Command option update



AD RMS to AD RMS to Azure Information Protection Part 1


The Scenario:

So, you have read my previous blog posts about AD RMS side-by-side migration and Enterprise Migration from AD RMS to AIP using SCCM but unfortunately both of those articles assume best case scenario for the original AD RMS cluster.  Sadly, that is not always the way things work.  In the real world, the AD RMS instance may have been initially installed on Windows Server 2003 using RMS 1.0 and was subsequently upgraded to 2008 R2 keeping all of the settings pretty much the same.  This usually means using http only and having no CNAMEs for AD RMS or SQL.  This makes my happy articles on upgrading to newer versions of AD RMS or to AIP a lot less straightforward.  Let's fix that.

The Setup:

Luckily, most of the concepts for migration are the same as what I documented in the previous two articles, so I am going to happily plagerize reuse the content in those articles to make something new.  This article should be a bit more useful for poor AD RMS admins that find themselves inheriting systems that have been around for far longer than the best practices guidelines have been.  For this process, we will assume the near worst case (I know things can be more complicated with HSMs and 3rd party stuff) of an AD RMS 2008 (R2) cluster using http only for the pipelines and SCP.  To get from this situation to AIP, you will have to do a 2-step upgrade.  First, you will need to migrate to a new AD RMS cluster that has https pipelines.  Along with this you will need to import the TPD from the old cluster into the new and set up licensing redirection for all clients.  This is where the SCCM scripts from my AD RMS to AIP article come in handy.  We will modify those to point to the new cluster and let SCCM compliance settings work it's magic to get us past the first stage.  Once you are on a shiny new AD RMS 2012 R2 or 2016 cluster, you can follow the other article to do the second stage.  So without further ado:

For this demo, we will assume an original AD RMS cluster with the following settings:

Windows Server 2008 R2 with AD RMS role installed (we will also assume the use of a Windows Internal Database but that is irrelevant to this migration)
Host A record of RMS01.contoso.com
SCP registered in Active Directory of https://rms01.contoso.com/\_wmcs/certification

The Solution:

The Old Cluster:

The very first thing you will want to do is export your TPD from the original cluster.  It is wise to take a backup of the database as well since we will be shutting down the cluster eventually, but the TPD is the main thing that you need.

If you know how to export a TPD, do that.  Otherwise, follow along with the content below and I will show you how!

Log into the existing AD RMS server ad a member of the AD RMS Enterprise Admins local group (not related to the AD Enterprise Admins group) and click on the Start Menu > Administrative Tools > Active Directory Rights Management Services.   Start Menu

In the AD RMS console, expand <server>, Trust Policies, Trusted Publishing Domains and in the Actions pane, click Export Trusted Publishing Domain... TPD

Save the TPD in a location that the RMS Service Account has access to Write (eg. C:\Windows\Temp) and give it a strong password TPD Export

And that is the last thing you will do with your old RMS cluster until you are ready to shut it off. ;-)

The New Cluster:

So, the new AD RMS cluster is technically temporary because you are just using it to transition to the cloud.  However, I highly recommend setting the cluster up as if it will be in production for a year or two just in case.  I have seen AD RMS to AIP migrations take multiple years in some cases due to processes, moratorium periods, and unforeseen setbacks, so setting it up based on production best practices is just a good idea.  Hopefully everything will go smoothly, but just in case.....here is the link to the best practices for setting up an AD RMS cluster.

https://aka.ms/ADRMSBestPractices

So, since the new cluster will be set up via best practices, we need to create 2 CNAME or A records in DNS pointing to the new host (I am only using 1 node for the cluster, but in production these records would point to a load balancer which forwards the traffic to the nodes).

If you already know how to create these records, do that, or follow along below for a nauseatingly detailed walkthrough. :-)

Log into a DNS server and in Server Manager click Tools > DNS

In the DNS console, expand <server>, Forward Lookup Zones, yourdomain.tld and right-click in the zone to create a New Host (A or AAAA)... or New Alias (CNAME)...

For my demo environment, I am creating New Host (A) records for adrms and adrmssql pointing to the ADRMS01 system that will be my AD RMS server and has SQL Server 2014 installed.

Now that we have that out of the way, we can log into the new AD RMS server and knock out the installation.

