Removing Active Directory Rights Management Services Step-by-Step Guide

Similar documents
Creating and Deploying Active Directory Rights Management Services Templates Step-by-Step Guide

AD RMS Step-by-Step Guide

Installing Windows Rights Management Services with Service Pack 2 Step-by- Step Guide

Deploying Remote Desktop IP Virtualization Step-by-Step Guide

Deploying Remote Desktop Web Access with Remote Desktop Connection Broker Step-by- Step Guide

Customizing Remote Desktop Web Access by Using Windows SharePoint Services Stepby-Step

Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide

Active Directory Rights Management Service Integration Guide

Windows Server Update Services 3.0 SP2 Step By Step Guide

Step-by-Step Guide for Setting Up IPv6 in a Test Lab

Pipeliner CRM Phaenomena Guide Add-In for MS Outlook Pipelinersales Inc.

Improving Performance of Microsoft CRM 3.0 by Using a Dedicated Report Server

Technical Brief for Windows Home Server Remote Access

Lab Answer Key for Module 9: Active Directory Domain Services. Table of Contents Lab 1: Exploring Active Directory Domain Services 1

Information Rights Management in Office for Mac 2011 Deployment Guide

EventTracker: Support to Non English Systems

Deploying the Workspace Application for Microsoft SharePoint Online

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Windows BitLocker Drive Encryption Step-by-Step Guide

Pipeliner CRM Phaenomena Guide Sales Pipeline Management Pipelinersales Inc.

Overview of Microsoft Office 365 Development

How To Install Outlook Addin On A 32 Bit Computer

How To Set Up A Load Balancer With Windows 2010 Outlook 2010 On A Server With A Webmux On A Windows Vista V (Windows V2) On A Network With A Server (Windows) On

Lab Answer Key for Module 6: Configuring and Managing Windows SharePoint Services 3.0. Table of Contents Lab 1: Configuring and Managing WSS 3.

Deploying Microsoft RemoteFX on a Single Remote Desktop Virtualization Host Server Step-by-Step Guide

Windows Small Business Server 2003 Upgrade Best Practices

Implementing and Supporting Windows Intune

Pipeliner CRM Phaenomena Guide Sales Target Tracking Pipelinersales Inc.

Hands-On Lab: WSUS. Lab Manual Expediting WSUS Service for XP Embedded OS

Enable File and Folder Auditing

Pipeliner CRM Phaenomena Guide Administration & Setup Pipelinersales Inc.

Pipeliner CRM Phaenomena Guide Opportunity Management Pipelinersales Inc.

Management Reporter Integration Guide for Microsoft Dynamics GP

Exclaimer Alias Manager for Exchange Deployment Guide - Exclaimer Alias Manager for Exchange Outlook Add-In

The 2007 R2 Version of Microsoft Office Communicator Mobile for Windows Mobile: Frequently Asked Questions

MICROSOFT STEP BY STEP INTERACTIVE VERSION 3.0 ADMINISTRATION GUIDE

Implementing and Supporting Windows Intune

Pipeliner CRM Phaenomena Guide Getting Started with Pipeliner Pipelinersales Inc.

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

Management Reporter Integration Guide for Microsoft Dynamics AX

Lab Answer Key for Module 11: Managing Transactions and Locks

Overview of Active Directory Rights Management Services with Windows Server 2008 R2

Hyper-V Server 2008 Getting Started Guide

How to Install MS SQL Server Express

File and Printer Sharing with Microsoft Windows

AD RMS Windows Server 2008 to Windows Server 2008 R2 Migration and Upgrade Guide... 2 About this guide... 2

Office Language Interface Pack for Farsi (Persian) Content

Step By Step Guide: Demonstrate DirectAccess in a Test Lab

Microsoft Corporation. Status: Preliminary documentation

How to Secure a Groove Manager Web Site

Using Apple Remote Desktop to Deploy Centrify DirectControl

Hyper-V Server 2008 Setup and Configuration Tool Guide

Business Portal for Microsoft Dynamics GP Field Service Suite

Update and Installation Guide for Microsoft Management Reporter 2.0 Feature Pack 1

