Step by Step Guide to deploy RMS Server

So, today we shall see how to deploy RMS rapidly :)

 

Prerequisites

 

AD RMS requires the following:

· An RMS service account.

· Ensure that each user account has the email address attribute populated.

· Ensure that the RMS server is a member server in the domain.

· The RMS server is reachable by its DNS name.

· Ensure that the RMS server is included in the Trusted Sites zone of IE.

· Office 2003 Professional or Office 2007 Professional Plus for authors. End users who only consume protected content can be on Office 2003 Standard / Office 2007 Standard.

 

  • Creating the AD RMS Service Account

a. If necessary, log onto the AD server as Administrator.

b. In the Server Manager window, expand Roles, then expand Active Directory Domain Services, and click Active Directory Users and Computers.

c. Create a new user with the following parameters:

     i. First name: ADRMSSvc

     ii. User logon name: ADRMSSvc

     iii. Password: Str0ngPassw0rd

     iv. User must change password at next logon: Not Selected

     v. Password never expires: Selected

d. Click Next, and then Finish.

e. Close Active Directory Users and Computers.


  • Creating a GPO that adds the RMS Server to the Trusted Sites zone of IE

    a. In the Group Policy Management Editor, expand User Configuration, expand Policies, and then select Windows Settings.

    b. Expand the Internet Explorer Maintenance node and then click Security.

    c. In the details pane, double-click Security Zones and Content Ratings and click Continue in the pop-up window.

    d. In the Security Zones and Content Ratings dialog box, in the Security Zones and Privacy section, click Import the current security zones and privacy settings.

    e. Click Modify Settings.

    f. Click Trusted Sites, and then click Sites.

    g. Verify that the following entries have been added to the list:

    · *.xxxxx.com (where xxxxx.com is your domain name)

    h. Click Close.

    i. Click Local Intranet, and then click Sites.

    j. Click the Advanced button.

    k. Verify that the following entries have been added to the list:

    · *.xxxxx.com

    l. Click Close, and then click OK in the local Intranet window.

    m. Click OK twice to return to the Group Policy Object Editor and close the Group Policy Object Editor.

    n. Close the Group Policy Management Console.

    o. Close all windows and log off.

The other prerequisites do not require my help :)

I am sure you can check whether the RMS server is reachable by pinging it from client machines.

**** But don’t forget to ensure that the AD user accounts have the email address field populated with valid email addresses; AD RMS identifies users by this attribute.
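The prerequisite checks above can be scripted instead of verified by hand. The following is an added example, not part of the original guide, that assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the server name and FQDN are placeholders for your own environment:

```powershell
# Added example: pre-flight checks for the AD RMS prerequisites listed above.
# Assumes the ActiveDirectory module (RSAT); names below are placeholders.
Import-Module ActiveDirectory

$rmsFqdn        = 'adrms.xxxxx.com'   # placeholder: your RMS cluster FQDN
$rmsServerName  = 'RMSSERVER'         # placeholder: the RMS member server
$serviceAccount = 'ADRMSSvc'          # service account created above

# 1. Service account exists and its password is set to never expire.
$svc = Get-ADUser -Filter "SamAccountName -eq '$serviceAccount'" -Properties PasswordNeverExpires
if (-not $svc) {
    Write-Warning "Service account '$serviceAccount' not found."
} elseif (-not $svc.PasswordNeverExpires) {
    Write-Warning "Service account '$serviceAccount' has an expiring password."
} else {
    Write-Host "OK: service account '$serviceAccount' present and configured."
}

# 2. Enabled user accounts with no mail attribute cannot be licensed by RMS.
#    The bitwise LDAP rule excludes disabled accounts (ACCOUNTDISABLE = 2).
$noMail = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(mail=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
if ($noMail) {
    Write-Warning ("{0} enabled user(s) have no email address:" -f @($noMail).Count)
    $noMail | Select-Object SamAccountName | Format-Table -AutoSize
} else {
    Write-Host 'OK: all enabled users have an email address.'
}

# 3. The RMS server is a member of the domain.
$computer = Get-ADComputer -Filter "Name -eq '$rmsServerName'"
if ($computer) { Write-Host "OK: '$rmsServerName' is a domain member." }
else           { Write-Warning "'$rmsServerName' is not a domain computer." }

# 4. The cluster FQDN resolves in DNS (a ping alone may be blocked by a firewall).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($rmsFqdn)
    Write-Host ("OK: {0} resolves to {1}" -f $rmsFqdn, ($addrs -join ', '))
} catch {
    Write-Warning "DNS lookup for '$rmsFqdn' failed: $($_.Exception.Message)"
}
```

Run it from a domain-joined admin workstation before starting the role installation; any warning corresponds to one of the prerequisites above.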

 

Installing RMS Server (Provisioning RMS Server)

 

Let's see how the RMS server is provisioned on Windows Server 2008.

 

a. If necessary, log on as Administrator to the server identified as the RMS server.

b. Click the Start button, and then click Server Manager.

c. Click Roles, and then click Add Roles in the right panel. The Add Roles Wizard opens. Click Next.

d. On the Select Server Roles page, select Active Directory Rights Management Services.

e. The Add Roles Wizard informs you that the role depends on Message Queuing, which will be installed as well. Click Add Required Features to install the role and role services. This may take several minutes.

f. The Add Role Wizard page will show you the following role selected:

· Active Directory Rights Management Services

g. Click Next.

h. The Add Role Wizard page shows you an Introduction to Active Directory Rights Management Services. Click Next to continue.

i. The Add Role Wizard page shows you the component list. Only Active Directory Rights Management Services is selected. Click Next.

j. The Add Role Wizard – Create or Join an AD RMS Cluster page appears. Verify that the only option available is Create a New AD RMS Cluster and then click Next.

k. The Add Role Wizard – Select Configuration Database page appears. Select Use a different database server, and click Select.

l. In the Select Computer window, type the name of your database server (xxxxxxx), click Check Names, and then click OK.

m. In the Database Instance dropdown, select Default, then click Validate and click Next.

 

Note: For a production environment, it is highly recommended that the databases be installed on a separate machine or SQL cluster.

n. The Add Role Wizard – Specify Service Account page appears; click the Specify... button and assign the following attributes to the account:

i. Username: ADRMSSvc

ii. Password: ********* (the strong password you set for the account)

o. Click Next.

 

Note: This account does not require any additional privileges (a plain domain user is sufficient).

 

p. The Add Role Wizard – Configure AD RMS Cluster Key Storage page appears; click Use AD RMS centrally managed key storage, and then click Next.

q. The Add Role Wizard – Specify AD RMS Cluster Key Password page appears; specify the following strong password: Sup3r$Str0ngP@$$w0rd& and then click Next.

 

Note: The cluster key password is sensitive because it protects the cluster's private key, on which all AD RMS encryption services depend. The sample password is only an example.

r. The Add Role Wizard – Select AD RMS Cluster Web Site page appears; verify that Default Web Site is selected and then click Next.

s. The Add Role Wizard – Specify Cluster Address page appears; select the option Use an SSL-encrypted connection (https://), and then specify the following FQDN: adrms.xxxxxx.com. Verify that the port specified is 443, click Validate and then click Next.

t. The Add Role Wizard – Name the Server Licensor Certificate page appears; assign a friendly name that represents your AD RMS organization, such as “xxxxx – AD RMS” (where xxxxx is your company name), and then click Next.

u. The Add Role Wizard – Register AD RMS Service Connection Point page appears; select the option Register the AD RMS service connection point now, and then click Next.

v. The Add Role Wizard – Confirm Installation Selections page appears; verify that all the parameters are as you specified them to be configured, and then click Install. The installation process begins.

w. The Add Role Wizard – Installation Results page appears; verify that all components have been installed successfully, and then click Close.

x. Open the IIS Console.

y. Close all the windows and then restart the server.

 

Create AD RMS Console

a. Log on to RMS Server as the Administrator.

b. Click Start, click Run, type mmc, and press Enter.

c. The MMC Console appears.

d. Click the File menu and then select Add or Remove Snap-ins.

e. In the Add or Remove Snap-ins window, select Active Directory Rights Management Services. Click the Add button and then click OK.

f. Select the Active Directory Rights Management Services snap-in and select the option Add Cluster in the right pane.

g. In the Add Cluster window, select the option called Connect To, and then select local machine and then click Finish.

h. In the File menu, select the option called Save. Put the MMC file on the computer desktop and assign the following name to the console: AD RMS.

i. Do not close the AD RMS Console.

 

Configuring Extranet Pipelines

If you want rights-protected documents to be accessible from outside your organization, you must configure the extranet URLs now, before any content is protected, and the URLs must not change afterwards. Each rights-protected document stores this URL in its non-encrypted header, so if you change the URL or configure it at a later time, none of the previously protected documents will be accessible from the extranet; the change does not propagate to previously protected documents.

 

a. In the AD RMS MMC, expand Active Directory Rights Management Services, right-click adrms.xxxxxx.com, and then click Properties. Click the Cluster URLs tab, and then select the Extranet URLs check box.

b. For Licensing, click https://, and then type adrms.xxxxx.com

c. For Certification, click https://, and then type adrms.xxxxx.com

d. Click OK.

e. Close all the windows.

f. On the Microsoft Management Console, click No so that changes to the console will not be saved.

 

On the AD Domain Controller, verify that the AD RMS service connection point (SCP) is registered in Active Directory:

a. Log on to AD Domain Controller as the <Domain_name>\Administrator.

b. Click Start, click Run, and then type dssite.msc in the Open box. Click OK.

c. Expand Services and select RightsManagementServices. In the right panel, select SCP, then right-click and select Properties. In the SCP Properties dialog box, select the Attribute Editor tab, then select Distinguished Name and click View.

In the String Attribute Editor, verify the following value: CN=SCP,CN=RightsManagementServices,CN=Services,CN=Configuration,DC=xxxxx,DC=com

Notice the various attributes registered in the service connection point. The keywords attribute is used by the clients to help query this object.

d. Click OK twice.

e. Close Active Directory Sites and Services. Don’t log off.

 

Note - To enable external users or employees who access rights-protected information from the extranet, the following must be performed:

    • Allow TCP ports 443 and 80 on the firewall for the RMS server, i.e. the firewall must permit inbound and outbound traffic to the RMS server on TCP 443 and TCP 80.
    • Publish the extranet URL of RMS in the external DNS server, i.e. external users must be able to resolve the extranet URL of RMS.
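Both the SCP verification on the domain controller and the extranet reachability note can be checked from PowerShell. The following is an added example, not part of the original guide; it assumes the ActiveDirectory module is available, that the SCP lives under the CN=RightsManagementServices container shown above, and that the cluster FQDN is a placeholder:

```powershell
# Added example: verify the AD RMS service connection point and extranet
# reachability. Assumes the ActiveDirectory module; FQDN is a placeholder.
Import-Module ActiveDirectory

$rmsFqdn = 'adrms.xxxxx.com'   # placeholder: your published cluster FQDN

# 1. Locate the SCP under the Configuration naming context. Its DN should be
#    CN=SCP,CN=RightsManagementServices,CN=Services,CN=Configuration,DC=...
$configNC = (Get-ADRootDSE).configurationNamingContext
$scp = $null
try {
    $scp = Get-ADObject -SearchBase "CN=RightsManagementServices,CN=Services,$configNC" `
                        -Filter 'objectClass -eq "serviceConnectionPoint"' `
                        -Properties keywords, serviceBindingInformation
} catch { Write-Warning "SCP container lookup failed: $($_.Exception.Message)" }

if (-not $scp) {
    Write-Warning 'No AD RMS service connection point found; clients cannot discover the cluster.'
} else {
    Write-Host "SCP: $($scp.DistinguishedName)"
    Write-Host ("keywords: {0}" -f ($scp.keywords -join '; '))
    # serviceBindingInformation holds the cluster URL that clients connect to;
    # it should be the https:// address chosen during provisioning.
    foreach ($binding in $scp.serviceBindingInformation) {
        if ($binding -like 'https://*') { Write-Host "OK: SSL binding: $binding" }
        else { Write-Warning "Binding is not SSL-encrypted: $binding" }
    }
}

# 2. TCP reachability on the ports the extranet note requires. TcpClient is
#    used so this also works on Windows Server 2008 (no Test-NetConnection).
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

foreach ($port in 443, 80) {
    if (Test-TcpPort -HostName $rmsFqdn -Port $port) {
        Write-Host "OK: $rmsFqdn reachable on TCP $port"
    } else {
        Write-Warning "$rmsFqdn not reachable on TCP $port (check firewall rules and DNS publishing)"
    }
}
```

Run the SCP part on a domain-joined machine and the port check from a host outside the firewall to confirm the extranet path end to end.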

Back up the AD RMS Private Key

Back up the AD RMS private key using following steps:

a. On the desktop, double-click the AD RMS console (AD RMS.msc) saved earlier.

b. Expand Active Directory Rights Management Services.

c. Expand adrms.xxxx.com.

d. Expand Trust Policy and then select Trusted Publishing Domains.

e. Select xxxxx AD RMS and click Export Trusted Publishing Domain.

f. Click Save as, navigate to the desktop, and type xxxxx-Private-Key in the file name field.

g. Click Save, type pass@word1 as the password, and confirm the password.

h. Click Finish and do not save the changes.

i. Close the AD RMS Management Console.

 

Note: It is highly recommended that you store this file in a secure location, since it contains the cluster's private key. In case of disaster recovery, this file is used together with a database backup to restore the service.