How To Configure AD RMS In Windows Server 2016

Active Directory Rights Management Services (AD RMS) is a service that protects sensitive and intellectual documents of an organization from the unauthorized users. One of the major advantages of using AD RMS over other security features such as NTFS permission is that AD RMS permission travels along with the documents. Does not matter how and where you copy or move the documents. In this post, we will see how to install and configure AD RMS in Windows Server 2016.

In order to install and configure AD RMS in Windows Server 2016, you need to perform the following high-level steps:

1. Preparing AD RMS server.
2. Installing the AD RMS server role.
3. Creating an AD RMS Cluster.
4. Configuring the AD RMS templates.
5. Testing and verifying AD RMS Configuration.

Preparing AD RMS Server

For the successful AD RMS deployment, first, you need to make sure that you fulfill all the AD RMS prerequisites. For this, first, you need to perform the following steps:

1. On DC1, create a user named ADRMSSRVC that will be used as AD RMS service account.
2. Add this account in to the member list of the Domain Admins group. Refer the following figure.
3. Now, create the following Active Directory objects:
   • Create an OU named Sales and create Peter user under it.
   • Create one more OU named Finance and create Shawn user under it.
4. When you make the users, ensure that you also set the email addresses for the respective user accounts. For example, set [email protected] email account for Peter user and [email protected] for Shawn user. Refer the following figure.
5. Now, create a shared folder named Secret that will be used as Shared Distribution Point (SDP).
6. Right-click Secret and navigate to Share with Specific people to share this folder.
7. On the File Sharing dialog box, type Peter, and then click Add.
8. Set the permission level as Read/Write.
9. Using the same steps, also set the Read/Write permission for the ADRMSSRVC user account.

Installing AD RMS in Windows Server 2016

In order to install the Active Directory Rights Management Services (AD RMS) role, you need to perform the following steps:

1. On DC1, using the Server Manager console, launch the Add Roles and Features Wizard.
2. Click Next and accept the default selections till the Select server roles page displays.
3. Select the Active Directory Right Management Services role and click Next.
4. Click Next and navigate to the Select role services page.
5. Ensure that Active Directory Management Server option is selected and then click Next to proceed.
6. Finally, click Install and complete the installation process.

Creating an AD RMS Cluster

After installing AD RMS server role, the next task is to create a new AD RMS cluster. For this, you need to perform the following steps:

1. On the Server Manager console, click the Notifications icon, and then click Perform additional configuration.
2. On the Configuration required for Active Directory Rights Management Services page, click Next.
3. On the AD RMS Cluster page, ensure that the Create a new AD RMS root cluster radio button is selected, and then click Next.
4. On the Configuration Database page, select the Use Windows Internal Database on this server option, and then click Next. Alternatively, you can also specify the SQL server database, if already configured.
5. On the Service Account page, click Specify to specify the ADRMS Service account that is mcsalab\adrmssrvc and click Next to proceed.
6. Accept the default selections till the AD RMS Cluster Key Password page. Specify a cluster key password and click Next to proceed.
7. On the Cluster Web Site page, accept the default selection, and then click Next.
8. On the Specify Cluster Address page, select the Use an unencrypted connection (http://) radio button, specify DC1.MCSALAB.LOCAL as FQDN name and click Next to proceed.
9. On the Licensor Certificate page, accept the default name, and then click Next.
10. On the SCP Registration page, accept the default selection, and then click Next.
11. On the Confirmation page, review all the options you have chosen. Click Previous to make the changes.
12. Finally, click Install and complete the installation process.
13. Ensure that installation process is completed without any error.
14. Now, Sign off to Administrator and Sign in to as MCSALAB\adrmssrvc user account.
15. Open the Active Directory Rights Management Services console using the Server Manager console. Verify that there is no error display.

Configure AD RMS in Windows Server 2016

Once you installed the AD RMS server role, the next step is to configure AD RMS templates. For this, you need to perform the following steps:

1. On the Active Directory Rights Management Services console, expand dc1.mcsalab.local, select and right-click Rights Policy Templates, and then select Properties.
2. Select the Enable export check box, type the path of SDP that is \\dc1.mcsalab.local\secret and then click OK.
3. Click Create distributed rights policy template to create the distributed rights policy template.
4. On the Add New Template Identification Information page, click Add.
5. Specify template name and description, click Add, and then click Next to proceed.
6. On the Add User Rights page, click Add. Type email of Peter user in The e-mail address of a user or group text box, and then click OK.
7. Using the same steps, add Shawn user account, assign the View permission, and proceed to Next.
8. On the Expiration Policy page, set the desired expiry date for this template and click Next to proceed.
9. On the Specify Extended Policy page, click Next.
10. On the Specify Revocation Policy page, click Finish.
11. Close the Active Directory Rights Management Services console.

Verifying AD RMS Client

Now, you have successfully configured AD RMS, the next step is to verify your AD RMS configuration. In order to verify the AD RMS configuration, you need to perform the following steps:

1. Switch and sign in to CLIENT1 as MCSALAB\Peter.
2. Open the Internet options, click the Security tab, click Local intranet, and then click Sites.
3. Click Advanced, type http://DC1.MCSALAB.LOCAL in the Add this website to the zone and then click Add.
4. Open a blank Word 2013 document and then type a descriptive message in the document.
5. Click Protect Document using the File tab and navigate to Restrict AccessRestricted Access > Connect to Rights Management Services.
6. Select the Restrict permission to this document check box in the Permission dialog box, and then type [email protected] in the Read text box.
7. Type [email protected] in the Change text box.
8. Click OK to close the Permission dialog box.
9. Click Save As from the File menu, and then save the file as \\DC1\Secret\ADRMS_Test.docx. You can notice that Peter user can make changes.
10. Switch user as MCSALAB\Shawn and open File Explorer, and then browse to \\DC1\Secret.
11. Try to open the ADRMS_Test.docx file. Notice the message that displays.
12. Click View Permission and verify that Shawn user has the view permission.
13. Click the File tab and notice that the Print option is not available.

In this article, we have learned how to install and configure AD RMS in Windows Server 2016. Drop your queries, suggestions, feedback in the comment box.