Introduction to DirectAccess in Windows Server 2012

Lab Answer Key for Module 1: Installing and Configuring Windows Server Table of Contents Lab 1: Configuring Windows Server

Integrating Business Portal 3.0 with Microsoft Office SharePoint Portal Server 2003: A Natural Fit

Integrate Cisco IronPort Web Security Appliance (WSA)

Microsoft Business Solutions Navision 4.0 Development I C/SIDE Introduction Virtual PC Setup Guide. Course Number: 8359B

Lab 02 Working with Data Quality Services in SQL Server 2014

Active Directory Provider User s Guide

User Guide. Live Meeting. MailStreet Live Support:

How to Install Microsoft Mobile Information Server 2002 Server ActiveSync. Joey Masterson

Preface. Microsoft Office Sharepoint Server 2007 Integration Guide SafeNet, Inc. All rights reserved. Part Number: (Rev A, 06/2009)

Connector for Microsoft Dynamics Configuration Guide for Microsoft Dynamics SL

White Paper. Software version: 5.0

Mailbox Recovery for Microsoft Exchange 2000 Server. Published: August 2000 Updated: July 2002 Applies To: Microsoft Exchange 2000 Server SP3

Adobe Acrobat 9 Deployment on Microsoft Windows Group Policy and the Active Directory service

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0

Distributed File System Replication Management Pack Guide for System Center Operations Manager 2007

Microsoft Lync Server 2010

All other trademarks are property of their respective owners.

UPGRADE. Upgrading Microsoft Dynamics Entrepreneur to Microsoft Dynamics NAV. Microsoft Dynamics Entrepreneur Solution.

How To Set Up A Virtual Pc Classroom Setup Guide For A Student Computer Course

Connector for Microsoft Dynamics Configuration Guide for Microsoft Dynamics NAV

Microsoft Dynamics GP. Electronic Signatures

Microsoft Office Communicator 2007 Getting Started Guide. Published: July 2007

Troubleshooting File and Printer Sharing in Microsoft Windows XP

DriveLock Quick Start Guide

Microsoft Dynamics CRM Adapter for Microsoft Dynamics GP

2007 Microsoft Office System Document Encryption

User Document. Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory

Managing Linux Servers with System Center 2012 R2

AD RMS Microsoft Federation Gateway Support Installation and Configuration Guide... 3 About this guide... 3

Deploying Microsoft RemoteFX for Personal Virtual Desktops Step-by-Step Guide

Windows Azure Pack Installation and Initial Configuration

Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide

Thales nshield HSM. ADRMS Integration Guide for Windows Server 2008 and Windows Server 2008 R2.

Redeploying Microsoft CRM 3.0

Windows SharePoint Services Installation Guide

Step-by-Step Secure Wireless for Home / Small Office and Small Organizations

How To- Create Local Account and Active Directory Authentication EventTracker Enterprise

Integrating Symantec Endpoint Protection

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and October 2013

Windows Scheduled Tasks Management Pack Guide for System Center Operations Manager. Published: 07 March 2013

How To Configure A Windows 8.1 On A Windows (Windows) With A Powerpoint (Windows 8) On A Blackberry) On An Ipad Or Ipad (Windows 7) On Your Blackberry Or Black

Module 1: Introduction to Active Directory Infrastructure

Microsoft Hyper-V Server 2008 R2 Getting Started Guide

Migrating Active Directory to Windows Server 2012 R2

Transcription:

Removing Active Directory Rights Management Services Step-by-Step Guide Microsoft Corporation Published: March 2008 Author: Brian Lich Editor: Carolyn Eller Abstract This step-by-step guide provides instructions for modifying a test environment to decommission and remove Active Directory Rights Management Services (AD RMS) within your organization.