Bypassing the SCP

Log into the new AD RMS server and open Regedit.  We need to set the GICURL registry key so installation will allow us to install a new root cluster despite the SCP present in AD.

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRMS (It likely will not exist, so create a new key under Microsoft named DRMS)

In the DRMS key, create a new String Value named (you guessed it) GICURL

Do not enter a value

Close Regedit

Installing AD RMS

Again, if you know how to install AD RMS, you may do so now on the new server.  Just remember not to register the SCP at the end since there already is one and it will cause your install to fail. If you really like screenshots (I do!), follow along below to see dozens of them that will walk you through a full AD RMS 2016 install.

On the new AD RMS server, launch Server Manager and click Manage > Add Roles and Features

Click next 3 times to get to the Server Roles page and click on Active Directory Rights Management Services.  When the Additional Features dialog pops up, click Add Features

Click Next until you get to the Confirmation page, then click Install

After the installation completes, click the blue link to Perform additional configuration

Click Next on the intro page and verify that Create a new AD RMS root cluster is selected on the AD RMS Cluster page. (If this is greyed out, make sure the GICURL registry key is set correctly)

On the Configuration Database page, type the name of the A record or CNAME you created for the SQL database and click List

In the drop-down, select the database instance or DefaultInstance and click Next

On the Service Account page, enter the service account credentials and click Next

Choose a Cryptographic Mode (leave default unless you have legacy operating systems) and click Next

Click Next on the Cluster Key Storage page and click Next

Enter a secure password on the Cluster Key Password page and click Next

Choose the AD RMS website and click Next

On the Cluster Address page, enter the FQDN of the A record or CNAME for the cluster and ensure that SSL is selected, then click Next

If you have a certificate for the cluster FQDN installed on the server choose it on the Server Certificate page or select Choose a certificate for SSL encryption later and click Next

Choose a meaningful name for the SLC on the Licensor Certificate page and click Next

On the SCP Registration page, choose to Register the SCP later and click Next

Verify all of the settings on the Confirmation page and click Install

After installation completes, you must log off and back on to add your account to the AD RMS Enterprise Admins local group membership.  You will not be able to launch the console until you do this and you will see 401 Unauthorized errors.

If you did not configure a certificate during the install, obtain a certificate from your Certificate Authority for the FQDN of the AD RMS cluster name and install it on the server.  Next launch Server Manager and click on Tools > Internet Information Services (IIS) Manager

Expand <server>, Sites, and click on the AD RMS website

In the Actions pane on the right, under Edit Site, click Bindings

Click on https and click Edit...

In the Edit Site Binding dialog, choose the installed AD RMS certificate and click OK and Close to bind the certificate

To finalize the certificate binding, Launch an Administrative Command Prompt and type IISReset and hit Enter

After you have completed this, click on the Start Menu > Windows Administrative Tools > Active Directory Rights Management Services to launch the AD RMS Console.

Once logged into the console, right-click on the server name and click Properties.

Click on the Cluster URLs tab and copy the cluster FQDN from the licensing URL.

Check the box next to Extranet URLs and paste the copied value into both boxes.

Change the protocol from http to https for both pipelines. The completed tab should look similar to the screenshot below.

Close the properties dialog and expand <servername>, Trust Policies, and click on Trusted Publishing Domains.

In the Trusted Publishing Domains section, under the Actions pane, click on Import Trusted Publishing Domain.

In the Import Trusted Publishing Domain dialog, browse to the exported TPD and enter the password and a name for the old server TPD and click Finish.

The Install is now complete and you have a fully functional AD RMS cluster that can open content protected with the old cluster.  You still need to put in redirection  keys for the clients, but that is where SCCM Compliance Settings comes in.  This is also where my copy and paste kicks into high gear!  In the upcoming blog post I will modify my scripts to allow SCCM Compliance Settings to redirect clients to the new AD RMS server rather than Azure Information Protection.  Stay tuned and I will remove this text once it is up.


