Windows Server 2019: Active Directory Rights Management Service (Part 1)


// *************************
// Metadata:
// DC31:- Domain Controller (Yi.vn) - IP: 10.0.0.31
// DC32:- Exchange Server - IP: 10.0.0.32
// DC33:- Domain Member (Install AD RMS) - IP: 10.0.0.33
// DC34:- Domain Member (Install Certificate Server) - IP: 10.0.0.34
// WIN101, WIN102 clients
// Turn off firewall for all (lab shortcut only; in production keep the firewall on and open just TCP 443 to the AD RMS cluster, which clients use for certification and licensing)
// *************************

// --------
// DC31
// --------

1) DC31 > Server Manager > Tools > Active Directory Users and Computers > Active Directory Users and Computers - Yi.vn - Services > New > User:- Create in: Yi.vn/Services - Last name: rmsservices - User logon name: rmsservices@Yi.vn > Password: **** **** - (x) Password never expires >

1) a) Active Directory Users and Computers - Yi.vn - Services -
Name:              Type:
rmsservices   User
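The same account, created from DC31 with the ActiveDirectory module and followed by a least-privilege check that the wizard in step 1 does not give you. This is an added example, not part of the original notes; it assumes that "Services" under Yi.vn is an OU (OU=Services,DC=Yi,DC=vn).

```powershell
# Added example (not from the original notes): create the AD RMS service account
# on DC31 and confirm it is a plain domain user before handing it to AD RMS.
# Assumption: "Services" under Yi.vn is an OU, i.e. OU=Services,DC=Yi,DC=vn.
Import-Module ActiveDirectory

$ou   = "OU=Services,DC=Yi,DC=vn"
$name = "rmsservices"
$pw   = Read-Host -AsSecureString -Prompt "Password for $name"

New-ADUser -Name $name `
    -SamAccountName $name `
    -UserPrincipalName "$name@Yi.vn" `
    -Surname $name `
    -Path $ou `
    -AccountPassword $pw `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Enabled $true

# AD RMS runs its IIS application pool as this account. It needs nothing beyond
# Domain Users; stop if someone has put it in a privileged group.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators'
$groups = Get-ADPrincipalGroupMembership -Identity $name |
          Select-Object -ExpandProperty Name
$bad = $groups | Where-Object { $privileged -contains $_ }
if ($bad) { throw "$name must not be a member of: $($bad -join ', ')" }
"$name created in $ou; member of: $($groups -join ', ')"
```

Run it as a domain administrator on DC31; the membership check is what you would repeat later whenever the account is touched, since the AD RMS configuration wizard only warns about, and does not block, an over-privileged service account.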

// --------
// DC34 - Install Certificate Server
// --------

2) DC34 > Server Manager > Manage > Add Roles and Features > Add Roles and Features - Server Selection - Server Pool:- Name: DC34.Yi.vn | IP Address: 10.0.0.34 > Add Roles and Features - Server Roles - Active Directory Certificate Services - Add Features > Add Roles and Features - AD CS - Role Services - (x) Certification Authority | (x) Certification Authority Web Enrollment - Add Features > Configure Active Directory Certificate Services on the destination server > AD CS Configuration - Credentials - Credentials: YI\Administrator > AD CS Configuration - Role Services - (x) Certification Authority | (x) Certification Authority Web Enrollment > AD CS Configuration - Setup Type - (x) Enterprise CA > AD CS Configuration - CA Type - (x) Root CA > AD CS Configuration - Private Key - (x) Create a new private key > AD CS Configuration - Cryptography - Select a cryptographic provider: RSA#Microsoft Software Key Storage Provider | Select the hash algorithm for signing certificates issued by this CA: SHA256 > AD CS Configuration - CA Name - Common name for this CA: Yi-CA | Distinguished name suffix: DC=Yi,DC=vn | Preview of distinguished name: CN=Yi-CA,DC=Yi,DC=vn > AD CS Configuration - Validity Period: 5 Years >
AD CS Configuration - Certificate Database - Certificate database location: C:\Windows\system32\CertLog | Certificate database log location: C:\Windows\system32\CertLog > Configure >

2) i) DC34 > Server Manager > Tools > Certification Authority > certsrv - Certification Authority (Local) - Yi-CA - (right-click) Certificate Templates > Manage > Certificate Templates Console (DC31.Yi.vn) - (right-click) Web Server > Duplicate Template > Properties of New Template - General - Template display name: SSL | Template name: SSL | Validity period: 2 years | Renewal period: 6 weeks | (x) Publish certificate in Active Directory > Properties of New Template - Request Handling - (x) Allow private key to be exported > Properties of New Template - Security - Add - Enter the object names to select: DC32 (YI\DC32$); DC33 (YI\DC33$); DC34 (YI\DC34$) - Permissions for DC32: (x) Read | (x) Enroll - Permissions for DC33: (x) Read | (x) Enroll - Permissions for DC34: (x) Read | (x) Enroll >

2) ii) DC34 > Server manager > Tools > Certification Authority > certsrv - Certification Authority (Local) - Yi-CA - (right-click) Certificate Templates > New > Certificate Template to issue > (x) Name: SSL | Intended Purpose: Server Authentication >

2) iii) DC34 > run > wf.msc > Windows Defender Firewall Properties > Domain Profile - Firewall State: Off > Private Profile - Firewall State: Off > Public Profile - Firewall State: Off >
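The AD CS part of step 2 as PowerShell, run on DC34 with the same choices the wizard was given, plus two checks worth doing before moving to DC33. This is an added example, not from the original notes. It assumes a 2048-bit CA key (the notes do not state a length; 2048 is the wizard default for this KSP). Duplicating the Web Server template into "SSL" (step 2 i) has no cmdlet and stays in the Certificate Templates console; publishing it on the CA (step 2 ii) is scriptable with Add-CATemplate.

```powershell
# Added example (not from the original notes): Enterprise Root CA "Yi-CA" on DC34
# with the wizard's settings. Assumption: 2048-bit RSA key (not stated on the page).
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCa `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -CACommonName "Yi-CA" `
    -CADistinguishedNameSuffix "DC=Yi,DC=vn" `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -DatabaseDirectory "C:\Windows\system32\CertLog" `
    -LogDirectory "C:\Windows\system32\CertLog" `
    -Force

Install-AdcsWebEnrollment -Force

# Step 2 ii): publish the "SSL" template (created in the console in step 2 i)
# so DC32/DC33/DC34 can enroll for it.
Add-CATemplate -Name "SSL" -Force

# Check 1: the template really is issued by this CA.
if (-not (Get-CATemplate | Where-Object Name -eq "SSL")) {
    throw "SSL template is not published on this CA"
}

# Check 2: the root certificate landed in the local Root store and is SHA-256
# signed, as requested above (a SHA-1 root would be rejected by modern clients).
$caCert = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -like "CN=Yi-CA*" } |
          Select-Object -First 1
if (-not $caCert) { throw "Yi-CA root certificate not found in Cert:\LocalMachine\Root" }
if ($caCert.SignatureAlgorithm.FriendlyName -ne 'sha256RSA') {
    throw "CA certificate is signed with $($caCert.SignatureAlgorithm.FriendlyName), expected sha256RSA"
}
"Yi-CA ready; thumbprint $($caCert.Thumbprint), valid until $($caCert.NotAfter)"
```

Because this is an Enterprise CA, the root certificate is also published to the domain's NTAuth and Root stores through Group Policy, which is why DC33 can later trust the "SSL" certificate it enrolls for without any manual import.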

// --------
// DC33 - Login as Yi\Administrator - Install AD RMS Cluster
// --------

3) DC33 > run > mmc > File > Add/Remove Snap-in > Certificates > Add > This snap-in will always manage certificates for: (x) Computer account > Next > (x) Local computer > Finish

3) i) DC33 > run > wf.msc > Windows Defender Firewall Properties > Domain Profile - Firewall State: Off > Private Profile - Firewall State: Off > Public Profile - Firewall State: Off >


3) ii) DC33 > mmc > Console Root - Certificates (Local Computer) - (right-click) Personal > All Tasks > Request New Certificate > (x) SSL | Status: Available > More information is required to enroll for this certificate. Click here to configure settings > Certificate Properties - Subject name:- Type: Common name | Value: DC33 > Add > CN=DC33 || Alternative name:- Type: DNS | Value: DC33.Yi.vn > Add > DC33.Yi.vn > Enroll


3) iii) DC33 > Server Manager > Manage > Add Roles and Features > Add Roles and Features - Server Selection - Server Pool:- Name: DC33.Yi.vn | IP Address: 10.0.0.33 > Add Roles and Features - Server Roles - Active Directory Rights Management Services - Add Features > Add Roles and Features - AD RMS - Role Services - (x) Active Directory Rights Management Server > Install

3) iv) DC33 > Post-Deployment Configuration > Perform additional configuration (i.e. configuration required for Active Directory Rights Management Services at DC33) > AD RMS - AD RMS Cluster - (x) Create a new AD RMS root cluster > AD RMS - AD RMS Cluster - Configuration Database - (x) Use Windows Internal Database on this server > AD RMS - AD RMS Cluster - Service Account - Domain user account (i.e. the standard domain user created in step 1: YI\rmsservices) :- User name: rmsservices | Password: ******** | Domain: Yi > AD RMS - AD RMS Cluster - Cryptographic Mode: (x) Cryptographic Mode 2 (RSA 2048-bit keys / SHA-256 hashes) > AD RMS - AD RMS Cluster - Cluster Key Storage - (x) Use AD RMS centrally managed key storage > AD RMS - AD RMS Cluster - Cluster Key Password - Password: ******** > AD RMS - AD RMS Cluster - Cluster Address > Connection type: (x) Use an SSL-encrypted connection (https) | Fully qualified domain name: https://dc33.Yi.vn > AD RMS - AD RMS Cluster - Server Certificate - (x) Choose an existing certificate for SSL encryption (recommended):-
Issued to:    Issued by:   Expiration Date:
DC33          Yi-CA        11/17/2020


3) v) DC33 > AD RMS - AD RMS Cluster - Licensor Certificate - Name: DC33 > AD RMS - AD RMS Cluster - SCP Registration - (x) Register the SCP now > Install >

3) vi) DC33 > Reboot >

3) vii) DC33 > Server Manager > Tools > IIS Manager > IIS Manager - DC33 (YI\Administrator) - sites - Default Web Site > (right-hand side) Edit Site - Bindings - (click Edit) Type: https | Port: 443 > Edit Site Binding - SSL Certificate: DC33 > OK > IIS Manager - DC33 (YI\Administrator) - sites - Default Web Site - _wmcs - Authentication:- Name: Anonymous Authentication | Status: Enabled > IIS Manager - DC33 (YI\Administrator) - sites - Default Web Site - _wmcs - certification - Authentication:- Name: Anonymous Authentication | Status: Enabled > IIS Manager - DC33 (YI\Administrator) - sites - Default Web Site - _wmcs - licensing - Authentication:- Name: Anonymous Authentication | Status: Enabled >  

3) viii) DC33 > IIS Manager - DC33 (YI\Administrator) - Sites - Default Web Site - _wmcs - certification - (right-click) Switch to Content View > /_wmcs/certification Content - (x) ServerCertification.asmx > Edit Permissions > ServerCertification.asmx Properties - Security - Edit > Add > Enter the object names to select: DC32; Exchange Servers; rmsservices (rmsservices@Yi.vn) > select ServiceLocator.asmx > Switch to Features View > IIS Manager - DC33 (YI\Administrator) - Sites - Default Web Site - _wmcs - certification - ServiceLocator.asmx - Authentication:- Name: Anonymous Authentication | Status: Disabled >
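Step 3 end to end on DC33 as PowerShell: the certificate request from 3 ii, the role and root-cluster configuration from 3 iii-3 v, and a read-back of what 3 vii-3 viii set up in IIS and in Active Directory. This is an added example and not part of the original notes. It assumes the ADRMSInstall provider item and property names as documented by Microsoft for Install-ADRMS (list them with `Get-ChildItem RC:\` first if your build differs), that the RSAT ActiveDirectory module is installed on DC33 for the final SCP query, and the same values the wizard was given on the page.

```powershell
# Added example (not from the original notes): AD RMS root cluster on DC33.
# Assumptions: ADRMSInstall provider paths/properties as documented for
# Install-ADRMS; RSAT-AD-PowerShell present for the SCP read-back at the end.

# 3 ii) enroll the SSL certificate (CN=DC33, SAN DC33.Yi.vn) from Yi-CA
$req = Get-Certificate -Template SSL -SubjectName "CN=DC33" -DnsName "DC33.Yi.vn" `
                       -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') { throw "Certificate request status: $($req.Status)" }
$thumb = $req.Certificate.Thumbprint

# 3 iii) role
Install-WindowsFeature ADRMS -IncludeManagementTools

# 3 iv) - 3 v) root cluster, same answers as the wizard
Import-Module ADRMS
New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster | Out-Null

Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true
$svc = Get-Credential -UserName "YI\rmsservices" -Message "AD RMS service account"
Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svc
Set-ItemProperty -Path RC:\CryptoSupport -Name SupportCryptoMode2 -Value $true   # RSA 2048 / SHA-256
Set-ItemProperty -Path RC:\ClusterKey -Name UseCentrallyManaged -Value $true
Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword `
    -Value (Read-Host -AsSecureString -Prompt "Cluster key password")
Set-ItemProperty -Path RC:\ClusterWebSite -Name WebSiteName -Value "Default Web Site"
Set-ItemProperty -Path RC:\ -Name ClusterURL -Value "https://dc33.Yi.vn:443"
Set-ItemProperty -Path RC:\SSLCertificateSupport -Name SSLCertificateOption -Value Existing
Set-ItemProperty -Path RC:\SSLCertificateSupport -Name Thumbprint -Value $thumb
Set-ItemProperty -Path RC:\ -Name SLCName -Value "DC33"      # licensor certificate name
Set-ItemProperty -Path RC:\ -Name RegisterSCP -Value $true   # register the SCP now
Install-ADRMS -Path RC:\ -Force
# 3 vi) reboot here before running the checks below.

# 3 vii) - 3 viii) read back the IIS state the notes set by hand
Import-Module WebAdministration
if (-not (Get-WebBinding -Name "Default Web Site" -Protocol https)) {
    throw "Default Web Site has no https binding"
}
$site = 'IIS:\Sites\Default Web Site'
$anon = '/system.webServer/security/authentication/anonymousAuthentication'
foreach ($p in '_wmcs', '_wmcs/certification', '_wmcs/licensing',
              '_wmcs/certification/ServiceLocator.asmx') {
    $v = Get-WebConfigurationProperty -PSPath "$site/$p" -Filter $anon -Name enabled
    "{0,-45} anonymous auth enabled: {1}" -f $p, $v.Value
}
# Exchange (DC32) must be able to reach ServerCertification.asmx
$acl = Get-Acl "C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx"
$acl.Access | Where-Object { $_.IdentityReference -match 'DC32\$|Exchange Servers|rmsservices' } |
    Select-Object IdentityReference, FileSystemRights

# the SCP that RegisterSCP wrote into the configuration partition; clients and
# Exchange discover the cluster URL from here
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=RightsManagementServices,CN=Services,$cfg" `
    -Filter 'objectClass -eq "serviceConnectionPoint"' -Properties serviceBindingInformation |
    Select-Object -ExpandProperty serviceBindingInformation
```

The last query should return the cluster URL entered above; if it is empty, the SCP was not registered and clients will fall back to registry overrides or fail to find the cluster. The ACL listing is the thing to confirm after step 3 viii: if YI\DC32$ or Exchange Servers is missing Read and Execute on ServerCertification.asmx, Exchange IRM will fail to obtain a Rights Account Certificate even though the web service itself answers.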
