Windows Server 2008

February 14, 2008

Active Directory Rights Management Services Overview

Filed under: Active Directory — admin @ 12:50 pm

By using Active Directory Rights Management Services (AD RMS) and the AD RMS client, you can augment an organization’s security strategy by protecting information through persistent usage policies, which remain with the information, no matter where it is moved. You can use AD RMS to help prevent sensitive information—such as financial reports, product specifications, customer data, and confidential e-mail messages—from intentionally or accidentally getting into the wrong hands.

For information about AD RMS, see the Active Directory Rights Management Services TechCenter page at http://go.microsoft.com/fwlink/?LinkId=80907.

In the following sections, learn more about AD RMS, the required and optional features in AD RMS, and hardware and software used for running AD RMS. At the end of this topic, learn how to open the AD RMS console and how to find more information about AD RMS.

What is Active Directory Rights Management Services?

An AD RMS system includes a Windows Server® 2008-based server running the Active Directory Rights Management Services (AD RMS) server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows Vista® operating system. The deployment of an AD RMS system provides the following benefits to an organization:

• Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as “confidential - read only” that can be applied directly to the information.
• Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.
• Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.

AD RMS combines the features of Rights Management Services (RMS) in Windows Server 2003, developer tools, and industry security technologies—including encryption, certificates, and authentication—to help organizations create reliable information protection solutions. For creating customized AD RMS solutions, an AD RMS software development kit (SDK) is available.

Features in AD RMS

By using Server Manager, you can set up the following components of AD RMS:

• Active Directory Rights Management Services. The Active Directory Rights Management Services (AD RMS) role service is a required role service that installs the AD RMS components used to publish and consume rights-protected content.
• Identity Federation Support. The identity federation support role service is an optional role service that allows federated identities to consume rights-protected content by using Active Directory Federation Services.

Hardware and software considerations

AD RMS runs on a computer running the Windows Server 2008 operating system. When the AD RMS server role is installed, the required services are installed, one of which is Internet Information Services (IIS). AD RMS also requires a database, such as Microsoft SQL Server, which can be run either on the same server as AD RMS or on a remote server, and an Active Directory Domain Services forest.

The following table describes the minimum hardware requirements and recommendations for running Windows Server 2008-based servers with the AD RMS server role.

Table columns: Requirement, Recommendation.
Note:

To assist with your hardware considerations, use testing in a lab environment, data from existing hardware in a production environment, and pilot roll-outs to determine the capacity needed for your server.

The following table describes the software requirements for running Windows Server 2008-based servers with the AD RMS server role. For requirements that can be met by enabling features on the operating system, installing the AD RMS server role will configure those features as appropriate, if they are not already configured.

Table columns: Software, Requirement.

The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007. In order to create rights-protected content, Microsoft Office 2007 Enterprise, Professional Plus, or Ultimate is required. For additional security, AD RMS can be integrated with other technologies such as smart cards.

Windows Vista includes the AD RMS client by default, but other client operating systems must have the RMS client installed. The RMS client with Service Pack 2 (SP2) can be downloaded from the Microsoft Download Center and works on versions of the client operating system earlier than Windows Vista and Windows Server 2008.

For more detailed information about hardware and software considerations with AD RMS, see the Pre-installation Information for Active Directory Rights Management Services topic on the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=84733).

Installing AD RMS

After you finish installing the operating system, you can use Initial Configuration Tasks or Server Manager to install server roles. To install AD RMS, in the list of tasks, click Add roles, and then click the Active Directory Rights Management Services check box.

For detailed instructions about installing and configuring AD RMS in a test environment, see the AD RMS installation Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).

Managing AD RMS

Server roles are managed by using a Microsoft Management Console (MMC) snap-in. Use the Active Directory Rights Management Services console to manage AD RMS. To open the Active Directory Rights Management Services console, click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

For more information

To learn more about AD RMS, you can view the Help on your server. To do this, open the Active Directory Rights Management Services console, and then press F1, or visit the Active Directory Rights Management Services TechCenter (http://go.microsoft.com/fwlink/?LinkId=80907).

What’s New in AD FS in Windows Server 2008

Filed under: Active Directory — admin @ 12:48 pm

You can use Active Directory® Federation Services (AD FS) to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. This topic provides an overview of the improvements in AD FS. For details about the improvements, see Active Directory Federation Services Role.

Overview of the improvements in AD FS

For Windows Server® 2008, AD FS includes new functionality that was not available in Windows Server 2003 R2. This new functionality is designed to ease administrative overhead and to further extend support for key applications:

• Improved installation: AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.
• Improved application support: AD FS is more tightly integrated with Microsoft Office SharePoint® Server 2007 and Active Directory Rights Management Services (AD RMS).
• A better administrative experience when you establish federated trusts: Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.

Active Directory Domain Services Overview

Filed under: Active Directory — admin @ 12:47 pm

By using the Active Directory® Domain Services (AD DS) server role in the Windows Server® 2008 operating system, you can create a scalable, secure, and manageable infrastructure for user and resource management, and you can provide support for directory-enabled applications, such as Microsoft® Exchange Server.

In the following sections, learn more about AD DS, features in AD DS, and software and hardware considerations. For more information about planning, deploying, and operating the AD DS server role, and for a technical reference that explains how AD DS works and the various tools and settings that it uses, see Active Directory Domain Services (http://go.microsoft.com/fwlink/?LinkID=48547).

What is the AD DS server role?

AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.

Organizing network elements into a hierarchical containment structure provides the following benefits:

• The forest acts as a security boundary for an organization and defines the scope of authority for administrators. By default, a forest contains a single domain, which is known as the forest root domain.
• Additional domains can be created in the forest to provide partitioning of AD DS data, which enables organizations to replicate data only where it is needed. This makes it possible for AD DS to scale globally over a network that has limited available bandwidth. An Active Directory domain also supports a number of other core functions that are related to administration, including network-wide user identity, authentication, and trust relationships.
• OUs simplify the delegation of authority to facilitate the management of large numbers of objects. Through delegation, owners can transfer full or limited authority over objects to other users or groups. Delegation is important because it helps to distribute the management of large numbers of objects to a number of people who are trusted to perform management tasks.

Features in AD DS

Security is integrated with AD DS through logon authentication and access control to resources in the directory. With a single network logon, administrators can manage directory data and organization throughout their network. Authorized network users can also use a single network logon to access resources anywhere in the network. Policy-based administration eases the management of even the most complex network.

Additional AD DS features include the following:

• A set of rules, the schema, that defines the classes of objects and attributes that are contained in the directory, the constraints and limits on instances of these objects, and the format of their names.
• A global catalog that contains information about every object in the directory. Users and administrators can use the global catalog to find directory information, regardless of which domain in the directory actually contains the data.
• A query and index mechanism, so that objects and their properties can be published and found by network users or applications.
• A replication service that distributes directory data across a network. All writable domain controllers in a domain participate in replication and contain a complete copy of all directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain.
• Operations master roles (also known as flexible single master operations or FSMO). Domain controllers that hold operations master roles are designated to perform specific tasks to ensure consistency and eliminate conflicting entries in the directory.

Identity Management for UNIX

Identity Management for UNIX is a role service of AD DS that can be installed only on domain controllers. Two Identity Management for UNIX technologies, Server for NIS and Password Synchronization, make it easier to integrate computers running Windows® into your existing UNIX enterprise. AD DS administrators can use Server for NIS to manage Network Information Service (NIS) domains. Password Synchronization automatically synchronizes passwords between Windows and UNIX operating systems.

New features in Windows Server 2008 AD DS

Windows Server 2008 includes the new AD DS features in the following table.

Table columns: Feature, Description.
• The physical security of a domain controller cannot be ensured or its location does not include administrators with the domain-wide authority that is required to administer a writable domain controller.
• Branch office users can benefit from a more efficient logon process that is provided by a local domain controller in the branch office.

Hardware and software considerations

You can use performance counters, testing in the lab, data from existing hardware in a production environment, and pilot roll-outs to determine the capacity needs for your server. Servers running Windows Server 2008 need at least 512 megabytes (MB) of RAM and 20 gigabytes (GB) of hard disk space.

Important:

The AD DS server role requires Domain Name System (DNS) services to locate computers, domain controllers, member servers, and network services by name. The DNS Server role provides DNS name resolution services for TCP/IP-based networks by mapping names to IP addresses, which makes it possible for computers to locate network resources in an AD DS environment.

In addition, AD DS must be installed on the network to implement other important Windows Server technologies, such as Group Policy and Active Directory Certificate Services (AD CS).

Installing the AD DS server role

After you finish installing the operating system, you can use Initial Configuration Tasks or Server Manager to install server roles. To install the AD DS server role, click Add roles to start the Add Roles Wizard, and then click Active Directory Domain Services. Step through the Add Roles Wizard to install the files for the AD DS server role. After you complete the Add Roles Wizard, click the link to start the Active Directory Domain Services Installation Wizard.

Step through the Active Directory Domain Services Installation Wizard to complete the installation and configuration of your domain controller. Most wizard pages have a Help link for more information about the settings that you can configure.

To automate domain controller installations, you can use an answer file or you can specify unattended installation parameters at the command line. For more information about installing AD DS, see the Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal (http://go.microsoft.com/fwlink/?LinkId=88228).
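The unattended route mentioned above, as an added example that is not part of the original page or Microsoft's documentation: a PowerShell script that writes a dcpromo answer file for the first domain controller of a new forest and runs the installation from it. The domain names, paths and the DSRM password are constructed placeholders, and the treatment of dcpromo's return codes (1 to 4 meaning success) is taken from its documented convention, not from this page.

```powershell
# Added example (not from the original page): unattended promotion of a
# Windows Server 2008 member server to the first domain controller of a new
# forest, driven by a dcpromo answer file. All names and paths are
# constructed placeholders; replace them for a real environment.

$answerFile = 'C:\Temp\dcunattend.txt'

# [DCINSTALL] is the section that dcpromo /unattend reads.
# ForestLevel/DomainLevel 3 = Windows Server 2008 functional level.
# Single-quoted here-string: nothing inside is expanded by PowerShell.
$answer = @'
[DCINSTALL]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=corp.example.com
DomainNetBiosName=CORP
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
SafeModeAdminPassword=PLACEHOLDER_DSRM_PASSWORD
RebootOnCompletion=No
'@

New-Item -ItemType Directory -Path (Split-Path $answerFile) -Force | Out-Null
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

# Run the promotion and wait for it. Assumption: dcpromo's documented return
# codes, where 1-4 are success variants (2 and 4 require a reboot) and
# anything else is a failure; details land in %SystemRoot%\debug\dcpromo.log.
$proc = Start-Process -FilePath 'dcpromo.exe' `
    -ArgumentList "/unattend:`"$answerFile`"" -Wait -PassThru

# The answer file holds the Directory Services Restore Mode password in
# clear text, so remove it as soon as dcpromo has consumed it.
Remove-Item -Path $answerFile -Force

if ($proc.ExitCode -lt 1 -or $proc.ExitCode -gt 4) {
    throw "dcpromo failed with exit code $($proc.ExitCode); see $env:SystemRoot\debug\dcpromo.log"
}

if ($proc.ExitCode -eq 2 -or $proc.ExitCode -eq 4) {
    Write-Host 'Promotion succeeded; restart the server to complete it.'
} else {
    Write-Host 'Promotion succeeded.'
}
```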

Managing the AD DS server role

You can manage server roles with Microsoft Management Console (MMC) snap-ins. To manage a domain controller (that is, a server that is running AD DS), click Start, click Control Panel, click Administrative Tools, and then double-click the appropriate snap-in:

• To manage user and computer accounts, click Active Directory Users and Computers.
• To manage Active Directory trusts, functional levels, and forest-wide operations master roles, click Active Directory Domains and Trusts.
• To manage Active Directory sites and site links, click Active Directory Sites and Services.

As an alternative, you can double-click the appropriate snap-in on the Active Directory Domain Services page in Server Manager.

Experienced programmers and system administrators can manage the Active Directory schema, but the Active Directory Schema snap-in is not installed by default. In addition, the schmmgmt.dll file must be registered before the snap-in can be installed.

To install the Active Directory Schema snap-in
• To place the snap-in on the Administrative Tools menu, in File name, type a name for the snap-in, and then click Save.
• To save the snap-in to a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.
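The registration step that precedes the procedure above (the schmmgmt.dll registration noted earlier), as an added example that is not part of the original page: a PowerShell script that registers the DLL with regsvr32, checks the result, and then confirms that MMC can see the snap-in before launching the console. The registry location and the NameString value it filters on are assumptions about how MMC records snap-ins, not facts from this page.

```powershell
# Added example (not from the original page): make the Active Directory
# Schema snap-in available in MMC on a domain controller or a server with
# the AD DS tools installed.

$dll = Join-Path $env:SystemRoot 'System32\schmmgmt.dll'
if (-not (Test-Path $dll)) {
    throw "schmmgmt.dll not found at $dll; install the AD DS administration tools first"
}

# /s suppresses the success dialog; regsvr32 exits non-zero on failure.
$reg = Start-Process -FilePath 'regsvr32.exe' -ArgumentList "/s `"$dll`"" -Wait -PassThru
if ($reg.ExitCode -ne 0) {
    throw "regsvr32 failed with exit code $($reg.ExitCode) (run it from an elevated prompt)"
}

# Assumption: MMC lists registered snap-ins under this key, one subkey per
# CLSID, each carrying a NameString value with the display name.
$snapInRoot = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns'
$schemaSnapIn = Get-ChildItem -Path $snapInRoot |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.NameString -like '*Schema*' }

if (-not $schemaSnapIn) {
    throw 'Registration ran, but no Schema snap-in entry is visible to MMC'
}
Write-Host "Registered snap-in: $($schemaSnapIn.NameString)"

# From here the remaining steps are interactive: in MMC choose File,
# Add/Remove Snap-in, add Active Directory Schema, then save the console
# (.msc) into Administrative Tools or another folder as the page describes.
Start-Process -FilePath 'mmc.exe'
```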

Active Directory Certificate Services Overview

Filed under: Active Directory — admin @ 12:46 pm

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.

In the following sections, learn more about AD CS, the required and optional features in AD CS, and hardware and software used for running AD CS. At the end of this topic, learn how to open the interface for AD CS and how to find more information about AD CS.

Features in AD CS

By using Server Manager, you can set up the following components of AD CS:

• Certification authorities (CAs). Root and subordinate CAs are used to issue certificates to users, computers, and services, and to manage certificate validity.
• Web enrollment. Web enrollment allows users to connect to a CA by means of a Web browser in order to request certificates and retrieve certificate revocation lists (CRLs).
• Online Responder. The Online Responder service decodes revocation status requests for specific certificates, evaluates the status of these certificates, and sends back a signed response containing the requested certificate status information.
• Network Device Enrollment Service. The Network Device Enrollment Service allows routers and other network devices that do not have domain accounts to obtain certificates.

Benefits of AD CS

Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.

Among the new features of AD CS in Windows Server® 2008 are:

• Improved enrollment capabilities that enable delegated enrollment agents to be assigned on a per-template basis.
• Integrated Simple Certificate Enrollment Protocol (SCEP) enrollment services for issuing certificates to network devices such as routers.
• Scalable, high-speed revocation status response services combining both CRLs and integrated Online Responder services.

Hardware and software considerations

AD CS requires Windows Server 2008 and Active Directory Domain Services (AD DS). Although AD CS can be deployed on a single server, many deployments will involve multiple servers configured as CAs, other servers configured as Online Responders, and others serving as Web enrollment portals. CAs can be set up on servers running a variety of operating systems, including Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design will require careful planning and testing before you deploy AD CS in a production environment.


Installing AD CS

After you finish installing the operating system, you can set up a CA and other optional components by using Server Manager.

Additional configuration steps need to be completed by using the appropriate snap-ins before a CA or Online Responder is functional. For more information, refer to the related Help topics for the Certification Authority and Online Responder snap-ins.

Managing AD CS

AD CS role services are managed by using Microsoft Management Console (MMC) snap-ins.

• To manage a CA, use the Certification Authority snap-in. To open Certification Authority, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certification Authority, click Add, click OK, and then double-click Certification Authority.
• To manage certificates, use the Certificates snap-in. To open Certificates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificates, click Add, click OK, and then double-click Certificates.
• To manage certificate templates, use the Certificate Templates snap-in. To open Certificate Templates, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Certificate Templates, click Add, click OK, and then double-click Certificate Templates.
• To manage an Online Responder, use the Online Responder snap-in. To open Online Responder, click Start, click Run, type mmc, click File, click Add/Remove Snap-in, click Online Responder, click Add, click OK, and then double-click Online Responder.

If you are using Windows Server 2008 but have not yet installed any of the AD CS role services, then only the Certificates snap-in is installed by default. You can install the remaining snap-ins without installing AD CS role services by using Server Manager and selecting the Active Directory Certificate Services tools under Remote Server Administration Tools. If the computer you want to perform remote administration tasks from is running Windows Vista, you can obtain the Remote Server Administration Tools Pack from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkID=89361).

For more information

• To learn more about AD CS, you can view the Help on your server. To do this, open the Certification Authority snap-in and then press F1 to display Help.
• For more inf