AD RMS to Azure Information Protection: Enterprise Client Migration using SCCM Compliance Settings


The Scenario:

Your management has just renewed their Microsoft Enterprise Agreement and bought a shiny new Office 365 E3 (or E5/EM+S/etc) and have been told wonderful things about how Azure Information Protection can enable them to securely collaborate with partners in the cloud.  They want this implemented yesterday (of course) so they can start sending protected messages to all their fellow CxOs that have recently made the move to Azure as well.  OK, no problem.  So you follow the documented migration steps and find that migrating the server portion is going to be a piece of cake.  Then you notice what is needed for the client migration. The documentation for the client migration requires a few scripts on each client, and one of the scripts must be run with administrative rights to allow modification of HKLM registry entries. This presents a problem.  In keeping with Microsoft's posture on Securing Privileged Access, you have removed users from the local administrators group on their assets. Additionally, you do not want to expose privileged credentials to every endpoint.  So how can you manage the client side of this migration?

The Solution:

I recently ran into this scenario at a customer site when assisting with a migration from AD RMS to Azure Information Protection.  Trying to figure out the best way to do this without compromising security and with the least possible impact on end users proved to be very challenging indeed. Luckily, I stumbled across something that works.

System Center Configuration Manager to the rescue!  I found the answer in SCCM Compliance Settings.  When researching this issue, I came across an article by one of my teammates, Russ Rimmerman, about using SCCM Compliance Settings to work with PKI certificates.  I wanted to make sure that it would be possible to do both the elevated portions and user level portions of the script provided in the migration article so I ended up reaching out to another senior SCCM resource on my team, Ray Rosen.  With his help, I designed the SCCM compliance settings using four PowerShell scripts to handle the detection and remediation for both the system and user portions of the migration.  I am going to walk through this process below for your benefit.

Prerequisites:

System Center Configuration Manager 2012 or above
All clients must have properly communicating SCCM client agents
For Office 2010, the RMS Sharing Application and Azure Information Protection Client should be installed (the Beta Azure IP Client can be used inplace of both)
For Office 2013+, the Azure IP Client should be installed

Client Migration using SCCM Compliance Settings:

As I mentioned earlier, this will be done using PowerShell scripts executed using SCCM Compliance settings.  For SCCM, you have two options for running PowerShell scripts on clients.  The first option is to sign the script with a trusted certificate.  While this is the best option, it is not always possible.  Thus, the second option is to set the PowerShell execution policy to "Bypass".  In this example, I won't be signing the PowerShell scripts, so I will go into Administration->Client Settings and select the Client Settings that are being applied to the collection I want to migrate.  This may be the default client settings or custom client settings depending on where you want to deploy the scripts.  Go into the "Computer Agent" section of the client settings, and set the PowerShell execution policy to "Bypass".  This allows unsigned PowerShell scripts to execute when run by the Computer Agent.

image

***UPDATE***

I have added scripts to the package below that include the premigration settings added to the batch scripts at docs.microsoft.com. These premigration scripts can be used to roll out Azure IP in a phased manner.  These scripts are used in the same fashion as described below but in a separate Compliance Settings package targeting users that are not yet migrated to AIP.

***

For the next section, you will need the PowerShell scripts I created for discovery and remediation.  I have posted these at https://aka.ms/AzureIPSCCMScripts.  Download the zip file and extract the for PowerShell scripts.

***IMPORTANT***
Open each of the PowerShell scripts and modify them to add your AD RMS Server Name/FQDN and Azure IP GUID.  Read through each of the scripts so you understand what each of them does.  I have tried to document them as much as possible so they will be easy to follow. Once you have added the appropriate data in each file, save them and we will use them below.

Now, go to Assets and Compliance->Compliance Settings->Configuration Items and click "Create Configuration Item".  The Create CI Wizard will appear.  Give it a meaningful name, select any categories if desired, and click "Next".

On the Supported Platforms page, select any supported client operating systems you require and click "Next".

On the Settings Page, click New...

This will launch the Create Settings dialog box.  Name the setting something meaningful like "Azure IP User Settings". Add a description if you like and set the Setting type to Script.  Set the Data type to String.  Under Discovery Script, click the Add Script... button.  In the Edit Discovery Script dialog, click Open... and select the UserDiscovery.ps1 script you modified earlier.  The script will populate in the Script pane and you should be able to scroll down and verify that your AD RMS Server and Azure IP GUID are populated.  Ensure that the Script language says Windows PowerShell and click OK to close the dialog.  Repeat this process for the Remediation script only this time browsing to UserRemeditation.ps1.  After both scripts have been loaded, check the box to "Run scripts by using the logged on user credentials".  Your General tab should look similar to the image below.

