AD RMS in a Resource Forest – End-to-End Solution
Microsoft Corporation
Published: January 2010
Author: Bi...
Microsoft Windows Server 2008 R2 - AD RMS In A Resource Forest End to End Solution Whitepaper
AD RMS in a Resource Forest – End-to-End Solution
Microsoft Corporation
Published: January 2010
Author: Bill Mathers
Editor: John Andrilla

Acknowledgements
Special thanks to the following people for reviewing and providing invaluable feedback for this document:
Tao Wu, Microsoft Corporation.
Uwe Wizovsky, Microsoft Corporation.
Kevin Miller, Microsoft Corporation.
Jason Tyler, Microsoft Corporation.

Abstract
This document will assist architects, consultants, system engineers, and system administrators in deploying Active Directory Rights Management Services (AD RMS) in a resource forest topology.

Copyright
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document.
Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents
AD RMS Deployment in a Resource Forest Step-by-Step Guide
What This Guide Does Not Provide
Scenario Overview
Prerequisites for AD RMS Deployment in a Resource Forest
See Also
Limitations of This Deployment Design
Implementing the Procedures in this Document
See Also
Step 1 - Create AccountsForestUsers Organizational Unit
Creating the AccountsForestUsers organizational unit
Step 2 - Create ResourceForestUsers Organizational Unit
Creating the ResourceForestUsers organizational unit
See Also
Step 3 - Create Test Users in Accounts Forest
Create the Test Users
Add Employee ID to Test Users
See Also
Step 4 - Create Test Users in Resource Forest
Create the Test Users
Add Employee ID to Test Users
See Also
Step 5 - Create Test Groups in Resource Forest
Create the Test Groups
See Also
Step 6 - Extend ILM Metaverse Schema
Extending the ILM 2007 FP 1 schema
See Also
Step 7 - Create Accounts Forest Management Agent
See Also
Step 8 - Create Resource Forest Management Agent
Step 9 - Create ACCOUNT Management Agent Run Profiles
Creating the ACCOUNT Management Agent Run Profiles
See Also
Step 10 - Create RESOURCE Management Agent Run Profiles
Creating the RESOURCE Management Agent Run Profiles
See Also
Step 11 - Create the Metaverse Rules Extension
See Also
Step 12 - Create SCP in Accounts Forest
See Also
Step 13 - Create Active Directory Migration Tool Options File
See Also
Step 14 - Create ADRMSPublic Shared Folder
See Also
Step 15 - Create Fabrikam Confidential Rights Policy Template
See Also
Step 16 - Create Fabrikam FTE Confidential Rights Policy Template
See Also
Step 17 - Enable Rights Management Scheduled Task on ACC-CLT1
See Also
Step 18 - Add AdminTemplatePath Registry Key and Trusted Sites on ACC-CLT1
Add the AD RMS URL to Trusted Sites
See Also
Step 19 - Enable Rights Management Scheduled Task on RES-CLT1
See Also
Step 20 - Add AdminTemplatePath Registry Key and Trusted Sites on RES-CLT1
Add the AD RMS URL to Trusted Sites
See Also
Testing the Implementation
See Also
Step 1 - Run ACCOUNT MA Full Import
Running ACCOUNT Management Agent Full Import
Step 2 - Run RESOURCE MA Full Import
Running RESOURCE Management Agent Full Import
Step 3 - Run ACCOUNT MA Full Synch
Running ACCOUNT Management Agent Full Synchronization
Step 4 - Run RESOURCE MA Export
Running RESOURCE Management Agent Export
Step 5 - Run RESOURCE MA Delta Import
Running RESOURCE Management Agent Delta Import
Step 6 - Use Active Directory Migration Tool to Migrate a Test User
Using ADMT to Migrate a Test User
Step 7 - Use Exchange System Manager to Create Linked Mailbox
Using Exchange Management Console to Create a Linked Mailbox
Step 8 - Add Users to Groups
Add Test Users to Test Groups
Step 9 - Run RESOURCE MA Delta Import
Running RESOURCE Management Agent Delta Import
Step 10 - Run RESOURCE MA Full Synch
Running RESOURCE Management Agent Full Synchronization
Step 11 - Run ACCOUNT MA Export
Running ACCOUNT Management Agent Export
Step 12 - Run ACCOUNT MA Delta Import
Running ACCOUNT Management Agent Delta Import
Step 13 - Create Protected E-mail Content on RES-CLT1
Step 14 - Consume Protected E-mail Content on ACC-CLT1
Step 15 - Create Protected E-mail Content on ACC-CLT1
Step 16 - Consume Protected E-mail Content on RES-CLT1
Automating the Implementation
See Also
Step 1 - Uncomment and rebuild MV Extension Code
Uncomment and Recompile MVExtension
Step 2 - Create UserSidTracking Database
Creating the UserSidTracking Database
Step 3 - Create Users Table
Creating the Users Table
Step 4 - Create SQL Management Agent
Creating the SQL Management Agent
Step 5 - Create SQL Management Agent Run Profiles
Creating the SQL Management Agent Run Profiles
Step 6 - Create the SQL Rules Extension
Creating the SQL Management Agent Rules Extension
Step 7 - Create the Operations folder
Creating the Operations Folder
Step 8 - Get the Management Agent GUIDs
Retrieving the ILM FP1 GUIDs
Step 9 - Edit and Build Automation Application
Edit and Build Automation Application
Testing the Automation
See Also
Step 1 - Run the Automation Application
Running the Automation Application
Step 2 - Enable Rights Management Scheduled Task on ACC-CLT2
Enabling the Rights Management Scheduled Task
Step 3 - Add AdminTemplatePath Registry Key and Trusted Sites on ACC-CLT2
Add the AdminTemplatePath Registry Key
Add the AD RMS URL to Trusted Sites
Step 4 - Create Protected E-mail Content on RES-CLT1
Step 5 - Consume Protected E-mail Content on ACC-CLT1
Step 6 - Consume Protected E-mail Content on ACC-CLT2
Step 7 - Create Protected E-mail Content on ACC-CLT2
Step 8 - Consume Protected E-mail Content on RES-CLT1
Step 9 - Consume Protected E-mail Content on ACC-CLT1
Appendix A - UserSidTracking database T-SQL
Appendix B - Users Table T-SQL
Appendix C - Metaverse Extension Code
See Also
Appendix D - SQL MA Extension
Appendix E - Automation Application
Appendix F - ADMT Options File
Appendix G - MA GUID Retrieval Script
Appendix H - Pre-Implementation Checklists
See Also

AD RMS Deployment in a Resource Forest Step-by-Step Guide
This step-by-step guide walks you through the process of configuring Active Directory Rights Management Services (AD RMS) in a test environment that includes a Microsoft® Exchange Server 2007 resource forest. An Exchange Server resource forest is also called a dedicated Exchange Server forest. A basic example of an Exchange Server resource forest topology has two forests. One forest contains the primary user accounts for your organization; this forest is called the accounts forest. The other forest does not contain any primary user accounts. It contains only the Exchange servers and disabled user accounts, and in this guide it also contains the AD RMS servers. This forest is called the resource forest.
In this guide, the AD RMS cluster is extended to allow users from the accounts forest to create and consume protected content. Once complete, you can use the test AD RMS lab environment to assess how AD RMS on Windows Server® 2008 can be created and deployed within your organization to accommodate a resource forest.

Important
For the test environment to work, the security identifier (SID) of each user account in the accounts forest is mapped to the sIDHistory attribute of its corresponding disabled user account in the resource forest. It is important that you understand the use of SIDs and sIDHistory across forests, which is outside the scope of this documentation. For more information, see Using SID History to Preserve Resource Access (http://go.microsoft.com/fwlink/?LinkId=156709).
This version of deploying AD RMS does not represent the only acceptable architectural design.
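The design above stands or falls on one attribute: each disabled placeholder account in the resource forest must carry, in sIDHistory, exactly the objectSid of its accounts-forest counterpart (the guide pairs the two by employee ID). The following audit script is an added example, not part of the whitepaper; it assumes the ActiveDirectory PowerShell module, the two domain controller names from the guide's VM table, and the OU distinguished names derived from the OU names the guide uses.

```powershell
# Added audit script (not from the whitepaper). Reports every account in the
# ResourceForestUsers OU whose sIDHistory does not hold exactly the objectSid of
# the accounts-forest user with the same employeeID, or that is not disabled.
# Assumptions: ActiveDirectory module (RSAT), DC names from the guide, and the
# OU distinguished names below, which are assumed from the guide's OU names.
Import-Module ActiveDirectory

$AccountsDC = 'ACC-DC.corp.fabrikam.com'
$ResourceDC = 'RES-DC.resource.fabrikam.net'
$AccountsOU = 'OU=AccountsForestUsers,DC=corp,DC=fabrikam,DC=com'
$ResourceOU = 'OU=ResourceForestUsers,DC=resource,DC=fabrikam,DC=net'

# Index the accounts forest by employeeID, the key the guide uses to pair accounts.
$accountsByEmpId = @{}
$accountsUsers = Get-ADUser -Server $AccountsDC -SearchBase $AccountsOU -Filter * -Properties employeeID
foreach ($acc in $accountsUsers) {
    if ($acc.employeeID) { $accountsByEmpId[$acc.employeeID] = $acc }
}

$resourceUsers = Get-ADUser -Server $ResourceDC -SearchBase $ResourceOU -Filter * -Properties employeeID, sIDHistory

$findings = foreach ($res in $resourceUsers) {
    # sIDHistory is multi-valued; normalise it to an array of SID strings.
    $history = @($res.sIDHistory | ForEach-Object { $_.Value })

    $src = $null
    if ($res.employeeID -and $accountsByEmpId.ContainsKey($res.employeeID)) {
        $src = $accountsByEmpId[$res.employeeID]
    }
    $srcName = if ($src) { $src.SamAccountName } else { '' }

    # Order matters: a missing partner or empty sIDHistory simply means the ADMT
    # step has not run; a wrong or extra SID means the account resolves to an
    # identity other than the one intended; an enabled placeholder is a second
    # logon path that the design does not want.
    $status = if (-not $src)                                { 'NO_MATCHING_ACCOUNTS_USER' }
              elseif ($history.Count -eq 0)                 { 'SIDHISTORY_EMPTY' }
              elseif ($history -notcontains $src.SID.Value) { 'SIDHISTORY_WRONG_SID' }
              elseif ($history.Count -gt 1)                 { 'SIDHISTORY_EXTRA_SIDS' }
              elseif ($res.Enabled)                         { 'RESOURCE_ACCOUNT_ENABLED' }
              else                                          { 'OK' }

    [pscustomobject]@{
        ResourceUser = $res.SamAccountName
        EmployeeID   = $res.employeeID
        AccountsUser = $srcName
        SidHistory   = ($history -join ';')
        Status       = $status
    }
}

$findings | Sort-Object Status, ResourceUser | Format-Table -AutoSize
```

Run it after the ADMT migration step and again whenever the ILM provisioning runs; any row other than OK is a user who will either fail to open protected content or resolve to the wrong resource-forest identity.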
Another possible design consists of having a certification-only cluster in the accounts forest and a licensing-only AD RMS cluster in the resource forest.
In this document, the linked mailboxes in the resource forest are created either manually, with Exchange System Manager, or with Windows PowerShell in the automated portion. Another acceptable way of accomplishing this would be to modify the ILM FP1 provisioning code and use the ExchangeUtils class. For additional information about ExchangeUtils, see the ILM FP1 SDK on MSDN (http://go.microsoft.com/fwlink/?LinkId=160779).
The infrastructure required before implementing the steps in this document is fairly extensive. Although these steps are outside the scope of this document, the Appendix H - Pre-Implementation Checklists topic provides some useful checklists in addition to reference links that will help you set up your environment. The software requirements are listed in the Prerequisites for AD RMS Deployment in a Resource Forest topic.
The Administrator account in each forest was installed with Pass1word$ as a password. If you have set up your environment with a different password, make sure that you substitute it where appropriate.
As you complete the steps in this guide, you will:
- Configure Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) Feature Pack 1.
- Write some code and compile it with Microsoft® Visual Studio 2008 Service Pack 1.
- Use the Active Directory Migration Tool (ADMT) to migrate an accounts forest user's SID into the sIDHistory attribute of the corresponding resource forest user.
- Use Microsoft Exchange Server 2007 and Windows PowerShell to create linked mailboxes.
- Verify e-mail functionality after you complete the configuration.
- Verify AD RMS functionality after you complete the configuration.

Notes
ILM 2007 FP1 is not required for AD RMS. However, we strongly recommend it for this guide. It is used in this scenario to accomplish the following:
- Automatically provision disabled user accounts into the resource forest based on their corresponding accounts forest user account.
- Automatically provision users to a SQL table and track when each user has had their sIDHistory attribute populated.

Note
Visual Studio 2008 is not required for AD RMS. It is used in the scenario described in these topics to compile the ILM FP1 extensions and the automation application, which use the code provided in the Appendices. If the full version of Visual Studio 2008 is unavailable, you can use one of the Express editions. For more information about Visual Studio products, see Visual Studio 2008 Express Editions (http://go.microsoft.com/fwlink/?LinkId=154574).

What This Guide Does Not Provide
This guide does not provide the following:
- Guidance for setting up and configuring Active Directory Domain Services (AD DS) in either a production or test environment. This guide assumes that AD DS is already configured and that both the accounts forest and the resource forest have been created. For more information about configuring AD DS, see AD DS Installation and Removal Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=154567).
- Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured and working in the resource forest. For more information about configuring AD RMS, see the AD RMS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=154256).
- Guidance for setting up and configuring Microsoft Exchange Server 2007 Service Pack 1 in either a production or test environment. This guide assumes that Exchange Server 2007 SP1 is already set up and configured in the resource forest. For more information about configuring Exchange Server 2007, see Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=154564).
- Guidance for setting up and configuring Microsoft SQL Server 2008 Service Pack 1 in either a production or test environment. This guide assumes that SQL Server 2008 SP1 is already configured in the resource forest. For more information about how to configure SQL Server 2008 SP1, see Installing SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkID=154569).
- Guidance for setting up ILM 2007 FP1 in either a production or test environment. This guide assumes that ILM 2007 FP1 is already configured in the resource forest. For more information about how to install ILM 2007 FP1, see Getting Started with MIIS 2003 Walkthrough (http://go.microsoft.com/fwlink/?LinkId=154570).
- Guidance for setting up Windows Server 2008 forest trusts in either a production or test environment. This guide assumes that a forest-level trust already exists between the accounts forest and the resource forest. For more information about how to set up forest-level trusts, see Creating Forest Trusts (http://go.microsoft.com/fwlink/?LinkId=154632).
- Guidance for setting up conditional forwarding for DNS in either a production or test environment. This guide assumes that conditional forwarding has already been set up between the two DNS servers. For more information about how to set up forwarders, see Configure a DNS Server to Use Forwarders (http://go.microsoft.com/fwlink/?LinkId=154636).
- Guidance for setting up Visual Studio 2008 in either a production or test environment. This guide assumes that Visual Studio 2008 is already installed on the ILM 2007 FP1 computer. For more information about how to install Visual Studio 2008, see Installation and Setup Essentials (http://go.microsoft.com/fwlink/?LinkId=154573).
- Guidance for setting up the Active Directory Migration Tool (ADMT) in either a production or test environment. This guide assumes that ADMT is set up and working correctly between the accounts forest and the resource forest. For more information about how to set up ADMT for Windows Server 2008, see Active Directory Migration Tool version 3.1 (http://go.microsoft.com/fwlink/?LinkId=158039).

Scenario Overview
Fabrikam, a fictitious company, has set up its e-mail infrastructure using a resource forest design. Currently it is investigating moving away from this design to a single forest design. However, this will take serious planning and will probably take significant time to implement. In the interim, Fabrikam wants to deploy AD RMS and take advantage of its ability to protect content from unauthorized use.
Fabrikam has two forests: corp.fabrikam.com, the accounts forest, and resource.fabrikam.net, the resource forest. These are shown in the test environment diagram in this topic. Current users reside in corp.fabrikam.com. They use Windows Vista® and the 2007 Microsoft Office system on their desktops. New users are created directly in resource.fabrikam.net. They use Windows® 7 Ultimate and the 2007 Microsoft Office system on their desktops. All e-mail servers and the AD RMS cluster will reside in the resource forest. Prior to being migrated, users in both forests must be able to send and consume protected e-mail content.

Note
The scenario detailed in this document is provided as an interim solution. Because of the security concerns exposed by this scenario, the utmost consideration should be given to moving to a single forest design.
The scenario outlined in this document has been developed and tested on two stand-alone computers that are running the Windows Server 2008 operating system and Hyper-V™. The servers have two 3.0 gigahertz (GHz) dual core processors and 4 gigabytes (GB) of RAM each.
The following table shows the six virtual machines that were created for this step-by-step guide on the hosts by using Hyper-V.<br />
Virtual Machines and Roles<br />
Computer Name | Forest | Operating System | Memory (MB) | Applications and Services | IP Address<br />
ACC-DC | corp.fabrikam.com | Windows Server 2008 | 512 | Active Directory® Domain Services, Domain Name System | 192.168.100.100<br />
ACC-CLT1 | corp.fabrikam.com | Windows Vista with Service Pack 2 | 1024 | Microsoft Office Word 2007 | 192.168.100.101<br />
ACC-CLT2 | corp.fabrikam.com | Windows Vista with Service Pack 2 | 1024 | Microsoft Office Word 2007 | 192.168.100.102<br />
RES-DC | resource.fabrikam.net | Windows Server 2008 with Service Pack 2 | 2048 | Active Directory® Domain Services, Domain Name System, Microsoft Exchange 2007, IIS 7.0, Microsoft SQL Server 2008 with Service Pack 1, Identity Lifecycle Manager 2007 Feature Pack 1, Microsoft® Visual Studio 2008, Active Directory Migration Tool version 3.1 | 192.168.100.1<br />
RES-ADRMS | resource.fabrikam.net | Windows Server 2008 with Service Pack 2 | 1024 | AD RMS, Microsoft SQL Server 2008 with Service Pack 1, IIS 7.0 | 192.168.100.2<br />
RES-CLT1 | resource.fabrikam.net | Windows 7 Ultimate | 1024 | Microsoft Office Word 2007 | 192.168.100.3<br />
Hyper-V is not a requirement to complete the steps outlined in this guide.
These steps can be implemented on physical computers as long as they reflect the same roles as the preceding table.<br />
The following table summarizes the accounts used in this step-by-step guide.<br />
Required Accounts<br />
Account | Display name | Forest | Employee ID | Group Membership | Password | Description<br />
bsimon | Britta Simon | corp.fabrikam.com | 11111 | All FTE | Pass1word$ | User account.<br />
ljacobson | Lola Jacobson | resource.fabrikam.net | 22222 | All FTE | Pass1word$ | User account.<br />
nholliday | Nicole Holliday | corp.fabrikam.com | 33333 | All FTE | Pass1word$ | User account.<br />
lhenig | Limor Henig | corp.fabrikam.com | 44444 | All Contractors | Pass1word$ | User account.<br />
srailson | Stuart Railson | corp.fabrikam.com | 55555 | All Contractors | Pass1word$ | User account.<br />
The following table summarizes the universal groups used in this step-by-step guide.<br />
Universal Group Summary<br />
Group Name | Group Scope | Group Type<br />
All Staff | Universal | Security<br />
All FTE | Universal | Security<br />
All Contractors | Universal | Security<br />
Prerequisites for AD RMS Deployment in a Resource Forest<br />
The following software is required to complete the steps in this guide.
Although the setup steps are outside the scope of this document, the Appendix H - Pre-Implementation Checklists topic provides some useful checklists in addition to reference links that will help you set up your environment.<br />
Software | Additional Information<br />
Windows Server® 2008 Enterprise 32-bit edition | Windows Server 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)<br />
Windows Vista® with Service Pack 2 | Windows Vista (http://go.microsoft.com/fwlink/?LinkId=156711)<br />
Windows® 7 Ultimate | Windows 7 Ultimate (http://go.microsoft.com/fwlink/?LinkId=160776)<br />
Active Directory Domain Service | Active Directory Domain Service (http://go.microsoft.com/fwlink/?LinkId=156712)<br />
Active Directory Rights Management Services (AD RMS) | Active Directory Rights Management Services (http://go.microsoft.com/fwlink/?LinkId=163969)<br />
Microsoft SQL Server 2008 Service Pack 1 – 32-bit edition | Microsoft SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkId=156714)<br />
Microsoft Exchange Server 2007 Service Pack 1 – 32-bit edition (Evaluation copy) | Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=156715)<br />
Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 | Microsoft Identity Lifecycle Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=156716)<br />
Microsoft Office 2007 with Service Pack 2 | Microsoft Office 2007 (http://go.microsoft.com/fwlink/?LinkId=156717)<br />
Microsoft Visual Studio 2008 with Service Pack 1 | Microsoft Visual Studio 2008 (http://go.microsoft.com/fwlink/?LinkId=156718)<br />
Microsoft Hyper-V | Microsoft Hyper-V (http://go.microsoft.com/fwlink/?LinkID=156719)<br />
Active Directory Migration Tool Version 3.1 | ADMT Version 3.1 (http://go.microsoft.com/fwlink/?LinkId=158049)<br />
Internet Information Services (IIS) 7.0 | Internet Information Services (http://go.microsoft.com/fwlink/?LinkId=160778)<br />
Rights Management Services Administration Toolkit with SP2 | Rights Management Services Administration Toolkit with SP2 (http://go.microsoft.com/fwlink/?LinkId=158667)<br />
See Also<br />
AD RMS Deployment
in a Resource Forest Step-by-Step Guide<br />
Appendix H - Pre-Implementation Checklists<br />
Limitations of This Deployment Design<br />
The AD RMS deployment design used in this document has some feature limitations. The lists below reflect the supported features as stated directly by the product group. This section lists the supported AD RMS features and also the features that are not supported. The list may not include every feature available in AD RMS; if a feature is not listed here as supported, it should be considered unsupported for this deployment scenario.<br />
The following is a list of supported features:<br />
Lockbox Certification - Organizations must identify the users who are trusted entities within their AD RMS installation. To allow for this, AD RMS issues rights account certificates that associate user accounts with a key pair that is protected specifically to the user's computer. These certificates let users publish and consume rights-protected content. Each certificate contains a public key that is used to license information that is intended for that user's consumption.<br />
Use licenses that enforce usage rights and conditions - A user who receives rights-protected content must request and receive a use license (UL) from AD RMS to be able to view the content. A UL is granted to an individual and lists the usage rights and conditions that apply when that person consumes that content.<br />
Publishing licenses that define usage rights and conditions – The ability to assign content-specific usage rights and conditions.
These usage rights and conditions are defined within publishing licenses that specify the authorized users who can consume the content and how that content can be used and distributed.<br />
Group Expansion – This has limited support, in the resource forest only.<br />
Rights Policy Templates - Administrators can create and distribute official rights policy templates that define the usage rights and conditions for a predefined set of users. These templates provide a manageable way for organizations to establish document classification hierarchies for their content.<br />
Super Users Group - The Active Directory Rights Management Services (AD RMS) super users group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights protection from it. The super users group is outside the scope of this document. For additional information about the super users group, see Setting up a Super Users Group (http://go.microsoft.com/fwlink/?LinkId=160554).<br />
The following is a list of features that are not supported:<br />
AD RMS Prelicensing Agent - You can use the Active Directory Rights Management Services (AD RMS) Prelicensing agent to certify the Microsoft Office Outlook recipient's authenticity, which allows the recipient to open messages without receiving a credential prompt on every attempt. This feature is not supported in this design.<br />
The following is a list of features that have not been extensively tested:<br />
Caution <br />
The features listed below have not been thoroughly tested to work in this design.
If you choose to use them in a production environment, there is no guarantee that they will be supported.<br />
Group expansion across forests<br />
Query based groups<br />
Trusted Publishing Domains<br />
Trusted User Domains<br />
ADFS<br />
Exclusion/Revocation<br />
ServerBox<br />
MobileBox<br />
Decommission<br />
Implementing the Procedures in this Document<br />
The following steps guide you through setting up and testing an initial user. This includes the manual process of migrating a user from one forest to the other, using the Active Directory Migration Tool (ADMT) to populate sIDHistory, and then testing the implementation. Because this is time-consuming when applied to hundreds or thousands of users, later sections discuss automation.<br />
This section consists of the following steps:<br />
Step 1 - Create AccountsForestUsers Organizational Unit<br />
Step 2 - Create ResourceForestUsers Organizational Unit<br />
Step 3 - Create Test Users in Accounts Forest<br />
Step 4 - Create Test Users in Resource Forest<br />
Step 5 - Create Test Groups in Resource Forest<br />
Step 6 - Extend ILM Metaverse Schema<br />
Step 7 - Create Accounts Forest Management Agent<br />
Step 8 - Create Resource Forest Management Agent<br />
Step 9 - Create ACCOUNT Management Agent Run Profiles<br />
Step 10 - Create RESOURCE Management Agent Run Profiles<br />
Step 11 - Create the Metaverse Rules Extension<br />
Step 12 - Create SCP in Accounts Forest<br />
Step 13 - Create Active Directory Migration Tool Options File<br />
Step 14 - Create ADRMSPublic Shared Folder<br />
Step 15 - Create Fabrikam Confidential Rights Policy Template<br />
Step 16 - Create Fabrikam FTE Confidential Rights Policy Template<br />
Step 17 - Enable Rights Management Scheduled Task on ACC-CLT1<br />
Step 18 - Add AdminTemplatePath Registry Key and Trusted Sites on ACC-CLT1<br />
Step 19 - Enable Rights Management Scheduled Task on RES-CLT1<br />
Step 20 - Add AdminTemplatePath Registry Key and
Trusted Sites on RES-CLT1<br />
See Also<br />
AD RMS Deployment in a Resource Forest Step-by-Step Guide<br />
Prerequisites for AD RMS Deployment in a Resource Forest<br />
Testing the Implementation<br />
Automating the Implementation<br />
Step 1 - Create AccountsForestUsers Organizational Unit<br />
In this step we create an organizational unit in corp.fabrikam.com, the accounts forest. This organizational unit will store all of our test users.<br />
Creating the AccountsForestUsers organizational unit<br />
The following steps show how to create the AccountsForestUsers organizational unit.<br />
To create the organizational unit<br />
1. Log on to ACC-DC.corp.fabrikam.com as Administrator.<br />
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.<br />
3. In the Active Directory Users and Computers MMC, in the tree view on the left, right-click corp.fabrikam.com, select New, and then Organizational Unit.<br />
4. In the Name text box, type AccountsForestUsers. Click OK.<br />
5. Close Active Directory Users and Computers.<br />
Step 2 - Create ResourceForestUsers Organizational Unit<br />
This step explains how to create an organizational unit in resource.fabrikam.net, the resource forest. This organizational unit will store all of our synchronized users. These accounts will all have mailboxes, and they will all be disabled.<br />
Creating the ResourceForestUsers organizational unit<br />
The following steps show how to create the ResourceForestUsers organizational unit.<br />
To create the organizational unit<br />
1. Log on to RES-DC.resource.fabrikam.net as Administrator.<br />
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
This will open the Active Directory Users and Computers MMC.<br />
3. In the Active Directory Users and Computers MMC, in the tree view on the left, right-click resource.fabrikam.net, select New, and then Organizational Unit.<br />
4. In the Name text box, type ResourceForestUsers. Click OK.<br />
5. Close Active Directory Users and Computers.<br />
See Also<br />
Implementing the Procedures in this Document<br />
Step 3 - Create Test Users in Accounts Forest<br />
This step explains how to create the test users in corp.fabrikam.com, the accounts forest. These are the accounts that will be synchronized to the resource forest.<br />
Create the Test Users<br />
This section lists the steps for creating the test user accounts that are used in this scenario. The following table summarizes the accounts that will be created.<br />
Table 2 Required Accounts<br />
First Name | Last Name | User logon name | Display name | Forest | Employee ID | Password<br />
Britta | Simon | bsimon | Britta Simon | corp.fabrikam.com | 11111 | Pass1word$<br />
Nicole | Holliday | nholliday | Nicole Holliday | corp.fabrikam.com | 33333 | Pass1word$<br />
Limor | Henig | lhenig | Limor Henig | corp.fabrikam.com | 44444 | Pass1word$<br />
To create the test user accounts<br />
1. Log on to the ACC-DC.corp.fabrikam.com server as Administrator.<br />
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.<br />
3. Expand corp.fabrikam.com, right-click AccountsForestUsers, select New, and then select User.
This will bring up the New Object – User window.<br />
4. On the New Object – User screen, in the First Name box, enter Britta.<br />
5. On the New Object – User screen, in the Last Name box, enter Simon.<br />
6. On the New Object – User screen, in the User logon name box, enter bsimon and click Next.<br />
7. On the New Object – User screen, in the Password box, enter Pass1word!.<br />
8. On the New Object – User screen, in the Confirm Password box, enter Pass1word!.<br />
9. On the New Object – User screen, clear the User must change password at next logon check box.<br />
10. On the New Object – User screen, select the Password never expires check box and click Next.<br />
11. Click Finish.<br />
12. Repeat these steps for all of the accounts listed in the Required Accounts table above.<br />
Add Employee ID to Test Users<br />
This section lists the steps for adding the employee ID after the test users have been created.<br />
To add the employee ID to the test users<br />
1. Log on to the ACC-DC.corp.fabrikam.com server as Administrator.<br />
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.<br />
3. Expand corp.fabrikam.com, click AccountsForestUsers, right-click Britta Simon, and then select Properties. This will bring up the Britta Simon Properties window.<br />
4. On the Britta Simon Properties screen, select the Attribute Editor tab.<br />
Note <br />
If you do not see the Attribute Editor tab, ensure that Advanced Features is enabled for Active Directory Users and Computers. To do this, at the top of Active Directory Users and Computers, click View and select Advanced Features.<br />
5. On the Attribute Editor tab, scroll down, select employeeID, and click Edit. This will bring up the String Attribute Editor dialog box.<br />
6. On the String Attribute Editor dialog box, enter 11111 for the Value and click OK. This will close the String Attribute Editor dialog box.<br />
7. Click Apply. Click OK.
This will close the Britta Simon Properties window.<br />
8. Repeat these steps for all of the accounts listed in the Required Accounts table above, substituting the appropriate employee ID number.<br />
See Also<br />
Implementing the Procedures in this Document<br />
Step 4 - Create Test Users in Resource Forest<br />
This step explains how to create the test users in resource.fabrikam.net, the resource forest. These are the accounts that represent new users.<br />
Create the Test Users<br />
This section lists the steps for creating the users in the resource forest. The following table summarizes the accounts that will be created.<br />
Table 2 Required Accounts<br />
First Name | Last Name | User logon name | Display name | Forest | Employee ID | Password<br />
Lola | Jacobson | ljacobson | Lola Jacobson | resource.fabrikam.net | 22222 | Pass1word$<br />
To create the test user accounts<br />
1. Log on to the RES-DC.resource.fabrikam.net server as Administrator.<br />
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.<br />
3. Expand resource.fabrikam.net, right-click ResourceForestUsers, select New, and then select User.
This will bring up the New Object – User window.<br />
4. On the New Object – User screen, in the First Name box, enter Lola.<br />
5. On the New Object – User screen, in the Last Name box, enter Jacobson.<br />
6. On the New Object – User screen, in the User logon name box, enter ljacobson and click Next.<br />
7. On the New Object – User screen, in the Password box, enter Pass1word!.<br />
8. On the New Object – User screen, in the Confirm Password box, enter Pass1word!.<br />
9. On the New Object – User screen, clear the User must change password at next logon check box.<br />
10. On the New Object – User screen, select the Password never expires check box and click Next.<br />
11. Click Finish.<br />
Add Employee ID to Test Users<br />
This section lists the steps for adding the employee ID after the test user has been created.<br />
To add the employee ID to the test users<br />
1. Log on to the RES-DC.resource.fabrikam.net server as Administrator.<br />
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.<br />
3. Expand resource.fabrikam.net, click ResourceForestUsers, right-click Lola Jacobson, and then select Properties. This will bring up the Lola Jacobson Properties window.<br />
4. On the Lola Jacobson Properties screen, select the Attribute Editor tab.<br />
Note <br />
If you do not see the Attribute Editor tab, ensure that Advanced Features is enabled for Active Directory Users and Computers. To do this, at the top of Active Directory Users and Computers, click View and select Advanced Features.<br />
5. On the Attribute Editor tab, scroll down, select employeeID, and click Edit. This will bring up the String Attribute Editor dialog box.<br />
6. On the String Attribute Editor dialog box, enter 22222 for the Value and click OK. This will close the String Attribute Editor dialog box.<br />
7. Click Apply. Click OK.
This will close the Lola Jacobson Properties window.<br />
To mailbox-enable the user<br />
1. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.<br />
2. In the Exchange Management Console, expand Recipient Configuration, and click Mailbox.<br />
3. On the right, in the Actions pane, click New Mailbox… to start the New Mailbox wizard.<br />
4. On the Introduction screen, select User Mailbox and click Next.<br />
5. On the User Type screen, select Existing Users and click Add. This will bring up the Select User – resource.fabrikam.net screen.<br />
6. From the list, select Lola Jacobson and click OK.<br />
7. Click Next.<br />
8. On the Mailbox Settings screen, next to Mailbox database, click Browse. This will bring up the Select Mailbox Database screen.<br />
9. On the Select Mailbox Database screen, verify that First Storage Group is selected and click OK.<br />
10. Click Next.<br />
11. On the New Mailbox screen, click New.<br />
12. On the Completion screen, verify that the operation was successful and click Finish.<br />
13. Close Exchange Management Console.<br />
See Also<br />
Implementing the Procedures in this Document<br />
Step 5 - Create Test Groups in Resource Forest<br />
This step explains how to create the test groups in resource.fabrikam.net, the resource forest.<br />
Create the Test Groups<br />
This section lists the steps for creating the test groups that are used in this scenario. Three groups in total will be created for this scenario. The following table summarizes the groups that will be created.<br />
Table Group Summary<br />
Group Name | Group Scope | Group Type<br />
All Staff | Universal | Security<br />
All FTE | Universal | Security<br />
All Contractors | Universal | Security<br />
To create the test groups<br />
1. Log on to the RES-DC.resource.fabrikam.net server as Administrator.<br />
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.<br />
3. Expand resource.fabrikam.net, right-click ResourceForestUsers, select New, and then select Group.
This will bring up the New Object – Group window.<br />
4. On the New Object – Group screen, in the Group Name box, enter All Staff.<br />
5. On the New Object – Group screen, under Group scope, select Universal.<br />
6. On the New Object – Group screen, under Group type, select Security.<br />
7. Click OK.<br />
8. Repeat these steps for all of the groups listed in the Group Summary table.<br />
To mail-enable the security groups<br />
1. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.<br />
2. In the Exchange Management Console, expand Recipient Configuration, and click Distribution Group.<br />
3. On the right, in the Actions pane, click New Distribution Group… to start the New Distribution Group wizard.<br />
4. On the Introduction screen, select Existing group and click Browse. This will bring up the Select Group – resource.fabrikam.net screen.<br />
5. From the list, select All Staff and click OK.<br />
6. Click Next.<br />
7. On the Group Information screen, click Next.<br />
8. On the New Distribution Group screen, click New.<br />
9. On the Completion screen, verify that the operation was successful and click Finish.<br />
10. Close Exchange Management Console.<br />
11. Repeat these steps for all of the groups listed in the Group Summary table.<br />
To add the All FTE group and the All Contractors group to the All Staff group<br />
1. Log on to the RES-DC.resource.fabrikam.net server as Administrator.<br />
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.<br />
3. Expand resource.fabrikam.net, select ResourceForestUsers, right-click All Staff, and select Properties. This will bring up the All Staff Properties window.<br />
4. On the Members tab, click Add. This will bring up the Select Groups dialog box.<br />
5. On the Select Groups dialog box, in the Enter the object names to select (examples) box, enter All FTE and click Check Names. The name should resolve and appear underlined.<br />
6. Click OK. This will close the Select Groups dialog box.<br />
7. On the Members tab, click Add.
This will bring up the Select Groups dialog box.<br />
8. On the Select Groups dialog box, in the Enter the object names to select (examples) box, enter All Contractors and click Check Names. The name should resolve and appear underlined.<br />
9. Click OK. This will close the Select Groups dialog box.<br />
10. On the All Staff Properties window, click Apply.<br />
11. Click OK. This will close the All Staff Properties dialog box.<br />
12. Close Active Directory Users and Computers.<br />
See Also<br />
Implementing the Procedures in this Document<br />
Step 6 - Extend ILM Metaverse Schema<br />
This step explains how to extend the Identity Lifecycle Manager 2007 metaverse schema. This will allow us to flow the SID and the sAMAccountName attribute from the accounts forest into the resource forest.<br />
Extending the ILM 2007 FP1 schema<br />
The following steps show how to extend the ILM schema.<br />
To extend the ILM schema<br />
1. Log on to RES-DC.resource.fabrikam.net as Administrator.<br />
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.<br />
3. In Identity Manager, click the Metaverse Designer button at the top.<br />
4. In the Metaverse Designer, under Object Types, select person so that it is highlighted, and in the lower-right corner click Add Attribute. This will bring up the Add Attribute To Object Type dialog box.<br />
5. On the Add Attribute To Object Type dialog box, click New attribute. This will bring up the New Attribute dialog box.<br />
6. On the New Attribute dialog box, enter sIDHistory for Attribute name and select Binary (indexable) for Attribute type. Click OK. This will close the New Attribute dialog box.<br />
7. On the Add Attribute To Object Type dialog box, click OK.
This will close the Add Attribute To Object Type dialog box.<br />
8. Close Identity Manager.<br />
See Also<br />
Implementing the Procedures in this Document<br />
Step 7 - Create Accounts Forest Management Agent<br />
This step explains how to create the Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) FP1 management agent for the accounts forest. This will allow you to synchronize user accounts into the resource forest.<br />
To create the management agent<br />
1. Log on to RES-DC.resource.fabrikam.net as Administrator.<br />
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and then click Identity Manager.<br />
3. In Identity Manager, click the Management Agents button at the top.<br />
4. In the Management Agents view, under Actions, click Create. This will bring up the Create Management Agent dialog box.<br />
5. On the Create Management Agent dialog box, under Management Agent for, select Active Directory. Under Name, enter ACCOUNT and then click Next.<br />
6. On the Connect to Active Directory Forest dialog box, enter corp.fabrikam.com for Forest name. Enter Administrator for User name. Enter Pass1word$ for Password. Enter CORP for Domain. Click Next.<br />
7. On the Configure Directory Partitions dialog box, under Select directory partitions, select the DC=corp,DC=fabrikam,DC=com check box. Under Select containers for this partition, click the Containers button. This will bring up the Select Containers dialog box.<br />
8. On the Select Containers dialog box, clear the check box for the root DC=corp,DC=fabrikam,DC=com. This will clear the check marks in all of the boxes. Now select the AccountsForestUsers check box. Click OK.
This will close the Select Containers dialog box.<br />
9. On the Configure Directory Partitions dialog box, click Next.<br />
10. On the Select Object Types dialog box, check user and then click Next.<br />
11. On the Select Attributes dialog box, select the Show All check box in the upper-right.<br />
12. On the Select Attributes dialog box, select the check box for each attribute in the following list. When finished, click Next.<br />
cn<br />
displayName<br />
givenName<br />
sn<br />
employeeID<br />
mail<br />
13. On the Configure Connector Filter dialog box, click Next.<br />
14. On the Configure Join and Projection Rules dialog box, select user and then click New Projection Rule. This will bring up the Projection dialog box.<br />
15. On the Projection dialog box, select Declared and then click OK. This will close the Projection dialog box.<br />
16. On the Configure Join and Projection Rules dialog box, click Next.<br />
17. On the Configure Attribute Flow dialog box, under Data source object type, select user.<br />
18. On the Configure Attribute Flow dialog box, under Metaverse object type, select person.<br />
19. On the Configure Attribute Flow dialog box, under Data source attribute, select cn.<br />
20. On the Configure Attribute Flow dialog box, under Mapping Type, select Direct.<br />
21. On the Configure Attribute Flow dialog box, under Flow Direction, select Import.<br />
22. On the Configure Attribute Flow dialog box, under Metaverse attribute, select cn.<br />
23. On the Configure Attribute Flow dialog box, click New. This flow rule will appear above. Repeat these steps for each attribute in the following table.
When finished, click Next.<br />
CORP MA Attribute Flow<br />
Data Source Object Type | Metaverse Object Type | Data Source Attribute | Mapping Type | Flow Direction | Metaverse Attribute<br />
user | person | cn | Direct | Import | cn<br />
user | person | displayName | Direct | Import | displayName<br />
user | person | sn | Direct | Import | sn<br />
user | person | employeeID | Direct | Import | employeeID<br />
user | person | givenName | Direct | Import | givenName<br />
user | person | mail | Direct | Export | mail<br />
24. On the Configure Deprovisioning dialog box, click Next.<br />
25. On the Configure Extensions dialog box, click Finish.<br />
26. Close Identity Manager.<br />
See Also<br />
Implementing the Procedures in this Document<br />
Step 8 - Create Resource Forest Management Agent<br />
This step explains how to create the Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) FP1 management agent for the resource forest. This will allow you to synchronize user accounts into the resource forest.<br />
To create the management agent<br />
1. Log on to RES-DC.resource.fabrikam.net as Administrator.<br />
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and then click Identity Manager.<br />
3. In Identity Manager, click the Management Agents button at the top.<br />
4. In the Management Agents view, under Actions, click Create. This will bring up the Create Management Agent dialog box.<br />
5. On the Create Management Agent dialog box, under Management Agent for, select Active Directory. Under Name, enter RESOURCE and then click Next.<br />
6. On the Connect to Active Directory Forest dialog box, enter resource.fabrikam.net for Forest name. Enter Administrator for User name. Enter Pass1word$ for Password. Enter RESOURCE for Domain. Click Next.<br />
7. On the Configure Directory Partitions dialog box, under Select directory partitions, select the DC=resource,DC=fabrikam,DC=net check box. Under Select containers for this partition, click the Containers button. This will bring up the Select Containers dialog box.<br />
8. On the Select Containers dialog box, clear the check box for the root DC=resource,DC=fabrikam,DC=net.
This will clear the check marks in all of the boxes. Now select the ResourceForestUsers check box. Click OK. This will close the Select Containers dialog box.<br />
9. On the Configure Directory Partitions dialog box, click Next.<br />
10. On the Select Object Types dialog box, check user and then click Next.<br />
11. On the Select Attributes dialog box, select the Show All check box in the upper-right.<br />
12. On the Select Attributes dialog box, select the check box for each attribute in the following list. When finished, click Next.<br />
cn<br />
displayName<br />
employeeID<br />
givenName<br />
mail<br />
sIDHistory<br />
sn<br />
13. On the Configure Connector Filter dialog box, click Next.<br />
14. On the Configure Join and Projection Rules dialog box, select user and then click New Join Rule. This will bring up the Join Rule for user dialog box.<br />
15. On the Join Rule for user dialog box, under Data source attribute, select employeeID.<br />
16. On the Join Rule for user dialog box, under Mapping Type, select Direct.<br />
17. On the Join Rule for user dialog box, under Metaverse Object Type, select person.<br />
18. On the Join Rule for user dialog box, under Metaverse attribute, select employeeID.<br />
19. On the Join Rule for user dialog box, click Add Condition. If you see a dialog box that says "You are attempting a join mapping with a non-indexed metaverse attribute", you can safely ignore it and click OK.<br />
20. On the Join Rule for user dialog box, click OK.
This will close the Join Rule for user dialog box.<br />
21. On the Configure Join and Projection Rules dialog box, click Next.<br />
22. On the Configure Attribute Flow dialog box, under Data source object type, select user.<br />
23. On the Configure Attribute Flow dialog box, under Metaverse object type, select person.<br />
24. On the Configure Attribute Flow dialog box, under Data source attribute, select cn.<br />
25. On the Configure Attribute Flow dialog box, under Mapping Type, select Direct.<br />
26. On the Configure Attribute Flow dialog box, under Flow Direction, select Export.<br />
27. On the Configure Attribute Flow dialog box, under Metaverse attribute, select cn.<br />
28. On the Configure Attribute Flow dialog box, click New. This flow rule will appear above. Repeat these steps for each attribute in the following table. When finished, click Next.<br />
CORP MA Attribute Flow<br />
Data Source Object Type | Metaverse Object Type | Data Source Attribute | Mapping Type | Flow Direction | Metaverse Attribute<br />
user | person | cn | Direct | Export | cn<br />
user | person | displayName | Direct | Export | displayName<br />
user | person | sn | Direct | Export | sn<br />
user | person | employeeID | Direct | Export | employeeID<br />
user | person | givenName | Direct | Export | givenName<br />
user | person | sIDHistory | Direct | Import | sIDHistory<br />
user | person | mail | Direct | Import | mail<br />
29. On the Configure Deprovisioning dialog box, click Next.<br />
30. On the Configure Extensions dialog box, click Finish.<br />
31. Close Identity Manager.<br />
Step 9 - Create ACCOUNT Management Agent Run Profiles<br />
This step explains how to create the ACCOUNT management agent run profiles.<br />
Creating the ACCOUNT Management Agent Run Profiles<br />
The following steps show how to create the ACCOUNT MA run profiles.<br />
To create the management agent run profiles<br />
1. Log on to RES-DC.resource.fabrikam.net as Administrator.<br />
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.<br />
3. In Identity Manager, click the Management Agents button at the top.<br />
4. In the Management Agents view, select ACCOUNT, and then under Actions, click Configure Run Profiles.
This will bring up the Configure Run Profiles for “ACCOUNT” dialog box.<br />
5. On the Configure Run Profiles for “ACCOUNT” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.<br />
6. On the Profile Name screen, enter FI for Name. Click Next.<br />
7. On the Configure Step screen, under Type, select Full Import (Stage Only). Click Next.<br />
8. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.<br />
9. On the Configure Run Profiles for “ACCOUNT” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.<br />
10. On the Profile Name screen, enter FS for Name. Click Next.<br />
11. On the Configure Step screen, under Type, select Full Synchronization. Click Next.<br />
12. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.<br />
13. On the Configure Run Profiles for “ACCOUNT” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.<br />
14. On the Profile Name screen, enter DI for Name. Click Next.<br />
15. On the Configure Step screen, under Type, select Delta Import (Stage Only). Click Next.<br />
16. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.<br />
17. On the Configure Run Profiles for “ACCOUNT” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.<br />
18. On the Profile Name screen, enter DS for Name. Click Next.<br />
19. On the Configure Step screen, under Type, select Delta Synchronization. Click Next.<br />
20. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.<br />
21. On the Configure Run Profiles for “ACCOUNT” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.<br />
22. On the Profile Name screen, enter E for Name. Click Next.<br />
23. On the Configure Step screen, under Type, select Export. Click Next.<br />
24. On the Management Agent Configuration screen, click Finish.
This will close the Configure Run Profile dialog box.25.On the Configure Run Profiles for “ACCOUNT” dialog box, click Apply. Click OK. This will close the Configure Run Profiles for “ACCOUNT” dialog box.26.Close Identity Manager.<br />See Also<br />Implementing the Procedures in this Document<br />Step 10 - Create RESOURCE Management Agent Run Profiles<br />This step explains how to create the RESOURCE management agent run profiles.<br />Creating the RESOURCE Management Agent Run Profiles<br />The following steps show how to create the RESOURCE MA run profiles.<br />To create the management agent run profiles<br />1.Log on to RES-DC.resource.fabrikam.net as Administrator2.Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.3.In Identity Manager, click the Management Agents button at the top.4.In the Management Agents view, select RESOURCE, then under Actions, click Configure Run Profiles. This will bring up the Configure Run Profiles for “RES” dialog box.5.On the Configure Run Profiles for “RESOURCE” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.6.On the Profile Name screen, enter FI for Name. Click Next.7.On the Configure Step screen, under Type, select Full Import (Stage Only). Click Next.8.On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.9.On the Configure Run Profiles for “RESOURCE” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.10.On the Profile Name screen, enter FS for Name. Click Next.11.On the Configure Step screen, under Type, select Full Synchronization. Click Next.12.On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.13.On the Configure Run Profiles for “RESOURCE” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.14.On the Profile Name screen, enter DI for Name. 
Click Next.15.On the Configure Step screen, under Type, select Delta Import (Stage Only). Click Next.16.On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.17.On the Configure Run Profiles for “RESOURCE” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.18.On the Profile Name screen, enter DS for Name. Click Next.19.On the Configure Step screen, under Type, select Delta Synchronization. Click Next.20.On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.21.On the Configure Run Profiles for “RESOURCE” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.22.On the Profile Name screen, enter E for Name. Click Next.23.On the Configure Step screen, under Type, select Export. Click Next.24.On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.25.On the Configure Run Profiles for “RESOURCE” dialog box, click Apply. Click OK. This will close the Configure Run Profiles for “RESOURCE” dialog box.26.Close Identity Manager.<br />See Also<br />Implementing the Procedures in this Document<br />Step 11 - Create the Metaverse Rules Extension<br />This step explains how to create the metaverse rules extension.<br />To create the metaverse rules extension<br />1.Log on to RES-DC.resource.fabrikam.net as Administrator.2.Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.3.In Identity Manager, go to the top and select Tools, and select Options. This will bring up the Options dialog box.4.On the Options dialog box, check Enable metaverse rules extension and click Create Rules Extension Project. 
This will bring up the Create Extension Project dialog box.5.On the Create Extension Project dialog box, select Visual C# from the drop-down next to Programming Language.6.On the Create Extension Project dialog box, select Rules Extension from the drop-down next to Project Type.7.On the Create Extension Project dialog box, leave the default of MVExtension next to Project name.8.On the Create Extension Project dialog box, leave the default for Project Location.9.On the Create Extension Project dialog box, leave a check in Launch in VS.NET IDE.10.On the Create Extension Project dialog box, click OK. This will launch Visual Studio.Note When this project opens the Visual Studio Conversion Wizard will start so that it can convert the project to a Visual Studio 2008 version. Simply click Next and then Finish. Then select Load this project normally. Then close the conversion wizard once it is complete. Also, if you have not opened Visual Studio 2008 yet, it will ask you to configure it for first time use. Simply select General Settings and then wait momentarily until it finishes. When it is done, the Visual Studio Conversion Wizard will start.11.In Visual Studio, under the Solution Explorer, double-click MVExtension.cs.12.Delete all of the code that appears in the large window on the left. Copy the code from Appendix C – Metaverse Extension Code into this area.13.In Visual Studio, at the top, select Build and then select Build Solution. Down at the bottom, in the Output section, you should see Build: 1 succeeded or up-to-date, 0 failed, 0 skipped. Close Visual Studio. This will return you to the Options dialog box.14.In Identity Manager, on the Options dialog box, next to Rules extension name click Browse. This will bring up the Select File dialog box.15.On the Select File dialog box, select MVExtension.dll and click OK. This will close the Select File dialog box.16.On the Options dialog box, place a check in Enable Provisioning Rules Extension and click OK. 
This will close the Options dialog box.17.Close Identity Manager.<br />See Also<br />Implementing the Procedures in this Document<br />Step 12 - Create SCP in Accounts Forest<br />This step explains how to create the Service Connection Point (SCP) in the accounts forest. This will allow the clients in the accounts forest to locate the AD RMS cluster without having to use the registry overrides. Prior to completing this step, be sure that the Rights Management Services Administration Toolkit with SP2 has been downloaded and installed on ACC-DC.corp.fabrikam.com.<br />To create the Service Connection Point<br />1.Log on to ACC-DC.corp.fabrikam.com as Administrator.2.Click Start, click Run, type cmd in the Open: box, and click OK. This will bring up the command shell.3.Navigate to C:Program FilesRMS SP2 Administration ToolkitADScpRegister.4.Enter the following at the prompt: ADScpRegister registerscp https://res-adrms.resource.fabrikam.net:443/_wmcs/certification and then press ENTER. 5.Once that has Successfully committed SCP changes to AD close the command window.<br />Note <br />At this point, the SCP should be registered. This can be verified by using ADSI Edit. Connect to the configuration context and drill down to CN=ServicesCN=RightsManagementServicesCN=SCP. You can view the properties of the SCP from here.<br />See Also<br />Implementing the Procedures in this Document<br />Step 13 - Create Active Directory Migration Tool Options File<br />This step explains how to create the ADMT options file. The options file is used for efficiency. 
It is often more efficient to use an option file to specify command-line options when using ADMT.<br />To create the ADMT options file<br />1.Log on to RES-DC.resource.fabrikam.net as Administrator.2.Click Start, click Computer, and then double-click Local Disk (C:), double-click Windows, double-click ADMT.3.Click File, point to New, and then click Text Document.4.Type options for the new folder, and then press ENTER.5.Double-click the new options file. This will open the file.6.Copy the text from Appendix F – ADMT Options File, of this document, and paste it into the new options file.7.Click File and click Save. Close the options file. <br />See Also<br />Implementing the Procedures in this Document<br />Step 14 - Create ADRMSPublic Shared Folder<br />This step explains how to create the ADRMSPublic shared folder.<br />To create the ADRMSPublic shared folder<br />1.Log on to RES-ADRMS.resource.fabrikam.net as Administrator.2.Click Start, click Computer, and then double-click Local Disk (C:).3.Click File, point to New, and then click Folder.4.Type ADRMSPublic for the new folder, and then press ENTER.5.Right-click ADRMSPublic, and then click Share.6.On the File Sharing window, in the box under Type the name of the person you want to share with and click Add… enter Everyone and click Add. The Everyone group should now appear in the box below. The Permission Level should be Reader.7.On the File Sharing window, in the box under Type the name of the person you want to share with and click Add… enter ADRMS Service and click Add. The Everyone group should now appear in the box below. The Permission Level should be Reader. Using the arrow next to Reader, change the Permission Level to Contributor.8.Click Share. The window should change and you should now see Your folder is shared. 9.Click Done. 
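As an added example (not part of the whitepaper), the ADSI Edit check in the Step 12 note can be scripted: the PowerShell below reads the SCP from the forest's configuration partition and compares its serviceBindingInformation with the certification URL that was passed to ADScpRegister, so a missing or altered SCP is caught before the accounts-forest clients depend on it. It assumes PowerShell 2.0 on a domain-joined computer in corp.fabrikam.com (such as ACC-DC) and an account that can read the configuration partition; the function names Get-AdRmsScp and Test-AdRmsScp are my own.

```powershell
# Added example, not from the whitepaper: verify the AD RMS Service Connection
# Point that Step 12 registered, without opening ADSI Edit.
# Assumptions: PowerShell 2.0, run from a domain-joined computer in the accounts
# forest with read access to the configuration partition.

# The certification URL Step 12 passed to ADScpRegister. Any other value means a
# stale or altered SCP, which would point every client at the wrong cluster.
$ExpectedUrl = 'https://res-adrms.resource.fabrikam.net:443/_wmcs/certification'

function Get-AdRmsScp {
    # RootDSE tells us the configuration naming context of this forest; the SCP
    # always lives at the fixed location the Step 12 note describes.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"

    if (-not [ADSI]::Exists($scpPath)) {
        return $null   # Step 12 has not been run, or the commit failed
    }
    $scp = [ADSI]$scpPath
    New-Object PSObject -Property @{
        DistinguishedName = [string]$scp.distinguishedName
        # objectClass is multi-valued (top, ..., serviceConnectionPoint); the
        # most specific class is listed last.
        ObjectClass       = [string]($scp.objectClass | Select-Object -Last 1)
        Url               = [string]$scp.serviceBindingInformation
        WhenChanged       = [string]$scp.whenChanged
    }
}

function Test-AdRmsScp {
    param([string]$Expected)

    $scp = Get-AdRmsScp
    if ($scp -eq $null) {
        Write-Warning 'No AD RMS SCP found in the configuration partition.'
        return $false
    }

    # Hostnames and the URL path are compared case-insensitively; a trailing
    # slash is not significant for the comparison.
    $actual = $scp.Url.TrimEnd('/')
    $ok = ($actual -ieq $Expected.TrimEnd('/')) -and
          ($scp.ObjectClass -ieq 'serviceConnectionPoint')

    if ($ok) {
        Write-Host "SCP OK: $($scp.DistinguishedName) -> $actual (last changed $($scp.WhenChanged))"
    } else {
        Write-Warning "SCP mismatch: found '$actual' (class $($scp.ObjectClass)), expected '$Expected'"
    }
    return $ok
}

# Returns $true when the SCP exists and carries the expected certification URL.
Test-AdRmsScp -Expected $ExpectedUrl
```

Re-running this check after any change to the configuration partition, or as part of the client-side troubleshooting in later steps, confirms that clients are still being directed to res-adrms.resource.fabrikam.net.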
See Also
Implementing the Procedures in this Document

Step 15 - Create Fabrikam Confidential Rights Policy Template

This step explains how to create the Fabrikam Confidential Rights Policy Template.

To create the Fabrikam Confidential Rights Policy Template

1. Log on to RES-ADRMS.resource.fabrikam.net as Administrator.
2. Open the Active Directory Rights Management Services Administration console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. In the Active Directory Rights Management Services Administration console, expand the cluster name.
5. Click Rights Policy Templates and ensure that Distributed Rights Policy Template information appears in the center pane. On the right, in the Actions pane, click Properties. This will bring up the Rights Policy Templates Properties dialog box.
6. On the Rights Policy Templates Properties dialog box, select the Enable export check box, type \\res-adrms\ADRMSPublic in the Specify templates file location (UNC) box, and then click OK.
7. On the right, in the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy Template wizard.
8. Click Add.
9. In the Language box, choose the appropriate language for the rights policy template.
10. Type Fabrikam Confidential in the Name box.
11. Type This content is confidential and proprietary information intended for Fabrikam employees only and provides the following user rights: View, Reply, Reply All, Save, Edit, and Forward in the Description box, and then click Add.
12. Click Next.
13. Click Add, type AllStaff@resource.fabrikam.net in The e-mail address of a user or group box, and then click OK.
14. Select the View, Reply, Reply All, Save, Edit, and Forward check boxes.
15. Click Finish.

See Also
Implementing the Procedures in this Document

Step 16 - Create Fabrikam FTE Confidential Rights Policy Template

This step explains how to create the Fabrikam FTE Confidential Rights Policy Template.

To create the Fabrikam FTE Confidential Rights Policy Template

1. Log on to RES-ADRMS.resource.fabrikam.net as Administrator.
2. Open the Active Directory Rights Management Services Administration console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
3. In the Active Directory Rights Management Services Administration console, expand the cluster res-adrms.resource.fabrikam.net.
4. Click Rights Policy Templates.
5. On the right, in the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy Template wizard.
6. Click Add.
7. In the Language box, choose the appropriate language for the rights policy template.
8. Type Fabrikam FTE Confidential in the Name box.
9. Type This content is confidential and proprietary information intended for Fabrikam full-time employees only and provides the following user rights: View, Reply, Reply All, Save, Edit, and Forward in the Description box, and then click Add.
10. Click Next.
11. Click Add, type AllFTE@resource.fabrikam.net in The e-mail address of a user or group box, and then click OK.
12. Select the View, Reply, Reply All, Save, Edit, and Forward check boxes.
13. Click Finish.

See Also
Implementing the Procedures in this Document

Step 17 - Enable Rights Management Scheduled Task on ACC-CLT1

This step explains how to enable the rights management scheduled task, which is disabled by default on the Windows Vista client.

To enable the rights management scheduled task

1. Log on to ACC-CLT1 as corp\Administrator.
2. Click Start, and then click Control Panel.
3. Double-click Administrative Tools, and then double-click Task Scheduler.
Note: If you do not see Administrative Tools, switch to Classic View.
4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
5. Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client.
6. Right-click AD RMS Rights Policy Template Management (Automated), and then click Enable.
7. Close Task Scheduler.

See Also
Implementing the Procedures in this Document

Step 18 - Add AdminTemplatePath Registry Key and Trusted Sites on ACC-CLT1

In this step you will add the AdminTemplatePath registry key for the user Britta Simon. This must be done for each individual user that will use the client computer, because the key resides under HKEY_CURRENT_USER and is specific to the user that is currently logged on. You will also add the AD RMS URL to the Trusted Sites of the current user’s instance of Internet Explorer.

To add the AdminTemplatePath registry key

1. Log on to ACC-CLT1 as corp\bsimon.
2. Click Start, type regedit.exe in the Start Search box, and then press ENTER.
3. Expand the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
Note: If DRM was not already created as a part of the key, you must create it manually.
4. Right-click DRM, click New, and then click Expandable String Value.
5. In the Value name box, type AdminTemplatePath, and then press ENTER.
Note: If AdminTemplatePath already exists, just modify it to match the entry that is shown here.
6. Double-click the AdminTemplatePath registry value, type %LocalAppData%\Microsoft\DRM\Templates in the Value data box, and then click OK.
7. Close Registry Editor.

Add the AD RMS URL to Trusted Sites

The following steps show you how to add the AD RMS URL to trusted sites in Internet Explorer.

To add the AD RMS URL

1. Log on to ACC-CLT1 as corp\bsimon.
2. Click Start, click All Programs, and select Internet Explorer.
3. Once Internet Explorer opens, in the upper-right corner, select Tools and then click Internet Options from the drop-down. This will bring up the Internet Options window.
4. From the Internet Options screen, click the Security tab, and select Trusted Sites from the Select a zone to view or change security settings box.
5. Click the Sites button. This will display a Trusted Sites window.
6. In the Add this website to the zone: box, type https://res-adrms.resource.fabrikam.net, and then click Add.
7. Click Close.
8. From the Internet Options screen, click OK.
9. Close Internet Explorer.

See Also
Implementing the Procedures in this Document

Step 19 - Enable Rights Management Scheduled Task on RES-CLT1

This step explains how to enable the rights management scheduled task, which is disabled by default on the Windows 7 client.

To enable the rights management scheduled task

1. Log on to RES-CLT1 as resource\Administrator.
2. Click Start, and then click Control Panel.
3. Click System and Security.
4. Click Administrative Tools, and then double-click Task Scheduler.
Note: If you do not see Administrative Tools, switch to Classic View.
5. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
6. Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client.
7. Right-click AD RMS Rights Policy Template Management (Automated), and then click Enable.
8. Close Task Scheduler.

See Also
Implementing the Procedures in this Document

Step 20 - Add AdminTemplatePath Registry Key and Trusted Sites on RES-CLT1

This step explains how to add the AdminTemplatePath registry key for the user Lola Jacobson. We will also add the AD RMS URL to the Trusted Sites of Lola Jacobson’s instance of Internet Explorer.

To add the AdminTemplatePath registry key

1. Log on to RES-CLT1 as resource\ljacobson.
2. Click Start, type regedit.exe in the Search programs and files box, and then press ENTER.
3. Expand the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
Note: If DRM was not already created as a part of the key, you must create it manually.
4. Right-click DRM, click New, and then click Expandable String Value.
5. In the Value name box, type AdminTemplatePath, and then press ENTER.
Note: If AdminTemplatePath already exists, simply modify it to match the entry below.
6. Double-click the AdminTemplatePath registry value, type %LocalAppData%\Microsoft\DRM\Templates in the Value data box, and then click OK.
7. Close Registry Editor.

Add the AD RMS URL to Trusted Sites

The following steps show you how to add the AD RMS URL to trusted sites in Internet Explorer.

To add the AD RMS URL

1. Log on to RES-CLT1 as corp\ljacobson.
2. Click Start, click All Programs, and select Internet Explorer.
3. Once Internet Explorer opens, in the top right corner, select Tools and click Internet Options from the drop-down. This will bring up the Internet Options window.
4. From the Internet Options screen, click the Security tab, and select Trusted Sites from the Select a zone to view or change security settings box.
5. Click the Sites button. This will bring up a Trusted Sites window.
6. In the Add this website to the zone: box, type https://res-adrms.resource.fabrikam.net, and click Add.
7. Click Close.
8. From the Internet Options screen, click OK.
9. Close Internet Explorer.

See Also
Implementing the Procedures in this Document

Testing the Implementation

The steps in this section explain how to test the implementation of the previous section.
Once you complete these steps, AD RMS should be working in the resource forest and users from the accounts forest should be able to log on in order to create and consume protected e-mail content. Subsequent sections will show how to automate this solution.

This section includes the following steps:
Step 1 - Run ACCOUNT MA Full Import
Step 2 - Run RESOURCE MA Full Import
Step 3 - Run ACCOUNT MA Full Synch
Step 4 - Run RESOURCE MA Export
Step 5 - Run RESOURCE MA Delta Import
Step 6 - Use Active Directory Migration Tool to Migrate a Test User
Step 7 - Use Exchange System Manager to Create Linked Mailbox
Step 8 - Add Users to Groups
Step 9 - Run RESOURCE MA Delta Import
Step 10 - Run RESOURCE MA Full Synch
Step 11 - Run ACCOUNT MA Export
Step 12 - Run ACCOUNT MA Delta Import
Step 13 - Create Protected E-mail Content on RES-CLT1
Step 14 - Consume Protected E-mail Content on ACC-CLT1
Step 15 - Create Protected E-mail Content on ACC-CLT1
Step 16 - Consume Protected E-mail Content on RES-CLT1

See Also
AD RMS Deployment in a Resource Forest Step-by-Step Guide
Prerequisites for AD RMS Deployment in a Resource Forest
Implementing the Procedures in this Document
Automating the Implementation

Step 1 - Run ACCOUNT MA Full Import

In this step we will be initializing the Identity Lifecycle Manager 2007 environment by running a full import on the ACCOUNT management agent.

Running ACCOUNT Management Agent Full Import

The following steps show how to run a full import on the ACCOUNT management agent.

To run a full import on the ACCOUNT MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.
3. In Identity Manager, go to the top and select Management Agents.
4. Under Management Agents, select ACCOUNT and on the right, under Actions, click Run. This will bring up the Run Management Agent window.
5. On the Run Management Agent window, select FI and click OK.
6. In the lower right, verify the status is Success.
7. Close Identity Manager.

Step 2 - Run RESOURCE MA Full Import

In this step we will be initializing the Identity Lifecycle Manager 2007 environment by running a full import on the RESOURCE management agent.

Running RESOURCE Management Agent Full Import

The following steps show how to run a full import on the RESOURCE management agent.

To run a full import on the RESOURCE MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.
3. In Identity Manager, go to the top and select Management Agents.
4. Under Management Agents, select RESOURCE and on the right, under Actions, click Run. This will bring up the Run Management Agent window.
5. On the Run Management Agent window, select FI and click OK.
6. In the lower right, verify the status is Success.
7. Close Identity Manager.

Step 3 - Run ACCOUNT MA Full Synch

In this step we will be populating the metaverse and provisioning the users from the accounts forest into the resource forest.

Running ACCOUNT Management Agent Full Synchronization

The following steps show how to run a full synchronization on the ACCOUNT management agent.

To run a full synch on the ACCOUNT MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.
3. In Identity Manager, go to the top and select Management Agents.
4. Under Management Agents, select ACCOUNT and on the right, under Actions, click Run. This will bring up the Run Management Agent window.
5. On the Run Management Agent window, select FS and click OK.
6. In the lower right, verify the status is Success.
7. Close Identity Manager.

Step 4 - Run RESOURCE MA Export

In this step we will be exporting the newly provisioned users into the resource forest. This step will create the new disabled users in the resource forest.

Running RESOURCE Management Agent Export

The following steps show how to run an export on the RESOURCE management agent.

To run an export on the RESOURCE MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.
3. In Identity Manager, go to the top and select Management Agents.
4. Under Management Agents, select RESOURCE and on the right, under Actions, click Run. This will bring up the Run Management Agent window.
5. On the Run Management Agent window, select E and click OK.
6. In the lower right, verify the status is Success.
7. Close Identity Manager.

Step 5 - Run RESOURCE MA Delta Import

In this step we will be confirming the export to the resource forest environment by running a delta import on the RESOURCE management agent.

Running RESOURCE Management Agent Delta Import

The following steps show how to run a delta import on the RESOURCE management agent.

To run a delta import on the RESOURCE MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.
3. In Identity Manager, go to the top and select Management Agents.
4. Under Management Agents, select RESOURCE and on the right, under Actions, click Run. This will bring up the Run Management Agent window.
5. On the Run Management Agent window, select DI and click OK.
6. In the lower right, verify the status is Success.
7. Close Identity Manager.

Step 6 - Use Active Directory Migration Tool to Migrate a Test User

In this step we use ADMT to migrate a test user. The user has already been created in the previous steps. This step is done in order to migrate the accounts forest user's SID.

Using ADMT to Migrate a Test User

The following steps show how to use ADMT to migrate a test user.

To migrate a test user using ADMT

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click Administrative Tools, and click Active Directory Migration Tool. This will bring up ADMT.
3. At the top, in the left pane, right-click Active Directory Migration Tool, and select User Account Migration Wizard. This will launch the User Account Migration Wizard.
4. On the Welcome to the User Account Migration Wizard screen, click Next.
5. On the Domain Selection screen, under Source for Domain enter corp.fabrikam.com.
6. On the Domain Selection screen, under Source for Domain controller enter ACC-DC.corp.fabrikam.com.
7. On the Domain Selection screen, under Target for Domain enter resource.fabrikam.net.
8. On the Domain Selection screen, under Target for Domain controller enter RES-DC.resource.fabrikam.net. Click Next.
9. On the User Selection Option screen, leave the radio button selected for Select users from domain. Click Next.
10. On the User Selection screen, click Add. This will bring up the Select Users dialog box.
11. On the Select Users dialog box, under Enter the object names to select, enter Britta Simon and click Check Names. Once that has resolved and is underlined, click OK. This will close the Select Users dialog box.
12. On the User Selection screen, click Next.
13. On the Organizational Unit Selection screen, next to the box for Target OU, click Browse. This will bring up the Browse for Container dialog box.
14. On the Browse for Container dialog box, select ResourceForestUsers. Click OK. This will close the Browse for Container dialog box.
15. On the Organizational Unit Selection screen, click Next.
16. On the Password Options screen, leave the defaults and click Next.
17. On the Account Transition Options screen, under Target Account State, select Disable target accounts.
18. On the Account Transition Options screen, place a check in Migrate user SIDs to target domain. Click Next.
19. On the User Account screen, under User name: enter Administrator.
20. On the User Account screen, under Password enter Pass1word!.
21. On the User Account screen, under Domain enter CORP.
22. On the User Account screen, click Next.
23. On the User Options screen, leave the defaults and click Next.
24. On the Object Property Exclusion screen, leave the defaults and click Next.
25. On the Conflict Management screen, select Migrate and merge conflicting objects. Click Next.
26. On the Completing the User Account Migration Wizard screen, review the summary and click Finish. This will launch the Migration Progress window.
27. On the Migration Progress screen, verify the Status: is Completed, and that under Users it reports 1 for Examined and 1 for Copied.
28. On the Migration Progress screen, click Close.
29. Close Active Directory Migration Tool.

Step 7 - Use Exchange System Manager to Create Linked Mailbox

In this step we use the Exchange Management Console to create a linked mailbox for the user we just migrated. A linked mailbox is a mailbox that is associated with an external account.

Using Exchange Management Console to Create a Linked Mailbox

The following steps show how to use Exchange Management Console to create a linked mailbox.

To create a linked mailbox

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.
3. In the Exchange Management Console, expand Recipient Configuration, and click Mailbox.
4. On the right, in the Actions pane, click New Mailbox to start the New Mailbox wizard.
5. On the Introduction screen, select Linked Mailbox and click Next.
6. On the User Type screen, select Existing users and click Browse. This will bring up the Select User – resource.fabrikam.net dialog box.
7. On the Select User – resource.fabrikam.net screen, select Britta Simon and click OK. This will close the Select User – resource.fabrikam.net dialog box.
8. On the User Type screen, click Next.
9. On the Mailbox Settings screen, under Alias enter bsimon.
10. On the Mailbox Settings screen, under Mailbox database click Browse. This will bring up the Select Mailbox Database screen.
11. On the Select Mailbox Database screen, select the database that appears and click OK. This will close the Select Mailbox Database screen.
12. On the Mailbox Settings screen, click Next.
13. On the Master Account screen, under Trusted forest or domain click Browse. This will bring up the Select Trusted Forest or Domain dialog box.
14. On the Select Trusted Forest or Domain screen, select corp.fabrikam.com and click OK. This will close the Select Trusted Forest or Domain dialog box.
15. On the Master Account screen, under Linked domain controller click Browse. This will bring up the Select Global Catalog dialog box.
16. On the Select Global Catalog screen, select ACC-DC.corp.fabrikam.com and click OK. This will close the Select Global Catalog dialog box.
17. On the Master Account screen, under Linked master account click Browse. This will bring up the Select User dialog box.
18. On the Select User screen, select Britta Simon and click OK. This will close the Select User dialog box.
19. On the Master Account screen, click Next.
20. On the New Mailbox screen, review the summary and click New.
21. On the Completion screen, verify that it was successful and click Finish.
22. Close Exchange Management Console.

Step 8 - Add Users to Groups

In this step we will be adding the users in the resource forest to specific security groups.

Add Test Users to Test Groups

This section lists the steps for adding our test users to our test groups.

Table: Account Summary

First Name | Last Name | User logon name | Member of
Britta | Simon | bsimon | All FTE
Lola | Jacobson | ljacobson | All FTE
Nicole | Holliday | nholliday | All FTE
Limo | Henig | lhenig | All Contractors

To add test user accounts to test groups

1. Log on to the RES-DC.corp.fabrikam.com server as Administrator.
2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.
3. Expand resource.fabrikam.net, select ResourceForestUsers, right-click Britta Simon, and select Properties. This will bring up the Britta Simon Properties window.
4. On the Member of tab, click Add. This will bring up the Select Groups dialog box.
5. On the Select Groups dialog box, in the Enter the object names to select (examples) box, enter All FTE and click Check Names. This should resolve with an underline.
6. Click OK. This will close the Select Groups dialog box.
7. On the Britta Simon Properties window, click Apply.
8. Click OK. This will close the Britta Simon Properties dialog box.
9. Repeat these steps for all of the accounts listed in the Account Summary table, substituting the appropriate Member of value.
10. Close Active Directory Users and Computers.

Step 9 - Run RESOURCE MA Delta Import

In this step we will be importing the resource users' mail attribute into the Identity Lifecycle Manager 2007 FP1 connector space. This attribute was newly populated in the last step when we created the linked mailboxes.

Running RESOURCE Management Agent Delta Import

The following steps show how to run a delta import on the RESOURCE management agent.

To run a delta import on the RESOURCE MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.
3. In Identity Manager, go to the top and select Management Agents.
4. Under Management Agents, select RESOURCE and on the right, under Actions, click Run. This will bring up the Run Management Agent window.
5. On the Run Management Agent window, select DI and click OK.
6. In the lower right, verify the status is Success.
7. Close Identity Manager.

Step 10 - Run RESOURCE MA Full Synch

In this step we will be populating the metaverse with the newly imported mail attribute.

Running RESOURCE Management Agent Full Synchronization

The following steps show how to run a full synchronization on the RESOURCE management agent. A full synchronization is run rather than a delta because this management agent has not had a synchronization run on it yet.

To run a full synch on the RESOURCE MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.
3. In Identity Manager, go to the top and select Management Agents.
4. Under Management Agents, select RESOURCE and on the right, under Actions, click Run. This will bring up the Run Management Agent window.
5. On the Run Management Agent window, select FS and click OK.
6. In the lower right, verify the status is Success.
7. Close Identity Manager.

Step 11 - Run ACCOUNT MA Export

In this step we will be exporting the mail attribute. This will populate the mail attribute of the users in the ACCOUNTS forest.

Running ACCOUNT Management Agent Export

The following steps show how to run an export on the ACCOUNT management agent.

To run an export on the ACCOUNT MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.
3. In Identity Manager, go to the top and select Management Agents.
4. Under Management Agents, select ACCOUNT and on the right, under Actions, click Run. This will bring up the Run Management Agent window.
5. On the Run Management Agent window, select E and click OK.
6. In the lower right, verify the status is Success.
7. Close Identity Manager.

Step 12 - Run ACCOUNT MA Delta Import

In this step we will be confirming the export of the mail attribute.

Running ACCOUNT Management Agent Delta Import

The following steps show how to run a delta import on the ACCOUNT management agent.

To run a delta import on the ACCOUNT MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.
2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.
3. In Identity Manager, go to the top and select Management Agents.
4. Under Management Agents, select ACCOUNT and on the right, under Actions, click Run. This will bring up the Run Management Agent window.
5. On the Run Management Agent window, select DI and click OK.
6. In the lower right, verify the status is Success.
7. Close Identity Manager.

Step 13 - Create Protected E-mail Content on RES-CLT1

In this step you will log on to the client computer and create a protected e-mail message.

To create a protected e-mail message

1. Log on to RES-CLT1.resource.fabrikam.net as Lola Jacobson.
2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Outlook 2007. This will bring up the Add New E-mail Account wizard.
3. The Auto Account Setup screen should contain Lola Jacobson’s information. Click Next.
4. On the Choose E-mail Service screen, select the radio button next to Microsoft Exchange. Click Next.
5. On the Congratulations! screen, click Finish. This will start Microsoft Office Outlook 2007.
6. Inside Outlook, at the top select New. This will display a new e-mail window.
7. On the e-mail screen, click To. This will bring up the Select Names: Global Address List screen.
8. On the Select Names: Global Address List screen, select All Staff, click To, and then click OK. This will close the Select Names: Global Address List screen.
9. On the e-mail screen, next to Subject, enter Test e-mail.
10. On the e-mail screen, in the main box, after Subject, enter This is a rights protected test e-mail.
11. On the e-mail screen, in the upper-left corner, click the Office icon button. This will reveal a drop-down menu.
12. From the drop-down, select Permission, and then Fabrikam Confidential.
Note: If you do not see Fabrikam Confidential, verify that the template has been copied and resides in C:\Users\ljacobson\AppData\Local\Microsoft\DRM\Templates.
If it does not, you can manually copy the templates from es-adrmsADRMSPublic and put them in the Templates folder.13.This may display a Select User screen that says: Select one of the following user accounts to create or open content with restricted permission. To use an account not listed below, click Add. If this window appears, select bsimon@resource.fabrikam.net and then click OK.14.This will display a Security Alert screen that says This page requires a secure connection which includes server authentication. The Certificate issuer for this site is untrusted or unknown. Do you wish to proceed? Click View Certificate. This will bring up the certificate.15.On the certificate, click Install Certificate. This will start the Welcome to the Certificate Import Wizard. Click Next.16.On the Certificate Store screen, leave Automatically select the certificate store based on the type of certificate selected and then click Next.17.On the Completing the Certificate Import Wizard screen, review the summary and then click Finish. This should display a dialog box that reports The import was successful. Click OK.18.On the certificate, click OK. This will close certificate.19.On the Security Alert screen, click Yes.20.This will display a credential box that has the header Connect to res-dc.resource.fabrikam.net. For User Name enter ljacobson. For password enter Pass1word!. Click OK.21.At this point, you should notice the following at the top of your e-mail: Fabrikam Confidential. Click Send.<br />Step 14 - Consume Protected E-mail Content on ACC-CLT1<br />In this step, you will log on to a client computer and attempt to read the e-mail message that was sent in the previous step.<br />To consume a protected e-mail message<br />1.Log on to the ACC-CLT1.corp.fabrikam.com Server as Britta Simon.2.Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Outlook 2007. 
This will bring up the Add New E-mail Account wizard.3.On the E-mail Accounts screen, under You can configure Outlook to connect to Internet E-mail, Microsoft Exchange, or other E-mail server. Would you like to configure an E-mail account? Select Yes and then click Next. 4.On the Auto Account Setup screen, place a check in Manually configure server settings or additional server types. Click Next.5.On the Choose E-mail Service screen, select the radio button next to Microsoft Exchange. Click Next.6.On the Microsoft Exchange Settings screen, next to Microsoft Exchange Server, enter RES-DC.resource.fabrikam.net.7.On the Microsoft Exchange Settings screen, next to User Name, enter Britta Simon. Click Check Name. This should resovle with an underline.8.On the Microsoft Exchange Settings screen, click Next.9.On the Congratulations! screen, click Finish. This will start Microsoft Office Outlook 2007.10.In Outlook, there should be an e-mail in Britta Simon’s inbox. This is the e-mail that was sent in the previous step. Click it.11.This will display a Security Alert screen that says This page requires a secure connection which includes server authentication. The Certificate issuer for this site is untrusted or unknown. Do you wish to proceed? Click View Certificate. This will bring up the certificate.12.On the e-mail screen, click To. This will bring up the Select Names: Global Address List screen. 13.On the Select Names: Global Address List screen, select All Staff, click To and then click OK. This will close the Select Names: Global Address List screen.14.On the certificate, click Install Certificate. This will start the Welcome to the Certificate Import Wizard. Click Next.15.On the Certificate Store screen, leave Automatically select the certificate store based on the type of certificate selected and then click Next.16.On the Completing the Certificate Import Wizard screen, review the summary and then click Finish. 
This should display a dialog box that reports The import was successful. Click OK.17.On the certificate, click OK. This will close certificate.18.On the Security Alert screen, click Yes.19.This will display a credential box that has the header Connect to res-adrms.resource.fabrikam.net. For User Name enter corpsimon. For password enter Pass1word!. Click OK.20.At this point, the e-mail should open and you should be able to view the contents.<br />Note <br />A user will not have to install the certificate every time that they attempt to create or consume a piece of e-mail. This only has to be done the first time. The user will be prompted for credentials every time. This is because the AD RMS Prelicensing Agent is not supported in this configuration.<br />Step 15 - Create Protected E-mail Content on ACC-CLT1<br />In this step you log on to the client computer and create a protected e-mail message.<br />To create a protected e-mail message<br />1.Log on to the ACC-CLT1.corp.fabrikam.com as Britta Simon.2.Click Start, select All Programs, click Microsoft Office, and then select Microsoft Office Outlook 2007.3.Inside Outlook, at the top select New. This will display a new e-mail window.4.On the e-mail screen, click To. This will bring up the Select Names: Global Address List screen.5.On the Select Names: Global Address List screen, select All Staff, click To and then click OK. This will close the Select Names: Global Address List screen.6.On the e-mail screen, next to Subject, enter Another test e-mail.7.On the e-mail screen, in the main box, after Subject, enter This is a rights protected test e-mail.8.On the e-mail screen, in the upper-left corner, click the Office icon button. This will reveal a drop-down menu.9.From the drop-down, select Permission, and then select Fabrikam Confidential.Note If you do not see Fabrikam Confidential, verify that the template has been copied over and resides in the following C:UsersljacobsonAppDataLocalMicrosoftDRMTemplates. 
If they do not, you can manually copy over the templates from es-adrmsADRMSPublic and put them in the Templates folder.10.This will display a Security Alert screen that says This page requires a secure connection which includes server authentication. The Certificate issuer for this site is untrusted or unknown. Do you wish to proceed? Click Yes.11.This will display a credential box that has the header Connect to res-dc.resource.fabrikam.net. For User Name enter corpsimon. For password enter Pass1word!. Click OK.12.At this point, you should notice that at the top of your e-mail is the following: Fabrikam Confidential. Click Send.<br />Step 16 - Consume Protected E-mail Content on RES-CLT1<br />In this step, you will log on to a client computer and attempt to read the e-mail message that was sent in the previous step.<br />To consume a protected e-mail message<br />1.Log on to the RES-CLT1.resource.fabrikam.net server as Lola Jacobson.2.Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Outlook 2007.3.In Outlook, there should be an e-mail
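To check the state that Steps 8 through 12 above are expected to leave behind before moving on to the Outlook tests, here is an added PowerShell script that is not part of the whitepaper. It assumes the ActiveDirectory module is available on RES-DC, that the account forest is reachable by its domain name, and that each account-forest master account carries the same logon name as its resource-forest counterpart.

```powershell
# Added example, not from the whitepaper. For each account in the Step 8
# Account Summary table, checks that the resource-forest user is in its
# expected group, that its linked mailbox points at the account-forest user
# with the same logon name (an assumption of this script), and that the mail
# attribute ILM exported in Steps 9-12 matches in both forests.
Import-Module ActiveDirectory

$resourceDc    = 'res-dc.resource.fabrikam.net'   # from the whitepaper
$accountDomain = 'corp.fabrikam.com'              # account forest (whitepaper)
$accountCred   = Get-Credential                   # any account-forest reader

# Account Summary table from Step 8: logon name -> expected group
$expected = @{
    'bsimon'    = 'All FTE'
    'ljacobson' = 'All FTE'
    'nholliday' = 'All FTE'
    'lhenig'    = 'All Contractors'
}

function Test-ResourceForestUser {
    param([string]$Logon, [string]$Group)

    $res = Get-ADUser -Identity $Logon -Server $resourceDc `
                      -Properties mail, memberOf, msExchMasterAccountSid
    $acc = Get-ADUser -Identity $Logon -Server $accountDomain `
                      -Credential $accountCred -Properties mail

    # memberOf holds group DNs; resolve each one to its display name
    $groups = @($res.memberOf | ForEach-Object {
        (Get-ADGroup -Identity $_ -Server $resourceDc).Name })

    # New-Object rather than [pscustomobject] so this runs on PowerShell 2.0
    New-Object PSObject -Property @{
        User         = $Logon
        InGroup      = ($groups -contains $Group)
        # linked mailbox: the master account SID must be the account-forest user
        LinkedToAcc  = ("$($res.msExchMasterAccountSid)" -eq "$($acc.SID)")
        ResourceMail = $res.mail
        AccountMail  = $acc.mail
        # Steps 9-12: ILM copies mail from the resource forest to ACCOUNTS
        MailSynced   = ([bool]$res.mail -and ($res.mail -eq $acc.mail))
    }
}

foreach ($logon in $expected.Keys) {
    Test-ResourceForestUser -Logon $logon -Group $expected[$logon]
}
```

A row with MailSynced false after Step 12 means the export in Step 11 did not reach that user, which is exactly what the Step 12 delta import is meant to confirm.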
