640 Part V: Identity and Access Management with Active Directory Implementing AD LDS AD LDS is implemented in Windows Server 2008 as a server role To install the server role, use Server Manager to add the role To install the server role on a Windows Server 2008 computer running Server Core, run the start /w ocsetup DirectoryServices-ADAM-ServerCore command During the role installation, you not need to make any installation decisions other than choosing to install the role In order to install AD LDS, your user account must be a member of the local Administrators group Configuring Instances and Application Partitions After installing the AD LDS server role, you use the Active Directory Lightweight Directory Services Setup Wizard to create AD LDS service instances Multiple instances of AD LDS can run simultaneously on the same computer Each instance of the AD LDS directory service has a separate directory data store, a unique service name, and a unique service description that is assigned during installation When you run the wizard, you also have the option of creating an application directory partition To create a new AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard, complete the following steps: Start the Active Directory Lightweight Directory Services Setup Wizard You can start the wizard from the Administrative Tools menu or from Server Manager On the Welcome page, click Next On the Setup Options page, you have a choice of creating a new instance or creating a replica of an existing instance, as shown in Figure 16-4 Click A Unique Instance and then click Next Figure 16-4 Creating an AD LDS instance Chapter 16: Active Directory Lightweight Directory Services 641 On the Instance Name page, provide a name for the AD LDS instance that you are installing The name that you choose must meet the following requirements: ❑ It must be different from other ADAM instances running on the same computer ❑ It must be no longer than 44 characters ❑ It must use characters only from the ranges of a through z, A through Z, or through ❑ The name ntds cannot be used On the Ports page, specify the communications ports that the AD LDS instance uses to communicate AD LDS can communicate using both LDAP and Secure Sockets Layer (SSL) Note If you install AD LDS on a computer where either of the default ports is in use, the Active Directory Lightweight Directory Services Setup Wizard automatically locates the first available port, starting at 50000 If you install AD LDS on an AD DS domain controller, you cannot use ports 389 and 636, or ports 3268 and 3269 on global catalog servers, as these ports are used for AD DS domain controller and global catalog lookups On the Application Directory Partition page, you can create an application directory partition during the AD LDS installation, as shown in Figure 16-5 If you not install an application directory partition now, you must create an application directory partition manually after installation When you create the application partition, you must provide a fully qualified partition name Figure 16-5 You can create an application directory partition when creating an AD LDS instance 642 Part V: Identity and Access Management with Active Directory On the File Locations page, you can view and change the installation directories for AD LDS data and recovery (log) files By default, AD LDS data and recovery files are installed in %ProgramFiles%\Microsoft ADAM\instancename\data, where instancename represents the AD LDS instance name that you specified on the Instance Name page On the Service Account Selection page, select an account to be used as the service account for AD LDS The account that you select determines the security context in which the AD LDS instance runs The Active Directory Lightweight Directory Services Setup Wizard defaults to the Network Service account Note If you are installing AD LDS on a computer that is a member of a Windows Server 2000 or later domain, you can use the Network Service account even if you plan to implement replication If you are deploying AD LDS on a computer that is a member of a workgroup, or you want to enable replication between AD LDS computers in different untrusted domains, you will need to use the identical user account on all computers as the AD LDS service account On the AD LDS Administrators page, select a user or group to become the default administrator for the AD LDS instance The user or group that you select will have full administrative control of the AD LDS instance By default, the Active Directory Lightweight Directory Services Setup Wizard specifies the currently logged-on user You can change this selection to any local or domain account or group on your network 10 On the Importing LDIF Files page, you can import schema ldf files into the AD LDS instance, as shown in Figure 16-6 Figure 16-6 By adding ldf files, you modify the AD LDS schema 11 On the Ready To Install page, review your installation selections After you click Next, the Active Directory Lightweight Directory Services Setup Wizard copies files and sets up AD LDS on your computer Chapter 16: Active Directory Lightweight Directory Services 643 Note If an error occurs in the Active Directory Lightweight Directory Services Setup Wizard before the Summary page, you can review the error message that appears In addition, you can view the adamsetup.log file and the adamsetup_loader.log files in the %windir%\debug folder for information on why the installation failed Note To remove an AD LDS instance, access the Programs And Features console in the Control Panel All AD LDS instances are listed as installed programs, and you can uninstall the instance just like any other program AD LDS Management Tools In most cases, after you install an AD LDS instance, you will install the application that will use the instance (in fact, the application may install AD LDS and configure the instance for you) However, you can also manage AD LDS instances by using the administration tools provided with AD LDS Using the ADSI Edit Tool ADSI Edit is a Microsoft Management Console (MMC) snap-in for general administration of AD LDS It is installed as