How to Configure Active Directory Rights Management Services in Server 2022

Posted on 20th June 2023

Active Directory Rights Management Services (AD RMS, or Rights Management Services) is server software for information rights management deployed on Windows Server. It uses encryption and a form of selective functionality denial to protect documents and e-mail messages from unauthorized use.

RMS is designed to persistently protect and control the usage of information wherever it travels and wherever it resides, both within and beyond the firewall. By using RMS, an organization can encrypt its confidential documents and e-mail messages, and specify exactly who can read, edit, or print them and under what conditions.

RMS-protected content cannot be read or edited by unauthorized users, even if they manage to copy it from its original location. If an unauthorized user tries to open RMS-protected content, the RMS client will contact the licensing server to obtain the necessary usage rights. If the user is not licensed, the RMS client will not be able to open the content.

In this article, we will show you how to configure Active Directory Rights Management Services in Server 2022.

Before you begin, you will need to have the following:

• A Windows Server 2022 machine.

• Active Directory Domain Services installed and configured.

• A domain user account with administrative privileges.

RMS uses two types of servers: licensing servers and certification servers. The licensing server is used to issue usage licenses to users who request them. The certification server is used to issue certificates that are used to encrypt and decrypt content.

In most deployments, both the licensing server and the certification server are deployed on the same machine. However, it is also possible to deploy them on separate machines.

In this article, we will assume that both the licensing server and the certification server are deployed on the same machine.

1. Open the Server Manager console and select the “Add Roles and Features” option.

2. Select the “Role-based or feature-based installation” option and click Next.

3. Select the server on which you want to install AD RMS and click Next.

4. Select the “Active Directory Rights Management Services” role and click Next.

5. Click Next to confirm the installation options.

6. Click Install to begin the installation process.

7. Once the installation is complete, click Close.

8. Select the “AD RMS” role service and click Next.

9. Select the “Create a new AD RMS cluster” option and click Next.

10. Enter the fully qualified domain name (FQDN) of the server on which you are installing AD RMS and click Next.

11. Enter the service account credentials and click Next.

12. Enter the licensing server credentials and click Next.

13. Enter the certification server credentials and click Next.

14. Select the database options and click Next.

15. Select the web server options and click Next.

16. Click Install to begin the installation process.

17. Once the installation is complete, click Close.

Active Directory Rights Management Services (AD RMS) is a server role in Active Directory Domain Services (AD DS) that provides persistent protection for digital information. By using AD RMS, an organization can help control which users can access and use specific content, as well as help prevent unauthorized distribution of sensitive or confidential information. AD RMS uses encryption, identity, and authorization policies to help control access to content.

When you install AD RMS, you must also install the Web Server (IIS) server role. For information about installing AD RMS, see the AD RMS Installation Guide.

The following sections provide information about how to configure Active Directory Rights Management Services (AD RMS) in Server 2022:

Configure the AD RMS Cluster

The AD RMS cluster is a group of servers that work together to provide high availability for the AD RMS service. To configure the AD RMS cluster, you must first install the AD RMS server role on all servers that will be part of the cluster. For more information, see the AD RMS Installation Guide.

After you have installed the AD RMS server role on all cluster servers, you must configure the cluster. To do this, you must use the AD RMS Cluster Configuration Wizard. This wizard configures the cluster and creates the self-signed certificate that is used for communication between the cluster servers.

To launch the AD RMS Cluster Configuration Wizard

1. On the Start menu, click Administrative Tools, and then click AD RMS Cluster Configuration Wizard.
2. If the User Account Control dialog box appears, click Continue.
3. On the Welcome to the AD RMS Cluster Configuration Wizard page, click Next.
4. On the Specify the AD RMS Service Account page, specify the account that will be used to run the AD RMS service, and then click Next.
5. On the Specify the AD RMS Database Server page, specify the name of the server that will host the AD RMS database, and then click Next.
6. On the Specify the AD RMS Database Name page, specify the name of the AD RMS database, and then click Next.
7. On the Configure the Certificate for the AD RMS Cluster page, specify the following information, and then click Next.

• The name of the server that will be used to generate the self-signed certificate. This server must be part of the cluster.
• The name of the certificate. This name will be used to identify the certificate when it is installed on other servers.
• The length of time for which the certificate will be valid. The default length is one year.
8. On the Specify the Service Connection Point page, specify the following information, and then click Next.

• The name of the server that will host the Service Connection Point (SCP). This server must be part of the cluster.
• The name of the Active Directory domain in which the SCP will be registered.
9. On the Ready to Configure the Cluster page, review the settings, and then click Configure.
10. On the Configuration Results page, click Finish.

Configure the Web Server (IIS)

The Web Server (IIS) server role must be installed on all servers that are part of the AD RMS cluster. For more information, see the AD RMS Installation Guide.

After you have installed the Web Server (IIS) server role, you must configure IIS to work with AD RMS. To do this, you must use the IIS Manager console.

To configure IIS to work with AD RMS

1. On the Start menu, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. In the left pane, expand the server name, and then expand Sites.
3. In the right pane, click Default Web Site.
4. In the Actions pane, click Bindings.
5. In the Site Bindings dialog box, click Add.
6. In the Add Site Binding dialog box, do the following:

• In the Type drop-down list, select https.
• In the SSL Certificate drop-down list, select the self-signed certificate that was created when you configured the AD RMS cluster.
• Click OK.
7. In the Site Bindings dialog box, click Close.
8. In the left pane, expand the server name, and then expand Sites.
9. In the right pane, click Default Web Site.
10. In the Actions pane, click Restart.
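The same HTTPS binding created from PowerShell, as an added example that is not part of the original article: it locates the self-signed cluster certificate, binds it to port 443 on the Default Web Site, restarts the site and checks that 443 answers. The cluster FQDN in $ClusterFqdn is an assumed value; the script relies on the WebAdministration module that ships with IIS.

```powershell
# Added example (not from the original article): bind HTTPS on the Default Web Site
# to the self-signed cluster certificate and verify the binding.
Import-Module WebAdministration

$ClusterFqdn = 'adrms.corp.example'   # assumed value; replace with your cluster FQDN
$SiteName    = 'Default Web Site'

# Locate the self-signed certificate created during cluster configuration:
# the newest certificate in the machine store whose subject names the cluster FQDN.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$ClusterFqdn*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $ClusterFqdn found in LocalMachine\My" }

# Add the https binding on 443 only if it is not already there (safe to re-run).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the SSL binding for all addresses on port 443.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Restart the site (the equivalent of the Restart action in IIS Manager).
Stop-Website -Name $SiteName
Start-Website -Name $SiteName

# Verify: the https binding exists and the cluster FQDN answers on 443.
Get-WebBinding -Name $SiteName -Protocol https | Format-Table protocol, bindingInformation
Test-NetConnection -ComputerName $ClusterFqdn -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Clients that do not trust the self-signed certificate will fail the HTTPS connection to the cluster, so in production the cluster certificate is normally issued by an enterprise CA that clients already trust.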

Configure the Firewall

If a firewall is running on the server, you must configure it to allow traffic to pass through to the AD RMS cluster. To do this, you must open the following ports:

• TCP port 80: Used for HTTP traffic.
• TCP port 443: Used for HTTPS traffic.
• UDP port 3544: Used for the AD RMS discovery process.

You can use the Windows Firewall with Advanced Security console to configure the firewall.

To configure the firewall

1. On the Start menu, click Administrative Tools, and then click Windows Firewall with Advanced Security.
2. In the left pane, click Inbound Rules.
3. In the right pane, click New Rule.
4. In the New Inbound Rule Wizard, do the following:

• In the Rule Type dialog box, click Port, and then click Next.
• In the Protocol and Ports dialog box, do the following:

» In the Protocol drop-down list, select TCP.
» In the Specific local ports text box, type 80, and then click Next.
• In the Action dialog box, do the following:

» In the Action drop-down list, select Allow the connection, and then click Next.
• In the Profile dialog box, do the following:

» Select the appropriate profile for your environment, and then click Next.
• In the Name dialog box, specify a name for the rule, and then click Finish.
5. In the left pane, click Inbound Rules.
6. In the right pane, click New Rule.
7. In the New Inbound Rule Wizard, do the following:

• In the Rule Type dialog box, click Port, and then click Next.
• In the Protocol and Ports dialog box, do the following:

» In the Protocol drop-down list, select TCP.
» In the Specific local ports text box, type 443, and then click Next.
• In the Action dialog box, do the following:

» In the Action drop-down list, select Allow the connection, and then click Next.
• In the Profile dialog box, do the following:

» Select the appropriate profile for your environment, and then click Next.
• In the Name dialog box, specify a name for the rule, and then click Finish.
8. In the left pane, click Inbound Rules.
9. In the right pane, click New Rule.
10. In the New Inbound Rule Wizard, do the following:

• In the Rule Type dialog box, click Port, and then click Next.
• In the Protocol and Ports dialog box, do the following:

» In the Protocol drop-down list, select UDP.
» In the Specific local ports text box, type 3544, and then click Next.
• In the Action dialog box, do the following:

» In the Action drop-down list, select Allow the connection, and then click Next.
• In the Profile dialog box, do the following:

» Select the appropriate profile for your environment, and then click Next.
• In the Name dialog box, specify a name for the rule, and then click Finish.
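The three inbound rules from the procedure above, created and verified from PowerShell, as an added example that is not part of the original article. The rule names and the Domain profile are assumptions; adjust -Profile if the server sits on a different network profile.

```powershell
# Added example (not from the original article): create the inbound rules for
# TCP 80, TCP 443 and UDP 3544 listed in the procedure, then verify each one.
$rules = @(
    @{ Name = 'AD RMS HTTP (TCP 80)';        Protocol = 'TCP'; Port = 80   },
    @{ Name = 'AD RMS HTTPS (TCP 443)';      Protocol = 'TCP'; Port = 443  },
    @{ Name = 'AD RMS discovery (UDP 3544)'; Protocol = 'UDP'; Port = 3544 }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script is safe to re-run.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$($r.Name)' already exists, skipping"
        continue
    }
    # Profile is assumed to be Domain; the wizard's Profile page is the equivalent choice.
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Inbound -Action Allow -Enabled True `
        -Protocol $r.Protocol -LocalPort $r.Port `
        -Profile Domain | Out-Null
}

# Verify: read back each rule with the protocol and local port the firewall applies,
# and flag any rule whose port filter does not match what was requested.
foreach ($r in $rules) {
    $rule   = Get-NetFirewallRule -DisplayName $r.Name
    $filter = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $rule.DisplayName
        Enabled  = $rule.Enabled
        Profile  = $rule.Profile
        Protocol = $filter.Protocol
        Port     = $filter.LocalPort
        Matches  = ($filter.Protocol -eq $r.Protocol -and [int]$filter.LocalPort -eq $r.Port)
    }
}
```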

Configure the AD RMS Service Connection Point

The AD RMS Service Connection Point (SCP) is an object in Active Directory Domain Services (AD DS) that contains information about the AD RMS cluster. The SCP must be registered in AD DS so that clients can discover the AD RMS cluster.

To configure the SCP

1. On the Start menu, click Administrative Tools, and then click AD RMS Service Connection Point Management.
2. In the results pane, right-click the SCP, and then click Properties.
3. In the SCP Properties dialog box, do the following:

• In the Display name text box, type the name of the AD RMS cluster.
• In the Contact e-mail address text box, type the e-mail address of a contact for the AD RMS cluster.
• In the Location text box, type the location of the AD RMS cluster.
• Click OK.

Configure the AD RMS Proxy

The AD RMS proxy is a component of AD RMS that allows AD RMS-enabled clients that are not members of the AD RMS trusted user domain to access AD RMS-protected content. The proxy provides a mechanism for authenticating these clients and for routing requests to the appropriate AD RMS cluster.

To configure the AD RMS proxy

1. On the Start menu, click Administrative Tools, and then click AD RMS Proxy Configuration.
2. In the results pane, click Enable AD RMS Proxy.
3. In the Enable AD RMS Proxy dialog box, do the following:

• In the AD RMS Proxy