server 2016 deployment of AD RMS (to protect important documents)

First, what is AD RMS?

1, AD RMS Introduction

RMS (Rights Management Services) has existed since Windows Server 2003 as a technology for protecting enterprise information and data to the greatest possible degree.

In Windows Server 2016 the RMS service has been strengthened: it is built into the operating system as a regular role and is officially named AD RMS (Active Directory Rights Management Services). It works together with AD RMS-enabled applications to prevent unauthorized use of digital information, and is meant for organizations that need to protect sensitive and proprietary information. The protection AD RMS applies is persistent: the usage policy stays with the information wherever it is moved, which is how AD RMS strengthens the organization's security policy.

2, AD RMS cluster overview

An AD RMS cluster is defined as either a single server running AD RMS or a group of AD RMS servers that share the certification and licensing requests coming from AD RMS clients. When the first AD RMS server is provisioned in an Active Directory forest, that server becomes the AD RMS cluster; more servers can be provisioned at any time and added to the AD RMS cluster.

There are two types of AD RMS cluster: root clusters and licensing-only clusters.
The first AD RMS server installed is commonly referred to as the root cluster. The root cluster handles all certification and licensing requests for the Active Directory Domain Services (AD DS) domain in which it is installed. For complex environments, licensing-only clusters can be created in addition to the root cluster. However, it is recommended to use a single root cluster and then join further AD RMS servers to that cluster.

3, AD RMS client introduction

The AD RMS client ships with Windows 10 and Windows Server 2016 as part of the operating system. If you use Windows XP, Windows 2000 or Windows Server 2003 as a client operating system, you can download a compatible version of the AD RMS client from the Microsoft Download Center.

4, Why does the AD RMS environment need IIS?

Because clients communicate with the AD RMS server over HTTP or HTTPS, IIS must be installed on the server where AD RMS is deployed.

5, Why does the AD RMS environment need a database?

The AD RMS database stores configuration information and policies. You can use SQL Server, or you can use the database built into AD RMS.

Second, deploying the AD RMS service

1, the environment is as follows:


2, environment analysis:

For this case the domain environment is prepared ahead of time, and Office 2016 is installed on the client ahead of time; I will not go into those steps here, and anyone who needs them can comment or send me a private message. In addition, to reduce costs, no separate SQL Server is used; instead AD RMS is deployed with its built-in database.

I am using two Windows Server 2016 machines and two Windows 10 machines here:
DC1: the domain environment is installed (I installed it in advance, so it is not shown in the screenshots); then add Certificate Services, and add the domain service account and two ordinary client accounts.
DC3: joined to the domain; install IIS and the RMS service on it.
Windows 10: Office 2016 is pre-installed; used to verify the usage permissions.

3, analysis of the working mechanism:

To deploy and maintain AD RMS successfully, we need to understand how it works. The basic flow, from the file owner creating a protected file to the final user being verified and gaining access to the protected file, is as follows:

1) When user bob protects a file for the first time, he first obtains a CLC (client licensor certificate) from the AD RMS server; with this certificate he can carry out the subsequent file-protection work.

2) User bob must use an AD RMS-enabled client application to create the file, and at the same time as the file is created he defines the protection for it, including which users can use the file and with what permissions. Based on this rights policy a publishing license is generated; the publishing license contains the usage rights and conditions for the file.

3) The AD RMS client encrypts the original file with a symmetric key.

4) The AD RMS client adds the symmetric key to the publishing license, and then encrypts it with the AD RMS server's public key.

5) When the recipient tom opens the file with the AD RMS client, if there is no RAC (rights account certificate) on his computer, a RAC is obtained from the AD RMS server.

6) The AD RMS client sends a request to the AD RMS server to obtain a use license; the request contains the RAC and the publishing license (which holds the symmetric key) encrypted with the AD RMS server's public key.

7) The AD RMS server receives the request, decrypts the publishing license with its own private key, and obtains the rights policy and the symmetric key.

8) The AD RMS server encrypts the rights policy and the symmetric key with tom's public key to generate a use license, then sends it to the recipient user tom.

9) The recipient tom decrypts the use license with his private key to obtain the rights policy and the symmetric key, and so decrypts the original file and opens it in accordance with the defined rights policy.
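The nine steps above can be walked through end to end with a short simulation. The script below is an added example, not code from the original post and not Microsoft's implementation: it models the server's SLC, bob's CLC and tom's RAC as plain RSA key pairs (`RSACng`, so it needs Windows PowerShell 5.1 or PowerShell 7 on Windows), the content key as an AES key, and the publishing and use licenses as small JSON objects. The party names, the license field names and the `New-RmsParty`/`Protect-RmsFile`/`Get-RmsUseLicense`/`Unprotect-RmsFile` function names are assumptions for illustration; real AD RMS exchanges XrML certificates and licenses. The point it shows beyond the prose is where the server's policy decision sits (step 7/8) and why the CLC from step 1 matters: the server only trusts a publishing license it can verify was signed by a known publisher.

```powershell
# Added example, not from the original post: a simulation of the nine-step AD RMS flow.
$oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$sha  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pss  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function New-RmsParty {
    param([string]$Name)
    # Every party holds an RSA key pair. Its public half stands in for the certificate that
    # carries it in real AD RMS: the SLC for the server, the CLC or RAC for a user.
    [pscustomobject]@{ Name = $Name; Key = [System.Security.Cryptography.RSACng]::new(2048) }
}

function Protect-RmsFile {
    param($Owner, $Server, [byte[]]$Plaintext, [hashtable]$Rights)
    # Step 3: encrypt the content with a fresh symmetric (AES-256-CBC) key.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.GenerateKey(); $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # Step 4: seal key and IV under the server's public key, so only the AD RMS server can read them.
    $sealedKey = $Server.Key.Encrypt([byte[]]($aes.Key + $aes.IV), $oaep)
    # Step 2: the publishing license names the users and their rights. Step 1's CLC is what lets
    # the owner sign it, so the server can later check who published the policy.
    $body = [System.Text.Encoding]::UTF8.GetBytes(
        (@{ Rights = $Rights; SealedKey = [Convert]::ToBase64String($sealedKey) } | ConvertTo-Json -Compress))
    $sig = $Owner.Key.SignData($body, $sha, $pss)
    [pscustomobject]@{ Cipher = $cipher; Body = $body; Signature = $sig; Publisher = $Owner.Name }
}

function Get-RmsUseLicense {
    param($Server, $Requester, $PublishingLicense, [hashtable]$KnownPublishers)
    # Steps 6 and 7: the request carries the requester's RAC and the publishing license.
    # (Passing the whole party object is a simulation shortcut; a real request carries only the RAC.)
    $pubKey = $KnownPublishers[$PublishingLicense.Publisher]
    if (-not $pubKey -or -not $pubKey.VerifyData($PublishingLicense.Body, $PublishingLicense.Signature, $sha, $pss)) {
        throw "publishing license was not signed by a CLC this server issued"
    }
    $pl    = [System.Text.Encoding]::UTF8.GetString($PublishingLicense.Body) | ConvertFrom-Json
    $keyIv = $Server.Key.Decrypt([Convert]::FromBase64String($pl.SealedKey), $oaep)
    # Policy decision: a user who is not named in the rights policy gets no use license at all.
    $right = $pl.Rights.($Requester.Name)
    if (-not $right) { throw "$($Requester.Name) is not granted any right to this file" }
    # Step 8: re-seal policy and key under the requester's public key (the RAC).
    $grant = [System.Text.Encoding]::UTF8.GetBytes(
        (@{ Right = $right; KeyIv = [Convert]::ToBase64String($keyIv) } | ConvertTo-Json -Compress))
    [pscustomobject]@{ Sealed = $Requester.Key.Encrypt($grant, $oaep) }
}

function Unprotect-RmsFile {
    param($Recipient, $ProtectedFile, $UseLicense)
    # Step 9: only the holder of the RAC's private key can open the use license.
    $grant = [System.Text.Encoding]::UTF8.GetString($Recipient.Key.Decrypt($UseLicense.Sealed, $oaep)) | ConvertFrom-Json
    $keyIv = [Convert]::FromBase64String($grant.KeyIv)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]]($keyIv[0..31]); $aes.IV = [byte[]]($keyIv[32..47])
    $plain = $aes.CreateDecryptor().TransformFinalBlock($ProtectedFile.Cipher, 0, $ProtectedFile.Cipher.Length)
    [pscustomobject]@{ Right = $grant.Right; Text = [System.Text.Encoding]::UTF8.GetString($plain) }
}

# Walk-through with constructed sample data.
$server = New-RmsParty 'AD RMS server'
$bob = New-RmsParty 'bob'; $tom = New-RmsParty 'tom'; $eve = New-RmsParty 'eve'
$clcs = @{ bob = $bob.Key }   # the server's record of the CLCs it has issued (public halves)

$sample = [System.Text.Encoding]::UTF8.GetBytes('Q3 forecast - constructed sample text')
$file = Protect-RmsFile -Owner $bob -Server $server -Plaintext $sample -Rights @{ tom = 'View' }

$useLicense = Get-RmsUseLicense -Server $server -Requester $tom -PublishingLicense $file -KnownPublishers $clcs
Unprotect-RmsFile -Recipient $tom -ProtectedFile $file -UseLicense $useLicense   # Right=View, Text=the sample

# eve is not in the rights policy, so the server refuses at step 7/8 and she never receives the key.
try { Get-RmsUseLicense -Server $server -Requester $eve -PublishingLicense $file -KnownPublishers $clcs }
catch { Write-Host "refused: $($_.Exception.Message)" }
```

Two design points worth noticing: the content key never leaves the AD RMS server in the clear (it goes in sealed under the server's key and comes out sealed under the recipient's key), and the rights check happens on the server before any key material is released, which is why the AD RMS server, its private key and its database are the assets that deserve the most protection in the deployment that follows.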

4, case implementation:

DC1 (AD server) deployment steps:

Log in to the AD server and configure the IP address, gateway and DNS.

On the domain controller, create an organizational unit named ADRMS, and in it create the AD RMS service management user adrms; set the account password to never expire and add it to the Domain Admins group.

Create two ordinary users, bob and tom, and add an email address to each for the later AD RMS verification.

Open the "Server Manager" window and click "Add Roles and Features".

In the "Add Roles and Features Wizard", on the "Before You Begin" screen, click the "Next" button.

On the "Installation Type" screen, keep the default and click the "Next" button. (From here on I will not include a screenshot for screens where the default is kept.)

On the "Server Selection" screen, keep the default and click the "Next" button.

On the "Select Server Roles" screen, select the "Active Directory Certificate Services" check box; a prompt box pops up, click "Add Features" and then the "Next" button.

On the "Role Services" screen, select the "Certification Authority Web Enrollment" check box; a prompt box pops up, click "Add Features" and then the "Next" button.

Begin installing AD Certificate Services.

After the installation completes, start configuring Certificate Services: on the "Credentials" screen, keep the default and click the "Next" button.

On the "Role Services" screen, select the "Certification Authority" and "Certification Authority Web Enrollment" check boxes, then click the "Next" button.

On the "Setup Type" screen, select "Enterprise CA" and click the "Next" button.
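The DC1 steps above (network settings, the ADRMS OU, the adrms service account, the bob and tom test users with email addresses, and the AD CS role with web enrollment as an enterprise CA) can also be done from PowerShell. The script below is an added example, not part of the original post: the IP addresses, interface alias and domain values are placeholders to adjust to your own environment, and the `ActiveDirectory` and `ADCSDeployment` cmdlets it uses are Microsoft's. One deliberate difference from the guide: the guide puts adrms in Domain Admins, while Microsoft's AD RMS deployment guidance calls for a standard domain user account as the service account, so Domain Admins membership is kept opt-in here.

```powershell
# Added example, not from the original post: DC1 preparation steps done from PowerShell.
# Placeholders: interface alias, addresses (documentation range 192.0.2.0/24) and passwords.
Import-Module ActiveDirectory

# 1. Static IP, gateway and DNS (DC1 is also the DNS server in this lab).
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '192.0.2.10' -PrefixLength 24 -DefaultGateway '192.0.2.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.0.2.10'

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName      # e.g. DC=example,DC=local
$upnSuffix = $domain.DNSRoot                # e.g. example.local
$ouName    = 'ADRMS'
$ouDn      = "OU=$ouName,$domainDn"
$password  = Read-Host -AsSecureString 'Initial password for the new accounts'

# 2. Organizational unit that holds the AD RMS service account and the test users.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 3. AD RMS service account: password never expires, as in the guide.
New-ADUser -Name 'adrms' -SamAccountName 'adrms' -UserPrincipalName "adrms@$upnSuffix" -Path $ouDn `
    -AccountPassword $password -PasswordNeverExpires $true -Enabled $true -Description 'AD RMS service account'

# The guide adds adrms to Domain Admins. A standard domain user is what AD RMS needs for its
# service account, so leave this off unless you have a separate reason for it.
$grantDomainAdmins = $false
if ($grantDomainAdmins) { Add-ADGroupMember -Identity 'Domain Admins' -Members 'adrms' }

# 4. Two ordinary users with email addresses; AD RMS identifies users by the mail attribute.
foreach ($u in 'bob', 'tom') {
    New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@$upnSuffix" -EmailAddress "$u@$upnSuffix" `
        -Path $ouDn -AccountPassword $password -Enabled $true
}

# 5. AD CS role with the Certification Authority and Web Enrollment role services,
#    configured as an enterprise root CA (the first CA in this forest).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 2048 -HashAlgorithmName SHA256 -Force
Install-AdcsWebEnrollment -Force

# 6. Checks a practitioner would run before moving on to DC3.
Get-ADUser -SearchBase $ouDn -Filter * -Properties EmailAddress, PasswordNeverExpires |
    Select-Object Name, EmailAddress, PasswordNeverExpires
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName   # confirm adrms is only there if intended
Get-Service CertSvc
certutil -ping
```

The final `Get-ADUser` and `Get-ADGroupMember` queries are the ones worth keeping: the mail attribute is what AD RMS uses to match a user against the rights in a publishing license, so a test user without one will fail verification later, and a service account that has quietly ended up in Domain Admins is worth noticing before the AD RMS role is installed with it.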


Source: blog.51cto.com/14156658/2438803