Configuring AD RMS

Unlike the earlier Windows Rights Management Services (RMS), AD RMS is configured through an MMC console. The console is integrated in Server Manager but is also available as a standalone console through the Remote Server Administration Tools (RSAT). Each of the tasks you need to perform to finalize your configuration is available through this console.


Creating an Extranet URL

When you want to extend your AD RMS infrastructure to mobile users or teleworkers outside your internal network, you must configure extranet URLs for the certification and licensing services. Use the following procedure.
These URLs must point to a valid IIS installation that is reachable from the extranet, and they should be permanent, because the licensing URL is written into the publishing licenses of protected content and changing it later breaks access to existing content. Register the names in external DNS. Use HTTPS (TLS) for all communication on these URLs. Finally, remember to create the appropriate virtual directories to host the AD RMS data.

Expand Active Directory Rights Management Services. Right-click the server name and click Properties. Click the Cluster URLs tab. Select Extranet URLs. Type the valid URLs, then click OK.
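The same configuration from PowerShell, followed by the DNS and TLS check a practitioner would want before telling external users the URLs. This is an added example, not part of the lesson. It assumes the AdRmsAdmin module that ships with the AD RMS role (Windows Server 2008 R2 and later), that the script runs on a cluster node as an AD RMS administrator, that the hostname is a made-up one, and that the root-node properties are named ExtranetCertificationUrl and ExtranetLicensingUrl; list the root node first to confirm the names on your cluster. The /_wmcs/certification and /_wmcs/licensing paths are the virtual directories AD RMS creates.

```powershell
# Added example (not from the lesson): set the extranet cluster URLs through the
# AdRmsAdmin provider, then verify DNS and HTTPS for each one.
# Assumed: module availability, the constructed hostname, and the two property names.
Import-Module AdRmsAdmin
New-PSDrive -Name AdRmsAdmin -PSProvider AdRmsAdmin -Root https://localhost | Out-Null

$extranetHost = 'rms.contoso.com'   # constructed public name; must exist in external DNS
$urls = @{
    ExtranetCertificationUrl = "https://$extranetHost/_wmcs/certification"
    ExtranetLicensingUrl     = "https://$extranetHost/_wmcs/licensing"
}
foreach ($name in $urls.Keys) {
    Set-ItemProperty -Path AdRmsAdmin:\ -Name $name -Value $urls[$name]   # property names assumed
}
Get-ItemProperty -Path AdRmsAdmin:\ | Select-Object ExtranetCertificationUrl, ExtranetLicensingUrl

# Check: the name must resolve, and the endpoint must answer over HTTPS with a
# certificate the client trusts. Any HTTP status (even 403 on the directory itself)
# proves DNS and TLS work; a TrustFailure means an untrusted or mismatched certificate,
# which is what makes external activation fail silently.
function Test-AdRmsUrl {
    param([string]$Url)
    $uri = [Uri]$Url
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString }
    } catch {
        return "FAIL  $Url  (DNS: $($_.Exception.Message))"
    }
    try {
        $req = [System.Net.HttpWebRequest]::Create("$Url/")
        $req.Method  = 'HEAD'
        $req.Timeout = 10000
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
        return "OK    $Url  -> $($addresses -join ', ')  (HTTP $status)"
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            return "FAIL  $Url  (TLS certificate not trusted by this client)"
        }
        if ($ex.Response) {
            return "OK    $Url  -> $($addresses -join ', ')  (HTTP $([int]$ex.Response.StatusCode))"
        }
        return "FAIL  $Url  ($($ex.Status))"
    }
}
$urls.Values | ForEach-Object { Test-AdRmsUrl -Url $_ }
```

Run the check from outside the corporate network as well as from the cluster node: split DNS on the inside can make the extranet name resolve to an internal address and hide a missing external record.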

Exporting the Server Licensor Certificate

To work with either trusted publishing domains or trusted user domains, you must export the server licensor certificate (SLC) from your root cluster, or from the root cluster to be trusted. The exported certificate is imported into the other cluster to establish the trust.

On the Server Certificate tab, click Export Certificate. Type a file name and click Save. Click OK.

Preparing AD RMS Certificates

Certificates are created by default during the installation of AD RMS. However, you must configure appropriate certificate durations based on your rights-protection policies. Four activities can be performed in terms of certificate administration:

  • Specify the duration of rights account certificates.
  • Enable certification for mobile devices.
  • Enable certification of server services.
  • Authenticate clients through smart cards.

Of these, the one you must absolutely set is the validity period for the rights account certificate (RAC). The others are optional operations that depend on your rights-protection policies.

Note that standard RACs are valid for 365 days by default, and temporary RACs last only 15 minutes. You might want to extend the duration of a temporary RAC, but be careful about extending the validity of a standard RAC: a RAC remains usable until it expires, so a longer period lengthens the time during which an account that has since been disabled or excluded still holds a valid AD RMS identity. Click Change Standard RAC Validity Period. Set a suitable period (Days). Then click the Temporary RAC tab. Set a suitable period (Minutes). Then click OK.
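The same settings from PowerShell, with a guard that refuses to lengthen the standard RAC beyond the default. This is an added example, not part of the lesson. It assumes the AdRmsAdmin module, the node path AdRmsAdmin:\RightsAccountCertificatePolicy, and the property names StandardRacValidity (days) and TemporaryRacValidity (minutes); the names are assumptions, so list the node first and substitute the names your cluster shows.

```powershell
# Added example (not from the lesson): review and set the RAC validity periods.
# Assumed: AdRmsAdmin module, the node path, and the two property names.
Import-Module AdRmsAdmin
New-PSDrive -Name AdRmsAdmin -PSProvider AdRmsAdmin -Root https://localhost | Out-Null

$racPath = 'AdRmsAdmin:\RightsAccountCertificatePolicy'   # assumed node path
Get-ItemProperty -Path $racPath     # current values (defaults: 365 days standard, 15 minutes temporary)

$standardDays  = 90    # shorter than the 365-day default
$temporaryMins = 30    # longer than the 15-minute default, for computers the user does not normally use

# A RAC is not revoked when the AD DS account is disabled; it stays valid until it
# expires, and excluding its public key is the only way to block it. A longer standard
# RAC therefore lengthens the time a departed or compromised account keeps a usable
# AD RMS identity, so this guard allows shortening only.
if ($standardDays -gt 365) {
    throw "Standard RAC validity of $standardDays days exceeds the 365-day default; do not lengthen it."
}
if ($temporaryMins -gt 60) {
    Write-Warning "Temporary RACs are meant for short sessions on shared computers; $temporaryMins minutes is long."
}
Set-ItemProperty -Path $racPath -Name StandardRacValidity  -Value $standardDays    # assumed property name
Set-ItemProperty -Path $racPath -Name TemporaryRacValidity -Value $temporaryMins   # assumed property name
Get-ItemProperty -Path $racPath
```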

Preparing Exclusion Policies

When you decide the scope of your rights-protection policy implementation, you can configure exclusion policies: policies that prevent specified users, applications, lockbox versions, and Windows versions from obtaining licenses and thereby from participating in your AD RMS implementation.

You can create exclusion policies for four entities: users, applications, lockboxes, and Windows operating systems.

When you do so, the list of the specified exclusion members is included in every use license issued for the content. You can remove an excluded entity from an exclusion list, but remember that removing it only stops it from being added to new use licenses. Use licenses that were issued while the entity was on the list still contain it, because use licenses are issued only once by default. Because of this, keep three items in mind when preparing exclusion lists:

  • Assign only exclusions that will be as permanent as possible.
  • If you change your mind, wait until existing use licenses have expired before removing entities from an exclusion list.
  • Rely on exclusion lists if the credentials of one of the supported entities, such as a user, have been compromised, and your rights protected content is at risk.

Expand Exclusion Policies. Right-click Users and select Enable User Exclusion. Click Exclude User. You can exclude a user either through the e-mail address or through the public key assigned to the user's RAC. The first is for users included in your AD DS directory, and the second is for external users who might not have an account in your AD DS directory. If you exclude users in your AD DS directory, exclude a group rather than individual accounts so that the list is easier to manage as time goes on. Click Browse. Locate the user or group to be excluded and click OK. Click Finish.
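The same steps from PowerShell, including the residual-effect calculation the three bullet points above imply. This is an added example, not part of the lesson. It assumes the AdRmsAdmin module, the node AdRmsAdmin:\ExclusionPolicy\User with an IsEnabled property, and that New-Item on that node takes -Name for an e-mail address and -PublicKey for a RAC public key; those names are assumptions. The group address, the key placeholder, and the 30-day figure are constructed.

```powershell
# Added example (not from the lesson): enable user exclusion and add entries.
# Assumed: module, node path, IsEnabled property, and the -Name / -PublicKey parameters.
Import-Module AdRmsAdmin
New-PSDrive -Name AdRmsAdmin -PSProvider AdRmsAdmin -Root https://localhost | Out-Null

$userExclusion = 'AdRmsAdmin:\ExclusionPolicy\User'        # assumed node path
Set-ItemProperty -Path $userExclusion -Name IsEnabled -Value $true

# Internal users: exclude a group (constructed address) rather than individuals, so
# that membership changes never require editing the exclusion list itself.
New-Item -Path $userExclusion -Name 'rms-excluded@contoso.com'     # assumed: -Name is the e-mail address

# External user with no AD DS account: exclude the public key of that user's RAC.
New-Item -Path $userExclusion -PublicKey "<base64 public key taken from the external user's RAC>"   # assumed parameter

Get-ChildItem -Path $userExclusion

# Removing an entry later stops it from being written into new use licenses, but
# licenses issued while it was present keep enforcing it until they expire. The
# residual window is therefore the longest use-license validity among your templates
# (constructed value below), counted from the day of removal.
$longestUseLicenseDays = 30
"An entry removed today would still be enforced by existing use licenses until " +
    (Get-Date).AddDays($longestUseLicenseDays).ToString('yyyy-MM-dd')
```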

Preparing Accounts and Access Rights

To ensure that your users can work with AD RMS, you must prepare their accounts. When you do so, AD RMS includes the account within its own database. However, when you remove an account from AD DS, AD RMS disables the account but does not automatically remove it from its database. Because of this, the database can become large and contain obsolete data. To protect against this, either create a stored procedure in SQL Server that removes the account when you delete it, or create a script that does so on a scheduled basis.

AD RMS also provides a Super Users group. Members of this group can recover or modify any data that is managed by your AD RMS infrastructure and can, therefore, recover data from users who have left the organization. You should usually assign a universal group from your directory to this role. Prepare the universal group before enabling Super Users in AD RMS.

Select Security Policies and click Change Super User Settings. Select Enable Super Users. Click Change Super User Group. Type the e-mail address of a mail-enabled universal group from your forest, or use the Browse button to locate it, then click OK. Click OK. Members of this group now have access to all AD RMS content. Select these members very carefully and ensure that they are completely trustworthy. In fact, you might prefer to keep the Super Users group disabled and enable it only when you need it, for example to recover content.
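The enable-only-when-needed pattern in script form: the group is switched on for one recovery task, switched off again in a finally block even if the task fails, and the membership and reason are written to a transcript. This is an added example, not part of the lesson. It assumes the AdRmsAdmin module, the node AdRmsAdmin:\SecurityPolicy\SuperUser with IsEnabled and SuperUserGroup properties (names assumed), the ActiveDirectory module for the membership listing, and a constructed group name.

```powershell
# Added example (not from the lesson): enable Super Users only for the duration of a task.
# Assumed: both modules, the node path, the two property names, and the group names.
Import-Module AdRmsAdmin
Import-Module ActiveDirectory
New-PSDrive -Name AdRmsAdmin -PSProvider AdRmsAdmin -Root https://localhost | Out-Null

$superUserNode = 'AdRmsAdmin:\SecurityPolicy\SuperUser'   # assumed node path
$groupMail     = 'rms-superusers@contoso.com'             # mail-enabled universal group, created beforehand (constructed)
$groupSam      = 'rms-superusers'                         # its sAMAccountName (constructed)

function Invoke-WithSuperUsers {
    param(
        [Parameter(Mandatory=$true)][scriptblock]$Task,
        [Parameter(Mandatory=$true)][string]$Reason
    )
    # Everyone in the group can decrypt all protected content while this runs, so
    # record the membership and the reason before enabling.
    $members = (Get-ADGroupMember -Identity $groupSam -Recursive |
                Select-Object -ExpandProperty SamAccountName) -join ', '
    Start-Transcript -Path "C:\AdRms\superuser-$(Get-Date -Format yyyyMMdd-HHmmss).log" | Out-Null
    "Reason:  $Reason"
    "Members: $members"
    try {
        Set-ItemProperty -Path $superUserNode -Name SuperUserGroup -Value $groupMail   # assumed property
        Set-ItemProperty -Path $superUserNode -Name IsEnabled      -Value $true        # assumed property
        & $Task
    } finally {
        # Disable again even if the task threw, then read the state back rather than assume it.
        Set-ItemProperty -Path $superUserNode -Name IsEnabled -Value $false
        $state = Get-ItemProperty -Path $superUserNode
        "Super Users enabled after task: $($state.IsEnabled)"
        Stop-Transcript | Out-Null
    }
}

Invoke-WithSuperUsers -Reason 'Recover rights-protected files left by a departed user' -Task {
    # Run the recovery tooling here while the group is active; this placeholder does nothing.
    'recovery step placeholder'
}
```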

Creating a Rights Policy Template

To facilitate the application of rights protection by your users, prepare policy templates. These templates save considerable time for your users and ensure that you maintain the standards you set in your rights-protection policies. You must perform several activities with policy templates. First, you must create the template. Next, you must specify a location for the template. Locations are usually shared folders on your network. However, for users to rely on the template to create content, they must have access to it. Offline users will not have access to the templates unless you configure the offline folder settings for the shared folder so that the content of the folder is automatically available locally to the user. In addition, relying on offline folders ensures that when you modify, add, or update templates, they are automatically updated on the client computer the next time the user connects to the network. Offline folders, however, will not work for external users who do not have access to your internal network.

Expand Active Directory Rights Management Services and click Rights Policy Templates. Click Create Distributed Rights Policy Template. Click Add. Choose the language for the template. Type a name and description for the template and click Add. Click Next. Click Add to select the user or group that will have access to the template. Selecting Anyone enables any user to request a use license for the content, so reserve it for content that is meant to be broadly readable. Click OK. Select the user or group, then assign its rights in the Rights For User pane. You can also create a custom right. Note that the Grant Owner (Author) Full Control Right With No Expiration option is selected by default. In the Rights Request URL box, type the appropriate URL. Then click Next. On the Specify Expiration Policy page, select one of the three available options and type a value in days. If you need to ensure that content expires automatically after a number of days, select Expires After The Following Duration (Days), and type the number of days. Click Next.

Specify Extended Policy

On the Specify Extended Policy page, you can assign the following settings:

  1. Select Enable Users To View Protected Content Using A Browser Add-On. This enables users who do not have AD RMS-enabled applications to view protected content by automatically installing the required add-on.
  2. Select Request A New Use License Every Time Content Is Consumed (Disable Client-Side Caching) if you need authentication against the AD RMS servers each time content is consumed. Note that this will not work for offline users.
  3. Select If You Would Like To Specify Additional Information For Your AD RMS-Enabled Applications, You Can Specify Them Here As Name-Value Pairs if you need to add specific data to the protected content. This option is usually reserved for developers, however.

Select the appropriate option. Then click Next.

Specify Revocation Policy

On the Specify Revocation Policy page, you can enable revocation by selecting the Require Revocation option and then:

  1. Selecting Location Where The Revocation List Is Published (URL or UNC) and typing the location of the revocation file. Keep in mind that if you use a URL and you have both internal and external users, the URL must be accessible from both network locations.
  2. Selecting Refresh Interval For Revocation List (Days) and typing the number of days a downloaded revocation list remains acceptable. After that interval the client must obtain a fresh list before it can open the content, so an unreachable location blocks access rather than failing open.
  3. Selecting File Containing Public Key Corresponding To The Signed Revocation List, so that clients accept only a list signed with the matching private key.

If required, select Require Revocation and then complete the options above. Then click Finish.

The template has now been created.
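The whole wizard (rights, expiration, and extended policy) as one PowerShell command, followed by a check that the template exists. This is an added example, not part of the lesson. It assumes the AdRmsAdmin module and that New-Item on AdRmsAdmin:\RightsPolicyTemplate accepts the dynamic parameters used below; the parameter names and the AfterDays value are assumptions, so run Get-Help New-Item -Path AdRmsAdmin:\RightsPolicyTemplate on the cluster to confirm them. The group address, request URL, and template text are constructed. The revocation page is left at its default here.

```powershell
# Added example (not from the lesson): create a distributed rights policy template.
# Assumed: module, node path, and every New-Item parameter name below.
Import-Module AdRmsAdmin
New-PSDrive -Name AdRmsAdmin -PSProvider AdRmsAdmin -Root https://localhost | Out-Null

$templatePath = 'AdRmsAdmin:\RightsPolicyTemplate'
$template = @{
    Path                     = $templatePath
    LocaleName               = 'en-us'
    DisplayName              = 'Contoso Confidential'
    Description              = 'Internal staff only; view and print; content expires after 30 days'
    UserGroup                = 'staff@contoso.com'   # a specific group; Anyone would let any user request a use license
    Right                    = @('View', 'Print')    # the author keeps Full Control by default
    RightsRequestUrl         = 'mailto:rms-requests@contoso.com'
    ContentExpirationOption  = 'AfterDays'           # assumed value for "Expires After The Following Duration (Days)"
    ContentValidityDuration  = 30
    EnableInBrowserViewing   = $true                 # browser add-on for users without AD RMS-enabled applications
    DisableClientSideCaching = $false                # $true forces a use-license request per open and breaks offline use
}
New-Item @template

# Confirm the template exists before pointing clients at the template location.
$created = Get-ChildItem -Path $templatePath | Where-Object { $_.DisplayName -eq $template.DisplayName }
if (-not $created) { throw "Template '$($template.DisplayName)' was not created" }
$created
```

Keep DisableClientSideCaching at $false unless every consumer of that template is always online; the wizard's Request A New Use License Every Time Content Is Consumed option is the same switch, and the lesson notes it does not work for offline users.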