part of the AD LDS and AD DS server roles To use ADSI Edit to administer an AD LDS instance, you must first connect to the instance When you open ADSI Edit for the first time, it is not connected to any directory To connect to a directory, on the Action menu, click Connect To On the Connection Settings screen, shown in Figure 16-7, you must provide the following information: ■ A name for this connection If you choose one of the well-known naming contexts, this name is filled in for you ■ A connection point This can be a well-known naming context like the configuration or schema partitions, the rootDSE object, or the Default naming context (which only applies to AD DS domains or application directory partitions) If you want to connect to an application directory partition, you must enter the distinguished name of the application directory partition ■ The server to which you are connecting If you are using a port other than the standard LDAP ports, you must also provide the port number for the connection 644 Part V: Identity and Access Management with Active Directory Figure 16-7 Connecting to an AD LDS instance by using ADSI Edit Using the Ldp.exe Tool Ldp.exe is a tool that can be used to administer any LDAP directory service To use Ldp.exe to administer an AD LDS instance, you must connect and bind to the instance and then display the hierarchy (tree) of a distinguished name of the instance: To connect to an instance using LDP, open a command prompt and type Ldp.exe and then press Enter On the Connection menu, click Connect Provide the server name and the port used for the AD LDS instance and choose whether or not to use SSL After connecting to the instance, you need to provide your credentials by binding to the instance On the Connection menu, click Bind ❑ To bind using the credentials that you logged on with, click Bind As Currently Logged-on User ❑ To bind using a domain user account, click Bind With Credentials; then type the user name, password, and domain name (or the computer name if you are using a local workstation account) of the account that you are using ❑ To bind using just a user name and password, click Simple Bind and type the user name and password of the account that you are using ❑ To bind using an advanced method (NTLM, Distributed Password Authentication (DPA), Negotiate, or Digest), click Advanced DIGEST Then click Advanced, and in the Bind Options dialog box, select the desired method and set other options as needed Chapter 16: Active Directory Lightweight Directory Services 645 After you have been authenticated, on the View menu, click Tree Type or select the distinguished name for the directory partition that you want to connect to To view information about the objects in the directory partition, click the object in the left pane Detailed information about the object is displayed in the right pane, as shown in Figure 16-8 Figure 16-8 You can view details of all objects in AD LDS with Ldp.exe To edit the object, right-click the object and select one of options for modifying the object or adding child objects More Info For details on how to use ADSI Edit and Ldp.exe to manage AD LDS objects such as OUs, user, and group accounts, see the article titled “Working with Authentication and Access Control” in the AD LDS online help, or see the article “Stepby-Step Guide for Getting Started with Active Directory Lightweight Directory Services,” located at http://technet2.microsoft.com/windowsserver2008/en/library/141900a7445c-4bd3-9ce3-5ff53d70d10a1033.mspx?mfr=true Using the Dsdbutil Tool Dsdbutil is a directory service management tool that provides much of the same functionality as Ntdsutil does for AD DS With Dsdbutil, you can: ■ Backup and perform authoritative restores of AD LDS data ■ Move the AD LDS data files ■ Change the AD LDS service account and port numbers ■ List all of the AD LDS instances running on a server 646 Part V: Identity and Access Management with Active Directory To use Dsdbutil, start the utility from a command prompt Then connect to a specific instance by typing Activate Instance instancename To see all of the commands available in Dsdbutil, type Help Like Ntdsutil, Dsdbutil also provides context sensitive help, so typing Help at any command prompt will display all of the options available in that context Note If you add the MS-ADLDS-DisplaySpecifiers.ldf file, you can use the Active Directory Sites And Services snap-in to manage AD LDS sites To connect to an AD LDS instance, you must provide the server name and port number Configuring Access Control In AD LDS, each directory object has an access control list (ACLs) that determines which users have access to that object By default, ACLs are assigned only at the top of each directory partition All objects in a given directory partition inherit these ACLs If your application required specific permissions to be assigned at different levels in the directory structure, you can use tools such as Dsacls and Ldp.exe to view and assign permissions Dsacls is a command-line tool that can be used to view and modify permissions in a directory like AD LDS Dsacls uses the following syntax The syntax is described in Table 16-9 dsacls object [/a] [/d {user | group}:permissions [ ]] [/g {user | group}:permissions [ ]] [/i:{p | s | t}] [/n] [/p:{y | n}] [/r {user | group} [ ]] [/s [/t]] Table 16-9 Dsacls Syntax Parameter Description object This is the path to the directory services object on which to display or change the ACLs You need to use the full LDAP name, for example: CN=AppData,OU=Software,CN=App1,DC=AdatumApps To specify a server, add \\Servername:portnumber\ before the object For example: \\SEA-SVR1:3389\ CN=AppData,OU=Software,CN=App1,DC=AdatumApps /a Displays the auditing information as well as the permissions and ownership information /d {user | group}:permissions: Denies the specified permissions to a user or group /g {user | group}:permissions: Grants the specified permissions to a user or group /i:{p | s | t} : Specifies one of the following inheritance flags: ■ s: Use this option to propagate inheritable permissions to subobjects only ■ /n: p: Use this option to propagate