Friday, 30 May 2014

Install and Configure AD RMS Cluster - Part 3

After you have completed the AD RMS role installation as shown in Install and Configure AD RMS Cluster - Part 2, I'm going to start the AD RMS cluster configuration. The first AD RMS cluster is known as the AD RMS root cluster. During the setup you will need to access the MS SQL server, so make sure you have completed the MS SQL installation.

Create AD RMS Root Cluster
1. Logon to RMS01 using the RMSAdmin domain account and click Perform additional configuration

2. Next
 
3. Select Create a new AD RMS root cluster

4. Enter the database server name and instance name. This database is hosted on the MS SQL server

5. Enter the rmssvc domain account with its password as the service account of the AD RMS server

6. Select Cryptographic Mode 2 for better security.
NOTE: Not all client machines support Cryptographic Mode 2

7. Use AD RMS centrally managed key storage

8. Enter the password. This password is important; do not lose it

9. Leave Default and Next

10. Enter the cluster address. This address must match the name in the certificate. I'm using split DNS, thus the internal and external URLs will be the same.

11. Select the imported certificate, which is the same certificate used on UAG01, UAG02, EXCH01, EXCH02 and RMS02

12. Name the server licensor certificate

13. Register the SCP now
 
14. Click Install

15. Close

16. The status of AD RMS is healthy
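The following PowerShell is an added example and not part of the original post. Run on RMS01 after step 16, it checks that the certificate selected in step 11 actually carries the cluster address entered in step 10, and that the SCP registered in step 13 points at this cluster; it assumes the cluster address is rms.external.com (the SAN name from Part 1).

```powershell
# Added example, not from the original post: run on RMS01 after step 16 to confirm
# that the certificate selected in step 11 carries the cluster address from step 10
# and that the SCP registered in step 13 points at this cluster.
# Assumption: the cluster address is rms.external.com (the SAN name from Part 1).
$clusterFqdn = 'rms.external.com'

# (a) Certificates in the machine store with a private key whose subject CN or
#     SAN list contains the cluster FQDN. A name mismatch breaks RMS clients.
$cnPattern = 'CN=' + [regex]::Escape($clusterFqdn) + '(,|$)'
$matching = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Subject -match $cnPattern -or
        $_.DnsNameList.Unicode -contains $clusterFqdn
    )
}
if (-not $matching) {
    Write-Warning "No certificate with a private key for $clusterFqdn in LocalMachine\My"
}
foreach ($c in $matching) {
    '{0}  expires {1:yyyy-MM-dd}  SANs: {2}' -f $c.Thumbprint, $c.NotAfter,
        ($c.DnsNameList.Unicode -join ', ')
}

# (b) The AD RMS service connection point lives in the configuration partition;
#     its serviceBindingInformation holds the certification URL clients discover.
$cnc     = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$scpPath = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$cnc"
if (-not [ADSI]::Exists($scpPath)) {
    Write-Warning 'No AD RMS SCP found; step 13 (Register the SCP) has not completed'
} else {
    $binding    = [string]([ADSI]$scpPath).serviceBindingInformation
    $urlPattern = '^https://' + [regex]::Escape($clusterFqdn) + '(:\d+)?/'
    if ($binding -notmatch $urlPattern) {
        Write-Warning "SCP points at $binding rather than the expected cluster address"
    } else {
        "SCP registered: $binding"
    }
}
```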

Thursday, 29 May 2014

Install and Configure AD RMS Cluster - Part 2

AD RMS is a role-based service in Windows Server 2012. In this post, I will show you how to install the AD RMS role.

Install AD RMS Role
1. Logon to RMS01, click Add roles and features in server manager
   
2. Next

3. Select Role-based or feature-based installation

4. Select destination server and Next

5. Select Active Directory Rights Management Services

6. Add features

7. Next

8. Next

9. Select Active Directory Rights Management Server

10. Next

11. Leave default and Next

12. Click Install to start installation
 
13. Close
 
14. Repeat step 1 to step 13 for RMS02

Install and Configure AD RMS Cluster - Part 1

I'm going to show you how to install and configure an AD RMS cluster.
Here is some brief information about my setup.
  • 2 AD RMS servers, named RMS01 and RMS02. Both AD RMS servers need to be joined to the domain.
  • A MS SQL cluster server. I will not show the MS SQL installation here.
  • Both AD RMS servers will be load balanced by a hardware load balancer (HLB). I will not show the HLB configuration here.
  • A SAN certificate which will be used for OWA, EAS, OA & RMS publishing. I'm using a certificate issued by DigiCert. Example SAN names: mail.external.com; autodiscover.external.com; rms.external.com

Pre-Requisite

1. Import Certificate

Importing the certificate into RMS01 and RMS02 is similar to importing the certificate for UAG01 or UAG02 in Install and Configure UAG 2010 - Part 1

2. Domain Account and Distribution Group
Create the following IDs in the domain and create the distribution group in Exchange.

RMSSU is a distribution group with the Federated mailbox as its member. I will show this in a later post when integrating with IRM in Exchange.

Logon ID: RMSAdmin
Member of: Domain Users; Active Directory Rights Management Services Enterprise Administrators of local RMS; Administrators group of local RMS; Administrators group of local SQL Server; System Administrators (sysadmins) database
Remarks: Active Directory Rights Management Services Enterprise Administrators, System Administrators (sysadmins) database

Logon ID: RMSSU
Member of: NA
Remarks: Distribution group for RMS Super User Group

Logon ID: RMSSvc
Member of: Domain Users; Administrators group of local RMS
Remarks: AD RMS service account

3. MS SQL Browser Service
Install the MS SQL Browser service on both AD RMS servers. This service can be obtained from the MS SQL setup disc and is required for AD RMS to access the MS SQL instance. You may get more information from TechNet - AD RMS SQL Server Requirements
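The following PowerShell is an added example, not code from the original post. It creates the RMSAdmin and RMSSvc domain accounts from the table in step 2 and grants them local Administrators on RMS01 and RMS02; the OU path is a placeholder, the ActiveDirectory module is assumed to be available, and both servers are assumed to be domain-joined already.

```powershell
# Added example, not from the original post: create the RMSAdmin and RMSSvc domain
# accounts from the table in step 2 and grant them local Administrators on RMS01/RMS02.
# Assumptions: the ActiveDirectory module is available, the OU below is a placeholder,
# and the two AD RMS servers are already domain-joined (see the Part 1 setup notes).
Import-Module ActiveDirectory

$ou       = 'OU=RMS,DC=example,DC=local'   # placeholder OU for the new accounts
$rmsHosts = 'RMS01', 'RMS02'
$netbios  = (Get-ADDomain).NetBIOSName

# Prompt for each password rather than embedding it in the script.
$accounts = @{
    'RMSAdmin' = 'AD RMS administrator'
    'RMSSvc'   = 'AD RMS service account'
}
foreach ($name in $accounts.Keys) {
    $securePwd = Read-Host "Password for $name" -AsSecureString
    New-ADUser -Name $name -SamAccountName $name -Path $ou `
        -AccountPassword $securePwd -Enabled $true -Description $accounts[$name]
}

# Both accounts need local Administrators on the AD RMS servers (table rows for
# RMSAdmin and RMSSvc). The "AD RMS Enterprise Administrators" local group only
# exists after the role is installed (Part 2), so RMSAdmin is added there later;
# the SQL sysadmin membership is granted on the SQL cluster and is not shown here.
foreach ($h in $rmsHosts) {
    Invoke-Command -ComputerName $h -ScriptBlock {
        param($nb)
        net localgroup Administrators "$nb\RMSSvc"   /add
        net localgroup Administrators "$nb\RMSAdmin" /add
    } -ArgumentList $netbios
}

# RMSSU is created in the Exchange Management Shell, not with the AD module:
#   New-DistributionGroup -Name 'RMSSU' -Type Distribution
```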

Wednesday, 28 May 2014

Install and Configure UAG 2010 - Part 8

In this post, I will show you the Advanced Trunk Configuration. I made some adjustments to the advanced trunk configuration before the system went live.

Advanced Trunk Configuration for Mail
1. To access the advanced trunk configuration, click Configure under Trunk Configuration

Disable Authentication at Session Logon
Because I'm using pass-through authentication, I will disable UAG pre-authentication.

1. Untick “Require users to authenticate at session logon”. This setting is enabled by default

Disable Endpoint Client installation
I do not wish to install or use the endpoint client because this UAG is used only by Exchange and AD RMS. If you are using other services, you may enable the endpoint client.

1. Tick the “Disable component installation and activation” and “Disable scripting for portal applications”. This setting is enabled by default

2. Click OK for confirmation
 
Add URL Set for OWA Password Expiry
I have enabled the change expired password feature in Exchange 2010. You may refer to http://technet.microsoft.com/en-us/library/bb684904(v=exchg.141).aspx for more information on how to enable the password change feature in Exchange 2010. Without the following, you will not be able to get the change password page via UAG.

1. In the URL Set of Advanced Trunk Configuration, click Add Primary and add the following URL set:
Name:  ExchangePub2010_Rule43
Action: Accept
URL: /owa/auth/expiredpassword.aspx
Parameters: Ignore
Method: POST, GET

Save and Activate Configuration
1. Click Save and Activate
 
2. Click Activate

3. Activation completed successfully on this array manager. Now you may test the functionality of UAG.

Install and Configure UAG 2010 - Part 7

In this post, I will show you how to publish AD RMS via UAG. AD RMS will share the same trunk with all the Exchange services.

Microsoft Active Directory Rights Management Services Publishing
1. In the mail trunk, click Add under Applications

2. On the welcome page, Next

3. Select Rights Management Services

4. Enter application name

5. Select endpoint policies

6. Configure a farm of application servers

7. Enter the load-balanced web servers for AD RMS and choose Balance requests using cookie-based affinity

8. Configure the verification method to use Establish a TCP connection

9. Do not use SSO because pass-through authentication will be used

10. Click Yes

11. Next

12. Authorize all users

13. Click Finish

14. Application for AD RMS has been created successfully