Useful Command Line Tools for Managing AD Environment

01. DNSCMD -
This command-line tool assists administrators in Domain Name System (DNS) management.



Refer to :

Souce: http://technet.microsoft.com/en-us/library/cc778513%28WS.10%29.aspx 

02. DCPROMO -
Installs and removes Active Directory Domain Services (AD DS).
For examples of how to use dcpromo, see Examples.
Source: http://technet.microsoft.com/en-us/library/cc732887%28WS.10%29.aspx

Implementing Windows Server 2008 File System Quotas

Refer to this link to read about File Server Resource Manager:

http://www.simple-talk.com/sysadmin/exchange/implementing-windows-server-2008-file-system-quotas/

Wbadmin start recovery - Command Syntax

Note
This subcommand applies only to Windows Server 2008.

To perform a recovery with this subcommand, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. In addition, you must run wbadmin from an elevated command prompt. (To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.)
For examples of how to use this subcommand, see Examples.

Syntax

Copy

wbadmin start recovery
-version:<VersionIdentifier>
-items:{<VolumesToRecover> | <AppsToRecover> | <FilesOrFoldersToRecover>}
-itemtype:{Volume | App | File}
[-backupTarget:{<VolumeHostingBackup> | <NetworkShareHostingBackup>}]
[-machine:<BackupMachineName>]
[-recoveryTarget:{<TargetVolumeForRecovery> | <TargetPathForRecovery>}]
[-recursive]
[-overwrite:{Overwrite | CreateCopy | Skip}]
[-notRestoreAcl]
[-skipBadClusterCheck]
[-noRollForward]
[-quiet]

Parameters

 

Parameter	Description
-version	Specifies the version identifier of the backup to recover in MM/DD/YYYY-HH:MM format. If you do not know the version identifier, type wbadmin get versions.
-items	Specifies a comma-delimited list of volumes, applications, files, or folders to recover. If -itemtype is Volume, you can specify only a single volume—by providing the volume drive letter, volume mount point, or GUID-based volume name. If -itemtype is App, you can specify only a single application. To be recovered, the application must have registered with Windows Server Backup. You can also use the value ADIFM to recover an installation of Active Directory. See Remarks in for more information. If -itemtype is File, you can specify files or folders, but they should be part of the same volume and they should be under the same parent folder.
-itemtype	Specifies type of items to recover. Must be Volume, App, or File.
-backupTarget	Specifies the storage location that contains the backup that you want to recover. This parameter is useful when the location is different from where backups of this computer are usually stored.
-machine	Specifies the name of the computer that you want to recover the backup for. This parameter is useful when multiple computers have been backed up to the same location. It should be used when -backupTarget is specified.
-recoveryTarget	Specifies the location to restore to. This parameter is useful if this location is different than the location that was previously backed up. It can also be used for restorations of volumes, files, or applications. If you are restoring a volume, you can specify the volume drive letter of the alternate volume. If you are restoring a file or application, you can specify an alternate recovery location.
-recursive	Valid only when recovering files. Recovers the files in the folders and all files subordinate to the specified folders. By default, only files which reside directly under the specified folders are recovered.
-overwrite	Valid only when recovering files. Specifies the action to take when a file that is being recovered already exists in the same location. Skip causes Windows Server Backup to skip the existing file and continue with recovery of the next file. CreateCopy causes Windows Server Backup to create a copy of the existing file so that the existing file is not modified. Overwrite causes Windows Server Backup to overwrite the existing file with the file from the backup.
-notRestoreAcl	Valid only when recovering files. Specifies to not restore the security access control lists (ACLs) of the files being recovered from the backup. By default, the security ACLs are restored (the default value is true). If this parameter is used, the ACLs for the restored files will be inherited from the location to which the files are being restored.
-skipBadClusterCheck	Valid only when recovering volumes. Skips checking the disks that you are recovering to for bad cluster information. If you are recovering to an alternate server or hardware, we recommend not using this parameter. You can manually run the command chkdsk /b on these disks at any time to check them for bad clusters, and then update the file system information accordingly. Important Until you run chkdsk as described, the bad clusters reported on your recovered system may not be accurate.
-noRollForward	Valid only when recovering applications. Allows for previous point-in-time recovery of an application if the latest version from the backups is selected. For other versions of the application that are not the latest, previous point-in-time recovery is done as the default.
-quiet	Runs the subcommand with no prompts to the user.

Remarks

• To view a list of items that are available for recovery from a specific backup version, use wbadmin get items. If a volume did not have a mount point or drive letter at the time of backup, then this subcommand would return a GUID-based volume name that should be used for recovering the volume.
• When the -itemtype is App, you can use a value of ADIFM for -item to perform an Install from Media operation to recover all the related data needed for Active Directory. ADIFM creates a copy of the Active Directory database, registry, and SYSVOL state, and then saves this information in the location specified by -recoveryTarget. Use this parameter only when -recoveryTarget is specified.

Note
Before using wbadmin to perform an Install from Media operation, you should consider using the ntdsutil command because ntdsutil only copies the minimum amount of data needed, and it uses a more secure data transport method.

Examples

To run a recovery of the backup from March 31, 2005, taken at 9:00 A.M., of volume d:, type:

Copy

wbadmin start recovery -version:03/31/2005-09:00 -itemType:Volume -items:d:

To run a recovery to drive d of the backup from March 31, 2005, taken at 9:00 A.M., of the registry, type:

Copy

wbadmin start recovery -version:03/31/2005-09:00 -itemType:App -items:Registry -recoverytarget:d:\

To run a recovery of the backup from March 31, 2005, taken at 9:00 A.M., of the d:\folder and folders subordinate to d:\folder, type:

Copy

wbadmin start recovery -version:03/31/2005-09:00 -itemType:File -items:d:\folder -recursive

To run a recovery of the backup from March 31, 2005, taken at 9:00 A.M., of the volume \\?\Volume{cc566d14-44a0-11d9-9d93-806e6f6e6963}\, type:

Copy

wbadmin start recovery -version:03/31/2005-09:00 -itemType:Volume 
-items:\\?\Volume{cc566d14-44a0-11d9-9d93-806e6f6e6963}\

To run a recovery of the backup from April 30, 2005, taken at 9:00 A.M., of the shared folder \\servername\share from server01, type:

Copy

wbadmin start recovery -version:04/30/2005-09:00 -backupTarget:\\servername\share -machine:server01 

Source: http://technet.microsoft.com/en-US/library/52381316-a0fa-459f-b6a6-01e31fb21612.aspx

Volume Shadow Copy Service Tools and Settings

In this section

• Volume Shadow Copy Service Tools
  
  
• Volume Shadow Copy Service Registry Entries
  
  
• Volume Shadow Copy Service WMI Classes
  
  
• Related Information
  
  

Volume Shadow Copy Service Tools

The following tools are associated with the Volume Shadow Copy Service.

DiskRaid.exe: RAID Configuration Tool

Category

Windows Server 2003 Resource Kit tool

Version compatibility

Runs on computers running the Windows Server 2003 operating systems.
Enables configuration and management of redundant array of independent (or inexpensive) disks (RAID) storage subsystems.
To find more information about DiskRaid.exe, see “Resource Kit Tools” in the Tools and Settings Collection.

