AD RMS Windows Server 2008 to Windows Server 2008 R2 Migration and Upgrade Guide


Contents

AD RMS Windows Server 2008 to Windows Server 2008 R2 Migration and Upgrade Guide
  About this guide
Preparing for the migration or upgrade of an AD RMS cluster
  Checklist: Preparing to migrate or upgrade the AD RMS cluster
  Back up the AD RMS configuration database
  Export the server licensor certificate
  Export and install a software-based CSP key
Performing the migration of AD RMS on Windows Server 2008 to Windows Server 2008 R2
  Checklist: Migrating AD RMS from Windows Server 2008 to Windows Server 2008 R2
  Install Windows Server 2008 R2 on a new computer
  Install AD RMS and join the computer to the existing AD RMS cluster
  Join additional servers to the AD RMS cluster
Performing the upgrade of AD RMS on Windows Server 2008 to Windows Server 2008 R2
  Checklist: Upgrading AD RMS on Windows Server 2008 to Windows Server 2008 R2
  Upgrade an existing AD RMS server to Windows Server 2008 R2
  Run the AD RMS Upgrade wizard
  Upgrade remaining AD RMS servers to Windows Server 2008 R2
Completing the migration or upgrade of AD RMS
  Checklist: Completing the migration or upgrade of AD RMS
  Update cluster URL CNAME record
  Verify AD RMS client connectivity
  Verify successful cluster migration

AD RMS Windows Server 2008 to Windows Server 2008 R2 Migration and Upgrade Guide

If you want to upgrade an Active Directory Rights Management Services (AD RMS) cluster to Windows Server 2008 R2, you can either migrate the cluster or upgrade the existing servers in the cluster. Migrating is the process of installing Windows Server 2008 R2 on a computer, adding the AD RMS server role to that computer, joining that computer to the existing AD RMS cluster, and then replacing the other servers in the cluster with computers running Windows Server 2008 R2. Upgrading is the process of performing an in-place upgrade of the existing AD RMS servers in the cluster to Windows Server 2008 R2.

About this guide

This guide is intended for IT professionals who want to migrate or upgrade their existing AD RMS infrastructure to Windows Server 2008 R2. Using the checklists provided in this guide, you should be able to seamlessly move your infrastructure from AD RMS on Windows Server 2008 to Windows Server 2008 R2.

Preparing for the migration or upgrade of an AD RMS cluster

A migration or upgrade of an AD RMS cluster from Windows Server 2008 to Windows Server 2008 R2 should be carefully planned so that clients are not affected by it. Complete the tasks in Checklist: Preparing to migrate or upgrade the AD RMS cluster to ensure that all prerequisites are met. When these tasks have been completed:

- For a migration, perform the tasks in Performing the migration of AD RMS on Windows Server 2008 to Windows Server 2008 R2.
- For an upgrade, perform the tasks in Performing the upgrade of AD RMS on Windows Server 2008 to Windows Server 2008 R2.

Checklist: Preparing to migrate or upgrade the AD RMS cluster

Before starting a migration or upgrade, complete all the tasks in this checklist in the order in which they are presented to prepare your infrastructure for AD RMS on Windows Server 2008 R2.

Task: To prevent loss of AD RMS data if you need to roll back the migration or upgrade, back up the AD RMS configuration database.
  Reference: Back up the AD RMS configuration database

Task: Before migrating or upgrading an AD RMS cluster, export the server licensor certificate (SLC). The SLC can be stored in either the AD RMS configuration database or a hardware security module.
  Reference: Export the server licensor certificate

Task: If you are using a software-based CSP to protect your AD RMS private key, export the key container and install it on the new computer.
  Reference: Export and install a software-based CSP key

Back up the AD RMS configuration database

The AD RMS configuration database stores all the configuration information for the AD RMS cluster as well as the private key that signs all rights-protected content. Back up this database before moving to Windows Server 2008 R2.

To back up the configuration database
1. Log on to the server hosting the AD RMS configuration database with a user account that is a member of the System Administrators database role.
2. Click Start, point to All Programs, point to Microsoft SQL Server, and then click SQL Server Management Studio.
3. When the Connect to Server window appears, ensure that the server hosting the AD RMS configuration database is in the Server name box, and then click Connect.
4. Expand Databases.
5. Right-click the AD RMS configuration database, point to Tasks, and then click Back Up. The default AD RMS configuration database name is in the form DRMS_Config_<RMS_cluster_URL>_80, where RMS_cluster_URL is the URL of the AD RMS cluster.
6. Click OK, and then click OK again.

Export the server licensor certificate

The server licensor certificate (SLC) of the AD RMS cluster is used to decrypt all content that was protected by the AD RMS cluster. If the SLC is lost, rights-protected content protected by the AD RMS cluster cannot be decrypted. If you are using a hardware security module (HSM) to store the SLC, contact the manufacturer of the HSM for instructions on how to back up the key. If you are using a private key password to protect the SLC, you can back up the certificate by using the Active Directory Rights Management Services console.

To export the server licensor certificate
1. Open the Active Directory Rights Management Services console.
2. In the console tree, select the AD RMS cluster whose certificate you want to export.
3. Right-click the cluster name, and then click Properties.
4. On the Server Certificate tab, click Export Certificate.
5. The Export Certificate As dialog box appears. We recommend that you modify the .bin file name to include the name of your server, such as AD RMS_Cluster1_LicensorCert.bin.
6. Specify the location where the SLC should be saved, and then click Save.

Export and install a software-based CSP key

When you installed AD RMS, you could select either private key protection managed by AD RMS or cryptographic storage provider (CSP)-based key protection. AD RMS-managed private key protection offers lower administrative overhead because the AD RMS private key is stored in the AD RMS configuration database, and servers added to the AD RMS cluster share this key. A hardware-based CSP provides more security because the private key is never stored in software. A software-based CSP stores the AD RMS private key locally on each AD RMS server, which is why this option is not recommended.

If you are using a software-based CSP, you must export the AD RMS private key and install it on each new computer that joins the AD RMS cluster as part of the migration or upgrade. If you are using a hardware-based CSP, consult the manufacturer about the steps for migrating the key.

Important: The .NET Framework 2.0 must be installed on both the server from which you export the AD RMS private key and the new server on which the private key will be installed. The .NET Framework 2.0 is available through Windows Update.

To retrieve the private key container name
1. Log on to the server hosting the AD RMS configuration database with a user account that is a member of the System Administrators database role.
2. Click Start, point to All Programs, point to Microsoft SQL Server, and then click SQL Server Management Studio.
3. When the Connect to Server window appears, ensure that the server hosting the AD RMS configuration database is in the Server name box, and then click Connect.
4. Expand Databases.
5. Expand the AD RMS configuration database, and then expand Tables.
6. Right-click the DRMS_LicensorPrivateKey table, and then click Open Table. The key container name is stored in the column named KeyContainerName.

To export the AD RMS private key from a software-based CSP
1. Log on to the AD RMS server that has the AD RMS private key installed.
2. Click Start, and then click Command Prompt.
3. Type cd %windir%\microsoft.net\framework\v<version> (the directory of the installed .NET Framework 2.0 version), and then press ENTER.
4. Type aspnet_regiis.exe -px <keycontainername> privatekey.xml -pri, where <keycontainername> is the key container name that you retrieved in the procedure To retrieve the private key container name, and then press ENTER.
5. Copy privatekey.xml to the server that will be joined to the AD RMS cluster.

To install an AD RMS private key protected by a software-based CSP
1. Log on to the server that will be joined to the AD RMS cluster.
2. Click Start, and then click Command Prompt.
3. Type cd %windir%\microsoft.net\framework\v<version> (the directory of the installed .NET Framework 2.0 version), and then press ENTER.
4. Type aspnet_regiis.exe -pi <keycontainername> privatekey.xml -exp, where <keycontainername> is the key container name that you retrieved in the procedure To retrieve the private key container name, and then press ENTER.
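The three procedures above, retrieving the key container name, exporting the key and installing it on the joining server, as one PowerShell script. This is an added example and not part of the guide; the SQL instance, configuration database and file names are placeholders, and the .NET Framework 2.0 directory is located with a wildcard because the guide does not name the version directory.

```powershell
# Added example (not from the guide): automates the three procedures above, retrieving
# the key container name from DRMS_LicensorPrivateKey, exporting it with aspnet_regiis,
# and installing it on the server that joins the cluster. Instance, database and file
# names are placeholders; run Export-* on the old server and Install-* on the new one.

function Get-AspnetRegiis {
    # aspnet_regiis.exe ships with the .NET Framework 2.0. The guide leaves the v* directory
    # unspecified, so locate it instead of hard-coding a version (assumption: a v2* directory).
    $exe = Get-ChildItem "$env:windir\Microsoft.NET\Framework\v2*\aspnet_regiis.exe" |
           Select-Object -First 1
    if (-not $exe) { throw '.NET Framework 2.0 not found; install it through Windows Update first.' }
    $exe.FullName
}

function Get-AdRmsKeyContainerName {
    param([string]$SqlInstance, [string]$ConfigDb)
    # Same lookup as opening the DRMS_LicensorPrivateKey table in SSMS and reading KeyContainerName.
    $cn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Database=$ConfigDb;Integrated Security=True")
    $cn.Open()
    try {
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = 'SELECT KeyContainerName FROM DRMS_LicensorPrivateKey'
        $name = $cmd.ExecuteScalar()
    } finally { $cn.Close() }
    if (-not $name) { throw 'No key container name found in DRMS_LicensorPrivateKey.' }
    [string]$name
}

function Export-AdRmsCspKey {
    param([string]$KeyContainerName, [string]$OutFile)
    # -px exports the container, -pri includes the private key (the guide's export command).
    & (Get-AspnetRegiis) -px $KeyContainerName $OutFile -pri
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -px failed with exit code $LASTEXITCODE" }
    # privatekey.xml now holds the cluster's signing key in clear text. Strip inherited
    # permissions and leave only the exporting account before copying it anywhere.
    $acl = Get-Acl $OutFile
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
    Set-Acl $OutFile $acl
    $OutFile
}

function Install-AdRmsCspKey {
    param([string]$KeyContainerName, [string]$KeyFile)
    # On the server joining the cluster: -pi imports the container, -exp marks it exportable
    # (the guide's install command). Remove the XML copy once the import succeeds.
    & (Get-AspnetRegiis) -pi $KeyContainerName $KeyFile -exp
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pi failed with exit code $LASTEXITCODE" }
    Remove-Item $KeyFile -Force
}

# Placeholder values for this example; the database name follows the guide's DRMS_Config_<URL>_80 form.
$container = Get-AdRmsKeyContainerName -SqlInstance 'SQL01\ADRMS' -ConfigDb 'DRMS_Config_adrms_contoso_com_80'
Export-AdRmsCspKey -KeyContainerName $container -OutFile "$env:USERPROFILE\privatekey.xml"
# Then, after copying privatekey.xml to the new server, on that server:
# Install-AdRmsCspKey -KeyContainerName $container -KeyFile "$env:USERPROFILE\privatekey.xml"
```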

Performing the migration of AD RMS on Windows Server 2008 to Windows Server 2008 R2

Follow the tasks in Checklist: Migrating AD RMS from Windows Server 2008 to Windows Server 2008 R2 to migrate your AD RMS cluster from Windows Server 2008 to Windows Server 2008 R2. When these tasks have been completed, perform the tasks in Completing the migration or upgrade of AD RMS.

Checklist: Migrating AD RMS from Windows Server 2008 to Windows Server 2008 R2

Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Task: On the computer that will be the first server of the new AD RMS cluster, install Windows Server 2008 R2.
  Reference: Install Windows Server 2008 R2 on a new computer

Task: Install AD RMS and join the new AD RMS server to the existing AD RMS cluster.
  Reference: Install AD RMS and join the computer to the existing AD RMS cluster

Task: Replace or upgrade the remaining AD RMS servers in the cluster to Windows Server 2008 R2.
  Reference: Join additional servers to the AD RMS cluster

Install Windows Server 2008 R2 on a new computer

Install Windows Server 2008 R2 on a stand-alone server that will be used as a new server in the AD RMS cluster. After Windows Server 2008 R2 is installed, assign a static IP address and join the computer to the same domain as the AD RMS cluster.

If you have several servers in your AD RMS cluster, we recommend that you prepare at least half of your new servers to join the AD RMS cluster at the same time, because the database schema for AD RMS on Windows Server 2008 R2 is different from that for AD RMS on Windows Server 2008. When the first Windows Server 2008 R2 based AD RMS server joins the cluster, the AD RMS configuration database is upgraded to the Windows Server 2008 R2 schema, and all Windows Server 2008 based AD RMS servers in the cluster will no longer be able to process client requests.

To perform a new installation of Windows Server 2008 R2
1. Start your computer by using the Windows Server 2008 R2 product CD.
2. Follow the rest of the instructions that appear on your screen to finish the installation.

We recommend that you use a static IP address for the server.

To configure a static IP address
1. Log on to the computer as a member of the local Administrators group.
2. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. Click the Use the following IP address option. In the IP address box, type the appropriate IP address. In the Subnet mask box, type the appropriate subnet mask, and then click OK.
5. Click OK to close the Local Area Connection Properties dialog box.

Finally, add this computer to the same domain as the servers in the AD RMS cluster.

To join a computer to a domain
1. Click Start, right-click Computer, and then click Properties.
2. Click Change settings (on the right side under Computer name, domain, and workgroup settings), and then click Change.
3. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type the appropriate domain.
4. Click OK, and then click OK again.
5. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials for a member of the Domain Admins group, and then click OK.
6. When a Computer Name/Domain Changes dialog box appears welcoming you to the domain, click OK.
7. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.
8. Click Restart Now.

Install AD RMS and join the computer to the existing AD RMS cluster

A migration of an AD RMS cluster from Windows Server 2008 to Windows Server 2008 R2 is accomplished by joining a new Windows Server 2008 R2 AD RMS server to the AD RMS cluster and then migrating or removing the remaining Windows Server 2008 servers.

Note: To join a Windows Server 2008 R2 server to an existing AD RMS cluster, the AD RMS service connection point (SCP) must be registered in Active Directory or Active Directory Domain Services.

To install AD RMS and join the AD RMS server to an existing cluster
1. Log on to the server that you want to join to the existing AD RMS cluster with a domain user account that is a member of the local Administrators group on both the AD RMS server and the database server, and that is a member of the System Administrators database role, or equivalent, on the database server.
2. Open Server Manager: click Start, point to Administrative Tools, and then click Server Manager.
3. In the Roles Summary box, click Add Roles.
4. Read the Before You Begin section, and then click Next.
5. On the Select Server Roles page, select the Active Directory Rights Management Services check box.
6. The Role Services page appears, listing the role services and features that AD RMS depends on. Make sure that Web Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click Next.
7. Read the AD RMS introduction page, and then click Next.
8. On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and then click Next.
9. Select the Join an existing AD RMS cluster option, and then click Next.
10. Do the following, and then click Next:
   a. Click Browse, type the name of the database server, and then click OK.
   b. Choose the appropriate database server instance from the Select or enter database server instance box.
   c. Type the name of the AD RMS configuration database in the Enter database name box.
   d. Click Validate.
11. If you are using AD RMS to centrally manage the cluster key, confirm that the database is correct, type the cluster key password in the Password and Confirm Password boxes, and then click Next.
12. Click Specify, type the User name and Password in the appropriate boxes, and then click OK. Click Next.
13. Select the appropriate Web site, and then click Next.
14. Read the Introduction to Web Server (IIS) page, and then click Next.
15. Keep the Web server default check box selections, and then click Next.
16. Click Install to join this computer to the existing AD RMS cluster. The installation can take up to 60 minutes to complete.
17. Click Close.
18. Log off the server, and then log back on to update the permissions granted to the logged-on user account. The user account that is logged on when the AD RMS server role is provisioned is automatically made a member of the AD RMS Enterprise Administrators group.

Join additional servers to the AD RMS cluster

Because the configuration database schema has changed for AD RMS on Windows Server 2008 R2, and the remaining Windows Server 2008 based AD RMS servers will no longer process requests, you must replace the remaining Windows Server 2008 based AD RMS servers immediately after the cluster is migrated to the first Windows Server 2008 R2 server. To decrease downtime, we recommend that you have Windows Server 2008 R2 installed on at least half of the servers you will use in the migrated cluster so that you can quickly install AD RMS and join them to the AD RMS cluster at the same time. Additionally, ensure that any Secure Sockets Layer (SSL) certificates are imported into the new servers and that your network load balancing (NLB) environment is configured appropriately.

Important: All servers in an AD RMS cluster must be running the same version of Windows Server.

The instructions to prepare new servers are the same as the procedures in Install Windows Server 2008 R2 on a new computer and Install AD RMS and join the computer to the existing AD RMS cluster. To upgrade existing servers in the AD RMS cluster, follow the instructions in Upgrade an existing AD RMS server to Windows Server 2008 R2 and Run the AD RMS Upgrade wizard.

Performing the upgrade of AD RMS on Windows Server 2008 to Windows Server 2008 R2

Follow the tasks in Checklist: Upgrading AD RMS on Windows Server 2008 to Windows Server 2008 R2 to perform an in-place upgrade of AD RMS on Windows Server 2008 to Windows Server 2008 R2. When these tasks have been completed, perform the tasks in Checklist: Completing the migration or upgrade of AD RMS.

Checklist: Upgrading AD RMS on Windows Server 2008 to Windows Server 2008 R2

Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Task: On an existing AD RMS server in the cluster, upgrade to Windows Server 2008 R2.
  Reference: Upgrade an existing AD RMS server to Windows Server 2008 R2

Task: Upgrade the AD RMS cluster to Windows Server 2008 R2.
  Reference: Run the AD RMS Upgrade wizard

Task: Upgrade the remaining AD RMS servers in the cluster to Windows Server 2008 R2.
  Reference: Upgrade remaining AD RMS servers to Windows Server 2008 R2

Important: If you installed a Multilanguage User Interface (MUI) language pack and changed the display UI language before adding the AD RMS server role on a server running Windows Server 2008, you must reinstall the same MUI language pack and set the display UI to the same language before upgrading AD RMS. Do this after upgrading the operating system to Windows Server 2008 R2 but before running the AD RMS Upgrade wizard. Failing to do so can cause the AD RMS cluster to stop functioning.

Upgrade an existing AD RMS server to Windows Server 2008 R2

The first step in performing an in-place upgrade of a Windows Server 2008 based AD RMS cluster to Windows Server 2008 R2 is to install Windows Server 2008 R2 on one AD RMS server in the cluster.

To perform an upgrade installation of Windows Server 2008 R2
1. On the AD RMS server to be upgraded, log on with a user account that is a member of the local Administrators group.
2. Insert the Windows Server 2008 R2 product CD, and then click Install now.
3. If your server is connected to the Internet, click Go online to get the latest updates for installation. If the server is not connected to the Internet, click Do not get the latest updates for installation.
4. Enter the product key provided with your copy of Windows Server 2008 R2, and then click Next.
5. Select the I accept the license terms check box, and then click Next.
6. Click Upgrade.
7. On the Compatibility Report page, click Next.
8. When the installation is complete, the AD RMS server is restarted.

Run the AD RMS Upgrade wizard

The AD RMS Upgrade Wizard must be completed after the operating system is upgraded to Windows Server 2008 R2. If you do not run the AD RMS Upgrade Wizard, your AD RMS infrastructure will not function. It is only necessary to run the AD RMS Upgrade Wizard on the first computer that you upgrade to Windows Server 2008 R2.

Note: If you are using a hardware security module (HSM) to protect the cluster's private key, you must install the Windows Server 2008 R2 version of the HSM drivers before starting the AD RMS Upgrade Wizard.

To run the AD RMS Upgrade Wizard
1. Log on to the AD RMS server that was just upgraded to Windows Server 2008 R2 with a user account that is a member of the local Administrators group and that is a member of the System Administrators database role, or equivalent, on the database server.
2. Click Start, point to Administrative Tools, and then click Server Manager.
3. Expand Roles, and then click Active Directory Rights Management Services.
4. In the results pane, click Complete Installation of Active Directory Rights Management Services.
5. On the Upgrading Active Directory Rights Management Services page, click Next.
6. Type the service account password in the Password and Confirm password boxes, and then click Next.
7. If AD RMS is managing the cluster's private key, on the Provide AD RMS Private Key Password page, type the AD RMS private key password in the Password and Confirm password boxes, and then click Next.
8. On the Confirm Installation Options page, click Next.
9. After the installation has finished, click Close.

Important: If the Identity Federation Support role service was installed and configured before you performed the upgrade, you must remove and then reinstall Identity Federation Support after running the AD RMS Upgrade wizard. If you do not, federation support will stop functioning.

Upgrade remaining AD RMS servers to Windows Server 2008 R2

Because the configuration database schema has changed for AD RMS on Windows Server 2008 R2, and the remaining Windows Server 2008 based AD RMS servers will no longer process requests, you must immediately upgrade the remaining AD RMS servers in the cluster to Windows Server 2008 R2. To decrease downtime, we recommend that you have Windows Server 2008 R2 installed on at least half of the servers you will use in the upgraded cluster so that you can quickly upgrade AD RMS on them.

Important: All servers in an AD RMS cluster must be running the same version of Windows Server.

The instructions to upgrade the remaining servers are the same as the procedures in Upgrade an existing AD RMS server to Windows Server 2008 R2 and Run the AD RMS Upgrade wizard.

Completing the migration or upgrade of AD RMS

After you have performed all the tasks in either Performing the migration of AD RMS on Windows Server 2008 to Windows Server 2008 R2 or Performing the upgrade of AD RMS on Windows Server 2008 to Windows Server 2008 R2, perform the tasks in Checklist: Completing the migration or upgrade of AD RMS to complete the migration or upgrade of AD RMS from Windows Server 2008 to Windows Server 2008 R2.

Checklist: Completing the migration or upgrade of AD RMS

Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Task: If you are using a CNAME record for your AD RMS cluster name, update it to reflect the new AD RMS server name.
  Reference: Update cluster URL CNAME record

Task: Verify that the cluster migration or upgrade was successful by opening the AD RMS console.
  Reference: Verify successful cluster migration

Task: Verify that AD RMS-enabled clients can connect to the AD RMS cluster by browsing to the AD RMS certification pipeline.
  Reference: Verify AD RMS client connectivity

Update cluster URL CNAME record

We recommend that you use a Domain Name Service (DNS) CNAME record for the AD RMS cluster URL. If a CNAME record is used and the AD RMS server name changes, you can update the cluster URL CNAME record to point to the new server name. Otherwise, you must reprovision AD RMS with the new cluster URL.

To update the AD RMS cluster URL CNAME record
1. Log on to a DNS server as a member of the Domain Admins group.
2. Click Start, point to All Programs, and then click DNS.
3. Expand Forward Lookup Zones, and then expand the zone for your domain.
4. In the Results pane, right-click the CNAME record for the AD RMS cluster URL, and then click Properties.
5. In the Fully qualified domain name (FQDN) for target host box, click Browse, type the new domain name of the AD RMS server, and then click OK.

Verify AD RMS client connectivity

You can verify that AD RMS-enabled clients can connect to the AD RMS cluster by browsing to the certification pipeline with Internet Explorer.

To open the certification pipeline
1. Log on to an AD RMS-enabled client.
2. Click Start, and then click Internet Explorer.
3. In the address bar, type the following, and then press ENTER: http(s)://<adrms_cluster_url>/_wmcs/certification/certification.asmx
4. The certification pipeline should open without errors or credential prompts. If you encounter a credential prompt, add the AD RMS cluster URL to the Local Intranet security zone and try again.
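The CNAME and client-connectivity checks above as a script that can be run from an AD RMS-enabled client after the change window. This is an added example, not part of the guide; the cluster host name, cluster URL and new server name are placeholders.

```powershell
# Added example (not from the guide): checks that the cluster CNAME now points at the new
# server and that the certification pipeline answers without a credential prompt.
# Host names and the cluster URL below are placeholders.

function Test-AdRmsClusterCname {
    param([string]$ClusterHost, [string]$NewServerHost)
    # After the CNAME update, the cluster name must resolve to the same address(es) as the
    # new Windows Server 2008 R2 AD RMS server (or the NLB address in front of it).
    $clusterIps = @([System.Net.Dns]::GetHostAddresses($ClusterHost)   | ForEach-Object { $_.IPAddressToString })
    $serverIps  = @([System.Net.Dns]::GetHostAddresses($NewServerHost) | ForEach-Object { $_.IPAddressToString })
    $stale = @($clusterIps | Where-Object { $serverIps -notcontains $_ })
    if ($stale.Count -gt 0) {
        $detail = "still resolves to $($stale -join ', '); flush the resolver cache (ipconfig /flushdns) and re-check the CNAME target"
    } else {
        $detail = 'cluster name resolves to the new server'
    }
    New-Object PSObject -Property @{
        ClusterHost = $ClusterHost
        ResolvesTo  = ($clusterIps -join ', ')
        Ok          = ($stale.Count -eq 0 -and $clusterIps.Count -gt 0)
        Detail      = $detail
    }
}

function Test-AdRmsCertificationPipeline {
    param([string]$ClusterUrl)
    # Same request Internet Explorer makes in step 3 above. UseDefaultCredentials sends the
    # logged-on user's Windows credentials silently, which is what the Local Intranet zone
    # gives IE; a 401 here is the credential-prompt case the guide describes.
    $url = $ClusterUrl.TrimEnd('/') + '/_wmcs/certification/certification.asmx'
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.UseDefaultCredentials = $true
    $req.Timeout = 15000
    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -ne $null) {
            $status = [int]$resp.StatusCode
            $resp.Close()
        } else {
            # No HTTP response at all: name resolution, TCP or TLS failure. A certificate error
            # is a finding to fix on the server (see the SSL certificate note), not to bypass here.
            return New-Object PSObject -Property @{ Url = $url; Status = 0; Ok = $false; Detail = $_.Exception.Message }
        }
    }
    $detail = switch ($status) {
        200     { 'certification pipeline reachable without a credential prompt' }
        401     { 'credentials were prompted for; add the AD RMS cluster URL to the Local Intranet security zone and try again' }
        default { "unexpected HTTP status $status" }
    }
    New-Object PSObject -Property @{ Url = $url; Status = $status; Ok = ($status -eq 200); Detail = $detail }
}

# Placeholder values for this example.
Test-AdRmsClusterCname -ClusterHost 'adrms.contoso.com' -NewServerHost 'adrms-r2-01.contoso.com' | Format-List
Test-AdRmsCertificationPipeline -ClusterUrl 'https://adrms.contoso.com' | Format-List
```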

Verify successful cluster migration

When the Active Directory Rights Management Services console is opened, the AD RMS cluster is queried and then displayed in the console. If the AD RMS cluster was not migrated or upgraded properly, the Active Directory Rights Management Services console will not open correctly.

To open the Active Directory Rights Management Services console
1. Log on to a server in the AD RMS cluster.
2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Verify that the Active Directory Rights Management Services console opens without error.