This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents Decommissioning Active Directory Rights Management Services Step-by-Step Guide... 5 About This Guide... 5 What This Guide Does Not Provide... 5 Deploying AD RMS in a Test Environment... 5 Step 1: Decommission AD RMS Root Cluster... 7 Enable the decommissioning service... 7 Set permission on the decommissioning pipeline... 8 Configure the AD RMS-enabled application to use the decommissioning pipeline... 9 Step 2: Verifying AD RMS Functionality... 9

Decommissioning Active Directory Rights Management Services Step-by-Step Guide About This Guide This step-by-step walks you through the process of decommissioning Active Directory Rights Management Services (AD RMS) in your organization. Removing AD RMS requires that all rightsprotected content that you want to be able to use be decrypted before all servers are removed from the AD RMS cluster. Once complete, you can use the test lab environment to learn about AD RMS decommissioning on Windows Server 2008 and assess how it might be deployed in your organization. As you complete the steps in this guide, you will: Decommission an AD RMS cluster. Verify the removal of AD RMS functionality after you complete the configuration. This guide assumes that you previously completed the steps in the Windows Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?linkid=72134), and that you have already deployed the following components: An AD RMS server An AD RMS database server One AD RMS-enabled client One Active Directory domain controller What This Guide Does Not Provide This guide does not provide the following: An overview of AD RMS. For more information about the advantages that AD RMS can bring to your organization, see http://go.microsoft.com/fwlink/?linkid=84726. Guidance for setting up and configuring AD RMS in a production environment. Complete technical reference for AD RMS. Deploying AD RMS in a Test Environment We recommend that you first use the steps provided in this guide in a test lab environment. Stepby-step guides are not necessarily meant to be used to deploy Windows Server features without additional deployment documentation and should be used with discretion as a stand-alone document. 5

Upon completion of this step-by-step guide, you will have a decommissioned AD RMS infrastructure. You can then test and verify AD RMS functionality by opening a rights-protected document and ensuring that the document is decrypted. The test environment described in this guide includes four computers connected to a private network and using the following operating systems, applications, and services: Computer Name Operating System Applications and Services ADRMS-SRV Windows Server 2008 AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing CPANDL-DC ADRMS-DB Windows Server 2008 or Windows Server 2003 with Service Pack 2 (SP2) Note Service Pack 2 for Windows Server 2003 is not required but will be used for the purposes of this guide. Windows Server 2003 with SP2 Note Service Pack 2 for Windows Server 2003 is not required but will be used for the purposes of this guide. Active Directory or Active Directory Domain Services (AD DS), Domain Name System (DNS) Microsoft SQL Server 2005 Standard Edition with Service Pack 2 (SP2) Note Service Pack 2 for SQL Server 2005 Standard Edition is not required but will be used for the purposes of this guide. ADRMS-CLNT Windows Vista Microsoft Office Word 2007 Enterprise Edition Note For more information about the system requirements for installing AD RMS, see http://go.microsoft.com/fwlink/?linkid=84733. The computers form a private intranet and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment if desired. This stepby-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for 6

the domain named cpandl.com. The following figure shows the configuration of the test environment: Step 1: Decommission AD RMS Root Cluster Decommissioning refers to the entire process of removing the AD RMS cluster and its associated databases from an organization. This process allows you to save rights-protected files as ordinary files before you remove AD RMS from your infrastructure so that you do not lose access to these files. Decommissioning an AD RMS cluster is achieved by doing the following: Enable the decommissioning service. Modify permissions on the decommissioning pipeline. Configure the AD RMS-enabled application to use the decommissioning pipeline. Enable the decommissioning service The decommissioning service disables all other AD RMS services in the cluster. When the decommissioning service is enabled, AD RMS clients can request only a key to decrypt rightsprotected content. The decommissioning service is enabled by using the Active Directory Rights Management Services console. To enable the decommissioning service 1. Log on to ADRMS-SRV as cpandl\adrmsadmin. 2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services. 3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 4. Expand the AD RMS cluster, expand Security Policies, and then click 7