VSSadmin.exe: Volume Shadow Copy Service Administrative Tool

Category

Windows Server 2003 operating system tool

Version compatibility

Runs on computers running the Windows XP or Windows Server 2003 operating systems.
Displays current volume shadow copies and all installed shadow copy writers and providers in the command window. The Windows Server 2003 version of this command contains more parameters than the one that is in Windows XP.
To find more information about VSSadmin.exe, see “Command Line References” in the Tools and Settings Collection.

VolPerf.exe: Shadow Copy Performance Counters

Category

Windows Server 2003 Resource Kit tool

Version compatibility

Runs on computers running any of the Windows Server 2003 operating systems.
Enables administrators to use System Monitor to monitor their shadow copies.
To find more information about Volperf.exe, see “Resource Kit Tools” in the Tools and Settings Collection.

VolRest.exe: Shadow Copies for Shared Folders Restore Tool

Category

Windows Server 2003 Resource Kit tool

Version compatibility

Runs on computers running the Windows XP or Windows Server 2003 operating systems.
Searches for and restores previous file versions from shared folders that are protected by the Shadow Copies for Shared Folders feature. With VolRest, administrators can browse or restore previous versions of one or multiple files that are stored on a server where Shadow Copies for Shared Folders has been enabled.
To find more information about Volrest.exe, see “Resource Kit Tools” in the Tools and Settings Collection.

Vrfydsk.exe: Verify Disk

Category

Windows Server 2003 Resource Kit tool

Version compatibility

Runs on computers running Windows Server 2003 operating systems.
Checks the consistency and integrity of the file system (FAT or NTFS) on a specified volume. It creates and displays a status report for the volume based on the file system and also lists the errors on that volume, if any. However, if any errors are discovered, VrfyDsk cannot correct them. To correct these errors, run Chkdsk in fix mode.
To find more information about Vrfydsk.exe, see “Resource Kit Tools” in the Tools and Settings Collection.

Volume Shadow Copy Service Registry Entries

The following registry entries are associated with Volume Shadow Copy Service.
The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

VSS

The following registry entry is located under \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS.

VssAccessControl

Registry path

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl

Version

Windows Server 2003
Enables or prevents a writer from using a specific user account.
In order for any writer to use the VSS infrastructure, the writer must run under an account that is a member of the local Administrators or Backup Operators group on the local computer. For example, a writer running under the Local System account meets this requirement. This is true for the vast majority of writers.
You can, however, enable a writer to use a specific user account by adding the appropriate registry entry. You can also prevent a writer from using a specific user account.
To enable a writer to use a specific user account, add a REG_DWORD entry with the name equal with the user name. Set the value of the registry entry to 1 (one).
To prevent a writer from using a specific user account, add a REG_DWORD entry with the name equal with the user name. Set the value of the registry entry to 0 (zero).

VOLSNAP

The following registry entry is located under \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VOLSNAP.

MinDiffAreaFileSize

Registry path

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VOLSNAP\MinDiffAreaFileSize

Version

Windows Server 2003
Controls the initial size of the shadow copy storage area for each snapshot. The MinDiffAreaFileSize registry key uses the REG_DWORD data type.
The MinDiffAreaFileSize registry key specifies the minimum size of the shadow copy storage area. The default size of the shadow copy storage area is 300 MB, and the maximum size is 3 gigabytes (GB). For an accurate setting, specify a value that is a multiple of 300 MB. Otherwise, the next multiple of 300 MB will be used. A value of 300 is equal to 300 MB, and a value of 3,000 is equal to 3 GB.
Shadow copies might not function correctly if the value of the MinDiffAreaFileSize registry key is larger than the maximum size of the shadow copy storage area. Before you change this registry entry, run the vssadmin list shadowstorage command. Make sure that the shadow copy storage area is larger than 300 MB or that the shadow copy storage area is larger than the value that is set in the registry. Also, make sure that you have at least 300 MB of free space on the shadow copy storage volume.

Volume Shadow Copy Service WMI Classes

The following table lists and describes the WMI classes that are associated with the Volume Shadow Copy Service.
WMI Classes Associated with Volume Shadow Copy Service

 

Class Name	Namespace	Version Compatibility
Win32_ShadowBy	\root\cimv2	Windows Server 2003 family
Win32_ShadowContext	\root\cimv2	Windows Server 2003 family
Win32_ShadowCopy	\root\cimv2	Windows Server 2003 family
Win32_ShadowDiffVolumeSupport	\root\cimv2	Windows Server 2003 family
Win32_ShadowFor	\root\cimv2	Windows Server 2003 family
Win32_ShadowOn	\root\cimv2	Windows Server 2003 family
Win32_ShadowProvider	\root\cimv2	Windows Server 2003 family
Win32_ShadowStorage	\root\cimv2	Windows Server 2003 family
Win32_ShadowVolumeSupport	\root\cimv2	Windows Server 2003 family
Win32_Volume	\root\cimv2	Windows Server 2003 family

How to use Group Policy to remotely install software in Windows Server 2003 and in Windows Server 2008

This step-by-step article describes how to use Group Policy to automatically distribute programs to client computers or users. You can use Group Policy to distribute computer programs by using the following methods:

• Assigning Software
  You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is finalized. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is finalized.
• Publishing Software
  You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.

Note Windows Server 2003 Group Policy automated-program installation requires client computers that are running Microsoft Windows 2000 or later.

Back to the top

Create a Distribution Point

To publish or assign a computer program, you must create a distribution point on the publishing server:

1. Log on to the server computer as an administrator.
2. Create a shared network folder where you will put the Microsoft Windows Installer package (.msi file) that you want to distribute.
3. Set permissions on the share to allow access to the distribution package.
4. Copy or install the package to the distribution point. For example, to distribute Microsoft Office XP, run the administrative installation (setup.exe /a) to copy the files to the distribution point.

Back to the top

Create a Group Policy Object

To create a Group Policy object (GPO) to use to distribute the software package:

1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, and then click New.
4. Type a name for this new policy (for example, Office XP distribution), and then press ENTER.
5. Click Properties, and then click the Security tab.
6. Click to clear the Apply Group Policy check box for the security groups that you want to prevent from having this policy applied.
7. Click to select the Apply Group Policy check box for the groups that you want this policy to apply to.
8. When you are finished, click OK.

Back to the top

Assign a Package

To assign a program to computers that are running Windows Server 2003, Windows 2000, or Microsoft Windows XP Professional, or to users who are logging on to one of these workstations:

1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, select the group policy object that you want, and then click Edit.
4. Under Computer Configuration, expand Software Settings.
5. Right-click Software installation, point to New, and then click Package.
6. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi.
   
   Important Do not use the Browse button to access the location. Make sure that you use the UNC path to the shared installer package.
7. Click Open.
8. Click Assigned, and then click OK. The package is listed in the right pane of the Group Policy window.
9. Close the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
10. When the client computer starts, the managed software package is automatically installed.

Back to the top

Publish a Package

To publish a package to computer users and make it available for installation from the Add or Remove Programs tool in Control Panel:

1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, click the group policy object that you want, and then click Edit.
4. Under User Configuration, expand Software Settings.
5. Right-click Software installation, point to New, and then click Package.
6. In the Open dialog box, type the full UNC path of the shared installer package that you want. For example, \\file server\share\file name.msi.
   
