Category: Active Directory Rights Management Services



After the first ADRMS blog I learned that I cannot use the name PTCL.

Now the domain name is fazal.com.

Machine names are the same, but instead of the PTCL prefix I have named them Khi-ADRMS, Khi-SQL, Khi-CA and so on.

So now we have a good basic understanding of what ADRMS does. Let us start by creating templates for ADRMS.

One thing I forgot to mention:

If you have clients running Windows XP SP3, you need to install the ADRMS client on them.

Click Next twice and the client is installed.

Creating a Folder where the Templates can be saved

Click Finish

Now go to the SQL Server and verify that these XML files have been created.

Now install the ADM template so that we can define the template location for Microsoft Office documents using Group Policy.

Import the ADM File.

Now go to the client and run GPUPDATE /force.

Now let us say that we don't want our clients to use Office 2007 to encrypt messages with ADRMS.

Click on Enable Exclusion.

Now click on Exclude Application.

The above is just an example; I am not even sure the maximum version is correct. [Hopefully the snapshot above gives you the idea.]

It is definitely not a good idea to click Finish here, so click Cancel.

Now, what if there are certain users to whom you do not want RMS-encrypted documents sent?

Let us block adrms1@fazal.com [which means that ADRMS2 would not be able to send an RMS-encrypted message to ADRMS1].

Now click on Exclude User.

Now let us verify by logging on as user 2, creating a rights-protected document, and then logging on as user 1 to open that document.

Now log in as ADRMS1.

Now let us remove ADRMS1 from the exclusion list and then try again.

Now we have deleted the user entry and also disabled the exclusion.

Let us restart IIS on the ADRMS server.

Now back on the client.

And it opens.

We can exclude earlier versions of the RMS client using the Lockbox version exclusion.


Machines used.

1) DC = PTCL-DC [Windows Server 2008 R2]

2) Exchange 2010 SP1 = PTCL-EXCH [Windows Server 2008 R2]

3) MOSS 2007 = Moss [Windows Server 2003 R2]

4) SQL Server 2008 SP1 = PTCL-SQL

Let us start by installing a Certificate Authority on a Windows Server 2008 R2 machine that is joined to the domain.

The goal of this lab is for users to get familiar with installing a Certificate Authority and then enrolling certificates for their ADRMS and Exchange 2010 OWA.

Accept the IIS defaults.

Click Install, wait for the installation to finish, and then restart the machine.

After the machine has rebooted:

If we check under Issued Certificates, none have been issued yet.
Now go to the DC and run GPUPDATE /force.

Now go back to the CA and view the issued certificates.

This means that the CA is working as expected.

Now let us start with doing ADRMS the wrong way.

Don't be surprised by the title. I just wanted to highlight a common mistake made by most of the customers I have visited.

Open the machine named PTCL-ADRMS

Note the name of the machine [a hint to what will go wrong].

Click Next and try entering the user account you are logged on as, with its password. [The error says that the installation account cannot be the same as the service account.]

Let us go into Active Directory Users and Computers and create a user account.

Now let us go back to the ADRMS machine.

Now this is where everything goes wrong.

Make sure that the account you are using for the installation is a member of Enterprise Admins for this step.

Click Next and Next again

Click Install

Now verify that these groups are present.

Log off and log back in.

Have a good look at the licensing path.

Now the question in your mind would be: we have done everything and installed everything, so where is the DOING IT ALL WRONG part?

Trust me, it is just around the corner.

Now let us test it on the client.

Let us go into Exchange 2010 and create a new user.

Please go into Services and check that all the Exchange-related services have started.

You know the password.

Click Next and then New.

Create another user named ADRMS2

Now open the Windows 7 machine and log in.

Go to the C drive and create a Word document with this name.

Notice that the machine is doing the bootstrap process. {If this step hangs, log in to Outlook once.}

Now click on More Options.

You can give finer-grained permissions from here.

Access Content Programmatically can be used if you are using macros.

Now open this Word file with Notepad.

Note that every RMS-encrypted document has this URL stamped in it. Now if you ever decide to load-balance this RMS cluster, you cannot, because the URL is hard-coded with the machine name. Another problem is that all content is hard-coded with http, so if you later set up https, all clients would still use http.

That is why it is recommended to use CNAMEs in DNS.
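As an added example (not from the original post), the following PowerShell script reports the licensing URL stamped in each RMS-protected Office document under a share, so documents bound to a plain-http or machine-name URL can be found before the cluster URL changes. The share path and the expected cluster URL (rms.fazal.com) are hypothetical values, not taken from the post.

```powershell
# Added example, not the post's own script. Scans Office documents for the RMS
# licensing URL stamped in their publishing license and flags documents bound
# to plain http or to a host name other than the expected cluster CNAME.
# $Root and $ExpectedUrl are assumed values, not taken from the original post.
param(
    [string]$Root        = 'C:\Shares\Docs',
    [string]$ExpectedUrl = 'https://rms.fazal.com/_wmcs/licensing'
)

# Licensing URLs in protected documents look like http(s)://<host>/_wmcs/licensing.
$pattern = 'https?://[A-Za-z0-9\.\-]+(:\d+)?/_wmcs/licensing'

function Get-RmsLicensingUrl {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 2) { return $null }
    # The license text may be stored as ASCII or as UTF-16LE; try both, and also
    # the odd byte offset so a misaligned UTF-16 string is still decoded.
    $texts = @(
        [System.Text.Encoding]::ASCII.GetString($Bytes),
        [System.Text.Encoding]::Unicode.GetString($Bytes),
        [System.Text.Encoding]::Unicode.GetString($Bytes, 1, $Bytes.Length - 1)
    )
    foreach ($t in $texts) {
        $m = [regex]::Match($t, $pattern, 'IgnoreCase')
        if ($m.Success) { return $m.Value }
    }
    return $null   # not RMS-protected, or no licensing URL found
}

Get-ChildItem -Path $Root -Recurse -Include *.doc,*.docx,*.xls,*.xlsx,*.ppt,*.pptx |
    ForEach-Object {
        $url = Get-RmsLicensingUrl ([System.IO.File]::ReadAllBytes($_.FullName))
        if (-not $url) { return }
        # Classify: plain http, some other host (typically a machine name hard-coded
        # by an earlier installation), or exactly the expected cluster CNAME URL.
        $status = 'other-server'
        if ($url -like 'http://*')  { $status = 'plain-http' }
        if ($url -ieq $ExpectedUrl) { $status = 'ok' }
        New-Object PSObject -Property @{ File = $_.FullName; LicensingUrl = $url; Status = $status }
    } | Format-Table Status, LicensingUrl, File -AutoSize
```

Every document listed as plain-http or other-server will keep contacting the old URL until its content is re-protected after the client has bootstrapped against the new cluster.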

Now let us verify that RMS really works.

On the Windows 7 VM, switch user.

Let us go to the C drive and try to open the document. (Add the URL in Internet Explorer like you did before.)

Again the bootstrap will occur first; remember to open Outlook if it hangs.

Notice the document is all greyed out.

Now stay logged in as ADRMS2, create a document with the same name as shown below, and give ADRMS1 read-only rights.

Make sure that you don't open this document by logging in as another user. (We will see in the lab why.)

Now go to the ADRMS server and export a few files. (What they do is a secret at the moment.)

Exporting the TUD to the desktop.

Exporting the TPD

Please give the password as Win2003

Now we remove the ADRMS server and do the corrected installation. Let's see the difference.

It is safe to remove ADRMS now.

Uncheck ADRMS

Now click Remove.

Now it is uninstalling ADRMS.

In the meantime, let's go to DNS and create a CNAME record, as this is a proper installation now.

The CNAME record for SQL has already been created.

Now back to the ADRMS machine; let us re-provision the server with SQL Server as its database.

Click on Validate and you will get an error.

This is because the account does not have rights on the SQL Server.

Check that the SQL Server and its services are up.

Go to the SQL machine and open SQL Server Management Studio.

Click OK.

Now back on the ADRMS server, click Validate; it should give no errors now. Click Next.

Next, Install, and done.

Log Off and Log back in.

Try opening the ADRMS console and we are greeted with an error.

Now press OK and open IIS.

Click on Server Certificates

Now click Finish.

Now click on Bindings

Click OK and close.

Now go into the ADRMS console and press Refresh

Why are we presented with this? (Do ask me, and if you know, please tell me.)

Click Yes, and then click on the item shown.

Why wasn't that screen shown this time? [Try giving the answer in the comment section below.]

Now let us set these URLs through Group Policy so that users are not prompted for a password again and again.

Now go to the DC and open GPMC.

Click on Edit.

Do not forget to click Add.

Now add it to the Local Intranet sites.

Click OK and close GPMC

Go to the client machine now and run gpupdate /force.

Verify it, and if it is not populated then you can add it manually for now.

Now log on as ADRMS1 and try opening the file that was encrypted by ADRMS2.

Notice that it is trying to find the server, but the URL has now changed and that TUD is no longer there. (The RAC which the user is presenting is no longer trusted by this ADRMS server.)

The reason is that these clients were bootstrapped by the old RMS server, which no longer exists.

Go to this location and see all the certificates issued by the old RMS server during the bootstrap process.

GIC = RAC

I know you don't trust me and want to read it from ADRMS itself.

Let us go to the ADRMS server and view it.

Click Finish

This is failing because the RAC is not trusted, as it was issued by another ADRMS server.

Now how should we fix this?

There are two answers:

1) Import the TUD which we exported.

2) Delete the DRM folder on the client and let it bootstrap with the new RMS server.

What are the drawbacks?

2) We cannot open the old documents then.

Now that the discussion is done, let us import the TUD.

Let us now go to the client as ADRMS1 and verify where we are now.

Press No and log off here.

Log in as ADRMS2 and verify the same thing with the other document.

This document opened because the client already had the end-user license issued by the old ADRMS server.

Let us go back to the ADRMS server again and verify what went wrong with the ADRMS1 user.

The EUL cannot be issued because the new ADRMS server does not have the private key to decrypt the content.

Let us now import the certificate that we exported.

Let us now open the document as the ADRMS1 user, which didn't open before.

And it opens.

Now we need to make sure that all the documents my users encrypt with ADRMS have the new server name stamped in them. So we would need to develop a script to delete the DRM folder on all the clients.
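As an added example (not the post's own script), the following PowerShell can be deployed as a per-user logon script to clear the RMS client cache so each client bootstraps again against the new cluster. The cache path (%LOCALAPPDATA%\Microsoft\DRM on Windows 7, the Local Settings equivalent on XP) is the client's default location, which the post shows only in a screenshot; the marker file name is hypothetical.

```powershell
# Added example, not the post's own script: clears the RMS client certificate
# cache so the machine re-bootstraps against the new cluster on its next RMS use.
# Run in the user's context (e.g. as a logon script) only after the old cluster's
# TPD and TUD have been imported as the post describes; otherwise documents
# protected by the old server will no longer open. $MigrationTag is a hypothetical
# marker name so each user's cache is cleared only once per migration.
param([string]$MigrationTag = 'adrms-cname-migration')

# Windows Vista/7 keep the cache under %LOCALAPPDATA%\Microsoft\DRM;
# Windows XP keeps it under the profile's Local Settings folder.
if ($env:LOCALAPPDATA) {
    $drmDir = Join-Path $env:LOCALAPPDATA 'Microsoft\DRM'
} else {
    $drmDir = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\DRM'
}
# Marker lives beside the DRM folder, not inside it, so the client never sees it.
$marker = Join-Path (Split-Path -Parent $drmDir) "DRM.migrated-$MigrationTag"

if (-not (Test-Path $drmDir)) { Write-Host "No DRM cache at $drmDir; nothing to do."; exit 0 }
if (Test-Path $marker)        { Write-Host "Cache already cleared for $MigrationTag."; exit 0 }

# Office keeps the cache open while running; try again at the next logon instead.
$office = Get-Process winword,excel,powerpnt,outlook -ErrorAction SilentlyContinue
if ($office) { Write-Warning 'Office is running; skipping until next logon.'; exit 0 }

# Keep a copy of the old RAC, CLC, machine certificate and cached EULs for rollback.
$backup = Join-Path $env:TEMP ('DRM-backup-' + (Get-Date -Format 'yyyyMMddHHmmss'))
Copy-Item -Path $drmDir -Destination $backup -Recurse -Force

Get-ChildItem -Path $drmDir -Force | Remove-Item -Recurse -Force
New-Item -Path $marker -ItemType File -Force | Out-Null
Write-Host "Cleared $drmDir (backup in $backup); the next RMS operation will bootstrap against the new server."
```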

Now let us do this manually from our client.

Now let us encrypt a document and see how the machine bootstraps again.

Just a hint.

This should appear:

And we see the RAC, the CLC and the machine certificate.

I hope this was informative; next we will do the integration with MOSS and Exchange 2010 and learn more about ADRMS.