Next, click on the Compliance Rules tab and click on the New... button.  In the Create Rule dialog, name the rule something descriptive like "Azure IP User Compliance Rule".  In "the following values:" textbox, enter "Compliant" (without quotes).  Check the box next to "Run the specified remediation script when this setting is noncompliant" and optionally "Report noncompliance if this setting instance is not found".  You can also set the severity for reporting if you chose to enable that.  Your rule should look similar to the image below.  Click OK to create the rule.

Click OK to finish the User Settings.  Click the New... button again and go through a similar process to create the Azure IP Machine Settings.  The only difference other than the scripts you will choose is that you will not check the checkbox next to "Run scripts by using the logged on user credentials".  Your settings and compliance rule should look similar to the images below. Click OK to create the rule.

Finally, click OK to complete the Machine Settings.  Click Next and you should see the Compliance Rules you have created. Click next to see the Summary, then Next and Close to complete creation of the Configuration Item.

Now, go to Assets and Compliance->Compliance Settings->Configuration Baselines and click "Create Configuration Baseline".  Give the baseline a descriptive name like "Azure IP Migration Baseline", and under Configuration data click Add->Configuration Items.  Select the configuration item you just created and click Add then OK.  Your dialog should look like the one below.

Click OK to complete the creation of your baseline.  The last thing to do now is to deploy the baseline to your clients.  I recommend doing this with a test or pilot group and then rolling out to a larger audience after you have confidence that it is working in your environment.  You can do this by clicking the Deploy button.  This launches the Deploy Configuration Baselines dialog box.  If you had your baseline selected, then it will already show up under Selected configuration baselines in the dialog.  Check the box next to "Remediate noncompliant rules when supported" then click the Browse... button to select your collection.  The selection dialog defaults to User Collections, but I created a Device Collection for my pilot group and you can select that from the drop-down.  Choose your collection then set a schedule for compliance evaluation.  During testing it is good to keep this low, but make sure to raise it back up to a reasonable value when deploying to your full environment.  Below are some images from my deployment.

Click OK and your SCCM Compliance Settings should migrate your collection to Azure Information Protection.

Additional Information:

If you are running Office 2010, the RMS Sharing Application or Beta Azure Information Protection Client will be necessary for the clients to connect to Azure Information Protection.  I mentioned it earlier, but I wanted to make sure that it is fresh in your mind as it is a requirement for your migration.  Office 2013+ will work without the Azure IP client, but I highly advise installing the Azure Information Protection Client on all systems as classification is a great user experience and should be the end goal for any migration to Azure Information Protection.  Please let me know if you find any errors in my documentation or scripts but I have tested them so hopefully you will not run into any issues.

Kevin McKinnerney
PREMIER FIELD ENGINEER – PLATFORMS/SECURITY


AD RMS: Upgrade Migration with a Named SQL Instance


The Scenario:

You read my previous article but it does not cover how to do an upgrade migration if you are moving to a new named instance in SQL.  Although it is very similar to the Version 2, there are some important call-outs if you want to have a pain free upgrade experience.  I have tested these in my lab using AD RMS on Windows Server 2012 R2 and a new named instance of SQL Server 2012 SP3 called ADRMS running on a static port of 1414.

Upgrading AD RMS (Version 3):