inheritable permissions one level only ■ t: Use this option to propagate inheritable permissions to this object and subobjects Replaces the current access on the object instead of editing it Chapter 16: Active Directory Lightweight Directory Services 647 Table 16-9 Dsacls Syntax (continued) Parameter Description /p:{y | n}: This parameter determines whether or not the object can inherit permissions from its parent objects If you omit this parameter, the inheritance properties of the object are not changed /r {user | group}: Remove all permissions for the specified user or group /s: Restore the security on the object to the default security for that object class /t: Use this parameter to restore the security on the tree of objects to the default for each object class This switch is valid only when you also use the /s parameter Dsacls uses permissions bits in the command to configure permissions on the object For example, dsacls provides the generic permissions: GR – Generic Read, GE – Generic Execute, GW – Generic Write, and GA – Generic All More Info For detailed information about how to use Dsacls to manage permissions in a directory, including details on the permission bit settings, see the Knowledge Base article “How to Use Dsacls.exe in Windows Server 2003 and Windows 2000,” located at http://support.microsoft.com/kb/281146 You can also type dsacls /? at the command line Table 16-10 describes some sample Dsacls commands Table 16-10 Sample Dsacls Commands Command Explanation dsacls \\SEA-SVR1:4389\O=App2, DC=Adatum,DC=com Displays the permissions assigned to the references application partition dsacls \\SEA-SVR1:4389\O=App2, DC=Adatum,DC=com /G “CN=Gregory Weber, OU=Users,O=App2, DC=Adatum,DC=com “:SD Grants the user Gregory Weber the special Delete permission on the object O=App2 dsacls “\\SEA-SVR1:4389\O=App2, DC=Adatum,DC=com” /D “CN=Alice Ciccu, OU=Users,O=App2, DC=Adatum, DC=com “:SDDCDT Denies the Delete, Delete Child, and Delete Tree permissions on the O=App2 object for the user Alice Ciccu You can also use Ldp.exe to configure permissions on AD LDS objects To configure permissions using LDP, complete the following steps: Open Ldp.exe and then connect and bind to an AD LDS instance On the View menu, click Tree View and then select the directory partition that you are connecting to Right-click the directory partition object for which you want to modify the permissions, click Advanced, and then click Security Descriptor The Security Descriptor dialog box displays all access control entries (ACEs) and their assigned access rights over the selected directory partition object 648 Part V: Identity and Access Management with Active Directory Click anywhere in the discretionary access control list (DACL) and then click Add ACE See Figure 16-9 Type the distinguished name of the user account and select the appropriate permissions You can also choose to allow or deny permissions and configure permission inheritance Figure 16-9 Configuring permissions by using Ldp.exe Configuring Replication Like AD DS, AD LDS uses replication to provide redundancy, geographic distribution, and load balancing for AD LDS instances As described earlier, AD LDS uses many of the same concepts and processes to implement replication as AD DS Creating AD LDS Replicas To configure AD LDS replication, you start by creating additional replicas of the AD LDS instance The replica can only be configured when you create the instance All AD LDS instances in a configuration set replicate a common configuration directory partition and a common schema directory partition, plus any number of application directory partitions To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight Directory Services Wizard to create a replica AD LDS instance You need to know the DNS name of the server running an AD LDS instance that belongs to the configuration set, as well as the LDAP port that was specified when the instance was created You can also supply the distinguished names of specific application directory partitions that you want to copy from the configuration set to the AD LDS instance that you are creating To create a replica AD LDS instance by using the Active Directory Lightweight Directory Services Setup Wizard, complete the following steps: Start the Active Directory Lightweight Directory Services Setup Wizard On the Welcome page, click Next On the Setup Options page, click A Replica Of An Existing Instance (see Figure 16-4) Chapter 16: Active Directory Lightweight Directory Services 649 On the Instance Name page, configure an instance name AD LDS instance names have to be unique on a given computer Also, the instance name can (but does not need to) match the instance name of other replicas On the Ports page, configure the port numbers for the instance These port numbers define the ports clients will use to connect to the server, so it is recommended but not required that you use the same ports as the existing instance On the Joining a Configuration Set page, provide the host name or DNS name of the computer where the first AD LDS instance is installed Then, type the LDAP port number in use by the first AD LDS instance This port number must match the port number configured on the existing instance On the Administrative Credentials for the Configuration Set page, click the account that is used as the AD LDS administrator for your first AD LDS instance On the Copy Application Directory Partition page, select the application directory partitions that you want to replicate to the new AD LDS instance See Figure 16-10 Figure 16-10 When creating an AD LDS replica, you can add application directory partitions to the replica Accept the default values on the remaining Active Directory Lightweight Directory Services Set Wizard pages by clicking Next on each page and then click Finish on the Completing The Active Directory Application Mode Setup Wizard page Note You can also install an AD LDS instance by using the Install From Media feature To this, back up a copy of the AD LDS data store on the source AD LDS server and restore the files to an alternate location that is accessible from the server where you