4f08-ae2f-c2da3cf0493f1033.mspx#BKMK_S1]
Create user accounts [http://technet2.microsoft.com/WindowsServer2008/en/library/e3fbbda7-40a6-4f08-ae2f-c2da3cf0493f1033.mspx#BKMK_S2]
Configure the federation account partner (ADFS-ACCOUNT) [http://technet2.microsoft.com/WindowsServer2008/en/library/e3fbbda7-40a6-4f08-ae2f-c2da3cf0493f1033.mspx#BKMK_S3]
Configure the AD RMS-enabled client computer (ADRMS-CLNT2) [http://technet2.microsoft.com/WindowsServer2008/en/library/e3fbbda7-40a6-4f08-ae2f-c2da3cf0493f1033.mspx#BKMK_S4]
Use the following table as reference when setting up the appropriate computer names, operating
systems, and network settings that are required to complete the steps in this guide.
Important:

Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows
product activation while each of your computers still has Internet connectivity.

Computer name | Operating system requirement | IP settings | DNS settings
TREY-DC | Windows Server 2003 with Service Pack 2 (SP2) or Windows Server 2008 | IP address: 10.0.0.30; Subnet mask: 255.255.255.0 | Configured by DNS server role.
ADFS-ACCOUNT | Windows Server 2008 Enterprise or Windows Server 2003 R2 Enterprise Edition with Service Pack 2 (SP2) | IP address: 10.0.0.31; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.30
ADRMS-CLNT2 | Windows Vista | IP address: 10.0.0.32; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.30

Configure the domain controller (TREY-DC)
Depending on your environment, you can evaluate AD RMS in either a Windows Server 2008 domain or a
Windows Server 2003 domain. Use one of the following sections depending on the domain to be used.
Configure the Windows Server 2003-based domain controller [http://technet2.microsoft.com/WindowsServer2008/en/library/e3fbbda7-40a6-4f08-ae2f-c2da3cf0493f1033.mspx#BKMK_2003_DC]
Configure the Windows Server 2008-based domain controller [http://technet2.microsoft.com/WindowsServer2008/en/library/e3fbbda7-40a6-4f08-ae2f-c2da3cf0493f1033.mspx#BKMK_2008_DC]
Step 3: Installing and Configuring AD FS
Updated: January 18, 2008

Now that you have configured the computers that will be used as
federation servers, you are ready to install Active Directory Federation
Services (AD FS) components on each of the computers. This section includes the following procedures:

Install the Federation Service on ADFS-RESOURCE and ADFS-ACCOUNT

Configure ADFS-ACCOUNT to work with AD RMS

Configure ADFS-RESOURCE to work with AD RMS

Install the Federation Service on ADFS-RESOURCE and ADFS-ACCOUNT


Use one of the following sections to install the Federation Service component of AD FS on the ADFS-
RESOURCE computer and the ADFS-ACCOUNT computer depending on the requirements in your
organization. After the Federation Service is installed on a computer, that computer becomes a
federation server.

Install Federation Service on a Windows Server 2003 R2 Enterprise Edition-based server

Install Federation Service role service on a Windows Server 2008 Enterprise-based server

Install Federation Service on a Windows Server 2003 R2 Enterprise Edition-based server
If you are running Windows Server 2003 R2 Enterprise Edition on ADFS-RESOURCE and ADFS-ACCOUNT,
use the following procedure to add the federation service. You must have a Secure Sockets Layer (SSL)
certificate installed on the computer before adding the federation service.
To install the Federation Service on a Windows Server 2003 R2 Enterprise Edition-based
computer

1. Log on to ADFS-RESOURCE with the CPANDL\ADFSADMIN account.

2. Click Start, point to Control Panel, and then click Add or Remove Programs.

3. In Add or Remove Programs, click Add/Remove Windows Components.

4. In the Windows Components Wizard, click Active Directory Services, and then click Details.
5. In the Active Directory Services dialog box, click Active Directory Federation Services
(ADFS), and then click Details.

6. In the Active Directory Federation Services (ADFS) dialog box, select the Federation
Service check box, and then click OK. If Microsoft ASP.NET 2.0 was not previously enabled, click
Yes to enable it, and then click OK.

7. In the Active Directory Services dialog box, click OK.

8. In the Windows Components Wizard, click Next.

9. On the Federation Service page, click the Select token certificate option, and select the
certificate that should be used as the token signing certificate.

10. Under Trust policy, click Create a new trust policy, and then click Next.

11. If you are prompted for the location of the installation files, insert the Windows Server 2003 R2
Enterprise Edition product disc, and then click OK.

12. On the Completing the Windows Components Wizard page, click Finish.

13. Log on to ADFS-ACCOUNT as TREYRESEARCH\ADFSADMIN.

14. Repeat steps 2 through 12 for the ADFS-ACCOUNT computer using the TREYRESEARCH\ADFSADMIN user
account.

Install Federation Service role service on a Windows Server 2008 Enterprise-based server
If you are running Windows Server 2008 Enterprise on ADFS-RESOURCE and ADFS-ACCOUNT, use the
following procedure to add the Federation Service role service by using Server Manager:
To add the Federation Service role service on a Windows Server 2008 Enterprise-based
computer

1. Log on to ADFS-RESOURCE with the CPANDL\ADFSADMIN.

2. Click Start, point to Administrative Tools, and then click Server Manager.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.

4. Click Add Roles.

5. On the Before You Begin page, click Next.

6. On the Select Server Roles page, click Active Directory Federation Services.

7. Click Next.

8. On the Introduction to AD FS page, click Next.

9. On the Select Role Services page, select the Federation Service check box. If you are
prompted to install additional role services, click Add Required Role Services, and then click
1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand Partner Organizations.

2. Right-click Resource Partners, point to New, and then click Resource Partner.

3. On the Welcome to the Add Resource Partner Wizard page, click Next.

4. Select the No option on the Import Policy File page, and then click Next.

5. On the Resource Partner Details page, in the Display name box, type CP&L Enterprises.

6. In the Federation Service URI box, type urn:federation:cpandl.com.

Note:

The Federation Service URI value is case sensitive.

7. In the Federation Service endpoint URL box, type https://adfs-resource.cpandl.com/adfs/ls/, and then click Next.

8. On the Federation Scenario page, click the Federated Web SSO option, and then click Next.

9. Select the UPN Claim and E-mail Claim check boxes, and then click Next.

10. Click the Pass all UPN suffixes through unchanged option, and then click Next.

11. Click the Pass all E-mail suffixes through unchanged option, and then click Next.

12. Ensure that the Enable this resource partner check box is checked, and then click Next.

13. Click Finish.

14. Right-click the new CP&L Enterprises resource partner, point to New, and then click Outgoing
Custom Claim Mapping.

15. In the Outgoing custom claim name box, type ProxyAddresses, and then click OK.

16. Close the Active Directory Federation Services console.

Configure ADFS-RESOURCE to Work with AD RMS
The ADFS-RESOURCE computer is a member of the CPANDL domain and receives AD RMS requests from
the TREYRESEARCH domain. In this section, you configure the AD FS trust policy, create a custom claim
for the ProxyAddresses Active Directory attribute, add an Active Directory Account Store, add AD RMS as
a Claims-aware application, and configure a resource partner.
First, configure the ADFS-RESOURCE computer trust policy for the federation service in the CPANDL
domain.
To configure the trust policy on the AD FS resource partner (ADFS-RESOURCE)
1. Log on to ADFS-RESOURCE with the CPANDL\ADFSADMIN account or another user account in the
local Administrators group.

2. Click Start, point to Administrative Tools, and then click Active Directory Federation
Services.

3. Expand Federation Service, right-click Trust Policy, and then click Properties.

4. In the Federation Service URI box, type urn:federation:cpandl.com.

Note:

The Federation Service URI value is case sensitive.

5. In the Federation Service endpoint URL box, confirm that https://ADFS-RESOURCE.cpandl.com/adfs/ls/ is shown.

6. On the Display Name tab, in Display name for this trust policy, type CP&L Enterprises, and
then click OK.

Next, create a custom claim that will be used with AD RMS.
To create a custom claim

1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand My Organization.

2. Right-click Organization Claims, point to New, and then click Organization Claim.

3. In the Claim name box, type ProxyAddresses.

Note:

The claim name value is case-sensitive.

4. Click the Custom claim option, and then click OK.

Next, add an Active Directory account store to the Federation Service for the CPANDL domain.
To add an Active Directory account store to ADFS-RESOURCE

1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand My Organization.

2. Right-click Account Stores, point to New, and then click Account Store.

3. On the Welcome to the Add Account Store Wizard page, click Next.

4. On the Account Store Type page, select the Active Directory Domain Services option, and
then click Next.
Note:

On Windows Server 2003 R2 Enterprise Edition, this option is called Active Directory.

5. On the Enable this Account Store page, select the Enable this account store check box, and
then click Next.

6. On the Completing the Add Account Store Wizard page, click Finish.

7. Double-click the E-mail organization claim, select the Enabled check box, type mail in the LDAP
attribute box, and then click OK.

8. Right-click the Active Directory account store, point to New, and then click Custom claim
extraction.

9. In the Attribute box, type ProxyAddresses, and then click OK.
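
The account store procedure above ties two claims to directory attributes: the E-mail organization claim is filled from the mail attribute, and the ProxyAddresses custom claim from the proxyAddresses attribute. A federated user whose account is missing either attribute will arrive at AD RMS without the claim, so it is worth checking the accounts before testing. The following PowerShell is an added example, not part of the guide: it reads those attributes for a set of accounts with System.DirectoryServices and reports which claim source is empty. The search root and the sAMAccountNames are constructed for the example (the guide's CP&L users are used here; point SearchRoot at treyresearch.net and pass that domain's users to check the account partner side); the LDAP filter escaping is a defensive addition so that an account name cannot alter the query.

```powershell
# Added example (not from the guide): read the attributes the AD FS account store extracts
# for AD RMS (mail -> E-mail claim, proxyAddresses -> ProxyAddresses custom claim) and flag
# accounts where either is empty. Search root and account names are constructed for the example.

Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves in filter values so the name cannot change the filter.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-AdRmsClaimAttributes {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$SearchRoot = 'LDAP://DC=cpandl,DC=com'   # assumed; use the domain under test
    )

    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $safeName = ConvertTo-LdapFilterValue -Value $SamAccountName
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('userPrincipalName', 'mail', 'proxyAddresses'))

    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }

    # Property names come back lower-cased; an attribute with no value is simply absent.
    $props = $result.Properties
    $get = { param($name) if ($props.Contains($name)) { @($props[$name]) } else { @() } }

    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        UserPrincipalName = (& $get 'userprincipalname') -join ''
        Mail              = (& $get 'mail') -join ''
        ProxyAddresses    = @(& $get 'proxyaddresses')
    }
}

function Test-AdRmsClaimAttributes {
    # One line per account: OK with the values AD FS will emit, or the missing claim source.
    param(
        [Parameter(Mandatory)][string[]]$SamAccountNames,
        [string]$SearchRoot = 'LDAP://DC=cpandl,DC=com'
    )

    foreach ($sam in $SamAccountNames) {
        $u = Get-AdRmsClaimAttributes -SamAccountName $sam -SearchRoot $SearchRoot
        if ($null -eq $u) { "{0}: account not found" -f $sam; continue }

        $missing = @()
        if (-not $u.Mail)                  { $missing += 'mail (E-mail claim)' }
        if ($u.ProxyAddresses.Count -eq 0) { $missing += 'proxyAddresses (ProxyAddresses claim)' }

        if ($missing.Count -eq 0) {
            "{0}: OK  upn={1}  mail={2}  proxyAddresses={3}" -f $sam, $u.UserPrincipalName, $u.Mail, ($u.ProxyAddresses -join ';')
        } else {
            "{0}: MISSING {1}" -f $sam, ($missing -join ', ')
        }
    }
}

# The three test users from the guide (constructed input for this example).
Test-AdRmsClaimAttributes -SamAccountNames @('NHOLLIDA', 'SRAILSON', 'LHENIG')
```

Run it as a domain user with read access to the accounts; no elevated rights are needed. A MISSING line for proxyAddresses is the usual cause of a federated user being refused by AD RMS even though AD FS issued a token, so the check belongs before the Word-based verification at the end of the guide.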

Next, add the AD RMS certification pipeline as a claims-aware application.
To add the AD RMS certification pipeline as a claims-aware application

1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand My Organization.

2. Right-click Applications, point to New, and then click Application.

3. On the Welcome to the Add Application Wizard page, click Next.

4. On the Application Type page, select the Claims-aware application option, and then click
Next.

5. In the Application display name box, type AD RMS Certification.

6. In the Application URL box, type https://adrms-srv.cpandl.com/_wmcs/certificationexternal/, and then click Next.

Note:

The application URL is case sensitive and the name of the AD RMS extranet cluster should match
the return URL value of the ADRMS-SRV computer exactly. If the values do not match, AD FS
functionality will not work.

7. On the Accepted Identity Claims page, select the User principal name (UPN) and E-mail
check boxes, and then click Next.

8. On the Enable this Application page, select the Enable this application check box, and then
click Next.

9. On the Completing the Add Application Wizard page, click Finish.

10. In the task pane, double-click ProxyAddresses, select the Enabled check box, and then click
OK.
Use the following procedure to add the AD RMS licensing pipeline as a claims-aware application.
To add AD RMS licensing as a claims-aware application

1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand My Organization.

2. Right-click Applications, point to New, and then click Application.

3. On the Welcome to the Add Application Wizard page, click Next.

4. On the Application Type page, select the Claims-aware application option, and then click
Next.

5. In the Application display name box, type AD RMS Licensing.

6. In the Application URL box, type https://adrms-srv.cpandl.com/_wmcs/licensingexternal/, and then click Next.

Note:

The application URL is case sensitive and the computer name in the URL should match the return
URL value of the ADRMS-SRV computer exactly. If the values do not match, AD FS functionality
will not work.

7. On the Accepted Identity Claims page, select the User principal name (UPN) and E-mail
check boxes, and then click Next.

8. On the Enable this Application page, click the Enable this application check box, and then
click Next.

9. On the Completing the Add Application Wizard page, click Finish.

10. In the task pane, double-click ProxyAddresses, click the Enabled check box, and then click OK.

Next, add an account partner to ADFS-RESOURCE. This account partner receives requests from the
ADFS-ACCOUNT computer in the TREYRESEARCH domain.
To add an account partner to ADFS-RESOURCE

1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand Partner Organizations.

2. Right-click Account Partners, point to New, and then click Account Partner.

3. On the Welcome to the Add Account Partner Wizard page, click Next.

4. On the Import Policy File page, click the No option, and then click Next.

5. On the Resource Partner Details page, in the Display name box, type Trey Research.

6. In the Federation Service URI box, type urn:federation:treyresearch.net.

7. In the Federation Service endpoint URL box, type https://adfs-account.treyresearch.net/adfs/ls/, and then click Next.

8. On the Account Partner Verification page, type the path where the token signing certificate is
stored, and then click Next.

9. Select the Federated Web SSO option, and then click Next.

10. Select the UPN Claim and E-mail Claim check boxes, and then click Next.

11. On the Accepted UPN Suffixes page, type treyresearch.net, click Add, and then click Next.

12. On the Accept E-mail Suffixes page, type treyresearch.net, click Add, and then click Next.

13. Verify that the Enable this account partner check box is selected, and then click Next.

14. Click Finish.

15. Right-click the Trey Research account partner, point to New, and then click Incoming Custom
Claim Mapping.

16. In the Incoming custom claim name box, type ProxyAddresses, and then click OK.

17. Close the Active Directory Federation Services console.


Step 4: Configuring ADRMS-SRV to Work with AD FS
Updated: January 18, 2008

Windows Server 2008 includes the option to install identity federation support for AD RMS as a role
service through Server Manager. This step of the guide covers the following tasks:
Grant security audit privileges to the AD RMS service account [http://technet2.microsoft.com/WindowsServer2008/en/library/6980c8d3-1ec4-4003-8ad9-861a7bb66a1c1033.mspx#BKMK_S1_3]
Add the AD RMS extranet cluster URLs [http://technet2.microsoft.com/WindowsServer2008/en/library/6980c8d3-1ec4-4003-8ad9-861a7bb66a1c1033.mspx#BKMK_S1_4]
Add the AD RMS Identity Federation Support role service [http://technet2.microsoft.com/WindowsServer2008/en/library/6980c8d3-1ec4-4003-8ad9-861a7bb66a1c1033.mspx#BKMK_S1_5]
Enable Identity Federation Support in the Active Directory Rights Management Services console [http://technet2.microsoft.com/WindowsServer2008/en/library/6980c8d3-1ec4-4003-8ad9-861a7bb66a1c1033.mspx#BKMK_S1_7]

Grant security audit privileges to the AD RMS service account
The AD RMS service account must be able to generate security audit events when using AD FS.
To grant security audit privileges to the AD RMS service account

1. Log on to ADRMS-SRV with the cpandl\Administrator account.

2. Click Start, point to Administrative Tools, and then click Local Security Policy.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.

4. Expand Local Policies, and then click User Rights Assignment.

5. Double-click Generate security audits.

6. Click Add User or Group.

7. Type cpandl\adrmssrvc, and then click OK.

8. Click OK to close the Generate security audits properties sheet.
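
The Generate security audits right is the SeAuditPrivilege user right, which lets a process write its own events to the Security log; it is a sensitive right, so a reviewer wants to confirm not only that cpandl\adrmssrvc received it but also who else holds it. The following PowerShell is an added example, not part of the guide: it exports the effective User Rights Assignment with secedit, resolves the SIDs listed for the right back to account names, and reports whether the service account named in the guide is among them. It assumes an elevated prompt on ADRMS-SRV (secedit needs it) and that no domain Group Policy later overrides the local setting.

```powershell
# Added example (not from the guide): list the accounts holding a user right from the
# effective local security policy and confirm the AD RMS service account from the guide
# (cpandl\adrmssrvc) holds "Generate security audits" (SeAuditPrivilege).

function Get-PrivilegeHolders {
    param([Parameter(Mandatory)][string]$Privilege)

    $inf = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area; the [Privilege Rights] section lists
        # each right as "<name> = *<SID>,*<SID>,..." (secedit writes a Unicode .inf file).
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }

        $line = Get-Content $inf | Where-Object { $_ -match "^\s*$Privilege\s*=" } | Select-Object -First 1
        if (-not $line) { return @() }   # right assigned to nobody

        $ids = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($id in $ids) {
            if ($id.StartsWith('*')) {
                # Stored as *SID; translate to DOMAIN\name where the SID still resolves.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($id.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $id }
            } else {
                $id
            }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Test-AccountHasPrivilege {
    param(
        [Parameter(Mandatory)][string]$Account,       # DOMAIN\name
        [string]$Privilege = 'SeAuditPrivilege'       # "Generate security audits"
    )

    $holders = @(Get-PrivilegeHolders -Privilege $Privilege)
    [pscustomobject]@{
        Account   = $Account
        Privilege = $Privilege
        Granted   = [bool]($holders | Where-Object { $_ -ieq $Account })
        Holders   = $holders   # review this list: by default only LOCAL SERVICE and NETWORK SERVICE
    }
}

Test-AccountHasPrivilege -Account 'CPANDL\adrmssrvc' | Format-List
```

Granted should be True after the procedure above; anything in Holders beyond the two built-in service accounts and the AD RMS service account is worth explaining before the server goes further.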

Add the AD RMS extranet cluster URLs
AD RMS-enabled clients consuming rights-protected content through a federated trust use the AD RMS
extranet cluster URLs to create a rights account certificate.
Caution:
The AD RMS cluster URLs must be added before the Identity Federation Support role service is added by using Server Manager. If
the cluster URLs are not added, you must edit the web.config files in the certificationexternal and licensingexternal directories
manually.
To add the AD RMS extranet cluster URLs

1. Log on to ADRMS-SRV with the CPANDL\ADRMSADMIN account.

2. Open the Active Directory Rights Management Services console. Click Start, point to
Administrative Tools, and then click Active Directory Rights Management Services.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.

4. Right-click adrms-srv.cpandl.com, and then click Properties.

5. Click the Cluster URLs tab, and then select the Extranet URLs check box.

6. For Licensing, click https://, and then type adrms-srv.cpandl.com.

7. For Certification, click https://, and then type adrms-srv.cpandl.com.

8. Click OK.


Add the AD RMS Identity Federation Support role service


Next, add the Identity Federation Support role service through Server Manager.
To add the Identity Federation Support Role Service

1. Log on to ADRMS-SRV with the CPANDL\ADRMSADMIN account.

2. Click Start, point to Administrative Tools, and then click Server Manager.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.

4. In the Roles Summary box, click Active Directory Rights Management Services, and then
click Add Role Services.

5. Select the Identity Federation Support check box. Ensure that the Claims-aware Agent is
listed as a required role service, and then click Add Required Role Services.

6. Click Next.

7. On the Configure Identity Federation Support page, type adfs-resource.cpandl.com, click
Validate, and then click Next.

8. On the Introduction to AD FS page, click Next.

9. On the AD FS Role Service page, confirm that Claims-aware Agent is selected, and then click
Next.
10. Click Install to add the Identity Federation Support role service to the ADRMS-SRV computer.

11. Click Finish.


Enable Identity Federation Support in the Active Directory Rights Management Services console
Once enabled, Identity Federation Support allows user accounts to use credentials established by a
federated trust relationship through Active Directory Federation Services (AD FS) as a basis for obtaining
a rights account certificate from an AD RMS cluster.
To enable AD RMS identity federation support in the Active Directory Rights Management
Services console

1. Log on to ADRMS-SRV with the CPANDL\ADRMSADMIN account.

2. Open the Active Directory Rights Management Services console and expand the AD RMS
cluster.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.

4. In the console tree, expand Trust Policies, and then click Federated Identity Support.

5. In the Actions pane, click Enable Federated Identity Support.

6. In the Actions pane, click Properties.

7. On the Active Directory Federation Service Policies tab, in Federated Identity Certificate
validity period, type 7. This is the number of days that federated rights account certificates are to
be valid.

8. Click OK.

2008 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy
Statement

Step 5: Verifying AD RMS Functionality


Updated: January 18, 2008
The AD RMS client is included in the default installation of Windows Vista and Windows Server 2008.
Previous versions of the client are available for download for some earlier versions of the Windows
operating systems. For more information, see the Windows Server 2003 Rights Management Services
page in the Microsoft Windows Server TechCenter (http://go.microsoft.com/fwlink/?LinkId=68637).
Before you can publish or consume rights-protected content on Windows Vista, you must add the
AD RMS cluster URL, the ADFS-RESOURCE URL, and the ADFS-ACCOUNT URL to the Internet Explorer
Local Intranet security zone of the ADRMS-CLNT2 computer. This is required to ensure that your
credentials are automatically passed from Microsoft Office Word to the AD RMS Web services.
To add AD RMS cluster URL to the Internet Explorer Local Intranet security zone

1. Log on to ADRMS-CLNT2 as Terence Philip (TREYRESEARCH\tphilip).


2. Click Start, click Control Panel, click Network and Internet, and then click Internet Options.
3. Click the Security tab, and then click Local Intranet.
4. Click Sites, and then click Advanced.
5. In the Add this website to the zone box, do the following:
1. Type https://adrms-srv.cpandl.com, and then click Add.
2. Type https://adfs-resource.cpandl.com, and then click Add.
3. Type https://adfs-account.treyresearch.net, and then click Add.
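The same three zone entries applied and then read back with Windows PowerShell, so you can confirm that only the AD RMS and AD FS hosts receive the Local Intranet mapping (the zone in which Internet Explorer passes the logged-on user's credentials automatically). This is an added example, not part of the guide; it assumes the per-user ZoneMap\Domains registry layout (one key per registrable domain, one subkey per host label, a DWORD named after the scheme, zone 1 = Local intranet) and Windows PowerShell 2.0 or later.

```powershell
# Added example (not part of the TechNet guide). Maps the three HTTPS endpoints from the
# procedure above into Internet Explorer's Local Intranet zone for the current user and then
# lists every host that currently carries that mapping, so unexpected entries stand out.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$LocalIntranetZone = 1   # IE zone id: 1 = Local intranet (automatic credential pass-through)

# Hosts from the guide: the AD RMS cluster, the resource-partner AD FS server and the
# account-partner AD FS server. Only the https scheme is mapped, never http.
$intranetHosts = @(
    'adrms-srv.cpandl.com',
    'adfs-resource.cpandl.com',
    'adfs-account.treyresearch.net'
)

function Add-LocalIntranetHost {
    param([Parameter(Mandatory = $true)][string]$HostName)

    # The zone map stores the registrable domain as a key and the host label as a subkey,
    # for example ...\Domains\cpandl.com\adrms-srv, with a value named after the scheme.
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 3) { throw "Expected host.domain.tld, got '$HostName'" }
    $domain = $labels[-2..-1] -join '.'
    $subKey = $labels[0..($labels.Count - 3)] -join '.'
    $keyPath = Join-Path (Join-Path $zoneMap $domain) $subKey

    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name 'https' -PropertyType DWord `
        -Value $LocalIntranetZone -Force | Out-Null
}

function Get-LocalIntranetHttpsHosts {
    # Walk the zone map and rebuild the host name of every key whose https value is zone 1.
    # An entry placed directly on a domain key (a wildcard for the whole domain) is reported
    # as the bare domain name.
    Get-ChildItem -Path $zoneMap -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.PSObject.Properties['https'] -and $props.https -eq $LocalIntranetZone) {
            $rel = $_.PSPath.Substring($_.PSPath.IndexOf('Domains\') + 8)   # cpandl.com\adrms-srv
            $parts = $rel.Split('\')
            [array]::Reverse($parts)
            $parts -join '.'                                               # adrms-srv.cpandl.com
        }
    }
}

foreach ($h in $intranetHosts) { Add-LocalIntranetHost -HostName $h }

# Review the result: anything mapped that is not on the intended list deserves a look,
# because those hosts also receive the user's credentials automatically.
$mapped = @(Get-LocalIntranetHttpsHosts)
$unexpected = $mapped | Where-Object { $intranetHosts -notcontains $_ }
Write-Output ("Local Intranet (https): " + ($mapped -join ', '))
if ($unexpected) { Write-Warning ("Not from this guide: " + ($unexpected -join ', ')) }
```

On a server with Internet Explorer Enhanced Security Configuration the mappings live under EscDomains instead of Domains; the guide targets a Windows Vista client, where Domains applies.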

To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday, create a Microsoft
Word 2007 document, and then restrict permissions on it so that Terence Philip is able to read the
document but is unable to change, print, or copy it. You then log on as Terence Philip, verifying that
Terence Philip can read the document but do nothing else with it.
To restrict permissions on a Microsoft Word document

1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida).


2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. Type Only Terence Philip can read this document, but cannot change, print, or copy it. Click Microsoft Office Button,
point to Prepare, point to Restrict Permission, and then click Restricted Access.
4. Click the Restrict permission to this document check box.
5. In the Read text box, type TPHILIP@TREYRESEARCH.NET, and then click OK to close the Permission dialog box.
6. Click the Microsoft Office Button, click Save As, and then save the file as \\adrms-db\public\ADRMS-TST.docx
7. Log off as Nicole Holliday.

Finally, log on as Terence Philip on ADRMS-CLNT2 in the TREYRESEARCH.NET domain and attempt to
open the document, ADRMS-TST.docx.
To view a protected document

1. Log on to ADRMS-CLNT2 as Terence Philip (TREYRESEARCH\tphilip).


2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. Click the Microsoft Office Button, click Open, and then type \\ADRMS-DB\PUBLIC\ADRMS-TST.docx. If you are
prompted for credentials, use CPANDL\Administrator.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to
https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permissions."
4. Click OK.
The following message appears: "Verifying your credentials for opening content with restricted permissions".
5. When the document opens, click Microsoft Office Button. Notice that the Print option is not available.
6. Click View Permission in the message bar. You should see that Terence Philip has been restricted to being able only to read
the document.
7. Click OK to close the My Permissions dialog box, and then close Microsoft Word.

You have successfully deployed and demonstrated the functionality of using identity federation with
AD RMS, using the simple scenario of applying restricted permissions to a Microsoft Word 2007
document. You can also use this deployment to explore some of the additional capabilities of AD RMS
through additional configuration and testing.

Creating and Deploying Active Directory Rights Management Services Rights Policy Templates Step-by-Step Guide
Updated: March 24, 2008

About this Guide


This step-by-step guide walks you through the process of creating and deploying Active Directory Rights
Management Services (AD RMS) policy templates in a test environment. During this process you create a
rights policy template, deploy this template to a client computer running Windows Vista with Service
Pack 1 (SP1) and Microsoft Office Word 2007, and verify that the client computer can rights-protect a
document by using the newly-created rights policy template.
Once complete, you can use the test lab environment to assess how AD RMS rights policy templates can
be created with Windows Server 2008 and deployed within your organization.
As you complete the steps in this guide, you will:

Create an AD RMS rights policy template.

Deploy the rights policy template.

Verify AD RMS functionality after you complete the configuration.
The goal of an AD RMS deployment is to be able to protect information, no matter where it is moved.
Once AD RMS protection is added to a digital file, the protection stays with the file. By default, only the
content owner is able to remove the protection from the file. The owner can grant rights to other users to
perform actions on the content, such as the ability to view, copy, or print the file.

What This Guide Does Not Provide


This guide does not provide the following:
Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that
AD RMS is already configured for a test environment. For more information about configuring AD RMS, see Windows
Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).

Complete technical reference for AD RMS or deploying AD RMS templates within your organization.

Deploying AD RMS in a Test Environment


We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step
guides are not necessarily meant to be used to deploy Microsoft products without accompanying
documentation and should be used with discretion as a stand-alone document. Before you start the steps
in this guide, you will need to use the steps provided in Windows Server Active Directory Rights
Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134), also in a lab environment. That guide
prepares the basic infrastructure for an AD RMS deployment, with an AD RMS cluster, AD RMS databases,
and a domain controller. This step-by-step guide builds on the previous guide, so it is important to
complete it before starting this one. On completion of this step-by-step guide, you will have a working
AD RMS cluster with a deployed rights policy template. You can then test and verify AD RMS rights policy
template functionality through the simple task of restricting permissions on a Microsoft Office Word 2007
document with the rights policy template created in this guide.
The test environment described in this guide includes three computers connected to a private network
and using the following operating systems, applications, and services:
Computer name   Operating system                               Applications and services
ADRMS-SRV       Windows Server 2008                            AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, Message Queuing (also known as MSMQ), and Windows Internal Database
CPANDL-DC       Windows Server 2003 with Service Pack 2 (SP2)  Active Directory, Domain Name System (DNS)
ADRMS-DB        Windows Server 2003 with SP2                   Microsoft SQL Server 2005 Standard Edition
ADRMS-CLNT      Windows Vista with SP1                         Microsoft Office Word 2007 Enterprise Edition
The computers form a private intranet and are connected through a common hub or Layer 2 switch. This
configuration can be emulated in a virtual server environment if desired. This step-by-step exercise uses
private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for
the intranet. The domain controller is named CPANDL-DC for the domain named cpandl.com.
The following figure shows the configuration of the test environment:

Step 1: Creating an AD RMS Rights Policy Template
Updated: March 24, 2008
To ease administration of the rights policy templates, AD RMS in Windows Server 2008 introduced a
rights policy template creation wizard. To ease distribution of rights policy templates, AD RMS has also
introduced a new rights policy template distribution pipeline. This new pipeline allows an AD RMS client
to request rights policy templates stored on the AD RMS cluster and store them locally on the client
computer. This functionality is available only with AD RMS clients in Windows Vista with Service Pack 1
(SP1) and Windows Server 2008.
For AD RMS clients that are not running Windows Vista with SP1 or Windows Server 2008, you must
distribute the rights policy templates from a central location to the client. Some distribution methods
include using Systems Management Server, Group Policy, or manually copying the templates to the client
computer.
This guide will demonstrate both the new template distribution and a manual distribution method. Manual
distribution includes exporting the rights policy templates that are stored in the AD RMS configuration
database to a shared folder on your network and then copying the rights policy templates to the client
computer. This guide uses the shared folder that was created in the Windows Server Active Directory
Rights Management Services Step-by-Step guide.
Note:

The AD RMS service account must have Write access to the rights policy template shared folder in order for the rights policy
template export function to work correctly.
To create a new AD RMS rights policy template

1. Log on to ADRMS-SRV as cpandl\ADRMSADMIN.


2. Open the Active Directory Rights Management Services Administration console. Click Start, point to Administrative
Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
Continue.
4. In the Active Directory Rights Management Services Administration console, expand the cluster name.
5. Right-click Rights Policy Templates, and then click Properties.
6. Select the Enable export check box, type \\adrms-db\public in the Specify templates file location (UNC) box, and then
click OK.
7. In the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy
Template wizard.
8. Click Add.
9. In the Language box, choose the appropriate language for the rights policy template.
10. Type CPANDL.COM CC in the Name box.
11. Type CPANDL.COM Company Confidential in the Description box, and then click Add.
12. Click Next.
13. Click Add, type employees@cpandl.com in The e-mail address of a user or group box, and then click OK.
14. Select the View check box to grant the EMPLOYEES@CPANDL.COM group Read access to any document created by
using this AD RMS rights policy template.
15. Click Finish.

Note:

AD RMS in Windows Server 2008 introduces the concept of distributed and archived rights policy templates. Through the Active
Directory Rights Management Services console, you can select rights policy templates to distribute to client computers and archive
the rights policy templates that should not be distributed. An archived rights policy template allows the AD RMS server to generate
end user licenses for rights-protected content that has a publishing license generated from that template. By default, a rights policy
template is distributed. A rights policy template should not be deleted because any content protected by that rights policy template
will not be accessible.


Step 2: Configuring the AD RMS client


Updated: March 24, 2008

The AD RMS client is included in the default installation of Windows Vista, Windows Vista with Service
Pack 1, and Windows Server 2008. Previous versions of the client are available for download for other
Windows operating systems. However, only AD RMS clients running Windows Vista with SP1 or Windows
Server 2008 support automatic rights policy template distribution.
Note:

Windows Vista Service Pack 1 can be downloaded from Windows Update (http://go.microsoft.com/fwlink/?LinkID=37392)
for a single computer or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=114577) for multiple computers.
This guide assumes that an AD RMS cluster is already configured in a test environment. Additionally,
extra configuration is required on the AD RMS client workstation so that the rights policy templates are
accessible.

Distribute Rights Policy Template by using AD RMS Rights Policy Template Distribution
The AD RMS client requests rights policy templates from the AD RMS cluster by using a scheduled task,
which is configured to query the template distribution pipeline on the AD RMS cluster.
Two scheduled tasks are available: automated or manual. The automated scheduled task is configured to
run up to one hour after a user logs on to the computer and every morning at 3:00 A.M., but this
scheduled task is disabled by default. You can enable and change the default configuration by using the
Task Scheduler control panel. After the scheduled task is enabled, you must configure a registry entry so
that Microsoft Office 2007 can locate the directory in which the rights policy templates are stored.
Note:

The automated scheduled task works only on computers that are joined to your organization's domain. The manual scheduled task
should be used for users with a domain account who are using a client computer that is not joined to your organization's domain. In
order for the manual scheduled task to work, you must configure the Enterprise Publishing client registry override found in the
following registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing.
To enable the automated scheduled task

1. Log on to ADRMS-CLNT as cpandl\administrator.

2. Click Start, and then click Control Panel.

3. Double-click Administrative Tools, and then double-click Task Scheduler.

4. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.

5. Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active
Directory Rights Management Services Client.
6. Right-click AD RMS Rights Policy Template Management (Automated), and then click
Enable.

7. Close Task Scheduler.

Note:

The automated scheduled task can also be enabled from the command prompt or through
Systems Management Server or Group Policy by using the following command: schtasks
/Change /TN "\Microsoft\Windows\Active Directory Rights Management Services
Client\AD RMS Rights Policy Template Management (Automated)" /ENABLE.

8. Click Start, type regedit.exe in the Start Search box, and then press ENTER.

9. Expand the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM

Note:

If DRM was not already created as a part of the key, you must create it manually. For Microsoft
Office 2003, the registry entry is as follows:
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\DRM.

10. Right-click DRM, click New, and then click Expandable String Value.

11. In the Value name box, type AdminTemplatePath, and then press ENTER.

12. Double-click the AdminTemplatePath registry value and type %LocalAppData%\Microsoft\DRM\Templates
in the Value data box, and then click OK.

13. Close Registry Editor.

Important:

If you are using a 64-bit version of Windows, you must also configure this registry entry in the following location:
HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\MSDRM.
Next, you should log on as Nicole Holliday (cpandl\nhollida) on ADRMS-CLNT, wait for about an hour, and
check the following directory:
%LocalAppData%\Microsoft\DRM\Templates
where %LocalAppData% equals C:\Users\nhollida\AppData\Local. Once the rights policy template is
copied to the client, you are ready to continue to step 3 of this guide.
Note:

The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs.
Instead, it checks the updateFrequency registry entry. This registry entry specifies the time interval (in days) after which the client
should update its rights policy templates. The default, when the registry entry is not present, is to check for new, deleted, or modified
rights policy templates every 30 days. The registry entry is found at the following location:
HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also
configure the updateIfLastUpdatedBeforeTime entry, which forces the client computer to update its rights policy templates.
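The client-side part of automatic template distribution (steps 6 through 13 above, plus the updateFrequency policy value from the note) as a Windows PowerShell script that also reports whether templates have arrived. This is an added example, not code from the guide; it assumes Office 2007 (the 12.0 key), that updateFrequency is stored as a DWORD number of days, that delivered templates appear as files in the configured folder, and Windows PowerShell 2.0 or later.

```powershell
# Added example (not part of the TechNet guide). Configures an AD RMS client for automatic
# rights policy template distribution the way the procedure above does by hand, then checks
# whether templates have been delivered. Run it in the session of the user who will publish
# protected content: every setting here lives under HKEY_CURRENT_USER.

# Locations named in the guide. The Office key is version specific: 12.0 is Office 2007,
# 11.0 is Office 2003 (see the note under step 9).
$officeDrmKey   = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$templatePolicy = 'HKCU:\Software\Policies\Microsoft\MSDRM\TemplateManagement'
$managedFolder  = '%LocalAppData%\Microsoft\DRM\Templates'   # filled by the scheduled task
$taskName = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'

function Enable-TemplateDistributionTask {
    # Same schtasks command the guide's note gives for the command prompt. The task is
    # disabled by default; once enabled it runs within an hour of logon and at 3:00 A.M.
    & schtasks.exe /Change /TN $taskName /ENABLE | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Change failed with exit code $LASTEXITCODE" }
}

function Set-AdminTemplatePath {
    param([string]$Path = $managedFolder)
    # REG_EXPAND_SZ (ExpandString) so that %LocalAppData% resolves per user at run time;
    # this is the Expandable String Value created in steps 10 through 12.
    if (-not (Test-Path $officeDrmKey)) { New-Item -Path $officeDrmKey -Force | Out-Null }
    New-ItemProperty -Path $officeDrmKey -Name 'AdminTemplatePath' -PropertyType ExpandString `
        -Value $Path -Force | Out-Null
}

function Set-TemplateUpdateFrequency {
    param([ValidateRange(1, 365)][int]$Days)
    # Interval in days between queries of the template distribution pipeline. The guide gives
    # the default (30 days when absent) but not the value type; a DWORD is assumed here.
    if (-not (Test-Path $templatePolicy)) { New-Item -Path $templatePolicy -Force | Out-Null }
    New-ItemProperty -Path $templatePolicy -Name 'updateFrequency' -PropertyType DWord `
        -Value $Days -Force | Out-Null
}

function Get-DeliveredTemplates {
    # Resolve the configured AdminTemplatePath and list the files in it. The registry
    # provider already expands REG_EXPAND_SZ values; expanding again is harmless.
    $configured = (Get-ItemProperty -Path $officeDrmKey -Name 'AdminTemplatePath').AdminTemplatePath
    $folder = [Environment]::ExpandEnvironmentVariables($configured)
    if (-not (Test-Path $folder)) { return @() }
    Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer } |
        Select-Object -ExpandProperty Name
}

Enable-TemplateDistributionTask
Set-AdminTemplatePath                      # the managed folder, as in step 12
Set-TemplateUpdateFrequency -Days 7        # lab choice: refresh weekly instead of every 30 days

$delivered = @(Get-DeliveredTemplates)
if ($delivered.Count -eq 0) {
    Write-Output "No templates in $managedFolder yet; the task runs within an hour of logon."
} else {
    Write-Output ("Templates delivered: " + ($delivered -join ', '))
}
```

For the manual distribution procedure that follows, call Set-AdminTemplatePath with the Templates_Manual folder instead and skip Enable-TemplateDistributionTask, so the managed folder is never mixed with hand-copied templates.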
Distribute Rights Policy Template Manually
You can still distribute rights policy templates manually through other methods, such as Systems
Management Server and Group Policy. This is required for all AD RMS clients that are not running
Windows Vista with SP1 or Windows Server 2008. To do this, you must configure an export location for
the rights policy templates as described in Step 1 of this guide. The rights policy templates exported to
this shared folder must be copied to the folder specified in the AdminTemplatePath registry entry, as
described in the previous procedure named To enable the automated scheduled task.
Note:

When distributing rights policy templates manually, you should not use the %LocalAppData%\Microsoft\DRM\Templates folder.
If you later enable automatic rights policy template distribution, there will be a conflict because the AD RMS cluster will not
recognize or manage the templates in this folder that were deployed manually.
To distribute a rights policy template manually

1. Log on to ADRMS-CLNT as Nicole Holliday (nhollida@cpandl.com).

2. Click Start, type regedit.exe in the Start Search box, and then press ENTER.

3. Expand the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM

Note:

If DRM was not already created as a part of the key, you must create it manually.

4. Right-click DRM, click New, and then click Expandable String Value.

5. For the name, type AdminTemplatePath, and then press ENTER.

6. Double-click the AdminTemplatePath registry value and type %LocalAppData%\Microsoft\DRM\Templates_Manual
in the Value data box, and then click OK.

7. Close Registry Editor.

8. Verify that the path C:\Users\nhollida\AppData\Local\Microsoft\DRM\Templates\ is valid. If it is not,
create the appropriate folders.

9. Click Start, type \\ADRMS-DB\Public in the Start Search box, and then press ENTER.

10. Copy the exported AD RMS rights policy templates from \\ADRMS-DB\Public to
C:\Users\nhollida\AppData\Local\Microsoft\DRM\Templates_Manual.

Step 3: Verifying AD RMS Functionality using ADRMS-CLNT
Updated: March 24, 2008
To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday and then restrict
permissions on a Microsoft Word 2007 document by using the AD RMS rights policy template created
earlier in this guide. This policy gives CP&L employees the ability to read the document but not to
change, print, or copy. All other people have no access at all to the document. You then log on as Stuart
Railson and verify that Stuart Railson, a member of the Employees group at CP&L, cannot print the
document.
To restrict permissions on a Microsoft Word 2007 document

1. Log on to ADRMS-CLNT as Nicole Holliday (nhollida@cpandl.com).


2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.
3. Type CP&L Employees cannot print this document on the blank document page, click the Microsoft Office button, point
to Prepare, point to Restrict Permission, and then click CPANDL CC.
4. Click the Microsoft Office button, click Save As, and then save the file as \\ADRMS-DB\public\ADRMS-TST.docx.
5. Log off as Nicole Holliday.

Next, log on as Stuart Railson and open the document, ADRMS-TST.docx.


To view a protected document

1. Log on as Stuart Railson (srailson@cpandl.com).


2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. Click the Microsoft Office button, click Open, navigate to \\ADRMS-DB\public, and then double-click ADRMS-TST.docx.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to
https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permission."
4. Click OK.
The following message appears: "Verifying your credentials for opening content with restricted permissions"
5. When the document opens, click the Microsoft Office button. Notice that the Print option is not available.
6. Click View Permission in the message bar. You should see that AD RMS rights policy template has been applied to this
document.
7. Click OK to close the My Permissions dialog box, and then close Microsoft Word.

You have successfully deployed and demonstrated the rights templates policy feature of AD RMS, using
the simple scenario of applying a rights policy template to a Microsoft Word 2007 document. You can also
use this deployment to explore some of the additional capabilities of AD RMS through additional
configuration and testing.

Deploying Active Directory Rights Management Services in an Extranet Step-by-Step Guide
Updated: May 18, 2007

About this Guide


This step-by-step guide walks you through the process of configuring Active Directory Rights
Management Services (AD RMS) in a test environment that includes an extranet. An extranet is an
extension of your organization's network to an external source. In this guide, the AD RMS cluster is
extended to the Internet so that users can consume rights-protected content when not connected to the
internal network. During this process, you install Microsoft Internet Security and Acceleration (ISA)
Server 2006 Standard Edition, integrate it with AD RMS, and verify that you can open a rights-protected
document from a computer that is not a member of your organizational network.
Once complete, you can use the test AD RMS lab environment to assess how AD RMS on
Windows Server 2008 can be created and deployed within your organization to accommodate for
extranet users.
As you complete the steps in this guide, you will:

Install and configure ISA Server 2006 Standard Edition with AD RMS.

Verify AD RMS functionality after you complete the configuration.
Note:

ISA Server 2006 Standard Edition is not required for AD RMS. Any reverse proxy server that has the ability to listen on TCP
ports 80 and 443 can be used. For the purposes of this guide, we will use ISA Server 2006 Standard Edition.

What This Guide Does Not Provide


This guide does not provide the following:
Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that
AD RMS is already configured for a test environment. For more information about configuring AD RMS, see the Windows
Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).
Complete technical reference for AD RMS or Microsoft ISA Server 2006 Standard Edition. For more information about
Microsoft ISA Server 2006 Standard Edition, visit the ISA Server 2006 Technical Library (http://go.microsoft.com/fwlink/?LinkId=90738).
Deploying AD RMS in a Test Environment
We recommend that you use the steps provided in the "Windows Server Active Directory Rights
Management Services Step-by-Step Guide" before completing the steps in this guide. Step-by-step
guides are not necessarily meant to be used to deploy Windows Server features without additional
documentation and should be used with discretion as a stand-alone document.
Upon completion of this Step-by-Step guide, you will have a working AD RMS test lab environment
configured for use in an extranet scenario. You can then test and verify AD RMS extranet functionality
through the simple task of restricting permissions on a Microsoft Office Word 2007 document and
attempting to open this document from a client computer that is not part of your organization's network.
The test environment described in this guide includes six computers that use the following operating
systems, applications, and services:
Note:

You will also need a USB flash drive or another medium to copy the files from the AD RMS-enabled client to the AD RMS-
enabled extranet client.

Computer name   Operating system                               Applications and services
ADRMS-SRV       Windows Server 2008                            AD RMS, Internet Information Services (IIS) 7.0, Message Queuing, and Windows Internal Database
CPANDL-DC       Windows Server 2003 with Service Pack 1 (SP1)  Active Directory, Domain Name System (DNS)
ADRMS-DB        Windows Server 2003 with SP1                   Microsoft SQL Server 2005 Standard Edition
ISA-SRV         Windows Server 2003 with SP1                   Microsoft ISA Server 2006 Standard Edition
ADRMS-CLNT      Windows Vista                                  Microsoft Office Word 2007 Enterprise Edition
ADRMS-EXCLNT    Windows Vista                                  Microsoft Office Word 2007 Enterprise Edition

Note:

ISA-SRV must have two network adapters so that ISA Server 2006 can distinguish between the public and
private IP addresses.
The first five computers in the table form a private intranet and are connected through a common hub or
Layer 2 switch. Additionally, ISA-SRV has a second network adapter installed that is exposed to the
Internet. This allows for the ISA Server to accept requests from the Internet and forward them to the
AD RMS server. ADRMS-EXCLNT is a computer that is not part of the same network. This configuration
can be emulated in a virtual server environment if desired.
This step-by-step exercise uses private addresses throughout the test lab configuration. The private
network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the
domain named cpandl.com. ADRMS-EXCLNT is configured with an IP address of 10.0.100.2/24 in order
to simulate a client computer on an extranet. The following figure shows the configuration of the test
environment:

Note: In a production environment, the ISA server's external address would be an IP address available to the Internet, giving extranet users the ability to consume rights-protected content.
2008 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement

Windows Server 2008 Technical Library > Active Directory Rights Management Services > Getting Started: AD RMS > Deploying Active Directory Rights Management Services in an Extranet Step-by-Step Guide

Step 1: Configuring AD RMS to Work in an Extranet
Updated: May 18, 2007
In addition to the steps outlined in the "Windows Server Active Directory Rights Management Services
Step-by-Step Guide," you must also do the following:
Configure the extranet cluster URL in the Active Directory Rights Management Services console.
Export the server authentication certificate, including the private key, on ADRMS-SRV. This will be imported into the
Personal certificate store on the ISA server (ISA-SRV).
In order for users who are not connected to your organization's internal network to consume rights-
protected content, you must configure the AD RMS extranet cluster URLs. These URLs are included in the
AD RMS client licensor certificate and published with all rights-protected content. These URLs should be
an address that is available to all computers on the Internet.
Note: You must configure the extranet cluster URLs before you can rights-protect content. If you already have rights-protected content, the AD RMS-enabled client must download a new client licensor certificate that includes the extranet cluster URL.
Configuring the extranet cluster URLs is done through the Active Directory Rights Management Services
console. You should follow these steps to accomplish this task:
To configure the AD RMS extranet cluster URLs
1. Log on to ADRMS-SRV as CPANDL\ADRMSADMIN.
2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
Continue.
4. Right-click ADRMS-SRV (Local), and then click Properties.
5. Click the Cluster URLs tab, and then select the Extranet URLs check box.
6. In the Licensing box, select https://, and then type adrms-srv.cpandl.com.
7. In the Certification box, select https://, and then type adrms-srv.cpandl.com.
8. Click OK.

Next, export the ADRMS-SRV server authentication certificate with its private key. This is required so that
ISA-SRV can pass HTTPS requests from ADRMS-EXCLNT to the AD RMS cluster.
To export the ADRMS-SRV server authentication certificate with private key

1. Click Start, type mmc.exe, and then press ENTER.


2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
Continue.
3. Click File, and then click Add/Remove Snap-in.
4. Click Certificates, and then click Add.
5. Select the Computer account option, and then click Next.
6. Click Finish, and then click OK.
7. Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates in
the console tree.
8. Right-click ADRMS-SRV.cpandl.com, point to All Tasks, and then click Export.
9. On the Welcome to the Certificate Export Wizard page, click Next.
10. Select the Yes, export the private key option, and then click Next.
11. On the Export File Format page, click Next, accepting the default selections.
12. In the Password and Type and confirm password boxes, type the same strong password, and then click Next.
13. In the File name box, type \\adrms-db\public\adrms-srv_with_key.pfx, and then click Next.
14. Click Finish.
15. Click OK, confirming that the export was successful.

Step 2: Installing and Configuring ISA-SRV
Updated: May 18, 2007
ISA Server 2006 Standard Edition is an integrated edge security gateway that can be used with AD RMS
to restrict Internet access to the AD RMS cluster. The ISA server handles all requests from the Internet to
the AD RMS extranet cluster URLs and passes them to the AD RMS cluster, when necessary.
To install and configure ISA Server 2006 Standard Edition to work with AD RMS, you must complete the
following steps:
Configure the ISA Server (ISA-SRV) [http://technet2.microsoft.com/WindowsServer2008/en/library/c98824ed-2a42-43a1-
9a41-699000891f351033.mspx#BKMK_S1]
Publish AD RMS cluster to extranet [http://technet2.microsoft.com/WindowsServer2008/en/library/c98824ed-2a42-43a1-
9a41-699000891f351033.mspx#BKMK_S2]
Configure the ISA Server (ISA-SRV)
First, install Windows Server 2003 on a stand-alone server.
To install Windows Server 2003, Standard Edition

1. Start your computer by using the Windows Server 2003 product CD.
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type ISA-SRV.

Next, configure TCP/IP properties so that ISA-SRV has a static IP address of 10.0.0.5 and preferred DNS
server with IP address 10.0.0.1 on the first network adapter. On the second network adapter, use
10.0.100.1 as the IP address.
To configure TCP/IP properties on ISA-SRV

1. Log on to ISA-SRV as a member of the local Administrators group.


2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click
Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.5. In the Subnet mask box, type
255.255.255.0. In the Preferred DNS server box, type 10.0.0.1.
5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
6. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection 2, and then click
Properties.
7. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
8. Click the Use the following IP address option. In the IP address box, type 10.0.100.1. In the Subnet mask box, type
255.255.255.0.
9. Click OK, and then click Close to close the Local Area Connection 2 Properties dialog box.
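The addresses assigned in the steps above only work if ISA-SRV is dual-homed on two networks that do not overlap, the AD RMS server sits on the internal side, and ADRMS-EXCLNT shares a link with the external adapter (the guide configures no default gateway on either side). The following Python script, added here and not part of the guide, checks those conditions for the lab address plan. It uses the host names and addresses the guide states; ADRMS-DB and ADRMS-CLNT are left out because this section does not give their addresses.

```python
"""Consistency checks for the dual-homed ISA-SRV address plan used in this lab.

Added example, not part of the guide. The addresses are the ones the guide
assigns; ADRMS-DB and ADRMS-CLNT are omitted because this section does not
state their addresses.
"""
import ipaddress
from typing import Dict, List

# Private intranet used throughout the lab.
INTRANET = ipaddress.ip_network("10.0.0.0/24")

# Host -> "address/prefix" for each adapter (ISA-SRV has two).
LAB_PLAN: Dict[str, List[str]] = {
    "CPANDL-DC": ["10.0.0.1/24"],
    "ADRMS-SRV": ["10.0.0.2/24"],
    "ISA-SRV": ["10.0.0.5/24", "10.0.100.1/24"],
    "ADRMS-EXCLNT": ["10.0.100.2/24"],
}


def check_address_plan(plan: Dict[str, List[str]],
                       intranet: ipaddress.IPv4Network = INTRANET,
                       firewall: str = "ISA-SRV",
                       published_server: str = "ADRMS-SRV",
                       extranet_client: str = "ADRMS-EXCLNT") -> List[str]:
    """Return the problems found in the plan; an empty list means it is consistent."""
    problems: List[str] = []
    ifaces = {host: [ipaddress.ip_interface(a) for a in addrs]
              for host, addrs in plan.items()}

    # 1. No address may be assigned to two hosts.
    owner_of: Dict[ipaddress.IPv4Address, str] = {}
    for host, addrs in ifaces.items():
        for iface in addrs:
            owner = owner_of.setdefault(iface.ip, host)
            if owner != host:
                problems.append(f"{iface.ip} is assigned to both {owner} and {host}")

    # 2. The firewall must be dual-homed on networks that do not overlap,
    #    with exactly one adapter inside the intranet; otherwise ISA Server
    #    cannot tell the private and public sides apart.
    fw = ifaces.get(firewall, [])
    if len(fw) < 2:
        problems.append(f"{firewall} needs two network adapters, has {len(fw)}")
    for idx, a in enumerate(fw):
        for b in fw[idx + 1:]:
            if a.network.overlaps(b.network):
                problems.append(f"{firewall} adapters {a} and {b} are on the same network")
    internal = [i for i in fw if i.ip in intranet]
    external = [i for i in fw if i.ip not in intranet]
    if len(internal) != 1:
        problems.append(f"{firewall} must have exactly one adapter in {intranet}, has {len(internal)}")
    if not external:
        problems.append(f"{firewall} has no adapter outside {intranet}")

    # 3. The Web publishing rule forwards to the AD RMS server's intranet
    #    address, so that server must live on the internal side.
    if not any(i.ip in intranet for i in ifaces.get(published_server, [])):
        problems.append(f"{published_server} has no address in {intranet}")

    # 4. No default gateway is configured in the lab, so the extranet client
    #    must sit outside the intranet and on the same link as the external adapter.
    client = ifaces.get(extranet_client, [])
    if any(i.ip in intranet for i in client):
        problems.append(f"{extranet_client} must not have an address in {intranet}")
    if not any(c.network.overlaps(e.network) for c in client for e in external):
        problems.append(f"{extranet_client} is not on the same link as the external adapter of {firewall}")
    return problems


if __name__ == "__main__":
    for line in check_address_plan(LAB_PLAN) or ["address plan is consistent"]:
        print(line)
```

Run it as-is to confirm the guide's plan passes, or edit LAB_PLAN to match your own lab; each returned string names one condition that would stop the extranet client from reaching the published AD RMS URL.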

Next, join ISA-SRV to the cpandl.com domain.


To join ISA-SRV to the cpandl.com domain

1. Click Start, right-click My Computer, and then click Properties.


2. Click the Computer Name tab, and then click Change.
3. In the Computer Name Changes dialog box, select the Domain option, and then type cpandl.com.
4. Click More, and type cpandl.com in Primary DNS suffix of this computer box.
5. Click OK, and then click OK again.
6. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials
for CPANDL\Administrator, and then click OK.
7. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain, click OK.
8. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and then
click Close.
9. Click Restart Now.

Next, import the server authentication certificate that contains the private key into the Trusted
Certification Authorities store on ISA-SRV.
To import the server authentication certificate to the ISA-SRV computer

1. Log on to ISA-SRV as a member of the local Administrators group.


2. Click Start, click Run, type mmc.exe, and then press ENTER.
3. Click File, and then click Add/Remove Snap-in.
4. Click Add, select Certificates, and then click Add.
5. Select the Computer Account option, click Next, and then click Finish.
6. Click Close, and then click OK.
7. Expand Certificates, and then expand Personal.
8. Right-click Certificates in the console tree, point to All Tasks, and then click Import.
9. On the Welcome to the Certificate Import wizard page, click Next.
10. In the File name box, type \\adrms-db\public\adrms-srv_with_key.pfx, click OK, and then click Next.
11. Type the password used to export the certificate, and then click Next.
12. Click Next, and then click Finish.
13. Click OK confirming that the import was successful.
14. Close the Certificates console.

Finally, install ISA Server 2006 Standard Edition.


To install ISA Server 2006 Standard Edition

1. Log on to ISA-SRV as a member of the local Administrators group.


2. Insert the ISA Server 2006 Standard Edition product CD.
3. Click Install ISA Server 2006.
4. On the Welcome to the Installation Wizard for Microsoft ISA Server 2006 page, click Next.
5. Select the I accept the terms in the license agreement option, and then click Next.
6. Type your ISA Server product key in the Product Serial Number box, and then click Next.
7. Select the Typical option, and then click Next.
8. Click Add, click Add Adapter, select the Local Area Connection check box, click OK, and then click OK again.
9. Click Next three times, and then click Install.
10. When the installation is complete, click Finish.
11. Click OK. Read the information if desired, and then close Internet Explorer.
12. Click Exit to close Microsoft ISA Server 2006 Setup.


Publish AD RMS cluster to extranet


ISA Server 2006 Standard Edition requires that a Web listener be configured for a specified port. In this
guide, you use TCP port 443 (SSL) in order to help make data transmission secure between the clients
and ISA server. In this section, you publish the AD RMS Web site through the ISA server. This involves
publishing the AD RMS extranet cluster URL to this ISA Server and then allowing the ISA server to pass
the user credentials directly to the AD RMS server. Because a self-signed certificate is used for the
AD RMS cluster in this guide, you must move it from the Personal certificate store to the Trusted
Certification Root Authorities store.
First, publish the AD RMS cluster on ISA-SRV.
To publish AD RMS in ISA Server 2006 Standard Edition

1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. Expand ISA-SRV, and then click Firewall Policy.
3. Click the Tasks tab, and then click Publish Web Sites.
4. In the Web publishing rule name box, type AD RMS Extranet, and then click Next.
5. Click Next twice accepting the default selections.
6. Select the Use SSL to connect to the published Web server or server farm option, and then click Next.
7. In the Internal Site Name box, type adrms-srv.cpandl.com.
8. Select the Use a computer name or IP address to connect to the published server check box, type 10.0.0.2 in the
Computer name or IP address box, and then click Next.
9. In the Path (optional) box, type /*, select the Forward the original host header instead of the actual one specified in the
Internal site name field on the previous page check box, and then click Next.
10. In the Public name box, type adrms-srv.cpandl.com, and then click Next.
11. Click New to create a new Web listener.
12. In the Web listener name box, type HTTPS Port 443, and then click Next.
13. Select the Require SSL secured connections with clients option, and then click Next.
14. Select the External check box, and then click Next.
15. Select the Use a single certificate for this Web listener option, and then click Select Certificate.
16. Click the ADRMS-SRV.cpandl.com certificate, click Select, and then click Next.
17. In the Select how clients will provide credentials to ISA Server box, select No Authentication, click Next, and then click
Next again.
18. Click Finish to close the New Web Listener Wizard.
19. Click Next.
20. Click No delegation, but client may authenticate directly, and then click Next.
21. Click Next to apply this Web publishing rule to all users.
22. Click Finish.
23. Click Apply to save changes and update your configuration, and then click OK.

Finally, move the ADRMS-SRV server authentication certificate from the Personal certificate store to the
Trusted Root Certification Authorities store:
To move the ADRMS-SRV server authentication certificate

1. Click Start, and then click Run.


2. Type mmc.exe, and then click OK.
3. Click File, and then click Add/Remove Snap-in.
4. Click Add, click Certificates, click Add, select the Computer account option, and then click Next.
5. Click Finish, click Close, and then click OK.
6. Expand Certificates (Local computer), expand Personal, and then expand Trusted Root Certification Authorities.
7. Click Certificates under Personal in the console tree.
8. Select the ADRMS-SRV.cpandl.com certificate in the details pane and drag it to the Certificates folder under Trusted Root
Certification Authorities.
9. Close the Certificates console.


Step 3: Configuring AD RMS Extranet Client
Updated: May 18, 2007
To configure the AD RMS extranet client computer (ADRMS-EXCLNT), you must install Windows Vista,
configure TCP/IP properties, create an entry in the local HOSTS file, import the ADRMS-SRV server
authentication certificate, and then install an AD RMS-enabled application. In this example, Microsoft
Office Word 2007 is installed on ADRMS-EXCLNT.
To install Windows Vista

1. Start your computer using the Windows Vista product CD.


2. Follow the instructions that appear on your screen, and when prompted for a computer name, type ADRMS-EXCLNT.

Next, configure TCP/IP properties so that ADRMS-EXCLNT has a static IP address of 10.0.100.2.
To configure TCP/IP properties

1. Click Start, click Control Panel, click Network and Internet, double-click Network and Sharing Center, click Manage
Network Connections in the left pane, right-click Local Area Connection, and then click Properties.
2. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Select the Use the following IP address option. In IP address, type 10.0.100.2, in Subnet mask, type 255.255.255.0.
4. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
5. Close the other open windows and return to the desktop.

In this guide, a test environment without an external DNS server is used. In order for the extranet
cluster URLs to resolve to their appropriate IP address, you must create a manual entry in the HOSTS file
that points to ISA-SRV.
Note: In a production environment, this step is not required because the extranet client computer's Internet Service Provider will handle the DNS resolution.
To create an entry in the HOSTS file for AD RMS extranet cluster URL

1. Log on to ADRMS-EXCLNT as a member of the local Administrators group.


2. Click Start, point to All Programs, click Accessories, and then click Notepad.
3. Within Notepad, click File, and then click Open.
4. Navigate to C:\windows\System32\drivers\etc\HOSTS, and then click Open.
Note: To show the HOSTS file, when you get to the etc folder you must select All Files (above the Open button).
5. On a new line at the bottom of the file, type 10.0.100.1 adrms-srv.cpandl.com.


6. Save and close the HOSTS file.
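The HOSTS entry typed in step 5 can also be verified or added from a script, which is useful when the same client is rebuilt for repeated tests. The following Python example is added here and is not part of the guide: it parses a HOSTS file the way the step describes (one address followed by one or more names, with '#' starting a comment), reports a name that is already mapped to a different address, and appends the entry only when it is missing. SAMPLE_HOSTS is constructed sample content; the address and name are the ones the step tells you to type.

```python
"""Check or add the extranet cluster name in a Windows HOSTS file.

Added example, not part of the guide. SAMPLE_HOSTS is constructed; the
address and name are the ones the step above tells you to type.
"""
import ipaddress
from typing import Dict, List, Tuple

ISA_EXTERNAL = "10.0.100.1"
CLUSTER_NAME = "adrms-srv.cpandl.com"
INTRANET = ipaddress.ip_network("10.0.0.0/24")

# Constructed sample: comment lines, blank lines and trailing comments are ignored.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost       # loopback, with a trailing comment

10.0.100.1 adrms-srv.cpandl.com
"""


def parse_hosts(content: str) -> Tuple[Dict[str, str], List[str]]:
    """Map each host name (lower-cased) to its address, plus a list of warnings.

    A line is one address followed by one or more names; '#' starts a comment.
    The first mapping seen for a name is kept; a later, different one is reported.
    """
    mapping: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            warnings.append(f"line {lineno}: '{fields[0]}' is not an IP address")
            continue
        if len(fields) < 2:
            warnings.append(f"line {lineno}: no host name after {addr}")
            continue
        for name in fields[1:]:
            key = name.lower()
            if key in mapping and mapping[key] != addr:
                warnings.append(f"line {lineno}: {name} already maps to {mapping[key]}, ignoring {addr}")
                continue
            mapping[key] = addr
    return mapping, warnings


def ensure_hosts_entry(content: str, ip: str, name: str,
                       intranet: ipaddress.IPv4Network = INTRANET) -> Tuple[str, str]:
    """Return (possibly updated content, status).

    status is "present", "added", or a "conflict: ..." description when the
    name already points somewhere else; the content is left untouched on conflict.
    """
    ip = str(ipaddress.ip_address(ip))
    mapping, _ = parse_hosts(content)
    current = mapping.get(name.lower())
    if current == ip:
        return content, "present"
    if current is not None:
        where = ""
        if ipaddress.ip_address(current) in intranet:
            # In this lab the extranet client has no route to 10.0.0.0/24,
            # so an intranet address here means every license request fails.
            where = " (an intranet address the extranet client cannot reach through ISA-SRV)"
        return content, f"conflict: {name} already maps to {current}{where}"
    if content and not content.endswith("\n"):
        content += "\n"
    return content + f"{ip} {name}\n", "added"


if __name__ == "__main__":
    updated, status = ensure_hosts_entry(SAMPLE_HOSTS, ISA_EXTERNAL, CLUSTER_NAME)
    print(status)
    for warning in parse_hosts(updated)[1]:
        print("warning:", warning)
```

To apply it on ADRMS-EXCLNT, read C:\windows\System32\drivers\etc\HOSTS into a string, pass it to ensure_hosts_entry, and write the returned content back only when the status is "added"; a "conflict" status means an earlier entry is steering the cluster name elsewhere and should be reviewed rather than overwritten.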

Next, import the ADRMS-SRV server authentication certificate into the Trusted Root Certification Authorities store on
ADRMS-EXCLNT. This is only required when using self-signed certificates. In a production environment,
the certificate should be issued by a certification authority that the client trusts.
To import the server authentication certificate to the ADRMS-EXCLNT computer

1. Log on to ADRMS-EXCLNT with a user account that is a member of the local Administrators group.
2. Click Start, point to All Programs, and then click Internet Explorer.
3. In the Address bar, type https://adrms-srv.cpandl.com/_wmcs/licensing/license.asmx, and then press ENTER.
4. On the Certificate Error: Navigation Blocked Web page, click Continue to this website (not recommended).
5. In the User name box, type CPANDL\srailson. In the Password box, type the password for Stuart Railson, and then click
OK.
6. In the Address Bar, click Certificate Error, and then click View Certificates.
7. On the Certificate Information page, click Install Certificate.
8. On the Welcome to the Certificate Import Wizard page, click Next.
9. Select the Place all certificates in the following store option, click Browse, click Trusted Root Certification Authorities,
and then click OK.
10. Click Next, and then click Finish.
11. Click Yes, accepting the security warning. This only happens because self-signed certificates are used.
12. Click OK, confirming that the certificate import was successful.
13. Click OK to close the Certificate Information window.
14. Close Internet Explorer.

Finally, install Microsoft Office Word 2007 Enterprise.


To install Microsoft Office Word 2007 Enterprise

1. Double-click setup.exe from the Microsoft Office 2007 Enterprise product CD.
2. Click Customize as the installation type, set the installation type to Not Available for all applications except Microsoft Office
Word 2007 Enterprise, and then click Install Now. This might take several minutes to complete.

Important: Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007 allow you to create rights-protected content. All editions will allow you to consume rights-protected content.

Step 4: Verifying AD RMS Functionality using ADRMS-CLNT
Updated: May 18, 2007
To verify the functionality of the AD RMS deployment, you will log on to ADRMS-CLNT as Nicole Holliday
and then restrict permissions on a Microsoft Word 2007 document so that Stuart Railson is only able to
read the document but unable to change, print, or copy. You will then copy this document to a removable
device (for example, a USB flash drive) and log on to a client computer that is not part of the
organizational network, such as a home computer. In this example, ADRMS-EXCLNT serves as the home
computer. After the file is copied to the USB flash drive, Stuart Railson logs on to the extranet client
computer (ADRMS-EXCLNT) and verifies that he is able to open the rights-protected document from the
USB flash drive.
Note: A USB flash drive is not required in this scenario. Any means of getting the document to the extranet client computer will work, such as attaching the document to an e-mail message and sending it to Stuart. In that example, Stuart would then open the document contained in the e-mail message on the extranet client computer.
Use the following steps to restrict permissions on a Microsoft Word document:
To restrict permissions on a Microsoft Word document

1. Log on to ADRMS-CLNT as Nicole Holliday (cpandl\nhollida).


2. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.
3. Type "This is a test of AD RMS Extranet functionality." into the blank document page, click the Microsoft Office Button,
point to Prepare, point to Restrict Permission, and then click Restricted Access.
4. Select the Restrict permission to this document check box.
5. In the Read box, type srailson@cpandl.com, and then click OK to close the Permission dialog box.
6. Click the Microsoft Office Button, click Save As, and then save the file as ADRMS-TST.
7. Copy ADRMS-TST.docx to a USB flash drive.
8. Log off as Nicole Holliday.

Finally, open the document, ADRMS-TST.docx, on ADRMS-EXCLNT from the USB flash drive.
To view a protected document

1. Log on to ADRMS-EXCLNT with the local user account that you want to use for consuming the rights-protected document.
Caution: Once this document has been consumed, any other user who logs on to the computer with the same user account will also be able to consume the document.

2. Insert the USB flash drive, and then double-click the ADRMS-TST.docx file.
3. In the User name box, type cpandl\srailson. In the Password box, type the password for Stuart Railson, and then click OK.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to
https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permissions."
4. Click OK.
The following message appears: "You are attempting to send information to an Internet site (https://adrms-
srv.cpandl.com) that is not in your Local, Intranet, or Trusted zones. This could pose a security risk. Do you want to
send the information anyway?"
5. Click Yes.
The following message appears: "Verifying your credentials for opening content with restricted permissions".
6. When the document opens, click the Microsoft Office Button. Notice that the Print option is not available.
7. Click View Permission in the message bar. You can see that srailson@cpandl.com (Stuart Railson) has been restricted so
that he can only read the document.
8. Click OK to close the My Permissions dialog box, and then close Microsoft Word.

You have successfully deployed and demonstrated the functionality of AD RMS in an extranet, using the
simple scenario of applying restricted permissions to a Microsoft Word 2007 document. You can also use
this deployment to explore some of the additional capabilities of AD RMS through additional configuration
and testing.

Windows Server 2008 Technical Library > Active Directory Rights Management Services > Getting Started: AD RMS

Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide
Updated: September 20, 2007

About this Guide
This step-by-step guide walks you through the process of deploying Active Directory Rights Management
Services (AD RMS) and Microsoft Office SharePoint Server 2007 together in a test environment.
Specifically, this guide shows you how to add an Office SharePoint Server 2007 to an existing AD RMS
environment.
Important: Windows SharePoint Services 3.0 does not have the Microsoft Office protector files that are required to automatically rights-protect a document when it is uploaded. You must use Office SharePoint Server 2007 to do this.
This guide assumes that you previously completed the Active Directory Rights Management Services
Step-by-Step Guide, and that you have already deployed the following components:

One Active Directory domain controller

An AD RMS server

An AD RMS database server

An AD RMS-enabled client
In this guide, you will create a test deployment that includes an Office SharePoint Server 2007 server.
Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting them to an
Office SharePoint Server 2007 site so that they can be accessed over the corporate network. The goal of
integrating an Office SharePoint Server 2007 deployment with an AD RMS infrastructure is to be able to
protect documents that are downloaded from the Office SharePoint Server 2007 server by users of any
given organization.
Note: Integrating Office SharePoint Server 2007 with AD RMS does not protect the documents while they are on the server. When a document is uploaded to an Office SharePoint Server 2007 site, the server removes all protection until a download request is received by the Office SharePoint Server 2007 server. At this time, the Office SharePoint Server 2007 server applies the appropriate restrictions to the document before it is downloaded to the client computer.

What This Guide Does Not Provide
This guide does not provide the following:
An overview of AD RMS. For more information about the advantages that AD RMS can bring to your organization, see
http://go.microsoft.com/fwlink/?LinkId=84726 [http://go.microsoft.com/fwlink/?LinkId=84726] .

Guidance for setting up and configuring AD RMS in a production environment.

Guidance for integrating Office SharePoint Server 2007 with AD RMS in a production environment.

Complete technical reference for AD RMS.
Complete information about Office SharePoint Server 2007. For more information, see http://go.microsoft.com/fwlink/?LinkId=74460 [http://go.microsoft.com/fwlink/?LinkId=74460] .
Deploying AD RMS in a Test Environment
We recommend that you use the steps provided in the "Windows Server Active Directory Rights
Management Services Step-by-Step Guide" before completing the steps in this guide. Step-by-step
guides are not necessarily meant to be used to deploy Microsoft products without additional
documentation and should be used with discretion as a stand-alone document.
Upon completion of this step-by-step guide, you will have a working AD RMS infrastructure integrated
with Office SharePoint Server 2007. You can then test AD RMS and Office SharePoint Server 2007
functionality as follows:

Create a Microsoft Office Word 2007 document in the CPANDL domain.

Upload this document to the Office SharePoint Server 2007 document library.

Have an authorized user in the CPANDL domain open and work with the document.
The test environment described in this guide includes five computers connected to a private network and
using a clean installation of the following operating systems, applications, and services:

Computer Name | Operating System | Applications and Services
CPANDL-DC | Windows Server 2003 with Service Pack 1 (SP1) | Active Directory, Domain Name System (DNS)
ADRMS-SRV | Windows Server 2008 | AD RMS, Internet Information Services (IIS) 7.0, and Message Queuing
ADRMS-DB | Windows Server 2003 with SP1 | Microsoft SQL Server 2005 with Service Pack 2 (SP2)
SPS-SRV | Windows Server 2003 R2 Standard Edition. Windows Server 2003 R2 must be used if federated identity support with Office SharePoint Server 2007 is required. Otherwise, Windows Server 2003 with SP1 can be used. | Office SharePoint Server 2007
ADRMS-CLNT | Windows Vista | Microsoft Office Word 2007 Enterprise Edition

Note: Before installing and configuring the components in this guide, you should verify that your hardware meets the minimum requirements for AD RMS (http://go.microsoft.com/fwlink/?LinkId=84733 [http://go.microsoft.com/fwlink/?LinkId=84733] ).
The computers form a private intranet and are connected through a common hub or Layer 2 switch. This
configuration can be emulated in a virtual server environment if desired. This step-by-step exercise uses
private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for
the intranet. The domain controller is named CPANDL-DC for the domain named cpandl.com. The
following figure shows the configuration of the test environment:
Windows Server 2008 Technical Library > Active Directory Rights Management Services > Getting Started: AD RMS > Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide

Step 1: Installing and Configuring SPS-SRV
Updated: September 20, 2007

To prepare your AD RMS test environment in the CPANDL domain, you must complete the following
tasks:
Configure the Office SharePoint Server (SPS-SRV) [http://technet2.microsoft.com/WindowsServer2008/en/library/fb957cea-
e436-4bf3-9dbc-375f9fbf911b1033.mspx#BKMK_S1]
Install Office SharePoint Server 2007 [http://technet2.microsoft.com/WindowsServer2008/en/library/fb957cea-e436-4bf3-
9dbc-375f9fbf911b1033.mspx#BKMK_S2]
Use the following table as a reference when setting up the appropriate computer name, operating
system, and network settings that are required to complete the steps in this guide.
Important: Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your computers still has Internet connectivity. You should also install any available critical security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370 [http://go.microsoft.com/fwlink/?LinkID=47370] ).

Computer name | Operating system requirement | IP settings | DNS settings
SPS-SRV | Windows Server 2003 R2, Standard Edition. Important: In order to use Active Directory Federation Services (AD FS) with Office SharePoint Server 2007, you must install Windows Server 2003 R2 with Service Pack 2 (SP2). | IP address: 10.0.0.6; Subnet mask: 255.255.255.0 | 10.0.0.1

Configure the Office SharePoint Server (SPS-SRV)


To configure the Office SharePoint Server 2007 server SPS-SRV, you must:
1. Install Windows Server 2003 R2 Standard Edition.

2. Configure TCP/IP properties.

3. Join the computer to the cpandl.com domain.

4. Install the Rights Management Services (RMS) client with SP2.

To install Windows Server 2003 R2 Standard Edition

1. Start your computer by using the Windows Server 2003 R2 Standard Edition product CD.

2. When prompted for the installation type, choose Custom Installation.


3. When prompted for a computer name, type SPS-SRV.

4. Follow the rest of the instructions that appear on your screen to finish the installation.

Next, configure TCP/IP properties so that SPS-SRV has a static IP address of 10.0.0.6. In addition,
configure the Domain Name System (DNS) Server service by using the IP address of CPANDL-DC
(10.0.0.1).
To configure TCP/IP Properties

1. Log on to SPS-SRV with the SPS-SRV\Administrator account or another user account in the local
Administrators group.

2. Click Start, point to Control Panel, point to Network Connections, double-click Local Area
Connection, and then click Properties.

3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.

4. Select the Use the following IP address option. In the IP address box, type 10.0.0.6. In Subnet
mask box, type 255.255.255.0.

5. Select the Use the following DNS server addresses option. In the Preferred DNS server box,
type 10.0.0.1.

6. Click OK, and then click OK to close the Local Area Connection Properties dialog box. Close the
Local Area Connection Status dialog box.

Next, join SPS-SRV to the cpandl.com domain.


To join SPS-SRV to the cpandl.com domain

1. Click Start, right-click My Computer, and then click Properties.

2. Click Computer Name tab, and then click Change.

3. In the Computer Name Changes dialog box, click Domain, and then type cpandl.com.

4. Click More, and type cpandl.com in Primary DNS suffix of this computer box.

5. Click OK twice.

6. When a Computer Name Changes dialog box appears prompting you for administrative
credentials, provide the credentials for CPANDL\Administrator, and then click OK.

7. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain,
click OK.

8. When a Computer Name Changes dialog box appears telling you that the computer must be
restarted, click OK, and then click Close.

9. Click Yes to restart the computer.

Finally, install the RMS client with SP2 on SPS-SRV.


To install the RMS client with SP2
1.
LinkId=67736 [http://go.microsoft.com/fwlink/?LinkId=67736] . If you are using a 64-bit version
Windows Server 2003, download the 64-bit version of the RMS client from
http://go.microsoft.com/fwlink/?LinkId=67935 [http://go.microsoft.com/fwlink/?LinkId=67935] .

2.
installation.

3.

4.
start the installation.

5.


Install Office SharePoint Server 2007


To install Office SharePoint Server 2007, you must complete the following steps in the following order:

Office SharePoint Server 2007 uses the Application Server role, which contains IIS and ASP.NET, to host
Office SharePoint Server 2007 document libraries. To install the Application Server role, you must
complete the following steps:

1. Click Start, point to All Programs, point to Administrative Tools, and then click Manage Your
Server.

2. Click Add or remove a role.

3. On the Preliminary Steps page of the Configure your Server Wizard, click Next.

4. Click Application Server (IIS, ASP.NET), and then click Next.

5. Select the Enable ASP.NET check box, and then click Next twice.

Note:

You will be asked for the Windows Server 2003 product CD in order to complete the installation of
the Application Server role.

6. Click Finish to complete the installation.


Next, install the .NET Framework 3.0. Office SharePoint Server 2007 requires the Windows Workflow
Foundation, which has been integrated into .NET Framework 3.0.
To install .NET Framework 3.0

1. Download Microsoft .NET Framework 3.0 from http://go.microsoft.com/fwlink/?LinkId=73912 [http://go.microsoft.com/fwlink/?LinkId=73912] .

2. Double-click dotnetfx3setup.exe, and then click Run in the Open File - Security Warning
dialog box.

3. Click the I have read and ACCEPT the terms of the License Agreement option, and then click
Install.

4. Click Exit to complete the installation.

Next, install Office SharePoint Server 2007.


To install Office SharePoint Server 2007

1. Double-click setup.exe from the Office SharePoint Server 2007 product CD.

2. Enter your Product Key, and then click Continue.

3. Select the I accept the terms of this agreement check box, and then click Continue.

4. Click Basic.

5. After installation has completed, select the Run the SharePoint Products and Technologies
Configuration Wizard now check box, and then click Close. The installation might take 10
minutes to complete.

6. On the Welcome to the SharePoint Products and Technologies page, click Next. Click Yes in
the message confirming that the SharePoint services should be restarted. Office SharePoint Server
2007 will also be configured at this time.

7. Click Finish to complete the installation.

© 2008 Microsoft Corporation. All rights reserved.

Step 2: Configuring AD RMS to Work with SPS-SRV
Updated: September 20, 2007
After Office SharePoint Server 2007 has been installed, there are several tasks that must be completed
to integrate Office SharePoint Server 2007 with AD RMS:
Add the Office SharePoint Server 2007 site to the Local Intranet Internet Explorer zone.
Add three user accounts, CPANDL\Administrator, Nicole Holliday, and Stuart Railson, to the SharePoint site.
Add the Office SharePoint Server 2007 server to the AD RMS server certification pipeline.
Enable Information Rights Management in Office SharePoint Server 2007.
Restrict permissions by using AD RMS.
First, add the Office SharePoint Server 2007 site to the Internet Explorer Local Intranet zone on the
Office SharePoint Server 2007 computer.
To add SPS-SRV to Local Intranet

1. Log on to SPS-SRV as cpandl\administrator.


2. Click Start, point to Control Panel, and then click Internet Options.
3. Click the Security tab, click Local Intranet, and then click the Sites button.
4. Type http://SPS-SRV, and then click Add.
5. Click Close, and then click OK.

Next, give Nicole Holliday and Stuart Railson access to the SharePoint site so that the Office SharePoint
Server 2007 integration with AD RMS can be verified later in this guide:
To add Nicole Holliday and Stuart Railson to the SharePoint site

1. Click Start, point to All Programs, and then click Internet Explorer.
2. Type http://SPS-SRV in the address bar, and then click Go. This will open the default Office SharePoint Server 2007 site that
was created during installation.
3. Click Site Actions, point to Site Settings, and then click People and Groups.
4. Click New, and then click Add Users.
5. Type nhollida@cpandl.com;srailson@cpandl.com in the Users/Groups box, and then click OK. A list of users who have
permission to use the SharePoint site is displayed.

Next, add the Office SharePoint Server 2007 server and AD RMS Service Group to the AD RMS cluster
server certification pipeline.
Important:

By default, the AD RMS cluster server certification pipeline ACL is configured to allow only the local System account. You must
add the permissions in order for Office SharePoint Server 2007 to integrate with AD RMS.
To add SPS-SRV to the AD RMS Certification Pipeline

1. Log on to ADRMS-SRV as CPANDL\Administrator.


2. Click Start, and then click Computer.
3. Navigate to C:\Inetpub\wwwroot\_wmcs\Certification.
4. Right-click ServerCertification.asmx, click Properties, and then click the Security tab.
5. Click Advanced, click Edit, select the Include inheritable permissions from this object's parent check box, and then
click OK two times.
6. Click Edit, and then click Add.
7. Click Object Types, select the Computers check box, and then click OK.
8. Type SPS-SRV, and then click OK.
9. Click OK to close the ServerCertification.asmx Properties sheet.
By default, the Read & execute and Read permissions are configured for the SPS-SRV computer account object and for all
other accounts inherited from the parent folder.
10. Click Start, and then click Command Prompt.
11. Type iisreset, and then press ENTER.
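The same permission change expressed with icacls, added here as an example rather than taken from the guide, so that it can be scripted and the resulting ACL checked; it assumes the default file path from the procedure above and the guide's domain and computer names, and runs from an elevated Windows PowerShell prompt on ADRMS-SRV:

```powershell
# Added example, not part of the guide: grant the SPS-SRV computer account
# Read & execute on the AD RMS server certification pipeline, then verify the
# resulting ACL. Run from an elevated PowerShell prompt on ADRMS-SRV.
# The path is the default one from the procedure; the account is an assumption
# built from the guide's domain and computer names (note the trailing $).
$pipeline = 'C:\Inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$account  = 'CPANDL\SPS-SRV$'

# Step 5: include inheritable permissions from the parent folder.
icacls $pipeline /inheritance:e

# Steps 6 to 9: grant only Read and execute (RX). The certification call needs
# nothing more, so nothing more is granted.
icacls $pipeline /grant "${account}:(RX)"

# Verification: the computer account must be listed with (RX) only. Everyone,
# Authenticated Users or an individual user account here would widen the
# pipeline beyond the principals the guide intends (local System and SPS-SRV).
$entries = icacls $pipeline | Where-Object { $_ -match ':\(' }
$entries
$spsEntry = $entries | Where-Object { $_ -match [regex]::Escape($account) }
if (-not $spsEntry) { throw "No ACE for $account on $pipeline" }
if ($spsEntry -notmatch '\(RX\)') { throw "$account has unexpected rights: $spsEntry" }
if ($entries -match 'Everyone:|Authenticated Users:') {
    Write-Warning 'Broad principal found on the certification pipeline; review the ACL.'
}

# Steps 10 and 11: restart IIS so the change takes effect.
iisreset
```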

Once the AD RMS cluster certification pipeline ACL has been configured so that SPS-SRV can communicate with
it, you must configure Office SharePoint Server 2007 to use the AD RMS cluster:
To enable Information Rights Management in Office SharePoint Server 2007

1. Log on to SPS-SRV as CPANDL\administrator.


2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
3. Click Operations, and then click Information Rights Management.
4. Select the Use the default RMS server specified in Active Directory option, and then click OK.

Create an Office SharePoint Server 2007 permission policy on the default document library. This
permission policy will be used to restrict the ability to print any documents that are uploaded to the
document library:
To restrict permissions using AD RMS

1. Log on as cpandl\Administrator.
2. Click Start, point to All Programs, and then click Internet Explorer.
3. Type http://SPS-SRV in the address bar, and then click Go.
4. Click Document Center, click Documents, click Settings, and then click Document Library Settings.
5. Under the Permissions and Management heading, click Information Rights Management.
6. Select the Restrict permission to documents in this library on download check box.
7. Type CPANDL Protected in the Permissions policy title box.
8. Type Restrict CPANDL employees from printing in the Permission policy description box.
9. Click OK.

Note:

Office SharePoint Server 2007 will automatically apply AD RMS rights to the document when it is downloaded from the Office
SharePoint Server 2007 site. These rights are determined by the Office SharePoint Server 2007 group membership for that site. For
example, a user who is in the Visitors Office SharePoint Server 2007 group will not be able to modify the document when it is
downloaded from the Office SharePoint Server 2007 site.

Step 3: Verifying AD RMS Functionality using ADRMS-CLNT
Updated: September 20, 2007
To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday, create a new
Microsoft Word 2007 document, and upload it to the Office SharePoint Server 2007 site into a rights-
enabled document library configured such that users who download the document will not be able to
print it. You then log on as Stuart Railson, download the document from the Office SharePoint Server
2007 site and verify that the ability to print the document has been restricted.
Before you can consume rights-protected content, you must add SPS-SRV to the Local Intranet security
zone.
To add SPS-SRV to Local Intranet security zone

1. Log on to ADRMS-CLNT as Nicole Holliday (CPANDL\nhollida).


2. Click Start, click All Programs, and then click Internet Explorer.
3. Click Tools, and then click Internet Options.
4. Click the Security tab, click Local intranet, and then click Sites.
5. Click Advanced.
6. In the Add this website to the zone box, type http://sps-srv, and then click Add.
7. Click Close.
8. Repeat steps 1-7 for Stuart Railson (CPANDL\srailson).

Next, log on as Nicole Holliday, create a Microsoft Word 2007 document, and upload it to the Office
SharePoint Server 2007 site.
To create and upload a Microsoft Word document for testing

1. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
2. Type This document is read-only. You cannot print it. in the new document, click the Microsoft Office Button, click Save
As, and then save the file as ADRMS-TST.docx to a location on ADRMS-CLNT. This document will be uploaded to the
Office SharePoint Server 2007 document library.
Note:

Since Nicole Holliday is the author of this document, she will have full rights to the document, regardless of the AD RMS
rights that are applied to it.

3. Close Microsoft Office Word 2007.


4. Click Start, point to All Programs, and then click Internet Explorer.
5. Type http://SPS-SRV/ in the address bar, and then click Go.
6. Click Document Center, and then click Documents.
7. Click Upload, click Upload Document, click Browse to locate and select ADRMS-TST, and then click Open.
8. Click OK to upload the file, and then click Check In.
By uploading the document into this library, the document receives the restrictions set on the library.
9. Log off as Nicole Holliday.
Finally, log on as Stuart Railson and open the document from the Office SharePoint Server 2007 site.
To open a protected document

1. Log on to ADRMS-CLNT as Stuart Railson (CPANDL\srailson).


2. Click Start, click All Programs, and then click Internet Explorer.
3. Type http://SPS-SRV/ in the address bar, and then click Go.
4. Click Document Center, and then click Documents.
5. Click ADRMS-TST, and then click OK to open the document as Read Only.
6. The following message will appear: "Permission to this document is currently restricted. Microsoft Office must
connect to https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permission."
7. Click OK.
8. The following message will appear: "Verifying your credentials for opening content with restricted permissions".
9. Click OK in the full screen reading view message, and then click Close to close the full screen reading view.
10. Click the Microsoft Office button. The Print command is disabled.

You have successfully deployed, integrated, and demonstrated the functionality of AD RMS and Office
SharePoint Server 2007, using the simple scenario of uploading a Microsoft Office Word 2007 document
to an Office SharePoint Server 2007 site. You can also use this deployment to explore some of the
additional capabilities of AD RMS through additional configuration and testing.

Computer Name | Operating System | Applications and Services
--- | --- | ---
[computer name not recovered] | [operating system not recovered] | ... Services (IIS) 7.0, Message Queuing, and World Wide Web Publishing Service
ADRMS-DB | Windows Server 2003 with SP1 | Microsoft SQL Server 2005 Standard Edition
SPS-SRV | Windows Server 2003 R2 with Service Pack 2 (SP2). Important: Windows Server 2003 R2 with SP2 is required for federation support to work with Office SharePoint Server 2007. | AD FS claims-aware agent, Office SharePoint Server 2007
ADRMS-CLNT, ADRMS-CLNT2 | Windows Vista | Microsoft Office Word 2007 Enterprise Edition
ADFS-RESOURCE, ADFS-ACCOUNT | Windows Server 2008 Enterprise | AD FS, IIS
The computers form two private intranets and are connected through a common hub or Layer 2 switch.
This configuration can be emulated in a virtual server environment, if desired. This appendix exercise
uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used
for the intranet. The domain controller for the domain named cpandl.com is CPANDL-DC and the domain
controller for the domain name treyresearch.net is TREY-DC. The following figure shows the configuration
of the test environment:

Step 1: Setting up the infrastructure


The following steps should be taken to prepare the existing test infrastructure for configuring AD FS with
Office SharePoint Server 2007:
Install the claims-aware applications Windows component on SPS-SRV.
Add a DNS host name record to the CPANDL.COM domain so that federated users can access the Office SharePoint Server
2007 Web site.
Add the external SharePoint Web site as a claims-aware application on ADFS-RESOURCE.
Note:

Windows Server 2003 with SP2 is required for AD FS and Office SharePoint Server 2007 to work together. To download Windows
Server 2003 with SP2, see http://go.microsoft.com/fwlink/?LinkId=98598 [http://go.microsoft.com/fwlink/?LinkId=98598] .
First, add the claims-aware application Windows component. This component is required for AD FS and
interfaces with the AD FS federation servers to submit claims.
To add the claims-aware applications Windows component

1. Log on to SPS-SRV as cpandl\administrator or another user account in the local Administrators group.
2. Click Start, point to Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
3. Click Active Directory Services, and then click Details.
4. Click Active Directory Federation Services (ADFS), and then click Details.
5. Click ADFS Web Agents, and then click Details.
6. Select the Claims-aware applications check box, and then click OK three times.
7. Click Next.
Note:

You will be asked for the Windows Server 2003 R2 product CD in order to complete the installation of the claims-aware
applications Windows component.

8. Click Finish to complete the installation.

Next, add a DNS host name record in the CPANDL.COM domain so that federated users in the
TREYRESEARCH.NET domain can access the Office SharePoint Server 2007 Web site.
To create a DNS host name record for the external Office SharePoint Server 2007 Web site

1. Log on to CPANDL-DC as cpandl\administrator or another user account in the local Administrators group.
2. Click Start, point to Administrative Tools, and then click DNS.
3. Expand Forward Lookup Zones, right-click CPANDL-DC, and then click New Host (A).
4. In the Name box, type external-sps.
5. In the IP Address box, type 10.0.0.6, and then click Add Host.
6. Click OK, confirming that the host record was successfully created.
7. Click Done.

Finally, add the external SharePoint Web site as a claims-aware Windows application on ADFS-
RESOURCE. This must be done before a user is added to the document library.
To add the external SharePoint Web site as a claims-aware Windows application on ADFS-RESOURCE

1. Log on to ADFS-RESOURCE as cpandl\adfsadmin or another user account in the local Administrators group.
2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
Continue.
4. Expand Federation Services, expand Trust Policy, and then expand My Organization.
5. Right-click Applications, point to New, and then click Application.
6. On the Welcome to the Add Application Wizard, click Next.
7. Select the Claims-aware application option, and then click Next.
8. In the Application display name box, type External SharePoint Web site.
9. In the Application URL box, type https://external-sps.cpandl.com, and then click Next.
10. Select the E-mail check box, and then click Next.
11. Select the Enable this application check box, and then click Next.
12. Click Finish.

Step 2: Configuring Office SharePoint 2007 to work with AD FS


To configure Office SharePoint Server 2007 to work with AD FS, several steps must be completed:
Add a claims-aware Windows application for the external Web site.
Extend the internal Office SharePoint Server 2007 Web site.
Add a Secure Sockets Layer (SSL) certificate to the external Web site.
Configure the authentication provider on the external Web site.
Edit the web.config file on the internal Web site.
Add Terrence Philip to the default document library.
Edit the web.config file on the external Web site.
First, extend the existing internal Web site, created earlier in this guide, and add it to the Extranet zone.
To extend the internal Office SharePoint 2007 Web site and add it to the Extranet zone on SPS-SRV
1. Log on to SPS-SRV as cpandl\administrator or another user account in the local Administrators group.
2. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration.
3. Click Application Management, click Create or Extend Web application, and then click Extend an existing Web
application.
4. Select the Create a new Web site option, and then type External Users Web site in the Description box.
5. In the Web Application box, click Change Web Application, and then click http://sps-srv.
6. In the Port box, type 443.
7. In the Host header box, type external-sps.cpandl.com.
8. In the Secure Sockets Layer (SSL) box, select the Yes option.
9. In the URL box, type https://external-sps.cpandl.com.
10. In the Zone box, click Extranet.
11. Click OK.

Before proceeding with this appendix, verify that the internal Web site was correctly extended. To do this,
open the Alternate Access Mappings and ensure that external-sps.cpandl.com is available.
To verify that the external Web site is available

1. In the Central Administration 3.0 site, click Operations.


2. Under the Global Configuration heading, click Alternate access mappings.
3. Verify that https://external-sps.cpandl.com is shown and that its Zone is configured as Extranet.

Next, add an SSL certificate to the external-sps.cpandl.com Web site by using IIS. AD FS requires an SSL
connection for all claims-aware Windows applications.
To add an SSL certificate to the external Office SharePoint 2007 Web site

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand Web Sites, right-click External Users Web site, and then click Properties.
3. Click Directory Security, and then click Server Certificate.
4. On the Welcome to the Web Server Certificate Wizard page, click Next.
5. Choose whether to import from an existing certificate file or request a new certificate.
6. After the certificate is imported, close the External Users Web site properties sheet.

Next, configure the authentication provider on the external Web site to use Web Single Sign On (SSO).
To configure the authentication provider of the Extranet Web application to use Web SSO

1. Click Start, point to Administrative Tools, and then click SharePoint 3.0 Central Administration, and then click
Application Management.
2. Under the Application Security heading, click Authentication providers.
3. In the Web application box, click Change Web Application, and then click SharePoint - 80.
4. Click Extranet.
5. For Authentication Type, select the Web single sign on option.
6. In the Membership provider name box, type SingleSignOnMembershipProvider2.
7. In the Role manager name box, type SingleSignOnRoleProvider2.
8. For Enable client integration, select the No option, and then click Save.

Next, configure the internal Web application to accept claims from the external Web site by editing the
web.config file for the internal Web site:
To configure the internal Web site to accept claims from the external Web site
1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\80.
2. Right-click web.config, and then click Open.
3. Select the Select the program from a list option, click Notepad, clear the Always use the selected program to open this
kind of file check box, and then click OK.
4. Add the following text under the line that reads <authentication mode ="Windows" />:
    <membership>
      <providers>
        <add name="SingleSignOnMembershipProvider2"
             type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
      </providers>
    </membership>

    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
      <providers>
        <remove name="AspNetSqlRoleProvider" />
        <add name="SingleSignOnRoleProvider2"
             type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
             fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
      </providers>
    </roleManager>
5. Click File, and then click Save.
6. Close Notepad.
7. At a command prompt, type IISRESET, and then press ENTER.
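A check, added here and not part of the guide, that the edited web.config carries the provider names and federation server URL entered earlier in this appendix; a name that differs from what was typed in Central Administration, or an http:// federation URL, is a common cause of the SSO sign-in failing. It assumes Windows PowerShell is installed on SPS-SRV (it is not part of Windows Server 2003 R2) and uses the path and values from the procedure above:

```powershell
# Added example, not from the guide: validate the AD FS provider entries in the
# internal site's web.config against the values used in this appendix.
$configPath = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'
$expected = @{
    'membership'  = 'SingleSignOnMembershipProvider2'   # as typed in Central Administration
    'roleManager' = 'SingleSignOnRoleProvider2'
}
$fsUrl = 'https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx'

[xml]$config = Get-Content $configPath
$problems = @()

foreach ($section in $expected.Keys) {
    $node = $config.configuration.'system.web'.$section
    if ($null -eq $node) { $problems += "<$section> element is missing"; continue }
    $add = @($node.providers.add) | Where-Object { $_.name -eq $expected[$section] }
    if (-not $add) {
        $problems += "<$section> has no provider named $($expected[$section])"
        continue
    }
    # The fs attribute must point at the federation server over HTTPS; a plain
    # http:// URL would carry the federation exchange in the clear.
    if ($add.fs -ne $fsUrl) {
        $problems += "<$section> provider fs is '$($add.fs)', expected $fsUrl"
    }
    if ($add.type -notmatch 'PublicKeyToken=31bf3856ad364e35') {
        $problems += "<$section> provider type is not the strong-named SingleSignOn assembly"
    }
}

# roleManager must be enabled and the SQL role provider removed, as in step 4.
$rm = $config.configuration.'system.web'.roleManager
if ($rm -and $rm.enabled -ne 'true') { $problems += '<roleManager> is not enabled' }
if ($rm -and -not (@($rm.providers.remove) | Where-Object { $_.name -eq 'AspNetSqlRoleProvider' })) {
    $problems += 'AspNetSqlRoleProvider was not removed from <roleManager>'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
'web.config provider entries match the Central Administration settings.'
```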

Next, add Terrence Philip (TREYRESEARCH\tphilip) to the default document library.


To add Terrence Philip to the default document library

1. Click Start, point to All Programs, and then click Internet Explorer.
2. Type http://SPS-SRV in the address bar, and then click Go. This will open the default Office SharePoint Server 2007 site that
was created during installation.
3. Click Site Actions, point to Site Settings, and then click People and Groups.
4. Click New, and then click Add Users.
5. In the Users/Groups box, type tphilip@treyresearch.net, and then click OK.

Important:

If the internal SharePoint Web site is not able to resolve Terrence Philip using the procedure above, you should ensure all of the
previous steps were completed correctly before continuing through the rest of this appendix.
Next, edit the web.config file on the external Web site. Several entries must be made, so each
individual entry is given its own procedure.
To add a new entry in the <configSections> node

1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\external-sps.cpandl.com443.
2. Right-click web.config, and then click Open.
3. Select the Select the program from a list option, click Notepad, and then clear the Always use the selected program to
open this kind of file check box.
4. Add the following text in the <configSections> node:
