Upgrading Domain Controllers to Windows Server 2008 / 2008 R2

Upgrading Domain Controllers to Windows Server 2008 / 2008 R2

Active Directory is named as ADDS (Active Directory Domain Service) in Windows Server 2008. Actually; ADDS is a directory service for authentication, authorizations and centralized management capabilities. It is also has full integration with thousands of applications.

Active Directory services was lunched with Windows Server 2000.

Most of the still running the Active Directory Service with Windows Server 2000 / 2003. Because of a lot of changes and features enhancement into windows server 2008, Every company is now looking to upgrade the infrastructure to ADDS with Windows Server 2008 / 2008 R2.

Upgrading the existing Active Directory infrastructure is too difficult but it requires full understating of ADDS upgrade procedure otherwise it could cause problem to the existing infra.

We have 3 ways to upgrade the active directory from windows server 2003 to server 2008 / 2008 R2. The easiest and the best way to upgrade the Active Directory is "In-place Upgrade".

In an in-place upgrade process, the existing domain controllers are directly upgraded to Windows Server 2008  / 2008 R2. Before you decide to upgrade the existing infrastructure to Windows Server 2008 / 2008 R2, you must ensure the the source / existing networking must have the domain controller running on Windows server 2003.

Note :- You can not directly upgrade your company infrastructure from 2000 server to Windows Server 2008 / R2. The following are the possibilities to upgrade your domain controllers to Server 2008 / 2008 R2.

Windows Server 2003 --- Windows Server 2008

Windows Server 2003 --- Windows Server 2008 R2

Consider the following point for Upgrading ADDS to Server 2008 / 2008 R2.

• Supported Hardware and applications
• Domain Controller Recovery Plan

Before you upgrade your Domain Controllers to Windows Server 2008 / 2008 R2, you must prepare your forest and domain for the new changes.

Adprep.exe tool is used to prepare your older versions of windows to have updated schema version. This table is providing the correct version of schema in windows Server.

Windows 2000          13

Windows 2003          30

Windows 2003 R2     31

Windows 2008          44

Windows 2008 R2     47

Adprep tool is available for both 32bit and 64 bit. This tool is pre-loaded in disk of Windows Server 2008 / 2008 R2 under \support\adprep folder.

Lets consider, You have a domain controller Serve1 for the domain itmaverick.com running on 2003 (X64). You need to upgrade this server to Windows Server 2008.

So, Insert the disc of Windows Server 2008 into the DVD-Drive and open the Command Prompt.

Access the CD ROM Drive (Consider D:) and put the following set of commands.

D:\> cd support\adprep

D:\support\adprep> Adprep /forestprep

D:\support\adprep> Adprep /domainprep

D:\support\adprep> Adprep /domainprep /gpprep

D:\support\adprep> Adprep /rodcprep

by executing this commands, you successively prepare your Forest, domain and Group Policy to upgrade to Windows Server 2008 / 2008 R2.

Now open My Computer and Auto play the CD. A dialog box will be appear on the screen; where you need to click Install Now.

Choose your language

 Type the valid activation keys that you can find on the computer of inside the windows package.

 You need to accept the license terms

Select the right editions of Windows Server 2008 / 2008 R2 which suits your company requirement / for that you have valid product keys.

 Simply choose Upgrade

You system will check compatibility for all those applications which have been installed by you on Windows Server 2003. If compatibility checker founds any miss compatible application on your current Operating System which would not available to use after upgrading your system to Windows Server 2008 by showing you the compatibility report. Click Close; if you want to proceed to upgrade your domain Controller to Sever 2008 / 2008 R2.

Now it will continue to to upgrade to Windows Server 2008 / 2008 R2. This can take several minutes / hours to finish it. In between of up gradation; you system will restart many time (2-3); but you do not need to do any thing in that case. Simple leave the machine to upgrade itself for new Domain Controller running on Windows Server 2008 / 2008 R2.

