Section 3 - Chapter 16 Flashcards

1
Q

AD RMS Databases

A

Windows Internal Database (WID) - does not support remote connections, only one server can use the db

SQL Server 2005 or later running on a separate server, provides the ability to load balance and supports remote connections

2
Q

AD RMS Infrastructure

A

IIS - provides web services

Message Queueing - ensures transaction coordination in distributed environments

AD RMS Client - access from desktop

AD DS - provides integrated authentication

3
Q

AD RMS Root Cluster

A

Installed by default on first AD RMS server

Handles certs and licensing requests

Only one root cluster per forest

Licensing Only servers for a licensing cluster

Clusters only available if the AD RMS db is on a separate server

Root and licensing only clusters independent, cannot load balance jointly

4
Q

AD RMS and AD FS

A

Can integrate to extend rights management beyond the firewall

Must establish federation trust before install of AD RMS extension

Service Account must be trusted in each forest

5
Q

AD RMS Server Enrollment

A

Self enrolled when created

Creates a server licensor cert (SLC)

6
Q

AD RMS Administration Roles

A

AD RMS Enterprise Admins - manage all aspects

AD RMS Template Admins - read info about infrastructure and list, create, modify, and export rights policy templates

AD RMS Auditors - manage logs and reports

AD RMS Service - contains service account specified on install

7
Q

AD RMS Admin Group

A

All groups are local, create global groups and insert them within the local groups

8
Q

Rights Account Certs

A

Issued by AD RMS server, identifies trusted entities that can create and publish rights enabled content

Can assign rights and conditions to the content it creates

AD RMS issues publishing license for content that is permanently attached

To view data, user must access through an AD RMS-enabled browser or application

9
Q

AD RMS Deployments

A

Single-server - WID db, components local, cannot scale, use in test environments

Internal - multiple servers tied to AD DS, separate server to host db to load balance

Extranet - provides internal services to authorized users outside the network, firewall exceptions and extranet URL on external facing web server needed

Multi-Forest - when there are existing partnerships based on AD DS forest trust, SSL cert to each website that hosts AD RMS clusters in each forest, extend forest schema to include AD RMS objects, AD RMS service account must be trusted in each forest

Licensing-only server - assign SSL cert to website hosting AD RMS root cluster and then install the root cluster

10
Q

AD RMS and AD FS deployment

A

SSL cert to website hosting AD RMS root cluster

Install root cluster

Prep federated trust relationship

Create claims aware app on resource partner

Assign Generate Security Audit user rights to AD RMS service account

Define extranet cluster URL in AD RMS

Install AD RMS Identity Federation Support

11
Q

Upgrade RMS to AD RMS

A

upgrade to latest RMS SP1

backup servers and config db

make sure all enrollment is complete

upgrade to SQL server

clear RMS Message Queuing

upgrade root cluster before upgrading licensing-only server

upgrade all other servers in the RMS cluster

12
Q

AD RMS and Core Server

A

Not Supported

13
Q

AD RMS Web Services Prerequisites

A

IIS with ASP.Net
Message Queuing
Web Server URL

14
Q

AD RMS & AD DS Domain

A

Windows 2000 SP3 or later

AD RMS must be installed in the same domain as its potential users

15
Q

AD RMS & Domain User Accounts

A

Email addresses config’d in AD DS

16
Q

AD RMS Service Account

A

Member of the Local Admins

Assigned Generate Security Audits user right

17
Q

AD RMS Installation Account

A

Local Admin

Enterprise Admin to generate service connection points

Systems Admin on external database

Must not be on a smart card

18
Q

AD RMS db instance

A

Create and name db instance

Start SQL Server Browser service before install

19
Q

AD RMS Install Cert

A

SSL cert for AD RMS cluster

Self signed cert in testing environment

Trusted external 3rd party cert in production, install cert before AD RMS install

20
Q

AD RMS Cluster Key Protection

A

Store key in AD RMS config db

21
Q

AD RMS and DNS Config

A

Create CNAME records for the root cluster URL and the db server

22
Q

AD RMS Client OS

A

Built In: Win 7, Vista & 2008 R2

Download RMS client for 2000, 2003 and XP

23
Q

AD RMS - Server Licensor Cert (SLC)

A

Self signed cert generated in setup of first server in a root cluster, other members of root cluster share this cert