are configuring a replica Then start the Active Directory Lightweight Directory Services Setup Wizard by typing %windir%\adam\adaminstall /adv at a command prompt When you start the wizard in advanced mode, you are given the choice of copying the application information from a restored copy of the data store Chapter 18: Active Directory Rights Management Services 711 Note You can view the machine certificate, RAC, and CLC in the following location on the user’s workstation: Windows XP/2003: %UserProfile%\Local Settings\Application Data\Microsoft\DRM Windows Vista/2008: %UserProfile%\AppData\Local\Microsoft\DRM After machine and client activation has take place, users can then apply rights-management policies to information or consume data that is already rights-protected Both of these tasks require specific types of certificates as described in Table 18-3 Table 18-3 AD RMS Licenses Used for Publishing or Consuming Data License Description Publishing license Issued by either a server in an AD RMS cluster or by (PL) a CLC through the lockbox The PL sets the policy (names principals, rights, and conditions) for acquiring a use license (UL) for rights-protected information Security Content Contains the symmetric keys used for decrypting the content, which is encrypted with the public key of the server that issued the license The PL also contains the URL of the AD RMS Licensing service Use license (UL) Issued only by a server in an AD RMS cluster, it grants an authorized user with valid RAC rights to consume rights-protected information based on policy established in the PL Contains the symmetric key for decrypting the content, which is encrypted with the public key of the user For the most part, machine and user enrollment and the publishing and use of rightsprotected information happen in the background with very little user interaction However, it is still important to understand the flow of the various processes Figure 18-2 provides an illustration of how AD RMS works when users publish or consume rights- protected information 712 Part V: Identity and Access Management with Active Directory AD RMS Root Cluster Database AD RMS Root Cluster Information Author Information User Figure 18-2 AD RMS publishing and usage workflow The author receives an RAC and a CLC from the AD RMS root cluster (or licensing-only cluster) the first time he or she tries to rights-protect information This is a one-time step that establishes the user’s AD RMS credential (which is the RAC) and enables offline publishing of rights-protected information (using the CLC) in the future Using an AD RMS-enabled application, an author creates a file and specifies a set of usage rights and conditions for that file A publishing license that contains the usage policies is then generated The application encrypts the file with a symmetric key, which is then encrypted by the public key of the author’s AD RMS cluster The key is inserted into the publishing license, and the publishing license is bound to the file Only the author’s AD RMS cluster can issue use licenses to decrypt this file If the author has used offline publishing, another copy of the symmetric key is encrypted by the public key of the author’s client licensor certificate and included in the publishing license The result of this additional encryption step is the creation of an owner license that allows the author to consume the content without licensing it from an AD RMS server The author distributes the file A recipient receives a rights-protected file through a regular distribution channel and opens it using an AD RMS–enabled application or browser If the recipient does not have an RAC on the current computer, this is the point at which one will be issued The application sends a request for a use license to the AD RMS cluster that issued the publishing license for the protected information The request includes the recipient’s account certificate (which contains the recipient’s public key) and the publishing license (which contains the symmetric key that encrypted the file) Chapter 18: Active Directory Rights Management Services 713 The AD RMS root cluster (or licensing-only cluster) confirms that the recipient is authorized, checks that the recipient is a named user, and creates a use license During this process, the server decrypts the symmetric key by using the private key of the server, re-encrypts the symmetric key by using the public key of the recipient, and then adds the encrypted symmetric key to the use license This step ensures that only the intended recipient can decrypt the symmetric key and thus decrypt the protected file The server also adds any relevant conditions to the use license, such as the expiration date or an application or operating system exclusion When the confirmation is complete, the AD RMS Root or licensing-only cluster server returns the use license to the recipient’s client computer After receiving the use license, the application examines both the license and the recipient’s account certificate to determine if any certificate in either chain of trust requires a revocation list If so, the application checks for a local copy of the revocation list that has not expired If necessary, it retrieves a current copy of the revocation list The application then applies any revocation conditions that are relevant in the current context If no revocation condition blocks access to the file, the application renders the data, and the user may exercise the rights he or she has been granted AD RMS Deployment Scenarios To meet specific organizational requirements, AD RMS can be deployed in a number of different scenarios Each of these scenarios offers unique considerations to ensure a secure and effective rights-management solution These are some possible deployment scenarios: ■ Providing AD RMS for the corporate intranet ■ Providing AD RMS to users over the Internet ■ Integrating AD RMS with Active Directory Federation Services Deploying AD RMS within the Corporate Intranet A typical AD RMS installation takes place in a single Active Directory Forest However, there may be other specific situations that require additional