AD RMS Deployment in a Resource Forest Step-by-Step Guide
Applies To: Windows Server 2008, Windows Server 2008 R2
Authored By: Bill Mathers
This step-by-step guide walks you through the process of configuring Active Directory Rights Management Services (AD RMS) in a test environment that includes a Microsoft® Exchange Server 2007 resource forest. An Exchange Server resource forest is also called a dedicated Exchange Server forest. A basic example of an Exchange Server resource forest topology has two forests. One forest contains the primary user accounts for your organization. This forest is called the accounts forest. The other forest does not contain any primary user accounts. It only contains the Exchange Server servers and disabled user accounts. It will also contain the AD RMS servers. This forest is called the resource forest. A full copy of this document for download can be found at Active Directory Rights Management Services in a Resource Forest – End-to-End Solution (https://go.microsoft.com/fwlink/?LinkID=190263).
In this guide, the AD RMS cluster will be extended to allow users from the accounts forest to create and consume protected content. Once complete, you can use the test AD RMS lab environment to assess how AD RMS on Windows Server® 2008 can be created and deployed within your organization to accommodate a resource forest.
Important
In order for the test environment to work, the security identifiers (SIDs) of the user accounts from the accounts forest are mapped to the sIDHistory attribute of their corresponding disabled user accounts in the resource forest. It is important that you understand the use of SIDs and sIDHistory across forests, which is outside the scope of this documentation. For more information, see Using SID History to Preserve Resource Access (https://go.microsoft.com/fwlink/?LinkId=156709).
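Because every later step depends on that SID-to-sIDHistory mapping being correct, it is worth checking it before verifying e-mail or AD RMS functionality. The following script is an added example, not part of this guide or of the ILM/ADMT code in the Appendices. It assumes the Active Directory module for Windows PowerShell (shipped with Windows Server 2008 R2), a working forest trust, and the placeholder domain controller names and OU path shown; substitute your own. For each account in the resource-forest OU it reports whether sIDHistory is missing, resolves to no accounts-forest user, or resolves to a user with a different sAMAccountName, and it flags resource-forest accounts that are enabled, since the design in this guide keeps them disabled.

```powershell
# Added example (not from the guide): verify that each resource-forest user
# carries the SID of its accounts-forest counterpart in sIDHistory.
# Assumes the Active Directory PowerShell module (Windows Server 2008 R2).
Import-Module ActiveDirectory

$accountsDC = 'dc1.accounts.example.com'                      # placeholder
$resourceDC = 'dc1.resource.example.com'                      # placeholder
$resourceOU = 'OU=LinkedUsers,DC=resource,DC=example,DC=com'  # placeholder

# Resource-forest accounts that should carry a migrated SID.
$resourceUsers = Get-ADUser -Server $resourceDC -SearchBase $resourceOU `
    -Filter * -Properties sIDHistory, Enabled

foreach ($ru in $resourceUsers) {
    # sIDHistory is a collection of SecurityIdentifier objects; keep the strings.
    $history = @($ru.sIDHistory | ForEach-Object { $_.Value })
    $status  = 'OK'
    $detail  = ''

    if ($history.Count -eq 0) {
        $status = 'MISSING'
        $detail = 'no sIDHistory; ADMT has not migrated this account yet'
    }
    else {
        foreach ($sid in $history) {
            # Resolve the historical SID back in the accounts forest.
            $au = Get-ADUser -Server $accountsDC -Identity $sid -ErrorAction SilentlyContinue
            if ($null -eq $au) {
                $status = 'ORPHAN'
                $detail = "sIDHistory $sid resolves to no accounts-forest user"
            }
            elseif ($au.SamAccountName -ne $ru.SamAccountName) {
                $status = 'MISMATCH'
                $detail = "sIDHistory $sid belongs to $($au.SamAccountName)"
            }
        }
    }

    # The resource-forest accounts are meant to stay disabled; an enabled one
    # is configuration drift even when its sIDHistory is correct.
    if ($ru.Enabled) { $status = "$status/ENABLED" }

    [PSCustomObject]@{
        ResourceUser = $ru.SamAccountName
        sIDHistory   = ($history -join ';')
        Status       = $status
        Detail       = $detail
    }
}
```

Run it from a computer in the resource forest with an account that can read both forests, and pipe the output to Format-Table or Export-Csv. Any row whose Status is not plain OK should be resolved (re-running the ADMT SID migration or correcting the ILM provisioning) before continuing with the linked-mailbox and AD RMS verification steps.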
This version of deploying AD RMS does not represent the only acceptable architectural design. Another possible design consists of having a certification-only cluster in the accounts forest and a licensing-only AD RMS cluster in the resource forest.
In this document, the linked mailboxes in the resource forest are created either manually with Exchange System Manager, or with Windows PowerShell in the automated portion. Another acceptable way of accomplishing this would be to modify the ILM FP1 provisioning code and use the ExchangeUtils class. For additional information about ExchangeUtils, see the ILM FP1 SDK on MSDN (https://go.microsoft.com/fwlink/?LinkId=160779).
The infrastructure required before implementing the steps in this document is fairly extensive. Although these steps are outside the scope of this document, the Appendix H - Pre-Implementation Checklists topic provides some useful checklists in addition to reference links that will help you set up your environment. The software requirements are listed in the Prerequisites for AD RMS Deployment in a Resource Forest topic.
The Administrator account in each forest was installed with Pass1word$ as its password. If you have set up your environment with a different password, make sure that you substitute it where appropriate.
As you complete the steps in this guide, you will:
- Configure Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) Feature Pack 1.
- Write some code and compile it with Microsoft® Visual Studio 2008 Service Pack 1.
- Use the Active Directory Migration Tool (ADMT) to migrate an accounts-forest user's SID to a resource-forest user's sIDHistory.
- Use Microsoft Exchange Server 2007 and Windows PowerShell to create linked mailboxes.
- Verify e-mail functionality after you complete the configuration.
- Verify AD RMS functionality after you complete the configuration.
Note
ILM 2007 FP1 is not required for AD RMS. However, we strongly recommend it for this guide. It is used in this scenario to accomplish the following:
- Automatically provision disabled user accounts into the resource forest based on their corresponding accounts forest user account.
- Automatically provision users to a SQL table and track when that user has had their sIDHistory attribute populated.
Note
Visual Studio 2008 is not required for AD RMS. It is used in the scenario described in these topics to compile the ILM FP1 extensions and the automation application, which uses the code provided in the Appendices. If the full version of Visual Studio 2008 is unavailable, you can use one of the Express editions. For more information about Visual Studio products, see Visual Studio 2008 Express Editions (https://go.microsoft.com/fwlink/?LinkId=154574).
What This Guide Does Not Provide
This guide does not provide the following:
- Guidance for setting up and configuring Active Directory Domain Services (AD DS) in either a production or test environment. This guide assumes that AD DS is already configured and both the accounts forest and the resource forest have been created. For more information about configuring AD DS, see AD DS Installation and Removal Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=154567).
- Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured and working in the resource forest. For more information about configuring AD RMS, see the AD RMS Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=154256).
- Guidance for setting up and configuring Microsoft Exchange Server 2007 Service Pack 1 in either a production or test environment. This guide assumes that Exchange Server 2007 SP1 is already set up and configured in the resource forest. For more information about configuring Exchange Server 2007, see Microsoft Exchange Server 2007 (https://go.microsoft.com/fwlink/?LinkId=154564).
- Guidance for setting up and configuring Microsoft SQL Server 2008 Service Pack 1 in either a production or test environment. This guide assumes that SQL Server 2008 SP1 is already configured in the resource forest. For more information about how to configure SQL Server 2008 SP1, see Installing SQL Server 2008 (https://go.microsoft.com/fwlink/?LinkID=154569).
- Guidance for setting up ILM 2007 FP1 in either a production or test environment. This guide assumes that ILM 2007 FP1 is already configured in the resource forest. For more information about how to install ILM 2007 FP1, see Getting Started with MIIS 2003 Walkthrough (https://go.microsoft.com/fwlink/?LinkId=154570).
- Guidance for setting up Windows Server 2008 forest trusts in either a production or test environment. This guide assumes that a forest-level trust exists between the accounts forest and the resource forest. For more information about how to set up forest-level trusts, see Creating Forest Trusts (https://go.microsoft.com/fwlink/?LinkId=154632).
- Guidance for setting up conditional forwarding for DNS in either a production or test environment. This guide assumes that conditional forwarding has already been set up between the two DNS servers. For more information about how to set up forwarders, see Configure a DNS Server to Use Forwarders (https://go.microsoft.com/fwlink/?LinkId=154636).
- Guidance for setting up Visual Studio 2008 in either a production or test environment. This guide assumes that Visual Studio 2008 is already installed on the ILM 2007 FP1 computer. For more information about how to install Visual Studio 2008, see Installation and Setup Essentials (https://go.microsoft.com/fwlink/?LinkId=154573).
- Guidance for setting up the Active Directory Migration Tool (ADMT) in either a production or test environment. This guide assumes that ADMT is set up and working correctly between the accounts forest and the resource forest. For more information about how to set up ADMT for Windows Server 2008, see Active Directory Migration Tool version 3.1 (https://go.microsoft.com/fwlink/?LinkId=158039).