One of the most important challenges an organization can face is protecting sensitive data such as documents, spreadsheets and, amongst other things, e-mail messages. With this in mind, Active Directory Rights Management Services (AD RMS) is a powerful information protection tool from Microsoft that works with suitably enabled applications, such as Exchange Server, to help protect sensitive data by applying rights policy templates.
In this article, we will look at the steps needed for a simple AD RMS installation in a very straightforward walk-through style, and then cover how to integrate AD RMS with Microsoft Exchange Server 2010. To finish off, we will also cover Rights Policy Template creation and management through the AD RMS management console and also through Windows PowerShell.
If you want to know about more sophisticated Rights Management, then we will cover the IRM (Information Rights Management) features in Exchange Server 2010 in a future article, and the different ways to configure these features.
AD RMS installation:
The AD RMS installation must be performed on a Windows Server 2008 R2 server, and you’ll need to make sure you have met the following prerequisites prior to the installation:
- The machine on which you are installing the AD RMS role is a member server in a domain
- You have created a domain user account that will be used as the AD RMS Service Account
- You have created a second domain user account that will be used to install the AD RMS role. Add this user to the local Administrators group and to the AD DS Enterprise Admins group
- You are hosting an Active Directory domain in which the domain controller is running at least Windows Server 2000 with Service Pack 3
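The prerequisites above can be checked from the console before you open Server Manager. The following script is an added example, not part of the article; it assumes it is run on the prospective AD RMS server as the installation account, and the two account names are placeholders.

```powershell
# Added example: verify the AD RMS prerequisites listed above (placeholder account names).
$svcAccount     = 'CONTOSO\svc-adrms'       # placeholder: AD RMS service account
$installAccount = 'CONTOSO\adrms-install'   # placeholder: account performing the install

function Test-AdRmsPrerequisites {
    $ok = $true

    # 1. The server must be domain-joined (a member server, not a workgroup machine)
    $cs = Get-WmiObject Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { Write-Warning 'Server is not a domain member'; $ok = $false }

    # 2. Both accounts must exist in AD and must be two different accounts
    foreach ($acct in @($svcAccount, $installAccount)) {
        $sam = $acct.Split('\')[1]
        $searcher = New-Object DirectoryServices.DirectorySearcher("(&(objectCategory=user)(sAMAccountName=$sam))")
        if (-not $searcher.FindOne()) { Write-Warning "Account $acct not found in AD"; $ok = $false }
    }
    if ($svcAccount -eq $installAccount) { Write-Warning 'Service and install accounts must differ'; $ok = $false }

    # 3. The current (install) account needs local Administrators and Enterprise Admins
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Not running as a local administrator'; $ok = $false
    }
    $forestRoot = [DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name
    $eaSid = (New-Object Security.Principal.NTAccount("$forestRoot\Enterprise Admins")).Translate(
                [Security.Principal.SecurityIdentifier])
    if (-not $principal.IsInRole($eaSid)) { Write-Warning 'Not a member of Enterprise Admins'; $ok = $false }

    # 4. Every domain controller must be Windows Server 2000 SP3 or later
    $domain = [DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    foreach ($dc in $domain.DomainControllers) {
        Write-Host ("DC {0}: {1} {2}" -f $dc.Name, $dc.OSVersion, $dc.Version)
        if ($dc.OSVersion -like '*2000*' -and $dc.OSVersion -notlike '*Service Pack 3*') {
            Write-Warning "$($dc.Name) is below Windows Server 2000 SP3"; $ok = $false
        }
    }
    return $ok
}

if (Test-AdRmsPrerequisites) { 'All AD RMS prerequisites met' } else { 'Fix the warnings above first' }
```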
For now, let us proceed with the installation by following these steps:
Go to Server Manager and click Add Roles, then select the Active Directory Rights Management Services checkbox and click Next, making sure to click the Add Required Role Services button as shown below.
On the ‘Select Server Roles’ page, make sure Active Directory Rights Management Services is selected before clicking Next.
Because it is our first AD RMS in the Active Directory forest, we will also need to create a new AD RMS cluster:
Once the AD RMS server is provisioned, it becomes an AD RMS cluster. We can differentiate two types of cluster:
- A root cluster that handles all certification and licensing requests. The first AD RMS in an Active Directory forest always becomes the root cluster.
- Licensing-only clusters that (unsurprisingly) handle licensing requests.
The two types of cluster cannot coexist in the same load-balancing pool, so that is something to consider when you’re setting up your infrastructure. Next, select to use a different database server, and click on Validate.
Even though you have the option to use the Windows Internal Database, it is recommended to instead use a separate server to host the AD RMS database. This is because the internal database doesn’t support remote connections, and hence prevents you from adding a second server to the AD RMS cluster. That being said, the Windows Internal Database can still be used in your lab environment. If you do elect to use a different database server, make sure that it is running SQL Server 2005 or later.
Next, on the Service Account page, select the AD RMS Service account:
Bear in mind that the AD RMS service account cannot be the same account as the domain account used for AD RMS installation. Next, when setting up the Cluster Key Storage, select Use AD RMS centrally managed key storage, and type in a Cluster Key Password.
On the Cluster Web Site page, you will notice the Default Website is selected; this is fine for a basic initial setup, so go ahead and click Next. On the Cluster Address, opt to use SSL and specify a Fully-Qualified Domain Name (FQDN) for the URL, and then click Validate to verify and preview the URL.
As a best practice, create a custom CNAME record for the AD RMS Cluster URL. This will ensure that the custom URL of the cluster is preserved if the AD RMS server is down, replaced or renamed, by only updating the appropriate record in the DNS.
On the Server Authentication Certificate page, click Choose an existing certificate for SSL encryption and click Import to import the necessary certificate. This could be a private certificate that is trusted within your Active Directory site, or a public certificate purchased from known vendors. You can select to use the self-signed certificate, but it is clearly not recommended to do so for a production environment due to the security implications.
In the next step, keep the default name for the Server Licensor Certificate and click Next, bringing you to the last step for configuring the AD RMS cluster installation, where you should opt to Register the AD RMS service connection point now.
On the Role services for Web Server (IIS) page which follows, keep the default selected roles and click Next, and once you come to the Confirmation page, click Install. On the results page, make sure that the installation is successfully completed:
As the second warning message states, you must log off and then log on again, and membership of the AD RMS Enterprise Administrators group will be added to your credentials automatically.
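The same root-cluster installation can be scripted, which is useful for repeatable lab builds and for documenting exactly which choices were made. The script below is an added example, not the article's own steps: it uses the ADRMS deployment provider that ships with Windows Server 2008 R2, its item paths and property names follow the provider's documentation (list them with `Get-ChildItem RC:\` and `Get-ItemProperty` if your build differs), and every host name, account and certificate subject is a placeholder.

```powershell
# Added example: scripted equivalent of the wizard steps above (Windows Server 2008 R2).
Import-Module ServerManager
Import-Module ADRMS

# Mount the installation provider; RootV means "create a new root cluster"
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootV | Out-Null

# Database: a separate SQL Server rather than the Windows Internal Database,
# so a second node can be added to the cluster later
Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $false
Set-ItemProperty -Path RC:\ClusterDatabase -Name ServerName -Value 'SQL01.contoso.local'   # placeholder

# Service account: a different account from the one running this script
$svc = Get-Credential -Credential 'CONTOSO\svc-adrms'   # placeholder; prompts for the password
Set-ItemProperty -Path RC:\ServiceAccount -Name UserName -Value $svc.UserName
Set-ItemProperty -Path RC:\ServiceAccount -Name Password -Value $svc.Password

# Cluster key: centrally managed and protected by a password (keep it in your vault, never in the script)
$clusterKeyPassword = Read-Host -AsSecureString 'Cluster key password'
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $clusterKeyPassword

# Web site and cluster URL: Default Web Site, HTTPS, and the CNAME that outlives this server
Set-ItemProperty -Path RC:\ClusterWebSite -Name WebSiteName -Value 'Default Web Site'
Set-ItemProperty -Path RC:\ClusterUrl -Name Scheme -Value https
Set-ItemProperty -Path RC:\ClusterUrl -Name Hostname -Value 'adrms.contoso.local'   # placeholder CNAME
Set-ItemProperty -Path RC:\ClusterUrl -Name Port -Value 443

# SSL certificate: an existing CA-issued certificate from the machine store, chosen by subject;
# refuse a self-signed one (issuer equals subject), matching the advice above
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*adrms.contoso.local*' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate for the cluster FQDN found in LocalMachine\My' }
if ($cert.Subject -eq $cert.Issuer) { throw 'Refusing to use a self-signed certificate' }
Set-ItemProperty -Path RC:\SSLCertificate -Name Choice -Value Existing
Set-ItemProperty -Path RC:\SSLCertificate -Name Thumbprint -Value $cert.Thumbprint

# Server Licensor Certificate name and service connection point registration
Set-ItemProperty -Path RC:\SLCName -Name Name -Value 'Contoso AD RMS'   # placeholder
Set-ItemProperty -Path RC:\SCP -Name Register -Value $true

Install-ADRMS -Path RC:\

# Afterwards: confirm the SCP in the configuration partition now carries the cluster URL
$cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
([ADSI]"LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$cfg").serviceBindingInformation
```

As with the wizard, log off and on again afterwards so the AD RMS Enterprise Administrators group membership is picked up before you open the management console.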