consideration For example, you may need to provide rights-management services to users throughout a large enterprise with multiple branch offices For scalability and performance reasons, you might choose to implement licensing-only clusters within these branch offices You may also have to deploy an AD RMS solution for an organization that has multiple Active Directory forests Since each forest can only contain a single root cluster, you will have to determine appropriate trust policies and AD RMS configuration between both forests This will effectively allow users from both forests to publish and consume rights-management content The configuration of trust policies for inter-forest or inter-organizational deployment scenarios is discussed in the section titled “Implementing AD RMS” later in this chapter 714 Part V: Identity and Access Management with Active Directory Deploying AD RMS to Users over the Internet Most organizations have to support a mobile computing workforce, which consists of users that connect to organizational resources from remote locations over the Internet To ensure that mobile users can perform rights-management tasks, you have to determine how to provide external access to the AD RMS infrastructure One method is to place a licensing-only server within your organization’s perimeter network This will allow external users to obtain use and publishing licenses for protecting or viewing information Another common solution is to use a reverse proxy server such as Microsoft Internet Security and Acceleration (ISA) Server 2006 to publish the extranet AD RMS cluster URL The ISA server will then handle all requests from the Internet to the AD RMS cluster and passes on the requests when necessary This is a more secure and effective method, so it is typically recommended over placing licensing servers within the perimeter network location Deploying AD RMS with Active Directory Federation Services Windows Server 2008 includes the Active Directory Federation Services (AD FS) server role, which is used to provide trusted inter-organizational access and collaboration scenarios between two organizations AD RMS can take advantage of the federated trust relationship as a basis for users from both organizations to obtain RAC, use, and publishing licenses In order to install AD RMS support for AD FS, you will need to have already deployed an AD FS solution within your environment This scenario is recommended if one organization has AD RMS and the other does not If both have AD RMS, trust policies are typically recommended More information about configuring AD FS support is discussed in the section titled “Federated Identity Support” later in this chapter Implementing AD RMS Regardless of which scenario you intend to use for rights-management services, you will always begin with the installation of the initial AD RMS root cluster After the root cluster is in place, you can then determine how to address specific requirements such as providing external access to the AD RMS environment This section describes how to deploy and configure AD RMS components to ensure an effective and secure rights-management solution Preinstallation Considerations Before Installing AD RMS During the installation process for the AD RMS server role, you will be asked to provide a number of configuration values that you should determine beforehand There are also several requirements that must be met in order for a successful implementation These points should be considered before installing AD RMS: ■ The AD RMS server role should be installed on a member server in the same Active Directory domain as the user accounts that will be participating in the rights-management solution It is possible to install AD RMS on a domain controller; however, you must Chapter 18: Active Directory Rights Management Services 715 add the AD RMS service account to the Domain Admins group, which may pose a security risk ■ You will need to create a domain user account that will be specified during installation as the AD RMS service account This account does not require any additional permission other than a standard user account ■ The user account that will be used to install the AD RMS server role must be a different account than the one specified as the AD RMS service account and must be able to query the Active Directory domain Also, if the AD RMS service connection point is to be registered during the installation, the user account that will be used to install AD RMS must be a member of the Active Directory Enterprise Admins group or equivalent ■ If an external database is being used for the AD RMS cluster, the user installing AD RMS must have the right to create new databases Also, if Microsoft SQL Server 2005 is used, the user account must be a member of the System Administrators database role ■ During installation, you will be asked to provide a URL for the AD RMS cluster Be sure to use a URL that is different than the computer name and one that will represent the entire AD RMS cluster You should also create a DNS alias (CNAME) record for the AD RMS cluster URL, as well as a separate CNAME record for the computer hosting the configuration database CNAMEs provide flexibility in the event that a hardware failure takes place or a computer’s name is changed ■ If you intend to secure communication to and from the AD RMS cluster using SSL, be sure to obtain the required SSL certificate from a trusted root certification authority You have an option to use a self-signed certificate; however, there are a number of limitations and this option is not recommended for a production environment Installing AD RMS Clusters The AD RMS server role is an option that is available with the Windows Server 2008 operating system You can use the Initial Configuration Tasks or Server Manager to install the role and configure the AD RMS root cluster You will need to be a member of the local Administrators group, or equivalent, in order to complete the installation The following is a high-level outline that describes the installation of an AD RMS cluster: Open the Server Manager (or use the Initial Configuration Tasks page), click