AD RMS Infrastructure Concepts

AD RMS Infrastructure Concepts

AD RMS infrastructure

AD RMS, like any IT service, relies on some infrastructure to work. In the case of AD RMS there are several components that work together in order for the solution to deliver a useful service. The most relevant ones are:
· AD RMS servers and clusters
· The AD RMS SQL Server database
· Active Directory
· The Rights Management Services client and RMS-enabled applications in the client
· AD RMS-integrated server applications



While there are other components that work along with AD RMS to make the whole thing work, those should cover the most important ones needed to understand other topics in this blog.

AD RMS Servers and Clusters

AD RMS provides its services to other elements as a web-service, and it is thus hosted inside Internet Information Services in a Windows Server. It normally runs over HTTPs (though running it over HTTP is also possible) providing a few web service operations that can be consumed by clients and services to perform information protection and consumption tasks.
AD RMS actually not only uses IIS in the hosting server, but it also uses Message Queuing to interact with the AD RMS database which we will be discussing later. That ensures that operations in the AD RMS services that need to send data to the database can be performed asynchronously and that in turn increases performance and resiliency of the database services.
Multiple AD RMS servers are typically joined together forming AD RMS clusters, which are basically collections of identically-configured AD RMS servers connected to the same AD RMS database and working together to resolve requests from other clients and servers. In an AD RMS cluster it doesn’t matter which server resolves a request, so the requests are typically load balanced through a mechanisms such as Network Load Balancing in Windows or an external load balancer.

AD RMS Database

As stated, a group of identical AD RMS servers form an AD RMS cluster. Servers in a cluster don’t host persistent service-related data in their own disks. All configurations, logs, persistent status and operation data and caches are actually hosted externally to the AD RMS servers in a SQL Server database called the AD RMS Database. That way, all servers share a common configuration and if a server fails users can continue to work through other servers in the cluster.
There’s actually not a single AD RMS database but three. Those three databases are typically hosted in the same server and are:
· The AD RMS Configuration Database, which hosts all the configurations defining the behavior of the cluster such as its URLs and caching behavior, as well as copies of some certificates and other items needed to keep the service running. It typically also holds the core certificates and keys for the AD RMS servers themselves.
· The AD RMS Caching database, which is used to cache frequently used data about the users and groups defined in Active Directory, in order to avoid impacting the performance of AD every time the service needs anything from the directory.
· The AD RMS Logging Database, in which AD RMS puts information about transactions that have been performed by the service. This information is not used by AD RMS for anything other than for reporting.

Active Directory

AD RMS uses Active Directory to authenticate users of the system within the forest where it is installed. It also uses AD to obtain information about the email address of the users, which is used as the users’ identifier thorough the system, and to obtain information about group membership when the rights assigned to a document refer to a group instead of an individual user.
As stated above, AD RMS caches data from AD in the AD RMS AD Caching database in order to avoid hitting the domain controllers too hard.

Client-side components

AD RMS typically works together with client-side components to perform the encryption, decryption and policy enforcement tasks.
The main client-side components in an AD RMS system are the Rights Management Services client and AD RMS-enabled applications.
The Rights Management Services client, which comes installed as part of Windows Vista SP1 and later and in Windows 7, and that can be installed in earlier versions of Windows, deals with all the key management, communicates with the AD RMS services in requesting licenses and providing certificates and communicates with the client applications to perform the encryption and decryption of content. It also provides a secure environment for all these tasks to occur, helping prevent tampering and potential key disclosures.

AD RMS enabled server-side applications

While most AD RMS-related operations are performed between the clients and the AD RMS servers, having some level of integration between certain server-side services and AD RMS can provide for a better user experience and more efficient IT services. For example, Exchange Server 2010 can acquire licenses for content on behalf of the users so users don’t have to wait for a license to be acquired when they open email they have in their inbox. It also provides the ability to create and consume protected content in the browser when using OWA, along with other capabilities.

