
Contents

AD RMS Windows Server 2008 to Windows Server 2008 R2 Migration and Upgrade Guide ... 2

About this guide... 2

Preparing for the migration or upgrade of an AD RMS cluster ... 2

Checklist: Preparing to migrate or upgrade the AD RMS cluster ... 3

Back up the AD RMS configuration database ... 3

Export the server licensor certificate ... 4

Export and install a software-based CSP key ... 4

Performing the migration of AD RMS on Windows Server 2008 to Windows Server 2008 R2... 6

Checklist: Migrating AD RMS from Windows Server 2008 to Windows Server 2008 R2 ... 6

Install Windows Server 2008 R2 on a new computer... 7

Install AD RMS and join the computer to the existing AD RMS cluster ... 8

Join additional servers to the AD RMS cluster ... 9

Performing the upgrade of AD RMS on Windows Server 2008 to Windows Server 2008 R2 ... 10

Checklist: Upgrading AD RMS on Windows Server 2008 to Windows Server 2008 R2 ... 10

Upgrade an existing AD RMS server to Windows Server 2008 R2 ... 11

Run the AD RMS Upgrade wizard ... 11

Upgrade remaining AD RMS servers to Windows Server 2008 R2 ... 12

Completing the migration or upgrade of AD RMS ... 13

Checklist: Completing the migration or upgrade of AD RMS ... 13

Update cluster URL CNAME record ... 14

Verify AD RMS client connectivity ... 14

AD RMS Windows Server 2008 to Windows Server 2008 R2 Migration and Upgrade Guide

If you want to upgrade an Active Directory Rights Management Services (AD RMS) cluster to Windows Server® 2008 R2, you can migrate the cluster or upgrade the existing servers in the cluster. Migrating is the process of installing Windows Server 2008 R2 on a new computer, adding the AD RMS server role to that computer, joining that computer to the existing AD RMS cluster, and then replacing the other servers in that cluster with computers running Windows Server 2008 R2. Upgrading is the process of doing an in-place upgrade of the existing AD RMS servers in the cluster to Windows Server 2008 R2.

About this guide

This guide is intended for IT professionals who are interested in migrating or upgrading their existing AD RMS infrastructure to Windows Server 2008 R2. Using the checklists provided in this guide, you should be able to seamlessly move your AD RMS infrastructure from Windows Server 2008 to Windows Server 2008 R2.

Preparing for the migration or upgrade of an AD RMS cluster

A migration or upgrade of an AD RMS cluster from Windows Server 2008 to Windows Server 2008 R2 should be carefully planned so that clients are not affected by the migration or upgrade. You should complete the tasks in Checklist: Preparing to migrate or upgrade the AD RMS cluster to ensure that all prerequisites are met.

When these tasks have been completed:

• For migrating AD RMS, perform the tasks in Performing the migration of AD RMS on Windows Server 2008 to Windows Server 2008 R2.

• For upgrading AD RMS, perform the tasks in Performing the upgrade of AD RMS on Windows Server 2008 to Windows Server 2008 R2.

Checklist: Preparing to migrate or upgrade the AD RMS cluster

Before starting a migration or upgrade, complete all the tasks in this checklist in the order in which they are presented to prepare your infrastructure for AD RMS on Windows Server 2008 R2.

Checklist: Preparing to migrate or upgrade the AD RMS cluster

Task Reference

To prevent loss of AD RMS data if you should need to roll back the migration or upgrade, be sure to back up the AD RMS configuration database.

Back up the AD RMS configuration database

Before migrating or upgrading an AD RMS cluster, export the server licensor certificate (SLC). The SLC can be stored in either the AD RMS configuration database or a hardware security module.

Export the server licensor certificate

If you are using a software-based CSP to protect your AD RMS private key, you must export the key container and install it on the new computer.

Export and install a software-based CSP key

Back up the AD RMS configuration database

The AD RMS configuration database stores all the configuration information for the AD RMS cluster as well as the private key that signs all rights-protected content. It is important to back up this database before moving to Windows Server 2008 R2.

To back up the configuration database

1. Log on to the server hosting the AD RMS configuration database with a user account that is a member of the System Administrators database role.

2. Click Start, point to All Programs, point to Microsoft SQL Server, and then click SQL Server Management Studio.

3. When the Connect to Server window appears, ensure that the server hosting the AD RMS configuration database is in the Server name box, and then click Connect.

4. Expand Databases.

5. Right-click the AD RMS configuration database, point to Tasks, and then click Back Up. The default AD RMS configuration database name is in the form DRMS_Config_<RMS_cluster_URL>_80, where RMS_cluster_URL is the URL of the AD RMS cluster.

6. Click OK and then click OK again.
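The same backup can be taken from a command prompt, which is easier to repeat and to verify than the Management Studio dialog. The following script is an added example and is not part of this guide or of the AD RMS product; it assumes the SQL Server client tools (sqlcmd.exe) are installed, that it runs as a member of the sysadmin role, and that the server, database and backup path values are placeholders to replace with your own. It adds the check a practitioner wants before relying on the backup for a rollback: RESTORE VERIFYONLY with checksums, and a restricted ACL on the file, because the backup contains the cluster's private key when AD RMS manages it.

```powershell
# Added example (not from the guide): back up and verify the AD RMS configuration database.
# Assumptions: sqlcmd.exe on the PATH, run as a SQL sysadmin; values below are placeholders.
$SqlServer = "SQL01"                                  # placeholder: server\instance hosting the database
$DbName    = "DRMS_Config_adrms_contoso_com_80"       # placeholder: your DRMS_Config_<RMS_cluster_URL>_80 name
$BackupDir = "D:\Backups\ADRMS"                       # placeholder: backup folder
$Stamp     = Get-Date -Format "yyyyMMdd-HHmmss"
$BackupFile = Join-Path $BackupDir ("{0}-{1}.bak" -f $DbName, $Stamp)

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# Full backup with page checksums, so corruption is detected now rather than during a rollback.
# -E uses Windows authentication; -b makes sqlcmd return a non-zero exit code on a T-SQL error.
$backupSql = "BACKUP DATABASE [$DbName] TO DISK = N'$BackupFile' WITH INIT, CHECKSUM, STATS = 10"
& sqlcmd.exe -S $SqlServer -E -b -Q $backupSql
if ($LASTEXITCODE -ne 0) { throw "Backup of $DbName failed (sqlcmd exit code $LASTEXITCODE)" }

# Confirm the backup set is readable and its checksums are intact before proceeding.
$verifySql = "RESTORE VERIFYONLY FROM DISK = N'$BackupFile' WITH CHECKSUM"
& sqlcmd.exe -S $SqlServer -E -b -Q $verifySql
if ($LASTEXITCODE -ne 0) { throw "Backup file $BackupFile failed verification" }

# The backup holds the cluster's private key when AD RMS manages it: stop permission
# inheritance and grant access only to Administrators and SYSTEM.
$acl = Get-Acl $BackupFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, "FullControl", "Allow")
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $BackupFile -AclObject $acl

Write-Host "Backup written and verified: $BackupFile"
```

Run the script on the database server (or any host with the SQL client tools) before starting either the migration or the upgrade, and keep the verified .bak file off the servers that are about to be rebuilt.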

Export the server licensor certificate

The server licensor certificate (SLC) of the AD RMS cluster is used to decrypt all content that was protected by the AD RMS cluster. If the SLC is lost, rights-protected content protected by the AD RMS cluster cannot be decrypted. If you are using a hardware security module (HSM) to store the SLC, you should contact the hardware manufacturer of the HSM and get instructions on how to back up the key. If you are using a private key password to protect the SLC, you can back up the certificate by using the Active Directory Rights Management Services console.

1. Open the Active Directory Rights Management Services console.

2. In the console tree, select the AD RMS cluster whose certificate you want to export.

3. Right-click the cluster name, and then click Properties.

4. On the Server Certificate tab, click Export Certificate.

5. The Export Certificate As dialog box appears. We recommend that you modify the .bin file name to include the name of your server, such as AD RMS_Cluster1_LicensorCert.bin.

6. Specify the location where the SLC certificate should be saved, and then click Save.

Export and install a software-based CSP key

When you installed AD RMS, you were able to select private key protection managed by AD RMS or cryptographic storage provider (CSP)-based key protection. Private key protection managed by AD RMS offers decreased administrative overhead because the AD RMS private key is stored in the AD RMS configuration database, and as servers are added to the AD RMS cluster, they share this key. A hardware-based CSP provides more security because the private key is not stored in software anywhere. A software-based CSP stores the AD RMS private key locally on each AD RMS server, and for this reason it is not recommended.

If you are using a software-based CSP, you must export the AD RMS private key and install it on each new computer that joins the AD RMS cluster as part of the migration or upgrade to Windows Server 2008 R2. If you are using a hardware-based CSP, you should consult the manufacturer about steps for migrating the key.

Important

The .NET Framework 2.0 must be installed both on the server that you are exporting the AD RMS private key from and on the new server on which the private key will be installed. The .NET Framework 2.0 is available by using Windows Update.

To retrieve the private key container name

1. Log on to the server hosting the AD RMS configuration database with a user account that is a member of the System Administrators database role.

2. Click Start, point to All Programs, point to Microsoft SQL Server, and then click SQL Server Management Studio.

3. When the Connect to Server window appears, ensure that the server hosting the AD RMS configuration database is in the Server name box, and then click Connect.

4. Expand Databases.

5. Expand the AD RMS configuration database, and then expand Tables.

6. Right-click the DRMS_LicensorPrivateKey table, and then click Open Table.

The key container name is stored in the column named KeyContainerName.

To export the RMS private key from a software-based CSP

1. Log on to the AD RMS server that has the AD RMS private key installed.

2. Click Start, and then click Command Prompt.

3. Type cd %windir%\Microsoft.NET\Framework\v2.0.50727, and then press ENTER.

4. Type aspnet_regiis.exe -px "<keycontainername>" privatekey.xml -pri, where <keycontainername> is the key container name that you retrieved from the procedure named "To retrieve the private key container name," and then press ENTER.

5. Copy privatekey.xml to the server that will be joined to the AD RMS cluster.

To install the RMS private key on the server that will be joined to the AD RMS cluster

1. Log on to the server that will be joined to the AD RMS cluster.

2. Click Start, and then click Command Prompt.

3. Type cd %windir%\Microsoft.NET\Framework\v2.0.50727, and then press ENTER.

4. Type aspnet_regiis.exe -pi "<keycontainername>" privatekey.xml -exp, where <keycontainername> is the key container name that you retrieved from the procedure named "To retrieve the private key container name," and then press ENTER.
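The three procedures above (retrieve the container name, export on the old server, import on the new one) can be driven from one script, which also handles the case a manual walkthrough tends to miss: the exported privatekey.xml holds the cluster's private key in clear text and must be protected while it exists and removed once imported. This script is an added example, not code from the guide or from the AD RMS product; it assumes sqlcmd.exe is available on both servers, that it runs as a SQL sysadmin and local Administrator, and that the server, database and file path values are placeholders.

```powershell
# Added example (not from the guide): retrieve the key container name, then export (-Mode Export,
# on the existing AD RMS server) or import (-Mode Import, on the new server) the software-CSP key.
param(
    [Parameter(Mandatory=$true)][ValidateSet("Export","Import")][string]$Mode,
    [string]$SqlServer = "SQL01",                             # placeholder: AD RMS database server
    [string]$DbName    = "DRMS_Config_adrms_contoso_com_80",  # placeholder: DRMS_Config_<RMS_cluster_URL>_80
    [string]$KeyFile   = "C:\ADRMS-migration\privatekey.xml"  # placeholder: where the exported key lands
)

$RegIis = Join-Path $env:windir "Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"
if (-not (Test-Path $RegIis)) { throw ".NET Framework 2.0 is not installed; $RegIis not found" }

# Read KeyContainerName from DRMS_LicensorPrivateKey. -h -1 drops the column header and
# -W trims padding, so the output is just the value.
$query = "SET NOCOUNT ON; SELECT KeyContainerName FROM dbo.DRMS_LicensorPrivateKey"
$container = & sqlcmd.exe -S $SqlServer -d $DbName -E -h -1 -W -Q $query |
    Where-Object { $_.Trim() -ne "" } | Select-Object -First 1
if (-not $container -or $container.Trim() -eq "NULL") {
    throw "No key container name found; this cluster does not appear to use a software-based CSP"
}
$container = $container.Trim()
Write-Host "Key container name: $container"

if ($Mode -eq "Export") {
    # Export the container including the private key (-pri).
    & $RegIis -px $container $KeyFile -pri
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis.exe -px failed with exit code $LASTEXITCODE" }

    # The XML file is the cluster's private key in clear text: restrict it to Administrators and
    # SYSTEM before it is copied to the new server.
    $acl = Get-Acl $KeyFile
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, "FullControl", "Allow")))
    }
    Set-Acl -Path $KeyFile -AclObject $acl
    Write-Host "Exported to $KeyFile; copy it to the new server and run this script there with -Mode Import"
}
else {
    # Import into the local CSP store; -exp keeps the key exportable for the next migration.
    & $RegIis -pi $container $KeyFile -exp
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis.exe -pi failed with exit code $LASTEXITCODE" }

    # The key now lives in the CSP store; the clear-text XML copy is no longer needed.
    Remove-Item $KeyFile -Force
    Write-Host "Imported key container $container and removed $KeyFile"
}
```

Copy privatekey.xml between the servers over a channel you trust (an administrative share over SMB signing, or removable media you control), and delete every copy, including the one on the old server, once the new server has successfully joined the cluster.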

Performing the migration of AD RMS on Windows Server 2008 to Windows Server 2008 R2

Follow the tasks in Checklist: Migrating AD RMS from Windows Server 2008 to Windows Server 2008 R2 to perform a migration of your AD RMS cluster from Windows Server 2008 to Windows Server 2008 R2.

When these tasks have been completed, perform the tasks in Completing the migration or upgrade of AD RMS.

Checklist: Migrating AD RMS from Windows Server 2008 to Windows Server 2008 R2

Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Checklist: Migrating AD RMS from Windows Server 2008 to Windows Server 2008 R2

Task Reference

On the computer that will be the first server of the new AD RMS cluster, install Windows Server 2008 R2.

Install Windows Server 2008 R2 on a new computer

Install AD RMS and join the new AD RMS server to the existing AD RMS cluster.

Install AD RMS and join the computer to the existing AD RMS cluster

Replace or upgrade the remaining AD RMS servers in the cluster to Windows Server 2008 R2.

Join additional servers to the AD RMS cluster

Install Windows Server 2008 R2 on a new computer

Install Windows Server 2008 R2 on a stand-alone server that will be used as a new server in the AD RMS cluster. After Windows Server 2008 R2 is installed, you should assign a static IP address and then join it to the same domain as the AD RMS cluster.

If you have several servers in your AD RMS cluster, we recommend that you prepare at least half of your new servers for joining the AD RMS cluster at the same time, because the database schema for AD RMS on Windows Server 2008 R2 is different from that for AD RMS on Windows Server 2008. When the first Windows Server 2008 R2–based AD RMS server joins the cluster, the AD RMS configuration database is upgraded to the Windows Server 2008 R2 schema, and from that point all Windows Server 2008–based AD RMS servers in the cluster will no longer be able to process client requests.

To perform a new installation of Windows Server 2008 R2

1. Start your computer by using the Windows Server 2008 R2 product CD.

2. Follow the rest of the instructions that appear on your screen to finish the installation. We recommend that you use a static IP address for the server.

To configure a static IP address

1. Log on to the computer as a member of the local Administrators group.

2. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.

3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4. Click the Use the following IP address option. In the IP address box, type the appropriate IP address. In the Subnet mask box, type the appropriate subnet mask, and then click OK.

5. Click OK to close the Local Area Connection Properties dialog box.

Finally, you should add this computer to the same domain as the servers in the AD RMS cluster.

1. Click Start, right-click Computer, and then click Properties.

2. Click Change settings (at the right side under Computer name, domain, and workgroup settings), and then click Change.

3. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type the appropriate domain.

4. Click OK, and then click OK again.

5. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials for a member of the Domain Admins group, and then click OK.

6. When a Computer Name/Domain Changes dialog box appears welcoming you to the domain, click OK.

7. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.

8. Click Restart Now.
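The static address and the domain join described above can also be done from an elevated PowerShell 2.0 prompt on the new server, which is convenient when several new servers are being prepared at once. This is an added example and not part of the guide; it assumes the interface is named "Local Area Connection" (the Windows Server 2008 R2 default), that dnscmd-style positional netsh syntax is used, and that every address and name below is a placeholder for your environment.

```powershell
# Added example (not from the guide): set a static IPv4 address and join the AD RMS domain.
# Run elevated on the new Windows Server 2008 R2 computer. All values are placeholders.
$Nic     = "Local Area Connection"   # default NIC name on Windows Server 2008 R2
$Address = "10.0.0.25"               # placeholder: static IP for the new AD RMS server
$Mask    = "255.255.255.0"           # placeholder
$Gateway = "10.0.0.1"                # placeholder
$Dns     = "10.0.0.10"               # placeholder: a domain DNS server, needed to locate a domain controller
$Domain  = "contoso.com"             # placeholder: the domain of the existing AD RMS cluster

# Static address, mask and gateway; then a static DNS server registered as primary.
netsh interface ipv4 set address "$Nic" static $Address $Mask $Gateway
if ($LASTEXITCODE -ne 0) { throw "Failed to set the static address on $Nic" }
netsh interface ipv4 set dnsservers "$Nic" static $Dns primary
if ($LASTEXITCODE -ne 0) { throw "Failed to set the DNS server on $Nic" }

# Confirm a domain controller can be located before attempting the join; nltest returns a
# non-zero exit code when the domain cannot be found with the DNS settings just applied.
nltest /dsgetdc:$Domain | Out-Null
if ($LASTEXITCODE -ne 0) { throw "No domain controller found for $Domain; check the DNS server setting" }

# Join the domain with Domain Admins credentials entered interactively (never embedded in the script),
# then restart as the Computer Name/Domain Changes dialog box would require.
Add-Computer -DomainName $Domain -Credential (Get-Credential)
Restart-Computer
```

After the restart, confirm the join with `nltest /sc_query:contoso.com` (substituting your domain) before installing the AD RMS server role.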

Install AD RMS and join the computer to the existing AD RMS cluster

A migration of an AD RMS cluster from Windows Server 2008 to Windows Server 2008 R2 is accomplished by joining a new Windows Server 2008 R2 AD RMS server to the AD RMS cluster and then migrating or removing the remaining Windows Server 2008 servers.

Note

In order to join a Windows Server 2008 R2 server to an existing AD RMS cluster, the AD RMS service connection point (SCP) must be registered in Active Directory or Active Directory Domain Services.

1. Log on to the server that you want to join to the existing AD RMS cluster with a domain user account that is a member of the local Administrators group on both the AD RMS server and the database server, and that is a member of the System Administrators database role, or equivalent, on the database server.

2. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.

3. In the Roles Summary box, click Add Roles.

4. Read the Before You Begin section, and then click Next.

5. On the Select Server Roles page, select the Active Directory Rights Management Services check box.

6. The Role Services page appears informing you of the AD RMS dependent role services and features. Make sure that Web Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click Next.

7. Read the AD RMS introduction page, and then click Next.

8. On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and then click Next.

9. Select the Join an existing AD RMS cluster option, and then click Next.

10. Do the following and then click Next:

a. Click Browse, type the name of the database server, and then click OK.

b. Choose the appropriate database server instance from the Select or enter database server instance box.

c. Type the name of the AD RMS configuration database in the Enter database name box.

d. Click Validate.

11. If you are using AD RMS to centrally manage the cluster key, confirm that the database is correct, type the cluster key password in the Password and Confirm Password boxes, and then click Next.

12. Click Specify, type the User name and Password in the appropriate boxes, and then click OK. Click Next.

13. Select the appropriate Web site, and then click Next.

14. Read the Introduction to Web Server (IIS) page, and then click Next.

15. Keep the Web server default check box selections, and then click Next.

16. Click Install to join this computer to the existing AD RMS cluster. It can take up to 60 minutes to complete the installation.

17. Click Close.

18. Log off the server, and then log back on to update the permissions granted to the logged on user account. The user account that is logged on when the AD RMS server role is provisioned is automatically made a member of the AD RMS Enterprise Administrators group.

Join additional servers to the AD RMS cluster

Because the configuration database schema has changed for AD RMS on Windows Server 2008 R2, and the remaining Windows Server 2008–based AD RMS servers will no longer process requests, you must immediately replace the remaining Windows Server 2008–based AD RMS servers after the cluster is migrated to the first Windows Server 2008 R2 server. To decrease downtime, we recommend that you have Windows Server 2008 R2 installed on at least half of the servers you will use in the migrated cluster so that you can quickly install AD RMS and join them to the AD RMS cluster at the same time. Additionally, you should ensure that any Secure Sockets Layer (SSL) certificates are imported into the new servers and that your network load balancing (NLB) environment is configured appropriately.

Important

All servers in an AD RMS cluster must be running the same version of Windows Server.

The instructions to prepare new servers are the same as the procedures in Install Windows Server 2008 R2 on a new computer and Install AD RMS and join the computer to the existing AD RMS cluster.

To upgrade existing servers in the AD RMS cluster, follow the instructions in Upgrade an existing AD RMS server to Windows Server 2008 R2 and Run the AD RMS Upgrade wizard.

Performing the upgrade of AD RMS on Windows Server 2008 to Windows Server 2008 R2

Follow the tasks in Checklist: Upgrading AD RMS on Windows Server 2008 to Windows Server 2008 R2 to perform an in-place upgrade of AD RMS on Windows Server 2008 to Windows Server 2008 R2.

When these tasks have been completed, perform the tasks in Checklist: Completing the migration or upgrade of AD RMS.

Checklist: Upgrading AD RMS on Windows Server 2008 to Windows Server 2008 R2

Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Checklist: Upgrading AD RMS on Windows Server 2008 to Windows Server 2008 R2

Task Reference

On an existing AD RMS server in the cluster, upgrade to Windows Server 2008 R2.

Upgrade an existing AD RMS server to Windows Server 2008 R2

Upgrade the AD RMS cluster to Windows Server 2008 R2.

Run the AD RMS Upgrade wizard

Upgrade the remaining AD RMS servers in the cluster to Windows Server 2008 R2.

Upgrade remaining AD RMS servers to Windows Server 2008 R2


If you installed a Multilanguage User Interface (MUI) language pack and changed the display UI before adding the AD RMS server role on a server running Windows Server 2008, you must reinstall the same MUI language pack and set the display UI to the same language before upgrading AD RMS. You must do this after upgrading the operating system to Windows Server 2008 R2 but before running the AD RMS Upgrade wizard. Failing to do so can cause the AD RMS cluster to stop functioning.

Upgrade an existing AD RMS server to Windows Server 2008 R2

The first step in performing an in-place upgrade of a Windows Server 2008–based AD RMS cluster to Windows Server 2008 R2 is to install Windows Server 2008 R2 on one AD RMS server in the cluster.

1. On the AD RMS server to be upgraded, log on with a user account that is a member of the local Administrators group.

2. Insert the Windows Server 2008 R2 product CD, and then click Install now.

3. If your server is connected to the Internet, click Go online to get the latest updates for installation. If the server is not connected to the Internet, click Do not get the latest updates for installation.

4. Enter the product key provided with your copy of Windows Server 2008 R2, and then click Next.

5. Select the I accept the license terms check box, and then click Next.

6. Click Upgrade.

7. On the Compatibility Report page, click Next.

8. When the installation is complete, the AD RMS server will be restarted.

Run the AD RMS Upgrade wizard

The AD RMS Upgrade Wizard must be completed after the operating system is upgraded to Windows Server 2008 R2. If you do not run the AD RMS Upgrade Wizard, your AD RMS infrastructure will not function. It is only necessary to run the AD RMS Upgrade Wizard on the first computer that you upgrade to Windows Server 2008 R2.

Important

If you are using a hardware security module (HSM) to protect the cluster's private key, you must install the Windows Server 2008 R2 version of the HSM drivers before starting the AD RMS Upgrade Wizard.

To run the AD RMS Upgrade Wizard

1. Log on to the AD RMS server that was just upgraded to Windows Server 2008 R2 with a user account that is a member of the local Administrators group and that is a member of the System Administrators database role, or equivalent, on the database server.

2. Click Start, point to Administrative Tools, and then click Server Manager.

3. Expand Roles, and then click Active Directory Rights Management Services.

4. In the results pane, click Complete Installation of Active Directory Rights Management Services.

5. On the Upgrading Active Directory Rights Management Services page, click Next.

6. Type the service account password in the Password and Confirm password boxes, and then click Next.

7. If AD RMS is managing the cluster's private key, on the Provide AD RMS Private Key Password page, type the AD RMS private key password in the Password and Confirm password boxes, and then click Next.

8. On the Confirm Installation Options page, click Next.

9. After the installation has finished, click Close.

Note

If the Identity Federation Support role service was installed and configured before you performed the upgrade, you must remove and then reinstall Identity Federation Support after running the AD RMS Upgrade wizard. If you do not, federation support will stop functioning.

Upgrade remaining AD RMS servers to Windows Server 2008 R2

Because the configuration database schema has changed for AD RMS on Windows Server 2008 R2, and the remaining Windows Server 2008–based AD RMS servers will no longer process requests, you must immediately upgrade the remaining AD RMS servers in the cluster to Windows Server 2008 R2. To decrease downtime, we recommend that you have Windows Server 2008 R2 installed on at least half of the servers you will use in the upgraded cluster so that you can quickly upgrade AD RMS on them.

All servers in an AD RMS cluster must be running the same version of Windows Server.

The instructions to upgrade the remaining servers are the same as the procedures in Upgrade an existing AD RMS server to Windows Server 2008 R2 and Run the AD RMS Upgrade wizard.

Completing the migration or upgrade of AD RMS

After you have performed all the tasks in either Performing the migration of AD RMS on Windows Server 2008 to Windows Server 2008 R2 or Performing the upgrade of AD RMS on Windows Server 2008 to Windows Server 2008 R2, perform the tasks in Checklist: Completing the migration or upgrade of AD RMS to complete the migration or upgrade of AD RMS from Windows Server 2008 to Windows Server 2008 R2.

Checklist: Completing the migration or upgrade of AD RMS

Complete the tasks in this checklist in the order in which they are presented. If a reference link takes you to a conceptual topic, return to this checklist after you review the conceptual topic so that you can proceed with the remaining tasks.

Checklist: Completing the migration or upgrade of AD RMS

Task Reference

If you are using a CNAME record for your AD RMS cluster name, you must update it to reflect the new AD RMS server name.

Update cluster URL CNAME record

Verify that the cluster migration or upgrade was successful by opening the AD RMS console.

Verify successful cluster migration

Verify that AD RMS-enabled clients can connect to the AD RMS cluster by browsing to the AD RMS certification pipeline.

Verify AD RMS client connectivity

Update cluster URL CNAME record

We recommend that you use a Domain Name Service (DNS) CNAME record for the AD RMS cluster URL. If a CNAME record is used and the AD RMS server name changes, you can update the cluster URL CNAME record to point to the new server name. Otherwise, you must reprovision AD RMS with the new cluster URL.

To update the AD RMS cluster URL CNAME record

1. Log on as a member of the Domain Admins group to a DNS server.

2. Click Start, point to All Programs, and then click DNS.

3. Expand Forward Lookup Zones, and then expand the zone for your domain.

4. In the Results pane, right-click the CNAME record for the AD RMS cluster URL, and then click Properties.

5. In the Fully qualified domain name (FQDN) for target host box, click Browse, type the new domain name of the AD RMS server, and then click OK.
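The CNAME change can be scripted with dnscmd.exe and, more importantly, checked: a mistyped target silently sends every client to the wrong host. The following is an added example, not part of the guide; it assumes the DNS Server tools (dnscmd.exe) are installed, that it runs as a Domain Admin, and that the DNS server, zone, cluster host name and new target are placeholders.

```powershell
# Added example (not from the guide): repoint the AD RMS cluster CNAME and confirm resolution.
# Assumptions: dnscmd.exe available, run as a Domain Admin. All names are placeholders.
$DnsServer   = "dns01.contoso.com"    # placeholder: a DNS server hosting the zone
$Zone        = "contoso.com"          # placeholder
$ClusterHost = "adrms"                # placeholder: host label of the cluster URL (adrms.contoso.com)
$NewTarget   = "adrms02.contoso.com"  # placeholder: new Windows Server 2008 R2 AD RMS server

# A name can hold only one CNAME, so remove the old record first (/f suppresses the prompt),
# then add the new one. The trailing dot makes the target an absolute FQDN.
& dnscmd.exe $DnsServer /RecordDelete $Zone $ClusterHost CNAME /f
if ($LASTEXITCODE -ne 0) { throw "Could not delete the existing CNAME for $ClusterHost.$Zone" }
& dnscmd.exe $DnsServer /RecordAdd $Zone $ClusterHost CNAME "$NewTarget."
if ($LASTEXITCODE -ne 0) { throw "Could not add CNAME $ClusterHost.$Zone -> $NewTarget" }

# Verify from this host: flush the local resolver cache, then the cluster name must resolve to
# exactly the addresses of the new target.
ipconfig /flushdns | Out-Null
$clusterIps = [System.Net.Dns]::GetHostAddresses("$ClusterHost.$Zone") |
    ForEach-Object { $_.IPAddressToString } | Sort-Object
$targetIps  = [System.Net.Dns]::GetHostAddresses($NewTarget) |
    ForEach-Object { $_.IPAddressToString } | Sort-Object
if (Compare-Object $clusterIps $targetIps) {
    throw "$ClusterHost.$Zone resolves to [$($clusterIps -join ', ')] but $NewTarget is [$($targetIps -join ', ')]"
}
Write-Host "$ClusterHost.$Zone now resolves to $NewTarget ($($targetIps -join ', '))"
```

Clients and other DNS servers keep the old answer until the previous record's TTL expires, so expect a window in which some clients still reach the old server; lowering the TTL ahead of the migration shortens it.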

Verify AD RMS client connectivity

You can verify that the AD RMS-enabled clients can connect to the AD RMS cluster by browsing to the certification pipeline by using Internet Explorer.

1. Log on to an AD RMS-enabled client.

2. Click Start, and then click Internet.

3. In the address bar, type the following, and then press ENTER:

http(s)://<adrms_cluster_url>/_wmcs/certification/certification.asmx

4. The certification pipeline should open successfully without error or certification prompts. If you encounter a credential prompt, add the AD RMS cluster URL to the Local Intranet security zone and try again.
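For checking many clients, or for a scheduled check after the migration, the browser test above can be expressed as a script that requests the certification pipeline with the logged-on user's Windows credentials and reports the outcome the guide describes: success, a credential prompt (HTTP 401, which points at the Local intranet zone setting), or an unexpected error. This is an added example and not part of the guide; it uses System.Net.HttpWebRequest so that it runs on the PowerShell 2.0 shipped with Windows Server 2008 R2 and Windows 7, and the cluster URL is a placeholder.

```powershell
# Added example (not from the guide): request the AD RMS certification pipeline as the current
# user and classify the response. $ClusterUrl is a placeholder for your cluster URL.
$ClusterUrl = "https://adrms.contoso.com"
$Pipeline   = "$ClusterUrl/_wmcs/certification/certification.asmx"

$req = [System.Net.HttpWebRequest]::Create($Pipeline)
$req.UseDefaultCredentials = $true   # integrated Windows authentication, as Internet Explorer uses in the Local intranet zone
$req.Timeout = 15000                 # milliseconds

$status = $null
try {
    $resp = $req.GetResponse()
    $status = [int]$resp.StatusCode
    $resp.Close()
}
catch [System.Net.WebException] {
    # A 4xx/5xx answer arrives as a WebException that still carries the HTTP response;
    # a missing response means the host was unreachable, the name did not resolve, or TLS failed.
    $ex = $_.Exception
    if ($ex.Response) { $status = [int]$ex.Response.StatusCode }
    else { throw "No response from $Pipeline : $($ex.Message)" }
}

switch ($status) {
    200     { Write-Host "OK: certification pipeline reachable at $Pipeline" }
    401     { throw "401 Unauthorized from $Pipeline : the client was not authenticated. Add $ClusterUrl to the Local intranet zone and retry." }
    default { throw "Unexpected HTTP status $status from $Pipeline" }
}
```

A 200 response here confirms name resolution, the TLS certificate (for https), IIS, and integrated authentication on the migrated cluster in one step, which is the same set of conditions the browser test exercises.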

Verify successful cluster migration

When the Active Directory Rights Management Services console is opened, the AD RMS cluster is queried and then displayed in the console. If the AD RMS cluster was not migrated or upgraded properly, the Active Directory Rights Management Services console will not open correctly.

1. Log on to a server in the AD RMS cluster.

2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

4. Verify that the Active Directory Rights Management Services console opens without error.