   Important Do not use the Browse button to access the location. Make sure that you use the UNC path to the shared installer package.
7. Click Open.
8. Click Publish, and then click OK.
9. The package is listed in the right pane of the Group Policy window.
10. Close the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
11. Test the package:
    
    Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.
    1. Log on to a workstation that is running Windows 2000 Professional or Windows XP Professional by using an account that you published the package to.
    2. In Windows XP, click Start, and then click Control Panel.
    3. Double-click Add or Remove Programs, and then click Add New Programs.
    4. In the Add programs from your network list, click the program that you published, and then click Add. The program is installed.
    5. Click OK, and then click Close.

Back to the top

Redeploy a Package

In some cases you may want to redeploy a software package. For example, if you upgrade or modify the package. To redeploy a package:

1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, click the Group Policy object that you used to deploy the package, and then click Edit.
4. Expand the Software Settings container that contains the software installation item that you used to deploy the package.
5. Click the software installation container that contains the package.
6. In the right pane of the Group Policy window, right-click the program, point to All Tasks, and then click Redeploy application. You will receive the following message:
   Redeploying this application will reinstall the application everywhere it is already installed. Do you want to continue?
7. Click Yes.
8. Quit the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.

Back to the top

Remove a Package

To remove a published or assigned package:

1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, click the Group Policy object that you used to deploy the package, and then click Edit.
4. Expand the Software Settings container that contains the software installation item that you used to deploy the package.
5. Click the software installation container that contains the package.
6. In the right pane of the Group Policy window, right-click the program, point to All Tasks, and then click Remove.
7. Do one of the following:
   • Click Immediately uninstall the software from users and computers, and then click OK.
   • Click Allow users to continue to use the software but prevent new installations, and then click OK.
8. Quit the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.

Back to the top

Troubleshoot

Published Packages Are Displayed on a Client Computer After You Use a Group Policy to Remove Them

This situation can occur when a user has installed the program but has not used it. When the user first starts the published program, the installation is finalized. Group Policy then removes the program.

Source: http://support.microsoft.com/kb/816102

Password Replication Policy Administration

Applies To: Windows Server 2008
This section provides procedures for the following administrative tasks that are related to Password Replication Policy for an RODC:

• Configure the Password Replication Policy for an RODC
  
  
• View Current Credentials That Are Cached on an RODC
  
  
• Review Whose Accounts Have Been Authenticated to an RODC
  
  
• Prepopulate the password cache for an RODC
  
  
• Reset the Current Credentials That Are Cached on an RODC If It Is Stolen

Configure the Password Replication Policy for an RODC

Administrative credentials
To configure the Password Replication Policy for an RODC, you must be a member of the Domain Admins group.

To configure the Password Replication Policy for an RODC

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   
2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
   
3. In the details pane, right-click the RODC computer account, and then click Properties.
   
4. Click the Password Replication Policy tab, as shown in the following figure.
   
5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed List and the Denied List on the RODC. To add other groups that should be included in either the Allowed List or the Denied List, click Add. To add other accounts that will not have credentials cached on the RODC, click Deny. To add other accounts that will have credentials cached on the RODC, click Allow.
   Accounts that will not have credentials cached on the RODC can still use the RODC for domain logon. The credentials, however, will not be cached for subsequent logon using the RODC.
   

View current credentials that are cached on an RODC

By default, the only credentials that are cached on an RODC are for the computer account of the RODC itself and a krbtgt account.
Administrative credentials
Any domain user can view current credentials that are cached on an RODC.

To view current credentials that are cached on an RODC

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   
2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
   
3. In the details pane, right-click the RODC computer account, and then click Properties.
   
4. Click the Password Replication Policy tab.
   
5. Click Advanced.
   
6. In the drop-down list, click Accounts whose passwords are stored on this Read-only Domain Controller, as shown in the following illustration.
   

Review whose accounts have attempted to authenticate to an RODC

Periodically, you should review whose accounts have tried to authenticate to an RODC. This information can help you plan updates that you intend to make to the existing Password Replication Policy. For example, look at which user and computer accounts have tried to authenticate to an RODC so that you can add those accounts to the Allowed List. After their credentials are cached on the RODC, the accounts can be authenticated by the RODC in the branch office when the wide area network (WAN) to the hub site is offline.
You can use the repadmin /prp move command to automatically move accounts that try to authenticate to an RODC to the Allowed List for that RODC. For more information, see Repadmin /prp (http://go.microsoft.com/fwlink/?LinkId=112118).
Administrative credentials
Any domain user can view which user and computer accounts have authenticated to an RODC.

To review the accounts that have been authenticated to an RODC

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   
2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
   
3. In the details pane, right-click the RODC computer account, and then click Properties.
   
4. Click the Password Replication Policy tab.
   
5. Click Advanced.
   
6. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.
   

Prepopulate the password cache for an RODC

You can prepopulate the password cache for an RODC with the passwords of user and computer accounts that you plan to authenticate to it. When you prepopulate the RODC password cache, you trigger the RODC to replicate and cache the passwords for users and computers before the accounts try to log on in the branch office.
Prepopulating the password cache helps ensure that a user can log on to the network in the branch office, even if the WAN link to the data center is offline. For example, suppose that a user who normally works in the data center travels to a branch office and attempts to log on there with a laptop. The RODC contacts the writable domain controller in the data center. If the Password Replication Policy allows it, the RODC caches the password. However, if the WAN link is offline when the user attempts to log on, then the logon attempt fails because the RODC has not yet replicated the password for the account.
To avoid this problem, you can prepopulate the password cache of the RODC in the branch office with the password of the user and the laptop. This eliminates the need for the RODC to replicate the password from the Windows Server 2008 domain controller over the WAN link.
In addition, prepopulating the password cache is a good idea if you build an RODC in a central location, such as in a data center, before you transport the RODC to the branch office. By prepopulating the password cache with the users and computers who will log on in the branch office, the RODC can authenticate those accounts without contacting the Windows Server 2008 domain controller over the WAN link.
You can prepopulate the cache only for accounts that the Password Replication Policy allows to be cached. If you try to prepopulate a password of an account that the Password Replication Policy does not allow to be cached, the operation fails.
You can prepopulate the password cache for an RODC by using Active Directory Users and Computers or by using the Repadmin command-line tool.
Administrative credentials
To prepopulate the password cache for an RODC, you must be a member of the Domain Admins group.

To prepopulate the password cache for an RODC by using Active Directory Users and Computers

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   
2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
   
3. In the details pane, right-click the RODC computer account, and then click Properties.
   
4. Click the Password Replication Policy tab.
   
5. Click Advanced.
   
6. Click Prepopulate Passwords.
   
7. Type the name of the accounts whose passwords you want to prepopulate in the cache for the RODC, and then click OK.
   
8. When you are asked if you want to send the passwords for the accounts to the RODC, click Yes.
   

To prepopulate the password cache for an RODC by using the Repadmin command-line tool

1. Log on to a writable domain controller that is running Windows Server 2008.
   
2. Click Start, right-click Command Prompt, and then click Run as administrator.
   
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
   
4. Type the following command. and then press ENTER:
   repadmin /rodcpwdrepl [DSA_List] <Hub DC> <User1 Distinguished Name> [<Computer1 Distinguished Name> <User2 Distinguished Name> …]
   In the command, use the values from the following table.
   