How to Backup and Restore Active Directory on Server 2008

• By Eric English

Have you ever accidentally deleted a user account or an OU in Active Directory and wished you could restore it?
I recently had a client call me after they installed updates and rebooted their server. They noticed after the reboot that there was a message that said “Active Directory is rebuilding indices. Please wait”.
Their Active Directory database had become corrupted from the updates. So what do you do? How can you restore AD?
Let’s talk about how to backup AD in Windows Server 2008 and how to restore it. Today I’ll show you:

• what you need to do to get your Server 2008 ready for backup
• how to backup Active Directory on Server 2008
• how to perform an Authoritative Restore of Active Directory
• how to perform Active Directory Snapshots

Prerequisites: Getting Server 2008 Ready for Backup

Before you can backup Server 2008 you need to install the backup features from the Server Manager.
1. To install the backup features click Start → Server Manager.


2. Next click Features → Add Features



3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools



4. Click Next, then click Install

Backing up Server 2008 Active Directory

Now that we have the backup features installed we need to backup Active Directory. You could do a complete server backup, but what if you need to do an authoritative restore of Active Directory?
As you’ll notice in Server 2008, there isn’t an option to backup the System State data through the normal backup utility.



So what do we do? We need to go “command line” to backup Active Directory.
1. Open up your command prompt by clicking Start and type “cmd” and hit enter.
2. In your command prompt type “wbadmin start systemstatebackup -backuptarget:e:” and press enter.
Note: You can use a different backup target of your choosing
3. Type “y” and press enter to start the backup process.



When the backup is finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot.



Now you have a system state backup of your 2008 Server!

Authoritative Restore of Active Directory

So now what if you accidentally delete an OU, group, or a user account and it’s already replicated to your other servers? We will need to perform an authoritative restore of the Active Directory object you accidentally deleted.
1. To do this you will need to boot into DSRM (Directory Services Restore Mode) by restarting your server and pressing F8 during the restart.
2.Choose Directory Services Restore Mode from the Advanced Boot menu.



3. Login to your server with your DSRM password you created during Active Directory installation.
4. Once you’re logged into your server and in DSRM safe mode, open a command prompt by clicking Start, type “cmd“, and press enter.
5. To make sure you restore the correct backup it’s a good idea to use the “wbadmin get versions” command and write down the version you need to use.



6. Now we need to perform a non-authoritative restore of Active Directory by typing “wbadmin start systemstaterecovery -version:04/14/2009-02:39“.
Note: The version of backup will vary depending on your situation. Type “y” and press enter to start the non authoritative restore.
7. Go grab some coffee and take a break while the restore completes.



8. You can mark the sysvol as authoritative by adding the –authsysvol switch to the end of the wbadmin command.



9. But if you want to restore a specific Active Directory object then you can use the ever familiar ntdsutil.
For this example we are going to restore a user account with a distinguished name of CN=Test User,CN=Users,DC=home,DC=local. So the commands would be:

ntdsutil
activate instance ntds
authoritative restore
restore object “cn=Test User,cn=Users,dc=home,dc=local”

Note: The quotes are required



10. Reboot your server into normal mode and you’re finished. The object will be marked as authoritative and replicate to the rest of your domain.

Using Active Directory Snapshots

There is a really cool new feature in Windows Server 2008 called Active Directory Snapshots. Volume Shadow Copy Service now allows us to take a snapshot of Active Directory as a type of backup. They are very quick to create and serve as another line of defense for your backup strategy.
With your server booted into normal mode open a command prompt by clicking Start, type “cmd“, and press enter.
We are going to use the ntdsutil again for creating the Active Directory snapshots. The commands are:

ntdsutil
snapshot
activate instance ntds
create
quit
quit

So now that you have a snapshot of AD, how do you access the data? First we need to mount the snapshot using ntdsutil. The commands are:

ntdsutl
snapshot
list all
mount 1 — (Note: You should mount the correct snapshot you need; for this example there is only 1.)
quit
quit

Your snapshot is mounted, but how do you access the data? We need to use the dsamain command to accomplish this. Then we need to select an LDAP port to use. The command is as follows:

dsamain –dbpath c:\$SNAP_200905141444_VOLUMEC$\WINDOWS\NTDS\ntds.dit –ldapport 10001

The result should look like this:



Now we need to go to Start, Administrative Tools, then Active Directory Users and Computers.
Right click Active Directory Users and Computers and select Change Domain Controller.



In the area that says < Type a Directory Server name [:port] here > enter the name of your server and the LDAP port you used when running the dsamain command.
For my example it would be: WIN-V22UWGW0LU8.HOME.LOCAL:10001



Now you can browse the snapshot of Active Directory without affecting anything else negatively.