even printing documents can be restricted. For example, suppose you send an “eyes only” e-mail
to another employee. With AD RMS, you can restrict the recipient from printing the message or
forwarding it to someone else.
To be effective, AD RMS requires AD RMS-enabled client or server applications, such as
MS Office 2007, Microsoft Exchange 2007, and Microsoft Office SharePoint Server 2007.
Developers can also create AD RMS-enabled applications by using the AD RMS Software
Development Kit (SDK), available on the Microsoft Web site.
AD RMS Key Features
AD RMS is a new server role in Windows Server 2008, but it requires a client access license for
each AD RMS client. A similar product, Rights Management Server (RMS), is available for earlier
Windows Server versions, although it must be purchased separately. Some key features of the
new AD RMS server role include the following:
AD FS integration — AD RMS can be integrated with AD FS to set up a federated trust
between organizations. With AD FS, the benefits of AD RMS can be extended outside the
corporate network to ensure document security in business-to-business relationships.
AD RMS Server self-enrollment — An RMS server must connect to the Microsoft
Enrollment Service over the Internet to acquire a certificate, which allows the RMS server
to issue client licenses and certificates to access protected content. With AD RMS in
Windows Server 2008, the server can self-enroll in this certificate, so there's no need to
contact Microsoft servers.
Administrator role delegation — AD RMS enables network administrators to delegate AD
RMS responsibilities to different users. There are three AD RMS administrator roles:
• AD RMS Enterprise Administrator: This role has full administrative authority over an
AD RMS installation.
• AD RMS Auditor: This role can view RMS-related logs and reports.
• AD RMS Template Administrator: This role can create and manage AD RMS templates.
AD RMS Components
An AD RMS environment, like an AD FS environment, consists of several components, usually
implemented as separate servers:
An AD RMS server — The AD RMS server role can be installed on one or more servers.
Whether it's installed on one server or multiple servers, the installation is referred to as an
AD RMS root cluster. Multiple servers can be used for redundancy and load balancing.
Only one AD RMS root cluster can be installed in an Active Directory forest. The AD
RMS server self-signs a server licensor certificate (SLC), allowing the server to issue AD
RMS client licenses and certificates. When the AD RMS role is installed, a number of Web
server roles are also installed.
An AD RMS database server — AD RMS uses a database to store AD RMS configuration
data and Active Directory group membership information. A SQL database installed
on a separate server is recommended for production environments, but you can use the
Microsoft internal database for test environments.
An Active Directory domain controller — Servers running the AD RMS server role must be
domain members, and users who use or publish AD RMS-enabled content must be in
Active Directory with a valid e-mail address.
An AD RMS-enabled client computer — AD RMS client software must be installed on
computers using AD RMS content. Windows Vista and Server 2008 computers include the
necessary software, and older clients can download it from the Microsoft Web site.
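The following PowerShell script is an added example, not part of the textbook, that turns the component prerequisites above (role installed, domain membership, a valid e-mail address for every AD RMS user) and the three delegated administrator roles from the Key Features section into a read-only check run on the AD RMS server itself. It assumes Windows Server 2008 R2 or later (for the ServerManager module), the ActiveDirectory RSAT module, constructed sample user names, and that the three roles are exposed as local groups with the names used below.

```powershell
# Added example: read-only prerequisite and least-privilege check for an
# AD RMS root cluster server. Assumes Windows Server 2008 R2 or later,
# the ActiveDirectory RSAT module, and the local role group names below.
param(
    [string[]]$Users = @('alice', 'bob')   # constructed sample user names
)

Import-Module ServerManager
Import-Module ActiveDirectory

# 1. Is the AD RMS server role installed on this machine?
$feature = Get-WindowsFeature -Name ADRMS
"AD RMS role installed: $($feature.Installed)"

# 2. The server must be a domain member (see the domain controller component).
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Domain member: $($cs.PartOfDomain) ($($cs.Domain))"

# 3. Users who publish or consume protected content need a valid e-mail
#    address in Active Directory; flag any account whose mail attribute is empty.
foreach ($u in $Users) {
    $acct = Get-ADUser -Identity $u -Properties mail -ErrorAction SilentlyContinue
    if (-not $acct)      { "MISSING : $u is not in Active Directory"; continue }
    if (-not $acct.mail) { "NO MAIL : $u has no e-mail address"; continue }
    "OK      : $u <$($acct.mail)>"
}

# 4. Role delegation review: list who holds each AD RMS administrator role.
#    The group names are an assumption about how the roles appear locally.
$roleGroups = 'AD RMS Enterprise Administrators',
              'AD RMS Template Administrators',
              'AD RMS Auditors'
foreach ($g in $roleGroups) {
    try {
        $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
        $members = @($grp.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
        "$g : $($members -join ', ')"
        # Enterprise Administrator has full authority; keep that membership small.
        if ($g -like '*Enterprise*' -and $members.Count -gt 2) {
            "  WARNING: $($members.Count) accounts hold full AD RMS authority"
        }
    } catch {
        "$g : local group not found on this server"
    }
}
```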
The AD RMS process consists of two distinct actions: publication of AD RMS-protected documents
and access of these documents by an AD RMS client. Publication of an AD RMS-protected
document requires the user authoring the document to acquire a rights account certificate (RAC)