As most of you were aware, I published my book "Mastering Active Directory" back in, 2017. When I released it, I had my doubts! It was my first book even though I was writing to blogs for many years. But over the last 2 years, I had many positive feedbacks. Thousands of people all around the global read this book. Lots of them requested another book. So Yes! I heard it loud and clear. 

I glad to announce the public release of my second book, "Mastering Active Directory, Second Edition" today. It is available for purchase worldwide now.

I also take this opportunity to thanks all my readers who believed in me. It is you who encouraged me to release another edition this soon. 

What Is new in the second edition? 

The new content for this edition is covering,

• Tips to Design your Hybrid AD environment by evaluating business and technology requirements 

• Deep dive into different authentication methods which can use in Hybrid AD environment

• How to protect sensitive data in a hybrid environment using Azure Information Protection

• Learn about protecting identities in Hybrid AD environment 

• Integrate with Azure Active Directory and Manage identities in Hybrid Environment using Azure Active Directory PowerShell for Graph module

Book Name: Mastering Active Directory, Second Edition

ISBN: 978-1789800203

Number of Pages: 786

Publisher: Packt Publishing

Book is available in paperback and kindle format.

https://www.amazon.com/dp/178980020X/ref=olp_product_details?_encoding=UTF8&me=

It also can access via subscriptions, 

https://www.packtpub.com/cloud-networking/mastering-active-directory-second-edition

The Protected Users security group was introduced with Windows Server 2012 R2 and continued in Windows Server 2019. This group was developed to provide better protection for high privileged accounts from credential theft attacks. Members of this group have non-configurable protection applied. In order to use the Protected Users group, PDC should be running with a minimum of Windows Server 2012 R2 and the client computers should be running with a minimum of Windows 8.1 or Windows 2012 R2.

If a member of this group logs into Windows 8.1, Windows Server 2012 R2, Windows 10, Windows Server 2016 or Windows server 2019, we can expect the following:

• Members of this group cannot use NTLM, digest authentication, or CredSSP for authentication. Plain text passwords are not cached. So, any of the devices using these protocols will fail to authenticate to the domain.

• Kerberos long-term keys not cached. For accounts in this group, the Kerberos protocol verifies authentication at each request (the TGT acquired at log on).

• Sign-in is offline. A cached verifier is not created at sign-in.

For the Protected Users group feature, it is not a must to have a domain or forest functional level run on Windows Server 2012 R2 or higher (Windows Server 2008 is the minimum as Kerberos needs to use AES). The only requirement is to run the PDC emulator FSMO role in the Windows Server 2012 R2 domain controller.

If the AD environment uses Windows Server 2012 R2 or Windows Server 2016 domain functional levels, it provides additional protections with Protected User groups, as:

• No NTLM authentication

• No DES or RC4 encryption in Kerberos pre-authentication

• No delegation using the unconstrained or constrained method

• No Kerberos TGT valid more than 4 hours

To start with, we can review the Protected Users security group using the following command:

Get-ADGroup -Identity "Protected Users"

The following screenshot shows the output for the preceding command:

We can add users to the Protected Users group using ADAC, ADUC MMC, and PowerShell. This group is located in the default Users container in AD.

In here, we are going to add the user account Adam in to the Protected Users group using the following command:

Get-ADGroup -Identity "Protected Users" | Add-ADGroupMember –Members "CN=Adam,CN=Users,DC=rebeladmin,DC=com"

The first part of the command will retrieve the group and the second part will add the user Adam to it.

I am glad to announce that I have been awarded with MVP award by Microsoft for 5th consecutive time. It is a true honor to be a part of such a great community. I got my first award back in 2014 under Active Directory category. After that for last 3 years I was awarded under Enterprise Mobility Category.

What is MVP Award?

For more than two decades,the Microsoft MVP Award is our way of saying "Thanks!" to outstanding community leaders. The contributions MVPs make to the community, ranging from speaking engagements, to social media posts, to writing books, to helping others in online communities, have incredible impact. Key benefits to MVPs include early access to Microsoft products, direct communication channels with our product teams and an invitation to the Global MVP Summit, an exclusive annual event hosted in our global HQ in Redmond. They also have a very close relationship with the local Microsoft teams in their area, who are there to support and empower MVPs to address needs and opportunities in the local ecosystem.