the Roles node, and click Add Roles The Add Roles Wizard starts On the Select Server Roles page, select Active Directory Rights Management Services You are prompted to add additional required role services and features These include the Web Server (IIS) role service as well as the Windows Process Activation Service and Message Queuing features Figure 18-3 shows an illustration of the Add Roles Wizard with the appropriate roles selected 716 Part V: Identity and Access Management with Active Directory Figure 18-3 Selecting the Active Directory Rights Management Services and Web Server (IIS) roles On the Select Role Services page, you are provided the option to select the role services to install for Active Directory Rights Management Services There are two options: ❑ Active Directory Rights Management Server ❑ Identity Federation Support This is an optional role service that is used for This is the required role service that installs the AD RMS components required to publish and consume rightsprotected information providing rights-protected content integration with Active Directory Federation Services If you select this role service, you will also be prompted to add specific Active Directory Federation Services role services to the server On the Create Or Join An AD RMS Cluster page, you have two options: ❑ Create A New AD RMS Cluster If you are implementing a new AD RMS deployment, you would select this option to create an AD RMS root cluster for certification and licensing purposes If an existing AD RMS root cluster is detected within the Active Directory forest, you would then select this option to create a new licensingonly cluster ❑ If an existing root or licensing-only cluster is already deployed, you can use this option to add another server to the cluster You Join An Existing AD RMS Cluster Chapter 18: Active Directory Rights Management Services 717 will need to provide the name of an existing AD RMS configuration database as well as the name of the database server On the Select Configuration Database page, you configure the database that will be used to store configuration and policy information This page provides you with two options: ❑ Use Windows Internal Database On This Server If you are implementing AD RMS on a single server for a small environment or for a test lab, you can select this option Note that this option does not allow for more servers to join the AD RMS cluster, and so if you require future scalability, choose the other option ❑ Use A Different Database Server This option allows you to specify the server name and database instance for the configuration database It is recommended that you use a database server such as Microsoft SQL Server 2005 or above On the Specify Service Account page, you specify the account that the AD RMS cluster will use to communicate with other services on the computer and throughout the network This account requires only standard domain user permission This account will automatically be added to the AD RMS service group and will be provided with the default permissions for that group On the Configure AD RMS Cluster Key Storage page, you specify where you want to store the AD RMS cluster key The AD RMS cluster key is used to sign certificates and licenses issued by the cluster It is also used in disaster recovery scenarios and by other AD RMS servers as they join the cluster You are provided with two options for storing the cluster key: ❑ Use AD RMS Centrally Managed Key Storage When the AD RMS cluster key is generated, the next step of the wizard asks you to provide a cluster key password to protect the key (which you must remember for disaster recovery purposes) The AD RMS cluster key is stored in the configuration database and will be automatically shared by AD RMS servers joining the cluster ❑ Use CSP Key Storage For advanced security, you can choose to store the AD RMS cluster key to a cryptographic service provider (CSP) This provides the best security option, but it does require you to manually provide the key when new servers join the cluster If you choose this option, the next step of the wizard asks you to select the CSP and choose whether to create a new key with the CSP or use an existing key with the selected CSP (the latter option is typically used in a recovery scenario) On the Select AD RMS Cluster Web Site page, you can select a Web site for the AD RMS virtual directory Typically you would use the Default Web Site on a server that is only running the AD RMS server role The Specify Cluster Address page allows you to specify how AD RMS clients will communicate with the cluster You can choose to use an SSL-encrypted connection or 718 Part V: Identity and Access Management with Active Directory you can specify an unencrypted connection You will also provide the internal address and port that will be used for the cluster It is recommended that you use an SSLencrypted connection In order to so, the next step in the wizard provides the ability to either choose an existing certificate that has already been issued by a certification authority or create a self-signed certificate A self-signed certificate is only recommended for small-scale deployments because you will need to manually install the certificate on all clients that communicate with the server Figure 18-4 shows the configuration of an SSL-encrypted connection Note The internal address needs to be a fully qualified domain name that resolves to the AD RMS cluster You should not specify a server name, but rather an alias that represents the entire cluster This will then allow you to easily add Network load balancing or additional servers to the cluster at a later time Also note that you cannot change this address or port number after AD RMS is installed, so it is important to decide on this FQDN before deployment Note If you are planning to integrate AD RMS with AD FS, you must choose the SSLencrypted connection Otherwise, you have to reinstall AD RMS Figure 18-4 Configuring an SSL-encrypted cluster address Chapter 18: Active Directory Rights Management Services 719 10 On the Name the Server Licensor Certificate page, enter a name that will