Features in AD RMS
By using Server Manager, you can set up the following components of AD RMS:
Active Directory Rights Management Services. The Active Directory Rights Management Services (AD RMS) role service
is a required role service that installs the AD RMS components used to publish and consume rights-protected content.
Identity Federation Support. The identity federation support role service is an optional role service that allows federated
identities to consume rights-protected content by using Active Directory Federation Services.
Hardware and software considerations
AD RMS runs on a computer running the Windows Server 2008 operating system. When the AD RMS
server role is installed, the required services are installed, one of which is Internet Information Services
(IIS). AD RMS also requires a database, such as Microsoft SQL Server, which can be run either on the
same server as AD RMS or on a remote server, and an Active Directory Domain Services forest.
The following table describes the minimum hardware requirements and recommendations for running
Windows Server 2008-based servers with the AD RMS server role.
Requirement | Recommendation
One Pentium 4 3 GHz processor or higher | Two Pentium 4 3 GHz processors or higher
A limited set of server roles is available for the Server Core installation option of Windows Server 2008 and for Windows
Server 2008 for Itanium-Based Systems.
To assist with your hardware considerations, use testing in a lab environment, data from existing
hardware in a production environment, and pilot roll-outs to determine the capacity needed for your
server.
The following table describes the software requirements for running Windows Server 2008-based servers
with the AD RMS server role. For requirements that can be met by enabling features on the operating
system, installing the AD RMS server role will configure those features as appropriate, if they are not
already configured.
Software | Requirement
Operating system | Windows Server 2008, except for Windows Web Server 2008
Active Directory or Active Directory Domain Services | AD RMS must be installed in an Active Directory domain in which the domain controllers are running Windows Server 2000 with Service Pack 3 (SP3), Windows Server 2003, or Windows Server 2008. All users and groups who use AD RMS to acquire licenses and publish content must have an e-mail address configured in Active Directory.
Database server | AD RMS requires a database server, such as Microsoft SQL Server 2005, and stored procedures to perform operations.
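The e-mail address requirement in the table above is the one most often missed before an AD RMS rollout: a user or group with no mail attribute cannot acquire a license. The following pre-installation check is an added example, not part of the Microsoft guide; it uses ADSI directly so it runs on Windows Server 2008 without the Active Directory PowerShell module, assumes a domain-joined computer in the cpandl.com lab domain, and skips disabled accounts and built-in (isCriticalSystemObject) principals to keep the report to principals that will actually use AD RMS.

```powershell
# Added example (not from the Microsoft guide): list enabled users and groups
# in the domain that have no mail attribute and therefore cannot acquire
# AD RMS licenses or publish content until one is configured.
# Assumes: PowerShell 2.0 or later on a domain-joined computer; the search
# base defaults to the domain the computer belongs to (cpandl.com in the lab).

param(
    [string]$SearchBase = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
)

function Get-PrincipalsWithoutMail {
    param([string]$Base)

    # Enabled users (ACCOUNTDISABLE bit 2 excluded via LDAP_MATCHING_RULE_BIT_AND)
    # or groups, that lack a mail value and are not built-in system objects.
    $filter = '(&(|(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' +
              '(objectCategory=group))' +
              '(!(mail=*))(!(isCriticalSystemObject=TRUE)))'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $Base)
    $searcher.Filter = $filter
    $searcher.PageSize = 1000   # paged results so large domains are not truncated
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@('sAMAccountName', 'objectCategory', 'distinguishedName'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        # objectCategory is a schema DN such as CN=Group,CN=Schema,... or CN=Person,...
        $category = [string]$p['objectcategory'][0]
        if ($category -match '^CN=Group,') { $type = 'Group' } else { $type = 'User' }
        New-Object PSObject -Property @{
            Type              = $type
            SamAccountName    = [string]$p['samaccountname'][0]
            DistinguishedName = [string]$p['distinguishedname'][0]
        }
    }
}

$missing = @(Get-PrincipalsWithoutMail -Base $SearchBase)
if ($missing.Count -eq 0) {
    Write-Host "All enabled users and groups under $SearchBase have a mail attribute."
} else {
    Write-Warning ("{0} principal(s) have no mail attribute and cannot use AD RMS until one is set:" -f $missing.Count)
    $missing | Sort-Object Type, SamAccountName |
        Format-Table Type, SamAccountName, DistinguishedName -AutoSize
}
```

Run it once before adding the AD RMS role and again after populating the mail attribute; an empty report satisfies the table's Active Directory requirement for the accounts you will test with.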
The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as Microsoft
Word, Outlook, or PowerPoint in Microsoft Office 2007. In order to create rights-protected content,
Microsoft Office 2007 Enterprise, Professional Plus, or Ultimate is required. For additional security,
AD RMS can be integrated with other technologies such as smart cards.
Windows Vista includes the AD RMS client by default, but other client operating systems must have the
RMS client installed. The RMS client with Service Pack 2 (SP2) can be downloaded from the Microsoft
Download Center and works on versions of the client operating system earlier than Windows Vista and
Windows Server 2008.
For more detailed information about hardware and software considerations with AD RMS, see the Pre-installation Information for Active Directory Rights Management Services topic on the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=84733).
Installing AD RMS
After you finish installing the operating system, you can use Initial Configuration Tasks or Server
Manager to install server roles. To install AD RMS, in the list of tasks, click Add roles, and then click the
Active Directory Rights Management Services check box.
For detailed instructions about installing and configuring AD RMS in a test environment, see the AD RMS installation Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).
Managing AD RMS
Server roles are managed by using a Microsoft Management Console (MMC) snap-in. Use the Active
Directory Rights Management Services console to manage AD RMS. To open the Active Directory Rights
Management console, click Start, point to Administrative Tools, and then click Active Directory
Rights Management Services.
For Windows Server 2008, Active Directory Rights Management Services (AD RMS) includes several
new features that were not available in Microsoft Windows Rights Management Services (RMS).
These new features were designed to ease administrative overhead of AD RMS and to extend its use
outside of your organization. These new features include:
Inclusion of AD RMS in Windows Server 2008 as a server role
Administration through a Microsoft Management Console (MMC)
Integration with Active Directory Federation Services (AD FS)
Self-enrollment of AD RMS servers
Ability to delegate responsibility by means of new AD RMS administrative roles
Note:
This topic concentrates on the features specific to AD RMS that are being released with Windows Server 2008. Earlier versions of RMS were available as a separate download. For more information about the features that were available in RMS, see Windows Server 2003 Rights Management Services (RMS) (http://go.microsoft.com/fwlink/?LinkId=68637).
Integration with AD FS
Enterprises are increasingly feeling the need to collaborate outside their enterprise boundaries and are
looking at federation as a solution. Federation support with AD RMS will allow enterprises to leverage
their established federated relationships to enable collaboration with external entities. For example, an
organization that has deployed AD RMS can set up federation with an external entity by using AD FS and
can leverage this relationship to share rights-protected content across the two organizations without
requiring a deployment of AD RMS in both places.
2008 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy
Statement
Windows Server Active Directory Rights Management Services Step-by-Step Guide
To prepare your AD RMS test environment in the CPANDL domain, you must complete the following
tasks:
Configure the domain controller (CPANDL-DC)
Configure the AD RMS database computer (ADRMS-DB)
Configure the AD RMS root cluster computer (ADRMS-SRV)
Configure the AD RMS client computer (ADRMS-CLNT)
Use the following table as a reference when setting up the appropriate computer names, operating
systems, and network settings that are required to complete the steps in this guide.
Important:
Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your computers still has Internet connectivity. You should also install any available critical security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).
Computer name | Operating system requirement | IP settings | DNS settings
CPANDL-DC | Windows Server 2003 with Service Pack 2 (SP2) or Windows Server 2008 | IP address: 10.0.0.1; Subnet mask: 255.255.255.0 | Configured by DNS server role.
Access to the Enterprise Admins group should be granted only while AD RMS is being installed. After installation is complete, the
cpandl\ADRMSADMIN account should be removed from this group.
To add ADRMSADMIN to the Enterprise Admins group
1. Log on to CPANDL-DC with the cpandl\Administrator account or another user account in the Domain Admins group.
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
3. In the console tree, expand cpandl.com, double-click Users, and then double-click Enterprise Admins.
4. Click the Members tab, and then click Add.
5. Type adrmsadmin@cpandl.com, and then click OK.
Note:
At this point in the guide, you can remove cpandl\ADRMSADMIN from the local Administrators group on ADRMS-DB.
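The two notes above are the least-privilege part of the installation: cpandl\ADRMSADMIN holds Enterprise Admins only while AD RMS is being installed and is also dropped from the local Administrators group on ADRMS-DB. The following script is an added example, not part of the Microsoft guide; it verifies that both removals were actually carried out. It assumes cpandl.com is the forest root domain (where Enterprise Admins lives), PowerShell 2.0 or later, and that it is run on ADRMS-DB so the local group check applies to that computer; only direct membership is examined.

```powershell
# Added example (not from the Microsoft guide): confirm that the temporary
# privileges granted to the AD RMS installation account have been revoked.
# Assumes: forest root domain cpandl.com, PowerShell 2.0+, run on ADRMS-DB
# (or pass -Computer) for the local Administrators check.

param(
    [string]$Account     = 'ADRMSADMIN',
    [string]$DomainDn    = 'DC=cpandl,DC=com',
    [string]$NetBiosName = 'cpandl',
    [string]$Computer    = $env:COMPUTERNAME
)

function Test-DomainGroupMember {
    param([string]$GroupDn, [string]$SamAccountName, [string]$DomainDn)
    # Resolve the account to its DN and compare it against the group's member attribute
    # (direct membership only; nested groups are not expanded).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $DomainDn)
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $user = $searcher.FindOne()
    if ($user -eq $null) { throw "Account $SamAccountName was not found under $DomainDn" }
    $userDn  = [string]$user.Properties['distinguishedname'][0]
    $group   = [ADSI]("LDAP://" + $GroupDn)
    $members = @($group.member | ForEach-Object { [string]$_ })
    return ($members -contains $userDn)     # -contains is case-insensitive, as DNs are
}

function Test-LocalGroupMember {
    param([string]$Computer, [string]$GroupName, [string]$DomainNetBios, [string]$SamAccountName)
    # The WinNT provider reports members by ADsPath, e.g. WinNT://CPANDL/ADRMSADMIN.
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    $paths = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    return ($paths -contains "WinNT://$DomainNetBios/$SamAccountName")
}

$findings = @()
$eaDn = "CN=Enterprise Admins,CN=Users,$DomainDn"
if (Test-DomainGroupMember -GroupDn $eaDn -SamAccountName $Account -DomainDn $DomainDn) {
    $findings += "$NetBiosName\$Account is still a member of Enterprise Admins; remove it now that the AD RMS installation is complete."
}
if (Test-LocalGroupMember -Computer $Computer -GroupName 'Administrators' -DomainNetBios $NetBiosName -SamAccountName $Account) {
    $findings += "$NetBiosName\$Account is still in the local Administrators group on $Computer."
}
if ($findings.Count -eq 0) {
    Write-Host "OK: $NetBiosName\$Account holds neither Enterprise Admins nor local Administrators on $Computer."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```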
Your AD RMS root cluster is now installed and configured.
Further management of AD RMS is done by using the Active Directory Rights Management Services
console.
To open the Active Directory Rights Management Services console
1. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
Continue.
From the console, you can configure trust policies, configure exclusion policies, and create rights policy
templates.
To verify the functionality of the AD RMS deployment, you will log on as Nicole Holliday and then restrict
permissions on a Microsoft Word 2007 document so that members of the CP&L Engineering group are
able to read the document but unable to change, print, or copy. You will then log on as Stuart Railson,
verifying that the proper permission to read the document has been granted, and nothing else. Then, you
will log on as Limor Henig. Since Limor is not a member of the Engineering group, he should not be able
to consume the rights-protected file.
To restrict permissions on a Microsoft Word document
Finally, log on as Limor Henig and verify that he is not able to consume the rights-protected file.
To attempt to view a rights-protected document
You have successfully deployed and demonstrated the functionality of AD RMS, using the simple scenario
of applying restricted permissions to a Microsoft Word 2007 document. You can also use this deployment
to explore some of the additional capabilities of AD RMS through additional configuration and testing.
Computer name | Operating system | Applications and services
CPANDL-DC, TREY-DC | Windows Server 2003 with Service Pack 2 (SP2) | Active Directory, Domain Name System (DNS)
ADRMS-DB | Windows Server 2003 with SP2 | Microsoft SQL Server 2005 Standard Edition with Service Pack 2 (SP2)
ADFS-RESOURCE | Windows Server 2008 Enterprise or Windows Server 2003 R2 Enterprise Edition | AD FS, IIS
ADFS-ACCOUNT | Windows Server 2008 Enterprise or Windows Server 2003 R2 Enterprise Edition with SP2 | AD FS, IIS
Note:
Before installing and configuring the components in this guide, you should verify that your hardware meets the minimum requirements for AD RMS (http://go.microsoft.com/fwlink/?LinkId=84733).
The computers form two private intranets and are connected through a common hub or Layer 2 switch.
This configuration can be emulated in a virtual server environment, if desired. This step-by-step exercise
uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used
for the intranet. The domain controller for the domain named cpandl.com is CPANDL-DC and the domain
controller for the domain name treyresearch.net is TREY-DC. The following figure shows the configuration
of the test environment:
Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide
Before you install AD FS and the AD RMS Identity Federation Support role service, you need to make
changes to the infrastructure of the CPANDL domain. In this step, you will perform the following tasks to
install the required Active Directory Federation Services resource partner and add it to the CP&L
Enterprises infrastructure.
This section includes the following procedures:
Install AD FS resource partner (ADFS-RESOURCE)
Create the ADFSADMIN user account
Add the ADFSADMIN user account to the local Administrators group on ADFS-RESOURCE
Configure a DNS forwarder
This step assumes that you have completed the Windows Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).
Use the following table as a reference when setting up the appropriate computer names, operating
systems, and network settings that are required to complete the steps in this guide.
Important:
Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your computers still has Internet connectivity. You should also install any available critical security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47290).
Computer name | Operating system requirement | IP settings | DNS settings
ADFS-RESOURCE | Windows Server 2003 R2 Enterprise Edition with Service Pack 2 (SP2) or Windows Server 2008 Enterprise | IP address: 10.0.0.7; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.1
Windows Server 2003 R2 Enterprise Edition is required for the federation servers.
1. Start your computer by using the Windows Server 2003 R2 Enterprise Edition product CD.
2. Follow the instructions that appear on your computer screen, and when prompted for a computer
name, type ADFS-RESOURCE.
In this step, configure TCP/IP properties so that ADFS-RESOURCE has a static IP address of 10.0.0.7.
To configure TCP/IP properties on ADFS-RESOURCE
2. Click Start, point to Control Panel, and then double-click Network Connections.
4. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
5. Click the Use the following IP address option. In the IP address box, type 10.0.0.7. In the
Subnet mask box, type 255.255.255.0.
6. Click the Use the following DNS server addresses option. In the Preferred DNS server box,
type 10.0.0.1.
7. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
Next, join the federation resource partner (ADFS-RESOURCE) computer to the CP&L domain:
To join ADFS-RESOURCE to CPANDL domain
4. In the Computer Name Changes dialog box, click Domain, and then type cpandl.com.
5. Click More, and then type cpandl.com in the Primary DNS suffix of this computer box.
6. Click OK twice.
7. When a Computer Name Changes dialog box appears prompting you for administrative
credentials, provide the credentials, and click OK.
Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide
Before you install AD FS and the AD RMS Federation Identity Support role service, you should install and
configure the Trey Research infrastructure. In this step, you will install the required computers that make
up the Trey Research domain:
Configure the domain controller (TREY-DC)
Create user accounts
Configure the federation account partner (ADFS-ACCOUNT)
Configure the AD RMS-enabled client computer (ADRMS-CLNT2)
Use the following table as a reference when setting up the appropriate computer names, operating
systems, and network settings that are required to complete the steps in this guide.
Important:
Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows
product activation while each of your computers still has Internet connectivity.
Computer name | Operating system requirement | IP settings | DNS settings
TREY-DC | Windows Server 2003 with Service Pack 2 (SP2) or Windows Server 2008 | IP address: 10.0.0.30; Subnet mask: 255.255.255.0 | Configured by DNS server role.
ADFS-ACCOUNT | Windows Server 2008 Enterprise or Windows Server 2003 R2 Enterprise Edition with Service Pack 2 (SP2) | IP address: 10.0.0.31; Subnet mask: 255.255.255.0 | Preferred: 10.0.0.30
Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide
Now that you have configured the computers that will be used as
federation servers, you are ready to install Active Directory Federation
Services (AD FS) components on each of the computers. This section includes the following procedures:
Install the Federation Service on ADFS-RESOURCE and ADFS-ACCOUNT
Configure ADFS-ACCOUNT to work with AD RMS
Configure ADFS-RESOURCE to work with AD RMS
2. Click Start, point to Control Panel, and then click Add or Remove Programs.
4. In the Windows Components Wizard, click Active Directory Services, and then click Details.
5. In the Active Directory Services dialog box, click Active Directory Federation Services
(ADFS), and then click Details.
6. In the Active Directory Federation Services (ADFS) dialog box, select the Federation
Service check box, and then click OK. If Microsoft ASP.NET 2.0 was not previously enabled, click
Yes to enable it, and then click OK.
9. On the Federation Service page, click the Select token certificate option, and select the
certificate that should be used as the token signing certificate.
10. Under Trust policy, click Create a new trust policy, and then click Next.
11. If you are prompted for the location of the installation files, insert the Windows Server 2003 R2
Enterprise Edition product disc, and then click OK.
12. On the Completing the Windows Components Wizard page, click Finish.
14. Repeat steps 2 through 12 for the ADFS-ACCOUNT computer using the TREYRESEARCH\ADFSADMIN user
account.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.
6. On the Select Server Roles page, click Active Directory Federation Services.
7. Click Next.
9. On the Select Role Services page, select the Federation Service check box. If you are
prompted to install additional role services, click Add Required Role Services, and then click
1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand Partner Organizations.
2. Right-click Resource Partners, point to New, and then click Resource Partner.
3. On the Welcome to the Add Resource Partner Wizard page, click Next.
4. Select the No option on the Import Policy File page, and then click Next.
5. On the Resource Partner Details page, in the Display name box, type CP&L Enterprises.
Note:
8. On the Federation Scenario page, click the Federated Web SSO option, and then click Next.
9. Select the UPN Claim and E-mail Claim check boxes, and then click Next.
10. Click the Pass all UPN suffixes through unchanged option, and then click Next.
11. Click the Pass all E-mail suffixes through unchanged option, and then click Next.
12. Ensure that the Enable this resource partner check box is checked, and then click Next.
14. Right-click the new CP&L Enterprises resource partner, point to New, and then click Outgoing
Custom Claim Mapping.
15. In the Outgoing custom claim name box, type ProxyAddresses, and then click OK.
2. Click Start, point to Administrative Tools, and then click Active Directory Federation
Services.
3. Expand Federation Service, right-click Trust Policy, and then click Properties.
Note:
6. On the Display Name tab, in Display name for this trust policy, type CP&L Enterprises, and
then click OK.
1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand My Organization.
2. Right-click Organization Claims, point to New, and then click Organization Claim.
Note:
Next, add an Active Directory account store to the Federation Service for the CPANDL domain.
To add an Active Directory account store to ADFS-RESOURCE
1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand My Organization.
2. Right-click Account Stores, point to New, and then click Account Store.
3. On the Welcome to the Add Account Store Wizard page, click Next.
4. On the Account Store Type page, select the Active Directory Domain Services option, and
then click Next.
Note:
On Windows Server 2003 R2 Enterprise Edition, this option is called Active Directory.
5. On the Enable this Account Store page, select the Enable this account store check box, and
then click Next.
6. On the Completing the Add Account Store Wizard page, click Finish.
7. Double-click the E-mail organization claim, select the Enabled check box, type mail in the LDAP
attribute box, and then click OK.
8. Right-click the Active Directory account store, point to New, and then click Custom claim
extraction.
1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand My Organization.
4. On the Application Type page, select the Claims-aware application option, and then click
Next.
Note:
The application URL is case sensitive and the name of the AD RMS extranet cluster should match
the return URL value of the ADRMS-SRV computer exactly. If the values do not match, AD FS
functionality will not work.
7. On the Accepted Identity Claims page, select the User principal name (UPN) and E-mail
check boxes, and then click Next.
8. On the Enable this Application page, select the Enable this application check box, and then
click Next.
10. In the task pane, double-click ProxyAddresses, select the Enabled check box, and then click
OK.
Use the following procedure to add the AD RMS licensing pipeline as a claims-aware application.
To add AD RMS licensing as a claims-aware application
1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand My Organization.
4. On the Application Type page, select the Claims-aware application option, and then click
Next.
Note:
The application URL is case sensitive and the computer name in the URL should match the return
URL value of the ADRMS-SRV computer exactly. If the values do not match, AD FS functionality
will not work.
7. On the Accepted Identity Claims page, select the User principal name (UPN) and E-mail
check boxes, and then click Next.
8. On the Enable this Application page, click the Enable this application check box, and then
click Next.
10. In the task pane, double-click ProxyAddresses, click the Enabled check box, and then click OK.
Next, add an account partner to ADFS-RESOURCE. This account partner receives requests from the
ADFS-ACCOUNT computer in the TREYRESEARCH domain.
To add an account partner to ADFS-RESOURCE
1. In the Active Directory Federation Services console, expand Federation Service, expand Trust
Policy, and then expand Partner Organizations.
2. Right-click Account Partners, point to New, and then click Account Partner.
3. On the Welcome to the Add Account Partner Wizard page, click Next.
4. On the Import Policy File page, click the No option, and then click Next.
5. On the Resource Partner Details page , in the Display name box, type Trey Research.
8. On the Account Partner Verification page, type the path where the token signing certificate is
stored, and then click Next.
9. Select the Federated Web SSO option, and then click Next.
10. Select the UPN Claim and E-mail Claim check boxes, and then click Next.
11. On the Accepted UPN Suffixes page, type treyresearch.net, click Add, and then click Next.
12. On the Accept E-mail Suffixes page, type treyresearch.net, click Add, and then click Next.
13. Verify that the Enable this account partner check box is selected, and then click Next.
15. Right-click the Trey Research account partner, point to New, and then click Incoming Custom
Claim Mapping.
16. In the Incoming custom claim name box, type ProxyAddresses, and then click OK.
Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide
Windows Server 2008 includes the option to install identity federation support for AD RMS as a role
service through Server Manager. This step of the guide covers the following tasks:
Grant security audit privileges to the AD RMS service account
Add the AD RMS extranet cluster URLs
Add the AD RMS Identity Federation Support role service
Enable Identity Federation Support in the Active Directory Rights Management Services console
2. Click Start, point to Administrative Tools, and then click Local Security Policy.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.
2. Open the Active Directory Rights Management Services console. Click Start, point to
Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.
5. Click the Cluster URLs tab, and then select the Extranet URLs check box.
8. Click OK.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.
4. In the Roles Summary box, click Active Directory Rights Management Services, and then
click Add Role Services.
5. Select the Identity Federation Support check box. Ensure that the Claims-aware Agent is
listed as a required role service, and then click Add Required Role Services.
6. Click Next.
9. On the AD FS Role Service page, confirm that Claims-aware Agent is selected, and then click
Next.
10. Click Install to add the Identity Federation Support role service to the ADRMS-SRV computer.
2. Open the Active Directory Rights Management Services console and expand the AD RMS
cluster.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.
4. In the console tree, expand Trust Policies, and then click Federated Identity Support.
7. On the Active Directory Federation Service Policies tab, in Federated Identity Certificate
validity period, type 7. This is the number of days that federated rights account certificates are to
be valid.
8. Click OK.
Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide
To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday, create a Microsoft
Word 2007 document, and then restrict permissions on it so that Terence Philip is able to read the
document but is unable to change, print, or copy it. You then log on as Terence Philip, verifying that
Terence Philip can read the document but do nothing else with it.
To restrict permissions on a Microsoft Word document
Finally, log on as Terence Philip on ADRMS-CLNT2 in the TREYRESEARCH.NET domain and attempt to
open the document, ADRMS-TST.docx.
To view a protected document
You have successfully deployed and demonstrated the functionality of using identity federation with
AD RMS, using the simple scenario of applying restricted permissions to a Microsoft Word 2007
document. You can also use this deployment to explore some of the additional capabilities of AD RMS
through additional configuration and testing.
Creating and Deploying Active Directory
Rights Management Services Rights Policy
Templates Step-by-Step Guide
Updated: March 24, 2008
Computer name | Operating system | Applications and services
ADRMS-SRV | Windows Server 2008 | AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, Message Queuing (also known as MSMQ), and Windows Internal Database
CPANDL-DC | Windows Server 2003 with Service Pack 2 (SP2) | Active Directory, Domain Name System (DNS)
ADRMS-DB | Windows Server 2003 with SP2 | Microsoft SQL Server 2005 Standard Edition
ADRMS-CLNT | Windows Vista with SP1 | Microsoft Office Word 2007 Enterprise Edition
The computers form a private intranet and are connected through a common hub or Layer 2 switch. This
configuration can be emulated in a virtual server environment if desired. This step-by-step exercise uses
private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for
the intranet. The domain controller is named CPANDL-DC for the domain named cpandl.com.
The following figure shows the configuration of the test environment:
Creating and Deploying Active Directory Rights Management Services Rights Policy Templates Step-by-Step Guide
The AD RMS service account must have Write access to the rights policy template shared folder in order for the rights policy
template export function to work correctly.
To create a new AD RMS rights policy template
Note:
AD RMS in Windows Server 2008 introduces the concept of distributed and archived rights policy templates. Through the Active
Directory Rights Management Services console, you can select rights policy templates to distribute to client computers and archive
the rights policy templates that should not be distributed. An archived rights policy template allows the AD RMS server to generate
end user licenses for rights-protected content that has a publishing license generated from that template. By default, a rights policy
template is distributed. A rights policy template should not be deleted because any content protected by that rights policy template
will not be accessible.
The AD RMS client is included in the default installation of Windows Vista, Windows Vista with Service
Pack 1, and Windows Server 2008. Previous versions of the client are available for download for other
Windows operating systems. However, only AD RMS clients running Windows Vista with SP1 or Windows
Server 2008 support automatic rights policy template distribution.
Note:
Windows Vista Service Pack 1 can be downloaded from Windows Update (http://go.microsoft.com/fwlink/?LinkID=37392) for a single computer or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=114577) for multiple computers.
This guide assumes that an AD RMS cluster is already configured in a test environment. Additionally,
extra configuration is required on the AD RMS client workstation so that the rights policy templates are
accessible.
The automated scheduled task works only on computers that are joined to your organization's domain. The manual scheduled task should be used for users with a domain account who are using a client computer that is not joined to your organization's domain. In order for the manual scheduled task to work, you must configure the Enterprise Publishing client registry override found in the following registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing.
To enable the automated scheduled task
4. If the User Account Control dialog box appears, confirm that the action it displays is what you
want, and then click Continue.
5. Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active
Directory Rights Management Services Client.
6. Right-click AD RMS Rights Policy Template Management (Automated), and then click
Enable.
Note:
The automated scheduled task can also be enabled from the command prompt or through Systems Management Server or Group Policy by using the following command (the task name contains spaces and must be quoted):
schtasks /Change /TN "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)" /ENABLE
8. Click Start, type regedit.exe in the Start Search box, and then press ENTER.
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
Note:
If DRM was not already created as a part of the key, you must create it manually. For Microsoft
Office 2003, the registry entry is as follows:
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\DRM.
10. Right-click DRM, click New, and then click Expandable String Value.
11. In the Value name box, type AdminTemplatePath, and then press ENTER.
Important:
If you are using a 64-bit version of Windows, you must also configure this registry entry in the following location:
HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\MSDRM.
Next, you should log on as Nicole Holliday (cpandl\nhollida) on ADRMS-CLNT, wait for about an hour, and
check the following directory:
%LocalAppData%\Microsoft\DRM\Templates
where %LocalAppData% equals C:\Users\nhollida\AppData\Local. Once the rights policy template has been
copied to the client, you are ready to continue to step 3 of this guide.
Note:
The automated scheduled task does not query the AD RMS template distribution pipeline each time it runs. Instead, it checks the updateFrequency registry entry. This entry specifies the time interval (in days) after which the client should update its rights policy templates. The default, when the entry is not present, is to check for new, deleted, or modified rights policy templates every 30 days. The entry is found at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also configure updateIfLastUpdatedBeforeTime, which forces the client computer to update its rights policy templates if they were last updated before the specified time.
Distribute Rights Policy Template Manually
You can still distribute rights policy templates manually through other methods, such as Systems
Management Server and Group Policy. This is required for all AD RMS clients that are not running
Windows Vista with SP1 or Windows Server 2008. To do this, you must configure an export location for
the rights policy templates as described in Step 1 of this guide. The rights policy templates exported to
this shared folder must be copied to the folder specified in the AdminTemplatePath registry entry, as
described in the previous procedure named To enable the automated scheduled task.
Note:
When distributing rights policy templates manually, you should not use the %LocalAppData%\Microsoft\DRM\Templates folder.
If you later enable automatic rights policy template distribution, there will be a conflict because the AD RMS cluster will not
recognize or manage the templates in this folder that were deployed manually.
To distribute a rights policy template manually
2. Click Start, type regedit.exe in the Start Search box, and then press ENTER.
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
Note:
If DRM was not already created as a part of the key, you must create it manually.
4. Right-click DRM, click New, and then click Expandable String Value.
9. Click Start, type \\ADRMS-DB\Public in the Start Search box, and then press ENTER.
10. Copy the exported AD RMS rights policy templates from \\ADRMS-DB\Public to
C:\Users\nhollida\AppData\Local\Microsoft\DRM\Templates_Manual.
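The two procedures above (enabling the automated scheduled task, and distributing templates manually) can be scripted and verified from one PowerShell session on the client. The following is an added example written for this page, not code from the TechNet guide. It assumes Office 2007 (registry version 12.0) and the guide's export share \\ADRMS-DB\Public; because the guide's step that supplies the value data for AdminTemplatePath is not reproduced on this page, the automated mode points AdminTemplatePath at the %LocalAppData%\Microsoft\DRM\Templates folder that the automated task populates, and the manual mode at Templates_Manual as in the manual procedure. Registry value names are written as they appear in the guide (they are not case-sensitive).

```powershell
# Added example (not part of the TechNet guide): configure an AD RMS client for
# rights policy template distribution, automated (Vista SP1 / Server 2008 scheduled
# task) or manual (templates copied from the export share), and report which
# templates the client can see.
# Assumptions: Office 2007 (registry version 12.0); export share \\ADRMS-DB\Public;
# the automated task fills %LocalAppData%\Microsoft\DRM\Templates, so
# AdminTemplatePath is pointed there in automated mode (the guide's step giving the
# value data is not reproduced on this page).

$OfficeDrmKey      = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$TemplatePolicyKey = 'HKCU:\Software\Policies\Microsoft\MSDRM\TemplateManagement'
$AutomatedTask     = '\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)'

function Set-ExpandStringValue {
    param([string]$Key, [string]$Name, [string]$Value)
    # The DRM subkey may not exist yet (the guide says to create it manually)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # REG_EXPAND_SZ so %LocalAppData% is expanded per user when Office reads it
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType ExpandString -Force | Out-Null
}

function Enable-AdrmsAutomatedTemplates {
    param([int]$UpdateFrequencyDays = 30)   # the guide's default when the value is absent
    # Same command the guide gives for SMS / Group Policy deployment
    schtasks.exe /Change /TN $AutomatedTask /ENABLE | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE (domain-joined Vista SP1 / Server 2008 only)" }
    Set-ExpandStringValue -Key $OfficeDrmKey -Name 'AdminTemplatePath' -Value '%LocalAppData%\Microsoft\DRM\Templates'
    if (-not (Test-Path $TemplatePolicyKey)) { New-Item -Path $TemplatePolicyKey -Force | Out-Null }
    # Interval in days between checks of the template distribution pipeline
    New-ItemProperty -Path $TemplatePolicyKey -Name 'updateFrequency' -Value $UpdateFrequencyDays -PropertyType DWord -Force | Out-Null
}

function Publish-AdrmsManualTemplates {
    param([string]$ExportShare = '\\ADRMS-DB\Public')
    # Separate folder: the guide warns that manually copied templates placed in the
    # automated Templates folder are not recognised or managed by the cluster.
    $target = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates_Manual'
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    Copy-Item -Path (Join-Path $ExportShare '*.xml') -Destination $target -Force
    Set-ExpandStringValue -Key $OfficeDrmKey -Name 'AdminTemplatePath' -Value '%LocalAppData%\Microsoft\DRM\Templates_Manual'
}

function Get-AdrmsClientTemplates {
    # Read AdminTemplatePath and expand it the way Office does (no-op if Get-ItemProperty
    # already expanded the REG_EXPAND_SZ value)
    $raw = (Get-ItemProperty -Path $OfficeDrmKey -ErrorAction Stop).AdminTemplatePath
    if (-not $raw) { throw "AdminTemplatePath is not set under $OfficeDrmKey" }
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    $automated = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates'
    if ($path -ne $automated -and (Test-Path $automated) -and (Get-ChildItem $automated -Filter *.xml)) {
        Write-Warning "Templates also present in $automated; enabling automatic distribution later will conflict with them."
    }
    Get-ChildItem -Path $path -Filter *.xml -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime, @{ n = 'Path'; e = { $_.FullName } }
}

# Domain-joined Vista SP1 client: enable the automated task and check every 7 days.
# Re-run Get-AdrmsClientTemplates after the task has had time to run (about an hour).
Enable-AdrmsAutomatedTemplates -UpdateFrequencyDays 7
Get-AdrmsClientTemplates

# Client that is not domain-joined: uncomment to copy the exported templates instead.
# Publish-AdrmsManualTemplates -ExportShare '\\ADRMS-DB\Public'; Get-AdrmsClientTemplates
```

Run it in the profile of the user who will author protected content (the keys are under HKEY_CURRENT_USER). The warning in Get-AdrmsClientTemplates implements the note above about mixing manually copied templates with the automated Templates folder.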
You have successfully deployed and demonstrated the rights templates policy feature of AD RMS, using
the simple scenario of applying a rights policy template to a Microsoft Word 2007 document. You can also
use this deployment to explore some of the additional capabilities of AD RMS through additional
configuration and testing.
Deploying Active Directory Rights Management Services in an Extranet Step-by-Step Guide
ISA Server 2006 Standard Edition is not required for AD RMS. Any reverse proxy server that has the ability to listen on TCP
ports 80 and 443 can be used. For the purposes of this guide, we will use ISA Server 2006 Standard Edition.
You will also need a USB flash drive or another medium to copy the files from the AD RMS-enabled client to the AD RMS-
enabled extranet client.
Computer name   Operating system                                 Applications and services
CPANDL-DC       Windows Server 2003 with Service Pack 1 (SP1)    Active Directory, Domain Name System (DNS)
ADRMS-DB        Windows Server 2003 with SP1                     Microsoft SQL Server 2005 Standard Edition
ISA-SRV         Windows Server 2003 with SP1                     Microsoft ISA Server 2006 Standard Edition
Note:
In a production environment, the ISA server's external address would be an IP address available to the Internet, giving extranet
users the ability to consume rights-protected content.
You must configure the extranet cluster URLs before you can rights-protect content. If you already have rights-protected content,
the AD RMS-enabled client must download a new client licensor certificate that includes the extranet cluster URL.
Configuring the extranet cluster URLs is done through the Active Directory Rights Management Services
console. You should follow these steps to accomplish this task:
To configure the AD RMS extranet cluster URLs
1. Log on to ADRMS-SRV as CPANDL\ADRMSADMIN.
2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
Continue.
4. Right-click ADRMS-SRV (Local), and then click Properties.
5. Click the Cluster URLs tab, and then select the Extranet URLs check box.
6. In the Licensing box, select https://, and then type adrms-srv.cpandl.com.
7. In the Certification box, select https://, and then type adrms-srv.cpandl.com.
8. Click OK.
Next, export the ADRMS-SRV server authentication certificate with its private key. ISA-SRV terminates
the HTTPS connections from ADRMS-EXCLNT on its Web listener with this certificate and then opens its own
HTTPS connection to the AD RMS cluster, so it needs both the certificate and the private key.
To export the ADRMS-SRV server authentication certificate with private key
1. Start your computer by using the Windows Server 2003 product CD.
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type ISA-SRV.
Next, configure TCP/IP properties so that ISA-SRV has a static IP address of 10.0.0.5 and preferred DNS
server with IP address 10.0.0.1 on the first network adapter. On the second network adapter, use
10.0.100.1 as the IP address.
To configure TCP/IP properties on ISA-SRV
Next, import the server authentication certificate that contains the private key into the Personal
certificate store on ISA-SRV; the Web listener created in the following procedure selects it from there.
To import the server authentication certificate to the ISA-SRV computer
1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. Expand ISA-SRV, and then click Firewall Policy.
3. Click the Tasks tab, and then click Publish Web Sites.
4. In the Web publishing rule name box, type AD RMS Extranet, and then click Next.
5. Click Next twice accepting the default selections.
6. Select the Use SSL to connect to the published Web server or server farm option, and then click Next.
7. In the Internal Site Name box, type adrms-srv.cpandl.com.
8. Select the Use a computer name or IP address to connect to the published server check box, type 10.0.0.2 in the
Computer name or IP address box, and then click Next.
9. In the Path (optional) box, type /*, select the Forward the original host header instead of the actual one specified in the
Internal site name field on the previous page check box, and then click Next.
10. In the Public name box, type adrms-srv.cpandl.com, and then click Next.
11. Click New to create a new Web listener.
12. In the Web listener name box, type HTTPS Port 443, and then click Next.
13. Select the Require SSL secured connections with clients option, and then click Next.
14. Select the External check box, and then click Next.
15. Select the Use a single certificate for this Web listener option, and then click Select Certificate.
16. Click the ADRMS-SRV.cpandl.com certificate, click Select, and then click Next.
17. In the Select how clients will provide credentials to ISA Server box, select No Authentication, click Next, and then click
Next again.
18. Click Finish to close the New Web Listener Wizard.
19. Click Next.
20. Click No delegation, but client may authenticate directly, and then click Next.
21. Click Next to apply this Web publishing rule to all users.
22. Click Finish.
23. Click Apply to save changes and update your configuration, and then click OK.
Finally, move the ADRMS-SRV server authentication certificate from the Personal certificate store to the
Trusted Root Certification Authorities store:
To move the ADRMS-SRV server authentication certificate
Next, configure TCP/IP properties so that ADRMS-EXCLNT has a static IP address of 10.0.100.2.
To configure TCP/IP properties
1. Click Start, click Control Panel, click Network and Internet, double-click Network and Sharing Center, click Manage
Network Connections in the left pane, right-click Local Area Connection, and then click Properties.
2. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
3. Select the Use the following IP address option. In IP address, type 10.0.100.2, in Subnet mask, type 255.255.255.0.
4. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
5. Close the other open windows and return to the desktop.
In this guide, a test environment without an external DNS server is used. In order for the extranet
cluster URLs to resolve to its appropriate IP address, you must create a manual entry in the HOSTS file
that points to ISA-SRV.
Note:
In a production environment, this step is not required because the extranet client computer's Internet Service Provider will handle
the DNS resolution.
To create an entry in the HOSTS file for AD RMS extranet cluster URL
To show the HOSTS file, when you get to the etc folder you must select All Files (above the Open button).
Next, import the ADRMS-SRV server authentication certificate into the Trusted Root Certification Authorities
store on ADRMS-EXCLNT. This is only required because self-signed certificates are used in this lab. In a
production environment, the certificate should be issued by a certification authority that the extranet
clients already trust, so that no per-client import is needed.
To import the server authentication certificate to the ADRMS-EXCLNT computer
1. Log on to ADRMS-EXCLNT with a user account that is a member of the local Administrators group.
2. Click Start, point to All Programs, and then click Internet Explorer.
3. In the Address bar, type https://adrms-srv.cpandl.com/_wmcs/licensing/license.asmx, and then press ENTER.
4. On the Certificate Error: Navigation Blocked Web page, click Continue to this website (not recommended).
5. In the User name box, type CPANDL\srailson. In the Password box, type the password for Stuart Railson, and then click
OK.
6. In the Address Bar, click Certificate Error, and then click View Certificates.
7. On the Certificate Information page, click Install Certificate.
8. On the Welcome to the Certificate Import Wizard page, click Next.
9. Select the Place all certificates in the following store option, click Browse, click Trusted Root Certification Authorities,
and then click OK.
10. Click Next, and then click Finish.
11. Click Yes, accepting the security warning. This only happens because self-signed certificates are used.
12. Click OK, confirming that the certificate import was successful.
13. Click OK to close the Certificate Information window.
14. Close Internet Explorer.
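The Web publishing rule, the HOSTS entry and the certificate import above can be checked end to end from ADRMS-EXCLNT before Office is involved. The following PowerShell is an added example written for this page, not code from the TechNet guide or from ISA Server. It assumes the guide's names and addresses (adrms-srv.cpandl.com published on the ISA-SRV external address 10.0.100.1, the licensing pipeline at /_wmcs/licensing/license.asmx) and that the thumbprint of the ADRMS-SRV certificate has been read beforehand from the Certificates console on ADRMS-SRV. Rather than clicking through "Continue to this website (not recommended)" and installing whatever certificate the listener presents, it pins the presented certificate to that thumbprint and installs it as a trusted root only when it matches. The 2008-era endpoint speaks TLS 1.0, which is requested explicitly; current clients may have that protocol disabled by policy.

```powershell
# Added example (not part of the TechNet guide): run on ADRMS-EXCLNT to check that
# the HOSTS entry resolves the cluster name to ISA-SRV, that the ISA Web listener
# presents the ADRMS-SRV certificate, and that a request for the licensing pipeline
# is forwarded to AD RMS. Then install the certificate as a trusted root only if it
# matches a thumbprint obtained out of band.
# Assumptions: adrms-srv.cpandl.com, ISA-SRV external address 10.0.100.1, TLS 1.0.

function Test-AdrmsExtranetEndpoint {
    param(
        [string]$HostName = 'adrms-srv.cpandl.com',
        [string]$ProxyAddress = '10.0.100.1',
        [Parameter(Mandatory)][string]$ExpectedThumbprint,   # from certmgr.msc on ADRMS-SRV
        [string]$PipelinePath = '/_wmcs/licensing/license.asmx'
    )
    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()

    # 1. Name resolution: the HOSTS entry must point the extranet cluster URL at ISA-SRV.
    $resolved = @()
    try { $resolved = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString } } catch { }

    # 2. TLS handshake with the proxy. Any certificate is accepted during the handshake;
    #    it is judged by thumbprint below instead of by chain building, because the lab
    #    certificate is self-signed.
    $client = New-Object System.Net.Sockets.TcpClient($ProxyAddress, 443)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # 3. One HTTP/1.1 request over the same connection. The Host header carries the
        #    public name because the publishing rule forwards the original host header.
        $request = "GET $PipelinePath HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length); $ssl.Flush()
        $statusLine = (New-Object System.IO.StreamReader($ssl)).ReadLine()
        $status = if ($statusLine -match '^HTTP/1\.[01] (\d{3})') { [int]$Matches[1] } else { 0 }

        [pscustomobject]@{
            ResolvesToProxy   = ($resolved -contains $ProxyAddress)
            Subject           = $cert.Subject
            Issuer            = $cert.Issuer
            NotAfter          = $cert.NotAfter
            Thumbprint        = $cert.Thumbprint
            ThumbprintMatches = ($cert.Thumbprint -eq $expected)
            StatusLine        = $statusLine
            # The guide shows a credential prompt at this URL, so an anonymous request
            # should be answered 401 by the AD RMS pipeline. Anything else means the
            # request did not reach the licensing pipeline on ADRMS-SRV.
            ReachedPipeline   = ($status -eq 401)
            Certificate       = $cert
        }
    }
    finally { $client.Close() }
}

function Install-AdrmsLabRootCertificate {
    # Replaces steps 4-11 of the import procedure: install the self-signed server
    # certificate as a trusted root only after the thumbprint check has passed.
    param([Parameter(Mandatory)]$Result)
    if (-not $Result.ThumbprintMatches) {
        throw "Presented certificate $($Result.Thumbprint) does not match the pinned thumbprint; not installing."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')   # machine store: needs a local Administrators token
    try { $store.Add($Result.Certificate) } finally { $store.Close() }
}

$result = Test-AdrmsExtranetEndpoint -ExpectedThumbprint '<thumbprint read from certmgr.msc on ADRMS-SRV>'
$result | Format-List ResolvesToProxy, Subject, Thumbprint, ThumbprintMatches, StatusLine, ReachedPipeline
Install-AdrmsLabRootCertificate -Result $result
```

A healthy result shows ResolvesToProxy, ThumbprintMatches and ReachedPipeline all True. If ThumbprintMatches is False while the TLS handshake succeeded, the listener is presenting a different certificate than the one exported from ADRMS-SRV, and nothing should be installed; if the status line is not 401, the publishing rule is not forwarding the request to the AD RMS licensing pipeline.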
1. Double-click setup.exe from the Microsoft Office 2007 Enterprise product CD.
2. Click Customize as the installation type, set the installation type to Not Available for all applications except Microsoft Office
Word 2007 Enterprise, and then click Install Now. This might take several minutes to complete.
Important:
Only the Ultimate, Professional Plus, and Enterprise editions of Microsoft Office 2007 allow you to create rights-protected content.
All editions will allow you to consume rights-protected content.
A USB flash drive is not required in this scenario. Any means of getting the document to the extranet client computer will work,
such as attaching the document to an e-mail message and sending it to Stuart. In that example, Stuart would then open the
document contained in the e-mail message on the extranet client computer.
Use the following steps to restrict permissions on a Microsoft Word document:
To restrict permissions on a Microsoft Word document
Finally, open the document, ADRMS-TST.docx, on ADRMS-EXCLNT from the USB flash drive.
To view a protected document
1. Log on to ADRMS-EXCLNT with the local user account that you want to use for consuming the rights-protected document.
Caution:
Once this document has been consumed, any other user who logs on to the computer with the same user account will also be
able to consume the document.
2. Insert the USB flash drive, and then double-click the ADRMS-TST.docx file.
3. In the User name box, type cpandl\srailson. In the Password box, type the password for Stuart Railson, and then click OK.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to
https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permissions."
4. Click OK.
The following message appears: "You are attempting to send information to an Internet site (https://adrms-
srv.cpandl.com) that is not in your Local, Intranet, or Trusted zones. This could pose a security risk. Do you want to
send the information anyway?"
5. Click Yes.
The following message appears: "Verifying your credentials for opening content with restricted permissions".
6. When the document opens, click the Microsoft Office Button. Notice that the Print option is not available.
7. Click View Permission in the message bar. You can see that srailson@cpandl.com (Stuart Railson) has been restricted so
that he can only read the document.
8. Click OK to close the My Permissions dialog box, and then close Microsoft Word.
You have successfully deployed and demonstrated the functionality of AD RMS in an extranet, using the
simple scenario of applying restricted permissions to a Microsoft Word 2007 document. You can also use
this deployment to explore some of the additional capabilities of AD RMS through additional configuration
and testing.
Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide
Windows SharePoint Services 3.0 does not have the Microsoft Office protector files that are required to automatically rights-
protect a document when it is uploaded. You must use Office SharePoint Server 2007 to do this.
This guide assumes that you previously completed the Active Directory Rights Management Services
Step-by-Step Guide, and that you have already deployed the following components:
One Active Directory domain controller
An AD RMS server
An AD RMS database server
An AD RMS-enabled client
In this guide, you will create a test deployment that includes an Office SharePoint Server 2007 server.
Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting them to an
Office SharePoint Server 2007 site so that they can be accessed over the corporate network. The goal of
integrating an Office SharePoint Server 2007 deployment with an AD RMS infrastructure is to be able to
protect documents that are downloaded from the Office SharePoint Server 2007 server by users of any
given organization.
Note:
Integrating Office SharePoint Server 2007 with AD RMS does not protect the documents while they are on the server. When a
document is uploaded to an Office SharePoint Server 2007 site, the server removes all protection until a download request is
received by the Office SharePoint Server 2007 server. At this time, the Office SharePoint Server 2007 server applies the
appropriate restrictions to the document before it is downloaded to the client computer.
Computer name   Operating system                                 Applications and services
CPANDL-DC       Windows Server 2003 with Service Pack 1 (SP1)    Active Directory, Domain Name System (DNS)
ADRMS-DB        Windows Server 2003 with SP1                     Microsoft SQL Server 2005 with Service Pack 2 (SP2)
SPS-SRV         Windows Server 2003 R2 Standard Edition          Office SharePoint Server 2007
                (Windows Server 2003 R2 must be used if federated identity support with Office SharePoint Server 2007 is required; otherwise Windows Server 2003 with SP1 can be used)
Before installing and configuring the components in this guide, you should verify that your hardware meets the minimum
requirements for AD RMS (http://go.microsoft.com/fwlink/?LinkId=84733 [http://go.microsoft.com/fwlink/?LinkId=84733] ).
The computers form a private intranet and are connected through a common hub or Layer 2 switch. This
configuration can be emulated in a virtual server environment if desired. This step-by-step exercise uses
private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for
the intranet. The domain controller is named CPANDL-DC for the domain named cpandl.com. The
following figure shows the configuration of the test environment:
To prepare your AD RMS test environment in the CPANDL domain, you must complete the following
tasks:
Configure the Office SharePoint Server (SPS-SRV) (http://technet2.microsoft.com/WindowsServer2008/en/library/fb957cea-e436-4bf3-9dbc-375f9fbf911b1033.mspx#BKMK_S1)
Install Office SharePoint Server 2007 (http://technet2.microsoft.com/WindowsServer2008/en/library/fb957cea-e436-4bf3-9dbc-375f9fbf911b1033.mspx#BKMK_S2)
Use the following table as a reference when setting up the appropriate computer name, operating
system, and network settings that are required to complete the steps in this guide.
Important:
Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your computers still has Internet connectivity. You should also install any available critical security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).
Computer name   Operating system requirement                        IP settings                    DNS settings
SPS-SRV         Windows Server 2003 R2 with Service Pack 2 (SP2)    IP address: 10.0.0.6           Preferred DNS server: 10.0.0.1
                                                                    Subnet mask: 255.255.255.0
Important:
In order to use Active Directory Federation Services (AD FS) with Office SharePoint Server 2007, you must install Windows
Server 2003 R2 with Service Pack 2 (SP2).
1. Start your computer by using the Windows Server 2003 R2 Standard Edition product CD.
4. Follow the rest of the instructions that appear on your screen to finish the installation.
Next, configure TCP/IP properties so that SPS-SRV has a static IP address of 10.0.0.6. In addition,
configure the Domain Name System (DNS) Server service by using the IP address of CPANDL-DC
(10.0.0.1).
To configure TCP/IP Properties
1. Log on to SPS-SRV with the SPS-SRV\Administrator account or another user account in the local
Administrators group.
2. Click Start, point to Control Panel, point to Network Connections, double-click Local Area
Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. Select the Use the following IP address option. In the IP address box, type 10.0.0.6. In Subnet
mask box, type 255.255.255.0.
5. Select the Use the following DNS server addresses option. In the Preferred DNS server box,
type 10.0.0.1.
6. Click OK, and then click OK to close the Local Area Connection Properties dialog box. Close the
Local Area Connection Status dialog box.
3. In the Computer Name Changes dialog box, click Domain, and then type cpandl.com.
4. Click More, and type cpandl.com in Primary DNS suffix of this computer box.
5. Click OK twice.
6. When a Computer Name Changes dialog box appears prompting you for administrative
credentials, provide the credentials for CPANDL\Administrator, and then click OK.
7. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain,
click OK.
8. When a Computer Name Changes dialog box appears telling you that the computer must be
restarted, click OK, and then click Close.
Office SharePoint Server 2007 uses the Application Server role, which contains IIS and ASP.NET, to host
Office SharePoint Server 2007 document libraries. To install the Application Server role, you must
complete the following steps:
1. Click Start, point to All Programs, point to Administrative Tools, and then click Manage Your
Server.
3. On the Preliminary Steps page of the Configure your Server Wizard, click Next.
5. Select the Enable ASP.NET check box, and then click Next twice.
Note:
You will be asked for the Windows Server 2003 product CD in order to complete the installation of
the Application Server role.
2. Double-click dotnetfx3setup.exe, and then click Run in the Open File - Security Warning
dialog box.
3. Click the I have read and ACCEPT the terms of the License Agreement option, and then click
Install.
1. Double-click setup.exe from the Office SharePoint Server 2007 product CD.
3. Select the I accept the terms of this agreement check box, and then click Continue.
4. Click Basic.
5. After installation has completed, select the Run the SharePoint Products and Technologies
Configuration Wizard now check box, and then click Close. The installation might take 10
minutes to complete.
6. On the Welcome to the SharePoint Products and Technologies page, click Next. Click Yes in
the message confirming that the SharePoint services should be restarted. Office SharePoint Server
2007 will also be configured at this time.
Next, give Nicole Holliday and Stuart Railson access to the SharePoint site so that the Office SharePoint
Server 2007 integration with AD RMS can be verified later in this guide:
To add Nicole Holliday and Stuart Railson to the SharePoint site
1. Click Start, point to All Programs, and then click Internet Explorer.
2. Type http://SPS-SRV in the address bar, and then click Go. This will open the default Office SharePoint Server 2007 site that
was created during installation.
3. Click Site Actions, point to Site Settings, and then click People and Groups.
4. Click New, and then click Add Users.
5. Type nhollida@cpandl.com;srailson@cpandl.com in the Users/Groups box, and then click OK. A list of users who have
permission to use the SharePoint site is displayed.
Next, add the Office SharePoint Server 2007 server and AD RMS Service Group to the AD RMS cluster
server certification pipeline.
Important:
By default, the AD RMS cluster server certification pipeline ACL is configured to allow only the local System account. You must
add the permissions in order for Office SharePoint Server 2007 to integrate with AD RMS.
To add SPS-SRV to the AD RMS Certification Pipeline
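The guide's click-through steps for this procedure are not reproduced on this page. The following PowerShell is an added example written for this page, not code from the TechNet guide: it grants SPS-SRV and the AD RMS Service Group the Read & Execute permission on the server certification pipeline and then lists the explicit entries on the file so the change can be verified. It assumes the standard AD RMS file layout, in which the pipeline is the ServerCertification.asmx file under %systemdrive%\inetpub\wwwroot\_wmcs\certification, the SharePoint server's computer account CPANDL\SPS-SRV$, and the local group named AD RMS Service Group that the AD RMS installation creates on ADRMS-SRV; run it on ADRMS-SRV as CPANDL\ADRMSADMIN.

```powershell
# Added example (not part of the TechNet guide): open the AD RMS server certification
# pipeline to the SharePoint server and the AD RMS Service Group, then show the ACL.
# Assumed: standard AD RMS layout for the pipeline file, computer account
# CPANDL\SPS-SRV$, local group "AD RMS Service Group". Run on ADRMS-SRV as an admin.

$PipelineFile = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx'

function Grant-AdrmsCertificationPipeline {
    param(
        # Computer account of the SharePoint server (note the trailing $) and the
        # local group that the AD RMS application pool identity belongs to.
        [string[]]$Identity = @('CPANDL\SPS-SRV$', 'AD RMS Service Group')
    )
    if (-not (Test-Path $PipelineFile)) { throw "Pipeline file not found: $PipelineFile" }
    $acl = Get-Acl -Path $PipelineFile
    foreach ($id in $Identity) {
        # Read & Execute on this single .asmx file only; nothing else under _wmcs is
        # opened up, and the default System-only ACL is extended rather than replaced.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'ReadAndExecute', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $PipelineFile -AclObject $acl
}

function Get-AdrmsCertificationPipelineAccess {
    # Explicit (non-inherited) entries only: these are the grants that matter for the
    # pipeline, and the list should contain SYSTEM plus the two identities added above.
    (Get-Acl -Path $PipelineFile).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Grant-AdrmsCertificationPipeline
Get-AdrmsCertificationPipelineAccess
```

Granting on the file rather than on the certification folder keeps the ACL at the minimum that Office SharePoint Server 2007 needs to obtain its rights account certificate from the cluster.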
Once the certification pipeline ACL allows SPS-SRV to communicate with the AD RMS cluster, you must
configure Office SharePoint Server 2007 to use the AD RMS cluster:
To enable Information Rights Management in Office SharePoint Server 2007
Create an Office SharePoint Server 2007 permission policy on the default document library. This
permission policy will be used to restrict the ability to print any documents that are uploaded to the
document library:
To restrict permissions using AD RMS
1. Log on as cpandl\Administrator.
2. Click Start, point to All Programs, and then click Internet Explorer.
3. Type http://SPS-SRV in the address bar, and then click Go.
4. Click Document Center, click Documents, click Settings, and then click Document Library Settings.
5. Under the Permissions and Management heading, click Information Rights Management.
6. Select the Restrict permission to documents in this library on download check box.
7. Type CPANDL Protected in the Permissions policy title box.
8. Type Restrict CPANDL employees from printing in the Permission policy description box.
9. Click OK.
Note:
Office SharePoint Server 2007 will automatically apply AD RMS rights to the document when it is downloaded from the Office
SharePoint Server 2007 site. These rights are determined by the Office SharePoint Server 2007 group membership for that site. For
example, a user who is in the Visitors Office SharePoint Server 2007 group will not be able to modify the document when it is
downloaded from the Office SharePoint Server 2007 site.
Next, log on as Nicole Holliday, create a Microsoft Word 2007 document, and upload it to the Office
SharePoint Server 2007 site.
To create and upload a Microsoft Word document for testing
1. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
2. Type This document is read-only. You cannot print it. in the new document, click the Microsoft Office Button, click Save
As, and then save the file as ADRMS-TST.docx to a location on ADRMS-CLNT. This document will be uploaded to the
Office SharePoint Server 2007 document library.
Note:
Since Nicole Holliday is the author of this document, she will have full rights to the document, regardless of the AD RMS
rights that are applied to it.
You have successfully deployed, integrated, and demonstrated the functionality of AD RMS and Office
SharePoint Server 2007, using the simple scenario of uploading a Microsoft Office Word 2007 document
to an Office SharePoint Server 2007 site. You can also use this deployment to explore some of the
additional capabilities of AD RMS through additional configuration and testing.
Computer name   Operating system                                    Applications and services
ADRMS-DB        Windows Server 2003 with SP1                        Microsoft SQL Server 2005 Standard Edition
SPS-SRV         Windows Server 2003 R2 with Service Pack 2 (SP2)    AD FS claims-aware agent, Office
Windows Server 2003 R2 with SP2 is required for AD FS and Office SharePoint Server 2007 to work together. To download Windows Server 2003 SP2, see http://go.microsoft.com/fwlink/?LinkId=98598.
First, add the claims-aware applications Windows component. This component is the AD FS Web Agent for
claims-aware applications; it is required for AD FS, and it processes the security tokens issued by the AD FS
federation servers so that the Web application can consume the claims they contain.
To add the claims-aware applications Windows component
1. Log on to SPS-SRV as cpandl\administrator or another user account in the local Administrators group.
2. Click Start, point to Control Panel, click Add or Remove Programs, and then click Add/Remove Windows Components.
3. Click Active Directory Services, and then click Details.
4. Click Active Directory Federation Services (ADFS), and then click Details.
5. Click ADFS Web Agents, and then click Details.
6. Select the Claims-aware applications check box, and then click OK three times.
7. Click Next.
Note:
You will be asked for the Windows Server 2003 R2 product CD in order to complete the installation of the claims-aware
applications Windows component.
Next, add a DNS host (A) record in the CPANDL.COM domain so that federated users in the
TREYRESEARCH.NET domain can access the Office SharePoint Server 2007 Web site.
To create a DNS host name record for the external Office SharePoint Server 2007 Web site
1. Log on to CPANDL-DC as cpandl\administrator or another user account in the local Administrators group.
2. Click Start, point to Administrative Tools, and then click DNS.
3. Expand Forward Lookup Zones, right-click the cpandl.com zone, and then click New Host (A).
4. In the Name box, type external-sps.
5. In the IP Address box, type 10.0.0.6, and then click Add Host.
6. Click OK, confirming that the host record was successfully created.
7. Click Done.
Finally, add the external SharePoint Web site as a claims-aware Windows application on ADFS-RESOURCE.
This must be done before the federated user is added to the document library.
To add the external SharePoint Web site as a claims-aware Windows application on ADFS-RESOURCE
1. Log on to ADFS-RESOURCE as cpandl\adfsadmin or another user account in the local Administrators group.
2. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click
Continue.
4. Expand Federation Services, expand Trust Policy, and then expand My Organization.
5. Right-click Applications, point to New, and then click Application.
6. On the Welcome to the Add Application Wizard, click Next.
7. Select the Claims-aware application option, and then click Next.
8. In the Application display name box, type External SharePoint Web site.
9. In the Application URL box, type https://external-sps.cpandl.com, and then click Next.
10. Select the E-mail check box, and then click Next.
11. Select the Enable this application check box, and then click Next.
12. Click Finish.
Before proceeding with this appendix, verify that the internal Web site was correctly extended. To do this,
open the Alternate Access Mappings and ensure that external-sps.cpandl.com is available.
To verify that the external Web site is available
Next, add an SSL certificate to the external-sps.cpandl.com Web site by using IIS. AD FS requires an SSL
connection for all claims-aware Windows applications.
To add an SSL certificate to the external Office SharePoint 2007 Web site
1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand Web Sites, right-click External Users Web site, and then click Properties.
3. Click Directory Security, and then click Server Certificate.
4. On the Welcome to the Web Server Certificate Wizard page, click Next.
5. Choose whether to import an existing certificate file or request a new certificate. The certificate must be issued to
external-sps.cpandl.com and must chain to a certification authority that the client computers and the AD FS servers trust;
otherwise the browser and the AD FS Web Agent will reject the SSL connection.
6. After the certificate is imported, close the External Users Web site properties sheet.
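The DNS record and the SSL binding above are the two things that most often break a claims-aware site, so the following Windows PowerShell script checks both from a domain-joined computer such as ADRMS-CLNT. It is an added example and not part of this guide. It assumes Windows PowerShell 2.0 or later, the host name and address from the DNS procedure (external-sps.cpandl.com, 10.0.0.6) and the Federation Service endpoint used later in this appendix (https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx); the function names Test-HostRecord and Test-SslSite are the script's own.

```powershell
# Added example (not from the Microsoft guide): pre-flight checks for the external
# SharePoint site and the AD FS federation server before Web SSO is configured.
# Assumptions taken from the procedures in this appendix:
#   external-sps.cpandl.com -> 10.0.0.6 (A record in cpandl.com)
#   federation server: adfs-resource.cpandl.com, endpoint /adfs/fs/federationserverservice.asmx
# Requires Windows PowerShell 2.0 or later (try/catch).

$ExpectedIp   = '10.0.0.6'
$ExternalHost = 'external-sps.cpandl.com'
$FsHost       = 'adfs-resource.cpandl.com'
$FsEndpoint   = "https://$FsHost/adfs/fs/federationserverservice.asmx"

# 1. Host record: the name must resolve to the address typed in the DNS console.
#    Clients that cannot resolve it never reach the claims-aware site.
function Test-HostRecord([string]$HostName, [string]$ExpectedAddress) {
    $found = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() }
    if ($found -notcontains $ExpectedAddress) {
        throw "$HostName resolves to [$($found -join ', ')] instead of $ExpectedAddress"
    }
    Write-Host "DNS OK  $HostName -> $ExpectedAddress"
}

# 2. SSL binding: AD FS requires HTTPS for claims-aware applications, and both the
#    browser and the AD FS Web Agent validate the chain and the subject name.
#    .NET performs that validation here; the callback is deliberately not overridden,
#    so the script fails in the same cases a browser would.
function Test-SslSite([string]$Url, [string]$ExpectedSubjectHost) {
    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.UseDefaultCredentials = $true   # the site may still answer 401 (Windows auth)
    $request.AllowAutoRedirect = $false
    $request.Timeout = 15000
    $status = $null
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            throw "SSL validation failed for $Url - wrong subject name or untrusted issuer ($($ex.Message))"
        }
        if ($ex.Response -eq $null) { throw }   # connection refused, timeout, etc.
        $status = [int]$ex.Response.StatusCode  # 401/403/404 still prove the handshake succeeded
    }
    $raw = $request.ServicePoint.Certificate
    if ($raw -eq $null) { throw "No server certificate recorded for $Url" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $raw
    # DnsName returns the first subject alternative name, or the CN if there is none.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $ExpectedSubjectHost) {
        throw "Certificate on $Url is issued to '$dnsName', not '$ExpectedSubjectHost'"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate on $Url expires $($cert.NotAfter); renew it before then"
    }
    Write-Host "SSL OK  $Url (HTTP $status, subject $dnsName, issuer $($cert.Issuer), expires $($cert.NotAfter))"
}

Test-HostRecord $ExternalHost $ExpectedIp
Test-SslSite "https://$ExternalHost/" $ExternalHost
Test-SslSite $FsEndpoint $FsHost
```

Run the script after the certificate has been installed on the External Users Web site. A 401 response from the SharePoint site is expected at this stage, because the Extranet zone is still using Windows authentication, and the script treats it as proof that the SSL handshake and certificate validation succeeded. Do not "fix" a failure by installing a ServerCertificateValidationCallback that returns true; the purpose of the check is to surface the same error the browser and the AD FS Web Agent will report.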
Next, configure the authentication provider on the external Web site to use Web Single Sign On (SSO).
To configure the authentication provider of the Extranet Web application to use Web SSO
1. Click Start, point to Administrative Tools, click SharePoint 3.0 Central Administration, and then click
Application Management.
2. Under the Application Security heading, click Authentication providers.
3. In the Web application box, click Change Web Application, and then click SharePoint - 80.
4. Click Extranet.
5. For Authentication Type, select the Web single sign on option.
6. In the Membership provider name box, type SingleSignOnMembershipProvider2.
7. In the Role manager name box, type SingleSignOnRoleProvider2.
8. For Enable client integration, select the No option, and then click Save.
Next, configure the internal Web application to accept claims from the external Web site by editing the
web.config file for the internal Web site:
To configure the internal Web site to accept claims from the external Web site
1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\80.
2. Right-click web.config, and then click Open.
3. Select the Select the program from a list option, click Notepad, clear the Always use the selected program to open this
kind of file check box, and then click OK.
4. Add the following text under the line that reads <authentication mode="Windows" />:
   <membership>
     <providers>
       <add name="SingleSignOnMembershipProvider2"
            type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
            fs="https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx" />
     </providers>
   </membership>
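Hand-editing web.config in Notepad is error-prone, and a malformed file takes the whole Web application offline. The following Windows PowerShell script is an added example, not part of this guide, that makes the same change from the command line: it backs up the file, refuses to continue unless <authentication mode="Windows" /> is present under <system.web>, and adds the provider only if it is not already there, so it can be rerun safely. It assumes Windows PowerShell 2.0 or later on SPS-SRV, the web.config path from step 1, and the provider name, type and fs values from the fragment above; Get-OrAddChild is the script's own helper, and the same pattern serves for the entries that must be added to the external site's web.config later in this appendix.

```powershell
# Added example (not from the Microsoft guide): add the AD FS membership provider to the
# internal SharePoint site's web.config idempotently, with a backup.
# Assumptions: the path below is the one from step 1 of the procedure above; the name,
# type and fs values are copied from the guide's fragment; run as an administrator on SPS-SRV.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config',
    [string]$FsUrl = 'https://adfs-resource.cpandl.com/adfs/fs/federationserverservice.asmx'
)

$ProviderName = 'SingleSignOnMembershipProvider2'
$ProviderType = 'System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, ' +
                'System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, ' +
                'Culture=neutral, PublicKeyToken=31bf3856ad364e35'

# Returns the named child of $Parent, creating it (after $InsertAfter, or at the end) if missing.
function Get-OrAddChild([System.Xml.XmlNode]$Parent, [string]$Name, [System.Xml.XmlNode]$InsertAfter) {
    $child = $Parent.SelectSingleNode($Name)
    if ($child -ne $null) { return $child }
    $child = $Parent.OwnerDocument.CreateElement($Name)
    if ($InsertAfter -ne $null) { [void]$Parent.InsertAfter($child, $InsertAfter) }
    else                        { [void]$Parent.AppendChild($child) }
    return $child
}

# Keep a timestamped copy first; a broken web.config stops the Web application.
$backup = "$WebConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $WebConfigPath -Destination $backup

# Load without PreserveWhitespace so that Save() re-indents the whole file consistently.
$xml = New-Object System.Xml.XmlDocument
$xml.Load($WebConfigPath)

$systemWeb = $xml.SelectSingleNode('/configuration/system.web')
if ($systemWeb -eq $null) { throw "No <system.web> section found in $WebConfigPath" }

# The guide anchors the new section on the Windows authentication line; insist that it is there.
$auth = $systemWeb.SelectSingleNode('authentication')
if ($auth -eq $null -or $auth.GetAttribute('mode') -ne 'Windows') {
    throw 'Expected <authentication mode="Windows" /> under <system.web>; refusing to edit.'
}

$membership = Get-OrAddChild $systemWeb 'membership' $auth     # directly after <authentication>
$providers  = Get-OrAddChild $membership 'providers' $null
$existing   = $providers.SelectSingleNode("add[@name='$ProviderName']")

if ($existing -ne $null) {
    Write-Host "Provider $ProviderName is already present in $WebConfigPath; nothing to do."
} else {
    $add = $xml.CreateElement('add')
    $add.SetAttribute('name', $ProviderName)
    $add.SetAttribute('type', $ProviderType)
    $add.SetAttribute('fs',   $FsUrl)
    [void]$providers.AppendChild($add)
    $xml.Save($WebConfigPath)
    Write-Host "Added $ProviderName to $WebConfigPath (backup: $backup)"
}
```

Saving web.config causes ASP.NET to recycle the application domain, so expect the first request to the internal site afterwards to be slow. If the site then fails to start, restore the timestamped backup and compare the two files.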
1. Click Start, point to All Programs, and then click Internet Explorer.
2. Type http://SPS-SRV in the address bar, and then click Go. This will open the default Office SharePoint Server 2007 site that
was created during installation.
3. Click Site Actions, point to Site Settings, and then click People and Groups.
4. Click New, and then click Add Users.
5. In the Users/Groups box, type tphilip@treyresearch.net, and then click OK.
Important:
If the internal SharePoint Web site is not able to resolve Terence Philip using the procedure above, you should ensure all of the
previous steps were completed correctly before continuing through the rest of this appendix.
Next, edit the web.config file on the external Web site. Several entries must be made to this file, so each
individual entry is described in its own procedure.
To add a new entry in the <configSections> node
1. Navigate to C:\inetpub\wwwroot\wss\VirtualDirectories\external-sps.cpandl.com443.
2. Right-click web.config, and then click Open.
3. Select the Select the program from a list option, click Notepad, clear the Always use the selected program to open this
kind of file check box, and then click OK.
4. Add the following text in the <configSections> node: