AD RMS Rights Policy Templates Deployment Step-by-Step Guide

Applies To: Windows Server 2008, Windows Server 2008 R2

About this Guide

This step-by-step guide walks you through the process of creating and deploying Active Directory Rights Management Services (AD RMS) policy templates in a test environment. During this process you create a rights policy template, deploy this template to a client computer running Windows Vista® with Service Pack 1 (SP1) and Microsoft® Office Word 2007, and verify that the client computer can rights-protect a document by using the newly created rights policy template.

Once complete, you can use the test lab environment to assess how AD RMS rights policy templates can be created with Windows Server® 2008 and deployed within your organization.

As you complete the steps in this guide, you will:

  • Create an AD RMS rights policy template.

  • Deploy the rights policy template.

  • Verify AD RMS functionality after you complete the configuration.

The goal of an AD RMS deployment is to be able to protect information, no matter where it is moved. Once AD RMS protection is added to a digital file, the protection stays with the file. By default, only the content owner is able to remove the protection from the file. The owner can grant rights to other users to perform actions on the content, such as the ability to view, copy, or print the file.

What This Guide Does Not Provide

This guide does not provide the following:

  • Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured for a test environment. For more information about configuring AD RMS, see Windows Server Active Directory Rights Management Services Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=72134).

  • Complete technical reference for AD RMS or deploying AD RMS templates within your organization.

Deploying AD RMS in a Test Environment

We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Microsoft products without accompanying documentation and should be used with discretion as a stand-alone document.

Before you start the steps in this guide, you will need to use the steps provided in Windows Server Active Directory Rights Management Services Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=72134), also in a lab environment. That guide prepares the basic infrastructure for an AD RMS deployment, with an AD RMS cluster, AD RMS databases, and a domain controller. This step-by-step guide builds on that guide, so it is important to complete that guide before starting this one.

On completion of this step-by-step guide, you will have a working AD RMS cluster with a deployed rights policy template. You can then test and verify AD RMS rights policy template functionality through the simple task of restricting permissions on a Microsoft Office Word 2007 document with the rights policy template created in this guide.

The test environment described in this guide includes three computers connected to a private network and using the following operating systems, applications, and services:

| Computer Name | Operating System | Applications and Services |
|---|---|---|
| ADRMS-SRV | Windows Server 2008 | AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, Message Queuing (also known as MSMQ), and Windows Internal Database |
| CPANDL-DC | Windows Server 2003 with Service Pack 2 (SP2) | Active Directory®, Domain Name System (DNS) |
| ADRMS-DB | Windows Server 2003 with SP2 | Microsoft SQL Server® 2005 Standard Edition |
| ADRMS-CLNT | Windows Vista with SP1 | Microsoft Office Word 2007 Enterprise Edition |

The computers form a private intranet and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment if desired. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the domain named cpandl.com.

The following figure shows the configuration of the test environment: