Leverage the Mobile Device Extension for AD RMS


Deploying the rights management server




To deploy the AD RMS server, proceed with the following steps in order:

  1. Opening a remote desktop connection on the target computer.

  2. Issuing an SSL/TLS certificate.

  3. Configuring HTTPS on the default web site.

  4. Configuring a new AD RMS root cluster.

  5. Testing the rights management server.

Important note You must have domain administrator permissions to deploy the AD RMS role.

The following subsections describe each of these steps in the context of our test lab environment. Unless noted otherwise, all these steps are executed on the ADRMS1 computer.

Opening a remote desktop connection on the target computer


To open a remote desktop connection on the ADRMS1 computer, proceed as illustrated before for the DC1 computer, substituting ADRMS1 for DC1. As previously illustrated, log on as LITWARE369\AzureAdmin with “pass@word1” as the password, since ADRMS1 is a domain-joined computer.


Issuing an SSL/TLS certificate


The AD RMS role service requires a Secure Sockets Layer (SSL) server certificate. The certificate MUST have the following attributes:

  • Subject Name (CN): adrms.litware369.com

  • Subject Alternative Name (DNS): adrms.litware369.com

To issue the SSL certificate, proceed with the following steps:

  1. Open a remote desktop session if needed as LITWARE369\AzureAdmin.

  2. Open an elevated Windows PowerShell command prompt, and run the following command:

PS C:\users\AzureAdmin.LITWARE369> Get-Certificate -Template SSLCertificates -SubjectName CN=adrms.litware369.com -DnsName adrms.litware369.com -CertStoreLocation cert:\LocalMachine\My


Status                    Certificate                   Request
------                    -----------                   -------
Issued                    [Subject]…
PS C:\users\AzureAdmin.LITWARE369>

Note If you have not configured a new certificate template (e.g. SSLCertificates in our configuration), you can use the built-in WebServer certificate template in lieu of SSLCertificates in the above command.


Configuring HTTPS on the default web site


To configure HTTPS on the default web site, proceed with the following steps:

  1. Open an elevated Windows PowerShell command prompt if one is not already open, and run the following command to add an SSL binding to the Default Web Site:

PS C:\users\AzureAdmin.LITWARE369> New-WebBinding -Name "Default Web Site" -IP "*" -Port 443 -Protocol https

PS C:\users\AzureAdmin.LITWARE369>


  2. Run the following command to associate the issued SSL certificate with the newly created SSL binding:

PS C:\users\AzureAdmin.LITWARE369> Get-ChildItem cert:\LocalMachine\MY | where { $_.Subject -match "CN\=adrms.litware369.com" } | select -First 1 | New-Item IIS:\SslBindings\0.0.0.0!443


IP Address       Port Host Name        Store  Sites
----------       ---- ---------        -----  -----
0.0.0.0          443                   MY     Default Web Site

PS C:\Users\AzureAdmin.LITWARE369>




  3. Open a browsing session and navigate to the default web site at https://adrms.litware369.com.
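Browsing to the site only tells you that something answers on port 443. The following script, added here as a verification step and not part of the original guide, checks the properties the guide requires (CN and SAN of adrms.litware369.com, a private key in LocalMachine\My), confirms that the 0.0.0.0!443 binding points at that exact certificate, and performs a real TLS handshake against the published name so that a name mismatch or an untrusted chain is caught before AD RMS is provisioned. It assumes the WebAdministration module is available on ADRMS1.

```powershell
# Added verification script (not part of the original guide). Assumes the
# certificate was requested with the CN/DNS name used in the lab and that the
# WebAdministration module (IIS:\ drive) is available on this IIS host.
Import-Module WebAdministration

$expectedName = 'adrms.litware369.com'   # value from the guide

# 1. Locate the server certificate in the machine store and confirm the SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($expectedName))" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$expectedName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanText = if ($san) { $san.Format($false) } else { '' }
if ($sanText -notmatch [regex]::Escape($expectedName)) {
    throw "SAN does not list $expectedName (found: '$sanText')"
}

# 2. Confirm the IIS SSL binding on port 443 uses this exact certificate.
$binding = Get-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction Stop
if ($binding.Thumbprint -ne $cert.Thumbprint) {
    throw "Port 443 binding uses $($binding.Thumbprint), expected $($cert.Thumbprint)"
}

# 3. Check that the chain builds; an untrusted chain produces browser warnings
#    and the 'Security Alert' prompt seen later in this guide.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}

# 4. Perform a real TLS handshake against the published name (name + chain are
#    validated by the default SslStream policy; any failure throws).
$client = New-Object System.Net.Sockets.TcpClient($expectedName, 443)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($expectedName)
    "TLS OK: {0} {1} server cert={2}" -f $ssl.SslProtocol, $ssl.CipherAlgorithm,
        $ssl.RemoteCertificate.GetCertHashString()
} finally {
    $ssl.Dispose(); $client.Dispose()
}
```

Run it from the same elevated prompt as the previous steps. The handshake in step 4 is the check that matters for the Mobile Device Extension clients: they will connect by the DNS name, so the certificate name and the binding must agree exactly.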


Configuring a new AD RMS root cluster


In Windows Server 2012 R2, adding the AD RMS role and deploying a new AD RMS cluster are two separate processes. The role was added as part of the base configuration:
Install-WindowsFeature ADRMS -IncludeManagementTools

Install-WindowsFeature NET-Framework-Core


Additional configuration is now required to deploy the AD RMS server role. The AD RMS server role in Windows Server 2012 R2 is manageable through two sets of Windows PowerShell cmdlets. One set (AdRmsInstall) assists in deploying and configuring AD RMS; the second set (AdRmsAdmin) can later be used to administer an AD RMS cluster.

To run these two sets of cmdlets, you need to import their modules:


PS C:\Windows\system32> Import-Module AdRms

PS C:\Windows\system32> Import-Module AdRmsAdmin


After the modules are imported, you can manage and administer AD RMS installations and components through Windows PowerShell.

Note For additional information, you can refer to the Microsoft TechNet articles AD RMS Cmdlets in Windows PowerShell and Using Windows PowerShell to Deploy AD RMS.

Deploying a new AD RMS root cluster


To deploy a new AD RMS root cluster, proceed with the following steps:

Note Additional details can be found in the Microsoft TechNet article Installing an AD RMS Cluster. To provide high availability for the cluster, you must install additional cluster members. For information on this installation, see the Microsoft TechNet article Joining an Existing Cluster.

  1. Open an elevated Windows PowerShell command prompt if one is not already open, and run the following command to import the AdRmsInstall set of Windows PowerShell cmdlets:

PS C:\Users\AzureAdmin.LITWARE369> Import-Module AdRms

PS C:\Users\AzureAdmin.LITWARE369>


  2. Run the following command to create a Windows PowerShell drive that represents the server we are provisioning:

PS C:\Users\AzureAdmin.LITWARE369> New-PSDrive -Name RC -PSProvider ADRMSInstall -Root RootCluster


Name           Used (GB)     Free (GB) Provider      Root                 CurrentLocation
----           ---------     --------- --------      ----                 ---------------
RC                                     ADRmsInstall  RootCluster
PS C:\Users\AzureAdmin.LITWARE369>
At this stage, we can now set properties on objects in the drive namespace RC:\ that represent required configuration settings. Setting properties on objects in the drive namespace is similar to using a wizard to specify configuration settings when installing a server role.


  3. Run the following commands to configure the AD RMS server to use the SQL1 server and its default instance:

PS C:\Users\AzureAdmin.LITWARE369> Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $false

PS C:\Users\AzureAdmin.LITWARE369> Set-ItemProperty -Path RC:\ClusterDatabase -Name ServerName -Value "SQL1"

WARNING: Verifying the specified database information. This may take a few minutes.

PS C:\Users\AzureAdmin.LITWARE369>



  4. Run the following commands to set the AD RMS service account:

PS C:\Users\AzureAdmin.LITWARE369> $svcacct = Get-Credential


cmdlet Get-Credential at command pipeline position 1

Supply values for the following parameters:

Credential

PS C:\Users\AzureAdmin.LITWARE369> Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svcacct

PS C:\Users\AzureAdmin.LITWARE369>
When prompted, enter the following credential in the dialog below and click OK:

Username: LITWARE369\ADRMSSVC

Password: pass@word1



  5. Run the following commands to securely store the cluster key password in a variable and assign it to the AD RMS installation:

PS C:\Users\AzureAdmin.LITWARE369> $password = Read-Host -AsSecureString -Prompt "ClusterPassword:"

ClusterPassword:: **********

PS C:\Users\AzureAdmin.LITWARE369> Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true

PS C:\Users\AzureAdmin.LITWARE369> Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $password

PS C:\Users\AzureAdmin.LITWARE369>


When prompted, enter the following password: pass@word1

Note We choose to protect the AD RMS cluster key by using this option because it simplifies the configuration and does not require additional components. However, you should normally provide the best protection for this key through a hardware Cryptographic Service Provider (CSP) backed by a hardware security module (HSM).

  6. Run the following command to set the AD RMS cluster address:

PS C:\Users\AzureAdmin.LITWARE369> Set-ItemProperty -Path RC:\ -Name ClusterURL -Value "https://adrms.litware369.com:443"

PS C:\Users\AzureAdmin.LITWARE369>
Note As a security best practice, the AD RMS cluster should be provisioned by using an SSL/TLS-encrypted connection. You should be using a certificate provided by a third-party public certification authority (CA) so that it can be automatically trusted by all parties. This certificate should already be installed on the server so that you can select it as you proceed through the installation.


  7. Run the following command to set the server licensor certificate (SLC) name for the AD RMS installation:

PS C:\Users\AzureAdmin.LITWARE369> Set-ItemProperty -Path RC:\ -Name SLCName -Value "ADRMS"

PS C:\Users\AzureAdmin.LITWARE369>


  8. Run the following command to register the service connection point (SCP):

PS C:\Users\AzureAdmin.LITWARE369> Set-ItemProperty -Path RC:\ -Name RegisterSCP -Value $true

PS C:\Users\AzureAdmin.LITWARE369>
Note As noted before, the service connection point (SCP) is an object in the Active Directory configuration partition that holds the Web address of the AD RMS cluster. As depicted at the beginning of this document, this object is not used by the Mobile Device Extension, which instead relies on a DNS-based service discovery mechanism. However, since such an object is typically registered in an AD RMS deployment, we do the same here.

Only one SCP can exist in your Active Directory forest. If you try to install an AD RMS cluster and an SCP already exists in your forest from a previous AD RMS installation (attempt) that was not properly de-provisioned, the new SCP will not be registered properly. It must be removed before you can establish the new SCP. You can remove an SCP by using the ADScpRegister.exe tool included in the Rights Management Services Administration Toolkit with SP2, available for download on the Microsoft Download Center.


  9. Run the following command to install the AD RMS root cluster using the settings provided in the Windows PowerShell drive:

PS C:\Users\AzureAdmin.LITWARE369> Install-ADRMS -Path RC:\

This will install and configure AD RMS on this computer. Do you want to continue?

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

WARNING: Before you can administer AD RMS on this server, you must log off and log on again.

WARNING: Please configure SSL certificates on IIS before using AD RMS Server.

PS C:\Users\AzureAdmin.LITWARE369>
When prompted to confirm the installation and the configuration of AD RMS on the computer, type “Y” and press ENTER.

In addition to installing the AD RMS server role and provisioning the server, this cmdlet also installs, if necessary, any other features required by AD RMS, such as Message Queuing, which is used to send the logs to the database server.





  10. Restart the ADRMS1 computer.
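Install-ADRMS in step 9 acts on whatever was written to the RC:\ drive, and the two warnings it prints show that it does not validate much up front. The script below is an added pre-flight check, not part of the original guide, meant to run between step 8 and step 9. It reads the settings back from the drive and verifies the points that usually cause a failed or insecure provisioning: the cluster URL is HTTPS and matches the installed certificate, the service account is a dedicated domain account rather than the installing administrator or a Domain Admins member, the SQL server answers on the default instance port, and no stale SCP is left in the configuration partition (the situation described in the note above). It assumes that the RSAT Active Directory module is installed on ADRMS1, that the AdRmsInstall provider returns the values you set when queried with Get-ItemProperty, and that the SCP lives under CN=RightsManagementServices,CN=Services in the configuration naming context, which is where AD RMS registers it.

```powershell
# Added pre-flight check (not part of the original guide). Run after the RC:\
# drive has been populated and before Install-ADRMS. Assumptions: RSAT AD module
# present; Get-ItemProperty on the AdRmsInstall provider returns the values set
# earlier; the SCP container is CN=RightsManagementServices,CN=Services,<config NC>.
Import-Module ActiveDirectory

$problems = New-Object System.Collections.Generic.List[string]
$root = Get-ItemProperty -Path RC:\
$db   = Get-ItemProperty -Path RC:\ClusterDatabase
$key  = Get-ItemProperty -Path RC:\ClusterKey

# 1. Cluster URL must be HTTPS and must match a server certificate in LocalMachine\My.
$clusterUri = [uri]$root.ClusterURL
if ($clusterUri.Scheme -ne 'https') { $problems.Add("ClusterURL is not https: $($root.ClusterURL)") }
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($clusterUri.Host))" -and $_.HasPrivateKey }
if (-not $cert) { $problems.Add("No usable certificate for $($clusterUri.Host) in LocalMachine\My") }

# 2. Service account: a dedicated domain account, not the installing user and not a Domain Admin.
$svcUser = if ($root.ServiceAccount -is [pscredential]) { $root.ServiceAccount.UserName }
           else { [string]$root.ServiceAccount }          # e.g. LITWARE369\ADRMSSVC
$svcSam = $svcUser.Split('\')[-1]
if ($svcUser -eq "$env:USERDOMAIN\$env:USERNAME") { $problems.Add("Service account equals the installing account ($svcUser)") }
try {
    $adUser = Get-ADUser -Identity $svcSam -Properties MemberOf
    $adminsDn = (Get-ADGroup 'Domain Admins').DistinguishedName
    if ($adUser.MemberOf -contains $adminsDn) { $problems.Add("$svcUser is a member of Domain Admins") }
} catch { $problems.Add("Service account $svcSam not found in AD: $($_.Exception.Message)") }

# 3. External database: the default instance must answer on TCP 1433 (the guide uses SQL1's default instance).
if (-not $db.UseWindowsInternalDatabase) {
    $tnc = Test-NetConnection -ComputerName $db.ServerName -Port 1433 -WarningAction SilentlyContinue
    if (-not $tnc.TcpTestSucceeded) { $problems.Add("Cannot reach $($db.ServerName) on TCP 1433") }
}

# 4. A leftover SCP from an earlier install prevents RegisterSCP from succeeding.
if ($root.RegisterSCP) {
    $scpBase = "CN=RightsManagementServices,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    try {
        $scp = Get-ADObject -SearchBase $scpBase -Filter { objectClass -eq 'serviceConnectionPoint' } `
                            -Properties serviceBindingInformation
        if ($scp) { $problems.Add("An SCP already exists ($($scp.serviceBindingInformation)); remove it with ADScpRegister.exe first") }
    } catch { }   # container absent: no SCP has ever been registered, nothing to do
}

# 5. Informational only: the lab stores the cluster key in software (see the note on HSM protection).
if ($key.UseCentrallyManaged) { Write-Warning 'Cluster key is centrally managed in software; use an HSM-backed CSP in production.' }

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    throw "$($problems.Count) pre-flight problem(s); do not run Install-ADRMS yet"
}
'Pre-flight checks passed; Install-ADRMS -Path RC:\ can proceed.'
```

The Domain Admins membership check only looks at direct membership, which is enough for a dedicated service account created for this purpose; in a production forest, resolve nested groups (for example with Get-ADPrincipalGroupMembership) before trusting the result.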

Finalizing the configuration of the new AD RMS root cluster


To finalize the configuration of the newly installed AD RMS root cluster and fulfill the prerequisites of the Mobile Device Extension, proceed with the following steps:

Note Additional details can be found in the Microsoft TechNet articles Using Windows PowerShell to Administer AD RMS and Configuring AD RMS Cluster Properties.

  1. Open a remote desktop session if needed as LITWARE369\AzureAdmin.

  2. Open an elevated Windows PowerShell command prompt, and run the following command to import the AdRmsAdmin set of Windows PowerShell cmdlets this time:

PS C:\Users\AzureAdmin.LITWARE369> Import-Module AdRmsAdmin

PS C:\Users\AzureAdmin.LITWARE369>


  3. Run the following command to create a Windows PowerShell drive that represents the newly installed cluster hosted by the local computer ADRMS1:

PS C:\Users\AzureAdmin.LITWARE369> New-PSDrive -Name AdrmsCluster -PsProvider AdRmsAdmin -Root https://localhost


Security Alert

Information you exchange with this site cannot be viewed or changed by others. However, there are the following

problems with the site's security certificate:

The name of the security certificate is not valid or does not match the name of the site.

Do you want to continue?

[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y


Name           Used (GB)     Free (GB) Provider      Root                 CurrentLocation
----           ---------     --------- --------      ----                 ---------------
AdrmsCl...                             AdRmsAdmin    https://localhost    AdrmsCluster:\
PS C:\Users\AzureAdmin.LITWARE369>
When prompted to confirm, type “Y” and press ENTER.

At this stage, we can now set properties on objects in the drive namespace AdrmsCluster:\ that represent the configuration settings.



  4. Run the following commands to add the extranet cluster URLs:

PS C:\Users\AzureAdmin.LITWARE369> Set-ItemProperty -Path AdrmsCluster:\ -Name ExtranetLicensingURL -Value https://adrms.litware369.com:443/_wmcs/licensing

PS C:\Users\AzureAdmin.LITWARE369> Set-ItemProperty -Path AdrmsCluster:\ -Name ExtranetCertificationURL -Value https://adrms.litware369.com:443/_wmcs/certification

PS C:\Users\AzureAdmin.LITWARE369>




  5. Close the Windows PowerShell command prompt.
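Mobile clients reach the extranet licensing and certification URLs from outside the network, so a typo in either value, or a plain http:// value, goes unnoticed until enrolment fails. The script below is an added post-configuration check, not part of the original guide; it reads the two extranet URLs back from the AdrmsCluster:\ drive created in step 3, insists that both use HTTPS with the published name adrms.litware369.com, and then contacts each URL so that DNS, the TLS binding and the IIS pipeline are exercised end to end. It assumes the AdrmsCluster:\ drive is still mounted and that Get-ItemProperty on the AdRmsAdmin provider exposes the ExtranetLicensingURL and ExtranetCertificationURL properties that were just set.

```powershell
# Added post-configuration check (not part of the original guide). Assumes the
# AdrmsCluster:\ drive is mounted and that the AdRmsAdmin provider exposes the
# Extranet*URL properties set above via Get-ItemProperty.
$expectedHost = 'adrms.litware369.com'   # value from the guide
$cluster = Get-ItemProperty -Path AdrmsCluster:\

$urls = [ordered]@{
    ExtranetLicensingURL     = $cluster.ExtranetLicensingURL
    ExtranetCertificationURL = $cluster.ExtranetCertificationURL
}
$failed = @()
foreach ($entry in $urls.GetEnumerator()) {
    $uri = [uri]$entry.Value
    # Clients on the Internet use these values: require HTTPS and the certificate's name.
    if ($uri.Scheme -ne 'https' -or $uri.Host -ne $expectedHost) {
        $failed += "$($entry.Key) is '$($entry.Value)', expected https://$expectedHost/..."
        continue
    }
    # Any HTTP status code proves that name resolution, the TLS handshake and the
    # IIS pipeline all worked; a WebException with no response means one of them failed.
    $status = $null
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
        $status = [int]$resp.StatusCode
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        else { $failed += "$($entry.Key): $($_.Exception.Message)"; continue }
    }
    '{0,-25} {1} -> HTTP {2}' -f $entry.Key, $uri, $status
}
if ($failed) { $failed | ForEach-Object { Write-Warning $_ } }
else { 'Extranet URLs are consistent with the TLS certificate name and reachable over HTTPS.' }
```

A 401 or 403 from the pipeline is an acceptable result here: the point of the probe is that the request reached IIS over a validated TLS session under the name the clients will use, not that an unauthenticated GET is served.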

The AD RMS root cluster is now installed and configured.

Once you have logged off and logged on again, you can further manage AD RMS using the Active Directory Rights Management Services console.

To open the Active Directory Rights Management Services console, in Server Manager, click Local Server in the console tree, then click Tools, and then click Active Directory Rights Management Services. The console opens up.

From the console, you can configure trust policies, configure exclusion policies, and create rights policy templates.



The base configuration is now complete with all the dependencies in place for the Mobile Device Extension.

To avoid spending your credit while you are not working on the test lab, you can shut down the five VMs (DC1, ADFS1, SQL1, ADRMS1, and EDGE1) in the meantime.

To shut down the VMs of the test lab environment, proceed with the following steps:



  1. From within the Azure management portal, select VIRTUAL MACHINES on the left pane.

  2. Under VIRTUAL MACHINE INSTANCES, select edge1 and then click SHUTDOWN at the tray of the bottom.

  3. Repeat step 2 with adrms1, adfs1, sql1, and then dc1.



  4. Click YES. Once all the allocated resources have been deallocated, the status of the VMs changes to Stopped (Deallocated).

To resume working on the test lab, you will then need to start in order the DC1 computer, then the ADFS1 computer, the SQL1 computer, the ADRMS1 computer, and finally EDGE1.

To start the VMs of the test lab environment, proceed with the following steps:


  1. From within the Azure management portal, select VIRTUAL MACHINES on the left pane.

  2. Under VIRTUAL MACHINE INSTANCES, select dc1 and then click START at the tray of the bottom.

  3. Click dc1, and then select DASHBOARD.



  4. Verify under QUICK GLANCE that the INTERNAL IP ADDRESS is set to 10.0.2.4 (the value in our configuration).

  5. Select adfs1 on the left and then click START at the tray of the bottom.

  6. Repeat step 5 in order with sql1, adrms1, and edge1.
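The start order matters: ADFS1, SQL1 and ADRMS1 are domain-joined and need DC1 answering before they come up, and DC1 must keep the 10.0.2.4 address the guide expects. The helper below, added here and not part of the original guide, performs the two portal procedures above from Windows PowerShell using the classic (ASM) Azure module that matched the portal of that era: it starts the VMs in the documented order, waits for each to reach the ReadyRole status before starting the next, checks DC1's internal IP, and stops them in reverse order with deallocation. The cloud service name is a placeholder you must replace, Add-AzureAccount must already have been run, and the Get-AzureVM Status and IpAddress property names are the ones the ASM module returns.

```powershell
# Added helper (not part of the original guide). Uses the classic (ASM) Azure
# PowerShell module; run Add-AzureAccount first. The cloud service name is a
# placeholder: replace it with the service that hosts the five lab VMs.
$serviceName = 'REPLACE-WITH-CLOUD-SERVICE-NAME'
$startOrder  = 'dc1', 'adfs1', 'sql1', 'adrms1', 'edge1'   # order from the guide
$dc1Ip       = '10.0.2.4'                                  # expected DC1 internal IP

function Wait-LabVmStatus {
    param([string]$Name, [string]$Status, [int]$TimeoutSec = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $vm = Get-AzureVM -ServiceName $serviceName -Name $Name
        if ($vm.Status -eq $Status) { return $vm }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "$Name did not reach status '$Status' within $TimeoutSec seconds"
}

function Start-LabVms {
    foreach ($name in $startOrder) {
        Start-AzureVM -ServiceName $serviceName -Name $name | Out-Null
        $vm = Wait-LabVmStatus -Name $name -Status 'ReadyRole'
        Write-Host ("{0,-8} started, internal IP {1}" -f $name, $vm.IpAddress)
        # Mirrors step 4 above: the DC must keep the address the rest of the lab points at.
        if ($name -eq 'dc1' -and $vm.IpAddress -ne $dc1Ip) {
            throw "dc1 came up on $($vm.IpAddress), expected $dc1Ip; stop here and fix the lab"
        }
    }
}

function Stop-LabVms {
    # Reverse of the start order: edge1 first, dc1 last, as in steps 2-3 of the shutdown procedure.
    foreach ($name in $startOrder[-1..-($startOrder.Count)]) {
        # -Force deallocates without prompting when the last VM in the service stops.
        Stop-AzureVM -ServiceName $serviceName -Name $name -Force | Out-Null
        Wait-LabVmStatus -Name $name -Status 'StoppedDeallocated' | Out-Null
        Write-Host ("{0,-8} stopped (deallocated)" -f $name)
    }
}

# Usage: Start-LabVms  or  Stop-LabVms
```

Waiting for ReadyRole before starting the next VM is what the portal procedure leaves to the operator's patience; making it explicit avoids ADFS1 or ADRMS1 booting while DC1 is still unreachable.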

You are now in a position to install and configure the Mobile Device Extension for AD RMS on your "on-premises" test lab environment.

