Implementing and administering AD RMS

 Aug 21, 2015

Active Directory Rights Management Services (AD RMS) is an information protection technology that protects data both in transit and at rest. With Rights Management Services you can protect documents sent via email so that the messages cannot be opened by unintended recipients. You can also protect documents stored on USB drives, in SharePoint document libraries, or on company file servers.

In an RMS deployment, the key components are the AD RMS server, the AD RMS client, and AD RMS-enabled applications. The RMS server is the core component: it stores all licenses for RMS-protected documents. The RMS client is built into client operating systems and allows RMS-enabled applications to enforce the usage rights specified in the AD RMS template. RMS-enabled applications (such as Microsoft Word) can create and consume AD RMS-protected content.

[Figure: AD-RMS]

A series of certificates is required for an AD RMS implementation: the server licensor certificate (SLC), the AD RMS machine certificate, the rights account certificate (RAC), the client licensor certificate (CLC), and the end-user license.

Now let us see how RMS works.

  1. First, the author configures rights protection for the file.
  2. The author then receives a client licensor certificate.
  3. The author defines the rights on the file.
  4. The file is then encrypted with a symmetric key.
  5. The RMS server checks whether the recipient is authorised.
  6. The RMS server uses its private key to decrypt the symmetric key.
  7. The RMS server re-encrypts the symmetric key and adds the encrypted session key to the use license.
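The seven steps above, modelled end to end as an added example (this is constructed teaching code, not AD RMS or any Microsoft code). Textbook RSA with a demo-sized modulus stands in for the certificate key pairs, and an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for the real symmetric cipher; the `RmsServer`, `publish` and `consume` names and the dictionary shapes for the protected document and the use license are assumptions made for this model. What it shows is the key-handling shape the steps describe: the content key is only ever wrapped to the server's key, the server checks authorisation before unwrapping it, and it re-wraps the key to the recipient's own RAC key so that a use license issued to one user is useless to another.

```python
"""Toy model of the AD RMS protect/consume flow (constructed example, not AD RMS code).
Textbook RSA stands in for the certificate keys; an HMAC-SHA256 keystream plus HMAC tag
stands in for AES. Demo-sized keys: the shape of the exchange is the point, not the strength."""
import hashlib
import hmac
import secrets

# ---- toy RSA: key generation plus wrap/unwrap of a short content key ----
def is_probable_prime(n, rounds=24):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(cand):
            return cand

def rsa_keypair(bits=256, e=65537):
    """Returns ((n, e), (n, d)); demo-sized, far too small for real use."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_wrap(pub, key):
    return pow(int.from_bytes(key, "big"), pub[1], pub[0])

def rsa_unwrap(priv, wrapped, length=16):
    m = pow(wrapped, priv[1], priv[0])
    if m >= 1 << (8 * length):  # wrong private key: result is not a key-sized value
        raise ValueError("wrapped key does not unwrap under this key")
    return m.to_bytes(length, "big")

# ---- toy symmetric cipher: HMAC-SHA256 keystream (CTR style), then HMAC tag ----
def _subkey(key, label):
    return hashlib.sha256(label + key).digest()  # separate encryption and MAC keys

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def sym_encrypt(key, plaintext):
    nonce = secrets.token_bytes(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("protected content has been tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

# ---- the RMS roles (names are assumptions for this model) ----
class RmsServer:
    """Holds the server licensor key: the only party able to unwrap content keys."""
    def __init__(self):
        self.public, self._private = rsa_keypair()
        self._racs = {}  # user -> RAC public key

    def issue_rac(self, user, user_public):
        self._racs[user] = user_public  # the RAC binds a user identity to a key

    def request_use_license(self, doc, user):
        rights = doc["rights"].get(user)  # step 5: is the recipient authorised?
        if not rights:
            raise PermissionError(f"{user} has no rights on this document")
        content_key = rsa_unwrap(self._private, doc["wrapped_key"])  # step 6
        return {"user": user, "rights": rights,  # step 7: re-wrap to the recipient's RAC key
                "wrapped_key": rsa_wrap(self._racs[user], content_key)}

def publish(server_public, plaintext, rights):
    """Author side (steps 3-4): fresh symmetric key, content encrypted, key wrapped to the server."""
    content_key = secrets.token_bytes(16)
    return {"ciphertext": sym_encrypt(content_key, plaintext),
            "wrapped_key": rsa_wrap(server_public, content_key), "rights": rights}

def consume(doc, use_license, user_private):
    """Recipient side: unwrap the content key from the use license, then decrypt."""
    return sym_decrypt(rsa_unwrap(user_private, use_license["wrapped_key"]), doc["ciphertext"])
```

A typical run creates an `RmsServer`, registers a RAC key for a user with `issue_rac`, calls `publish` with a rights map such as `{"alice": {"view"}}`, obtains a use license from `request_use_license` and hands it to `consume` together with that user's private key. A user absent from the rights map gets a `PermissionError` from the server, a use license presented with the wrong private key fails to unwrap, and any change to the ciphertext fails the integrity tag before decryption.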

[Figure: AD-RMS]

AD RMS can be deployed in various scenarios: in a single forest, across multiple forests, on an extranet, and integrated with Active Directory Federation Services (AD FS).

To prevent data loss, you should back up the AD RMS server. You can run AD RMS as a virtual machine and use snapshots, or use a backup product such as Microsoft Data Protection Manager.

If you want to decommission your AD RMS server, you must first put it into a state where consumers can still obtain the keys needed to decrypt their files. If you simply remove the AD RMS server from your network, consumers will no longer be able to access those files.

AD RMS provides a series of monitoring and reporting capabilities, including statistics, health and troubleshooting reports. Operations Manager can also monitor Active Directory Rights Management Services with the additional management packs.


About the Author:

San Roy  

San is a highly skilled IT infrastructure professional with over 15 years' experience in a technical training capacity. Throughout his career as a technical training consultant, San has been responsible for the development of numerous IT professionals, providing knowledge and expertise in the areas of server operating systems, database management systems, messaging and collaboration. San primarily specialises in delivering training in Microsoft products, including Windows Server OS, Windows Client OS, SQL Server, SharePoint Server and Exchange Server. Through his years of practical experience as a technical trainer he is able to provide added insight and value to students that reach beyond the scope of a standard course outline. San has established himself as one of New Horizons' preferred trainers by continually bringing a combination of technical expertise and personality to the classroom each day.