be used for identifying the SLC 11 On the Register AD RMS Service Connection Point page, you are provided with two options: ❑ Register The AD RMS Service Connection Point Now If you are a member of the Enterprise Admins group in Active Directory, you can have the AD RMS installation automatically configure the AD RMS service connection point Recall that this Active Directory object is required for AD RMS–enabled clients to resolve intranet URLs for the AD RMS cluster ❑ Register The AD RMS Service Connection Point Later If you are not a member of the Enterprise Admins group, or if you not yet want the AD RMS cluster to be automatically discoverable by clients, you can select this option 12 If you have selected to install Identity Federation Support, you will be asked to enter the federation server name that will communicate with the AD RMS server If you did not choose to install Identify Federation Support, this option will not be available 13 The final step is to configure the Web Server (IIS) role service Generally you would keep the recommended settings specified in the Select Role Services page; however, you have the option to add or remove specific role service settings as required After the installation is complete, you will need to log off and then log on again in order to update your security token and be able to administer the AD RMS server After logging back on, you can then administer the server by using the Active Directory Rights Management Services console, as shown in Figure 18-5 720 Part V: Identity and Access Management with Active Directory Figure 18-5 Viewing the Active Directory Rights Management Services console Configuring the AD RMS Service Connection Point As mentioned previously, the service connection point (SCP) is required for clients to be able to automatically discover the AD RMS cluster URL There is only one SCP per Active Directory forest When an AD RMS client attempts to use rights-management features on a computer, the AD RMS client application queries the SCP to find the URL of the AD RMS cluster After finding the AD RMS cluster, the client downloads an RAC and can then participate in publishing and consuming rights–protected information The SCP is typically registered during the installation of the AD RMS root cluster, but if you (or the individual that installed the AD RMS server) are not a member of the Enterprise Admins group, this task may have to take place as a separate step After installation, the SCP can be registered or changed from the cluster Properties box in the Active Directory Rights Management Services console In order to perform this task, membership is required in the AD RMS Enterprise Administrators and the Enterprise Admins groups in Active Directory Figure 18-6 provides an illustration of the dialog box used to modify the SCP registration Chapter 18: Active Directory Rights Management Services 721 Figure 18-6 Modifying the SCP registration Working with AD RMS Clients After the AD RMS cluster is deployed and the SCP configured, your next step is to ensure that all clients that are to participate in the rights-management solution have the appropriate AD RMS client software installed If your clients consist of mainly Windows Vista or Windows Server 2008 operating systems, then this step is easy, since the AD RMS client is already installed and provided with the client operating system If your client operating systems consist of Windows XP, Windows 2000, or Windows Server 2003, you will need to download a compatible version of the AD RMS client from the Microsoft Download Center and then determine an appropriate deployment method to have it installed on the computers that will take part in the AD RMS environment Many organizations will choose to use Systems Management Server (SMS), System Center Configuration Manager (SCCM), or Group Policy to deploy the RMS client In order to deploy the client using these methods, you must extract the Windows Installer files from the executable package using the following command syntax (note that the example uses the SP2 version of the RMS client): WindowsRightsManagementServicesSP2-KB917275-Client-ENU.exe /x When you provide the /x switch, you will be prompted for a location to extract the files These two files are required to be deployed to the clients: ■ MSDrmClient.msi This is the installation file for the RMS client This file should be deployed first, which will remove any previous versions and then install the new version of the client 722 Part V: ■ Identity and Access Management with Active Directory RMSClientBackCompat.msi This file associates the new RMS client to RMS-enabled applications such as Microsoft Office This should be installed after the MSDrmClient.msi file is deployed You might also decide to deploy the executable file using a script or batch file You can deploy the RMS client using an unattended installation method by using the following command: WindowsRightsManagementServicesSP2-KB917275-Client-ENU.exe -override /I MsDrmClient.msi REBOOT=ReallySuppress /q -override /I RmClientBackCompat.msi REBOOT=ReallySuppress /q Note In addition to installing the client, not forget that each user object is required to have the E-mail attribute configured on the General tab of the user Properties dialog box in Active Directory Configuring Client Service Discovery When a network client attempts to use a rights-management feature of a compatible application, the AD RMS client queries the service connection point in Active Directory to retrieve the URL pipeline of the Certification virtual directory located on the AD RMS root cluster The URL pipeline is in the following format: http(s):///_wmcs/Certification Note You will be prompted for credentials each time you attempt to connect to the AD RMS cluster To address this, you can add the AD RMS cluster URL to the Local intranet security zone for all users who will be participating in the AD RMS infrastructure You can configure this as a Group Policy setting to affect multiple clients as required During the creation or consumption of rights-protected content, the AD RMS client retrieves and looks for the URL to the Licensing