Licensing-only cluster generates its own cert and shares with other members of its cluster

Default duration 250 years

24
Q

AD RMS - Rights Account Cert (RAC)

A

Issued to trusted users with email enabled AD DS accounts

Generated first time user opens rights protected content

Standard RACs identify users in relation to their computers, duration 365 days

Temporary RACs not tied to a specific computer, duration 15 minutes

RAC have public and private key

25
Q

AD RMS - Client Licensor Cert (CLC)

A

RAC requests CLC, computer must be online

Once obtained, can apply policies offline

CLC has public and private key and AD RMS cluster’s public key

26
Q

AD RMS - Machine Cert

A

Created first time an AD RMS-enabled app is used on a client

Creates a lockbox on computer to correlate machine cert with user’s profile

Machine cert has public key for computer, private key is in lockbox

27
Q

AD RMS - Publishing License

A

Created when user saves content in rights protected mode

Lists users who can use content, conditions of use and rights to content

Publishing license includes symmetric content key and public key of the cluster

28
Q

AD RMS - Use License

A

Assigned to user who opens rights protected content, tied to RAC, lists rights to content

Use license has symmetric key for decrypting, encrypted with the public key of user

29
Q

AD RMS Server Editions

A

Standard, Enterprise or Datacenter

30
Q

AD RMS Installation

A
Do not install on DC
Installs IIS, .NET Framework, Message Queuing and RSAT
Create or Join AD RMS cluster
Select db config
Locate server that hosts db
Validate db instance
Specify Service Account
Config AD RMS cluster key storage
Select AD RMS cluster web site
Specify Cluster Address, use SSL Connection
Specify cluster address (FQDN) and port
Choose a Server Authentication Cert for SSL
Name the Server Licensor Cert
Register AD RMS Service Connection
Review IIS info
Select Web Server
Install
31
Q

AD RMS - Upgrade or Migrate

A

Can update, migration easier
Add new servers, decommission old

Before:
Backup config db
Export SLC
Export and Install CSP Key on each server

After:
Update CNAME record for cluster (add new, remove old)
Run AD RMS console to check cluster
Test AD RMS connectivity from client

32
Q

AD RMS - Win PS

A

ADRmsInstall and ADRMSAdmin

Run import for modules
Import-Module Adrms
Import-Module AdRmsAdmin

33
Q

AD RMS Outside the Network

A

Server, Properties, Cluster URL tab - enable extranet URLs

Point to IIS installation, register URLs in DNS, use SSL for http, https connections, create virtual directories to host data

34
Q

AD RMS with Partners

A

Config proxy settings and install Federation Support

Config trust policies with other clusters

Trusted user domains - process requests for clusters in different forests, import Server Licensor Cert from other cluster into your cluster

Trusted publishing domain - issue use licenses for protected content from other cluster, import publishing clusters SLC and private key to your cluster

35
Q

AD RMS Certs Validation Periods

A

Must config proper periods for org

36
Q

AD RMS - Targeted

A

Config exclusion policies

37
Q

AD RMS - Export Server Licensor Cert

A

Any server that is member of cluster, Properties, Server Cert Tab, Export Cert, select location to save .bin file to

38
Q

AD RMS - Prepping Certs

A

Mandatory:
Specify duration of rights account certs

Optional:
Enable certification for mobile devices

Enable certification for server services

Authenticate clients through smart cards

39
Q

AD RMS - Specify duration of rights account cert

A

Any server member of cluster, Rights Account Cert Policies

Change Standard RAC Validity Period

Standard RAC Tab - Change Standard RAC Validity Period

Temporary RAC Tab - Change

40
Q

AD RMS - Exclusion Policies

A

Can be created for: users, applications, lockbox version and Win OSs

Any server member of cluster, Exclusion Policies, Users

Enable User Exclusion link
Exclude User link

can exclude by email address or public key assigned to user

Select exclusion method - locate user account or type public key

41
Q

AD RMS - Preparing Accounts and Access Rights

A

AD RMS includes account in db

create a stored procedure in SQL Server to auto remove the account when deleted, or a script that runs on a scheduled basis

Create a Super Users Group - users that have full access to all content to recover or modify data, usually a Universal group

Server, Security Properties, Change Super Users Settings link, Enable Super Users, Change Super User Group link, specify group