  1. If a CNAME does not yet exist for SQL, create a new CNAME in DNS to use for the AD RMS SQL server
  2. Restore the AD RMS databases to the new SQL server named instance
  3. Open SQL Server Managment Studio on the new SQL server and connect to the new named instance
    1. Expand Security
    2. Right-click on Logins and select New Login...
    3.  Click Search...
    4. Change the Locations... to Entire Directory
    5. Enter the name of your AD RMS Service Account and click Check Names then OK
    6. Click OK to complete adding the service account
    7. Expand Databases
    8. Expand the Configruation Database (Should be similar to DRMS_Config_adrms_contoso_com_443)
    9. Expand Tables
    10. Right-click on dbo.DRMS_ClusterPolicies and select Edit Top 200 Rows
    11. Modify the PolicyData corresponding to the following entries in the PolicyName column removing the existing SQL Server and adding the CNAME created for the new SQL server plus "\<InstanceName>" (In my case it would be SQL.CONTOSO.COM\ADRMS)
      • LoggingDatabaseServer
      • CertificationUserKeyStorageConnectionString
      • DirectoryServicesCacheDatabase
    12. Close Sql Server Management Studio
  4. Open SQL Server Configuration Manager (this is only if you are setting a static port for the named instance)
    1. Expand SQL Server Network Configuration
    2. Click on Protocols for <InstanceName>
    3. Ensure TCP has a status of Enabled
    4. Right-click on TCP and select Properties
    5. Select the IP Addresses tab
    6. Scroll down to the IPAll section, enter your port number, then click Apply and OK.
    7. Click on SQL Server Services
    8. Verify that the SQL Server Browser Service is running and is set to a Start Mode of Automatic
    9. Right-click on SQL Server (<InstanceName>), and select Restart
  5. Open a command prompt on the SQL server and run Netstat -ano > %Temp%\netstat.txt
  6. Type Start %Temp%\netstat.txt and verify that you see an entry like "TCP    0.0.0.0:1414           0.0.0.0:0              LISTENING       <PID>"
  7.  Verify that the Windows Firewall and any firewalls between the SQL Server and the new AD RMS server allow your new port over TCP and the SQL Server Browser Service (1434) over UDP
  8. On the new AD RMS server, import the SSL Certificate to the Local Computer>Personal store
  9. Open an administrative Notepad.exe and browse to C:\Windows\System32\drivers\etc and open the hosts file
    1. Create an entry in the hosts file redirecting the CNAME for AD RMS to the local server (Actual IP, not loopback)
    2. Create an entry in the hosts file redirecting the CNAME for the SQL server to the new SQL server (Actual IP, not loopback)
      e.g.
      adrms.contoso.com       10.0.0.25
      sqladrms.contoso.com  10.0.0.26
  10. Install the AD RMS Role on the new 2012 R2 server
  11. After installation completes, select the link to Perform additional configuration
    1. The server will detect the SCP in Active Directory and default to Join an existing AD RMS cluster.  There is a warning that it cannot contact the root cluster.  This is because the SCP is being redirected to this server via the hosts file.  Leave this as is and click next. 
    2. On the Select Configuration Database page, enter the CNAME you specified in the hosts file for the new SQL server (FQDN)
    3. Click List on the second line and select the DefaultInstance from the drop-down
    4. Drop down the Configuration Database Name selection box and select your configuration database
    5. Enter the private key password corresponding to the old database
    6. Enter credentials for the original AD RMS service account
    7. Select Default Website
    8. On the Choose a Server Authentication Certificate page, select the imported SSL certificate and click Next
    9. Click Install to begin the installation
    10. After configuration completes, you will need to log off and back on to administer AD RMS
  12. If you are using primarily Kerberos based authentication, you may need to follow the instructions at https://technet.microsoft.com/en-us/library/dd759186(v=ws.11).aspx to modify your application pool and set Service Principal Names.
  13. Modify the hosts file on several clients to point to the new AD RMS server
  14. Test consuming existing content and protecting new content against the new server
  15. After you are satisfied that the 2012 R2 AD RMS server is doing what you want it to do, you can add any additional nodes to the 2012 R2 AD RMS cluster you now have
  16. Open SQL Server Managment Studio on the new SQL server and navigate to the configuration Database
    1. Expand Tables
    2. Right-click on dbo.DRMS_ClusterServers and select Edit Top 200 Rows
    3. Remove any old servers from the table by deleting each row
  17. Finally, switch over the CNAMEs in DNS and all your clients will start talking to the new servers
  18. When you are comfortable with the new environment, you can gracefully shut down and reallocate the old resources.

Wrapping Up:

As you can see, there is a reason I didn't dive into all of that in the first article.  There are a lot of little things that you have to touch when moving to a new SQL Server Named Instance and static port.  Please let me know if you notice anything I have missed.  Like I said above, I tested this in my lab environment several times so it should work without any issues, but I know production environments can sometimes be more challenging.