virtual directory on the AD RMS cluster The URL pipeline for licensing requests is in the following format: http(s):/// _wmcs/Licensing There may be times when you will need to override the default service discovery process and force a client to contact a specific AD RMS cluster that is different from the one published in the SCP For example, if you deploy licensing-only AD RMS clusters for scalability purposes, you will need to override the default configuration on the clients with the licensing-only clusters deployed so that the AD RMS root cluster is no longer contacted to acquire use or publishing licenses You can override the default service discovery process by adding the following registry entry on the client workstations that are participating in the AD RMS environment: HKEY_LOCAL_MACHINE\Software\Microsoft\MSDRM\ServiceLocation Chapter 18: Active Directory Rights Management Services 723 The keys listed in Table 18-4 are used for overriding the activation or licensing services to use a specified AD RMS cluster Table 18-4 Keys Used for Overriding Activation or Licensing Services Key Name Data Type Syntax Description Activation REG_SZ http(s):///_wmcs/ certification (where is the URL of the root cluster that should be used for certification) Used to override the default AD RMS certification service that is configured in the SCP EnterprisePublishing REG_SZ http(s):///_wmcs/licensing Used to override (where is the URL of the the default AD licensing-only cluster) RMS licensing service Most applications that contain rights-management features also provide a way to identify specific licensing servers to be used for publishing or consuming rights-protected information This prevents you from having to change the global settings for service discovery, but still provides unique settings for a specific application For example, to specify a licensing server for Microsoft Office 2007, you can add or modify the following registry entry: Hive: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\Common\DRM Value: CorpLicenseServer Type: REG_SZ Entry: http(s):///_WMCS/licensing Creating Rights-Protected Content with Microsoft Office Both Microsoft Office 2003 Professional Edition and Microsoft Office 2007 (Enterprise, Ultimate, and Professional Plus editions) work together with the AD RMS client to enable the creation and use of rights-protected content You can apply rights to a document using the following methods: ■ For Microsoft Office Professional Edition 2003, click the File menu and then point to Permission You can then select an appropriate template to apply that specifies the rights required for the document ■ For Microsoft Office 2007, click the Office button and then point to Prepare You can then point to the Restrict Permission option to select an appropriate rights policy template to apply to the document Depending on the rights policy template being used, the user applying the permissions may have the Permission dialog box open This box provides the ability to specify who has Read or 724 Part V: Identity and Access Management with Active Directory Change permission to the document As shown in Figure 18-7, Don has Read permissions, and Terry has Change permissions to the document Figure 18-7 Restricting permissions on a document Clicking the More Options button provides additional permissions, as shown in Figure 18-8 and described in Table 18-5 Figure 18-8 Additional permissions and settings for users Chapter 18: Active Directory Rights Management Services 725 Table 18-5 Permission and Setting Options Permission or Setting Description Restrict Permission To This Document Provides the option for enabling or disabling the permissions applied to the document The Following Users Have Permission To This Document You can click the Add button or the Remove button to modify the list of users that have permissions and settings as configured in this dialog box This Document Expires On Provides the ability to set an expiration date for the document After the expiration date, the users will no longer have any rights to open the document Print Content Adds the permission to be able to print the document Allow Users With Read Access To Copy Content Adds the permission to copy content and paste it to another location or document Access Content Programmatically Adds permission for services or scripts to access the content Users Can Request Additional You can use this option to provide the e-mail address of the Permissions From individual that users can request additional permissions for content access and modification Require A Connection To Verify A User’s Permission You can use this check box to ensure that users can only open this document if a user can be verified by the AD RMS cluster This verification is done every time the file is opened, and so not enable this setting for offline users Set Defaults You can click the Set Defaults button to save common permission settings for future use When a user attempts to consume rights-protected content, a permission notification box is displayed As shown in Figure 18-9, you can see that the notification provides the URL to the licensing pipeline for credential verification and obtaining a use license Figure 18-9 Viewing the permission notification The user will then be restricted to the permissions as outlined in the use policy, which can be viewed by clicking the View Permission button, as shown in Figure 18-10 Notice that Don@ADatum.com has View and Copy permissions assigned to the document ... “Stepby-Step Guide for Getting Started with Active Directory Lightweight Directory Services,” located at http://technet2 .microsoft. com/windowsserver2008/en/library/14 190 0a7445c-4bd 3 -9 ce 3-5 ff53d70d10a1033.mspx?mfr=true... located at http://technet2 .microsoft. com/windowsserver/en/library/ d4b6dbdc-eb5 3-4 22 9- 9 118-b7d80c9125671033.mspx?mfr=true Chapter 16: Active Directory Lightweight Directory Services 657 The... Reference,” located at http://technet2 .microsoft. com/windowsserver/en/library/ d4b6dbdc-eb5 3-4 22 9- 9 118-b7d80c9125671033.mspx?mfr=true Related Tools Windows Server 2008 provides several tools that can