So; finally you have upgraded your company's Domain Controller to Windows Server 2008 / 2008 R2 by using (In-place upgrade method)

Installing, Configuring & Managing AD-RMS

                 Demonstration :           Installing AD-RMS

Okay, let’s go for the demonstration of installing first AD-RMS Cluster in Single Active Directory Forest. In this lab setup, I have 4 workstations,

1.       Test-DC as Domain Controller named as (itmaverick.com)

2.       Test-RMS (member of domain itmaverick.com)

3.       Test-Client1 (member of domain itmaverick.com)

4.       Test-Client2 (member of domain itmaverick.com)

Network Setup Diagram for AD-RMS

All right; I have already setup my domain controller as itmaverick.com and joined all rest 3 workstations Test-RMS, Test-Client1 and Test-Client2 to the domain itmaverick.com

First of all, create a user account in your active directory named as rms-svc. This user account will be use as “Service Account” for AD-RMS.

Switch to workstation Test-RMS where you will install the role of AD-RMS.

So, Click on Start menu and point to Administrative tools and finally let me click on Server Manager.

Under the console of Server Manger; you have options to install roles and remove roles. Click Add Roles.

On the Before You Begin page, click Next.

On the Select Server Roles page, select the Active Directory Rights Management Services check box.

When prompted, click Add Required Role Services, and then click Next and Click Next twice.

On the Create or Join an AD RMS Cluster page, select Create a new AD RMS cluster, and then clickNext.

On the Select Configuration Database page, select Use Windows Internal Database on this server, and then click Next because you may not have External Database (SQL), you can use Internal Database.

On the Specify Service Account page, click Specify, type ITMAVERICK\rms-svc, type Pa$$w0rd for the password, click OK to provide a domain user account for the AD-RMS service account, and then click Next.

On the Configure AD RMS Cluster Key Storage page, select Use AD RMS centrally managed key storage, and then click Next.

On the Specify AD RMS Cluster Key Password page, type Pa$$w0rd as the AD RMS cluster key password, and then click Next.

On the Select AD RMS Cluster Web Site page, ensure that Default Web Site is selected, and then click Next.

On the Specify Cluster Address page, in the Internal Address box, type test-rms.itmaverick.com, selectUse an unencrypted connection (http://), click Validate, and then click Next.

On the Name the Server Licensor Certificate page, in the Name box, type IT Maverick, and then clickNext.

On the Register AD RMS Service Connection Point page, ensure that Register the AD RMS service connection point now is selected, and then click Next three times.

On the Confirm Installation Selections page, view the informational messages, and then click Install to complete the installation.

After the installation is complete, click Close, and then log off from server and re-login as Tes\Administrator.

Congrates!!! We have successfully install AD-RMS server in our infrastructure.

So; it’s time to work with AD-RMS Server

To test; your AD-RMS Server Setup, you must have 2 users and 2 computers. So such to Test-Clent1 machine where you need to logon as user1 (Shivajee). Once you logon to machine, Quickly open MS Word 2007. Here you need to create a document that can be save on your local drives or on the shared storage over a file server.

Now you need to encrypt this document through my RMS sever. To do so, click on “Office Button” and point to prepare restricted permissions and finally click Restricted Access. Now this is going to contact to RMSServer and will configure it.

Now click on”Restrict permission to this document” and type hardik@itmaverick.com in read text box. Finally; save and close this document.

Let’s try to open this document “confidential.docx” from Test-Client2 as user “hardik”. See this document is read only for the user Hardik and he is not able to edit it that’s that expected behavior on this document Read-only.

AD RMS Certificates and Licenses

                                   AD RMS Certificates and Licenses

The AD RMS components use certificates and licenses to establish identity and allow clients to work with protected content. The following list shows certificates and licenses that AD RMS uses:

• Server Licensor Certificate: This is the certificate created when the AD RMS Server Cluster is initially created. This certificate signs all of the licenses and certificates granted by the cluster. It contains the public key of the server and can be exported to establish a trust with other AD RMS cluster.

• Machine certificate: On each client computer, the first time an AD RMS-enabled application is used, a machine certificate is created. The machine certificate contains the public key of the client computer.

• Rights Account Certificate: When a user first attempts to consume protected content, the AD RMSclient obtains a rights account certificate (RAC) from the AD RMS cluster. By default, a standard RAC is valid for 365 days.

• Client licensor certificate: The client licensor certificate (CLC) is obtained by the client computer while it is connected to the corporate network where the AD RMS cluster resides. It gives the user the right to publish protected content when not connected to the corporate network.