    

   Placeholder	Value
   DSA_List	The name of the RODC whose password cache you want to prepopulate.
   Hub DC	The name of the writable Windows Server 2008 domain controller that is the replication partner of the RODC.
   User1, Computer1, ….	The names of the user and computers whose passwords you want to cache on the RODC. You must add the computer accounts of the users or they cannot log on.

   For example, the following command prepopulates the password cache for RODC15 with the passwords for Mike Danseglio and his computer, MikeDanLaptop. The hub domain controller is named HUBDC12.
   Repadmin /rodcpwdrepl RODC15 HUBDC12 CN=MikeDan,OU=DatacenterUsers,DC=contoso,DC=com CN= MikeDanLaptop,OU=DatacenterComputers,DC=contoso,DC=com
   

Reset the current credentials that are cached on an RODC if it is stolen

Administrative credentials
To reset the current credentials that are cached on an RODC, you must be a member of the Domain Admins group.

To reset the current credentials that are cached on an RODC if it is stolen

1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
   
2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
   
3. In the details pane, right-click the RODC computer account, and then click Delete.
   
4. To confirm the deletion, click Yes.
   
5. In the Deleting Active Directory Domain Controller dialog box, select the Reset all passwords for user accounts that were cached on this read-only domain controller check box, as shown in the following figure. As an option, you can also select the Export the list of accounts that were cached on this read-only domain controller to this file check box to create a list of user accounts whose passwords must be reset after the RODC account is deleted. That list of accounts is not available after the RODC account is deleted.
    

Source: http://technet.microsoft.com/en-us/library/cc753470%28WS.10%29.aspx

Real Admin Tips

01. After using 'Telnet' command to check server reponse, it's sometimes a pain to completly get out of the telnet terminal. I found a short cut key combination to quit from Telnet.

Use 'Ctrl plus [' key combination to exit from telnet and enter 'quit' or 'q' to get back to the pervious command lines.

Posted by: Khaleel M Ismail

02. .In order to run 'Restore' wizard in case of Computer Crash or failiure, you can reboot the computer and restart the computer by pressing 'F8' to go to advanced options. Select 'Safe Mode with Command prompt' option.
Once computer started on safe mode with command window open, enter the command as
C:\windows\system32\rstrui.exe to run 'Restore' wizard from command prompt.

Posted by: Khaleel M Ismail

AD LDS Getting Started Step-by-Step Guide

Updated: September 7, 2007
Applies To: Windows Server 2008
Active Directory® Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is a Lightweight Directory Access Protocol (LDAP) directory service that provides data storage and retrieval support for directory-enabled applications, without the dependencies that are required for the Active Directory Domain Services (AD DS). You can run multiple instances of AD LDS concurrently on a single computer, with an independently managed schema for each AD LDS instance.
For additional information about AD LDS, see Active Directory Lightweight Directory Services Overview (http://go.microsoft.com/fwlink/?LinkId=96084).
For more information about configuring ADAM, see Step-by-Step Guide to Deploying ADAM (http://go.microsoft.com/fwlink/?LinkId=96083).

Note

If you install security update 951746 on your Windows Server 2008 R2–based and Windows Server 2008–based computers, the Domain Name System (DNS) server’s method of port allocation changes, and this change might prevent AD LDS from obtaining the port that it requires to function correctly. For more information, see article 959215 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=157712).

About this guide

This guide describes the processes for setting up AD LDS and getting it running. You can use the procedures in this guide to install AD LDS on servers that are running the Windows Server® 2008 operating system in a small test lab environment.
As you complete the steps in this guide, you will be able to:

• Install the AD LDS server role and practice working with AD LDS instances.
  
• Practice using AD LDS administration tools.
  
• Practice creating and managing organizational units (OUs), groups, and users in AD LDS.
  
• Practice creating and deleting AD LDS application directory partitions.
  
• View, grant, and deny AD LDS user permissions.
  
• Practice binding to an AD LDS instance in several ways.
  
• Practice managing AD LDS configuration sets.
  

Note
To maximize your chances of successfully completing the objectives of this guide, it is important that you follow the steps in this guide in the order in which they are presented.

Requirements

Before you start using the procedures in this guide, do the following regarding your system requirements:

• Have available at least one test computer on which you can install AD LDS. For the purposes of following the exercises in this guide, install AD LDS on computers running Windows Server 2008.
  
• Log on to Windows Server 2008 with an administrator account.
  
• For the purposes of this guide, you can install replica AD LDS instances on your first test computer or you can install them on a second computer, if you have a second computer available.
  

Steps for getting started with AD LDS

The following sections provide step-by-step instructions for setting up AD LDS. These sections provide both graphical user interface (GUI) and command-line methods for backing up and restoring AD LDS, where applicable.

• Step 1: Install the AD LDS Server Role
  
  
• Step 2: Practice Working with AD LDS Instances
  
  
• Step 3: Practice Using AD LDS Administration Tools
  
  
• Step 4: Practice Managing AD LDS Organizational Units, Groups, and Users
  
  
• Step 5: Practice Working with Application Directory Partitions
  
  
• Step 6: Practice Managing Authorization
  
  
• Step 7: Practice Managing Authentication
  
  
• Step 8: Practice Managing Configuration Sets

Source: http://technet.microsoft.com/en-us/library/cc770639%28WS.10%29.aspx

All About AD RMS - Step By Step

About This Guide

This step-by-step walks you through the process of setting up a working Active Directory Rights Management Services (AD RMS) infrastructure in a test environment. During this process you create an Active Directory® domain, install a database server, install the AD RMS server role, configure the AD RMS cluster, and configure the AD RMS-enabled client computer.
Once complete, you can use the test lab environment to learn about AD RMS technology on Windows Server® 2008 and assess how it might be deployed in your organization.
As you complete the steps in this guide, you will:

• Prepare the AD RMS infrastructure.
  
• Install and configure AD RMS.
  
• Verify AD RMS functionality after you complete the configuration.
  

The goal of an AD RMS deployment is to be able to protect information, no matter where it goes. Once AD RMS protection is added to a digital file, the protection stays with the file. By default, only the content owner is able to remove the protection from the file. The owner grants rights to other users to perform actions on the content, such as the ability to view, copy, or print the file. For more information about the business reasons behind an AD RMS deployment, see the white paper "Windows Rights Management Services: Helping Organizations Safeguard Digital Information from Unauthorized Use" (http://go.microsoft.com/fwlink/?LinkId=64636).

Note
This guide is considered the basic AD RMS step-by-step guide. All other step-by-step guides developed for AD RMS will assume that this guide has been completed first.

What This Guide Does Not Provide

This guide does not provide the following:

• An overview of AD RMS. For more information about the advantages that AD RMS can bring to your organization, see http://go.microsoft.com/fwlink/?LinkId=84726.
  
• Guidance for setting up and configuring AD RMS in a production environment
  
• Complete technical reference for AD RMS
  

Deploying AD RMS in a Test Environment

We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server features without additional deployment documentation and should be used with discretion as a stand-alone document.
Upon completion of this step-by-step guide, you will have a working AD RMS infrastructure. You can then test and verify AD RMS functionality as follows:

• Restrict permissions on a Microsoft Office Word 2007 document
  
• Have an authorized user open and work with the document.
  
• Have an unauthorized user attempt to open and work with the document.
  