Kevin McKinnerney
PREMIER FIELD ENGINEER – PLATFORMS/SECURITY


AD RMS: Side-by-Side Migration from AD RMS on 2008 R2 to 2012 R2


The Scenario:

You are an AD RMS administrator running your AD RMS infrastructure on Windows Server 2008 R2.  You have finally been given the go ahead to upgrade to Windows Server 2012 R2 or 2016 for all your AD RMS farms, but you want to be able to do it with little to no user impact and have full fallback capabilities.  Additionally, the SQL administrators have informed you that they will be decommissioning the SQL server housing your AD RMS databases so you have to figure out how to migrate the databases to a new location.

You think about the best way to go about this and find yourself browsing the TechNet documentation at https://technet.microsoft.com/library/cc754277.aspx.  This is the RMS to AD RMS Migration and Upgrade Guide, but also covers what is necessary for an upgrade from AD RMS 2008 R2 to 2012 R2.  The only problem is that this would require you to add a 2012 R2 server to the cluster which would upgrade the database and immediately render the other AD RMS servers in the cluster useless.  For many companies this is not an issue, but if you have a heavy user load or simply want to be able to test first or fallback to the old infrastructure there is a better way.

The (unofficial) Solution:

I have worked with many companies to do side-by-side migrations and they have gone off without a hitch.  That being said, it is easiest when you have an environment with the following items in place.

  • AD RMS using HTTPS for all endpoints
  • CNAME record in DNS for the AD RMS cluster URL
  • CNAME record in DNS for the SQL server (Many companies do not have this though, so I will cover how to work around that)
  • Know your current private key password (or reset it before backing up the databases)
  • Not using an HSM or third-party extensions to AD RMS

You will need a few prerequisite items as well.

  • Previously mentioned AD RMS cluster private key password
  • Full backup of all AD RMS databases
  • New SQL server or instance to restore databases to (I am assuming the default instance in this guide.  See my next article for details on named instances/static ports)
  • Export of SSL Certificate with Private Key for the cluster URL
  • New Windows Server 2012 R2 server to install your first AD RMS cluster node

If you are still with me, then you are in for a treat.  With those items in place, you have a very easy road for migration to AD RMS on Windows Server 2012 R2.  This migration scenario is very similar to the standard upgrade, but you are duplicating the databases and then joining the new 2012 R2 (or 2016 if you are really fancy) AD RMS server to the cluster pointing at the new SQL server.  The new node will believe that it is joining the existing cluster and will be able to license existing and new content. Follow the steps below in your environment to perform the side-by-side migration.  Version 1 assumes CNAMEs for both AD RMS and SQL. Version 2 details how to set up a CNAME for the new SQL server and the necessary database modifications.

Upgrading AD RMS (Version 1):

  1. Restore the AD RMS databases to the new SQL server
  2. On the new AD RMS server, import the SSL Certificate to the Local Computer>Personal store
  3. Open an administrative Notepad.exe and browse to C:\Windows\System32\drivers\etc and open the hosts file
    1. Create an entry in the hosts file redirecting the CNAME for AD RMS to the local server (Actual IP, not loopback)
    2. Create an entry in the hosts file redirecting the CNAME for the SQL server to the new SQL server (Actual IP, not loopback)
      e.g.
      adrms.contoso.com       10.0.0.25
      sqladrms.contoso.com  10.0.0.26
  4. Install the AD RMS Role on the new 2012 R2 server
  5. After installation completes, select the link to Perform additional configuration
    1. The server will detect the SCP in Active Directory and default to Join an existing AD RMS cluster.  There is a warning that it cannot contact the root cluster.  This is because the SCP is being redirected to this server via the hosts file.  Leave this as is and click next. 
    2. On the Select Configuration Database page, enter the CNAME you specified in the hosts file for the new SQL server (FQDN)
    3. Click List on the second line and select the DefaultInstance from the drop-down
    4. Drop down the Configuration Database Name selection box and select your configuration database
    5. Enter the private key password corresponding to the old database
    6. Enter credentials for the original AD RMS service account
    7. Select Default Website
    8. On the Choose a Server Authentication Certificate page, select the imported SSL certificate and click Next
    9. Click Install to begin the installation
    10. After configuration completes, you will need to log off and back on to administer AD RMS
  6. If you are using primarily Kerberos based authentication, you may need to follow the instructions at https://technet.microsoft.com/en-us/library/dd759186(v=ws.11).aspx to modify your application pool and set Service Principal Names.
  7. Modify the hosts file on several clients to point to the new AD RMS server
  8. Test consuming existing content and protecting new content against the new server
  9. After you are satisfied that the 2012 R2 AD RMS server is doing what you want it to do, you can add any additional nodes to the 2012 R2 AD RMS cluster you now have
  10. Open SQL Server Managment Studio on the new SQL server and navigate to the configuration Database (Should be similar to DRMS_Config_adrms_contoso_com_443)
    1. Expand Tables
    2. Right-click on dbo.DRMS_ClusterServers
    3. Remove any old servers from the table by deleting each row
  11. Finally, switch over the CNAMEs in DNS and all your clients will start talking to the new servers
  12. When you are comfortable with the new environment, you can gracefully shut down and reallocate the old resources.