• Publishing license: When an AD RMS client saves rights-protected content, a publishing license is created. The license contains the authorized users that can view the content, the conditions attached to the content (for example, requiring a connection to verify a user’s permission upon opening), and the actual rights that the authorized users have to the content (Read only or ability to print are some examples).

• Used license: The used license contains the rights that apply to the protected content. The license relies on the RAC being present. If the RAC is not present, the used license does not open the protected content.

How AD-RMS works

This is always a pin point for IT Administrators; how this AD-RMS works? So, Here I am going to explain the work-flow of AD-RMS.

1. When the author initially protects content, the AD RMS cluster issues a RAC and a client licensor certificate (CLC). This establishes the author’s AD RMS credentials. The author can now publish secure information offline.

2. The author creates a file and specifies usage rights and conditions by using an AD RMS–enabled application. A publishing license that contains the usage policies is generated. The publishing license is tied to the protected file.

3. The application encrypts the file with a symmetric key, which is encrypted by the public key of the ADRMS cluster. The key is inserted into the publishing license and the publishing license is bound to the file.

4. The author distributes the file. Some distribution methods are email, SharePoint document libraries, and file servers.

5. A recipient obtains the protected file and opens it by using an AD RMS–enabled application. If the recipient does not have a RAC on the current computer, a RAC is issued from the AD RMS cluster.

6. The application requests a used license. This request is sent to the AD RMS cluster that issued the publishing license for the secured information.

7. The AD RMS cluster confirms that the recipient is authorized, checks that the recipient is a named user, and creates a used license. The server decrypts the symmetric key by using the private key of the server, re-encrypts the symmetric key by using the public key of the recipient, and then adds the encrypted symmetric key to the used license. The used license also includes the content expiration (if applicable).

8. After the confirmation is complete, the licensing server returns the used license to the recipient’s client computer. Deploying and Configuring Active Directory Rights Management Services 6-9

9. After receiving the used license, the application verifies the license and the account certificate of the recipient. This helps determine whether any certificate, in either chain of trust, requires a revocation list. If required, the application checks for a local copy of the revocation list that has not expired. If required, it retrieves a current copy of the revocation list. The application then applies any relevant revocation conditions in the current context. If the revocation conditions allow access to the file, the application renders the data. Users can then apply their granted rights.

AD-RMS (Active Directory Right Management Services)-- Introduction

Okay let me explain “What is AD-RMS (Active Directory Right Management Services)?

All right; AD-RMS is server role in Windows Server 2008 which helps you to protect your digital information from unauthorized use. It establishes the identity of users and provides authorized users with licenses for that protected information.

AD RMS includes email message protection, rights enforcement, and content protection in your word documents, spreadsheets and presentations.

Let me take an example, here I have a document where I want user1 to have read only access to this document and user2 need read and print access. There is one more user (User3) who needs read, write and print permissions. So to achieve this goal for the protection of this document; I can use AD-RMS(Active Directory Right Management Services)

                                                           AD-RMS Components

AD-RMS has several components that work together to provide a comprehensive information rights management (IRM) solution.

Component	What does it do?
AD RMS  Server Cluster	It is used for AD RMS administration and configuration and handles all of the major AD RMS functions, including licensing, publishing, account certification, and recovery. There is a limit of one AD RMSCertification Server Cluster per AD DS forest.
AD RMS  Licensing-only Cluster	It is used to segment the AD RMS templates. With a single ADRMS Certification Server Cluster, all templates are shared among all users. By deploying a Licensing-only Cluster, templates can be created for use by a specific group of users such as the Legal department of the executive management team. It offers better separation and resource tracking when the AD RMSdeployment includes business partners.
SQL Database	The AD RMS database stores the configuration and log data. A Windows Internal Database can be used in place of SQL but it is not supported in a production environment.
AD DS	AD DS is an AD RMS prerequisite and is used to store users and groups used within AD RMS. Clients query AD DS for the service connection point (SCP) to discover registered AD RMS services.
AD RMS Client	The client, which comes built-in to Windows Vista®, Windows® 7 and Windows Server® 2008, is a free download for earlier Windows versions. There is also an add-on client for Internet Explorer. It serves as the client component and interacts with the AD RMSCertificate Server Cluster to encrypt and decrypt data.