The test environment described in this guide includes four computers connected to a private network and using the following operating systems, applications, and services:

 

Computer Name	Operating System	Applications and Services
ADRMS-SRV	Windows Server 2008	AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing
CPANDL-DC	Windows Server 2008 or Windows Server 2003 with Service Pack 2 (SP2) Note Service Pack 2 for Windows Server 2003 is not required but will be used for the purposes of this guide.	Active Directory, Domain Name System (DNS)
ADRMS-DB	Windows Server 2003 with SP2 Note Service Pack 2 for Windows Server 2003 is not required but will be used for the purposes of this guide.	Microsoft SQL Server® 2005 Standard Edition with Service Pack 2 (SP2) Note Service Pack 2 for SQL Server 2005 Standard Edition is not required but will be used for the purposes of this guide.
ADRMS-CLNT	Windows Vista®	Microsoft Office Word 2007 Enterprise Edition

Note
For more information about the system requirements for installing AD RMS, see http://go.microsoft.com/fwlink/?LinkId=84733.

The computers form a private intranet and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment if desired. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the domain named cpandl.com. The following figure shows the configuration of the test environment:
 

 

 

Step 1: Setting up the Infrastructure

Applies To: Windows Server 2008
To prepare your AD RMS test environment in the CPANDL domain, you must complete the following tasks:

• Configure the domain controller (CPANDL-DC)
  
  
• Configure the AD RMS database computer (ADRMS-DB)
  
  
• Configure the AD RMS root cluster computer (ADRMS-SRV)
  
  
• Configure the AD RMS client computer (ADRMS-CLNT)
  
  

Use the following table as a reference when setting up the appropriate computer names, operating systems, and network settings that are required to complete the steps in this guide.

Important
Before you configure your computers with static Internet Protocol (IP) addresses, we recommend that you first complete Windows product activation while each of your computers still has Internet connectivity. You should also install any available critical security updates from Windows Update (http://go.microsoft.com/fwlink/?LinkID=47370).

 

Computer name	Operating system requirement	IP settings	DNS settings
CPANDL-DC	Windows Server 2003 with Service Pack 2 (SP2) or Windows Server® 2008	IP address: 10.0.0.1 Subnet mask: 255.255.255.0	Configured by DNS server role.
ADRMS-SRV	Windows Server 2008	IP address: 10.0.0.2 Subnet mask: 255.255.255.0	Preferred: 10.0.0.1
ADRMS-DB	Windows Server 2003 with SP2	IP address: 10.0.0.3 Subnet mask: 255.255.255.0	Preferred: 10.0.0.1
ADRMS-CLNT	Windows Vista	IP address 10.0.0.4 Subnet mask: 255.255.255.0	Preferred: 10.0.0.1

Configure the domain controller (CPANDL-DC)

Depending on your environment, you may evaluate AD RMS in Windows Server 2008 or Windows Server 2003 domain. Use the appropriate section to configure the domain controller, depending on the type of domain to be used, and then configure user accounts and groups.

Configure a Windows Server 2003–based domain controller

To configure the domain controller CPANDL-DC using Windows Server 2003, you must:

• Install Windows Server 2003 with SP2.
  
• Configure TCP/IP properties.
  
• Install Active Directory.
  
• Raise the Active Directory domain functional level to Windows Server 2003.
  
• Create user accounts.
  
• Create groups for the user accounts.
  

For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups.
First, install Windows Server 2003 with SP2 on a stand-alone server.

To install Windows Server 2003 Standard Edition

1. Start your computer by using the Windows Server 2003 product CD. (You can use any edition of Windows Server 2003 except the Web Edition to establish the domain.)
   
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type CPANDL-DC.
   

Next, configure TCP/IP properties so that CPANDL-DC has a static IP address of 10.0.0.1. In addition, configure 10.0.0.1 as the IP address for the DNS server.

To configure TCP/IP properties on CPANDL-DC

1. Log on to CPANDL-DC as a member of the local Administrators group.
   
2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click Properties.
   
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
   
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.1. In the Subnet mask box, type 255.255.255.0.
   
5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
   

Next, configure the computer as a domain controller.

To configure CPANDL-DC as a domain controller

1. Click Start, and then click Run. In the Open box, type dcpromo, and then click OK.
   
2. On the Welcome page of the Active Directory Installation Wizard, click Next.
   
3. Click the Domain controller for a new domain option, and then click Next.
   
4. Click the Domain in a new forest option, and then click Next.
   
5. Click the No, just install and configure DNS on this computer option, and then click Next.
   
6. In the Full DNS name for new domain box, type cpandl.com, and then click Next.
   
7. In the Domain NetBIOS name box, type CPANDL, and then click Next three times.
   
8. Select the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option, and then click Next.
   
9. In the Restore Mode Password and Confirm password boxes, type a strong password. Click Next.
   
10. Click Next again.
    
11. When the Active Directory Installation Wizard is done, click Finish.
    
12. Click Restart Now.
    

Note
You must restart the computer after you complete this procedure.

Next, you must raise the domain functional level to Windows Server 2003 so that Active Directory Universal groups can be used.

To raise the domain functional level to Windows Server 2003

1. Log on to CPANDL-DC with the CPANDL\Administrator account.
   
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
   
3. Right-click cpandl.com, and then click Raise domain functional level.
   
4. In the list under Select an available domain functional level, click Windows Server 2003, and then click Raise.
   
5. Click OK to confirm the selection.
   

   Note
   You cannot change the domain functional level once you have raised it.

   
   
6. Close the Active Directory Users and Computers console.
   

Configure a Windows Server 2008–based domain controller

To configure the domain controller CPANDL-DC using Windows Server 2008, you must:

• Install Windows Server 2008.
  
• Configure TCP/IP properties.
  
• Install Active Directory Domain Services (AD DS).
  

First, install Windows Server 2008 on a stand-alone server.

To install Windows Server 2008

1. Start your computer by using the Windows Server 2008 product CD.
   
2. When prompted for a computer name, type CPANDL-DC.
   
3. Follow the rest of the instructions that appear on your screen to finish the installation.
   

Next, configure TCP/IP properties so that CPANDL-DB has a IPv4 static IP address of 10.0.0.1 and a IPv6 static IP address of FEC0:0:0:1::.

To configure TCP/IP properties

1. Log on to CPANDL-DC with the CPANDL-DC\Administrator account.
   
2. Click Start, click Control Panel, click Network and Internet, click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.
   
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
   
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.1. In the Subnet mask box, type 255.255.255.0, and then click OK.
   
5. On the Networking tab, clear the Internet Protocol Version 6 (TCP/IPv6) check box, and then click OK.
   
6. Click OK to close the Local Area Connection Properties dialog box.
   

Next, configure the computer as a domain controller using Windows Server 2008.

To configure CPANDL-DC as a domain controller using Windows Server 2008

1. Click Start, and then click Run. In the Open box, type dcpromo, and then click OK.
   
2. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
   
3. Click the Domain controller for a new domain option, and then click Next.
   
4. Click the Create a new domain in anew forest option, and then click Next.
   
5. In the FQDN of the forest root domain box, type cpandl.com, and then click Next.
   
6. In the Forest functional level box, select Windows Server 2003, and then click Next.
   
7. In the Domain functional level box, select Windows Server 2003, and then click Next.
   
8. Ensure that the DNS server check box is selected, and then click Next.
   
9. Click Yes, confirming that you want to create a delegation for this DNS server.
   
10. On the Location for Database, Log Files, and SYSVOL page, click Next.
    
11. In the Password and Confirm password boxes, type a strong password, and then click Next.
    
12. On the Summary page, click Next to start the installation.
    
13. When the installation is complete, click Finish, and then click Restart Now.
    

Note
You must restart the computer after you complete this procedure.