I take this opportunity to thank my MVP program Manager Betsy Weber, former program manager Simran Chaudhry for their awesome support over the years. I also like to thank my wife and little selena for their understanding and patience with my community engagements.

I also like to thank my readers for their support and encouragement over last 7 years. In coming weeks, you will see more enhancements in my blog to give you more user-friendly experience. Also, glad to announce that soon you will able to connect with my YouTube channel. So, stay touch! if you need help with subject matters always feel free to contact me on rebeladm@live.com or follow me on twitter @rebeladm

AD DS security is key for any environment as it is foundation of identity protection. Before look in to improvements of AD DS security in an environment, it is important to understand how Active Directory authentication works with Kerberos. In this post I am going to explain how AD authentication works behind the scene.

In infrastructure, there are different types of authentication protocols been used. Active Directory uses Kerberos version 5 as authentication protocol in order to provide authentication between server and client. Kerberos v5 became default authentication protocol for windows server from windows server 2003. It is an open standard and it provides interoperability with other systems which uses same standards.

Kerberos protocol is built to protect authentication between server and client in an open network where other systems also connected. The main concept behind authentication is, two parties agreed on a password (secret) and both use it to identify and verify their authenticity. 

Group Policy can map to Sites, Domain and OUs. If group policy is mapped to OU, by default it will apply to any object under it. But within a OU, Domain or Site there are lots of objects. The security, system or application settings requirements covers by group policies not always applies to boarder target groups. Group Policy filtering capabilities allows to further narrow down the group policy target to security groups or individual objects. 

There are few different ways we can do the filtering in group policy.

1) Security Filtering

2) WMI Filtering

In this post we are going to look in to Security Filtering. In one of my previous post I already covered WMI filtering. It can be found under http://www.rebeladmin.com/2018/02/group-policy-wmi-filters-nutshell/ 

Before apply the security filtering, the first thing to make sure is group policy mapped correctly to the Site, Domain or OU. The security group or the objects you going to target should be under correct level where group policy is mapped. 

We can use the GMPC or PowerShell cmdlets to add the security filtering to GPO.

As you can see, by default any policy have “Authenticated Users” group added to the security filtering. It means by default the policy will apply to any authenticated user in that OU. When we add any group or object to security filtering, it also creates entry under delegation. In order to apply a group policy to an object, it needs minimum of,

 

1) READ

2) APPLY GROUP POLICY

 

Any object added to the Security Filtering section will have both of these permissions set by default. Same way if an object added directly to delegation section and apply both permissions, it will list down those objects under Security Filtering section. 

Now, before we add custom objects to the filtering, we need change the default behavior of the security filtering with “Authenticated Users”. Otherwise it doesn’t matter what security group or object you add it will still apply group policy settings to any authenticated user. Before Microsoft release security patch MS16-072 in year 2016, we can simply remove the Authenticated Users group and add the required objects to it. with this new security patch changes, group policies now will run with in computer security context. Before it was executed with in user’s security context. In order to accommodate this new security requirements, one of following permissions must be available under group policy delegation. 

 

Authenticated Users – READ

Domain Computers – READ

 

In order to edit these changes, Go to Group Policy, Then to Delegation tab, Click on Advanced, Select Authenticated users and then remove Apply group policy permissions. 

 

 

Now we can go back to Scope tab and add the required security group or objects in to security filtering section. it will automatically add the relevant Read and Apply Group Policy permissions. 

 

 

In here we looking in to how to apply group policy to specific target, but it also allows to explicitly allow it to large number of objects and block groups or object by applying it. as an example, let’s assume we have a OU with few hundred objects from different classes. From all these we have like 10 computer objects which we do not need to apply a given group policy. Which one is easy? go and add each and every security group and object to security filtering or allow every one for group policy and block it only for one security group? Microsoft allows to use the second method in filtering too. In order to do that, group policy should have default security filtering which is “Authenticated users” with READ and APPLY GROUP POLICY permissions. Then go to Delegation tab and click on Advanced option. In next window click on Add button and select the group or object that you need to block access to. 

 

 

Now in here we are denying READ and APPLY GROUP POLICY permissions to an object. So, it will not able to apply the group policy and all other object under that OU will still able to read and apply group policy. Easy ha?

 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Data Replication is crucial for healthy Active Directory Environment. There are different ways to check status of replication. In this article I am going to explain how you can check status of domain replication using PowerShell.