Decommissioning. 5. In the Actions pane, click Enable Decommissioning. 6. Click Decommission. Caution Once decommissioning has been enabled on the AD RMS cluster, it cannot be reversed. 7. Click Yes, confirming that you want to decommission the AD RMS cluster. Set permission on the decommissioning pipeline After the decommissioning service is enabled on the AD RMS cluster, you must modify the permissions on the decommissioning pipeline so that AD RMS users can connect to it. By default, only the local SYSTEM account has access to the pipeline. You should give the AD RMS Service Group the Read & execute permission on the decommission folder. Then on the decommission.asmx file, you should give everyone the Read & execute permission. The decommission pipeline is located in the %systemroot%\inetpub\wwwroot\_wmcs folder, where %systemroot% is the volume on which Windows Server 2008 is installed. To modify the permissions on the decommissioning pipeline 1. Log on to ADRMS-SRV as cpandl\administrator. 2. Click Start, type %systemdrive%\inetpub\wwwroot\_wmcs in the Start Search box, and then press ENTER. 3. Right-click the decommission folder, and then click Properties. 4. Click the Security tab, click Edit, and then click Add. 5. In the Select Users, Computers, or Groups box, type ADRMS-SRV\AD RMS Service Group, and then click OK. 6. Click OK twice to close the decommission properties. 7. Double-click the decommission folder, right-click decommission.asmx, and then click Properties. 8. Click the Security tab, click Edit, and the click Add. 9. In the Select Users, Computers, or Groups box, type Everyone, and then click OK. In the Windows Security dialog box, enter the name and password of the cpandl\administrator account. 10. Click OK twice to close the properties sheet. Caution When the AD RMS cluster is operating in decommissioning mode, all users, whether or not they had rights to the original rights-protected content, can obtain a content key and gain full rights to the content. 8

Configure the AD RMS-enabled application to use the decommissioning pipeline Once the AD RMS cluster is in decommissioning mode, you must configure the AD RMS-enabled applications to obtain a content key from the decommissioning service and permanently decrypt the rights-protected content. The AD RMS client itself has no part in the decommissioning process. To configure the AD RMS-enabled application to use the decommissioning pipeline 1. Log on to ADRMS-CLNT as cpandl\nhollida. 2. Click Start, type regedit in the Start Search box, and then press ENTER. Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. 3. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM. 4. Right-click DRM, point to New, and then click Key. 5. Type Decommission as the name for the registry key, and then press ENTER. 6. Right-click Decommission, point to New, and then click String Value. 7. Type https://adrms-srv.cpandl.com/_wmcs/licensing, and then press ENTER. 8. Double-click the registry entry. 9. In the Value data box, type https://adrms-srv.cpandl.com/_wmcs/decommission, and then click OK. 10. Close Registry Editor. 11. Repeat steps 1-10 for Stuart Railson and Limor Henig. Step 2: Verifying AD RMS Functionality Once the content is decrypted, the user should then save the content without AD RMS protection. To use the decommissioning service, the user must have been previously enrolled within the AD RMS infrastructure. A user without an activated AD RMS client cannot use the decommissioning service to gain access to rights-protected content. If the decommissioning service is working correctly, any user in the domain, using a computer with the AD RMS-enabled application configured to use the decommissioning service, can open any file that was rights-protected by the AD RMS cluster being decommissioned, remove the rights protection, and save the file. To verify this, you log on as Limor Henig, open the ADRMS- TST.docx file that was created with rights protection in the Windows Server Active Directory Rights Management Services Step-by-Step Guide, remove the rights protection, and save the file. 9

To save a document without rights protection 1. Log on to ADRMS-CLNT as Limor Henig (cpandl\lhenig). 2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007. 3. Click the Microsoft Office Button, click Open, and then type \\ADRMS-DB\PUBLIC \ADRMS-TST.docx. 4. When the document opens, click the Change Permissions button and clear the Restrict permissions to this document check box, and then click OK. 5. Save the file as you normally would anything other document. You have successfully enabled the AD RMS decommissioning service, removed rights-protection from a document, and then saved it without rights-protection. Once you have ensured that all rights-protected content is decrypted and saved without rights-protection, you can unregister the SCP by using the Active Directory Rights Management Services console, uninstall AD RMS, and reprovision these servers for other services. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information