This guide is intended to help you quickly set up a server running the Active Directory Rights Management Services (AD RMS) server role in Windows Server 2008 or Windows Server 2008 R2 so that you can evaluate it and decide if you want to do a more wide-scale deployment in your organization. This guide assumes that you know how to perform basic tasks for administering an Active Directory domain and a Windows Server 2008 computer.

Note   For more information on how to perform a simple deployment of AD RMS in Windows Server 2012 for evaluation purposes, see Test Lab Guide: Deploying an AD RMS Cluster.

Step 1: Prepare for AD RMS

AD RMS depends on other components that you install and configure before you use the service. Your infrastructure will satisfy the basic requirements after you complete the following tasks:

1. Create an Active Directory forest running at the Windows Server 2003 level or later. (If you have an existing forest that you want to use for this purpose, you can skip this step.)
2. In the Active Directory domain, create two user accounts:
   • An account that the AD RMS service will run under. Be sure to configure the password settings of the account to match the service-account password policy of your organization. For example, if your organization allows service account passwords to never expire, make sure that this option is selected.

     Note: Microsoft recommends against running AD DS and AD RMS on the same server in production environments. If you choose to do this in your evaluation setup, however, you must add the AD RMS service account to the Domain Admins group.

   • An account that will be used to administer AD RMS. Add this account to the Enterprise Admins security group of the domain. (You should remove the account from this group after AD RMS is installed.)
3. If you want to use a SQL database on a separate server to store the AD RMS configuration and logging databases, set up a server running Microsoft SQL server 2005 or later, and make sure that the AD RMS administrator account has the privileges needed to create a database on the server while you are adding the AD RMS server role.

   Note: When you install AD RMS, you choose where you want the configuration and logging databases to be stored. You can choose a separate database server, or you can store the databases on the Windows Internal Database that is available in Windows Server 2008 and Windows Server 2008 R2. Microsoft recommends that you use the internal database only for test and evaluation purposes. You cannot easily change databases after AD RMS has been installed.

4. If you do not have one already, obtain a secure sockets layer (SSL) certificate from a recognized certification authority that you can install on the AD RMS server before you add the AD RMS server role. If you do not want to use an SSL certificate for this purpose, you can choose to install AD RMS with an unencrypted connection or by using a self-signed certificate. Neither of these options is recommended in production environments, however.

Step 2: Install and configure the AD RMS server

After you have finished setting up the prerequisite infrastructure for AD RMS, you can add and configure the AD RMS server role by completing the following tasks:

1. Install Windows Server 2008 or Windows Server 2008 R2 on a computer, and join the computer to the Active Directory domain.
2. If you want to configure AD RMS to use a hardware- or software-based cryptographic service provider (CSP)—such as a hardware security module (HSM)—to protect the cluster key, make sure the CSP is properly configured. If you are using a CSP to protect the cluster key and add another server to the cluster, you must manually move the cluster key to the new server before you add the AD RMS server role.
3. Add the the AD RMS administrator account to the computer’s local Administrators group.
4. Log on to the computer using the AD RMS administrator account.
5. Open Server Manager, click Roles, and then in the Roles Summary box, click Add Roles, and then click Next.
6. In the Select Server Roles page, select Active Directory Rights Management Services, and then click Next.
7. The Role Services page appears informing you of the AD RMS dependent role services and features. Make sure that Web Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click Next three times until you reach the Create or Join an AD RMS Cluster page.
8. Make sure that Create a new AD RMS cluster is selected, and then click Next. (If this option is not available, it means that an AD RMS root cluster already exists in the forest and you cannot create another AD RMS root cluster there.)
9. Select the database server you want to use:
   1. If you are not using the Windows Internal Database, select Use a different database server.
   2. Type the name of the server in the Server box
   3. Click Get database instances, and then select the database instance you want to use.
   4. Click Validate, and then click Next.
10. On the Specify Service Account page, click Specify, enter the credentials of the AD RMS service account domain account, click OK and then click Next.
11. On the Configure AD RMS Cluster Key Storage page, select the method you want to use to protect the cluster key:
    • If you want to store the cluster key in the AD RMS configuration database, select Use AD RMS centrally managed key storage, click Next, type a password to be used to protect the cluster key, and then click Next.
    • If you want to store the cluster key in a CSP, select Use CSP key storage, click Next, select the CSP you want to use, and then click Next.
12. Select the Web site you want to use for the AD RMS virtual directory, and then click Next.
13. In the Specify Cluster Address page, select the connection type you want to use:
    • If you have imported an SSL certificate for use with the AD RMS Web site, or if you want to use a self-signed certificate, select Use an SSL-encrypted connection (https://).
    • If you do not wish to use a secure connection (not recommended), select Use an unencrypted connection (http://).
14. In the Fully qualified domain name box, type the FQDN of the address to be used inside your organization for accessing the AD RMS cluster. (In production environments, it is strongly recommended that you create a DNS CNAME record for this URL so it can be changed without requiring all rights-protected files to be republished.) Click Validate, and then click Next.
15. If you are using a secure connection, select the certificate you want to use (if you are not using a secure connection, the wizard skips this step):
    • If you have already imported an SSL certificate, or have a certificate available to import, select Choose an existing certificate for SSL encryption (recommended) and then select the certificate in the list, or click Import to import the certificate from a file.
    • If you want to use a self-signed certificate for evaluation purposes, select Create a self-signed certificate for SSL encryption. Because this certificate is not issued by a recognized certification authority, you will need to export this certificate and install it on all client computers that will access the AD RMS cluster.
    • If you do not have a certificate installed but do not want to use a self-signed certificate, select Choose a certificate for SSL encryption later.

      Important: You will not be able to administer AD RMS until you have imported the certificate and configured the AD RMS Web site to use it.

16. Type an easy-to-remember name for the server licensor certificate, click Next, and then click Install.
17. After the installation completes, log off the AD RMS server and remove the AD RMS administrator account from the domain Enterprise Admins group. 

     

Step 3: Test AD RMS

Now that AD RMS is running on a server in the forest, you can verify that it is working properly by completing the following tasks:

1. If you have not already done so, join a client computer running Windows Vista or Windows 7 to a domain in the forest.
2. On the client computer, install an AD RMS–enabled application, such as the Enterprise, Professional Plus, or Ultimate version of Microsoft Office 2007.
3. Use a domain account to log on to the client computer, open the AD RMS–enabled application, create and save a rights-protected document in a publicly available folder.
4. Use another domain account to log on to the client computer and then attempt to open and change the document created in the previous step. Your ability to read or change the document should be controlled by the rights specified in the previous step. For example, if you granted Everyone read-only rights, you should be able to open the document, but not change it.