For a given domain controller we can find its inbound replication partners using, 

Get-ADReplicationPartnerMetadata -Target REBEL-SRV01.rebeladmin.com

Above command provide detail description for the given domain controller including last successful replication, replication partition, server etc. 

We can list down all the inbound replication partners for given domain using, 

Get-ADReplicationPartnerMetadata -Target "rebeladmin.com" -Scope Domain

In above command the scope is defined as the domain. this can change to forest and get list of inbound partners in the forest. The output is for default partition.  If needed the partition can change using – Partition to Configuration or Schema partition. It will list down the relevant inbound partners for given partition. 

Associated replication failures for a site, forest, domain, domain controller can find using Get-ADReplicationFailure cmdlet. 

Get-ADReplicationFailure -Target REBEL-SRV01.rebeladmin.com

Above command will list down the replication failures for the given domain controller. 

Replication failures for domain can find out using, 

Get-ADReplicationFailure -Target rebeladmin.com -Scope Domain

Replication failures for forest can find out using, 

Get-ADReplicationFailure -Target rebeladmin.com -Scope Forest

Replication failures for site can find out using, 

Get-ADReplicationFailure -Target LondonSite -Scope Site

In command, LondonSite can replace using relevant site name. 

Using both Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure, following PowerShell script can provide report against specified domain controller. 

## Active Directory Domain Controller Replication Status##

$domaincontroller = Read-Host 'What is your Domain Controller?'

## Define Objects ##

$report = New-Object PSObject -Property @{

ReplicationPartners = $null

LastReplication = $null

FailureCount = $null

FailureType = $null

FirstFailure = $null

}

## Replication Partners ##

$report.ReplicationPartners = (Get-ADReplicationPartnerMetadata -Target $domaincontroller).Partner

$report.LastReplication = (Get-ADReplicationPartnerMetadata -Target $domaincontroller).LastReplicationSuccess

## Replication Failures ##

$report.FailureCount  = (Get-ADReplicationFailure -Target $domaincontroller).FailureCount

$report.FailureType = (Get-ADReplicationFailure -Target $domaincontroller).FailureType

$report.FirstFailure = (Get-ADReplicationFailure -Target $domaincontroller).FirstFailureTime

## Format Output ##

$report | select ReplicationPartners,LastReplication,FirstFailure,FailureCount,FailureType | Out-GridView

In this command, it will give option for engineer to specify the Domain Controller name. 

$domaincontroller = Read-Host 'What is your Domain Controller?'

Then its creates some object and map those to result of the PowerShell command outputs. Last but not least it provides a report to display a report including, 

• Replication Partner (ReplicationPartners)

• Last Successful Replication (LastReplication)

• AD Replication Failure Count (FailureCount)

• AD Replication Failure Type (FailureType)

• AD Replication Failure First Recorded Time (FirstFailure)

Further to Active Directory replication topologies, there are two types of replications.

1) Intra-Site – Replications between domain controllers in same Active Directory Site

2) Inter-Site – Replication between domain controllers in different Active Directory Site

We can review AD replication site objects using Get-ADReplicationSite cmdlet. 

Get-ADReplicationSite -Filter *

Above command returns all the AD replication sites in the AD forest. 

We can review AD replication site links on the AD forest using, 

Get-ADReplicationSiteLink -Filter *

In site links, most important information is to know the site cost and replication schedule. It allows ro understand the replication topology and expected delays on replications. 

Get-ADReplicationSiteLink -Filter {SitesIncluded -eq "CanadaSite"} | Format-Table Name,Cost,ReplicationFrequencyInMinutes -A

Above command list all the replication sites link included CanadaSite AD site along with the site link name, link cost, replication frequency. 

A site link bridge can use to bundle two or more site links and enables transitivity between site links.

Site link bridge information can retrieve using, 

Get-ADReplicationSiteLinkBridge -Filter *

Active Directory sites may use multiple IP address segments for its operations. It is important to associate those with the AD site configuration so domain controllers know which computer related to which site. 

Get-ADReplicationSubnet -Filter * | Format-Table Name,Site -A

Above command will list down all the Subnets in the forest in a table with subnet name and AD site.

Bridgehead servers are operating as the primary communication point to handle replication data which comes in and go out from AD site. 