42
Q

AD RMS - Policy Templates

A

Create Template
Specify Location
Config Offline Folder Settings

Users that have access to only pre-created content do not require access to policy templates

Server, Rights Policy Templates, Create Distributed Rights Policy Template link, Specify Name and language, add user rights, specify expiration, specify extended policy, specify revocation policy

43
Q

AD RMS - Add User Rights

A

Select user or group for access to template

Select user and assign rights

Grant Owner (Author) Full Control Right With No Expiration (default)

Rights Request URL - gives users the ability to request additional rights by going to URL

44
Q

AD RMS - Specify Extended Policy Templates

A

Choose Enable Users to View Protected Content Using a Browser Add-On

Require A New User License Every Time Content is Consumed (disable client-side caching)

If You Would Like To Specify Additional Information For Your AD RMS Enabled Apps - usually reserved for developers

45
Q

AD RMS - Specify Revocation Policy Templates

A

Require Revocation check box

Specify URL where revocation is published (http:// or https://)

Refresh Interval for Revocation List (Days) - specify

File Containing Public Key Corresponding To the Signed Revocation List - specify file

46
Q

AD RMS Databases

A

Configuration db

Logging db - Message Queuing sends events to here

Directory Services db - users and their data, accessed by LDAP

47
Q

AD RMS Client Discovery

A

AD DS Service Connection Point

In complex multi forest deployments - registry overrides are placed directly on client computers

URLs in the issuance licenses for the content

48
Q

AD RMS Service Account

A

Operations: accessing network resources, querying AD DS, looking up info on database

To change service account - rc server name, change service account

49
Q

AD RMS Server Hierarchy

A

Trust Policies - trusted user domains & trusted publishing domains

Rights Policy Templates - rules and conditions applied to the content protected by using the template

Rights Account Cert Policies - change standard or temporary validity period

Exclusion Policies - user, application or lockbox exclusions

Security Policies - super users, cluster key password reset, and decommissioning (removes AD RMS from org)

Reports - statistics, health and troubleshooting reports

50
Q

AD RMS Server Properties

A

General Tab - current cluster connection point, admin contact

Cluster URLs - Intranet & Extranet, Licensing & Certification

AD RMS Servers - servers in cluster

Server Cert - Server Licensor Cert (SLC), export cert .bin file

Proxy Settings - access to external networks

Logging - enable: logging service uses Message Queuing to send log messages to logging db

SCP - provides clients the cert URL for forest, shows current and can change

51
Q

AD RMS Trusted Policies

A

rc Trusted Policies to add MS Federated Gateway Services

rc Trusted User Domains to import a domain or trust Windows Live ID, rc Enterprise to export this domain

Can select trusted users by all email domains or specific email domains

rc Trusted Publishing Domain to import a domain, rc Contoso DRM to export this domain

52
Q

AD RMS Rights Policy Templates

A

rc to Manage or archive rights policy templates

rc, Properties - specify file location for stored templates and enable export

rc Template to: create, archive, copy or view rights summary

Rc, Properties - ID Info tab, User Rights tab, Expiration Policy tab, Extended Policy tab, Revocation Policy tab

53
Q

AD RMS Exclusion Policies

A

rc Users or Applications - enable/disable user exclusion, exclude user

rc Lockbox - enable/disable exclusion

54
Q

AD RMS Security Policies

A

rc Super Users or Decommission - enable/disable

55
Q

AD RMS Certificates & Licenses

A

Server Licensor Cert (SLC) - represents the server cluster, used to sign other identity certs and by clients to encrypt materials for the server to decrypt

Security Processor Cert (SPC) - identifies client machines, used to encrypt elements stored locally

Rights Account Cert (RAC) - issued to user at first authentication against cert URL of cluster, used for future identification, by server to encrypt licenses sent to user and by client to sign CLC

Client Licensor Cert (CLC) - obtained during client activation, used to sign publishing licenses embedded in encrypted docs

Publishing Licenses - used to express rights over a document

Use License - expresses the rights one user has over one doc

56
Q

AD RMS Cert Standard

A

XrML format - expresses complex lists of rights

As opposed to an X.509 format, which attests one claim about one subject

57
Q

AD RMS - Template User Rights

A

Full Control, View, Edit, Save, Export (Save As), Print, Forward, Reply, Reply All, Extract, Allow Macros, View Rights, Edit Rights