Create several users in AD
| User Name | Email Address |
|---|---|
| Administrator | Administrator@aaa.com |
| Nicole | Nicole@aaa.com |
| Jim | Jim@aaa.com |
| Sim | Sim@aaa.com |

Both 'Active Directory Rights Management Services' and 'SharePoint 2010 Server' use the default instance of SQL Server 2008 R2.
The Windows Firewall on both computers is turned off.
K2.AAA.COM
K1.AAA.COM
K2.AAA.COM
SharePoint Central Administration
Enable Information Rights Management on Document Library
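The library-level IRM switch above can also be set from the SharePoint 2010 Management Shell, which makes the setting visible and repeatable. The script below is an added example, not code from the original lab notes; it assumes the site is http://k2 and the library is "Shared Documents" (the names that appear in the error URL later in the notes), that it runs on K2 as a farm administrator, and that the farm-level IRM settings are exposed through the SPWebService.IrmSettings object (an assumption about the 2010 object model).

```powershell
# Added example for these lab notes; it is not code from the original page.
# Assumes: SharePoint 2010 Management Shell on K2, site http://k2, library
# "Shared Documents", and that SPWebService.ContentService.IrmSettings holds
# the farm-level IRM configuration (assumption).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$web  = Get-SPWeb 'http://k2'
$list = $web.Lists['Shared Documents']

# Equivalent of Library Settings > Information Rights Management in the UI.
$list.IrmEnabled = $true      # protect documents with AD RMS when downloaded
$list.IrmExpire  = $false     # do not put an expiry date on issued licences
$list.IrmReject  = $false     # still accept uploads Office cannot protect
$list.Update()

# Check: library IRM only works once Central Administration > Security >
# Configure information rights management points at an AD RMS server (or
# uses AD discovery). With nothing configured the flag is accepted but every
# download fails with the "server refused access" error seen in these notes.
$service = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$service.IrmSettings | Format-List IrmRMSEnabled, IrmRMSUseAD, IrmRMSCertServer

$web.Dispose()
```

Run the check block before enabling IRM on any library: the order matters, because the library setting is accepted even when the farm has no AD RMS server configured.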




Administrator logs onto K1.AAA.COM, where AD RMS is installed.
When you open a Word document from the SharePoint library, a popup window appears.

Administrator logs onto K2.AAA.COM, where SharePoint 2010 Server is installed.

An unexpected error has occurred while trying to restrict permission to your document. Contact your administrator for assistance.

When accessing the Word document on the SharePoint site that has Information Rights Management enabled, an error pops up:
Could not open 'http://k2/Shared Documents/Chapter Eight empires.docx'.

Solution:

Duplicate the Domain Controller template in the Certificate Templates console.

Issue the "Copy of Domain Controller" template in the Certification Authority console.

Delete the domain controller certificate.
Request a new domain controller certificate.

Problems still exist.
Redo the lab.
K1 and K2
Install Windows 2008 R2 Standard--Run Updates
Disable Windows Firewall
Disable TCP/IPv6
Install Application Role

Install Office 2010 Professional
K1 computer
Add "Active Directory Domain Services"
Run DCPROMO for aaa.com
Default Domain Controllers Policy--Assign "Allow log on locally" to the Domain Users group
Active Directory Users and Computers
Create several users with email addresses assigned.
| user account | email address |
|---|---|
| Administrator | administrator@aaa.com |
| Jim | jim@aaa.com |
| Simon | Simon@aaa.com |
| Stuart | Stuart@aaa.com |
| Nicole | Nicole@aaa.com |
Active Directory Rights Management Services must use email addresses.
Because I will install AD RMS on the domain controller and use aaa\jim as the service account, I will add aaa\jim to the Enterprise Admins group.
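The user-creation step above is where most AD RMS labs go wrong, because a user with no mail attribute cannot be licensed at all. The following is an added example, not code from the original notes; it assumes it runs on K1 after DCPROMO with the Active Directory module available, prompts for each password, and reproduces the account-to-address table exactly as given above.

```powershell
# Added example for these lab notes; it is not code from the original page.
# Assumes: runs on K1 (the aaa.com domain controller) after DCPROMO, with the
# ActiveDirectory module installed; passwords are prompted for interactively.
Import-Module ActiveDirectory

# Account -> email address, exactly as in the table above.
$users = @{
    'Jim'    = 'jim@aaa.com'
    'Simon'  = 'Simon@aaa.com'
    'Stuart' = 'Stuart@aaa.com'
    'Nicole' = 'Nicole@aaa.com'
}

foreach ($name in $users.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name `
            -UserPrincipalName "$name@aaa.com" `
            -EmailAddress $users[$name] `
            -AccountPassword (Read-Host -AsSecureString "Password for $name") `
            -Enabled $true
    }
}

# The built-in Administrator account already exists; only set its mail attribute.
Set-ADUser -Identity 'Administrator' -EmailAddress 'administrator@aaa.com'

# Lab shortcut from the notes: jim is the AD RMS service account on the DC.
Add-ADGroupMember -Identity 'Enterprise Admins' -Members 'jim'

# Check: AD RMS identifies users by the mail attribute, so any enabled user
# listed here will fail to open protected content until it gets an address.
Get-ADUser -Filter 'Enabled -eq $true' -Properties EmailAddress |
    Where-Object { -not $_.EmailAddress } |
    Select-Object Name, SamAccountName
```

The final query is the check worth keeping: an empty result means every enabled account can be licensed. The Enterprise Admins membership mirrors the lab; outside a lab the AD RMS service account is documented as a plain domain user with no added group membership, and installing AD RMS on a domain controller is what forces the elevated rights here.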
K1 Computer
Add the "Active Directory Certificate Services" role
AD RMS will be installed on the DC. I will request a customized certificate with multiple domain names for my domain controller.
Duplicate the "Domain Controller" certificate template

Default Domain Policy--Trust the certificate authority
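The multi-name certificate request above can be scripted with certreq, which also leaves a record of exactly which names went into the request. This is an added example, not code from the original notes. It assumes it runs on K1; that the duplicated template's template name (not its display name) is CopyofDomainController and that its Subject Name tab was set to "Supply in the request"; that the enterprise CA is reachable as K1.AAA.COM\aaa-K1-CA (the CA name is a placeholder); and that the alternative names wanted are the host name, its short name and the domain name.

```powershell
# Added example for these lab notes; it is not code from the original page.
# Assumes: runs on K1; template name CopyofDomainController with the subject
# supplied in the request; CA config string 'K1.AAA.COM\aaa-K1-CA' (placeholder);
# SAN entries chosen for this lab.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=K1.AAA.COM"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = CopyofDomainController

[Extensions]
; 2.5.29.17 is the Subject Alternative Name extension
2.5.29.17 = "{text}"
_continue_ = "dns=K1.AAA.COM&"
_continue_ = "dns=K1&"
_continue_ = "dns=AAA.COM&"
'@

$work = 'C:\certreq'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\dc.inf" -Value $inf -Encoding ASCII

# Build the request in the machine store, submit it to the CA, install the result.
certreq -new    "$work\dc.inf" "$work\dc.req"
certreq -submit -config 'K1.AAA.COM\aaa-K1-CA' "$work\dc.req" "$work\dc.cer"
certreq -accept "$work\dc.cer"

# Check: confirm the installed machine certificate carries the SAN names.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=K1.AAA.COM' } |
    ForEach-Object {
        $_.Thumbprint
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
    }
```

The single-quoted here-string matters: `$Windows NT$` must reach the .inf file literally, and a double-quoted here-string would try to expand it as a variable.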

K1 computer
Add the Active Directory Rights Management Services role
Log off and log back on
Internet Explorer
K2 computer
Join the domain
Log on as aaa\administrator
Enable the AD RMS client schedule
Wait for an hour.
Open MS Word 2010
Log on as Stuart, a regular domain user

K2 Computer
Install SharePoint Server 2010--Stand-alone
SharePoint Central Administration--Security

The required Windows Rights Management client is present but the server refused access. IRM will not work until the server grants permission. Domain account name used: "K2$@aaa.com".

K1 computer
c:\inetpub\wwwroot\_wmcs\
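The "server refused access" error names the account that needs access: the SharePoint server's computer account, K2$. The script below is an added example, not code from the original notes. It assumes it runs on K1, that AD RMS is installed under the c:\inetpub\wwwroot\_wmcs\ path given above, and that the SharePoint computer account is AAA\K2$. It targets Certification\ServerCertification.asmx inside that directory, which is the object Microsoft's SharePoint-with-AD-RMS guidance names for the Read & Execute grant; the notes themselves only mention the _wmcs directory, so treat the file name as an assumption drawn from that guidance.

```powershell
# Added example for these lab notes; it is not code from the original page.
# Assumes: runs on K1; AD RMS under C:\inetpub\wwwroot\_wmcs (path from the
# notes); SharePoint computer account AAA\K2$ (from the error message);
# ServerCertification.asmx as the object to grant on (from Microsoft guidance,
# not from the notes).
$account = 'AAA\K2$'
$target  = 'C:\inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'

# Record the ACL before the change so the result can be compared afterwards.
(Get-Acl $target).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Grant only Read & Execute, only to the one computer account, only on this file.
$acl  = Get-Acl $target
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $target -AclObject $acl

# Check: exactly one Allow entry for the computer account and nothing broader.
(Get-Acl $target).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Restart IIS so the AD RMS application pool evaluates the next certification
# request from SharePoint against the updated entry.
iisreset
```

Granting at the file rather than the whole _wmcs tree keeps the SharePoint computer account away from the licensing and admin endpoints it does not need; if the error persists after this, the next thing to verify is that K2$ is the account actually reaching the server (the error message prints it).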


K2 computer
Create a Word document named "James Bond" and restrict permission so that Stuart has Change permission.
Upload the Word document to the Shared Documents library of the SharePoint site
Information Rights Management


Log on to the K2 computer as Stuart
Access the SharePoint site

When Nicole logs on to the K2 computer and opens the document from the SharePoint site, a warning window appears: she does not have permission.

Upload several Word documents without protection

Log on to K2 as Stuart
Open the Word document from the SharePoint library

Observations
The certificate for AD RMS is the most important part.
For SharePoint to use AD RMS, the permissions on the _wmcs directory are important.
If AD RMS is installed on a DC, add the service account to the Enterprise Admins group.