We can list down all the preferred bridgehead servers in a domain using, 

$BHservers = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com").bridgeheadServerListBL

$BHservers | Out-GridView

In above command the attribute value bridgeheadServerListBL retrieve via ADSI connection. 

We can list down all of these findings using on script. 

## Script to gather information about Replication Topology ##

## Define Objects ##

$replreport = New-Object PSObject -Property @{

Domain = $null

}

## Find Domain Information ##

$replreport.Domain = (Get-ADDomain).DNSroot

## List down the AD sites in the Domain ##

$a = (Get-ADReplicationSite -Filter *)

Write-Host "########" $replreport.Domain "Domain AD Sites" "########"

$a | Format-Table Description,Name -AutoSize

## List down Replication Site link Information ##

$b = (Get-ADReplicationSiteLink -Filter *)

Write-Host "########" $replreport.Domain "Domain AD Replication SiteLink Information" "########"

$b | Format-Table Name,Cost,ReplicationFrequencyInMinutes -AutoSize

## List down SiteLink Bridge Information ##

$c = (Get-ADReplicationSiteLinkBridge -Filter *)

Write-Host "########" $replreport.Domain "Domain AD SiteLink Bridge Information" "########"

$c | select Name,SiteLinksIncluded | Format-List

## List down Subnet Information ##

$d = (Get-ADReplicationSubnet -Filter * | select Name,Site)

Write-Host "########" $replreport.Domain "Domain Subnet Information" "########"

$d | Format-Table Name,Site -AutoSize

## List down Prefered BridgeHead Servers ##

$e = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com").bridgeheadServerListBL

Write-Host "########" $replreport.Domain "Domain Prefered BridgeHead Servers" "########"

$e

## End of the Script ##

The only thing we need to change is the ADSI connection with relevant domain DN. 

$e = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com")

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

In one of my previous post I explained how we can manage AD administration privileges using ACLs. If you didn’t read it yet you can find it using http://www.rebeladmin.com/2018/02/step-step-guide-manage-active-directory-permissions-using-object-acls/

This Delegate Control method also works similar to ACLs, but its simplified the process as its uses,

• Delegation of Control Wizard which can use to apply delegated permissions. 

• Allows to use predefined tasks and assign permission to those

The Wizard contain following predefined tasks which can use to assign permissions. 

• Create, delete, and manage user accounts

• Reset user passwords and force password change at next logon

• Read all user information

• Create, delete and manage groups

• Modify the membership of a group

• Manage Group Policy links

• Generate Resultant Set of Policy (Planning)

• Generate Resultant Set of Policy (Logging)

• Create, delete, and manage inetOrgPerson accounts

• Reset inetOrgPerson passwords and force password change at next logon

• Read all inetOrgPerson information

This also allows to create custom task to delegate permissions, if it’s not covered from the common task list. 

Similar to ACLs, Permissions can apply in,

1) Site – Delegated permission will valid for all the objects under the given Active Directory Site. 

2) Domain – Delegated permission will valid for all the objects under the given Active Directory Domain. 

3) OU – Delegated permission will valid for all the objects under the given Active Directory OU.

As an example, I have a security group called Second Line Engineers and Scott is a member of it. I like to allow members of this group to reset password for objects in OU=Users,OU=Europe,DC=rebeladmin,DC and nothing else. 

1) Log in to Domain Controller as Domain Admin/Enterprise Admin

2) Review Group Membership Using 

Get-ADGroupMember “Second Line Engineers”

3) Go to ADUC, right click on the Europe OU, then from list click on “Delegate Control”

4) This will open new wizard, in initial page click Next to proceed. 

5) In next page, Click on Add button and add the Second Line Engineers group to it. Then click Next to proceed.

6) From the task to delegate window select Delegate the following common tasks option and from list select Reset user passwords and force password change at next logon. In this page, we can select multiple tasks. If none of those works, we still can create custom task to delegate. Once completes the selection, click next to proceed. 

7) This completes the wizard and click on Finish to complete. 

8) Now it’s time for testing. I log in to Windows 10 computer which has RSAT tools installed as user Scott. 

According to permissions, I should be able to reset password of an object under OU=Users,OU=Europe,DC=rebeladmin,DC

Set-ADAccountPassword -Identity dfrancis

This allows to change the password successfully. 

