Active Directory Rights Management Services (AD RMS) is essentially a DRM system. DRM is often used by streaming services to ensure that a piece of music can only be played if there is a corresponding subscription. AD RMS uses a very similar concept: files are encrypted and provided with a license. The license controls what a user is allowed to do with a file (Word, Excel) or an e-mail (read, print, forward). The author of an e-mail or document decides which license is applied, and the license can also be revoked at a later date.
AD RMS can also be integrated into Exchange. The next articles will cover installation, configuration and integration with Exchange Server 2016.
Environment
The environment in which the Active Directory Rights Management Services are installed is as follows:
There are a few users with Outlook 2016, a domain controller, 3 Exchange servers (one DAG), a file server for the quorum and a Windows Server 2012 R2 which is currently only configured as a member server and is to be given the RMS role.
The Active Directory is called frankysweb.de, the users use Windows 10 with Outlook 2016.
Preparation
Only a few preparations are required to install the rights management services. A service account can be created in advance, which is used for RMS. The service account is a normal Active Directory user account:
The only important thing is that the password must not expire:
A DNS entry is also required if the RMS address differs from the server name. In my case the RMS server is simply called "RMS" and my Active Directory is named "frankysweb.de". So I do not need to create a DNS entry, because it is created automatically when the server is joined to the AD:
If the AD is named "frankysweb.local", for example, split-DNS can be used. Concretely: if the server name is rms.frankysweb.local, a DNS entry for rms.frankysweb.de pointing to the IP of the RMS server must be created. The DNS name used here should be one that can later also be made reachable from the Internet.
A certificate for the Rights Management Services is also required. During the installation a self-signed certificate can be installed for test environments. For production environments a valid certificate should be used. In the section "Intermediate step: certificate for RMS" a valid certificate is configured. If you are only setting up a test environment, you can use a self-signed certificate at this point and skip that step.
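The preparation steps above (service account with a non-expiring password, DNS entry only when the RMS address differs from the server's own name) can be scripted. This is an added example, not code from the original article; it assumes the ActiveDirectory and DnsServer RSAT modules, and the DNS server name "DC1" and the IP address are placeholders.

```powershell
# Added example, not part of the original article: automates the preparation steps
# (service account with non-expiring password, split-DNS record). Assumes the
# ActiveDirectory and DnsServer RSAT modules; DNS server name and IP are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$svcName   = 'ADRMSServiceAccount'   # service account name used in the article
$adDomain  = 'frankysweb.de'         # DNS name of the Active Directory
$rmsFqdn   = 'rms.frankysweb.de'     # cluster address that will be used for RMS
$rmsIp     = '192.0.2.10'            # placeholder: IP address of the RMS server
$dnsServer = 'DC1'                   # placeholder: a DNS server of the domain

# 1. Service account: a normal user account whose password must not expire.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    $pw = Read-Host -AsSecureString "Password for $svcName"
    New-ADUser -Name $svcName -SamAccountName $svcName `
        -UserPrincipalName "$svcName@$adDomain" -AccountPassword $pw `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'AD RMS service account'
}
# Verify the one setting that matters: an expiring password would stop RMS later.
$acct = Get-ADUser -Identity $svcName -Properties PasswordNeverExpires
if (-not $acct.PasswordNeverExpires) {
    throw "$svcName is configured with an expiring password"
}

# 2. DNS: if the RMS address is the server's own name inside the AD zone, the record
#    already exists from the domain join. Otherwise (split-DNS) it has to be created
#    in the internal copy of the public zone.
$zoneName  = $rmsFqdn.Substring($rmsFqdn.IndexOf('.') + 1)
$hostLabel = $rmsFqdn.Substring(0, $rmsFqdn.IndexOf('.'))
# Uses this machine's resolver, which should point at the internal DNS servers.
if (Resolve-DnsName -Name $rmsFqdn -Type A -ErrorAction SilentlyContinue) {
    Write-Host "$rmsFqdn already resolves, no DNS entry needed"
} else {
    $zone = Get-DnsServerZone -Name $zoneName -ComputerName $dnsServer -ErrorAction SilentlyContinue
    if (-not $zone) {
        throw "Zone $zoneName does not exist on $dnsServer; create the split-DNS zone first"
    }
    Add-DnsServerResourceRecordA -ZoneName $zoneName -Name $hostLabel `
        -IPv4Address $rmsIp -ComputerName $dnsServer
    Write-Host "Created A record $rmsFqdn -> $rmsIp"
}
```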
Now the installation can begin.
Installation of Active Directory rights management services
The installation of the rights management services can now be started via the Server Manager. The necessary additional features can also be installed directly:
The Server Manager then automatically selects the required IIS services:
In the next dialog, only "Active Directory Rights Management Server" is selected.
The final step is to install the role:
Similar to a domain controller, the basic configuration must first be carried out after installing the role:
After clicking "Configure additional settings", the AD RMS wizard opens:
As the first AD RMS server is installed in this case, an AD RMS root cluster must be created:
You can now select whether an SQL server or the Windows Internal Database should be used for the database. In production environments, an SQL database with the highest possible availability would be used at this point instead of the Windows Internal Database:
For the service account, the user created earlier during the preparations is specified, in this case "ADRMSServiceAccount":
Once the user has been specified, you can continue:
Cryptographic mode 2 (SHA256) is now selected. SHA1 should no longer be used:
Under "Cluster key storage", the option "Use AD RMS centrally managed key storage" is selected:
A password must be assigned for the cluster key:
Since IIS was already installed by the Server Manager, the "Default Web Site" can now be selected:
The address for RMS can now be defined. This should not be an internal server name, but an FQDN that can also be reached from the Internet. In my case, it is rms.frankysweb.de on port 443 (HTTPS). The DNS entry has already been created internally under the preparations:
As a certificate is required for HTTPS, either a self-signed certificate can be created in the next dialog or an intermediate step can be taken to configure a valid certificate. The next section can be skipped for test environments.
Intermediate step Certificate for RMS
As the IIS has already been installed by the Server Manager, a certificate request can be generated using the IIS Manager:
Important: all public CAs now require 2048-bit keys; 1024-bit keys are considered insecure:
The CSR can now be saved and submitted to a CA of your choice. In my case, I used StartSSL. StartSSL issues a corresponding certificate with a validity period of 1 year free of charge:
Once the certificate has been issued by the CA, the certificate request can be completed:
The certificate only needs to contain the name of the cluster address. The installation can now be continued.
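Before continuing, the installed certificate can be checked against the points made in this article (2048-bit key, no SHA-1, trusted chain, covers the cluster address, bound to port 443). This check is an added example and not part of the original article; it assumes it runs on the RMS server with the IIS WebAdministration module available and the cluster address rms.frankysweb.de.

```powershell
# Added example, not part of the original article: checks the certificate installed
# for the RMS cluster address against the requirements stated in the article.
# Assumes it runs on the RMS server with the WebAdministration module (IIS) available.
Import-Module WebAdministration
$clusterFqdn = 'rms.frankysweb.de'   # cluster address chosen during the installation

# Newest certificate with a private key whose subject/SAN covers the cluster address.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $clusterFqdn } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for $clusterFqdn in LocalMachine\My" }

$problems = @()
# 2048-bit keys: public CAs only issue those, 1024-bit keys are considered insecure.
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -lt 2048) { $problems += "key size $keySize is below 2048 bits" }
# SHA-1 should no longer be used (the cluster itself runs in cryptographic mode 2, SHA-256).
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -match 'sha1') { $problems += "certificate is signed with $sigAlg" }
# A StartSSL certificate is only valid for one year; warn well before it runs out.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "certificate expires on $($cert.NotAfter)" }
# Self-signed test certificates do not chain to a trusted CA; clients will warn.
if (-not $cert.Verify()) { $problems += 'certificate chain does not validate (self-signed or untrusted CA)' }
# The certificate must actually be bound to port 443 in IIS for the RMS web services.
$bound = Get-ChildItem IIS:\SslBindings |
    Where-Object { $_.Port -eq 443 -and $_.Thumbprint -eq $cert.Thumbprint }
if (-not $bound) { $problems += 'certificate is not bound to port 443 in IIS' }

if ($problems) {
    Write-Warning ("RMS certificate {0} has problems:`n - {1}" -f $cert.Thumbprint, ($problems -join "`n - "))
} else {
    Write-Host "RMS certificate $($cert.Thumbprint) for $clusterFqdn passes all checks"
}
```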
Complete RMS installation
A certificate is required for client communication with the RMS server. I use a free certificate from StartSSL at this point. A self-signed certificate can also be used for test environments:
In addition, a licensing certificate is created, here only the name must be specified:
The SCP can be created automatically:
A summary is displayed in the last step. The installation can begin:
It takes a little while until RMS is installed:
Finally, the installation result is displayed:
The installation is now complete. The next article is about the configuration.