Configure user accounts and groups

In this section you create the user accounts and groups in the CPANDL domain.
First, add the user accounts shown in the following table to Active Directory or AD DS. Use the procedure following the table to create the user accounts.

 

Account Name	User Logon Name	E-mail address	Group
ADRMSSRVC	ADRMSSRVC
ADRMSADMIN	ADRMSADMIN		Enterprise Admins
Nicole Holliday	NHOLLIDA	nhollida@cpandl.com	Employees, Finance
Limor Henig	LHENIG	lhenig@cpandl.com	Employees, Marketing
Stuart Railson	SRAILSON	srailson@cpandl.com	Employees, Engineering

To add new user accounts

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
   
2. In the console tree, expand cpandl.com.
   
3. Right-click Users, point to New, and then click User.
   
4. In the New Object – User dialog box, type ADRMSSRVC in the Full name and User logon name boxes, and then click Next.
   
5. In the New Object – User dialog box, type a password of your choice in the Password and Confirm password boxes. Clear the User must change password at next logon check box, click Next, and then click Finish.
   
6. Perform steps 3-6 for each of the following users: ADRMSADMIN, Nicole Holliday, Limor Henig, and Stuart Railson.
   

Next, add e-mail addresses to all user accounts.

To add e-mail addresses to user accounts

1. In the Active Directory Users and Computers console, right-click Nicole Holliday, click Properties, type nhollida@cpandl.com in the E-mail box, and then click OK.
   
2. Repeat step 1 for Limor Henig and Stuart Railson, using the e-mail addresses for each account from the table.
   
3. Close the Active Directory Users and Computers console.
   

Once the user accounts have been created, Active Directory Universal groups should be created and these users added to them. The following table lists the Universal groups that should be added to Active Directory. Use the procedure following the table to create the Universal groups.

 

Group Name	E-mail address
Finance	finance@cpandl.com
Marketing	marketing@cpandl.com
Engineering	engineering@cpandl.com
Employees	employees@cpandl.com

To add new group objects to Active Directory

1. In the Active Directory Users and Computers console, right-click Users, point to New, and then click Group.
   
2. In the New Object – Group dialog box, type Finance in Group name, select the Universal option for the Group Scope, and then click OK.
   
3. Perform the above steps 1-2 for each of the remaining groups: Marketing, Engineering, and Employees.
   

Next, add e-mail addresses to group objects:

To add e-mail addresses to group objects

1. In the Active Directory Users and Computers console, double-click Users, right-click Finance, and then click Properties.
   
2. Type finance@cpandl.com in the E-mail box, and then click OK.
   
3. Perform the above steps 1-2 for each of the remaining groups: Marketing, Engineering, and Employees.
   

Finally, add the user accounts to their appropriate groups. In this guide, we will add Nicole Holliday, Limor Henig, and Stuart Railson to the Employees group. Then, we will add Nicole Holliday to the Finance group, Limor Henig to the Marketing group, and finally add Stuart Railson to the Engineering group. To add the user accounts to their respective groups, you should follow these steps:

To add user accounts to groups

1. In the Active Directory Users and Computers console, double-click Users, and then double-click Employees.
   
2. Click Members, and then click Add.
   
3. Type nhollida@cpandl.com;lhenig@cpandl.com;srailson@cpandl.com, and then click OK.
   
4. Perform the above steps 2-4 to add one member to each of the remaining groups as follows:
   
   • Nicole Holliday—Finance
     
   • Limor Henig—Marketing
     
   • Stuart Railson—Engineering
     
5. Double-click Enterprise Admins
   
6. Click Members, and then click Add.
   
7. Type adrmsadmin@cpandl.com, and then click OK.
   
8. Close the Active Directory Users and Computers console.
   

Configure the AD RMS database computer (ADRMS-DB)

First, install Windows Server 2003 on the computer that will be hosting the AD RMS databases.

To install Windows Server 2003 Standard Edition

1. Start your computer using the Windows Server 2003 product CD. (You can use any edition of Windows Server 2003 except the Web Edition to establish the domain.)
   
2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type ADRMS-DB.
   

In this step, configure TCP/IP properties so that ADRMS-DB has a static IP address of 10.0.0.3.

To configure TCP/IP properties on ADRMS-DB

1. Log on to ADRMS-DB with the ADRMS-DB\Administrator account or another user account in the local Administrators group.
   
2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click Properties.
   
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
   
4. Click the Use the following IP address option. In the IP address box, type 10.0.0.3. In the Subnet mask box, type 255.255.255.0. In the Preferred DNS server box, type 10.0.0.1.
   
5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
   

Next, join the AD RMS database server (ADRMS-DB) computer to the CPANDL domain:

To join ADRMS-DB to the CPANDL domain

1. Click Start, right-click My Computer, and then click Properties.
   
2. Click Computer Name tab, and then click Change.
   
3. In the Computer Name Changes dialog box, select the Domain option, and then type cpandl.com.
   
4. Click More, and then type cpandl.com in the Primary DNS suffix of this computer box.
   
5. Click OK twice.
   
6. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials for CPANDL\Administrator, and then click OK.
   
7. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain, click OK.
   
8. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and then click OK again.
   
9. Click Yes to restart the computer.
   

Next, install Microsoft SQL Server 2005 Standard Edition:

To install Microsoft SQL Server 2005

1. Log on to ADRMS-DB with the CPANDL\Administrator account or another user account in the local Administrators group.
   
2. Insert the Microsoft SQL Server 2005 product CD. The installation will start automatically.
   
3. Click the I accept the licensing terms and conditions check box, and then click Next.
   
4. On the Installing Prerequisites page, click Install.
   
5. Click Next.
   
6. On the Welcome to theMicrosoft SQL Server Installation Wizard page, click Next, and then click Next again.
   
7. In the Name box, type your name. In the Company box, type the name of your organization, and then type in the appropriate product key. Click Next.
   
8. Select the SQL Server Database Services, and Workstation components, Books Online, and development tools check boxes, and then click Next.
   
9. Select the Default instance option, and then click Next.
   
10. Click the Use the built-in System account option, and then click Next.
    
11. Click the Windows Authentication Mode option, and then click Next.
    
12. Click Next, accepting the default Collation Settings, and then click Next again.
    
13. Click Install. When the status of all the selected components is finished, click Next.
    
14. Click Finish.
    

Next, add ADRMSADMIN to the local Administrators group on ADRMS-DB. The AD RMS installing user account needs this membership in order to create the AD RMS databases. After AD RMS installed, ADRMSADMIN can be removed from this group.

To add ADRMSADMIN to local Administrators group

1. Click Start, point to Administrative Tools, and then click Computer Management.
   
2. Expand System Tools, expand Local Users and Groups, and then click Groups.
   
3. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN in Enter the object names to select (examples) box, and then click OK.
   
4. Click OK, and then close Computer Management.
   

Finally, create a shared folder on ADRMS-DB so that other users can find documents saved to the network.