However, it should not allow to delete any objects. we can test it using,

Remove-ADUser -Identity "CN=Dishan Francis,OU=Users,OU=Europe,DC=rebeladmin,DC=com"

And as expected, it returns access denied error. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Active Directory maintains a multi-master database. like any other database there can be data corruptions, crashes, data lost etc. In my entire career, I still did not come across with a situation that a full database recovery is required in production environment. The reason is AD DS database is keep replicating to other available Domain Controllers and it is very rare that all the available Domain Controllers crash in same time and loose data.

By running integrity check, we can identify binary level AD database corruption. This comes as part of the Ntdsutil tool which use for Active Directory database maintenance. This go through every byte of the database file. The integrity command also checks if correct headers exist in the database itself and if all of the tables are functioning and consistent. This process also run as part of Active Directory Service Restore Mode (DRSM).

This check need to run with NTDS service off. 

In order to run integrity check,

1) Log in to Domain Controller as Domain/Enterprise Administrator

2) Open PowerShell as Administrator

3) Stop NTDS service using net stop ntds

4) Type 

 

ntdsutil

activate instance ntds

files

integrity

 

 

5) In order to exit from the utility type, quit.

6) it is also recommended to run Semantic database analysis to confirm the consistency of active directory database contents. 

7) In order to do it, 

 

ntdsutil

activate instance ntds

semantic database analysis

go

 

 

8) If its detected any integrity issues can type go fixup to fix the errors. 

9) After process is completed, type net start ntds to start the ntds service.

 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

So far in this series we learn what is RMS and how it works. You can access those using,

Part 01 – What is AD RMS ?

Part 02 – AD RMS Components

Part 03 – How AD RMS Works ?

This is the last part of the series and in here I am going to demonstrate how to install and configure AD RMS. 

Setup AD RMS Root Cluster

AD RMS only can install in Domain Member Server. I have a demo server setup and its already member server of the domain. First AD RMS server add to the forest creates the AD RMS cluster. 

Install AD RMS Role

1) Log in to the server as Enterprise Administrator. 

2) Install the AD RMS role and related management tools using, 

Install-WindowsFeature ADRMS -IncludeManagementTools

Configure AD RMS Role

1) Launch Server Manager > Notifications > Under “Configuration required for Active Directory Rights Management Services” > Perform Additional Configuration. This will open the AD RMS Configuration Wizard. Click Next to start the configuration. 

2) In next screen, it gives option to create new AD RMS root cluster or join it to existing AD RMS cluster. Since it is new cluster, select option Create a new AD RMS root cluster and click Next.  

3) Next Screen is to define the AD RMS database configuration. If it’s going to use MS SQL server need to specify the Database server and the instance. Or else it can use Windows Internal Database. Please note if WID used, it cannot have any more AD RMS servers and cannot have AD RMS mobile extension either. Since its demo, I am going to use WID. Once selection made, click Next to move to next step. 

4) In Next window, we need to define service account. It is used to communicate with other services and computers. This doesn’t need to have Domain or Enterprise Admin rights. Click on Specify and provide the user name and password for the account. Then click Next to Proceed to next window. 

5) In next windows, we need to select the Cryptographic mode. This defines the strength of the hashes. This is support two mode which is SHA-1 and SHA-256. It is highly recommended to use Mode 2 which is SHA-256 for stronger hashing. However, this need to be match with the other RMS cluster it deals with. In our setup, I am going to use default SHA-256. Once Selection is made click next to proceed. 

6) AD RMS uses cluster key to sign the certificate and licenses it issues. This is also required when AD RMS restore or when new AD RMS server add to the same cluster. It can be saved in two places. Default method is to use AD RMS centrally managed key storage. So, it doesn’t need any additional configurations. It also supports to use cryptographic service provider (CSP) as storage. But this required manual distribution of key when add another AD RMS server to the cluster. In this we will use option “Use AD RMS centrally managed key storage”. Once selection is made click Next to proceed. 

7) AD RMS also uses Password to encrypt the cluster key described in above. This is required to provide when add another AD RMS server to cluster or when restore AD RMS from backup. This key is cannot reset. There for recommended to keep it recorded in secure place. Once define the AD RMS Cluster Key Password, click Next to proceed. 

8) In next window, we need to define the IIS virtual directory for the AD RMS web site. Unless there is specific requirement always use the default and click Next. 

