and a client licensor certificate (CLC). With these certificates, the user can publish AD RMS-protected content, which involves the following steps.
1. Create a document with an AD RMS-enabled application and specify rights for the document. A publishing license with usage policies is created.
2. The document is encrypted by the AD RMS application, and the publishing certificate is
bound to the document. The AD RMS server cluster is the only entity that can issue licenses
to decrypt the file.
3. The document author can now distribute the document for users to access it.
A user accesses an AD RMS-protected document with the following steps:
1. A user attempts to access the document by using an AD RMS-enabled application.
2. The AD RMS client reads the publishing license.
3. The AD RMS server specified in the publishing license is contacted to request a use license.
4. After verifying that the user is authorized to access the document, the AD RMS server issues
a use license to the client.
5. The document is decrypted, and the user can use the document according to the granted rights.
AD RMS Deployment
Before installing the AD RMS role, you must address the following requirements:
• Prepare a domain member server for the AD RMS role; the users of that domain should be the people who will be working with AD RMS-protected content.
• Create a regular domain user account to be used as the AD RMS service account. This
account can't be the same account used to install the AD RMS role.
• Make sure the user account for installing AD RMS has the right to create new databases
on the SQL server, if you use an external database.
• If an external database is used, install the database server before installing AD RMS.
• Create a DNS CNAME record for the AD RMS cluster URL; this record is used to access
the AD RMS service.
When you're ready to install AD RMS, install the role and the required role services in Server
Manager with these steps:
1. The Select Role Services window (see Figure 12-8) has the following choices:
Active Directory Rights Management Server — The main role service, required to protect documents from unauthorized use.
Identity Federation Support — Select this option if you're integrating AD RMS with AD FS to extend document protection outside the corporate network to federated business partners.
Figure 12-8
The Select Role Services window
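The same prerequisite checks and role installation can be scripted instead of clicked through in Server Manager. The script below is an added example, not from the book; the domain, host, SQL instance and account names are hypothetical placeholders, and it assumes the ActiveDirectory, DnsServer and SqlServer PowerShell modules are available on the machine where it runs.

```powershell
#Requires -RunAsAdministrator
# Hypothetical names: replace with your own domain, server and SQL instance.
$Domain      = 'corp.example.com'
$DnsServer   = 'dc01.corp.example.com'    # DNS server hosting the zone
$ClusterName = 'adrms'                    # CNAME clients use for the cluster URL
$RmsServer   = 'rms01.corp.example.com'   # domain member server that gets the role
$SqlInstance = 'sql01.corp.example.com'   # external database server, if used
$SvcAccount  = 'svc-adrms'
$UseAdfs     = $false                     # $true when integrating with AD FS

# 1. Service account: a regular domain user, distinct from the installing account.
if ($env:USERNAME -ieq $SvcAccount) {
    throw 'The AD RMS service account must not be the account performing the install.'
}
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
        -AccountPassword (Read-Host -AsSecureString "Password for $SvcAccount") `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
}

# 2. External database: confirm the installing account can create databases
#    before the role installer tries to. HAS_PERMS_BY_NAME is a SQL Server built-in.
$perm = Invoke-Sqlcmd -ServerInstance $SqlInstance `
    -Query "SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'CREATE ANY DATABASE') AS CanCreate"
if ($perm.CanCreate -ne 1) {
    throw "$env:USERNAME cannot create databases on $SqlInstance; grant that right first."
}

# 3. DNS CNAME for the cluster URL, so the service name stays independent of the host.
$existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain `
    -Name $ClusterName -RRType CName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $Domain `
        -Name $ClusterName -HostNameAlias $RmsServer
}

# 4. Install the role services from the Select Role Services window:
#    ADRMS-Server is the main role service, ADRMS-Identity is Identity Federation Support.
$features = @('ADRMS-Server')
if ($UseAdfs) { $features += 'ADRMS-Identity' }
Install-WindowsFeature -Name $features -IncludeManagementTools
```

Run it on the server that will host the role, logged on as the installing account rather than the service account; the SQL check only applies when an external database is used.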