To create a shared network folder that can be modified by CP&L employees

1. Click Start, click MyComputer, and then double-click Local Disk (C:).
   
2. Click File, point to New, and then click Folder.
   
3. Type Public for the new folder, and then press ENTER.
   
4. Right-click Public, and then click Sharing and Security.
   
5. On the Sharing tab click the Share this folder option, and ensure that Public is in the Share name box.
   
6. Click Permissions.
   
7. In the Group or user name box click Everyone.
   
8. Select the Full Control check box in the Allow column of the Permissions for Everyone box.
   
9. Click OK.
   
10. Click the Security tab, and then click Users (ADRMS-DB\Users) in the Group or user name box.
    
11. In the Permissions for Users box select the Full Control check box in the Allow column.
    
12. Click OK.
    

Configure the AD RMS root cluster computer (ADRMS-SRV)

To configure the member server, ADRMS-SRV, you must install Windows Server 2008, configure TCP/IP properties, and then join ADRMS-SRV to the domain cpandl.com. You must also add the account ADRMSADMIN as a member to the local administrators group. This is needed for ADRMSADMIN to install AD RMS on ADRMS-SRV.
Installing the AD RMS server role will also install Internet Information Services (IIS) 7.0 and Message Queuing.
First, install Windows Server 2008 as a stand-alone server.

To install Windows Server 2008

1. Start your computer by using the Windows Server 2008 product CD.
   
2. When prompted for a computer name, type ADRMS-SRV.
   
3. Follow the rest of the instructions that appear on your screen to finish the installation.
   

Next, configure TCP/IP properties so that ADRMS-SRV has a static IP address of 10.0.0.2. In addition, configure the DNS server by using the IP address of CPANDL-DC (10.0.0.1).

To configure TCP/IP Properties

1. Log on to ADRMS-SRV with the ADRMS-SRV\Administrator account or another user account in the local Administrators group.
   
2. Click Start, click Control Panel, double-click Network and Sharing Center, click Manage Network Connections, right-click Local Area Connection, and then click Properties.
   
3. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
   
4. Click the Use the following IP address option. In IP address, type 10.0.0.2, in Subnet mask, type 255.255.255.0.
   
5. Click the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.1.
   
6. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
   

Next, join ADRMS-SRV to the cpandl.com domain.

To join ADRMS-SRV to the cpandl.com domain

1. Click Start, right-click Computer, and then click Properties.
   
2. Click Change settings (at the right side under Computer name, domain, and workgroup settings), and then click Change.
   
3. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type cpandl.com.
   
4. Click More, and type cpandl.com in Primary DNS suffix of this computer box.
   
5. Click OK, and then click OK again.
   
6. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials for CPANDL\Administrator, and then click OK.
   
7. When a Computer Name/Domain Changes dialog box appears welcoming you to the cpandl.com domain, click OK.
   
8. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.
   
9. Click Restart Now.
   

After the computer has restarted, add ADRMSADMIN to the local administrators group on ADRMS-SRV.

To add ADRMSADMIN to the local administrators group

1. Log on to ADRMS-SRV with the CPANDL\Administrator account.
   
2. Click Start, click Administrative Tools, and then click Computer Management.
   
3. Expand System Tools, expand Local User and Groups, and then click Groups.
   
4. Right-click Administrators, click Add to Group, click Add, type ADRMSADMIN in Enter the object names to select (examples) box, and then click OK.
   
5. Click OK, and then close Computer Management.
   

Configure AD RMS client computer (ADRMS-CLNT)

To configure ADRMS-CLNT, you must install Windows Vista, configure TCP/IP properties, and then join ADRMS-CLNT to the domain cpandl.com. You must also install an AD RMS-enabled application. In this example, Microsoft Office Word 2007 Enterprise Edition is installed on ADRMS-CLNT.

To install Windows Vista

1. Start your computer by using the Windows Vista product CD.
   
2. Follow the instructions that appear on your screen, and when prompted for a computer name, type ADRMS-CLNT.
   

Next, configure TCP/IP properties so that ADRMS-CLNT has a static IP address of 10.0.0.4. In addition, configure the DNS server of CPANDL-DC (10.0.0.1).

To configure TCP/IP properties

1. Log on to ADRMS-CLNT with the ADRMS-CLNT\Administrator account or another user account in the local Administrators group.
   
2. Click Start, click Control Panel, click Network and Internet, and then click Network and Sharing Center.
   
3. Click Manage Network Connections, right-click Local Area Connection, and then click Properties.
   
4. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
   
5. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
   
6. Click the Use the following IP address option. In IP address, type 10.0.0.4, in Subnet mask, type 255.255.255.0.
   
7. Click the Use the following DNS server addresses option. In Preferred DNS server, type 10.0.0.1.
   
8. Click OK, and then click Close to close the Local Area Connection Properties dialog box.
   

Next, join ADRMS-CLNT to the cpandl.com domain.

To join ADRMS-CLNT to the cpandl.com domain

1. Click Start, right-click Computer, and then click Properties.
   
2. Under Computer name, domain, and workgroup settings, click Change settings.
   
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
   
4. On the Computer Name tab, click Change.
   
5. In the Computer Name/Domain Changes dialog box, select the Domain option, and then type cpandl.com.
   
6. Click More, and in the Primary DNS suffix of this computer box, type cpandl.com.
   
7. Click OK, and then click OK again.
   
8. When a Computer Name/Domain Changes dialog box appears prompting you for administrative credentials, provide the credentials, and then click OK.
   
9. When a Computer Name/Domain Changes dialog box appears welcoming you to the cpandl.com domain, click OK.
   
10. When a Computer Name/Domain Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.
    
11. In the System Settings Change dialog box, click Yes to restart the computer.
    

Finally, install Microsoft Office Word 2007 Enterprise.

To install Microsoft Office Word 2007 Enterprise

1. Log on to ADRMS-CLNT with the CPANDL\Administrator account or another user account in the local Administrators group.
   
2. Double-click setup.exe from the Microsoft Office 2007 Enterprise product disc.
   
3. Click Customize as the installation type, set the installation type to Not Available for all applications except Microsoft Office Word 2007 Enterprise, and then click Install Now. This might take several minutes to complete.
    
   

 

Step 2: Installing and Configuring AD RMS on ADRMS-SRV

Applies To: Windows Server 2008

To install and configure AD RMS, you must add the AD RMS server role.
Windows Server 2008 includes the option to install AD RMS as a server role through Server Manager. Both installation and configuration of AD RMS are handled through Server Manager. The first server in an AD RMS environment is the root cluster. An AD RMS root cluster is composed of one or more AD RMS servers configured in a load-balancing environment. This step-by-step guide will install and configure a single-server AD RMS root cluster.
Registering the AD RMS service connection point (SCP) requires that the installing user account be a member of the Active Directory Enterprise Admins group.

Important
Access to the Enterprise Admins group should be granted only while AD RMS is being installed. After installation is complete, the cpandl\ADRMSADMIN account should be removed from this group.

To add ADRMSADMIN to the Enterprise Admins group

1. Log on to CPANDL-DC with the cpandl\Administrator account or another user account in the Domain Admins group.
   
2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
   
3. In the console tree, expand cpandl.com, double-click Users, and then double-click Enterprise Admins.
   
4. Click the Members tab, and then click Add.
   
5. Type adrmsadmin@cpandl.com, and then click OK.
   

Install and configure AD RMS as a root cluster.