9) In next step, we need to define a AD RMS cluster URL. This will use by AD RMS clients to communicate with AD RMS cluster. It is highly recommended to use SSL for this even its allow to use it with HTTP only method. The related DNS records and Firewall rules need to be adjusted in order to provide connection between AD RMS clients and this URL (Internally or Externally). Once configuration values provided, click Next to proceed. One thing need to noted is, once this URL is specified, it cannot be change. In this demo, the RMS URL is https://rms.rebeladmin.com. 

10) In next step, we need to define Server Authentication Certificate. This certificate will use to encrypt the network traffic between RMS clients and AD RMS cluster. For testing it can use self-signed certificate but not recommended for production. If its uses internal CA, client computers should be aware of the root certificate. In wizard, it automatically takes the list of SSL certificates installed in the Computer and we can select the certificate from there. It also allowed to configure this setting in later time. Once settings are defined, click Next to proceed. 

11) In next window, it asks to provide Name for the Server License Certificate (SLC). This certificate is to define the identity of the AD RMS cluster and it used in the Data protection process between clients to encrypt/decrypt symmetric keys. Once defined a meaningful name, click Next to proceed. 

12) Last step of the configuration is to register AD RMS connection service point (SCP) with the AD DS. If needed this can configure later too. This need enterprise administrator privileges to register it with AD DS. In this demo, I already logged as enterprise administrator so I am using “Register the SCP now”. Once option selected, click Next. 

13) After the confirmation, installation will begin and wait for the result. If it’s all successful, log off and log back in the AD RMS server. 

14) Once log back in, Go to Server Manager > Tools > Active Directory Rights Management Service to access the AD RMS cluster.

Test Protecting Data using AD RMS Cluster

Next step of the demo is to test the AD RMS cluster by protecting data. For that I am using two user accounts. 

Email account filed is must and if user doesn’t have email address defined, it will not be allowed to protect the document. 

The end user computers must have added https://rms.rebeladmin.com to the Internet Explorer, Local Intranet’s trusted site lists. This can be done via GPO. If it’s not added, when go to protect the document, users will get following error,

In this demo as user Peter going to create protected document using Word 2013. The recipient will only be user Adam and he will only have read permission. 

To Protect the Document

1) Log in to the Windows 10 (Domain member) computer as user Peter

2) Open word 2013 and type some text

3) Then Go to File > Protect Document > Restrict Access > Connect to Digital Rights Management Servers and get templates 

4) Once its successfully retrieves the templates, go back to same option and select Restricted Access

5) Then it will open up new window. On there for the read permissions, type adam@rebeladmin.com to provide read only permission to user adam. Then click OK.  

6) After that save the document. In demo, I used a network share which user adam also have access. 

7) Now I log in to another window 10 computers as user adam. 

8) Then brows to path where document was saved and open it using word 2013. 

9) On the opening process, it asks to authenticate to the RMS to retrieve the licenses. After that it open the document. In top of the document it says document got limited access. When click on the “View Permission” it list down the allowed permissions and it matches what we set in the author side. 

10) Further in to testing I have log in to system as another user (Liam) and when I access the file I gets, 

This ends the configuration and testing of the AD RMS cluster. In this demo, I explained how we can set up AD RMS cluster with minimum resource and configuration. I only used the default configuration of AD RMS cluster and no custom policies applied. By understand core functions allows you to customize it to meet your organization requirements. 

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

In part 01 of this series we learned RMS and its capabilities. if you didn’t read it yet, you can find it in here. In part 02 we learned about AD RMS components. You can read it using  

In part 03, I am going to explain how AD RMS works. 

By now we know the components of the AD RMS and its capabilities. In this section, we are going to look in details to understand how all these components work together to protect corporate data. 

Before start the data protecting process, we need to have healthy AD RMS Cluster, AD RMS Clients (Author and Recipient) and reliable connection between those components. Once these prerequires fulfill, Data protection process will happen in three main stages which is protect content by author, publish protected content and access protected content by recipient. Let’s assume Peter is trying to protect a document using AD RMS. He going to send it to Adam and he do not want him to edit or print it. This is the first time he going to use AD RMS. In AD RMS environment, user Peter will refer as Information Author. On his first authentication in to AD RMS cluster, it creates Right Account Certificate (RAC) and it will be user’s identity in AD RMS. This is a onetime process. This certificate contains the public key and private key of the Peter which is encrypted by his computer’s public key. When Peter register with AD RMS cluster it also creates another certificate called Client Licensor Certificate (CLC). This CLC includes Client Licensor Certificate’s public key and private key which is protected by public key of Peter. It also includes AD RMS cluster public key which is signed by AD RMS private key.

