What is AD RMS? Configure AD RMS step by step

What is AD RMS and how to configure it?

AD RMS enables you to protect your intellectual property through the integration of several features. In fact, in addition to a direct integration with Active Directory Domain Services (AD DS), AD RMS can also rely on both Active Directory Certificate Services (AD CS) and Active Directory Federation Services (AD FS).


AD CS can generate the public key infrastructure (PKI) certificates that AD RMS can embed in documents. AD FS extends your AD RMS policies beyond the firewall and supports the protection of your intellectual property among your business partners.

 

https://www.free-online-training-courses.com/active-directory-rights-management-services/ 


AD RMS Configuration step by step

1. Here I have three servers

1.0  Windows server 2K12R2           AD         (FQDN:- srv.adds.com IP 192.168.1.13)

1.1  Windows server 2K12R2           ADRMS (Host Name:- NodeB.adds.com IP  192.168.1.16)

1.2  Windows server 2K12R2           Client     (Host Name:- NodeA.adds.com IP 192.168.1.15) 


2. First, we need to create a service account in AD (ADRMSSRV).

Open DSA.MSC

Select Users, right-click, select New User and enter all details

Set a password and tick both "User cannot change password" and "Password never expires"


3. Second, we need to create two groups in AD

Group names as below

a. ADRMS_Full

b. ADRMS_Limited

Enter ADRMS_Full and click OK

    

Enter ADRMS_Limited  and click OK



Next, add a few users to the ADRMS_Full group. For this demo I chose 4 of my Marketing users to join ADRMS_Full.

Select the group name, right-click and click Members

Enter the names of the users you want to add to the member list and click Check Names



Next, add a few users to the ADRMS_Limited group. For this demo I chose 4 of my Marketing users to join ADRMS_Limited.

Select the group name, right-click and click Members

and follow the same steps as above

4. Fourth, we need to create a Host (A) record on the same AD server and assign the AD RMS server IP (NodeB.adds.com)

Name as below

ADRMS

Open DNS > right-click the domain name and select New Host

Enter ADRMS in the Name field, then enter the IP address
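Steps 2 to 4 can also be scripted on the domain controller. The PowerShell below is an added example, not part of the original walkthrough: the member names are constructed placeholders, the Global group scope is an assumption (the page does not state one), and it assumes the ActiveDirectory and DnsServer modules are available.

```powershell
# Added example: AD-side prerequisites from steps 2-4, run on srv.adds.com.
Import-Module ActiveDirectory, DnsServer

$zone    = 'adds.com'
$rmsIp   = '192.168.1.16'            # NodeB.adds.com, from the server list
$members = @{                        # constructed sample user names
    ADRMS_Full    = 'mkt.user1', 'mkt.user2'
    ADRMS_Limited = 'mkt.user3', 'mkt.user4'
}

# Step 2: service account. The password is prompted for, never hard-coded.
if (-not (Get-ADUser -Filter "SamAccountName -eq 'ADRMSSRV'")) {
    New-ADUser -Name 'ADRMSSRV' -SamAccountName 'ADRMSSRV' `
        -AccountPassword (Read-Host 'ADRMSSRV password' -AsSecureString) `
        -CannotChangePassword $true -PasswordNeverExpires $true -Enabled $true
}

# Step 3: groups, each with a mail attribute (the super users group is
# later entered by its e-mail address). Group scope is an assumption.
foreach ($name in $members.Keys) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
            -GroupCategory Security -OtherAttributes @{ mail = "$name@$zone" }
    }
    # Add only users who are not members yet, so the script can be re-run.
    $current = Get-ADGroupMember -Identity $name |
        Select-Object -ExpandProperty SamAccountName
    $toAdd = $members[$name] | Where-Object { $_ -notin $current }
    if ($toAdd) { Add-ADGroupMember -Identity $name -Members $toAdd }
}

# Step 4: host (A) record ADRMS pointing at NodeB.
$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name 'ADRMS' `
    -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'ADRMS' -IPv4Address $rmsIp
}

# Confirm the record resolves before moving on to NodeB.
Resolve-DnsName -Name "ADRMS.$zone" -Type A | Select-Object Name, IPAddress
```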

Next, log in to NodeB.adds.com to install and configure the AD RMS server role

Open Server Manager, click Manage, and then click Add Roles and Features. In the Add Roles and Features Wizard, click Next 3 times

Then click Next 4 times


Next, click Install to proceed…


Click Close when the installation is successful

Next, on the All Servers Task Details page, click Perform Additional Configuration

Select Create a new AD RMS root cluster > Next

Select Use Windows Internal Database on this server


Specify the newly created AD service account (ADRMSSRV)

Select Cryptographic mode

Select Use AD RMS centrally managed key storage

Enter password


On the Cluster Address box, provide the following information, and then click Next to proceed:

– Connection Type: Use an unencrypted connection (http://)

– Fully Qualified Domain Name: ADDS.COM

– Port: 80

On the Licensor Certificate box, type ADDS NodeB, and then click Next…

Click on install


Now the installation part has been completed.

Next, open Internet Information Services (IIS) Manager…

In Internet Information Services (IIS) Manager, expand Sites\Default Web Site and click _wmcs, then under /_wmcs Home, double-click Authentication

Then right-click Anonymous Authentication and click Enable

In the Connections pane, expand _wmcs and click licensing and double-click Authentication

Right-click Anonymous Authentication and click Enable, then close IIS Manager…


Next, let's configure the AD RMS ADRMS_Full group for NodeB

In Server Manager, click Tools, and then click Active Directory Rights Management Services…

In the Active Directory Rights Management Services console, expand the NodeB node, click Security Policies, and then click Change super user settings

Select Super Users and click Enable Super Users

Now click Change super user group > type ADRMS_full@adds.com

Note: the group must have an email ID.


Open Active Directory Rights Management Services console, then click Rights Policy Templates node and then in the Actions pane, click Create Distributed Rights Policy Template



In the Create Distributed Rights Policy Template Wizard box, on the Add Template Identification information box, click Add

On the Add User Rights box, click Add, then on the Add User or Group page, type ADRMS_Limited

When ADRMS_Limited is selected, under Rights, click View. Verify that Grant owner (author) full control right with no expiration is selected, and then click Next…




On the Specify Expiration Policy box, configure the settings you need, and then click Next


On the Specify Extended Policy box, click Require a new use license every time content is consumed (disable client-side caching), click Next, and then click Finish.




Next step, let's configure the rights policy template distribution…

Now you need to create two folders in C:\

C:\RMSTemplates      Full access to ADDS\ADRMSSRV

C:\DocShare                Full access to ADDS\Everyone


On the ADRMS console, click the Rights Policy Templates node, and in the Distributed Rights Policy Templates area, click Change distributed rights policy templates file location, then in the Rights Policy Templates dialog box, click Enable Export…


Next, in the Specify Templates File Location (UNC), type \\NodeB\RMSTEMPLATES, and then click OK

Next, open Windows Explorer and navigate to the C:\rmstemplates folder, and verify that Test Full Access.xml is present



Next, on the ADRMS Console, click the Exclusion Policies node, and then click Manage application exclusion list


In the Actions pane, click Enable Application Exclusion…

Now all done. Wait for the next part.
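A read-only check of the settings this walkthrough applies (the http:// binding, anonymous authentication on _wmcs, the service account flags, the super users group and the folder permissions) is shown below. It is an added example, not from the original post, and assumes it runs elevated on NodeB with the WebAdministration and ActiveDirectory modules installed.

```powershell
# Added example: reports the current state only, changes nothing.
Import-Module WebAdministration, ActiveDirectory
$report = @()
function Add-Row($item, $setting, $value) {
    [pscustomobject]@{ Item = $item; Setting = $setting; Value = $value }
}

# IIS: site bindings, and anonymous authentication on the AD RMS paths.
$site = 'Default Web Site'
$report += Add-Row $site 'Bindings' ((Get-WebBinding -Name $site).protocol -join ',')
foreach ($loc in "$site/_wmcs", "$site/_wmcs/licensing") {
    $anon = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
    $report += Add-Row $loc 'AnonymousAuthentication' $anon.Value
}

# Service account flags set in step 2.
$svc = Get-ADUser -Identity 'ADRMSSRV' `
    -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet
$report += Add-Row 'ADRMSSRV' 'PasswordNeverExpires' $svc.PasswordNeverExpires
$report += Add-Row 'ADRMSSRV' 'CannotChangePassword' $svc.CannotChangePassword
$report += Add-Row 'ADRMSSRV' 'PasswordLastSet' $svc.PasswordLastSet

# Super users group: mail attribute and effective (nested) membership.
$su = Get-ADGroup -Identity 'ADRMS_Full' -Properties mail
$suMembers = Get-ADGroupMember -Identity $su -Recursive |
    Select-Object -ExpandProperty SamAccountName
$report += Add-Row 'ADRMS_Full' 'mail' $su.mail
$report += Add-Row 'ADRMS_Full' 'Members' ($suMembers -join ', ')

# NTFS ACLs on the folders created for template export and document sharing.
foreach ($dir in 'C:\RMSTemplates', 'C:\DocShare') {
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        $report += Add-Row $dir "ACL: $($ace.IdentityReference)" `
            "$($ace.AccessControlType) $($ace.FileSystemRights)"
    }
}

$report | Format-Table -AutoSize -Wrap
```

Members of the super users group can decrypt any content the cluster protects, so the Members row is the one to review most closely.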




ESXi PowerShell commands to automate ESXi configuration

# Prompt for vCenter credentials and name
$VCCred = Get-Credential
$vCenter = Read-Host "Enter vCenterName"

#$targetVC = 192.168.1.20

# Prompt for the datacenter the host will be added to
$DataCenter1 = Read-Host "Enter Datacenter host"
#$datacenter = Get-Datacenter "Demo_DC"

# Prompt for ESXi host name and credentials
$ESXI = Read-Host "Enter ESXI hostName"
$ESXICred = Get-Credential

# Connect to the ESXi host
Connect-VIServer -Server $ESXI -Credential $ESXICred

# Add NTP server details
$NTPServer = Read-Host "Write NTP server details"
#Add-VmHostNtpServer -VMHost $esxi -NtpServer servername
#Add-VMHostNtpServer -VMHost $esxi -NtpServer 192.168.1.16
Add-VMHostNtpServer -VMHost $ESXI -NtpServer $NTPServer

# Create datastore
$DataStore = Read-Host "Volume Name"
# Storage device path
$DevicePath = Read-Host "Enter Storage device path"
#New-Datastore -VMHost $ESXI -Name $DataStore -Path mpx.vmhba0:C0:T1:L0 -VMFS -FileSystemVersion 6
New-Datastore -VMHost $ESXI -Name $DataStore -Path $DevicePath -Vmfs -FileSystemVersion 6

# Update domain name, preferred DNS and search domain
$vmHostNetworkInfo = Get-VmHostNetwork -Host $ESXI
Set-VmHostNetwork -Network $vmHostNetworkInfo -VMKernelGateway 192.168.1.1 -DomainName ads.com -SearchDomain ads.com -DnsAddress 192.168.1.16 -DnsFromDhcp $false

# Connect to vCenter; Add-VMHost and Set-Datastore below run against this connection
$targetVC = Connect-VIServer -Server $vCenter -Credential $VCCred

# Add host to vCenter (-Force adds the host even if its SSL certificate cannot be verified)
Add-VMHost -Server $targetVC -Name $ESXI -Location $DataCenter1 -Credential $ESXICred -Force

# Enable Storage IO Control
Set-Datastore -Datastore $DataStore -Server $targetVC -StorageIOControlEnabled $true


Set default homepage and startup page in Chrome and Microsoft Edge | Windows 10 Workgroup Machine

Set the default homepage and startup page of Chrome and Microsoft Edge on a Windows 10 workgroup machine


On a Windows 10 machine that is a domain member, it is possible to set the homepage and startup page, but the same approach won't work on a workgroup machine.



To apply the homepage and startup page in Google Chrome, you can use an alternate method. Once you set the homepage and startup page using this method, it applies to all local users, and all local users will open the same homepage.


C:\ProgramData\Microsoft\Windows\Start Menu\Programs

Right click on Google Chrome -> Properties 

Shortcut -> Target -> Enter homepage URL name at the end of file path “ ………………………………



Click Apply and OK

Do the same with Microsoft Edge, then click Apply and OK


Remove the existing shortcut from the desktop and taskbar, then either use the link below to apply the same Start tiles and taskbar for all users, or create a new shortcut from the Start menu

http://www.mytechinfoit.com/2022/04/steps-to-customize-windows-start-layout.html 
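The shortcut edit described above can be applied to both browsers from an elevated PowerShell prompt. This is an added example, not from the original post: the homepage URL is a placeholder (the page elides its own), and the .lnk file names are assumed to be the installers' defaults.

```powershell
# Added example: append a homepage URL to the all-users Start Menu shortcuts.
$HomePage  = 'https://intranet.example/'     # placeholder URL
$startMenu = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs'
$shell     = New-Object -ComObject WScript.Shell

foreach ($name in 'Google Chrome.lnk', 'Microsoft Edge.lnk') {   # assumed names
    $path = Join-Path $startMenu $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Shortcut not found: $path"
        continue
    }

    # The text typed after the file path in the Target field is stored
    # in the shortcut's Arguments property.
    $lnk = $shell.CreateShortcut($path)
    if ($lnk.Arguments -notlike "*$HomePage*") {
        # Keep any arguments already present and append the URL once.
        $lnk.Arguments = ("$($lnk.Arguments) `"$HomePage`"").Trim()
        $lnk.Save()
    }

    # Report the resulting target and arguments for review.
    [pscustomobject]@{
        Shortcut  = $name
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
    }
}
```

Running it again makes no further changes, and the output doubles as a record of which arguments each shared shortcut now carries.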





Cisco UCS Dynamic Pinning Overview



Dynamic Pinning

This is the default pin group setting. In dynamic pinning, Fabric Interconnect automatically binds server vNICs to uplink FI ports. The mapping of server vNICs to uplink FI ports depends upon the total number of active uplinks configured, which could be either 1, 2, 4, or 8 (for older 6100 series FIs, uplinks could only be 1, 2, and 4).


Failure Response in Dynamic Pinning

Both Fabric Interconnects are in Active/Active mode with respect to Ethernet data traffic movement. Each server is pinned to a single Fabric Interconnect uplink port or port channel. This means that the data traffic from some servers will move using Fabric Interconnect A and for other servers using Fabric Interconnect B.


If the northbound uplink or port channel to which a server is currently pinned fails, the server connection will be automatically pinned to another port or port channel on the same Fabric Interconnect. In case of a complete Fabric Interconnect failure, the server will be automatically pinned to any uplink port or port channel on the second Fabric Interconnect, provided that Fabric failover is configured for the vNIC. The Fabric Interconnect will update the northbound switch about this change using Gratuitous Address Resolution Protocol (GARP).


The dynamically pinned server vNIC uplinks are automatically rebalanced after 300 seconds to distribute the data traffic load on both Fabric Interconnects.


No user configuration is required for dynamic pinning. If no static pin groups are configured, dynamic pinning will be automatically used. Dynamic pinning is the recommended configuration and static pinning should only be used for business use cases.




Log in to UCS Manager

From the left side, select LAN

Under Policies, select vNIC Templates

Right-click vNIC Templates and select Create vNIC Template

Name: type the template name

Select Enable Failover

Redundancy: select as per your requirement

Click OK