To add the AD RMS Server Role

1. Log on to ADRMS-SRV as cpandl\ADRMSADMIN.
   
2. Click Start, point to Administrative Tools, and then click Server Manager.
   
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
   
4. In the Roles Summary box, click Add Roles. The Add Roles Wizard opens.
   
5. Read the Before You Begin section, and then click Next.
   
6. On the Select Server Roles page, select the Active Directory Rights Management Services check box.
   
7. The Role Services page appears informing you of the AD RMS dependent role services and features. Make sure that Web Server (IIS), Windows Process Activation Service (WPAS), and Message Queuing are listed, and then click Add Required Role Services. Click Next.
   
8. Read the AD RMS introduction page, and then click Next.
   
9. On the Select Role Services page, verify that the Active Directory Rights Management Server check box is selected, and then click Next.
   
10. Click the Create a new AD RMS cluster option, and then click Next.
    
11. Click the Use a different database server option.
    
12. Click Select, type ADRMS-DB in the Select Computer dialog box, and then click OK.
    
13. In Database Instance, click Default, and then click Validate.
    
14. Click Next.
    
15. Click Specify, type CPANDL\ADRMSSRVC, type the password for the account, click OK, and then click Next.
    
16. Ensure that the Use AD RMS centrally managed key storage option is selected, and then click Next.
    
17. Type a strong password in the Password box and in the Confirm password box, and then click Next.
    
18. Choose the Web site where AD RMS will be installed, and then click Next. In an installation that uses default settings, the only available Web site should be Default Web Site.
    
19. Click the Use an SSL-encrypted connection (https://) option.
    
20. In the Fully-Qualified Domain Name box, type adrms-srv.cpandl.com, and then click Validate. If validation succeeds, the Next button becomes available. Click Next.
    
21. Click the Create a self-signed certificate for SSL encryption option, and then click Next.
    
22. Type a name that will help you identify the AD RMS cluster in the Friendly name box, and then click Next.
    
23. Ensure that the Register the AD RMS service connection point now option is selected, and then click Next to register the AD RMS service connection point (SCP) in Active Directory during installation.
    
24. Read the Introduction to Web Server (IIS) page, and then click Next.
    
25. Keep the Web server default check box selections, and then click Next.
    
26. Click Install to provision AD RMS on the computer. It can take up to 60 minutes to complete the installation.
    
27. Click Close.
    
28. Log off the server, and then log on again to update the security token of the logged-on user account. The user account that is logged on when the AD RMS server role is installed is automatically made a member of the AD RMS Enterprise Administrators local group. A user must be a member of that group to administer AD RMS.
    

Note
At this point in the guide, you can remove cpandl\ADRMSADMIN from the local Administrators group on ADRMS-DB.

Your AD RMS root cluster is now installed and configured.
Further management of AD RMS is done by using the Active Directory Rights Management Services console.

To open the Active Directory Rights Management Services console

1. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
   
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
   

From the console, you can configure trust policies, configure exclusion policies, and create rights policy templates.

Step 3: Verifying AD RMS Functionality on ADRMS-CLNT

Applies To: Windows Server 2008

The AD RMS client is included in the default installation of Windows Vista and Windows Server 2008. Previous versions of the client are available for download for some earlier versions of the Windows operating system. For more information, see the Windows Server 2003 Rights Management Services page on the Microsoft Windows Server TechCenter (http://go.microsoft.com/fwlink/?LinkId=68637).
Before you can consume rights-protected content, you must add the AD RMS cluster URL to the Local Intranet security zone.
Add the AD RMS cluster URL to the Local Intranet security zone for all users who will be consuming rights-protected content.

To add AD RMS cluster to Local Intranet security zone

1. Log on to ADRMS-CLNT as Nicole Holliday (cpandl\NHOLLIDA).
   
2. Click Start, click All Programs, and then click Internet Explorer.
   
3. Click Tools, and then click Internet Options.
   
4. Click the Security tab, click Local intranet, and then click Sites.
   
5. Click Advanced.
   
6. In the Add this website to the zone, type https://adrms-srv.cpandl.com, and then click Add.
   
7. Click Close.
   
8. Repeat steps 1–7 for Stuart Railson and Limor Henig.
   

To verify the functionality of the AD RMS deployment, you will log on as Nicole Holliday and then restrict permissions on a Microsoft Word 2007 document so that members of the CP&L Engineering group are able to read the document but unable to change, print, or copy. You will then log on as Stuart Railson, verifying that the proper permission to read the document has been granted, and nothing else. Then, you will log on as Limor Henig. Since Limor is not a member of the Engineering group, he should not be able to consume the rights-protected file.

Note

In this step-by-step guide, when a user restricts permissions on a document or attempts to open a restricted document, a warning appears that informs you that the certificate issuer for the AD RMS Web site is unknown or untrusted. This warning results from using a self-signed certificate instead of a certificate issued by a recognized certification authority. When you receive this warning, click Yes to continue.

To restrict permissions on a Microsoft Word document

1. Log on to ADRMS-CLNT as Nicole Holliday (cpandl\NHOLLIDA).
   
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
   
3. Type CP&L engineering employees can read this document, but they cannot change, print, or copy it on the blank document page.
   
4. Click the Microsoft Office Button, click Prepare, click Restrict Permission, and then click Restricted Access.
   
5. Click the Restrict permission to this document check box.
   
6. In the Read box, type engineering@cpandl.com, and then click OK to close the Permission dialog box.
   
7. Click the Microsoft Office Button, click Save As, and then save the file as \\ADRMS-DB\Public\ADRMS-TST.docx.
   
8. Log off as Nicole Holliday.
   

Next, log on as Stuart Railson and open the document, ADRMS-TST.docx.

To view a rights-protected document

1. Log on to ADRMS-CLNT as Stuart Railson (cpandl\SRAILSON).
   
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
   
3. Click the Microsoft Office Button, and then click Open.
   
4. In the File name box, type \\ADRMS-DB\Public\ADRMS-TST.docx, and then click Open.
   The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com:443/_wmcs/licensing to verify your credentials and download your permission."
   
5. Click OK.
   The following message appears: "Verifying your credentials for opening content with restricted permissions…".
   
6. When the document opens, click the Microsoft Office Button. Notice that the Print option is not available.
   
7. Close Microsoft Word.
   
8. Log off as Stuart Railson.
   

Finally, log on as Limor Henig and verify that he is not able to consume the rights-protected file.

To attempt to view a rights-protected document

1. Log on to ADRMS-CLNT as Limor Henig (cpandl\LHENIG).
   
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
   
3. Click the Microsoft Office Button, click Open, and then double-click \\ADRMS-DB\Public\ADRMS-TST.docx.
   The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com:443/_wmcs/licensing to verify your credentials and download your permission."
   
4. Click OK.
   
5. The following message appears: "You do not have credentials that allow you to open this document. You can request updated permission from nhollida@cpandl.com. Do you want to request updated permission?"
   
6. Click No, and then close Microsoft Word.
   

You have successfully deployed and demonstrated the functionality of AD RMS, using the simple scenario of applying restricted permissions to a Microsoft Word 2007 document. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.

Source: http://technet.microsoft.com/en-us/library/cc753531%28v=WS.10%29.aspx