Peter decides what data need to be protected first. Then it generates symmetric key (random) and encrypt the data which needs to be protected. It uses AES-256 standards to encrypt the data. When first AD RMS server added to the cluster, it creates another certificate called Server Licensor Certificate (SLC). This represent the identity element of the AD RMS server. This is shared with clients so they can use to exchange confidential data in secure way. SLC includes the public key of the AD RMS server. As the next step the system will encrypt the symmetric key used for data encryption by using it. So, only AD RMS cluster can open it. 

After that RMS Client creates Publishing License (PL). This PL use to indicate allowed recipients, what rights they got and what condition will apply towards protected data. PL includes encrypted symmetric key that can used to decrypt the protected data. All these data then encrypt with Server Licensor Certificate’s public key. Apart from that AD RMS client also will sign encrypted data with private key of CLS. At the end this protected data will attached to PL. it also included the copy of symmetric key which is encrypted with CLS public key. This confirms Peter’s authority over the protected document, so he can decrypt the document without using another license. Once all these encryptions and signings are done, the document is ready to send over to Adam. 

Once Adam receives the document, his Ad RMS aware application try to open it and found it is a protected document. Similar to Peter, Adam already have his RAC and CLS from the AD RMS Cluster. In order to open the protected document at once does it encrypt it with does it encrypt or sign with any of Adam’s certificates? No, it’s not. But his AD RMS client knows who need to contact in order to sort it out for him. To open the protected document Adam should have a Use License (UL). This is issue by the RMS cluster. So, AD RMS client request for license also included encrypted Publishing License, Encrypted Symmetric Key, Peter’s CLC and Public key of Adam’s RAC. The protected document will not send over with this request to RMS Cluster. To decrypt the protected document Adam needs the Symmetric key which used by Peter to encrypt the document. As first step Server needs to know if Adam is permitted to access the document, if he is permitted what sort of conditions and rights will apply. This info is in Publishing License. It is encrypted using public key of SLC. AD RMS server is the private key owner for it and he can easily extract it. if Adam is not allowed in PL, it will be declined the access to it. if its allowed it creates a list mentioning Adam’s rights to the document. The most important part of the decryption process is to retrieve the Symmetric Key. This is also encrypted by SLC’s public key. Once it is extract, it will be re-encrypt using Adam’s RAC public key. it was a part of the Use License request. This ensure, the only one can see the key is Adam’s system. Since server got all the required information, it generates Use License including the permission list and encrypted symmetric key. then it sends over to Adam’s RMS client. Once it reaches Adam’s system, it can decrypt the symmetric key using RAC’s private key. then RMS aware application will decrypt the document and attach the rights information retrieved from the User License. At the end, voila!!! Adam can see the content of the document. 

In above I have talked lots about different certificates, licenses, data encryption and decryption. I thought its still better to explain it in high level to recap things we learned. 

Peter wants to send protected document to Adam. Adam should only have read permission to the document and should not be able to modify or print. 

1) This is the first-time peter going to use AD RMS. As soon as he tries to protect the document, RMS client initiate a connection to AD RMS server (cluster)

2) AD RMS Server replied with Right Account Certificate and Client Licensor Certificate. This is one time process. 

3) In Peter’s system, random symmetric key is generated and encrypt the document using it. Then this symmetric key is encrypt using SLC’s public key. After that it is attached to a Publishing License which includes Adam’s rights for the protected document. After that PL attached to encrypted document.

4) Peter sends protected document (along with this additional info) to Adam.

5) Adam’s RMS Aware application try to open it and found that it need Use License from AD RMS Server. then RMS client request it from the RMS Server.

6) RMS server decrypt the symmetric key and the PL. after that server checks if the requester match with the PL. in our scenario it matches, so it went ahead and creates Use License. This includes symmetric key (it re-encrypts using Adam’s RAC Public Key) and a list which contains rights describes in PL. Then it delivers to Adam’s system.

7) Once Adam’s system receives the Use License, it retrieves Symmetric key and decrypt the document. Then Adam open the document and use it according to rights described on PL. 

This marks the end of this blog post. In Part 04, I will demonstrate deployment of AD RMS. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.