Microsoft Windows Server 2008 R2 - AD RMS In A Resource Forest End to End Solution Whitepaper


AD RMS in a Resource Forest – End-to-End Solution

Microsoft Corporation

Published: January 2010

Author: Bill Mathers

Editor: John Andrilla

Acknowledgements

Special thanks to the following people for reviewing and providing invaluable feedback for this

document:

Tao Wu, Microsoft Corporation.

Uwe Wizovsky, Microsoft Corporation.

Kevin Miller, Microsoft Corporation.

Jason Tyler, Microsoft Corporation.

Abstract

This document will assist architects, consultants, system engineers, and system administrators in deploying Active Directory Rights Management Services (AD RMS) in a resource forest topology.


Copyright

The information contained in this document represents the current view of Microsoft Corporation

on the issues discussed as of the date of publication. Because Microsoft must respond to

changing market conditions, it should not be interpreted to be a commitment on the part of

Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the

date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,

EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the

rights under copyright, no part of this document may be reproduced, stored in or introduced into a

retrieval system, or transmitted in any form or by any means (electronic, mechanical,

photocopying, recording, or otherwise), or for any purpose, without the express written permission

of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual

property rights covering subject matter in this document. Except as expressly provided in any

written license agreement from Microsoft, the furnishing of this document does not give you any

license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail

addresses, logos, people, places and events depicted herein are fictitious, and no association

with any real company, organization, product, domain name, e-mail address, logo, person, place

or event is intended or should be inferred.

© 2009 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either

registered trademarks or trademarks of Microsoft Corporation in the United States and/or other

countries.

The names of actual companies and products mentioned herein may be the trademarks of their

respective owners.


Contents

AD RMS Deployment in a Resource Forest Step-by-Step Guide...................................................9

What This Guide Does Not Provide.......................................................................................10

Scenario Overview........................................................................................................................ 11

Prerequisites for AD RMS Deployment in a Resource Forest.......................................................15

See Also.................................................................................................................................... 16

Limitations of This Deployment Design.........................................................................................16

Implementing the Procedures in this Document...........................................................................18

See Also.................................................................................................................................... 18

Step 1 - Create AccountsForestUsers Organizational Unit...........................................................19

Creating the AccountsForestUsers organizational unit..............................................................19

Step 2 - Create ResourceForestUsers Organizational Unit..........................................................19

Creating the ResourceForestUsers organizational unit.............................................................19

See Also.................................................................................................................................... 20

Step 3 - Create Test Users in Accounts Forest.............................................................................20

Create the Test Users................................................................................................................20

Add Employee ID to Test Users.................................................................................................21

See Also.................................................................................................................................... 21

Step 4 - Create Test Users in Resource Forest............................................................................22

Create the Test Users................................................................................................................22

Add Employee ID to Test Users.................................................................................................23

See Also.................................................................................................................................... 24

Step 5 - Create Test Groups in Resource Forest..........................................................................24

Create the Test Groups.............................................................................................................24

See Also.................................................................................................................................... 26

Step 6 - Extend ILM Metaverse Schema......................................................................................26

Extending the ILM 2007 FP 1 schema.......................................................................................26

See Also.................................................................................................................................... 26

Step 7 - Create Accounts Forest Management Agent...................................................................27

See Also.................................................................................................................................... 29

Step 8 - Create Resource Forest Management Agent..................................................................29


Step 9 - Create ACCOUNT Management Agent Run Profiles.......................................................31

Creating the ACCOUNT Management Agent Run Profiles........................................................31

See Also.................................................................................................................................... 32

Step 10 - Create RESOURCE Management Agent Run Profiles..................................................33

Creating the RESOURCE Management Agent Run Profiles.....................................................33

See Also.................................................................................................................................... 34

Step 11 - Create the Metaverse Rules Extension.........................................................................34

See Also.................................................................................................................................... 35

Step 12 - Create SCP in Accounts Forest.....................................................................................35

See Also.................................................................................................................................... 36

Step 13 - Create Active Directory Migration Tool Options File......................................................36

See Also.................................................................................................................................... 37

Step 14 - Create ADRMSPublic Shared Folder...........................................................................37

See Also.................................................................................................................................... 37

Step 15 - Create Fabrikam Confidential Rights Policy Template...................................................37

See Also.................................................................................................................................... 38

Step 16 - Create Fabrikam FTE Confidential Rights Policy Template...........................................38

See Also.................................................................................................................................... 39

Step 17 - Enable Rights Management Scheduled Task on ACC-CLT1.........................................39

See Also.................................................................................................................................... 40

Step 18 - Add AdminTemplatePath Registry Key and Trusted Sites on ACC-CLT1......................40

Add the AD RMS URL to Trusted Sites......................................................................................41

See Also.................................................................................................................................... 41

Step 19 - Enable Rights Management Scheduled Task on RES-CLT1.........................................41

See Also.................................................................................................................................... 42

Step 20 - Add AdminTemplatePath Registry Key and Trusted Sites on RES-CLT1......................42

Add the AD RMS URL to Trusted Sites......................................................................................43

See Also.................................................................................................................................... 43

Testing the Implementation...........................................................................................................43

See Also.................................................................................................................................... 44

Step 1 - Run ACCOUNT MA Full Import.......................................................................................44

Running ACCOUNT Management Agent Full Import.................................................................44

Step 2 - Run RESOURCE MA Full Import....................................................................................45

Running RESOURCE Management Agent Full Import..............................................................45


Step 3 - Run ACCOUNT MA Full Synch.......................................................................................45

Running ACCOUNT Management Agent Full Synchronization..................................................45

Step 4 - Run RESOURCE MA Export...........................................................................................46

Running RESOURCE Management Agent Export.....................................................................46

Step 5 - Run RESOURCE MA Delta Import..................................................................................46

Running RESOURCE Management Agent Delta Import...........................................................46

Step 6 - Use Active Directory Migration Tool to Migrate a Test User.............................................47

Using ADMT to Migrate a Test User..........................................................................................47

Step 7 - Use Exchange System Manager to Create Linked Mailbox............................................49

Using Exchange Management Console to Create a Linked Mailbox.........................................49

Step 8 - Add Users to Groups.......................................................................................................50

Add Test Users to Test Groups..................................................................................................50

Step 9 - Run RESOURCE MA Delta Import..................................................................................51

Running RESOURCE Management Agent Delta Import...........................................................51

Step 10 - Run RESOURCE MA Full Synch...................................................................................51

Running RESOURCE Management Agent Full Synchronization...............................................52

Step 11 - Run ACCOUNT MA Export............................................................................................52

Running ACCOUNT Management Agent Export.......................................................................52

Step 12 - Run ACCOUNT MA Delta Import...................................................................................53

Running ACCOUNT Management Agent Delta Import..............................................................53

Step 13 - Create Protected E-mail Content on RES-CLT1............................................................53

Step 14 - Consume Protected E-mail Content on ACC-CLT1.......................................................55

Step 15 - Create Protected E-mail Content on ACC-CLT1............................................................56

Step 16 - Consume Protected E-mail Content on RES-CLT1.......................................................57

Automating the Implementation....................................................................................................58

See Also.................................................................................................................................... 58

Step 1 – Uncomment and rebuild MV Extension Code.................................................................58

Uncomment and Recompile MVExtension................................................................................59

Step 2 - Create UserSidTracking Database..................................................................................59

Creating the UserSidTracking Database...................................................................................59

Step 3 - Create Users Table..........................................................................................................60

Creating the Users Table...........................................................................................................60


Step 4 - Create SQL Management Agent.....................................................................................61

Creating the SQL Management Agent.......................................................................................61

Step 5 - Create SQL Management Agent Run Profiles.................................................................63

Creating the SQL Management Agent Run Profiles..................................................................63

Step 6 - Create the SQL Rules Extension.....................................................................................65

Creating the SQL Management Agent Rules Extension............................................................65

Step 7 - Create the Operations folder...........................................................................................66

Creating the Operations Folder.................................................................................................66

Step 8 - Get the Management Agent GUIDs.................................................................................66

Retrieving the ILM FP1 GUIDs..................................................................................................66

Step 9 - Edit and Build Automation Application.............................................................................67

Edit and Build Automation Application.......................................................................................67

Testing the Automation..................................................................................................................69

See Also.................................................................................................................................... 69

Step 1 - Run the Automation Application.......................................................................................69

Running the Automation Application..........................................................................................69

Step 2 - Enable Rights Management Scheduled Task on ACC-CLT2...........................................70

Enabling the Rights Management Scheduled Task...................................................................70

Step 3 - Add AdminTemplatePath Registry Key and Trusted Sites on ACC-CLT2........................71

Add the AdminTemplatePath Registry Key................................................................................71

Add the AD RMS URL to Trusted Sites......................................................................................71

Step 4 - Create Protected E-mail Content on RES-CLT1..............................................................72

Step 5 - Consume Protected E-mail Content on ACC-CLT1.........................................................73

Step 6 - Consume Protected E-mail Content on ACC-CLT2.........................................................73

Step 7 - Create Protected E-mail Content on ACC-CLT2...............................................................75

Step 8 - Consume Protected E-mail Content on RES-CLT1.........................................................76

Step 9 - Consume Protected E-mail Content on ACC-CLT1.........................................................76

Appendix A - UserSidTracking database T-SQL...........................................................................77

Appendix B - Users Table T-SQL...................................................................................................80

Appendix C - Metaverse Extension Code.....................................................................................81

See Also.................................................................................................................................... 84


Appendix D - SQL MA Extension..................................................................................................84

Appendix E - Automation Application............................................................................................88

Appendix F - ADMT Options File.................................................................................................103

Appendix G - MA GUID Retrieval Script......................................................................................104

Appendix H - Pre-Implementation Checklists..............................................................................105

See Also.................................................................................................................................. 109


AD RMS Deployment in a Resource Forest Step-by-Step Guide

This step-by-step guide walks you through the process of configuring Active Directory Rights Management Services (AD RMS) in a test environment that includes a Microsoft® Exchange Server 2007 resource forest. An Exchange Server resource forest is also called a dedicated Exchange Server forest. A basic example of an Exchange Server resource forest topology has two forests. One forest contains the primary user accounts for your organization. This forest is called the accounts forest. The other forest does not contain any primary user accounts. It contains only the Exchange servers and disabled user accounts. It will also contain the AD RMS servers. This forest is called the resource forest.

In this guide, the AD RMS cluster will be extended to allow users from the accounts forest to create and consume protected content. Once complete, you can use the test AD RMS lab environment to assess how AD RMS on Windows Server® 2008 can be created and deployed within your organization to accommodate a resource forest.

Important

In order for the test environment to work, the security identifier (SID) of each user account in the accounts forest is mapped to the sIDHistory attribute of the corresponding disabled user account in the resource forest. It is important that you understand the use of SIDs and sIDHistory across forests, which is outside the scope of this documentation. For more information, see Using SID History to Preserve Resource Access (http://go.microsoft.com/fwlink/?LinkId=156709). Because the resource forest resolves the SIDs in sIDHistory as alternate identities of the account that carries them, the ability to write that attribute must be restricted to the controlled migration process.

This version of deploying AD RMS does not represent the only acceptable architectural design. Another possible design consists of a certification-only AD RMS cluster in the accounts forest and a licensing-only AD RMS cluster in the resource forest.

In this document, the linked mailboxes in the resource forest are created either manually, with the Exchange Management Console, or with Windows PowerShell in the automated portion. Another acceptable way of accomplishing this would be to modify the ILM FP1 provisioning code and use the ExchangeUtils class. For additional information about ExchangeUtils, see the ILM FP1 SDK on MSDN (http://go.microsoft.com/fwlink/?LinkId=160779).

The infrastructure required before implementing the steps in this document is fairly extensive. Although these steps are outside the scope of this document, the Appendix H - Pre-Implementation Checklists topic provides some useful checklists in addition to reference links that will help you set up your environment. The software requirements are listed in the Prerequisites for AD RMS Deployment in a Resource Forest topic.

The Administrator account in each forest was installed with Pass1word$ as its password. This is a lab-only value; if you have set up your environment with a different password, make sure that you substitute it where appropriate.
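As an added check (example code written for this page, not part of the whitepaper), the following Windows PowerShell script verifies for one test user the mapping described above: that the accounts-forest user's SID appears in the sIDHistory of the same-named account in the resource forest, and that the resource-forest account is disabled. The domain controller names, forest names and user name are the lab values from this guide and are assumptions; run it under an account that can read both forests across the forest trust. It queries LDAP through System.DirectoryServices so it does not depend on the Active Directory PowerShell module, which the Windows Server 2008 domain controllers in this lab do not provide.

```powershell
# Added example (not from the whitepaper): confirm the SID-to-sIDHistory mapping
# that the resource forest design relies on, for a single test user.
# Assumptions: host names, forest names and the default user are the guide's lab values.
param(
    [string]$SamAccountName   = 'bsimon',
    [string]$AccountsForestDc = 'ACC-DC.corp.fabrikam.com',
    [string]$ResourceForestDc = 'RES-DC.resource.fabrikam.net'
)

# Escape the characters that are special in an LDAP filter (RFC 4515), so a
# crafted account name cannot widen the search to other objects.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Look up one user object on the given DC and return the attributes we need.
function Find-User {
    param([string]$Dc, [string]$Sam)
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $Sam)))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('objectSid', 'sIDHistory', 'userAccountControl', 'distinguishedName'))
    $searcher.FindOne()
}

# AD returns SIDs as binary blobs; render them as S-1-5-... strings for comparison.
function ConvertTo-SidString {
    param([byte[]]$Bytes)
    (New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)).Value
}

$acc = Find-User -Dc $AccountsForestDc -Sam $SamAccountName
$res = Find-User -Dc $ResourceForestDc -Sam $SamAccountName
if (-not $acc) { throw "'$SamAccountName' was not found in the accounts forest." }
if (-not $res) { throw "'$SamAccountName' was not found in the resource forest; ILM provisioning has not run for this user." }

$accountsSid = ConvertTo-SidString $acc.Properties['objectsid'][0]
$history = @()
foreach ($raw in $res.Properties['sidhistory']) { $history += ConvertTo-SidString $raw }

# ADS_UF_ACCOUNTDISABLE is bit 0x2 of userAccountControl.
$uac        = [int]$res.Properties['useraccountcontrol'][0]
$isDisabled = ($uac -band 0x2) -ne 0

"Accounts-forest object   : $($acc.Properties['distinguishedname'][0])"
"Accounts-forest SID      : $accountsSid"
"Resource-forest object   : $($res.Properties['distinguishedname'][0])"
"Resource sIDHistory      : $(if ($history) { $history -join ', ' } else { '<empty>' })"
"Resource account disabled: $isDisabled"

if ($history -notcontains $accountsSid) {
    Write-Warning "sIDHistory does not contain the accounts-forest SID; the ADMT migration step has not been applied to this user."
}
if (-not $isDisabled) {
    Write-Warning "The resource-forest account is enabled; in this design it must stay disabled and serve only as the linked-mailbox placeholder."
}
```

Run it before and after the ADMT step for a user: the first warning tells you the SID has not been copied yet, the second that the provisioned account was enabled by mistake, which would turn the placeholder into a second, independently usable identity in the resource forest.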


As you complete the steps in this guide, you will:

- Configure Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) Feature Pack 1.
- Write some code and compile it with Microsoft® Visual Studio 2008 Service Pack 1.
- Use the Active Directory Migration Tool (ADMT) to migrate an accounts-forest user's SID into the corresponding resource-forest user's sIDHistory.
- Use Microsoft Exchange Server 2007 and Windows PowerShell to create linked mailboxes.
- Verify e-mail functionality after you complete the configuration.
- Verify AD RMS functionality after you complete the configuration.

Note

ILM 2007 FP1 is not required for AD RMS. However, we strongly recommend it for this guide. It is used in this scenario to accomplish the following:

- Automatically provision disabled user accounts into the resource forest based on their corresponding accounts forest user accounts.
- Automatically provision users to a SQL table and track when each user has had the sIDHistory attribute populated.

Note

Visual Studio 2008 is not required for AD RMS. It is used in the scenario described in these topics to compile the ILM FP1 extensions and the automation application from the code provided in the Appendices. If the full version of Visual Studio 2008 is unavailable, you can use one of the Express editions. For more information about Visual Studio products, see Visual Studio 2008 Express Editions (http://go.microsoft.com/fwlink/?LinkId=154574).

What This Guide Does Not Provide

This guide does not provide the following:

- Guidance for setting up and configuring Active Directory Domain Services (AD DS) in either a production or test environment. This guide assumes that AD DS is already configured and that both the accounts forest and the resource forest have been created. For more information about configuring AD DS, see AD DS Installation and Removal Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=154567).
- Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured and working in the resource forest. For more information about configuring AD RMS, see the AD RMS Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkID=154256).
- Guidance for setting up and configuring Microsoft Exchange Server 2007 Service Pack 1 in either a production or test environment. This guide assumes that Exchange Server 2007 SP1 is already set up and configured in the resource forest. For more information about configuring Exchange Server 2007, see Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=154564).
- Guidance for setting up and configuring Microsoft SQL Server 2008 Service Pack 1 in either a production or test environment. This guide assumes that SQL Server 2008 SP1 is already configured in the resource forest. For more information about how to configure SQL Server 2008 SP1, see Installing SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkID=154569).
- Guidance for setting up ILM 2007 FP1 in either a production or test environment. This guide assumes that ILM 2007 FP1 is already configured in the resource forest. For more information about how to install ILM 2007 FP1, see Getting Started with MIIS 2003 Walkthrough (http://go.microsoft.com/fwlink/?LinkId=154570).
- Guidance for setting up Windows Server 2008 forest trusts in either a production or test environment. This guide assumes that a forest-level trust exists between the accounts forest and the resource forest. For more information about how to set up forest-level trusts, see Creating Forest Trusts (http://go.microsoft.com/fwlink/?LinkId=154632).
- Guidance for setting up conditional forwarding for DNS in either a production or test environment. This guide assumes that conditional forwarding has already been set up between the two DNS servers. For more information about how to set up forwarders, see Configure a DNS Server to Use Forwarders (http://go.microsoft.com/fwlink/?LinkId=154636).
- Guidance for setting up Visual Studio 2008 in either a production or test environment. This guide assumes that Visual Studio 2008 is already installed on the ILM 2007 FP1 computer. For more information about how to install Visual Studio 2008, see Installation and Setup Essentials (http://go.microsoft.com/fwlink/?LinkId=154573).
- Guidance for setting up the Active Directory Migration Tool (ADMT) in either a production or test environment. This guide assumes that ADMT is set up and working correctly between the accounts forest and the resource forest. For more information about how to set up ADMT for Windows Server 2008, see Active Directory Migration Tool version 3.1 (http://go.microsoft.com/fwlink/?LinkId=158039).

Scenario Overview

Fabrikam, a fictitious company, has set up its e-mail infrastructure using a resource forest design. Currently it is investigating moving away from this design to a single forest design. However, this will take some serious planning and will probably take significant time to implement. In the interim, Fabrikam wants to deploy AD RMS and take advantage of its ability to protect content from unauthorized use.

Fabrikam has two forests: corp.fabrikam.com, the accounts forest, and resource.fabrikam.net, the resource forest. These are shown in the test environment diagram in this topic. Current users reside in corp.fabrikam.com. They use Windows Vista® and the 2007 Microsoft Office system on their desktops. New users are created directly in resource.fabrikam.net. They use Windows® 7 Ultimate and the 2007 Microsoft Office system on their desktops. All e-mail servers and the AD RMS cluster will reside in the resource forest. Prior to being migrated, users in both forests must be able to send and consume protected e-mail content.

Note

The scenario detailed in this document is provided as an interim solution. Because of the security concerns exposed by this scenario, the utmost consideration should be given to moving to a single forest design.

The scenario outlined in this document has been developed and tested on two stand-alone computers that are running the Windows Server 2008 operating system and Hyper-V™. The servers have two 3.0 gigahertz (GHz) dual-core processors and 4 gigabytes (GB) of RAM each. The following table shows the six virtual machines that were created on the hosts by using Hyper-V for this step-by-step guide.

Virtual Machines and Roles

Computer name: ACC-DC
  Forest: corp.fabrikam.com
  Operating system: Windows Server 2008
  Memory: 512 MB
  Applications and services: Active Directory® Domain Services, Domain Name System
  IP address: 192.168.100.100

Computer name: ACC-CLT1
  Forest: corp.fabrikam.com
  Operating system: Windows Vista with Service Pack 2
  Memory: 1024 MB
  Applications and services: Microsoft Office Word 2007
  IP address: 192.168.100.101

Computer name: ACC-CLT2
  Forest: corp.fabrikam.com
  Operating system: Windows Vista with Service Pack 2
  Memory: 1024 MB
  Applications and services: Microsoft Office Word 2007
  IP address: 192.168.100.102

Computer name: RES-DC
  Forest: resource.fabrikam.net
  Operating system: Windows Server 2008 with Service Pack 2
  Memory: 2048 MB
  Applications and services: Active Directory® Domain Services, Domain Name System, Microsoft Exchange 2007, IIS 7.0, Microsoft SQL Server 2008 with Service Pack 1, Identity Lifecycle Manager 2007 Feature Pack 1, Microsoft® Visual Studio 2008, Active Directory Migration Tool version 3.1
  IP address: 192.168.100.1

Computer name: RES-ADRMS
  Forest: resource.fabrikam.net
  Operating system: Windows Server 2008 with Service Pack 2
  Memory: 1024 MB
  Applications and services: AD RMS, Microsoft SQL Server 2008 with Service Pack 1, IIS 7.0
  IP address: 192.168.100.2

Computer name: RES-CLT1
  Forest: resource.fabrikam.net
  Operating system: Windows 7 Ultimate
  Memory: 1024 MB
  Applications and services: Microsoft Office Word 2007
  IP address: 192.168.100.3

Hyper-V is not a requirement to complete the steps outlined in this guide. These steps can be implemented on physical computers as long as they reflect the same roles as the preceding table.

The following table summarizes the accounts used in this step-by-step guide.

Required Accounts

Account | Display name | Forest | Employee ID | Group Membership | Password | Description
bsimon | Britta Simon | corp.fabrikam.com | 11111 | All FTE | Pass1word$ | User account.
ljacobson | Lola Jacobson | resource.fabrikam.net | 22222 | All FTE | Pass1word$ | User account.
nholliday | Nicole Holliday | corp.fabrikam.com | 33333 | All FTE | Pass1word$ | User account.
lhenig | Limor Henig | corp.fabrikam.com | 44444 | All Contractors | Pass1word$ | User account.
srailson | Stuart Railson | corp.fabrikam.com | 55555 | All Contractors | Pass1word$ | User account.

The following table summarizes the universal groups used in this step-by-step guide.

Universal Group Summary

Group Name | Group Scope | Group Type
All Staff | Universal | Security
All FTE | Universal | Security
All Contractors | Universal | Security

Prerequisites for AD RMS Deployment in a Resource Forest

The following software is required to complete the steps in this guide. Although the setup steps are outside the scope of this document, the Appendix H - Pre-Implementation Checklists topic provides some useful checklists in addition to reference links that will help you set up your environment.

Software | Additional Information
Windows Server® 2008 Enterprise 32-bit edition | Windows Server 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Windows Vista® with Service Pack 2 | Windows Vista (http://go.microsoft.com/fwlink/?LinkId=156711)
Windows® 7 Ultimate | Windows 7 Ultimate (http://go.microsoft.com/fwlink/?LinkId=160776)
Active Directory Domain Service | Active Directory Domain Service (http://go.microsoft.com/fwlink/?LinkId=156712)
Active Directory Rights Management Services (AD RMS) | Active Directory Rights Management Services (http://go.microsoft.com/fwlink/?LinkId=163969)
Microsoft SQL Server 2008 Service Pack 1 – 32-bit edition | Microsoft SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkId=156714)
Microsoft Exchange Server 2007 Service Pack 1 – 32-bit edition (Evaluation copy) | Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=156715)
Microsoft Identity Lifecycle Manager 2007 Feature Pack 1 | Microsoft Identity Lifecycle Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=156716)
Microsoft Office 2007 with Service Pack 2 | Microsoft Office 2007 (http://go.microsoft.com/fwlink/?LinkId=156717)
Microsoft Visual Studio 2008 with Service Pack 1 | Microsoft Visual Studio 2008 (http://go.microsoft.com/fwlink/?LinkId=156718)
Microsoft Hyper-V | Microsoft Hyper-V (http://go.microsoft.com/fwlink/?LinkID=156719)
Active Directory Migration Tool Version 3.1 | ADMT Version 3.1 (http://go.microsoft.com/fwlink/?LinkId=158049)
Internet Information Services (IIS) 7.0 | Internet Information Services (http://go.microsoft.com/fwlink/?LinkId=160778)
Rights Management Services Administration Toolkit with SP2 | Rights Management Services Administration Toolkit with SP2 (http://go.microsoft.com/fwlink/?LinkId=158667)

See Also

AD RMS Deployment in a Resource Forest Step-by-Step Guide

Appendix H - Pre-Implementation Checklists

Limitations of This Deployment Design

The design for AD RMS deployment that is used in this document does have some feature limitations. These represent the supported features that come directly from the product group. The following section lists the supported AD RMS features and also the features which are not supported. This list may not include all of the features available in AD RMS. If a feature is not listed here as supported, then it should be considered to be unsupported for this deployment scenario.

The following is a list of supported features:

Lockbox Certification - Organizations must identify the users who are trusted entities within their AD RMS installation. To allow for this, AD RMS issues rights account certificates that associate user accounts with a key pair that is protected specifically to the user's computer. These certificates let users publish and consume rights-protected content. Each certificate contains a public key that is used to license information that is intended for that user's consumption.

Use licenses that enforce usage rights and conditions - A user who receives rights-protected content must request and receive a use license (UL) from AD RMS to be able to view the content. A UL is granted to an individual and lists the usage rights and conditions when that person consumes that content.

Publishing licenses that define usage rights and conditions – The ability to assign content-specific usage rights and conditions. These usage rights and conditions are defined within publishing licenses that specify the authorized users who can consume the content and how that content can be used and distributed.

Group Expansion – This has limited support in the resource forest only.

Rights Policy Templates - Administrators can create and distribute official rights policy templates that define the usage rights and conditions for a predefined set of users. These templates provide a manageable way for organizations to establish document classification hierarchies for their content.

Super Users Group - The Active Directory Rights Management Services (AD RMS) super users group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it. The super users group is outside the scope of this document. For additional information about the super users group see Setting up a Super Users Group (http://go.microsoft.com/fwlink/?LinkId=160554).

The following is a list of features that are not supported:

AD RMS Prelicensing Agent - You can use the Active Directory Rights Management Services (AD RMS) Prelicensing agent to certify the Microsoft Office Outlook recipient's authenticity. This would allow the recipient to open messages without receiving a credential prompt on every attempt. This feature is not supported in this design.

The following is a list of features that have not been extensively tested:

Caution

The features listed below have not been thoroughly tested to work in this design. If you choose to use them in a production environment, there is no guarantee that they will be supported.

Group expansion across forests

Query based groups

Trusted Publishing Domains

Trusted User Domains

ADFS

Exclusion/Revocation

ServerBox

MobileBox

Decommission

Implementing the Procedures in this Document

The following steps will guide you through setting up and testing an initial user. This includes the manual process of migrating a user from one forest to the other, using the Active Directory Migration Tool (ADMT) to populate sIDHistory and then testing the implementation. Because this can be time-consuming when applied to hundreds or thousands of users, the additional sections discuss automation.

This section is comprised of the following steps:

Step 1 - Create AccountsForestUsers Organizational Unit

Step 2 - Create ResourceForestUsers Organizational Unit

Step 3 - Create Test Users in Accounts Forest

Step 4 - Create Test Users in Resource Forest

Step 5 - Create Test Groups in Resource Forest

Step 6 - Extend ILM Metaverse Schema

Step 7 - Create Accounts Forest Management Agent

Step 8 - Create Resource Forest Management Agent

Step 9 - Create ACCOUNT Management Agent Run Profiles

Step 10 - Create RESOURCE Management Agent Run Profiles

Step 11 - Create the Metaverse Rules Extension

Step 12 - Create SCP in Accounts Forest

Step 13 - Create Active Directory Migration Tool Options File

Step 14 - Create ADRMSPublic Shared Folder

Step 15 - Create Fabrikam Confidential Rights Policy Template

Step 16 - Create Fabrikam FTE Confidential Rights Policy Template

Step 17 - Enable Rights Management Scheduled Task on ACC-CLT1

Step 18 - Add AdminTemplatePath Registry Key and Trusted Sites on ACC-CLT1

Step 19 - Enable Rights Management Scheduled Task on RES-CLT1

Step 20 - Add AdminTemplatePath Registry Key and Trusted Sites on RES-CLT1

See AlsoAD RMS Deployment in a Resource Forest Step-by-Step Guide

Prerequisites for AD RMS Deployment in a Resource Forest

Testing the Implementation

Automating the Implementation

18

Page 18: Microsoft Windows Server 2008 R2 - AD RMS In A Resource Forest End to End Solution Whitepaper

Step 1 - Create AccountsForestUsers Organizational Unit

In this step we will be creating an organizational unit in corp.fabrikam.com. This is the accounts forest. This organizational unit will store all of our test users.

Creating the AccountsForestUsers organizational unit

This topic explains how to create the AccountsForestUsers organizational unit.

To create the organizational unit

1. Log on to ACC-DC.corp.fabrikam.com as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers mmc.

3. In the Active Directory Users and Computers mmc, from the tree-view on the left, right-click corp.fabrikam.com, select New, and then Organizational Unit.

4. In the Name textbox, type AccountsForestUsers. Click OK.

5. Close Active Directory Users and Computers.

Step 2 - Create ResourceForestUsers Organizational Unit

This step explains how to create an organizational unit in resource.fabrikam.net. This is the resource forest. This organizational unit will store all of our synchronized users. These accounts will all have mailboxes. These accounts will be disabled.

Creating the ResourceForestUsers organizational unit

The following steps show how to create the ResourceForestUsers organizational unit.

To create the organizational unit

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers mmc.

3. In the Active Directory Users and Computers mmc, from the tree-view on the left, right-click resource.fabrikam.net, select New, and then Organizational Unit.

4. In the Name textbox, type ResourceForestUsers. Click OK.

5. Close Active Directory Users and Computers.

See Also

Implementing the Procedures in this Document

Step 3 - Create Test Users in Accounts Forest

This step explains how to create the test users in corp.fabrikam.com. These user accounts are in the accounts forest. These are the accounts that will be synchronized to the resource forest.

Create the Test Users

This section lists the steps for creating the test user accounts that are used in this scenario. The following table summarizes the accounts that will be created.

Table 2 Required Accounts

First Name | Last Name | User logon name | Display name | Forest | Employee ID | Password
Britta | Simon | bsimon | Britta Simon | Corp.fabrikam.com | 11111 | Pass1word$
Nicole | Holliday | nholliday | Nicole Holliday | Corp.fabrikam.com | 33333 | Pass1word$
Limor | Henig | lhenig | Limor Henig | Corp.fabrikam.com | 44444 | Pass1word$

To create the test User Accounts

1. Log on to the ACC-DC.corp.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand corp.fabrikam.com, right-click AccountsForestUsers, select New and then select User. This will bring up the New Object – User window.

4. On the New Object – User screen, in the First Name box, enter Britta.

5. On the New Object – User screen, in the Last Name box, enter Simon.

6. On the New Object – User screen, in the User logon name: box, enter bsimon and click Next.

7. On the New Object – User screen, in the Password box, enter Pass1word!.

8. On the New Object – User screen, in the Confirm Password box, enter Pass1word!.

9. On the New Object – User screen, remove the check from User must change password at next logon.

10. On the New Object – User screen, add a check to Password never expires and click Next.

11. Click Finish.

12. Repeat these steps for all of the accounts listed in the Account Summary table.

Add Employee ID to Test Users

This section lists the steps for adding the employee ID once the test users are created.

To add employee ID to the test users

1. Log on to the ACC-DC.corp.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand corp.fabrikam.com, click AccountsForestUsers, right-click Britta Simon and then select Properties. This will bring up the Britta Simon Properties window.

4. On the Britta Simon Properties screen, select the Attribute Editor tab.

Note

If you do not see the Attribute Editor tab, ensure that you have Advanced Features checked for Active Directory Users and Computers. To do this, at the top of Active Directory Users and Computers, click View and select Advanced Features.

5. On the Attribute Editor tab, use the scroll bar on the right, select employeeID and click Edit. This will bring up the String Attribute Editor dialog box.

6. On the String Attribute Editor dialog box, enter 11111 for the Value and click OK. This will close the String Attribute Editor dialog box.

7. Click Apply. Click OK. This will close the Britta Simon Properties.

8. Repeat these steps for all of the accounts listed in the Account Summary table, substituting the appropriate employee ID number.

See Also

Implementing the Procedures in this Document

Step 4 - Create Test Users in Resource Forest

This step explains how to create the test users in resource.fabrikam.net. These user accounts are in the resource forest. These are the accounts that represent new users.

Create the Test Users

This section lists the steps for creating the users in the resource forest. The following table summarizes the accounts that will be created.

Table 2 Required Accounts

First Name | Last Name | User logon name | Display name | Forest | Employee ID | Password
Lola | Jacobson | ljacobson | Lola Jacobson | Resource.fabrikam.net | 22222 | Pass1word$

To create the test User Accounts

1. Log on to the RES-DC.corp.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand resource.fabrikam.net, right-click ResourceForestUsers, select New and then select User. This will bring up the New Object – User window.

4. On the New Object – User screen, in the First Name box, enter Lola.

5. On the New Object – User screen, in the Last Name box, enter Jacobson.

6. On the New Object – User screen, in the User logon name: box, enter ljacobson and click Next.

7. On the New Object – User screen, in the Password box, enter Pass1word!.

8. On the New Object – User screen, in the Confirm Password box, enter Pass1word!.

9. On the New Object – User screen, remove the check from User must change password at next logon.

10. On the New Object – User screen, add a check to Password never expires and click Next.

11. Click Finish.

Add Employee ID to Test Users

This section lists the steps for adding the employee ID once the test users are created.

To add employee ID to the test users

1. Log on to the RES-DC.corp.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand resource.fabrikam.net, click ResourceForestUsers, right-click Lola Jacobson and then select Properties. This will bring up the Lola Jacobson Properties window.

4. On the Lola Jacobson Properties screen, select the Attribute Editor tab.

Note

If you do not see the Attribute Editor tab, ensure that you have Advanced Features checked for Active Directory Users and Computers. To do this, at the top of Active Directory Users and Computers, click View and select Advanced Features.

5. On the Attribute Editor tab, use the scroll bar on the right, select employeeID and click Edit. This will bring up the String Attribute Editor dialog box.

6. On the String Attribute Editor dialog box, enter 22222 for the Value and click OK. This will close the String Attribute Editor dialog box.

7. Click Apply. Click OK. This will close the Lola Jacobson Properties.

To Mailbox Enable the User

1. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.

2. In the Exchange Management Console, expand Recipient Configuration, and click Mailbox.

3. On the right, in the Actions pane, click New Mailbox… to start the New Mailbox wizard.

4. On the Introduction screen, select User Mailbox and click Next.

5. On the User Type screen, select Existing Users and click Add. This will bring up the Select User – resource.fabrikam.net screen.

6. From the list, select Lola Jacobson and click OK.

7. Click Next.

8. On the Mailbox Settings screen, next to Mailbox database click Browse. This will bring up the Select Mailbox Database screen.

9. On the Select Mailbox Database screen, verify the First Storage Group is selected and click OK.

10. Click Next.

11. On the New Mailbox screen, click New.

12. On the Completion screen, verify that it was successful and click Finish.

13. Close Exchange Management Console.

See Also

Implementing the Procedures in this Document

Step 5 - Create Test Groups in Resource Forest

This step explains how to create the test groups in resource.fabrikam.net. These groups are in the resource forest.

Create the Test Groups

This section lists the steps for creating the test groups that are used in this scenario. Three groups in total will be created for this scenario. The following table summarizes the groups that will be created.

Table Group Summary

Group Name | Group Scope | Group Type
All Staff | Universal | Security
All FTE | Universal | Security
All Contractors | Universal | Security

To create the test Groups

1. Log on to the RES-DC.corp.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand resource.fabrikam.net, right-click ResourceForestUsers, select New and then select Group. This will bring up the New Object – Group window.

4. On the New Object – Group screen, in the Group Name box, enter All Staff.

5. On the New Object – Group screen, under Group scope, select Universal.

6. On the New Object – Group screen, under Group type, select Security.

7. Click Ok.

8. Repeat these steps for all of the groups listed in the Group Summary table.

To Mail-Enable the Security Groups

1. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click Exchange Management Console.

2. In the Exchange Management Console, expand Recipient Configuration, and click Distribution Group.

3. On the right, in the Actions pane, click New Distribution Group… to start the New Distribution Group wizard.

4. On the Introduction screen, select Existing group and click Browse. This will bring up the Select Group – resource.fabrikam.net screen.

5. From the list, select All Staff and click OK.

6. Click Next.

7. On the Group Information screen, click Next.

8. On the New Distribution Group screen, click New.

9. On the Completion screen, verify that it was successful and click Finish.

10. Close Exchange Management Console.

11. Repeat these steps for all of the groups listed in the Group Summary table.

Add All FTE group and All Contractors group to All Staff group

1. Log on to the RES-DC.corp.fabrikam.com Server as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

3. Expand resource.fabrikam.net, select ResourceForestUsers, right-click All Staff, and select Properties. This will bring up the All Staff Properties window.

4. On the Members tab, click Add. This will bring up the Select Groups dialog box.

5. On the Select Groups dialog box, under Enter the object names to select (examples) box, enter All FTE and click Check Names. This should resolve with an underline.

6. Click Ok. This will close the Select Groups dialog box.

7. On the Members tab, click Add. This will bring up the Select Groups dialog box.

8. On the Select Groups dialog box, under Enter the object names to select (examples) box, enter All Contractors and click Check Names. This should resolve with an underline.

9. Click Ok. This will close the Select Groups dialog box.

10. On the All Staff Properties window, click Apply.

11. Click Ok. This will close the All Staff Properties dialog box.

12. Close Active Directory Users and Computers.

See Also

Implementing the Procedures in this Document
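Steps 1 through 5 can be scripted instead of clicked through. The following PowerShell is an added example and is not part of the whitepaper; it assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), Administrator rights in each forest, and the DC names, OU names, users, employee IDs and groups from the tables above.

```powershell
# Added example, not part of the whitepaper: scripts the manual work of Steps 1-5
# (OUs, test users with employeeID, universal security groups and their nesting)
# with the ActiveDirectory module that ships with Windows Server 2008 R2 / RSAT.
# Assumptions: run as Administrator of each forest; DC names, OU names, users,
# employee IDs and groups are the values from the guide's tables.
Import-Module ActiveDirectory

$accDc = 'ACC-DC.corp.fabrikam.com'
$accDomainDn = 'DC=corp,DC=fabrikam,DC=com'
$resDc = 'RES-DC.resource.fabrikam.net'
$resDomainDn = 'DC=resource,DC=fabrikam,DC=net'

# One password for all test accounts, prompted for rather than embedded in the script.
$testPassword = Read-Host -Prompt 'Password for the test accounts' -AsSecureString

function New-TestUser {
    param(
        [string]$Server, [string]$Path, [string]$UpnSuffix,
        [string]$First, [string]$Last, [string]$Logon, [string]$EmployeeId,
        [System.Security.SecureString]$Password
    )
    # Same settings as the New Object - User wizard in Steps 3 and 4 (no change at
    # next logon, password never expires). employeeID is set here instead of in the
    # Attribute Editor; it is the join key the RESOURCE management agent uses in Step 8.
    New-ADUser -Server $Server -Path $Path `
        -Name "$First $Last" -DisplayName "$First $Last" `
        -GivenName $First -Surname $Last `
        -SamAccountName $Logon -UserPrincipalName "$Logon@$UpnSuffix" `
        -EmployeeID $EmployeeId -AccountPassword $Password `
        -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true
}

# Step 1 and Step 3: accounts forest OU and the users that will be synchronized.
New-ADOrganizationalUnit -Server $accDc -Name 'AccountsForestUsers' -Path $accDomainDn
$accOu = "OU=AccountsForestUsers,$accDomainDn"
$accountsForestUsers = @(
    @{ First = 'Britta'; Last = 'Simon';    Logon = 'bsimon';    EmployeeId = '11111' },
    @{ First = 'Nicole'; Last = 'Holliday'; Logon = 'nholliday'; EmployeeId = '33333' },
    @{ First = 'Limor';  Last = 'Henig';    Logon = 'lhenig';    EmployeeId = '44444' }
)
foreach ($u in $accountsForestUsers) {
    New-TestUser -Server $accDc -Path $accOu -UpnSuffix 'corp.fabrikam.com' `
        -First $u.First -Last $u.Last -Logon $u.Logon -EmployeeId $u.EmployeeId `
        -Password $testPassword
}

# Step 2 and Step 4: resource forest OU and the user that represents a new hire there.
New-ADOrganizationalUnit -Server $resDc -Name 'ResourceForestUsers' -Path $resDomainDn
$resOu = "OU=ResourceForestUsers,$resDomainDn"
New-TestUser -Server $resDc -Path $resOu -UpnSuffix 'resource.fabrikam.net' `
    -First 'Lola' -Last 'Jacobson' -Logon 'ljacobson' -EmployeeId '22222' `
    -Password $testPassword

# Step 5: universal security groups, then nest All FTE and All Contractors in All Staff.
foreach ($g in 'All Staff', 'All FTE', 'All Contractors') {
    New-ADGroup -Server $resDc -Path $resOu -Name $g -SamAccountName $g `
        -GroupScope Universal -GroupCategory Security
}
Add-ADGroupMember -Server $resDc -Identity 'All Staff' -Members 'All FTE', 'All Contractors'

# Mailbox-enabling the user and mail-enabling the groups (Steps 4 and 5) are Exchange
# operations done in the Exchange Management Shell (Enable-Mailbox, Enable-DistributionGroup);
# they are not part of the ActiveDirectory module and are left to that console here.
```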

Step 6 - Extend ILM Metaverse Schema

This step explains how to extend the Identity Lifecycle Manager 2007 schema. This will allow us to flow the SID and sAMAccountName attribute from the accounts forest into the resource forest.

Extending the ILM 2007 FP 1 schema

The following steps show how to extend the ILM schema.

To extend the ILM schema

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.

3. In Identity Manager, click the Metaverse Designer button at the top.

4. In the Metaverse Designer, under Object Types select person so that it is highlighted and in the lower right corner click Add Attribute. This will bring up the Add Attribute To Object Type dialog box.

5. On the Add Attribute To Object Type dialog box, click New attribute. This will bring up the New Attribute dialog box.

6. On the New Attribute dialog box, enter sIDHistory for Attribute name and select Binary (indexable) for the Attribute type:. Click OK. This will close the New Attribute dialog box.

7. On the Add Attribute To Object Type dialog box, click OK. This will close the Add Attribute To Object Type dialog box.

8. Close Identity Manager.

See Also

Implementing the Procedures in this Document

Step 7 - Create Accounts Forest Management Agent

This step explains how to create the Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) with FP1 management agent for the accounts forest. This will allow you to synchronize user accounts into the resource forest.

To create the management agent

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and then click Identity Manager.

3. In Identity Manager, click the Management Agents button at the top.

4. In the Management Agents view, under Actions, click Create. This will bring up the Create Management Agent dialog box.

5. On the Create Management Agent dialog box, under Management Agent for, select Active Directory. Under Name enter ACCOUNT and then click Next.

6. On the Connect to Active Directory Forest dialog box, enter corp.fabrikam.com for Forest name. Enter Administrator for the User name. Enter Pass1word$ for the Password. Enter CORP for the Domain. Click Next.

7. On the Configure Directory Partitions dialog box, under Select directory partitions, put a check in DC=corp,DC=fabrikam,DC=com. Under Select containers for this partition, click the Containers button. This will bring up the Select Containers dialog box.

8. On the Select Containers dialog box, clear the check in the root DC=corp,DC=fabrikam,DC=com box. This will remove the check marks in all of the boxes. Now place a check in the AccountsForestUsers box. Click OK. This will close the Select Containers dialog box.

9. On the Configure Directory Partitions dialog box, click Next.

10. On the Select Object Types dialog box, check user and then click Next.

11. On the Select Attributes dialog box, place a check in the Show All box in the upper-right.

12. On the Select Attributes dialog box, place a check in the box for each attribute in the following list. When finished click Next.

cn

displayName

givenName

sn

employeeID

mail

13. On the Configure Connector Filter dialog box, click Next.

14. On the Configure Join and Projection Rules dialog box, select user and then click New Projection Rule. This will bring up the Projection dialog box.

15. On the Projection dialog box select Declared and then click OK. This will close the Projection dialog box.

16. On the Configure Join and Projection Rules dialog box, click Next.

17. On the Configure Attribute Flow dialog box, under Data source object type select user.

18. On the Configure Attribute Flow dialog box, under Metaverse object type select person.

19. On the Configure Attribute Flow dialog box, under Data source attribute select cn.

20. On the Configure Attribute Flow dialog box, under Mapping Type select Direct.

21. On the Configure Attribute Flow dialog box, under Flow Direction select Import.

22. On the Configure Attribute Flow dialog box, under Metaverse attribute select cn.

23. On the Configure Attribute Flow dialog box, click New. This flow rule will appear above. Repeat these steps for each attribute in the following table. When finished, click Next.

CORP MA Attribute Flow

Data Source Object Type | Metaverse Object Type | Data Source Attribute | Mapping Type | Flow Direction | Metaverse Attribute
user | person | cn | Direct | Import | cn
user | person | displayName | Direct | Import | displayName
user | person | sn | Direct | Import | sn
user | person | employeeID | Direct | Import | employeeID
user | person | givenName | Direct | Import | givenName
user | person | mail | Direct | Export | mail

24. On the Configure Deprovisioning dialog box, click Next.

25. On the Configure Extensions dialog box, click Finish.

26. Close Identity Manager.

See Also

Implementing the Procedures in this Document

Step 8 - Create Resource Forest Management Agent

This step explains how to create the Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) FP1 management agent for the resource forest. This will allow you to synchronize user accounts into the resource forest.

To create the management agent

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and then click Identity Manager.

3. In Identity Manager, click the Management Agents button at the top.

4. In the Management Agents view, under Actions, click Create. This will bring up the Create Management Agent dialog box.

5. On the Create Management Agent dialog box, under Management Agent for, select Active Directory. Under Name enter RESOURCE and then click Next.

6. On the Connect to Active Directory Forest dialog box, enter resource.fabrikam.net for Forest name. Enter Administrator for the User name. Enter Pass1word$ for the Password. Enter RESOURCE for the Domain. Click Next.

7. On the Configure Directory Partitions dialog box, under Select directory partitions, put a check in DC=resource,DC=fabrikam,DC=net. Under Select containers for this partition, click the Containers button. This will bring up the Select Containers dialog box.

8. On the Select Containers dialog box, clear the check from the root DC=resource,DC=fabrikam,DC=net box. This will remove the check marks in all of the boxes. Now place a check in the ResourceForestUsers box. Click OK. This will close the Select Containers dialog box.

9. On the Configure Directory Partitions dialog box, click Next.

10. On the Select Object Types dialog box, check user and then click Next.

11. On the Select Attributes dialog box, place a check in the Show All box in the upper-right.

12. On the Select Attributes dialog box, place a check in the box for each attribute in the following list. When finished click Next.

cn

displayName

employeeID

givenName

mail

sIDHistory

sn

13. On the Configure Connector Filter dialog box, click Next.

14. On the Configure Join and Projection Rules dialog box, select user and then click New Join Rule. This will bring up the Join Rule for user dialog box.

15. On the Join Rule for user dialog box, under Data source attribute select employeeID.

16. On the Join Rule for user dialog box, under Mapping Type select Direct.

17. On the Join Rule for user dialog box, under Metaverse Object Type select person.

18. On the Join Rule for user dialog box, under Metaverse attribute select employeeID.

19. On the Join Rule for user dialog box, click Add Condition. If you see a dialog box that says, You are attempting a join mapping with a non-indexed metaverse attribute, you can safely ignore it and click OK.

20. On the Join Rule for user dialog box, click OK. This will close the Join Rule for user dialog box.

21. On the Configure Join and Projection Rules dialog box, click Next.

22. On the Configure Attribute Flow dialog box, under Data source object type select user.

23. On the Configure Attribute Flow dialog box, under Metaverse object type select person.

24. On the Configure Attribute Flow dialog box, under Data source attribute select cn.

25. On the Configure Attribute Flow dialog box, under Mapping Type select Direct.

26. On the Configure Attribute Flow dialog box, under Flow Direction select Export.

27. On the Configure Attribute Flow dialog box, under Metaverse attribute select cn.

28. On the Configure Attribute Flow dialog box, click New. This flow rule will appear above. Repeat these steps for each attribute in the following table. When finished, click Next.

RESOURCE MA Attribute Flow

Data Source Object Type | Metaverse Object Type | Data Source Attribute | Mapping Type | Flow Direction | Metaverse Attribute
user | person | cn | Direct | Export | cn
user | person | displayName | Direct | Export | displayName
user | person | sn | Direct | Export | sn
user | person | employeeID | Direct | Export | employeeID
user | person | givenName | Direct | Export | givenName
user | person | sIDHistory | Direct | Import | sIDHistory
user | person | mail | Direct | Import | mail

29. On the Configure Deprovisioning dialog box, click Next.

30. On the Configure Extensions dialog box, click Finish.

31. Close Identity Manager.

Step 9 - Create ACCOUNT Management Agent Run Profiles

This step explains how to create ACCOUNT management agent run profiles.

Creating the ACCOUNT Management Agent Run Profiles

The following steps show how to create the ACCOUNT MA run profiles.

To create the management agent run profiles

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.

3. In Identity Manager, click the Management Agents button at the top.

4. In the Management Agents view, select ACCOUNT, then under Actions, click Configure Run Profiles. This will bring up the Configure Run Profiles for “ACCOUNT” dialog box.

5. On the Configure Run Profiles for “ACCOUNT” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.

6. On the Profile Name screen, enter FI for Name. Click Next.

7. On the Configure Step screen, under Type, select Full Import (Stage Only). Click Next.

8. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.

9. On the Configure Run Profiles for “ACCOUNT” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.

10. On the Profile Name screen, enter FS for Name. Click Next.

11. On the Configure Step screen, under Type, select Full Synchronization. Click Next.

12. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.

13. On the Configure Run Profiles for “ACCOUNT” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.

14. On the Profile Name screen, enter DI for Name. Click Next.

15. On the Configure Step screen, under Type, select Delta Import (Stage Only). Click Next.

16. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.

17. On the Configure Run Profiles for “ACCOUNT” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.

18. On the Profile Name screen, enter DS for Name. Click Next.

19. On the Configure Step screen, under Type, select Delta Synchronization. Click Next.

20. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.

21. On the Configure Run Profiles for “ACCOUNT” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.

22. On the Profile Name screen, enter E for Name. Click Next.

23. On the Configure Step screen, under Type, select Export. Click Next.

24. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.

25. On the Configure Run Profiles for “ACCOUNT” dialog box, click Apply. Click OK. This will close the Configure Run Profiles for “ACCOUNT” dialog box.

26. Close Identity Manager.

See Also

Implementing the Procedures in this Document

Step 10 - Create RESOURCE Management Agent Run Profiles

This step explains how to create the RESOURCE management agent run profiles.

Creating the RESOURCE Management Agent Run Profiles

The following steps show how to create the RESOURCE MA run profiles.

To create the management agent run profiles

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.

3. In Identity Manager, click the Management Agents button at the top.

4. In the Management Agents view, select RESOURCE, then under Actions, click Configure Run Profiles. This will bring up the Configure Run Profiles for “RESOURCE” dialog box.

5. On the Configure Run Profiles for “RESOURCE” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.

6. On the Profile Name screen, enter FI for Name. Click Next.

7. On the Configure Step screen, under Type, select Full Import (Stage Only). Click Next.

8. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.

9. On the Configure Run Profiles for “RESOURCE” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.

10. On the Profile Name screen, enter FS for Name. Click Next.

11. On the Configure Step screen, under Type, select Full Synchronization. Click Next.

12. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.

13. On the Configure Run Profiles for “RESOURCE” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.

14. On the Profile Name screen, enter DI for Name. Click Next.

15. On the Configure Step screen, under Type, select Delta Import (Stage Only). Click Next.

16. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.

17. On the Configure Run Profiles for “RESOURCE” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.

18. On the Profile Name screen, enter DS for Name. Click Next.

19. On the Configure Step screen, under Type, select Delta Synchronization. Click Next.

20. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.

21. On the Configure Run Profiles for “RESOURCE” dialog box, click New Profile. This will bring up the Configure Run Profile dialog box.

22. On the Profile Name screen, enter E for Name. Click Next.

23. On the Configure Step screen, under Type, select Export. Click Next.

24. On the Management Agent Configuration screen, click Finish. This will close the Configure Run Profile dialog box.

25. On the Configure Run Profiles for “RESOURCE” dialog box, click Apply. Click OK. This will close the Configure Run Profiles for “RESOURCE” dialog box.

26. Close Identity Manager.

See Also

Implementing the Procedures in this Document

Step 11 - Create the Metaverse Rules Extension

This step explains how to create the metaverse rules extension.

To create the metaverse rules extension

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.

3. In Identity Manager, go to the top and select Tools, and select Options. This will bring up the Options dialog box.

4. On the Options dialog box, check Enable metaverse rules extension and click Create Rules Extension Project. This will bring up the Create Extension Project dialog box.

5. On the Create Extension Project dialog box, select Visual C# from the drop-down next to Programming Language.

6. On the Create Extension Project dialog box, select Rules Extension from the drop-down next to Project Type.

7. On the Create Extension Project dialog box, leave the default of MVExtension next to Project name.

8. On the Create Extension Project dialog box, leave the default for Project Location.

9. On the Create Extension Project dialog box, leave a check in Launch in VS.NET IDE.

10. On the Create Extension Project dialog box, click OK. This will launch Visual Studio.

Note

When this project opens, the Visual Studio Conversion Wizard will start so that it can convert the project to a Visual Studio 2008 version. Simply click Next and then Finish. Then select Load this project normally. Then close the conversion wizard once it is complete. Also, if you have not opened Visual Studio 2008 yet, it will ask you to configure it for first-time use. Simply select General Settings and then wait momentarily until it finishes. When it is done, the Visual Studio Conversion Wizard will start.

11. In Visual Studio, under the Solution Explorer, double-click MVExtension.cs.

12. Delete all of the code that appears in the large window on the left. Copy the code from Appendix C – Metaverse Extension Code into this area.

13. In Visual Studio, at the top, select Build and then select Build Solution. Down at the bottom, in the Output section, you should see Build: 1 succeeded or up-to-date, 0 failed, 0 skipped. Close Visual Studio. This will return you to the Options dialog box.

14. In Identity Manager, on the Options dialog box, next to Rules extension name click Browse. This will bring up the Select File dialog box.

15. On the Select File dialog box, select MVExtension.dll and click OK. This will close the Select File dialog box.

16. On the Options dialog box, place a check in Enable Provisioning Rules Extension and click OK. This will close the Options dialog box.

17. Close Identity Manager.

See Also

Implementing the Procedures in this Document

Step 12 - Create SCP in Accounts Forest

This step explains how to create the Service Connection Point (SCP) in the accounts forest. This will allow the clients in the accounts forest to locate the AD RMS cluster without having to use the registry overrides. Prior to completing this step, be sure that the Rights Management Services Administration Toolkit with SP2 has been downloaded and installed on ACC-DC.corp.fabrikam.com.

To create the Service Connection Point

1. Log on to ACC-DC.corp.fabrikam.com as Administrator.

2. Click Start, click Run, type cmd in the Open: box, and click OK. This will bring up the command shell.

3. Navigate to C:\Program Files\RMS SP2 Administration Toolkit\ADScpRegister.

4. Enter the following at the prompt: ADScpRegister registerscp https://res-adrms.resource.fabrikam.net:443/_wmcs/certification and then press ENTER.

5. Once the tool reports Successfully committed SCP changes to AD, close the command window.

At this point, the SCP should be registered. This can be verified by using ADSI Edit. Connect to the configuration context and drill down to CN=Services\CN=RightsManagementServices\CN=SCP. You can view the properties of the SCP from here.
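The ADSI Edit check above can also be scripted. The following PowerShell is an added example, not part of the whitepaper: it reads the SCP from the configuration partition of the accounts forest and confirms that its serviceBindingInformation holds exactly the HTTPS certification URL registered in step 4 (a second or different URL would send clients to a cluster other than the one you registered). The function names and the expected-URL variable are my own.

```powershell
# Added example, not from the whitepaper: verify the AD RMS SCP registered in Step 12.
# Assumptions: run on a member of corp.fabrikam.com (for example ACC-DC) as an account
# that can read the configuration partition; the expected URL is the one passed to
# ADScpRegister in step 4. Function names are my own.
$ExpectedUrl = 'https://res-adrms.resource.fabrikam.net:443/_wmcs/certification'

function Get-AdRmsScp {
    # The SCP is CN=SCP under CN=RightsManagementServices,CN=Services in the
    # configuration naming context (the same path the ADSI Edit check drills to).
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
    if (-not [ADSI]::Exists($scpPath)) { return $null }
    $scp = [ADSI]$scpPath
    [pscustomobject]@{
        DistinguishedName = [string]$scp.distinguishedName
        ObjectClass       = [string]($scp.objectClass | Select-Object -Last 1)
        BindingInfo       = @($scp.serviceBindingInformation | ForEach-Object { [string]$_ })
    }
}

function Test-AdRmsScp {
    param([Parameter(Mandatory)][string]$Expected)
    $scp = Get-AdRmsScp
    if ($null -eq $scp) {
        Write-Warning 'No AD RMS SCP is registered in this forest.'
        return $false
    }
    $ok = $true
    if ($scp.ObjectClass -ne 'serviceConnectionPoint') {
        Write-Warning "Unexpected object class: $($scp.ObjectClass)"; $ok = $false
    }
    # Exactly one binding is expected; extra or different URLs mean clients could be
    # directed to a cluster other than the one registered in step 4.
    if ($scp.BindingInfo.Count -ne 1) {
        Write-Warning "Expected one binding, found $($scp.BindingInfo.Count)"; $ok = $false
    }
    foreach ($url in $scp.BindingInfo) {
        if (([uri]$url).Scheme -ne 'https') { Write-Warning "SCP URL is not HTTPS: $url"; $ok = $false }
        if ($url -ne $Expected)             { Write-Warning "SCP URL differs from expected: $url"; $ok = $false }
    }
    if ($ok) { Write-Output "SCP OK: $($scp.DistinguishedName) -> $($scp.BindingInfo[0])" }
    return $ok
}

Test-AdRmsScp -Expected $ExpectedUrl
```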

See Also

Implementing the Procedures in this Document

Step 13 - Create Active Directory Migration Tool Options File

This step explains how to create the ADMT options file. The options file is used for efficiency: it is often more efficient to specify ADMT command-line options in an options file than to type them on the command line each time.

To create the ADMT options file

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click Computer, and then double-click Local Disk (C:), double-click Windows, double-click ADMT.

3. Click File, point to New, and then click Text Document.

4. Type options for the new file name, and then press ENTER.

5. Double-click the new options file. This will open the file.

6. Copy the text from Appendix F – ADMT Options File, of this document, and paste it into the new options file.

7. Click File and click Save. Close the options file.

See Also

Implementing the Procedures in this Document

Step 14 - Create ADRMSPublic Shared Folder

This step explains how to create the ADRMSPublic shared folder.

To create the ADRMSPublic shared folder

1. Log on to RES-ADRMS.resource.fabrikam.net as Administrator.

2. Click Start, click Computer, and then double-click Local Disk (C:).

3. Click File, point to New, and then click Folder.

4. Type ADRMSPublic for the new folder, and then press ENTER.

5. Right-click ADRMSPublic, and then click Share.

6. On the File Sharing window, in the box under Type the name of the person you want to share with and click Add… enter Everyone and click Add. The Everyone group should now appear in the box below. The Permission Level should be Reader.

7. On the File Sharing window, in the box under Type the name of the person you want to share with and click Add… enter ADRMS Service and click Add. The ADRMS Service account should now appear in the box below. The Permission Level should be Reader. Using the arrow next to Reader, change the Permission Level to Contributor.

8. Click Share. The window should change and you should now see Your folder is shared.

9. Click Done.

See Also

Implementing the Procedures in this Document

Step 15 - Create Fabrikam Confidential Rights Policy Template

This step explains how to create the Fabrikam Confidential Rights Policy Template.

To create the Fabrikam Confidential Rights Policy Template

1. Log on to RES-ADRMS.resource.fabrikam.net as Administrator.


2. Open the Active Directory Rights Management Services Administration console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

4. In the Active Directory Rights Management Services Administration console, expand the cluster name.

5. Click Rights Policy Templates and ensure that Distributed Rights Policy Template information appears in the center pane. On the right, in the Actions pane, click Properties. This will bring up the Rights Policy Templates Properties dialog box.

6. On the Rights Policy Templates Properties dialog box, select the Enable export check box, type \\res-adrms\ADRMSPublic in the Specify templates file location (UNC) box, and then click OK.

7. On the right, in the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy Template wizard.

8. Click Add.

9. In the Language box, choose the appropriate language for the rights policy template.

10. Type Fabrikam Confidential in the Name box.

11. Type This content is confidential and proprietary information intended for Fabrikam employees only and provides the following user rights: View, Reply, Reply All, Save, Edit, and Forward in the Description box, and then click Add.

12. Click Next.

13. Click Add, type [email protected] in The e-mail address of a user or group box, and then click OK.

14. Select the View, Reply, Reply All, Save, Edit, and Forward check boxes.

15. Click Finish.

See Also

Implementing the Procedures in this Document

Step 16 - Create Fabrikam FTE Confidential Rights Policy Template

This step explains how to create the Fabrikam FTE Confidential Rights Policy Template.

1. Log on to RES-ADRMS.resource.fabrikam.net as Administrator.


2. Open the Active Directory Rights Management Services Administration console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

3. In the Active Directory Rights Management Services Administration console, expand the cluster res-adrms.resource.fabrikam.net.

4. Click Rights Policy Templates.

5. On the right, in the Actions pane, click Create Distributed Rights Policy Template to start the Create Distributed Rights Policy Template wizard.

6. Click Add.

7. In the Language box, choose the appropriate language for the rights policy template.

8. Type Fabrikam FTE Confidential in the Name box.

9. Type This content is confidential and proprietary information intended for Fabrikam full-time employees only and provides the following user rights: View, Reply, Reply All, Save, Edit, and Forward in the Description box, and then click Add.

10. Click Next.

11. Click Add, type [email protected] in The e-mail address of a user or group box, and then click OK.

12. Select the View, Reply, Reply All, Save, Edit, and Forward check boxes.

13. Click Finish.

See Also

Implementing the Procedures in this Document

Step 17 - Enable Rights Management Scheduled Task on ACC-CLT1

This step explains how to enable the rights management scheduled task, which is disabled by default on the Windows Vista client.

To enable the rights management scheduled task

1. Log on to ACC-CLT1 as corp\Administrator.

2. Click Start, and then click Control Panel.

3. Double-click Administrative Tools, and then double-click Task Scheduler.

Note

If you do not see Administrative Tools, switch to Classic View.

4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

5. Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client.

6. Right-click AD RMS Rights Policy Template Management (Automated), and then click Enable.

7. Close Task Scheduler.

See Also

Implementing the Procedures in this Document

Step 18 - Add AdminTemplatePath Registry Key and Trusted Sites on ACC-CLT1

In this step you will add the AdminTemplatePath registry key for the user Britta Simon. This must be done for each individual user that will use the client computer. This is because this key resides under HKEY_CURRENT_USER and is specific to the user that is currently logged on. Also, you will add the AD RMS URL to the Trusted Sites of the current user’s instance of Internet Explorer.

To add the AdminTemplatePath registry key

1. Log on to ACC-CLT1 as corp\bsimon.

2. Click Start, type regedit.exe in the Start Search box, and then press ENTER.

3. Expand the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM

Note

If DRM was not already created as a part of the key, you must create it manually.

4. Right-click DRM, click New, and then click Expandable String Value.

5. In the Value name box, type AdminTemplatePath, and then press ENTER.

Note

If AdminTemplatePath already exists, just modify it to match the entry that is shown here.

6. Double-click the AdminTemplatePath registry value and type %LocalAppData%\Microsoft\DRM\Templates in the Value data box, and then click OK.

7. Close Registry Editor.

Add the AD RMS URL to Trusted Sites

The following steps show you how to add the AD RMS URL to trusted sites in Internet Explorer.

To add the AD RMS URL

1. Log on to ACC-CLT1 as corp\bsimon.

2. Click Start, click All Programs and select Internet Explorer.

3. Once Internet Explorer opens, in the upper-right corner, select Tools and then click Internet Options from the drop-down. This will bring up the Internet Options window.

4. From the Internet Options screen, click the Security tab, and select Trusted Sites from the Select a zone to view or change security settings box.

5. Click the Sites button. This will display a Trusted Sites window.

6. In the Add this website to the zone: box, type https://res-adrms.resource.fabrikam.net, and then click Add.

7. Click Close.

8. From the Internet Options screen, click OK.

9. Close Internet Explorer.

See Also

Implementing the Procedures in this Document

Step 19 - Enable Rights Management Scheduled Task on RES-CLT1

This step explains how to enable the rights management scheduled task, which is disabled by default on the Windows 7 client.

To enable the rights management scheduled task

1. Log on to RES-CLT1 as resource\Administrator.

2. Click Start, and then click Control Panel.

3. Click System and Security.

4. Click Administrative Tools, and then double-click Task Scheduler.

Note

If you do not see Administrative Tools, switch to Classic View.

5. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

6. Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click Active Directory Rights Management Services Client.

7. Right-click AD RMS Rights Policy Template Management (Automated), and then click Enable.

8. Close Task Scheduler.

See Also

Implementing the Procedures in this Document

Step 20 - Add AdminTemplatePath Registry Key and Trusted Sites on RES-CLT1

This step explains how to add the AdminTemplatePath registry key for the user Lola Jacobson. Also, we will be adding the AD RMS URL to the Trusted Sites of Lola Jacobson’s instance of Internet Explorer.

To add the AdminTemplatePath registry key

1. Log on to RES-CLT1 as resource\ljacobson.

2. Click Start, type regedit.exe in the Search programs and files box, and then press ENTER.

3. Expand the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM

Note

If DRM was not already created as a part of the key, you must create it manually.

4. Right-click DRM, click New, and then click Expandable String Value.

5. In the Value name box, type AdminTemplatePath, and then press ENTER.

Note

If AdminTemplatePath already exists, simply modify it to match the entry below.

6. Double-click the AdminTemplatePath registry value and type %LocalAppData%\Microsoft\DRM\Templates in the Value data box, and then click OK.

7. Close Registry Editor.
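Because these settings live under HKEY_CURRENT_USER, they have to be repeated for every user of a client (Steps 18 and 20). The following PowerShell is an added example, not part of the whitepaper, that writes the same AdminTemplatePath value as an expandable string and adds the AD RMS URL to the Trusted Sites zone through its registry equivalent (ZoneMap, zone 2 = Trusted sites, https scheme only), then reads both back. It assumes Office 12.0 as on the page and must be run in the profile of the user being configured; the function names are my own.

```powershell
# Added example, not from the whitepaper: per-user AD RMS client settings from
# Steps 18 and 20, set and verified without regedit. Run as the user being
# configured (for example resource\ljacobson on RES-CLT1); the values are HKCU-only.
# Assumptions: Office 12.0 key as on the page; Trusted Sites entry written as the
# ZoneMap equivalent of the Internet Options dialog. Function names are my own.
$DrmKey       = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$TemplatePath = '%LocalAppData%\Microsoft\DRM\Templates'
# IE stores zone assignments as Domains\<registrable domain>\<host part>, value = scheme
$ZoneKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fabrikam.net\res-adrms.resource'
$TrustedZone  = 2   # 2 = Trusted sites zone

function Set-AdRmsClientSettings {
    if (-not (Test-Path $DrmKey)) { New-Item -Path $DrmKey -Force | Out-Null }
    # REG_EXPAND_SZ (Expandable String Value) so %LocalAppData% is expanded per user
    New-ItemProperty -Path $DrmKey -Name 'AdminTemplatePath' -Value $TemplatePath `
        -PropertyType ExpandString -Force | Out-Null

    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    # Trust only the https scheme; the AD RMS cluster URL on the page is HTTPS
    New-ItemProperty -Path $ZoneKey -Name 'https' -Value $TrustedZone `
        -PropertyType DWord -Force | Out-Null
}

function Test-AdRmsClientSettings {
    # Read the raw (unexpanded) value so we can confirm it is stored as %LocalAppData%...
    $raw = (Get-Item $DrmKey).GetValue('AdminTemplatePath', $null, 'DoNotExpandEnvironmentNames')
    $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw)
    $zone = (Get-ItemProperty -Path $ZoneKey -Name 'https' -ErrorAction SilentlyContinue).https
    [pscustomobject]@{
        AdminTemplatePath    = $raw
        ExpandedPath         = $expanded
        # The folder is populated by the scheduled task enabled in Steps 17 and 19,
        # so it may not exist until that task has run once.
        TemplateFolderExists = Test-Path $expanded
        TrustedSiteZone      = $zone
        Ok                   = ($raw -eq $TemplatePath) -and ($zone -eq $TrustedZone)
    }
}

Set-AdRmsClientSettings
Test-AdRmsClientSettings | Format-List
```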


Add the AD RMS URL to Trusted Sites

The following steps show you how to add the AD RMS URL to trusted sites in Internet Explorer.

To add the AD RMS URL

1. Log on to RES-CLT1 as resource\ljacobson.

2. Click Start, click All Programs and select Internet Explorer.

3. Once Internet Explorer opens, in the top right corner, select Tools and click Internet Options from the drop-down. This will bring up the Internet Options window.

4. From the Internet Options screen, click the Security tab, and select Trusted Sites from the Select a zone to view or change security settings box.

5. Click the Sites button. This will bring up a Trusted Sites window.

6. In the Add this website to the zone: box, type https://res-adrms.resource.fabrikam.net, and click Add.

7. Click Close.

8. From the Internet Options screen, click OK.

9. Close Internet Explorer.

See Also

Implementing the Procedures in this Document

Testing the Implementation

The steps in this section explain how to test the implementation of the previous section. Once you complete these steps, AD RMS should be working in the resource forest and users from the accounts forest should be able to log on in order to create and consume protected e-mail content. Subsequent sections will show how to automate this solution.

This section includes the following steps:

Step 1 - Run ACCOUNT MA Full Import

Step 2 - Run RESOURCE MA Full Import

Step 3 - Run ACCOUNT MA Full Synch

Step 4 - Run RESOURCE MA Export

Step 5 - Run RESOURCE MA Delta Import

Step 6 - Use Active Directory Migration Tool to Migrate a Test User

Step 7 - Use Exchange System Manager to Create Linked Mailbox

Step 8 - Add Users to Groups

Step 9 - Run RESOURCE MA Delta Import

Step 10 - Run RESOURCE MA Full Synch

Step 11 - Run ACCOUNT MA Export

Step 12 - Run ACCOUNT MA Delta Import

Step 13 - Create Protected E-mail Content on RES-CLT1

Step 14 - Consume Protected E-mail Content on ACC-CLT1

Step 15 - Create Protected E-mail Content on ACC-CLT1

Step 16 - Consume Protected E-mail Content on RES-CLT1

See Also

AD RMS Deployment in a Resource Forest Step-by-Step Guide

Prerequisites for AD RMS Deployment in a Resource Forest

Implementing the Procedures in this Document

Automating the Implementation

Step 1 - Run ACCOUNT MA Full Import

In this step we will be initializing the Identity Lifecycle Manager 2007 environment by running a full import on the ACCOUNT management agent.

Running ACCOUNT Management Agent Full Import

The following steps show how to run a full import on the ACCOUNT management agent.

To run a full import on the ACCOUNT MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.

3. In Identity Manager, go to the top and select Management Agents.

4. Under Management Agents, select ACCOUNT and on the right, under Actions, click Run. This will bring up the Run Management Agent window.

5. On the Run Management Agent window, select FI and click OK.

6. In the lower right, verify the status is Success.

7. Close Identity Manager.

Step 2 - Run RESOURCE MA Full Import

In this step we will be initializing the Identity Lifecycle Manager 2007 environment by running a full import on the RESOURCE management agent.

Running RESOURCE Management Agent Full Import

The following steps show how to run a full import on the RESOURCE management agent.

To run a full import on the RESOURCE MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.

3. In Identity Manager, go to the top and select Management Agents.

4. Under Management Agents, select RESOURCE and on the right, under Actions, click Run. This will bring up the Run Management Agent window.

5. On the Run Management Agent window, select FI and click OK.

6. In the lower right, verify the status is Success.

7. Close Identity Manager.

Step 3 - Run ACCOUNT MA Full Synch

In this step we will be populating the metaverse and provisioning the users from the accounts forest into the resource forest.

Running ACCOUNT Management Agent Full Synchronization

The following steps show how to run a full synchronization on the ACCOUNT management agent.

To run a full synch on the ACCOUNT MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.

3. In Identity Manager, go to the top and select Management Agents.

4. Under Management Agents, select ACCOUNT and on the right, under Actions, click Run. This will bring up the Run Management Agent window.

5. On the Run Management Agent window, select FS and click OK.

6. In the lower right, verify the status is Success.

7. Close Identity Manager.

Step 4 - Run RESOURCE MA Export

In this step we will be exporting the newly provisioned users into the resource forest. This step will create the new disabled users in the resource forest.

Running RESOURCE Management Agent Export

The following steps show how to run an export on the RESOURCE management agent.

To run an export on the RESOURCE MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.

3. In Identity Manager, go to the top and select Management Agents.

4. Under Management Agents, select RESOURCE and on the right, under Actions, click Run. This will bring up the Run Management Agent window.

5. On the Run Management Agent window, select E and click OK.

6. In the lower right, verify the status is Success.

7. Close Identity Manager.

Step 5 - Run RESOURCE MA Delta Import

In this step we will be confirming the export to the resource forest environment by running a delta import on the RESOURCE management agent.

Running RESOURCE Management Agent Delta Import

The following steps show how to run a delta import on the RESOURCE management agent.

To run a delta import on the RESOURCE MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click Identity Manager.

3. In Identity Manager, go to the top and select Management Agents.

4. Under Management Agents, select RESOURCE and on the right, under Actions, click Run. This will bring up the Run Management Agent window.

5. On the Run Management Agent window, select DI and click OK.

6. In the lower right, verify the status is Success.

7. Close Identity Manager.

Step 6 - Use Active Directory Migration Tool to Migrate a Test User

In this step we use ADMT to migrate a test user. The user has already been created in the previous steps. This step is done in order to migrate the accounts forest user's SID.

Using ADMT to Migrate a Test User

The following steps show how to use ADMT to migrate a test user.

To migrate a test user using ADMT

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, click Administrative Tools, and click Active Directory Migration Tool. This will bring up ADMT.

3. At the top, in the left pane, right-click Active Directory Migration Tool, and select User Account Migration Wizard. This will launch the User Account Migration Wizard.

4. On the Welcome to the User Account Migration Wizard screen, click Next.

5. On the Domain Selection screen, under Source for Domain enter corp.fabrikam.com.

6. On the Domain Selection screen, under Source for Domain controller enter ACC-DC.corp.fabrikam.com.

7. On the Domain Selection screen, under Target for Domain enter resource.fabrikam.net.

8. On the Domain Selection screen, under Target for Domain controller enter RES-DC.resource.fabrikam.net. Click Next.

9. On the User Selection Option screen, leave the radio button selected for Select users from domain. Click Next.

10. On the User Selection screen, click Add. This will bring up the Select Users dialog box.

11. On the Select Users dialog box, under Enter the object names to select, enter Britta

Simon and click Check Names. Once that has resolved and is underlined, click OK.

This will close the Select Users dialog box.

12. On the User Selection screen, click Next.

13. On the Organizational Unit Selection screen, next to the box for Target OU, click

Browse. This will bring up the Browse for Container dialog box.

14. On the Browse for Container dialog box, select ResourceForestUsers. Click OK. This

will close the Browse for Container dialog box.

15. On the Organizational Unit Selection screen, click Next.

16. On the Password Options screen, leave the defaults and click Next.

17. On the Account Transition Options screen, under Target Account State, select

Disable target accounts.

18. On the Account Transition Options screen, place a check in Migrate user SIDs to

target domain. Click Next.

19. On the User Account screen, under User name: enter Administrator.

20. On the User Account screen, under Password enter Pass1word!.

21. On the User Account screen, under Domain enter CORP.

22. On the User Account screen, click Next.

23. On the User Options screen, leave the defaults and click Next.

24. On the Object Property Exclusion screen, leave the defaults and click Next.

25. On the Conflict Management screen, select Migrate and merge conflicting objects.

Click Next.

26. On the Completing the User Account Migration Wizard screen, review the summary

and click Finish. This will launch the Migration Progress window.

27. On the Migration Progress screen, verify the Status: is Completed, that under Users it

reports 1 for Examined and it reports 1 for Copied.

28. On the Migration Progress screen, click Close.

29. Close Active Directory Migration Tool.
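The two ADMT options that matter for the rest of this solution are Migrate user SIDs to target domain and Disable target accounts: the migrated account is only useful if its sIDHistory carries the account-forest SID, and a linked mailbox expects the resource-forest account to stay disabled. The following script is an added example, not part of the whitepaper, that verifies both properties after the wizard completes. It assumes the Active Directory PowerShell module on RES-DC and an account that can read both forests across the trust; the host names and the bsimon logon name are those used in the walkthrough.

```powershell
# Added example (not from the whitepaper): verify the ADMT migration of one test user.
# Assumes the Active Directory module (Windows Server 2008 R2) and read access to both forests.
Import-Module ActiveDirectory

$sourceDc = 'ACC-DC.corp.fabrikam.com'       # account forest DC (from the ADMT wizard)
$targetDc = 'RES-DC.resource.fabrikam.net'   # resource forest DC (from the ADMT wizard)
$sam      = 'bsimon'                         # user logon name of Britta Simon

$src = Get-ADUser -Identity $sam -Server $sourceDc
$dst = Get-ADUser -Identity $sam -Server $targetDc -Properties sIDHistory

# 1. "Migrate user SIDs to target domain": the source SID must be in the target's sIDHistory.
$sidHistory = @($dst.sIDHistory | ForEach-Object { $_.Value })
if ($sidHistory -notcontains $src.SID.Value) {
    throw "sIDHistory of $sam on $targetDc does not contain source SID $($src.SID.Value)"
}

# 2. "Disable target accounts": the resource-forest copy must stay disabled so the only
#    logon that works is the account-forest identity behind the linked mailbox.
if ($dst.Enabled) {
    throw "$sam is enabled in the resource forest; ADMT should have left it disabled"
}

"{0}: sIDHistory contains {1}; target account disabled" -f $sam, $src.SID.Value
```

Run it on RES-DC as Administrator after step 28 of the wizard; a throw means the migration did not produce the state the later steps rely on and should be repeated before creating the mailbox.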

Step 7 - Use Exchange Management Console to Create a Linked Mailbox

In this step we use the Exchange Management Console to create a linked mailbox for the user we just migrated. A linked mailbox is a mailbox in the resource forest that is associated with an external user account, here the account in corp.fabrikam.com; the disabled resource-forest account only owns the mailbox.


Using Exchange Management Console to Create a Linked Mailbox

The following steps show how to use Exchange Management Console to create a linked mailbox.

To create a linked mailbox

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft Exchange Server 2007, and click

Exchange Management Console.

3. In the Exchange Management Console, expand Recipient Configuration, and click

Mailbox.

4. On the right, in the Actions pane, click New Mailbox to start the New Mailbox wizard.

5. On the Introduction screen, select Linked Mailbox and click Next.

6. On the User Type screen, select Existing users and click Browse. This will bring up the

Select User – resource.fabrikam.net dialog box.

7. On the Select User – resource.fabrikam.net screen, select Britta Simon and click OK.

This will close the Select User – resource.fabrikam.net dialog box.

8. On the User Type screen, click Next.

9. On the Mailbox Settings screen, under Alias enter bsimon.

10. On the Mailbox Settings screen, under Mailbox database click Browse. This will bring

up the Select Mailbox Database screen.

11. On the Select Mailbox Database screen, select the database that appears and click OK. This will close the Select Mailbox Database screen.

12. On the Mailbox Settings screen, click Next.

13. On the Master Account screen, under Trusted forest or domain click Browse. This

will bring up the Select Trusted Forest or Domain dialog box.

14. On the Select Trusted Forest or Domain screen, select corp.fabrikam.com and click

OK. This will close the Select Trusted Forest or Domain dialog box.

15. On the Master Account screen, under Linked domain controller click Browse. This

will bring up the Select Global Catalog dialog box.

16. On the Select Global Catalog screen, select ACC-DC.corp.fabrikam.com and click

OK. This will close the Select Global Catalog dialog box.

17. On the Master Account screen, under Linked master account click Browse. This will

bring up the Select User dialog box.

18. On the Select User screen, select Britta Simon and click OK. This will close the Select

User dialog box.

19. On the Master Account screen, click Next.

20. On the New Mailbox screen, review the summary and click New.


21. On the Completion screen, verify that it was successful and click Finish.

22. Close Exchange Management Console.
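The same linked mailbox can be created from the Exchange Management Shell, which is easier to repeat for the remaining test users and lets you check the result. The following script is an added example and is not part of the whitepaper. It assumes the shell runs on RES-DC, that the account already exists in the resource forest (so Enable-Mailbox rather than New-Mailbox is used), and that the single mailbox database offered in step 11 can be discovered with Get-MailboxDatabase; the CORP\Administrator credential and the other names are those used in the console walkthrough.

```powershell
# Added example (not from the whitepaper): create and verify the linked mailbox from the
# Exchange 2007 Management Shell. Assumes the database name is not known in advance.
$db = Get-MailboxDatabase | Select-Object -First 1
if (-not $db) { throw 'No mailbox database found on this server' }

# Credential in the account forest used to look up the master account (CORP\Administrator in the walkthrough).
$linkedCred = Get-Credential -Credential 'CORP\Administrator'

# The resource-forest user was created by ADMT in Step 6, so we mailbox-enable it
# rather than creating a new user object.
Enable-Mailbox -Identity 'Britta Simon' `
    -Alias 'bsimon' `
    -Database $db `
    -LinkedMasterAccount 'CORP\bsimon' `
    -LinkedDomainController 'ACC-DC.corp.fabrikam.com' `
    -LinkedCredential $linkedCred

# Verify: the mailbox must be a linked mailbox and point at the account-forest user.
$mbx = Get-Mailbox -Identity 'bsimon'
if ($mbx.RecipientTypeDetails -ne 'LinkedMailbox') {
    throw "bsimon is a $($mbx.RecipientTypeDetails), not a LinkedMailbox"
}
if (-not $mbx.LinkedMasterAccount) {
    throw 'LinkedMasterAccount is empty; the mailbox is not linked to the corp account'
}
"{0} -> {1} (database {2})" -f $mbx.Alias, $mbx.LinkedMasterAccount, $mbx.Database
```

The Enable-Mailbox parameters used here are the linked-mailbox parameter set of Exchange 2007; confirm them with Get-Help Enable-Mailbox -Parameter Linked* on your own server before relying on the script.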

Step 8 - Add Users to Groups

In this step we will be adding the users in the resource forest to specific security groups.

Add Test Users to Test Groups

This section lists the steps for adding our test users to our test groups.

Table: Account Summary

First Name   Last Name   User logon name   Member of
Britta       Simon       bsimon            All FTE
Lola         Jacobson    ljacobson         All FTE
Nicole       Holliday    nholliday         All FTE
Limo         Henig       lhenig            All Contractors

To add test user accounts to test groups

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, select Administrative Tools, and click Active Directory Users and

Computers.

3. Expand resource.fabrikam.net, select ResourceForestUsers, right-click Britta Simon,

and select Properties. This will bring up the Britta Simon Properties window.

4. On the Member of tab, click Add. This will bring up the Select Groups dialog box.

5. On the Select Groups dialog box, under Enter the object names to select (examples)

box, enter All FTE and click Check Names. This should resolve with an underline.

6. Click OK. This will close the Select Groups dialog box.

7. On the Britta Simon Properties window, click Apply.

8. Click OK. This will close the Britta Simon Properties window.

9. Repeat these steps for all of the accounts listed in the Account Summary table,

substituting the appropriate Member of value.

10. Close Active Directory Users and Computers.
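Repeating the Active Directory Users and Computers steps for each row of the Account Summary table is error-prone; the following script, an added example that is not part of the whitepaper, applies the whole table and then verifies every membership. It assumes the Active Directory module on RES-DC and that the groups All FTE and All Contractors already exist in the resource forest (the page does not show their creation); the logon names and group names are those in the table.

```powershell
# Added example (not from the whitepaper): apply the Account Summary table and verify it.
Import-Module ActiveDirectory
$server = 'RES-DC.resource.fabrikam.net'

# Logon name -> group, exactly as listed in the Account Summary table.
$members = @{
    'bsimon'    = 'All FTE'
    'ljacobson' = 'All FTE'
    'nholliday' = 'All FTE'
    'lhenig'    = 'All Contractors'
}

foreach ($sam in $members.Keys) {
    $groupName = $members[$sam]
    # Look the group up by display name, as Check Names does in the console.
    $group = Get-ADGroup -LDAPFilter "(name=$groupName)" -Server $server
    if (-not $group) { throw "Group '$groupName' not found in the resource forest" }

    $user = Get-ADUser -Identity $sam -Server $server -Properties memberOf
    # Idempotent: only add when the user is not already a member, so the script can be re-run.
    if ($user.memberOf -notcontains $group.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $user -Server $server
    }
}

# Verification pass: read memberOf back and fail loudly on any mismatch.
foreach ($sam in $members.Keys) {
    $groupName = $members[$sam]
    $group = Get-ADGroup -LDAPFilter "(name=$groupName)" -Server $server
    $user  = Get-ADUser -Identity $sam -Server $server -Properties memberOf
    if ($user.memberOf -notcontains $group.DistinguishedName) {
        throw "$sam is not a member of $groupName"
    }
    "{0,-10} member of {1}" -f $sam, $groupName
}
```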


Step 9 - Run RESOURCE MA Delta Import

In this step we will be importing the resource users' mail attribute into the Identity Lifecycle Manager 2007 FP1 connector space. This attribute was newly populated in Step 7 when we created the linked mailbox.

Running RESOURCE Management Agent Delta Import

The following steps show how to run a delta import on the RESOURCE management agent.

To run a delta import on the RESOURCE MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click

Identity Manager.

3. In Identity Manager, go to the top and select Management Agents.

4. Under Management Agents, select RESOURCE and on the right, under Actions, click

Run. This will bring up the Run Management Agent window.

5. On the Run Management Agent window, select DI and click OK.

6. In the lower right, verify the status is Success.

7. Close Identity Manager.

Step 10 - Run RESOURCE MA Full Synch

In this step we will be populating the metaverse with the newly imported mail attribute.

Running RESOURCE Management Agent Full Synchronization

The following steps show how to run a full synchronization on the RESOURCE management agent. A full synchronization is run rather than a delta synchronization because no synchronization has yet been run on this management agent.

To run a full synch on the RESOURCE MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click

Identity Manager.


3. In Identity Manager, go to the top and select Management Agents.

4. Under Management Agents, select RESOURCE and on the right, under Actions, click

Run. This will bring up the Run Management Agent window.

5. On the Run Management Agent window, select FS and click OK.

6. In the lower right, verify the status is Success.

7. Close Identity Manager.

Step 11 - Run ACCOUNT MA Export

In this step we will be exporting the mail attribute. This populates the mail attribute of the users in the ACCOUNT forest.

Running ACCOUNT Management Agent Export

The following steps show how to run an export on the ACCOUNT management agent.

To run an export on the ACCOUNT MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click

Identity Manager.

3. In Identity Manager, go to the top and select Management Agents.

4. Under Management Agents, select ACCOUNT and on the right, under Actions, click

Run. This will bring up the Run Management Agent window.

5. On the Run Management Agent window, select E and click OK.

6. In the lower right, verify the status is Success.

7. Close Identity Manager.

Step 12 - Run ACCOUNT MA Delta Import

In this step we will be confirming the export of the mail attribute by importing it back from the ACCOUNT forest.

Running ACCOUNT Management Agent Delta Import

The following steps show how to run a delta import on the ACCOUNT management agent.

To run a delta import on the ACCOUNT MA

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click

Identity Manager.

3. In Identity Manager, go to the top and select Management Agents.

4. Under Management Agents, select ACCOUNT and on the right, under Actions, click

Run. This will bring up the Run Management Agent window.

5. On the Run Management Agent window, select DI and click OK.

6. In the lower right, verify the status is Success.

7. Close Identity Manager.
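Steps 9 to 12 are one ordered sequence of management agent runs, and each must finish with Success before the next is worthwhile. The following script is an added example, not part of the whitepaper, that drives the same four run profiles through the ILM 2007 FP1 WMI provider and stops at the first run that does not report success. It assumes it runs on RES-DC as a member of the ILM administrators group; the management agent names (RESOURCE, ACCOUNT) and run profile names (DI, FS, E) are the ones used in the text.

```powershell
# Added example (not from the whitepaper): run the Step 9-12 sequence via the
# MIIS/ILM WMI provider (MIIS_ManagementAgent.Execute) and check each return value.
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Invoke-MARun {
    param([string]$MaName, [string]$RunProfile)
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found" }
    # Execute() blocks until the run finishes and returns the run status string.
    $result = $ma.Execute($RunProfile).ReturnValue
    "{0,-9} {1,-3} {2}" -f $MaName, $RunProfile, $result
    if ($result -ne 'success') {
        throw "Run profile $RunProfile on $MaName returned '$result'; check Operations in Identity Manager"
    }
}

# Order matters: stage the mail attribute (DI) and synchronize it into the metaverse (FS)
# on RESOURCE before ACCOUNT exports it (E); the final delta import (DI) confirms the export.
Invoke-MARun -MaName 'RESOURCE' -RunProfile 'DI'
Invoke-MARun -MaName 'RESOURCE' -RunProfile 'FS'
Invoke-MARun -MaName 'ACCOUNT'  -RunProfile 'E'
Invoke-MARun -MaName 'ACCOUNT'  -RunProfile 'DI'
```

The same provider is what the Automating the Implementation section builds on, so a failure here (for example completed-export-errors on the ACCOUNT export) shows up before any automation is wired to it.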

Step 13 - Create Protected E-mail Content on RES-CLT1

In this step you will log on to the client computer and create a protected e-mail message.

To create a protected e-mail message

1. Log on to RES-CLT1.resource.fabrikam.net as Lola Jacobson.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Outlook 2007. This will bring up the Add New E-mail Account wizard.

3. The Auto Account Setup screen should contain Lola Jacobson’s information. Click

Next.

4. On the Choose E-mail Service screen, select the radio button next to Microsoft

Exchange. Click Next.

5. On the Congratulations! screen, click Finish. This will start Microsoft Office Outlook

2007.

6. Inside Outlook, at the top select New. This will display a new e-mail window.

7. On the e-mail screen, click To. This will bring up the Select Names: Global Address

List screen.

8. On the Select Names: Global Address List screen, select All Staff, click To and then

click OK. This will close the Select Names: Global Address List screen.

9. On the e-mail screen, next to Subject, enter Test e-mail.

10. On the e-mail screen, in the main box, after Subject, enter This is a rights protected

test e-mail.

11. On the e-mail screen, in the upper-left corner, click the Office icon button. This will reveal

a drop-down menu.

12. From the drop-down, select Permission, and then Fabrikam Confidential.


Note

If you do not see Fabrikam Confidential, verify that the template has been copied and resides in C:\Users\ljacobson\AppData\Local\Microsoft\DRM\Templates. If it does not, you can manually copy the templates from \\res-adrms\ADRMSPublic into that Templates folder.

13. This may display a Select User screen that says: Select one of the following user

accounts to create or open content with restricted permission. To use an account

not listed below, click Add. If this window appears, select

[email protected] and then click OK.

14. This will display a Security Alert screen that says This page requires a secure

connection which includes server authentication. The Certificate issuer for this

site is untrusted or unknown. Do you wish to proceed? Click View Certificate. This

will bring up the certificate.

15. On the certificate, click Install Certificate. This will start the Welcome to the Certificate

Import Wizard. Click Next.

16. On the Certificate Store screen, leave Automatically select the certificate store

based on the type of certificate selected and then click Next.

17. On the Completing the Certificate Import Wizard screen, review the summary and

then click Finish. This should display a dialog box that reports The import was

successful. Click OK.

18. On the certificate, click OK. This will close the certificate.

19. On the Security Alert screen, click Yes.

20. This will display a credential box that has the header Connect to res-

dc.resource.fabrikam.net. For User Name enter ljacobson. For password enter

Pass1word!. Click OK.

21. At this point, you should notice the following at the top of your e-mail: Fabrikam

Confidential. Click Send.

Step 14 - Consume Protected E-mail Content on ACC-CLT1

In this step, you will log on to a client computer and attempt to read the e-mail message that was sent in the previous step.

To consume a protected e-mail message

1. Log on to ACC-CLT1.corp.fabrikam.com as Britta Simon.


2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Outlook 2007. This will bring up the Add New E-mail Account wizard.

3. On the E-mail Accounts screen, under You can configure Outlook to connect to

Internet E-mail, Microsoft Exchange, or other E-mail server. Would you like to

configure an E-mail account? Select Yes and then click Next.

4. On the Auto Account Setup screen, place a check in Manually configure server

settings or additional server types. Click Next.

5. On the Choose E-mail Service screen, select the radio button next to Microsoft

Exchange. Click Next.

6. On the Microsoft Exchange Settings screen, next to Microsoft Exchange Server,

enter RES-DC.resource.fabrikam.net.

7. On the Microsoft Exchange Settings screen, next to User Name, enter Britta Simon.

Click Check Name. This should resolve with an underline.

8. On the Microsoft Exchange Settings screen, click Next.

9. On the Congratulations! screen, click Finish. This will start Microsoft Office Outlook

2007.

10. In Outlook, there should be an e-mail in Britta Simon’s inbox. This is the e-mail that was

sent in the previous step. Click it.

11. This will display a Security Alert screen that says This page requires a secure connection which includes server authentication. The Certificate issuer for this site is untrusted or unknown. Do you wish to proceed? Click View Certificate. This will bring up the certificate.

12. On the certificate, click Install Certificate. This will start the Welcome to the Certificate Import Wizard. Click Next.

13. On the Certificate Store screen, leave Automatically select the certificate store based on the type of certificate selected and then click Next.

14. On the Completing the Certificate Import Wizard screen, review the summary and then click Finish. This should display a dialog box that reports The import was successful. Click OK.

15. On the certificate, click OK. This will close the certificate.

16. On the Security Alert screen, click Yes.

17. This will display a credential box that has the header Connect to res-adrms.resource.fabrikam.net. For User Name enter corp\bsimon. For password enter Pass1word!. Click OK.

18. At this point, the e-mail should open and you should be able to view the contents.

20. At this point, the e-mail should open and you should be able to view the contents.


Note

A user will not have to install the certificate every time that they attempt to create or consume a piece of e-mail. This only has to be done the first time. The user will be prompted for credentials every time. This is because the AD RMS Prelicensing Agent is not supported in this configuration.

Step 15 - Create Protected E-mail Content on ACC-CLT1

In this step you log on to the client computer and create a protected e-mail message.

To create a protected e-mail message

1. Log on to ACC-CLT1.corp.fabrikam.com as Britta Simon.

2. Click Start, select All Programs, click Microsoft Office, and then select Microsoft

Office Outlook 2007.

3. Inside Outlook, at the top select New. This will display a new e-mail window.

4. On the e-mail screen, click To. This will bring up the Select Names: Global Address

List screen.

5. On the Select Names: Global Address List screen, select All Staff, click To and then

click OK. This will close the Select Names: Global Address List screen.

6. On the e-mail screen, next to Subject, enter Another test e-mail.

7. On the e-mail screen, in the main box, after Subject, enter This is a rights protected

test e-mail.

8. On the e-mail screen, in the upper-left corner, click the Office icon button. This will reveal

a drop-down menu.

9. From the drop-down, select Permission, and then select Fabrikam Confidential.

Note

If you do not see Fabrikam Confidential, verify that the template has been copied over and resides in C:\Users\bsimon\AppData\Local\Microsoft\DRM\Templates (the profile of the user logged on to this client). If it does not, you can manually copy the templates from \\res-adrms\ADRMSPublic into that Templates folder.

10. This will display a Security Alert screen that says This page requires a secure

connection which includes server authentication. The Certificate issuer for this

site is untrusted or unknown. Do you wish to proceed? Click Yes.

11. This will display a credential box that has the header Connect to res-

dc.resource.fabrikam.net. For User Name enter corp\bsimon. For password enter

Pass1word!. Click OK.


12. At this point, you should notice that at the top of your e-mail is the following: Fabrikam

Confidential. Click Send.

Step 16 - Consume Protected E-mail Content on RES-CLT1

In this step, you will log on to a client computer and attempt to read the e-mail message that was sent in the previous step.

To consume a protected e-mail message

1. Log on to RES-CLT1.resource.fabrikam.net as Lola Jacobson.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Outlook 2007.

3. In Outlook, there should be an e-mail in Lola Jacobson’s inbox from Britta Simon. This is

the e-mail that was sent in the previous step. Double-click it.

4. This will display a Security Alert screen that says This page requires a secure

connection which includes server authentication. The Certificate issuer for this

site is untrusted or unknown. Do you wish to proceed? Click Yes.

5. This will display a credential box that has the header Connect to res-

adrms.resource.fabrikam.net. For User Name enter resource\ljacobson. For

password enter Pass1word!. Click OK.

6. At this point, the e-mail should open and you should be able to view the contents.

Note

A user will not have to install the certificate every time that they attempt to create or consume a piece of e-mail. This only has to be done the first time. The user will be prompted for credentials every time. This is because the AD RMS Prelicensing Agent is not supported in this configuration.
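Steps 13 to 16 have each user click through the Security Alert and install the AD RMS server certificate from the dialog. In a lab that is acceptable; in production the issuing CA should be trusted by the machine (typically distributed through Group Policy) before users ever see the prompt, and a warning that appears anyway should be diagnosed rather than accepted, because the same dialog is what a man-in-the-middle presenting a self-signed certificate would produce. The following script is an added example, not part of the whitepaper, that retrieves the certificate presented by the cluster's licensing pipeline and reports whether it chains to a trusted root on the client. It assumes the standard AD RMS pipeline path /_wmcs/licensing on the lab's res-adrms host and PowerShell 2.0 or later on the client.

```powershell
# Added example (not from the whitepaper): capture the TLS certificate presented by the
# AD RMS licensing URL and evaluate trust on this client, without clicking through anything.
$url = 'https://res-adrms.resource.fabrikam.net/_wmcs/licensing'

$script:serverCert = $null
# The callback only records the certificate; returning $true here lets the handshake
# finish so we can inspect it. Trust is evaluated separately below, never by this callback.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    $script:serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
    return $true
}
try {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method = 'HEAD'
    # Any HTTP status (401, 404, ...) is fine: only the TLS handshake is of interest.
    try { $req.GetResponse().Close() } catch [System.Net.WebException] { }
}
finally {
    # Always restore default validation so nothing else in the session runs with it disabled.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

if (-not $script:serverCert) { throw "No certificate captured from $url" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab CA has no reachable CRL; enable in production
$trusted = $chain.Build($script:serverCert)

"Subject : " + $script:serverCert.Subject
"Issuer  : " + $script:serverCert.Issuer
"Expires : " + $script:serverCert.NotAfter
"Trusted : " + $trusted
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { "  " + $_.Status + " - " + $_.StatusInformation.Trim() }
    # Remedy: trust the issuing CA (not the leaf certificate) for the whole machine, e.g.
    #   certutil -addstore -f Root <issuing-ca.cer>
    # or, preferably, publish it through Group Policy so no user sees the Security Alert.
}
```

If the report shows a subject name that does not match res-adrms.resource.fabrikam.net, or an issuer you do not recognise, stop and investigate before anyone enters credentials into the Connect to dialog that follows the alert.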

Automating the Implementation

In this section you can add an additional database and management agent, which are required to

automate the solution. The database and management agent will keep track of all the users who

have had their sIDHistory attribute populated. This will enable ADMT to be run only on the users

who have not had this attribute populated.

This section includes the following steps:

Step 1 – Uncomment and rebuild MV Extension Code


Step 2 - Create UserSidTracking Database

Step 3 - Create Users Table

Step 4 - Create SQL Management Agent

Step 5 - Create SQL Management Agent Run Profiles

Step 6 - Create the SQL Rules Extension

Step 7 - Create the Operations folder

Step 8 - Get the Management Agent GUIDs

Step 9 - Edit and Build Automation Application

See Also

AD RMS Deployment in a Resource Forest Step-by-Step Guide

Prerequisites for AD RMS Deployment in a Resource Forest

Implementing the Procedures in this Document

Testing the Implementation

Step 1 – Uncomment and rebuild MV Extension Code

In this step, you will be uncommenting a portion of the MVExtension code and recompiling it.

Uncomment and Recompile MVExtension

The following steps show how to uncomment and recompile the MVExtension.

To uncomment and recompile the MVExtension

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft Visual Studio 2008, and click Microsoft

Visual Studio 2008. This will open Microsoft Visual Studio 2008.

3. In Microsoft Visual Studio 2008, go to the top and select File, select New, and select

Project. This will bring up the New Project window.

4. Under Recent Projects double-click MVExtension. This will bring up the MVExtension

code in Visual Studio.

5. Scroll down to void IMVSynchronization.Provision(MVEntry mventry). In that method you should see the commented-out line // provisionToSQL(mventry).

6. Remove the // so that only provisionToSQL(mventry) remains.

7. In Visual Studio, at the top, select Build and then select Build Solution. Down at the

bottom, in the Output section, you should see Build: 1 succeeded or up-to-date, 0 failed, 0 skipped. Close Visual Studio.

Step 2 - Create UserSidTracking Database

In this step we will be creating the UserSidTracking database. This database is used to track the

users that have had their sIDHistory attribute successfully populated.

Creating the UserSidTracking Database

The following steps show how to create the UserSidTracking database.

To create the UserSidTracking database

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft SQL Server 2008, and click SQL Server

Management Studio.

3. On the Connect to Server dialog box, under Server Type: select Database Engine.

4. On the Connect to Server dialog box, under Server name: select RES-DC.

Note

Do not select RES-DC\MS_ADMT. That instance is used by the Active Directory Migration Tool. Select just RES-DC (the default instance).

5. On the Connect to Server dialog box, under Authentication: select Windows

Authentication.

6. Click Connect.

7. At the top, click New Query. This will bring up a new query pane in the center of

Microsoft SQL Server Management Studio.

8. Copy the code from Appendix A – UserSidTracking database and paste it into the center.

9. Click Execute. The pane will split and you will see the message Command(s) completed successfully.

10. Close Microsoft SQL Server Management Studio.

Step 3 - Create Users Table

In this step we will be creating the Users table in the UserSidTracking database. This table is

used to track the users that have had their sIDHistory attribute successfully populated.


Creating the Users Table

The following steps show how to create the Users table.

To create the Users table

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft SQL Server 2008, and click SQL Server

Management Studio.

3. On the Connect to Server dialog box, under Server Type: select Database Engine.

4. On the Connect to Server dialog box, under Server name: select RES-DC.

5. On the Connect to Server dialog box, under Authentication: select Windows

Authentication.

6. Click Connect.

7. At the top, click New Query. This will bring up a new query pane in the center of

Microsoft SQL Server Management Studio.

8. Copy the code from Appendix B – Users Table and paste it into the center.

9. Click Execute. The pane will split and you will see the message Command(s) completed successfully.

10. Close Microsoft SQL Server Management Studio.

Step 4 - Create SQL Management Agent

In this step we will be creating the ILM 2007 FP1 SQL management agent. This management

agent will be used with the SQL database we create to track which users have had their SIDs

successfully migrated. This database is used to build a list of users to run ADMT against. If the

flag in the database is set to No, then this user will be included in the list of users our automation

program will use.

Creating the SQL Management Agent

The following steps show how to create the SQL management agent.

To create the SQL management agent

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click

Identity Manager.

3. In Identity Manager, click the Management Agents button at the top.

4. In the Management Agents view, under Actions, click Create. This will bring up the Create Management Agent dialog box.

5. On the Create Management Agent dialog box, under Management Agent for, select

SQL Server. Under Name enter SQL and click Next.

6. On the Connect to Database dialog box, for Server enter RES-DC.

7. On the Connect to Database dialog box, for Database enter UserSidTracking.

8. On the Connect to Database dialog box, for Table enter Users.

9. On the Connect to Database dialog box, under Authentication mode, select Windows

integrated authentication.

10. On the Connect to Database dialog box, under User name enter Administrator.

11. On the Connect to Database dialog box, under Password enter Pass1word$.

12. On the Connect to Database dialog box, under Domain enter RESOURCE.

13. On the Connect to Database dialog box, click Next.

14. On the Configure Columns dialog box, click Set Anchor. This will bring up the Set

Anchor dialog box.

15. On the Set Anchor dialog box, under Available attributes, select EmpID and click Add.

This will add the EmpID to the Selected attributes column.

16. On the Set Anchor dialog box, Click OK. This will close the Set Anchor dialog box.

17. On the Configure Columns dialog box, click Next.

18. On the Configure Connector Filter dialog box, click Next.

19. On the Configure Join and Projection Rules dialog box, select person and click New

Join Rule. This will bring up the Join Rule for person dialog box.

20. On the Join Rule for person dialog box, under Data source attribute select EmpID.

21. On the Join Rule for person dialog box, under Mapping Type select Direct.

22. On the Join Rule for person dialog box, under Metaverse Object Type select person.

23. On the Join Rule for person dialog box, under Metaverse attribute select employeeID.

24. On the Join Rule for person dialog box, click Add Condition. If you see a dialog box

that says, You are attempting a join mapping with a non-indexed metaverse

attribute, you can safely ignore it and click OK.

25. On the Join Rule for person dialog box, click OK. This will close the Join Rule for

person dialog box.

26. On the Configure Join and Projection Rules dialog box, click Next.

27. On the Configure Attribute Flow dialog box, under Data source object type select

person.

28. On the Configure Attribute Flow dialog box, under Metaverse object type select

person.

29. On the Configure Attribute Flow dialog box, under Data source attribute select

FirstName.

30. On the Configure Attribute Flow dialog box, under Mapping Type select Direct.


31. On the Configure Attribute Flow dialog box, under Flow Direction select Export.

32. On the Configure Attribute Flow dialog box, under Metaverse attribute select

givenName.

33. On the Configure Attribute Flow dialog box, click New. This flow rule will appear

above. Repeat these steps for each attribute in the following table.

SQL MA Direct Attribute Flow

Data Source   Metaverse     Data Source         Mapping           Flow        Metaverse
Object Type   Object Type   Attribute           Type              Direction   Attribute
person        person        FirstName           Direct            Export      givenName
person        person        LastName            Direct            Export      sn
person        person        sIDHistoryPresent   Rules Extension   Export      sIDHistory

34. On the Configure Attribute Flow dialog box, under Data source object type select

person.

35. On the Configure Attribute Flow dialog box, under Metaverse object type select

person.

36. On the Configure Attribute Flow dialog box, under Data source attribute select

sIDHistoryPresent.

37. On the Configure Attribute Flow dialog box, under Mapping Type select Advanced.

38. On the Configure Attribute Flow dialog box, under Flow Direction select Export.

39. On the Configure Attribute Flow dialog box, under Metaverse attribute select

sIDHistory.

40. On the Configure Attribute Flow dialog box, click New. This will open the Advanced

Export Attribute Flow Options dialog box.

41. On the Advanced Export Attribute Flow Options dialog box, make sure the radio

button for Rule extension is selected.

42. On the Advanced Export Attribute Flow Options dialog box, next to Flow rule name:

clear what is in the box and enter SidHistory. Click OK. This will close the Advanced

Export Attribute Flow Options dialog box.

SQL MA Advanced Attribute Flow

Data Source   Metaverse     Data Source         Mapping    Flow        Metaverse
Object Type   Object Type   Attribute           Type       Direction   Attribute
person        person        sIDHistoryPresent   Advanced   Export      sIDHistory

43. On the Configure Attribute Flow dialog box, click Next.

44. On the Configure Deprovisioning dialog box, select Stage a delete on the object for

the next export run and click Next.

45. On the Configure Extensions dialog box, under Rules extension name: make sure

SQLExtension.dll is in the box and click Finish.

46. Close Identity Manager.

Step 5 - Create SQL Management Agent Run Profiles

In this step we will be creating the SQL management agent run profiles.

Creating the SQL Management Agent Run Profiles

The following steps show how to create the SQL MA run profiles.

To create the SQL management agent run profiles

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click

Identity Manager.

3. In Identity Manager, click the Management Agents button at the top.

4. In the Management Agents view, select SQL, then under Actions, click Configure Run Profiles. This will bring up the Configure Run Profiles for “SQL” dialog box.

5. On the Configure Run Profiles for “SQL” dialog box, click New Profile. This will bring

up the Configure Run Profile dialog box.

6. On the Profile Name screen, enter FI for Name. Click Next.

7. On the Configure Step screen, under Type, select Full Import (Stage Only). Click

Next.

8. On the Management Agent Configuration screen, click Finish. This will close the

Configure Run Profile dialog box.

9. On the Configure Run Profiles for “SQL” dialog box, click New Profile. This will bring

up the Configure Run Profile dialog box.

10. On the Profile Name screen, enter FS for Name. Click Next.

11. On the Configure Step screen, under Type, select Full Synchronization. Click Next.


12. On the Management Agent Configuration screen, click Finish. This will close the

Configure Run Profile dialog box.

13. On the Configure Run Profiles for “SQL” dialog box, click New Profile. This will bring

up the Configure Run Profile dialog box.

14. On the Profile Name screen, enter DS for Name. Click Next.

15. On the Configure Step screen, under Type, select Delta Synchronization. Click Next.

16. On the Management Agent Configuration screen, click Finish. This will close the

Configure Run Profile dialog box.

17. On the Configure Run Profiles for “SQL” dialog box, click New Profile. This will bring

up the Configure Run Profile dialog box.

18. On the Profile Name screen, enter E for Name. Click Next.

19. On the Configure Step screen, under Type, select Export. Click Next.

20. On the Management Agent Configuration screen, click Finish. This will close the

Configure Run Profile dialog box.

21. On the Configure Run Profiles for “SQL” dialog box, click Apply. Click OK. This will

close the Configure Run Profiles for “SQL” dialog box.

22. Close Identity Manager.

Step 6 - Create the SQL Rules Extension

In this step we will be creating the SQL Management Agent rules extension.

Creating the SQL Management Agent Rules Extension

The following steps show how to create the SQL MA rules extension.

To create the SQL MA rules extension

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft Identity Integration Server, and click

Identity Manager.

3. In Identity Manager, go to the top and select Management Agents.

4. On the Management Agents screen, click SQL and then select Create Extension

Projects from the right. This will bring up the Create Extension Project dialog box.

5. On the Create Extension Project dialog box, select Visual C# from the drop-down next

to Programming Language.


6. On the Create Extension Project dialog box, select Rules Extension from the drop-

down next to Project Type.

7. On the Create Extension Project dialog box, leave the default of SQLExtension next to

Project name.

8. On the Create Extension Project dialog box, leave the default for Project Location.

9. On the Create Extension Project dialog box, leave a check in Launch in VS.NET IDE.

10. On the Create Extension Project dialog box, click OK. This will launch Visual Studio.

Note

When this project opens the Visual Studio Conversion Wizard will start so

that it can convert the project to a Visual Studio 2008 version. Simply click

Next and then Finish. Then select Load this project normally. Then close

the conversion wizard.

11. In Visual Studio, under the Solution Explorer, double-click SQLExtension.cs.

12. Delete all of the code that appears in the large window on the left. Copy the code from

Appendix D – SQL MA Extension into this area.

13. In Visual Studio, at the top, select Build and then select Build Solution. Down at the

bottom, in the Output section, you should see Build: 1 succeeded or up-to-date, 0

failed, 0 skipped. Close Visual Studio. This will return you to the Options dialog box.

14. On the Management Agents screen, click SQL and then select Properties from the

right. This will bring up the Properties dialog box.

15. On the Properties screen, select Configure Extensions on the left and then ensure

SQLExtension.dll is specified in the Rules extension name box.

16. Close Properties.

17. Close Identity Manager.

Step 7 - Create the Operations folder

In this step we will be creating the Operations folder. This folder will be used as the container for the maguid.vbs script, which is used to obtain the management agent GUIDs, and for the automation application.

Creating the Operations Folder

The following steps show how to create the Operations folder.

To create the Operations Folder

1. Log on to RES-DC.resource.fabrikam.net as Administrator


2. Click Start, click Computer, and then double-click Local Disk (C:), double-click

Program Files, double-click Microsoft Identity Integration Server

3. Click File, point to New, and then click Folder.

4. Type Operations for the new folder, and then press ENTER.


Step 8 - Get the Management Agent GUIDs

In this step we will be retrieving the GUIDs for the Identity Lifecycle Manager FP 1 management

agents. The management agent GUIDs are required for our automation application. After

retrieving them we will be replacing the GUIDs that are in the automation application with the new

GUIDs that we get from this step.

Retrieving the ILM FP1 GUIDs

The following steps show how to get the management agent GUIDs.

To get the MA GUIDs

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, enter notepad in the Start Search box and hit enter. This will open a blank

text document.

3. Copy the script from Appendix G into the blank text document.

4. At the top, click File, select Save As, and for File name: enter maguid.vbs and for Save

as type:, select All Files. For location you can save this file in the Operations folder that

was already created.

5. On the Save As dialog box, click Browse Folders, on the left, click Computer then

double-click Local Disk (C:), double-click Program Files, double-click Microsoft

Identity Integration Server, double-click Operations, and click Save.

6. After saving the file, navigate to the Operations folder.

7. Double-click maguid.vbs. This will display the name of each management agent and the GUID associated with it. Write all 3 GUIDs down. They will be used in the next step.

Note

If you receive an 800A0408 error when attempting to run the script, you may

need to create it manually. This issue can arise from copying and pasting the

code into notepad.
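As an added example (not the paper's maguid.vbs from Appendix G and not the Automator code), the PowerShell below reads the same management agent names and GUIDs from the ILM WMI provider that the Automator application uses, and shows how one of the run profiles created in Step 5 can be started from a script. It assumes it runs on RES-DC as a member of the ILM administrators group (MIISAdmins); the function names are this example's own.

```powershell
# Added example, not from the paper. Assumes it runs on the ILM server (RES-DC)
# under an account that is a member of MIISAdmins, which the WMI provider requires.
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Get-MaGuid {
    # One object per management agent: Name, Guid and Type. The Guid column is the
    # value Step 8 asks you to write down and Step 9 pastes into Program.cs.
    Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent |
        Select-Object Name, Guid, Type
}

function Invoke-MaRunProfile {
    param(
        [Parameter(Mandatory)][string]$MaName,      # e.g. 'SQL'
        [Parameter(Mandatory)][string]$ProfileName  # e.g. 'FI', 'FS', 'DS' or 'E' from Step 5
    )
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name = '$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found in $ns" }

    # Execute() blocks until the run finishes and returns the run status string;
    # a clean run reports 'success', anything else should stop the automation.
    $status = $ma.Execute($ProfileName).ReturnValue
    if ($status -ne 'success') {
        throw "Run profile '$ProfileName' on '$MaName' ended with status '$status'"
    }
    $status
}

# The table Step 8 asks you to record
Get-MaGuid | Format-Table -AutoSize

# Example: the full import (stage only) of the SQL MA, i.e. what the Automator's
# SQLFullImport() step does. Uncomment to run it.
# Invoke-MaRunProfile -MaName 'SQL' -ProfileName 'FI'
```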


Step 9 - Edit and Build Automation Application

In this step, you will be replacing the GUIDs that are currently in the appendix code with the GUID

from the management agents you created. Then you will compile the application.

Existing Management Agent GUIDs

Management Agent Name   GUID
ACCOUNT                 3FB465E8-319F-42BC-ADEF-2A6B83BF358F
RESOURCE                78D3CE93-811A-4779-8057-3553EDAD3A89
SQL                     3509863F-647E-487A-86D6-62EF434AD60D

Edit and Build Automation Application

The following steps show how to edit and build the automation application.

To edit and build the automation application

1. Log on to RES-DC.resource.fabrikam.net as Administrator

2. Click Start, click All Programs, click Microsoft Visual Studio 2008, and click Microsoft

Visual Studio 2008. This will open Microsoft Visual Studio 2008.

3. In Microsoft Visual Studio 2008, go to the top and select File, select New, and select

Project. This will bring up the New Project window.

4. On the New Project screen, on the left under Project types:, select Visual C# and then

under Templates: select Console Application.

5. On the New Project screen, under Name: enter Automator.

6. On the New Project screen, leave the defaults for Location: and Solution Name: and

click OK. This will bring up the Automator in Visual Studio.

7. Delete all of the code that appears in the large window on the left. Copy the code from

Appendix E – Automator application.

8. On the right, under Solution Explorer, right-click Automator and select Add Reference.

This will bring up the Add Reference dialog box.

9. On the Add Reference dialog box, click the .NET tab and select System.Management

from the list and click OK.

10. On the right, under Solution Explorer, right-click Automator and select Add Reference.

This will bring up the Add Reference dialog box.

11. On the Add Reference dialog box, click the Browse tab, navigate to C:\Program Files\Reference Assemblies\Microsoft\WindowsPowerShell\v1.0, select System.Management.Automation and click OK.

12. At the top, select Edit, select Find and Replace, and select Quick Replace. This will

bring up the Find and Replace dialog box.

13. On the Find and Replace dialog box, under Find what: enter the GUID of the ACCOUNT management agent from the table above - 3FB465E8-319F-42BC-ADEF-2A6B83BF358F.

14. On the Find and Replace dialog box, under Replace with: enter the GUID for your

ACCOUNT management agent.

15. On the Find and Replace dialog box, click Replace All. This should complete with the

message 5 occurrence(s) replaced. Click OK.

Note

Repeat the above process for each management agent. There should be 5

occurrences for the RESOURCE management agent and 4 occurrences for

the SQL management agent.

16. Close the Find and Replace dialog box.

17. In Visual Studio, at the top, select Build and then select Build Solution. Down at the

bottom, in the Output section, you should see Build: 1 succeeded or up-to-date, 0

failed, 0 skipped. Close Visual Studio.

18. Click Start, click Computer, and then double-click Local Disk (C:), double-click Users,

double-click Administrator, double-click Documents, double-click Visual Studio 2008,

double-click Projects, double-click Automator, double-click Automator, double-click

bin, double-click Debug. Copy the Automator application to the Operations folder.

Testing the Automation

This section explains both how to run the automation application and how to confirm that the

solution for the given scenario is working. These steps will migrate the remaining users to the

new forest, populate their sIDHistory, and create linked mailboxes for them. Once this is

complete you can test the solution to verify that it has worked successfully and that AD RMS is

working.

This section includes the following steps:

Step 1 - Run the Automation Application

Step 2 - Enable Rights Management Scheduled Task on ACC-CLT2

Step 3 - Add AdminTemplatePath Registry Key and Trusted Sites on ACC-CLT2

Step 4 - Create Protected E-mail Content on RES-CLT1

Step 5 - Consume Protected E-mail Content on ACC-CLT1

Step 6 - Consume Protected E-mail Content on ACC-CLT2


Step 7 - Create Protected E-mail Content on ACC-CLT2

Step 8 - Consume Protected E-mail Content on RES-CLT1

Step 9 - Consume Protected E-mail Content on ACC-CLT1

See Also

AD RMS Deployment in a Resource Forest Step-by-Step Guide

Prerequisites for AD RMS Deployment in a Resource Forest

Implementing the Procedures in this Document

Testing the Implementation

Step 1 - Run the Automation Application

In this step we will be running the automation application.

Running the Automation Application

The following steps show how to run the automation application.

To run the automation application

1. Log on to RES-DC.resource.fabrikam.net as Administrator.

2. Click Start, enter cmd in the Start Search box and hit enter. This will open a cmd.exe

window.

3. Navigate to C:\Program Files\Microsoft Identity Integration Server\Operations.

4. From the command line, enter Automator and hit Enter.

5. Once this is complete, close the cmd window.

Step 2 - Enable Rights Management Scheduled Task on ACC-CLT2

In this step we will be enabling the rights management scheduled task which is disabled by

default on the Windows Vista client.

Enabling the Rights Management Scheduled Task

The following steps show how to enable the rights management scheduled task.

To enable the rights management scheduled task


1. Log on to ACC-CLT2 as corp\Administrator.

2. Click Start, and then click Control Panel.

3. Double-click Administrative Tools, and then double-click Task Scheduler.

Note

If you do not see Administrative Tools, switch to Classic View.

4. If the User Account Control dialog box appears, confirm that the action it displays is

what you want, and then click Continue.

5. Expand Task Scheduler Library, expand Microsoft, expand Windows, and then click

Active Directory Rights Management Services Client.

6. Right-click AD RMS Rights Policy Template Management (Automated), and then click

Enable.

7. Close Task Scheduler.

Step 3 - Add AdminTemplatePath Registry Key and Trusted Sites on ACC-CLT2

In this step we will be adding the AdminTemplatePath registry key for the user Britta Simon. Note that this must be done for each individual user that will use the client, because this key resides under HKEY_CURRENT_USER and is specific to the user that is currently logged on. We will also add the AD RMS URL to the Trusted Sites of Britta Simon's instance of Internet Explorer.

Add the AdminTemplatePath Registry Key

The following steps show how to add the AdminTemplatePath registry key.

To add the AdminTemplatePath registry key

1. Log on to ACC-CLT2 as corp\lhenig.

2. Click Start, type regedit.exe in the Start Search box, and then press ENTER.

3. Expand the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM

Note

If DRM was not already created as a part of the key, you must create it

manually.


4. Right-click DRM, click New, and then click Expandable String Value.

5. In the Value name box, type AdminTemplatePath, and then press ENTER.

Note

If AdminTemplatePath already exists, simply modify it to match the entry

below.

6. Double-click the AdminTemplatePath registry value, type %LocalAppData%\Microsoft\DRM\Templates in the Value data box, and then click OK.

7. Close Registry Editor.

Add the AD RMS URL to Trusted Sites

The following steps show you how to add the AD RMS URL to trusted sites in Internet Explorer.

To add the AD RMS URL

1. Log on to ACC-CLT1 as corp\lhenig.

2. Click Start, click All Programs and select Internet Explorer.

3. Once Internet Explorer opens, in the top right corner, select Tools and click Internet

Options from the drop-down. This will bring up the Internet Options window.

4. From the Internet Options screen, click the Security tab, and select Trusted Sites from

the Select a zone to view or change security settings box.

5. Click the Sites button. This will bring up a Trusted Sites window.

6. In the Add this website to the zone: box, type https://res-adrms.resource.fabrikam.net, and click Add.

7. Click Close.

8. From the Internet Options screen, click OK.

9. Close Internet Explorer.
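The same two settings applied from a PowerShell prompt running as the target user, as an added example that is not part of the paper: it writes AdminTemplatePath as REG_EXPAND_SZ, registers https://res-adrms.resource.fabrikam.net in the Trusted sites zone through the per-user ZoneMap key, and reads both back without expanding %LocalAppData%. The function names are this example's own.

```powershell
# Added example, not from the paper. Both settings live under HKEY_CURRENT_USER,
# so this must run in the profile of every user who will use the AD RMS client.
$drmKey   = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$template = '%LocalAppData%\Microsoft\DRM\Templates'

# Internet Explorer keeps Trusted sites per host under ZoneMap\Domains: the value
# name is the URL scheme and the DWORD data is the zone number (2 = Trusted sites).
$zoneMapKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\fabrikam.net\res-adrms.resource'
$trustedZone = 2

function Set-AdminTemplatePath {
    # Office may not have created the DRM key yet (see the Note in Step 3)
    if (-not (Test-Path $drmKey)) { New-Item -Path $drmKey -Force | Out-Null }
    # ExpandString (REG_EXPAND_SZ) so %LocalAppData% is expanded per user at use time
    New-ItemProperty -Path $drmKey -Name 'AdminTemplatePath' -Value $template `
        -PropertyType ExpandString -Force | Out-Null
}

function Add-AdrmsTrustedSite {
    if (-not (Test-Path $zoneMapKey)) { New-Item -Path $zoneMapKey -Force | Out-Null }
    # Only https is trusted; no http entry is created for the cluster URL
    New-ItemProperty -Path $zoneMapKey -Name 'https' -Value $trustedZone `
        -PropertyType DWord -Force | Out-Null
}

function Test-AdrmsClientConfig {
    # Returns $true only when both values exist with the expected type and data.
    # Get-ItemProperty would expand %LocalAppData%, so read the raw data instead.
    $key = Get-Item -Path $drmKey -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    $raw = $key.GetValue('AdminTemplatePath', $null, 'DoNotExpandEnvironmentNames')
    if ($null -eq $raw) { return $false }
    $kind = $key.GetValueKind('AdminTemplatePath')
    $zone = (Get-ItemProperty -Path $zoneMapKey -ErrorAction SilentlyContinue).https
    ($raw -eq $template) -and ($kind -eq 'ExpandString') -and ($zone -eq $trustedZone)
}

Set-AdminTemplatePath
Add-AdrmsTrustedSite
if (Test-AdrmsClientConfig) {
    "AD RMS client settings are in place for $env:USERNAME"
} else {
    throw 'AD RMS client settings were not applied as expected'
}
```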

Step 4 - Create Protected E-mail Content on RES-CLT1

In this step, you will log on to the client computer and create a protected e-mail message.

To create a protected e-mail message

1. Log on to the RES-CLT1.resource.fabrikam.net as Lola Jacobson.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office Outlook 2007. This will bring up the Add New E-mail Account wizard.

3. Inside Outlook, at the top select New. This will display a new e-mail window.

4. On the e-mail screen, click To. This will bring up the Select Names: Global Address

List screen.

5. On the Select Names: Global Address List screen, select All Staff, click To and then

click OK. This will close the Select Names: Global Address List screen.

6. On the e-mail screen, next to Subject, enter Test FTE e-mail.

7. On the e-mail screen, in the main box, after Subject, enter This is a rights protected

test e-mail.

8. On the e-mail screen, in the upper-left corner, click the Office icon button. This will reveal

a drop-down menu.

9. From the drop-down, select Permission, and then select Fabrikam FTE Confidential.

10. This will display a Security Alert screen that says This page requires a secure

connection which includes server authentication. The Certificate issuer for this

site is untrusted or unknown. Do you wish to proceed? Click Yes.

11. This will display a credential box that has the header Connect to res-dc.resource.fabrikam.net. For User Name enter ljacobson. For password enter Pass1word!. Click OK.

12. At this point, you should notice that at the top of your e-mail is as follows: Fabrikam FTE

Confidential. Click Send.

Step 5 - Consume Protected E-mail Content on ACC-CLT1

In this step you will log on to a client computer and attempt to read the e-mail message that was sent in the previous step.

To consume a protected e-mail message

1. Log on to the ACC-CLT1.corp.fabrikam.com Server as Britta Simon.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Outlook 2007.

3. In Outlook, there should be an e-mail in Britta Simon’s inbox from Lola Jacobson. This is

the e-mail that was sent in the previous step. Double-click it.

4. This will display a Security Alert screen that says This page requires a secure

connection which includes server authentication. The Certificate issuer for this

site is untrusted or unknown. Do you wish to proceed? Click Yes.


5. This will display a credential box that has the header Connect to res-adrms.resource.fabrikam.net. For User Name enter corp\bsimon. For password enter Pass1word!. Click OK.

6. At this point, the e-mail should open and you can view the contents.

Step 6 - Consume Protected E-mail Content on ACC-CLT2

In this step, you will log on to a client computer and attempt to read the e-mail message that was sent in the previous step.

To consume a protected e-mail message

1. Log on to the ACC-CLT2.corp.fabrikam.com Server as Limor Henig.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Outlook 2007. This will bring up the Add New E-mail Account wizard.

3. On the E-mail Accounts screen, under You can configure Outlook to connect to

Internet E-mail, Microsoft Exchange, or other E-mail server. Would you like to

configure an E-mail account? Select Yes and then click Next.

4. On the Auto Account Setup screen, place a check in Manually configure server

settings or additional server types. Click Next.

5. On the Choose E-mail Service screen, select the radio button next to Microsoft

Exchange. Click Next.

6. On the Microsoft Exchange Settings screen, next to Microsoft Exchange Server,

enter RES-DC.resource.fabrikam.net.

7. On the Microsoft Exchange Settings screen, next to User Name, enter Limor Henig.

Click Check Name. This should resolve with an underline.

8. On the Microsoft Exchange Settings screen, click Next.

9. On the Congratulations! screen, click Finish. This will start Microsoft Office Outlook

2007.

10. In Outlook, there should be an e-mail in Limor Henig’s inbox. This is the e-mail that was

sent in the previous step by Lola Jacobson. Click it.

11. This will display a Security Alert screen that says This page requires a secure

connection which includes server authentication. The Certificate issuer for this

site is untrusted or unknown. Do you wish to proceed? Click View Certificate. This

will bring up the certificate.

12. On the e-mail screen, click To. This will bring up the Select Names: Global Address

List screen.


13. On the Select Names: Global Address List screen, select All Staff, click To and then

click OK. This will close the Select Names: Global Address List screen.

14. On the certificate, click Install Certificate. This will start the Welcome to the Certificate

Import Wizard. Click Next.

15. On the Certificate Store screen, leave Automatically select the certificate store

based on the type of certificate selected and then click Next.

16. On the Completing the Certificate Import Wizard screen, review the summary and

then click Finish. This should display a dialog box that reports The import was

successful. Click OK.

17. On the certificate, click OK. This will close certificate.

18. On the Security Alert screen, click Yes.

19. This will display a credential box that has the header Connect to res-adrms.resource.fabrikam.net. For User Name enter corp\bsimon. For password enter Pass1word!. Click OK.

20. At this point, the e-mail should not open and you should not be able to view the contents.

Limor does not have the rights to view this protected content.

Step 7 - Create Protected E-mail Content on ACC-CLT2

In this step, you will log on to the client computer and create a protected e-mail message.

To create a protected e-mail message

1. Log on to the ACC-CLT2.corp.fabrikam.com as Limor Henig.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Outlook 2007.

3. Within Outlook, at the top select New. This will display a new e-mail window.

4. On the e-mail screen, click To. This will bring up the Select Names: Global Address

List screen.

5. On the Select Names: Global Address List screen, select All Staff, click To and then

click OK. This will close the Select Names: Global Address List screen.

6. On the e-mail screen, next to Subject, enter One last test e-mail.

7. On the e-mail screen, in the main box, after Subject, enter This is a rights protected

test e-mail.

8. On the e-mail screen, in the upper-left corner, click the Office icon button. This will reveal

a drop-down menu.


9. From the drop-down, select Permission, and then select Fabrikam Confidential.

Note

If you do not see Fabrikam Confidential, verify that the templates have been copied over and reside in C:\Users\ljacobson\AppData\Local\Microsoft\DRM\Templates. If they do not, you can manually copy the templates from \\res-adrms\ADRMSPublic into the Templates folder.

10. This will display a Security Alert screen that says This page requires a secure

connection which includes server authentication. The Certificate issuer for this

site is untrusted or unknown. Do you wish to proceed? Click Yes.

11. This will display a credential box that has the header Connect to res-dc.resource.fabrikam.net. For User Name enter corp\lhenig. For password enter Pass1word!. Click OK.

12. At this point, you should notice that at the top of your e-mail is as follows: Fabrikam

Confidential. Click Send.

Step 8 - Consume Protected E-mail Content on RES-CLT1

In this step, you will log on to a client computer and attempt to read the e-mail message that was sent in the previous step.

To consume a protected e-mail message

1. Log on to the RES-CLT1.resource.fabrikam.net server as Lola Jacobson.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Outlook 2007.

3. In Outlook, there should be a message in Lola Jacobson’s inbox from Limor Henig. This

is the message that was sent in the previous step. Double-click it.

4. This will display a Security Alert screen that says This page requires a secure

connection which includes server authentication. The Certificate issuer for this

site is untrusted or unknown. Do you wish to proceed? Click Yes.

5. This will display a credential box that has the header Connect to res-adrms.resource.fabrikam.net. For User Name enter resource\ljacobson. For password enter Pass1word!. Click OK.

6. At this point, the e-mail should open and you can view the contents.


Step 9 - Consume Protected E-mail Content on ACC-CLT1

In this step you will log on to a client computer and attempt to read the e-mail message that was sent in the previous step.

To consume a protected e-mail message

1. Log on to the ACC-CLT1.corp.fabrikam.com Server as Britta Simon.

2. Click Start, select All Programs, click Microsoft Office, and select Microsoft Office

Outlook 2007.

3. In Outlook, there should be an e-mail in Britta Simon's inbox from Limor Henig. This is the e-mail that was sent in the previous step. Double-click it.

4. This will display a Security Alert screen that says This page requires a secure

connection which includes server authentication. The Certificate issuer for this

site is untrusted or unknown. Do you wish to proceed? Click Yes.

5. This will display a credential box that has the header Connect to res-adrms.resource.fabrikam.net. For User Name enter corp\bsimon. For password enter Pass1word!. Click OK.

6. At this point, the e-mail should open and you can view the contents.

Appendix A - UserSidTracking database T-SQL

The following is the T-SQL code for creating the UserSidTracking database.

USE [master]
GO
/****** Object: Database [UserSidTracking] Script Date: 07/14/2009 16:34:53 ******/
CREATE DATABASE [UserSidTracking] ON PRIMARY
( NAME = N'MigrationTracker', FILENAME = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MigrationTracker.mdf' , SIZE = 2048KB , MAXSIZE = UNLIMITED, FILEGROWTH = 1024KB )
LOG ON
( NAME = N'MigrationTracker_log', FILENAME = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\MigrationTracker_log.ldf' , SIZE = 1024KB , MAXSIZE = 2048GB , FILEGROWTH = 10%)
GO
ALTER DATABASE [UserSidTracking] SET COMPATIBILITY_LEVEL = 100
GO
IF (1 = FULLTEXTSERVICEPROPERTY('IsFullTextInstalled'))
begin
EXEC [UserSidTracking].[dbo].[sp_fulltext_database] @action = 'enable'
end
GO
ALTER DATABASE [UserSidTracking] SET ANSI_NULL_DEFAULT OFF
GO
ALTER DATABASE [UserSidTracking] SET ANSI_NULLS OFF
GO
ALTER DATABASE [UserSidTracking] SET ANSI_PADDING OFF
GO
ALTER DATABASE [UserSidTracking] SET ANSI_WARNINGS OFF
GO
ALTER DATABASE [UserSidTracking] SET ARITHABORT OFF
GO
ALTER DATABASE [UserSidTracking] SET AUTO_CLOSE OFF
GO
ALTER DATABASE [UserSidTracking] SET AUTO_CREATE_STATISTICS ON
GO
ALTER DATABASE [UserSidTracking] SET AUTO_SHRINK OFF
GO
ALTER DATABASE [UserSidTracking] SET AUTO_UPDATE_STATISTICS ON
GO
ALTER DATABASE [UserSidTracking] SET CURSOR_CLOSE_ON_COMMIT OFF
GO
ALTER DATABASE [UserSidTracking] SET CURSOR_DEFAULT GLOBAL
GO
ALTER DATABASE [UserSidTracking] SET CONCAT_NULL_YIELDS_NULL OFF
GO
ALTER DATABASE [UserSidTracking] SET NUMERIC_ROUNDABORT OFF
GO
ALTER DATABASE [UserSidTracking] SET QUOTED_IDENTIFIER OFF
GO
ALTER DATABASE [UserSidTracking] SET RECURSIVE_TRIGGERS OFF
GO
ALTER DATABASE [UserSidTracking] SET DISABLE_BROKER
GO
ALTER DATABASE [UserSidTracking] SET AUTO_UPDATE_STATISTICS_ASYNC OFF
GO
ALTER DATABASE [UserSidTracking] SET DATE_CORRELATION_OPTIMIZATION OFF
GO
ALTER DATABASE [UserSidTracking] SET TRUSTWORTHY OFF
GO
ALTER DATABASE [UserSidTracking] SET ALLOW_SNAPSHOT_ISOLATION OFF
GO
ALTER DATABASE [UserSidTracking] SET PARAMETERIZATION SIMPLE
GO
ALTER DATABASE [UserSidTracking] SET READ_COMMITTED_SNAPSHOT OFF
GO
ALTER DATABASE [UserSidTracking] SET HONOR_BROKER_PRIORITY OFF
GO
ALTER DATABASE [UserSidTracking] SET READ_WRITE
GO
ALTER DATABASE [UserSidTracking] SET RECOVERY FULL
GO
ALTER DATABASE [UserSidTracking] SET MULTI_USER
GO
ALTER DATABASE [UserSidTracking] SET PAGE_VERIFY CHECKSUM
GO
ALTER DATABASE [UserSidTracking] SET DB_CHAINING OFF
GO

Appendix B - Users Table T-SQL

The following is the T-SQL code for creating the Users table in the UserSidTracking database.

USE [UserSidTracking]
GO
/****** Object: Table [dbo].[Users] Script Date: 07/14/2009 16:34:06 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TABLE [dbo].[Users](
    [EmpID] [nchar](10) NULL,
    [FirstName] [nchar](10) NULL,
    [LastName] [nchar](30) NULL,
    [SidHistoryPresent] [char](1) NULL
) ON [PRIMARY]
GO

Appendix C - Metaverse Extension Code

The following is the metaverse extension code that is used in Step 12 - Run ACCOUNT MA Delta

Import.

using System;
using Microsoft.MetadirectoryServices;

namespace Mms_Metaverse
{
    /// <summary>
    /// Summary description for MVExtensionObject.
    /// </summary>
    public class MVExtensionObject : IMVSynchronization
    {
        public MVExtensionObject()
        {
            //
            // TODO: Add constructor logic here
            //
        }

        void IMVSynchronization.Initialize()
        {
            //
            // TODO: Add initialization logic here
            //
        }

        void IMVSynchronization.Terminate()
        {
            //
            // TODO: Add termination logic here
            //
        }

        void IMVSynchronization.Provision(MVEntry mventry)
        {
            // Every metaverse object is provisioned into the RESOURCE forest.
            // Provisioning into the SQL tracking table is left disabled here; the
            // SidHistoryPresent column is maintained by the SQL MA export flow
            // (Appendix D) instead.
            provisionToAD(mventry);
            // provisionToSQL(mventry);
        }

        bool IMVSynchronization.ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
        {
            //
            // TODO: Add MV deletion logic here
            //
            throw new EntryPointNotImplementedException();
        }

        public void provisionToAD(MVEntry mventry)
        {
            ConnectedMA MA;
            int Connectors = 0;
            CSEntry csentry;
            ReferenceValue DN;

            MA = mventry.ConnectedMAs["RESOURCE"];
            Connectors = MA.Connectors.Count;
            // Build the DN of the new user under the ResourceForestUsers OU. The cn is
            // passed through EscapeDNComponent so that characters such as commas in a
            // name cannot change the structure of the resulting DN.
            DN = MA.EscapeDNComponent("CN=" + mventry["cn"].Value)
                   .Concat("OU=ResourceForestUsers,DC=resource,DC=fabrikam,DC=net");

            if (0 == Connectors)
            {
                // No connector in the RESOURCE connector space yet: create the user object
                csentry = MA.Connectors.StartNewConnector("user");
                csentry.DN = DN;
                csentry.CommitNewConnector();
            }
            if (1 == Connectors)
            {
                // The user already exists in the resource forest: nothing to do
            }
        }

        public void provisionToSQL(MVEntry mventry)
        {
            ConnectedMA MA;
            int Connectors = 0;
            string empID;
            CSEntry csentry;
            string sidHist;

            MA = mventry.ConnectedMAs["SQL"];
            Connectors = MA.Connectors.Count;
            empID = mventry["employeeID"].Value;
            // Record whether the metaverse object already carries a migrated sIDHistory
            sidHist = "N";
            if (mventry["sIDHistory"].IsPresent)
            {
                sidHist = "Y";
            }

            if (0 == Connectors)
            {
                // No row in the Users table yet: create one keyed by EmpID
                csentry = MA.Connectors.StartNewConnector("person");
                csentry["EmpID"].Value = empID;
                csentry["SidHistoryPresent"].Value = sidHist;
                csentry.CommitNewConnector();
            }
            if (1 == Connectors)
            {
                // Row already exists: nothing to do
            }
        }
    }
}

See Also

Step 12 - Run ACCOUNT MA Delta Import

Testing the Implementation

Appendix D - SQL MA Extension

The following is the SQL management agent rules extension code (SQLExtension.cs) that is built in Step 6 - Create the SQL Rules Extension.

using System;
using Microsoft.MetadirectoryServices;

namespace Mms_ManagementAgent_SQLExtension
{
    /// <summary>
    /// Summary description for MAExtensionObject.
    /// </summary>
    public class MAExtensionObject : IMASynchronization
    {
        public MAExtensionObject()
        {
            //
            // TODO: Add constructor logic here
            //
        }

        void IMASynchronization.Initialize()
        {
            //
            // TODO: write initialization code
            //
        }

        void IMASynchronization.Terminate()
        {
            //
            // TODO: write termination code
            //
        }

        bool IMASynchronization.ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        {
            //
            // TODO: Remove this throw statement if you implement this method
            //
            throw new EntryPointNotImplementedException();
        }

        DeprovisionAction IMASynchronization.Deprovision(CSEntry csentry)
        {
            //
            // TODO: Remove this throw statement if you implement this method
            //
            throw new EntryPointNotImplementedException();
        }

        bool IMASynchronization.FilterForDisconnection(CSEntry csentry)
        {
            //
            // TODO: write connector filter code
            //
            throw new EntryPointNotImplementedException();
        }

        void IMASynchronization.MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        {
            //
            // TODO: write join mapping code
            //
            throw new EntryPointNotImplementedException();
        }

        bool IMASynchronization.ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
        {
            //
            // TODO: write join resolution code
            //
            throw new EntryPointNotImplementedException();
        }

        void IMASynchronization.MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        {
            //
            // TODO: write your import attribute flow code
            //
            throw new EntryPointNotImplementedException();
        }

        void IMASynchronization.MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        {
            //
            // TODO: write your export attribute flow code
            //
            switch (FlowRuleName)
            {
                case "SidHistory":
                    // Export flow rule "SidHistory": write Y or N into the
                    // SidHistoryPresent column of the Users table depending on
                    // whether the metaverse object already carries a migrated
                    // sIDHistory value.
                    if (mventry["sIDHistory"].IsPresent)
                    {
                        csentry["SidHistoryPresent"].Value = "Y";
                    }
                    else
                    {
                        csentry["SidHistoryPresent"].Value = "N";
                    }
                    break;
                default:
                    // TODO: remove the following statement and add your default script here
                    throw new EntryPointNotImplementedException();
            }
        }
    }
}

Appendix E - Automation Application

The following is code for the automation application.

using System;
using System.Collections.ObjectModel;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Management;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace Automator
{
    class Program
    {
        // Management agent GUIDs. These values are specific to the environment
        // used while writing this document; obtain the GUIDs of your own
        // management agents with the script in Appendix G.
        const string AccountMAGuid = "{CFF78843-4450-4902-B18A-C10C24A67513}";
        const string SqlMAGuid = "{4089d66f-39b2-449e-8f7e-a8630e931fcf}";
        const string ResourceMAGuid = "{AF8EA810-b232-4850-bf8b-6c2e2b32578c}";

        static void Main(string[] args)
        {
            Program myP = new Program();
            DataSet myda = myP.ADMTUsers();
            myP.AccountMAFullImport();
            myP.ResourceMAFullImport();
            myP.SQLFullImport();
            myP.AccountMAFullSynch();
            myP.ResourceMAFullSynch();
            myP.SQLFullSynch();
            myP.ResourceMAExport();
            myP.SQLExport();
            myP.ResourceMADeltaImport();
            myP.SQLFullImport();
            myP.MigrateSids(myda);
            myP.CreateLinkedMailboxes(myda);
            myP.ResourceMADeltaImport();
            myP.ResourceMADeltaSynch();
            myP.AccountMAExport();
            myP.AccountMADeltaImport();
            myP.SQLFullSynch();
            myP.SQLExport();
        }

        // Runs ADMT once for every user that still has SidHistoryPresent = 'N',
        // using the options file shown in Appendix F.
        public void MigrateSids(DataSet da)
        {
            string q = "\"";
            foreach (DataRow row in da.Tables["admtusers"].Rows)
            {
                string fname = row[0].ToString().Trim();
                string lname = row[1].ToString().Trim();
                string sourcename = "CN=" + fname + " " + lname;
                string targetname = fname + " " + lname;
                // admt user /N "CN=<first> <last>" "<first> <last>" /O:"C:\Windows\ADMT\options.txt"
                string strCmdLine = @"user /N " + q + sourcename + q + " " + q + targetname + q
                    + " /O:" + q + @"C:\Windows\ADMT\options.txt" + q;

                using (Process proc1 = new Process())
                {
                    proc1.StartInfo.FileName = @"C:\Windows\ADMT\admt.exe";
                    proc1.StartInfo.Arguments = strCmdLine;
                    proc1.StartInfo.UseShellExecute = false;
                    proc1.StartInfo.RedirectStandardOutput = true;
                    Console.WriteLine("Migrating: " + targetname);
                    proc1.Start();
                    // Read the redirected output to the end before waiting, so that
                    // ADMT cannot block on a full output pipe.
                    string result = proc1.StandardOutput.ReadToEnd();
                    proc1.WaitForExit();
                }
            }
        }

        // Reads the users whose SIDs have not been migrated yet from the tracking
        // database that the SQL management agent exports to.
        public DataSet ADMTUsers()
        {
            DataSet da = new DataSet();
            using (SqlConnection conn = new SqlConnection(
                "Data Source=localhost;Initial Catalog=UserSidTracking;Integrated Security=True"))
            using (SqlCommand cmd = new SqlCommand(
                "select FirstName,LastName from Users where SidHistoryPresent = 'N'", conn))
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                // Fill opens the connection and closes it again when it is done.
                adapter.Fill(da, "admtusers");
            }
            return da;
        }

        // Creates a linked mailbox in the resource forest for each migrated user,
        // linked to the user's account in the account forest (corp).
        public void CreateLinkedMailboxes(DataSet da)
        {
            RunspaceConfiguration rc = RunspaceConfiguration.Create();
            PSSnapInException warning;
            rc.AddPSSnapIn("Microsoft.Exchange.Management.Powershell.Admin", out warning);
            if (warning != null)
            {
                Console.WriteLine(warning.Message);
            }

            using (Runspace runspace = RunspaceFactory.CreateRunspace(rc))
            {
                runspace.Open();
                foreach (DataRow row in da.Tables["admtusers"].Rows)
                {
                    string fname = row[0].ToString().Trim();
                    string lname = row[1].ToString().Trim();
                    string mailnick = fname.Substring(0, 1).ToLower() + lname.ToLower();
                    string fullname = fname + " " + lname;

                    // The values are passed as cmdlet parameters instead of being
                    // spliced into a script string, so a name that contains a quote
                    // character cannot change the command that is executed.
                    Command enableMailbox = new Command("Enable-Mailbox");
                    enableMailbox.Parameters.Add("Identity",
                        "resource.fabrikam.net/ResourceForestUsers/" + fullname);
                    enableMailbox.Parameters.Add("Alias", mailnick);
                    enableMailbox.Parameters.Add("Database",
                        @"RES-DC\First Storage Group\Mailbox Database");
                    enableMailbox.Parameters.Add("LinkedMasterAccount", @"corp\" + mailnick);
                    enableMailbox.Parameters.Add("LinkedDomainController", "ACC-DC.corp.fabrikam.com");
                    enableMailbox.Parameters.Add("LinkedCredential", null);

                    Console.WriteLine();
                    Console.Write("Creating Linked Mailbox for " + fullname + "... ");
                    using (Pipeline pipeline = runspace.CreatePipeline())
                    {
                        pipeline.Commands.Add(enableMailbox);
                        Collection<PSObject> results = pipeline.Invoke();
                    }
                    Console.Write("Done!");
                }
                runspace.Close();
            }
        }

        // Runs one run profile (FI, DI, FS, DS or E) on one management agent
        // through the ILM WMI provider.
        private void RunProfile(string maGuid, string maName, string runProfile)
        {
            try
            {
                ConnectionOptions opt = new ConnectionOptions();
                // Encrypt the DCOM/WMI session to the synchronization server.
                opt.Authentication = AuthenticationLevel.PacketPrivacy;
                ManagementScope myScope = new ManagementScope(@"root\MicrosoftIdentityIntegrationServer", opt);
                SelectQuery myQuery = new SelectQuery("MIIS_ManagementAgent", "GUID='" + maGuid + "'");
                ManagementObjectSearcher searcher = new ManagementObjectSearcher(myScope, myQuery);
                foreach (ManagementObject ma in searcher.Get())
                {
                    Console.WriteLine(maName + ".Execute( \"" + runProfile + "\" )...");
                    ma.InvokeMethod("Execute", new object[1] { runProfile });
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error: " + ex.Message);
            }
        }

        public void AccountMAFullImport() { RunProfile(AccountMAGuid, "ACCOUNT", "FI"); }
        public void AccountMADeltaImport() { RunProfile(AccountMAGuid, "ACCOUNT", "DI"); }
        public void AccountMAFullSynch() { RunProfile(AccountMAGuid, "ACCOUNT", "FS"); }
        public void AccountMADeltaSynch() { RunProfile(AccountMAGuid, "ACCOUNT", "DS"); }
        public void AccountMAExport() { RunProfile(AccountMAGuid, "ACCOUNT", "E"); }

        public void SQLFullImport() { RunProfile(SqlMAGuid, "SQL", "FI"); }
        public void SQLFullSynch() { RunProfile(SqlMAGuid, "SQL", "FS"); }
        public void SQLDeltaSynch() { RunProfile(SqlMAGuid, "SQL", "DS"); }
        public void SQLExport() { RunProfile(SqlMAGuid, "SQL", "E"); }

        public void ResourceMAFullImport() { RunProfile(ResourceMAGuid, "RESOURCE", "FI"); }
        public void ResourceMAFullSynch() { RunProfile(ResourceMAGuid, "RESOURCE", "FS"); }
        public void ResourceMADeltaImport() { RunProfile(ResourceMAGuid, "RESOURCE", "DI"); }
        public void ResourceMADeltaSynch() { RunProfile(ResourceMAGuid, "RESOURCE", "DS"); }
        public void ResourceMAExport() { RunProfile(ResourceMAGuid, "RESOURCE", "E"); }
    }
}
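The automation application discards the string that the MIIS_ManagementAgent Execute method returns, so a run profile that fails still lets the later ADMT and Enable-Mailbox steps run against incomplete data. The following added example (not part of the whitepaper's application) shows the same WMI call with the returned run status checked and the sequence stopped at the first profile that does not report "success"; the RunProfileSequencer class name is hypothetical, and the GUIDs are the Appendix E values, which must be replaced with those returned by the Appendix G script.

```csharp
using System;
using System.Collections.Generic;
using System.Management;

namespace Automator
{
    // Hypothetical helper (added example): runs ILM run profiles over WMI and
    // stops the sequence as soon as one run does not report "success".
    class RunProfileSequencer
    {
        const string MiisNamespace = @"root\MicrosoftIdentityIntegrationServer";

        // Environment-specific GUIDs taken from Appendix E; replace them with the
        // values printed by the Appendix G script for your own management agents.
        const string AccountMA = "{CFF78843-4450-4902-B18A-C10C24A67513}";
        const string ResourceMA = "{AF8EA810-b232-4850-bf8b-6c2e2b32578c}";
        const string SqlMA = "{4089d66f-39b2-449e-8f7e-a8630e931fcf}";

        // Returns the run status string reported by the management agent, or
        // null when no management agent with that GUID exists in the namespace.
        public static string Execute(string maGuid, string runProfile)
        {
            ConnectionOptions opt = new ConnectionOptions();
            opt.Authentication = AuthenticationLevel.PacketPrivacy; // encrypt the WMI session
            ManagementScope scope = new ManagementScope(MiisNamespace, opt);
            SelectQuery query = new SelectQuery("MIIS_ManagementAgent", "GUID='" + maGuid + "'");
            using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query))
            {
                foreach (ManagementObject ma in searcher.Get())
                {
                    Console.Write(ma["Name"] + ".Execute(\"" + runProfile + "\")... ");
                    // Execute returns the run status, "success" for a clean run;
                    // any other value means the run stopped or completed with errors.
                    object result = ma.InvokeMethod("Execute", new object[] { runProfile });
                    string status = result == null ? "" : result.ToString();
                    Console.WriteLine(status);
                    return status;
                }
            }
            return null;
        }

        // Runs the (GUID, run profile) steps in order; returns false at the first
        // step whose status is not "success", so the caller can stop the workflow.
        public static bool RunSequence(IList<KeyValuePair<string, string>> steps)
        {
            foreach (KeyValuePair<string, string> step in steps)
            {
                string status = Execute(step.Key, step.Value);
                if (status == null)
                {
                    Console.WriteLine("Error: no management agent with GUID " + step.Key);
                    return false;
                }
                if (!string.Equals(status, "success", StringComparison.OrdinalIgnoreCase))
                {
                    Console.WriteLine("Error: run profile " + step.Value
                        + " ended with status '" + status + "'; stopping.");
                    return false;
                }
            }
            return true;
        }

        static void Main()
        {
            // Same order as the first part of Main in Appendix E. MigrateSids and
            // CreateLinkedMailboxes should only be called when this returns true.
            var steps = new List<KeyValuePair<string, string>>
            {
                new KeyValuePair<string, string>(AccountMA, "FI"),
                new KeyValuePair<string, string>(ResourceMA, "FI"),
                new KeyValuePair<string, string>(SqlMA, "FI"),
                new KeyValuePair<string, string>(AccountMA, "FS"),
                new KeyValuePair<string, string>(ResourceMA, "FS"),
                new KeyValuePair<string, string>(SqlMA, "FS"),
                new KeyValuePair<string, string>(ResourceMA, "E"),
                new KeyValuePair<string, string>(SqlMA, "E"),
            };
            Environment.ExitCode = RunSequence(steps) ? 0 : 1;
        }
    }
}
```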

Appendix F - ADMT Options File

The following is the ADMT options file (C:\Windows\ADMT\options.txt) that the automation application passes to admt.exe with the /O switch.

[Migration]
IntraForest=No
SourceDomain="corp.fabrikam.com"
SourceOu="AccountsForestUsers"
TargetDomain="resource.fabrikam.net"
TargetOU="ResourceForestUsers"

[User]
DisableOption=DisableTarget
MigrateSIDs=Yes
UpdatePreviouslyMigratedObjects=Yes
ConflictOptions=Merge
PasswordOption=Complex


Appendix G - MA GUID Retrieval Script

The following VBScript lists every management agent in the ILM WMI namespace with its GUID; the GUIDs are the values the automation application in Appendix E selects on.

' List all management agents and their GUIDs through the ILM WMI provider.
Set MASet = GetObject("winmgmts:root\MicrosoftIdentityIntegrationServer").ExecQuery("Select * from MIIS_ManagementAgent")

For Each MA In MASet
    WScript.Echo "MA Name: " & MA.Name & " - GUID: " & MA.GUID
Next

Appendix H - Pre-Implementation Checklists

The tables in this appendix are checklists that can be used while you build the initial environment. Each checklist here is designed for one of the following test environment computers:

RES-DC

RES-ADRMS

RES-CLT1

ACC-DC

ACC-CLT1

ACC-CLT2

Although the detailed steps required to build the test environment are outside the scope of this document, these checklists can be used to help guide the process. They represent the steps taken while developing this document.

RES-DC Checklist

Step | Reference
Install Operating System | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Install Hyper-V Integration Services | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Change timezone/computer name/verify networking | Windows Server 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Change IP Address | Windows Server 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Run DCPROMO | AD DS Installation and Removal Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=160742)
Install Internet Information Services 7.0 | Installing IIS 7.0 on Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=160745)
Install Windows PowerShell | Windows PowerShell (http://go.microsoft.com/fwlink/?LinkID=102372)
Install Microsoft Exchange 2007 with Service Pack 1 | Microsoft Exchange Server 2007 (http://go.microsoft.com/fwlink/?LinkId=156715)
Install Microsoft SQL 2008 | Installing SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkID=154569)
Install Microsoft SQL 2008 Service Pack 1 | Microsoft SQL Server 2008 SP1 (http://go.microsoft.com/fwlink/?LinkId=160746)
Install Active Directory Migration Tool 3.1 | ADMT v3.1 (http://go.microsoft.com/fwlink/?LinkId=158049)
Install Visual Studio 2008 | Microsoft Visual Studio 2008 Installation and Setup Essentials (http://go.microsoft.com/fwlink/?LinkID=154573)
Install Visual Studio 2008 Service Pack 1 | Microsoft Visual Studio 2008 SP1 (http://go.microsoft.com/fwlink/?LinkId=160750)
Install Identity Lifecycle Manager Feature Pack 1 | Microsoft Identity Lifecycle Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=156716)
Configure DNS Conditional Forwarding | Configure a DNS Server to Use Forwarders (http://go.microsoft.com/fwlink/?LinkId=160751)
Create Trust between Forests | Create a Forest Trust (http://go.microsoft.com/fwlink/?LinkId=160753)
Configure ADMT 3.1 | ADMT v3.1 (http://go.microsoft.com/fwlink/?LinkId=158049)


RES-ADRMS Checklist

Step | Reference
Install Operating System | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Install Hyper-V Integration Services | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Change timezone/computer name/verify networking | Windows Server 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Change IP Address | Windows Server 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Join the RESOURCE domain | How to Join the Domain on the Domain Controller (http://go.microsoft.com/fwlink/?LinkId=160744)
Install Internet Information Services 7.0 | Installing IIS 7.0 on Windows Server 2008 (http://go.microsoft.com/fwlink/?LinkId=160745)
Install Microsoft SQL 2008 | Installing SQL Server 2008 (http://go.microsoft.com/fwlink/?LinkID=154569)
Install Microsoft SQL 2008 Service Pack 1 | Microsoft SQL Server 2008 SP1 (http://go.microsoft.com/fwlink/?LinkId=160746)

RES-CLT1 Checklist

Step | Reference
Install Operating System | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Change IP Address | Windows Client Networking (http://go.microsoft.com/fwlink/?LinkId=160760)
Join the RESOURCE domain | Windows 7 Domain Join (http://go.microsoft.com/fwlink/?LinkId=160762)
Install Microsoft Office 2007 | How to install and activate 2007 Microsoft Office system programs (http://go.microsoft.com/fwlink/?LinkId=160766)
Install Microsoft Office 2007 Service Pack 1 | Microsoft Office 2007 Service Pack 1 (http://go.microsoft.com/fwlink/?LinkId=160764)


ACC-DC Checklist

Step | Reference
Install Operating System | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Install Hyper-V Integration Services | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Change timezone/computer name/verify networking | Windows Server 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Change IP Address | Windows Server 2008 Enterprise (http://go.microsoft.com/fwlink/?LinkId=156710)
Run DCPROMO | AD DS Installation and Removal Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=160742)
Install Rights Management Services Administration Toolkit with SP2 | Rights Management Services Administration Toolkit with SP2 (http://go.microsoft.com/fwlink/?LinkId=158667)

ACC-CLT1 Checklist

Step | Reference
Install Operating System | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Install Hyper-V Integration Services | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Change IP Address | Windows Vista Networking (http://go.microsoft.com/fwlink/?LinkId=160759)
Join the ACCOUNT domain | Joining a Windows Vista Wired Client to a Domain (http://go.microsoft.com/fwlink/?LinkId=160734)
Install Microsoft Office 2007 | How to install and activate 2007 Microsoft Office system programs (http://go.microsoft.com/fwlink/?LinkId=160766)
Install Microsoft Office 2007 Service Pack 1 | Microsoft Office 2007 Service Pack 1 (http://go.microsoft.com/fwlink/?LinkId=160764)


ACC-CLT2 Checklist

Step | Reference
Install Operating System | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Install Hyper-V Integration Services | Hyper-V Getting Started Guide (http://go.microsoft.com/fwlink/?LinkID=160718)
Change IP Address | Windows Vista Networking (http://go.microsoft.com/fwlink/?LinkId=160759)
Join the ACCOUNT domain | Joining a Windows Vista Wired Client to a Domain (http://go.microsoft.com/fwlink/?LinkId=160734)
Install Microsoft Office 2007 | How to install and activate 2007 Microsoft Office system programs (http://go.microsoft.com/fwlink/?LinkId=160766)
Install Microsoft Office 2007 Service Pack 1 | Microsoft Office 2007 Service Pack 1 (http://go.microsoft.com/fwlink/?LinkId=160764)

See Also

Scenario Overview

Prerequisites for AD RMS Deployment in a Resource Forest