20414C ENU Trainer Handbook (training document library)


OFFICIAL MICROSOFT LEARNING PRODUCT

20414C
Implementing an Advanced Server Infrastructure

MCT USE ONLY. STUDENT USE PROHIBITED

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2014 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20414C
Part Number: X19-30977
Released: 4/2014

MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which includes the media on which you received it, if any. These license terms also apply to Trainer Content and any updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.
a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time.
b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that
is located at an Authorized Learning Center’s training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content.
f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program.
g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy Program.
i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status.
j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies.
k. “MPN Member” means an active silver or gold-level Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.
m. “Private Training Session” means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.
n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Prerelease course feedback form. To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed Content.

2.1 Below are five separate sets of use rights. Only one set of rights apply to you.

a. If you are a Microsoft IT Academy Program Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either: distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User who is enrolled in the Authorized Training Session, and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or provide one (1) End User with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content, provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training Session that uses a MOC
title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either: distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Authorized Training Session and only immediately prior to the commencement of the Authorized Training Session that is the subject matter of the Microsoft Instructor-Led Courseware provided, or provide one (1) End User attending the Authorized Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or you will provide one (1) Trainer with the unique redemption code and instructions on how they can access one (1) Trainer Content, provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either: distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End User attending the Private Training Session, and only immediately prior to the commencement of the Private Training Session that is the subject matter of the Microsoft Instructor-Led Courseware being provided, or provide one (1) End User who is attending the Private Training Session with the unique redemption code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or you will provide one (1) Trainer who is teaching the Private Training Session with the unique redemption code and instructions on how they can access one (1) Trainer Content, provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid license to the Licensed Content,
iv. you will ensure that each End User attending an Private Training Session has their own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to denote their acceptance of this agreement in a manner that is enforceable under local law prior to their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Private Training Session has their own valid licensed copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User: For each
license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer.
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized Training Session or Private Training Session, and install one (1) additional copy on another Personal Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not install or use a copy of the Trainer Content on a device you do not own or control. You may also print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with instruction of a training session in accordance with the most recent version of the MCT agreement. If you elect to exercise the foregoing rights, you agree to comply with the following: (i) customizations may only be used for teaching Authorized Training Sessions and Private Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of “customize” refers only to changing the order of slides and content, and/or not using all the slides or content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not separate their components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any third parties without the express written permission of Microsoft.

2.4 Third Party Programs and Services. The Licensed Content may contain third party programs or services. These license terms will apply to your use of those third party programs or services, unless other terms accompany those programs and services.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the other provisions in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of the Microsoft technology. The technology may not work the way a final version of the technology will and we may change the technology for the final version. We also may not release a final version. Licensed Content based on the final version of the technology may not contain the same information as the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or through its third party designee, you give to Microsoft without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Microsoft product, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software, technologies, or products to third parties because we include your feedback in them. These rights survive this agreement.
c. Pre-release Term. If you are an Microsoft IT Academy Program Member, Microsoft Learning Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”). Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies of the Licensed Content in your possession or under your control.

4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
- access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,
- alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,
- modify or
create a derivative work of any Licensed Content,
- publicly display, or make the Licensed Content available for others to access or use,
- copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,
- work around any technical limitations in the Licensed Content, or
- reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of this agreement. Upon termination of this agreement for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission received from any third party sites. Microsoft is providing these links to third party sites to you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
- anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and
- claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French.

Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français.

EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. Là où elles sont permises par le droit locale, les garanties
implicites de qualité marchande, d’adéquation un usage particulier et d’absence de contrefaỗon sont exclues LIMITATION DES DOMMAGES-INTẫRấTS ET EXCLUSION DE RESPONSABILITẫ POUR LES DOMMAGES Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement hauteur de 5,00 $ US Vous ne pouvez prétendre aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices Cette limitation concerne:  tout ce qui est relié au le contenu sous licence, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et  les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur MCT USE ONLY STUDENT USE PROHIBITED Elle s’applique également, même si Microsoft connaissait ou devrait conntre l’éventualité d’un tel dommage Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas votre égard EFFET JURIDIQUE Le présent contrat décrit certains droits juridiques Vous pourriez avoir d’autres droits prévus par les lois de votre pays Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas Revised September 2012 To open the Active Directory Rights Management Services console MCT USE ONLY STUDENT USE PROHIBITED L13-136 Implementing an Advanced Server Infrastructure On TREY-DC1, in Server Manager, click Tools, and then click Active Directory Rights Management Services Verify that the Active Directory Rights Management Services console opens without errors Close the Active Directory Rights Management Services console  Task 4: Configure the AD RMS Templates To create a new AD RMS 
rights policy template Switch to LON-DC1 In Server Manager, click Tools, and then click Active Directory Rights Management Services In the Active Directory Rights Management Services console, expand lon-dc1.adatum.com Select and then right-click Rights Policy Templates, and then click Properties Select the Enable export check box, in the Specify templates file location (UNC) box, type \\LONDC1\public, and then click OK In the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy Template Wizard Click Add In the Language box, choose English (United States) In the Name box, type Adatum.com RC In the Description box, type Adatum.com Research Confidential, click Add, and then click Next Click Add, in the The e-mail address of a user or group box, type Managers@adatum.com, and then click OK 10 Select the View check box to grant the Managers@adatum.com group Read access to any document created by using this AD RMS rights policy template 11 Click Add, in the The e-mail address of a user or group box, type research@adatum.com, and then click OK 12 Select the Full Control check box to grant the research@adatum.com group full control access to any document created by using this AD RMS rights policy template 13 Click Finish, and then close the Active Directory Rights Management Services console To enable the automated scheduled task Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd On the Start screen, type Schedule tasks, and then sclick on Schedule tasks item Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client In the top details pane, right-click AD RMS Rights Policy Template Management (Automated), and then click Enable Close Task Scheduler Right-click the Windows Start icon, click Run, in the Run text box, type regedit.exe, and then press Enter Expand the following registry key: 
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common\ MCT USE ONLY STUDENT USE PROHIBITED L13-137 Right-click Common and select New, and then click Key Type DRM, and then press Enter Right-click DRM, click New, and then click Expandable String Value 10 In the Value name box, type AdminTemplatePath, and then press Enter 11 Double-click the AdminTemplatePath registry value, in the Value data box, type %LocalAppData%\Microsoft\DRM\Templates, and then click OK 12 Close Registry Editor 13 In the taskbar, click File Explorer 14 In the This PC console tree, right-click This PC, and then select Properties 15 In the System console tree, select Remote settings 16 In the System Properties window, click Select Users 17 In the Remote Desktop Users window, click Add 18 In the Select Users or Groups window, in the Enter the object names to select text box, type Domain Users, and then click OK three times 19 Sign out of LON-CL1  Task 5: Configure AD RMS Exclusion Policies A Datum has a contract with a management consulting group A Datum has given Toni Poe, a management consultant from that group, office space and an A Datum computer system to perform office work She has an Active Directory Domain Services (AD DS) account, and A Datum has placed her in the Management universal group However, she should not have Read permissions on restricted Research Confidential files to which the Management group has view access To that end, we will create an exclusion policy on the AD RMS cluster for her Create a RAC for Toni Poe On LON-CL1, sign in as Adatum\Toni with the password Pa$$w0rd From the Start screen, click the Desktop tile From the desktop taskbar, click Internet Explorer In the URL bar, type http://lon-dc1.adatum.com Close any pop-up warnings Click the gear icon in the upper-right of the Internet Explorer window, and then click Internet options Click the Security tab, click Local intranet, and then click Sites Click Advanced, in the Add this website to the zone box, type 
http://LON-DC1.adatum.com, and then click Add.
Click Close, and then click OK twice.
10. Close Internet Explorer.
11. Click to the Start screen.
12. On the Start screen, type Word, in the Search area, select Word 2013, and then click Blank document.
13. Click the File tab in the ribbon, on the Info page, click Protect Document, and then click Restrict Access, Connect to Digital Rights Management Servers and get templates. Click Protect Document, click Restrict Access, and then click Restricted Access.
14. In the Permission dialog box, select the Restrict permission to this document check box, and then click OK.
15. Save the document as Text.docx to the local Documents library, close all open windows, and then sign out of LON-CL1.

Exclude Rights Account Certificates

On LON-DC1, in Server Manager, click Tools, and then click Active Directory Rights Management Services.
In the Active Directory Rights Management Services console, expand lon-dc1.adatum.com.
Expand Exclusion policies, and then click Users.
In the Actions pane, click Enable User Exclusion.
In the Actions pane, click Exclude RAC.
On the Add RAC to be excluded page, ensure that Use this option for excluding rights accounts certificates of internal users who have an Active Directory Domain Services account is selected.
In the User Name box, type toni@adatum.com.
Click Finish.
Toni’s email address and public key should now be in the table on the User Exclusion Information page. If the public key is missing, this is because Toni has never consumed information rights. In order to complete this action, Toni must sign in to a client computer, which you just did, and then use a protected document.
Close the Active Directory Rights Management Services console.

Task 6: Validate the internal deployment

To verify the functionality of the AD RMS deployment, you will sign in as Hani Loza, and then restrict permissions on a Microsoft Word document. The
permissions will enable the members of the Management group to read the document but not make changes to it or print or copy it, while members of the Research group will have full control. Then you will sign in as Limor Henig, verifying that only the appropriate permission to read the document has been granted.

Before you can consume rights-protected content, you must add the AD RMS cluster URL to the Local Intranet security zone. Add the AD RMS cluster URL to the Local Intranet security zone for all users who will be consuming rights-protected content.

To add AD RMS cluster to Local Intranet security zone

Sign in to LON-CL1 as Hani (Adatum\Hani) with the password Pa$$w0rd.
Click the Desktop tile.
From the taskbar, click Internet Explorer.
Click Tools (the gear icon in upper right), and then click Internet options.
Click the Security tab, click Local intranet, and then click Sites.
Click Advanced.
In the Add this website to the zone box, type http://LON-DC1.adatum.com, and then click Add.
Click Close.
Click OK twice and then close Internet Explorer.
Sign out of LON-CL1.
10. Repeat steps to for Adatum\Limor.

To restrict permissions on a Microsoft Word document

Sign in to LON-CL1 as Hani with a password of Pa$$w0rd.
On the Start screen, type Word, and then press Enter.
In the Search area, select Word 2013.
In the First things first window, click Use recommended settings, and click Accept.
On the User Account Control pop-up, click No, and on the Microsoft Word pop-up, click OK.
In the Office dialog box, click Next three times, and then click All done.
Select the Blank document template in the Recent page, and on the blank document page, type Managers can read this document, but they cannot change, print, or copy it. Research group members have Full control.
From the File tab, on the Info page, click Protect Document, click Restrict Access, and then click Connect to Digital Rights Management Servers and get templates.
On the Info page, click Protect
Document, click Restrict Access, and then click Restricted Access.
In Permissions, select the Restrict permission to this document check box, and then in the Read box, type Managers@adatum.com.
In the Change box, type research@adatum.com.
Click OK to close the Permission dialog box.
From the File menu, click Save As, click Browse, in the Save As File name text box, type \\LON-DC1\ConfidentialResearch\ADRMS-TST.docx, and then click Save.
Close Microsoft Word, and then sign out of LON-CL1.

To view a rights-protected document

Sign in to LON-CL1 as Limor Henig (ADATUM\limor) with the password Pa$$w0rd.
Click the Desktop tile.
Open File Explorer, and then browse to \\LON-DC1\ConfidentialResearch.
Double-click ADRMS-TST.docx to open it in Microsoft Word 2013.
Repeat the same steps you performed earlier for Hani when opening Word for the first time.
When the document opens, note that the Restricted Access yellow bar shows: Permission is currently restricted. Only specified users can access this content.
Click the File tab. Notice that the Print option is not available.
Close Microsoft Word and sign out of LON-CL1.

Results: You should have a working AD RMS cluster in both the Adatum.com and TreyResearch.net forests. In addition, you should be able to protect Microsoft Office documents with IRM, and see the results of that protection.

Exercise 3: Implementing AD RMS Integration with Dynamic Access Control

Task 1: Enable resource properties

To enable resource properties

On LON-DC1, and from Server Manager, click Tools, click Active Directory Administrative Center, and then in the console tree, switch to Tree View.
Expand Dynamic Access Control, and then select Resource Properties.
In the Display Name column, scroll down to the Impact property.
Right-click Impact, and then click Enable.
In the Display Name column, scroll down to the Personally Identifiable Information property.
Right-click Personally
Identifiable Information, and then click Enable.
To publish the resource properties in the Global Resource List, in the left pane, click Dynamic Access Control, in the details pane, double-click Resource Property Lists, and then double-click Global Resource Property List (expand this window).
Under Resource Properties, click Add, scroll down to and click Impact, and then add Impact to the list by clicking the >> button.
Do the same for Personally Identifiable Information.
Click OK twice to finish.
Note that these resource properties may be in the list already. If so, the OK button may be grayed out. In that case, simply verify they are in the list, and then click Cancel.

Task 2: Create classification rules

This task explains how to create the High Impact classification rule. This rule will search the content of documents, and if it finds the string “Adatum Confidential”, it will classify this document as having high business impact. This classification will override any previously assigned classification of low-business impact. You will also create a High PII rule. This rule searches the content of documents, and if it finds a Social Security number, it classifies the document as having high personally identifiable information (PII).

Create the high-impact classification rule

Sign in to LON-SVR1 by using Adatum\Administrator with the password Pa$$w0rd.
On the taskbar, click File Explorer.
In File Explorer, in the console tree, expand This PC, and then click Local Disk (C:).
Right-click Research Documents, and then select Share with and then click Specific People.
In the blank text box, click the drop-down list box arrow, select Everyone, and then click Add.
In the Everyone entry, click the drop-down list box arrow by Read and change to Read/Write.
Click the Share button, and then click Done.
Close File Explorer.
Maximize Server Manager, if it is not maximized already.
In Server Manager, click Add roles and features.
Click Next three times until you reach the Select server roles page.
Expand File And Storage Services (Installed) and expand File And iSCSI Services (Installed).
Select the check box next to File Server Resource Manager.
Click Add Features, click Next two times, and then click Install.
When the installation is finished, click Close.
10. You need to refresh the Global Resource Properties from Active Directory. Open Windows PowerShell®, type the following cmdlet at the command prompt, and then press Enter:
Update-FSRMClassificationPropertyDefinition
11. Close Windows PowerShell.
12. In Server Manager, click Tools, and then click File Server Resource Manager.
13. In the left pane of File Server Resource Manager, expand Classification Management, and then select Classification Rules. In the Actions pane, click Configure Classification Schedule. On the Automatic Classification tab, select Enable fixed schedule, select Sunday, and then select the Allow continuous classification for new files check box. Click OK.
14. In the Classification Rules node, in the Actions pane, click Create Classification Rule. This opens the Create Classification Rule dialog box.
15. In the Rule name box, type High Business Impact.
16. In the Description box, type Determines if the document has a high business impact based on the presence of the string “Adatum Confidential”.
17. On the Scope tab, click Set Folder Management Properties, select Folder Usage, click Add, click Browse, browse to C:\Research Documents, and then click OK.
18. Under Value, select the Group Files check box, click OK, and then click Close.
19. On the Scope tab, select Group Files.
20. Click the Classification tab. Under Choose a method to assign the property to files, select Content Classifier from the drop-down list box.
21. Under Choose a property to assign to files, select Impact from the drop-down list box.
22. Under Specify a value, select High from the drop-down list box.
23. Under Parameters, click Configure. In the Classification Parameters dialog box, in the Expression
Type list, select String. In the Expression box, type Adatum Confidential, and then click OK.
24. Click the Evaluation Type tab. Click Re-evaluate existing property values, click Overwrite the existing value, and then click OK to finish.

To create the high-PII classification rule

25. In the left pane of File Server Resource Manager, expand Classification Management, and then click Classification Rules.
26. In the Actions pane, click Create Classification Rule.
27. In the Rule name box, type High PII. In the Description box, type Determines if the document has a high PII based on the presence of a Social Security Number.
28. Click the Scope tab, and then select the Group Files check box. The C:\Research Documents folder should show as included in the scope.
29. Click the Classification tab. Under Choose a method to assign the property to files, select Content Classifier from the drop-down list box.
30. Under Choose a property to assign to files, select Personally Identifiable Information from the drop-down list box.
31. Under Specify a value, select High from the drop-down list box.
32. Under Parameters, click Configure. In the Classification Parameters window, in the Expression Type list, select Regular Expression. In the Expression box, type the following expression without including any line breaks, and then click OK:
^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$
Note: This expression will allow invalid social security numbers. This allows us to use fictitious social security numbers in the lab.
33. Click the Evaluation Type tab. Select Re-evaluate existing property values, overwrite the existing value, and then click OK to finish.
34. You should now have two classification rules:
• High Business Impact
• High PII

Task 3: Automatically protect documents with AD RMS

Now that you have created rules to classify documents automatically based on content, you must create a file
management task that uses AD RMS to protect certain documents automatically based on their classification. In this step, you will create a file management task that protects any documents with a high PII automatically. Only members of the Research group will have access to documents that contain high PII.

To add LON-DC1 to the Local Intranet security zone on LON-SVR1

On LON-SVR1, click to the Start screen, and then click Internet Explorer.
Click Tools (the gear icon in the upper right), and then click Internet options.
Click the Security tab, click Local intranet, and then click Sites.
Click Advanced.
In the Add this website to the zone box, type http://LON-DC1.adatum.com, and then click Add.
Click Close.
Click OK twice, and then close Internet Explorer.

To protect documents with AD RMS

In File Server Resource Manager, in the left pane, select File Management Tasks.
In the Actions pane, select Create File Management Task.
In the Task name field, type High PII.
In the Description field, type Automatic RMS protection for high PII documents.
Click the Scope tab, and then select the Group Files check box. The C:\Research Documents location should show as being part of the scope.
Click the Action tab.
Under Type, select RMS Encryption.
Select the Adatum.com RC template.
Click the Condition tab, and then click Add.
Under Property, select Personally Identifiable Information.
Under Operator, select Equal.
Under Value, select High.
Click OK.
Click the Schedule tab.
In the Schedule section, click Weekly, and then select Sunday. Running the task once a week will ensure that you catch any documents that may have been missed due to a service outage or other disruptive event.
In the Continuous operation section, select Run continuously on new files, and then click OK.
You should now have a file management task named High PII.

Task 4: Verify the deployment

On LON-SVR1, open File Explorer, and then navigate to C:\Research Documents.
Right-click the Finance Memo
document, click Properties, click the Classification tab, and then notice that both properties currently have no value.
Click Cancel.
Right-click the Request for Approval to Hire document, and then select Properties.
Click the Classification tab, and notice that both properties currently have no value.
Click Cancel.
Switch to LON-CL1, and sign in as Adatum\Hani with the password Pa$$w0rd.
From the desktop, click the File Explorer icon in the taskbar, and in the URL text area, type \\LON-SVR1\Research Documents, and then press Enter.
Open the Finance Memo document.
Type Adatum Confidential, and then press Enter twice.
Save the document, and then close Microsoft Word.
Open the Request for Approval to Hire document.
Type Social Security #:, press Enter, on a new line, type 777-77-7777, and then press Enter twice. This must be on a new line for Dynamic Access Control to notice the expression quickly.
Save the document, and then close Microsoft Word.
Switch to LON-SVR1.
In File Explorer, navigate to C:\Research Documents.
10. Right-click Finance Memo, and click Properties. Click the Classification tab. Notice that the Impact property is now set to High. Click Cancel.
11. Right-click the Request for Approval to Hire document, and then click Properties.
12. Click the Classification tab. Notice that the Personally Identifiable Information property is now set to High. Click Cancel.
13. If either of the properties in step 11 or step 12 is not set properly, open the File Server Resource Manager, and then select File Management Tasks. Select High PII in the details pane, and in the Actions pane, click Run File Management Task Now. In the message box, select Run task in Background, and then click OK. The Run File Management Task item will be grayed out. After a few moments, it will be plain text again, indicating the management task is finished. Repeat steps through 12 above.
14. On all machines except LON-DC1, close all open windows, and then sign out.

Results: You should have applied Dynamic Access Control
classification rules to IRM-protected content.

Exercise 4: Implementing AD RMS Integration for External Users

Task 1: Export the trusted user domain policy

Export a trusted user domain

On LON-DC1, from Server Manager, click Tools, and then click Active Directory Rights Management Services.
In the console tree, expand lon-dc1.adatum.com, expand Trust Policies, and then click Trusted User Domains.
In the Actions pane, click Export Trusted User Domain. The Export Trusted User Domain As dialog box opens.
In the File name box, type C:\ADRMS_LON-DC1_LicensorCert.bin.
Click Save to save the file with the name and location that you specified.
Repeat steps to on TREY-DC1, but use the name C:\ADRMS_TREY-DC1_LicensorCert.bin for the bin file.

Task 2: Export the trusted publishing domain policy

Export a trusted publishing domain policy

On LON-DC1, from Server Manager, click Tools, and then click Active Directory Rights Management Services.
In the console tree, expand lon-dc1.adatum.com, expand Trust Policies, and then click Trusted Publishing Domains.
In the results pane, select LON-DC1, and then in the Actions pane, click Export Trusted Publishing Domain.
In the Export Trusted Publishing domain dialog box, click Save As, and then type C:\AdatumTrustedPubDomain.xml.
Click Save.
In the Password and Confirm password boxes, type Pa$$w0rd.
Click Finish to create the trusted publishing domain file.
Repeat steps to on TREY-DC1 by using the file name C:\TreyTrustedPubDomain.xml with the password Pa$$word.

Task 3: Import the trusted user domain policy from the partner domain

On LON-DC1, in Server Manager, click Tools, and in the drop-down list box, click DNS.
Expand LON-DC1, select and right-click Conditional Forwarders, and then click New Conditional Forwarder.
Under DNS Domain, type TreyResearch.net.
In the IP addresses of the master servers box, type 172.16.10.10.
Press Enter, and then click OK.
Close DNS
Manager.
On TREY-DC1, repeat steps and Use the DNS domain Adatum.com and set the IP Address of the master servers as 172.16.0.10.
On LON-DC1, open the Active Directory Rights Management Services console, and then expand lon-dc1.adatum.com.
In the console tree, expand Trust Policies, and then click Trusted User Domains.
In the Actions pane, click Import Trusted User Domain.
In the Trusted user domain file box, type \\TREY-DC1\C$\ADRMS_TREY-DC1_LicensorCert.bin.
In the Display name box, type TreyResearch.
Click Finish.
Repeat steps to on TREY-DC1, replacing the file name above with \\LON-DC1\C$\ADRMS_LON-DC1_LicensorCert.bin and Display name with Adatum.

Task 4: Import the trusted publishing domains policy from the partner domain

Add a trusted publishing domain

On LON-DC1, open the Active Directory Rights Management Services console and expand lon-dc1.adatum.com.
In the console tree, expand Trust Policies, and then click Trusted Publishing Domains.
In the Actions pane, click Import Trusted Publishing Domain.
In the Trusted Publishing Domain file box, type \\TREY-DC1\c$\TreyTrustedPubDomain.xml.
Type Pa$$w0rd in the Password box.
In the Display name box, type TreyResearch Domain.
Click Finish.
Repeat steps to on TREY-DC1 by using the file name \\LON-DC1\C$\AdatumTrustedPubDomain.xml and a Display name of Adatum Domain.

Task 5: Configure anonymous access to the AD RMS licensing server

Switch to LON-DC1.
In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager. If the Internet Information Services (IIS) Manager message box appears, click Cancel.
In Internet Information Services (IIS) Manager, expand LON-DC1\Sites\Default Web Site\_wmcs.
Right-click licensing, and then click Switch to Content View.
Right-click license.asmx, and then click Switch to Features View.
Double-click Authentication, click Anonymous Authentication, and then in the Actions pane, click Enable.
Click Windows Authentication, and then click Disable.
Right-click licensing, and then click Switch to Content View.
Right-click ServiceLocator.asmx, and then click Switch to Features View.
10. Double-click Authentication, click Anonymous Authentication, and then in the Actions pane, click Enable.
11. Click Windows Authentication, and then click Disable.
12. Close Internet Information Services (IIS) Manager.

Task 6: Verify user access to the protected document

Sign in to LON-CL1 as user Adatum\Hani with the password Pa$$w0rd.
From the Start screen, type \\LON-DC1\ConfidentialResearch, and then press Enter.
Double-click ADRMS-TST.docx.
On the Restricted Access yellow bar, click Change Permission.
In the box next to the Read permission, place a semicolon after Managers@adatum.com, and then add liberty@treyresearch.net.
Click OK.
Save the ADRMS-TST.docx file, close Microsoft Word, and then sign out of LON-CL1.
Switch to LON-DC1, and then open File Explorer.
Copy the ADRMS-TST.docx file from C:\ConfidentialReseach to \\TREY-DC1\Public.
Sign in to TREY-CL1 as user TreyResearch\Liberty with the password Pa$$w0rd.
Click the Desktop tile.
10. From the taskbar, click Internet Explorer.
11. Click Tools (the gear icon in upper right), and then click Internet options.
12. Click the Security tab, click Local intranet, and then click Sites.
13. Click Advanced.
14. In the Add this website to the zone box, type http://TREY-DC1.TreyResearch.net, and then click Add. Click Close.
15. Click OK twice and then close Internet Explorer.
16. From the Start screen, type \\TREY-DC1\Public, and then press Enter.
17. Double-click the ADRMS-TST.docx file.
18. An Active Directory Rights Management Services pop-up window will appear that says, “To create and consume content with restricted access…” Click OK.
19. Repeat the First things first and Office first time steps you used previously to open the document. In the document, in the yellow Restricted Access bar, click View Permission.
Note: The
permission for Liberty@treyresearch.net is what Hani Loza assigned previously.
20. Click OK.
21. Close all windows, and sign out of all virtual machines.

Task 7: To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
On the host computer, start Hyper-V® Manager.
In the Virtual Machines list, right-click 20414C-LON-DC1, and then click Revert.
In the Revert Virtual Machine dialog box, click Revert.
Repeat steps and for 20414C-LON-SVR1, 20414C-LON-CL1, 20414C-TREY-DC1, and 20414C-TREY-CL1.

Results: You should have both a working trusted user and trusted publishing domain policy between the Adatum.com and TreyResearch.net forests. In addition, you should be able to protect Microsoft Office documents with IRM for external users across the domains.
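
The High PII rule in Exercise 3, Task 2 depends on the anchored regular expression typed there, and Task 4 requires 777-77-7777 to sit on a line of its own. The following PowerShell is an added example, not part of the lab: it runs that expression over constructed sample lines to show what the pattern accepts and why surrounding text or CRLF line endings change the result. It assumes .NET regex semantics with the Multiline option; Test-PiiText and the sample values are hypothetical, and how FSRM itself feeds file content to the expression is not stated in the lab.

```powershell
# Added example, not part of the lab: run the High PII expression over constructed lines.
# Assumption: .NET regex semantics with ^ and $ bound to line boundaries (Multiline).
$pattern  = '^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$'
$options  = [System.Text.RegularExpressions.RegexOptions]::Multiline
$piiRegex = New-Object System.Text.RegularExpressions.Regex -ArgumentList $pattern, $options

function Test-PiiText {
    # Hypothetical helper: returns $true when any line of $Text matches the expression.
    # The text is split on CRLF or LF first, because in .NET '$' matches only at the
    # end of input or before "\n", so a line ending in "\r\n" does not match as a whole.
    param([string]$Text)
    foreach ($line in ($Text -split '\r?\n')) {
        if ($piiRegex.IsMatch($line)) { return $true }
    }
    return $false
}

# Constructed sample values; none is a real identifier.
$samples = @(
    @{ Line = '777-77-7777';      Expected = $true;  Reason = 'value typed in Task 4' }
    @{ Line = '777 77 7777';      Expected = $true;  Reason = 'spaces used for both separators' }
    @{ Line = '777777777';        Expected = $true;  Reason = 'no separators' }
    @{ Line = '777-77 7777';      Expected = $false; Reason = 'second separator differs from the first (\3)' }
    @{ Line = '000-12-3456';      Expected = $false; Reason = 'first group is 000' }
    @{ Line = '123-00-4567';      Expected = $false; Reason = 'second group is 00' }
    @{ Line = '123-45-0000';      Expected = $false; Reason = 'last group is 0000' }
    @{ Line = '812-34-5678';      Expected = $false; Reason = 'first digit above 7' }
    @{ Line = 'SSN: 777-77-7777'; Expected = $false; Reason = 'other text on the same line (^ anchor)' }
)

# Compare what the pattern does with what each sample is meant to show.
$samples | ForEach-Object {
    [pscustomobject]@{
        Line     = $_.Line
        Expected = $_.Expected
        Actual   = (Test-PiiText $_.Line)
        Reason   = $_.Reason
    }
} | Format-Table -AutoSize

# Constructed two-line document with Windows (CRLF) line endings.
$crlfDoc = "Social Security #:`r`n777-77-7777`r`n"
'Whole-text IsMatch on CRLF input : {0}' -f $piiRegex.IsMatch($crlfDoc)
'Line-by-line test on CRLF input  : {0}' -f (Test-PiiText $crlfDoc)
```

Running the same table against a candidate replacement pattern before changing the classification rule shows which documents would gain or lose the High PII value.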