Upgrading AD RMS (Version 2):

  1. Create a new CNAME in DNS to use for the AD RMS SQL server
  2. Restore the AD RMS databases to the new SQL server
  3. Open SQL Server Managment Studio on the new SQL server and navigate to the configuration Database (Should be similar to DRMS_Config_adrms_contoso_com_443)
    1. Expand Tables
    2. Right-click on dbo.DRMS_ClusterPolicies and select Edit Top 200 Rows
    3. Modify the PolicyData corresponding to the following entries in the PolicyName column to match the CNAME created for the new SQL server
      • LoggingDatabaseServer
      • CertificationUserKeyStorageConnectionString
      • DirectoryServicesCacheDatabase
    4. Close Sql Server Management Studio
  4. On the new AD RMS server, import the SSL Certificate to the Local Computer>Personal store
  5. Open an administrative Notepad.exe and browse to C:\Windows\System32\drivers\etc and open the hosts file
    1. Create an entry in the hosts file redirecting the CNAME for AD RMS to the local server (Actual IP, not loopback)
    2. Create an entry in the hosts file redirecting the CNAME for the SQL server to the new SQL server (Actual IP, not loopback)
      e.g.
      adrms.contoso.com       10.0.0.25
      sqladrms.contoso.com  10.0.0.26
  6. Install the AD RMS Role on the new 2012 R2 server
  7. After installation completes, select the link to Perform additional configuration
    1. The server will detect the SCP in Active Directory and default to Join an existing AD RMS cluster.  There is a warning that it cannot contact the root cluster.  This is because the SCP is being redirected to this server via the hosts file.  Leave this as is and click next. 
    2. On the Select Configuration Database page, enter the CNAME you specified in the hosts file for the new SQL server (FQDN)
    3. Click List on the second line and select the DefaultInstance from the drop-down
    4. Drop down the Configuration Database Name selection box and select your configuration database
    5. Enter the private key password corresponding to the old database
    6. Enter credentials for the original AD RMS service account
    7. Select Default Website
    8. On the Choose a Server Authentication Certificate page, select the imported SSL certificate and click Next
    9. Click Install to begin the installation
    10. After configuration completes, you will need to log off and back on to administer AD RMS
  8. If you are using primarily Kerberos based authentication, you may need to follow the instructions at https://technet.microsoft.com/en-us/library/dd759186(v=ws.11).aspx to modify your application pool and set Service Principal Names.
  9. Modify the hosts file on several clients to point to the new AD RMS server
  10. Test consuming existing content and protecting new content against the new server
  11. After you are satisfied that the 2012 R2 AD RMS server is doing what you want it to do, you can add any additional nodes to the 2012 R2 AD RMS cluster you now have
  12. Open SQL Server Managment Studio on the new SQL server and navigate to the configuration Database (Should be similar to DRMS_Config_adrms_contoso_com_443)
    1. Expand Tables
    2. Right-click on dbo.DRMS_ClusterServers and select Edit Top 200 Rows
    3. Remove any old servers from the table by deleting each row
  13. Finally, switch over the CNAMEs in DNS and all your clients will start talking to the new servers
  14. When you are comfortable with the new environment, you can gracefully shut down and reallocate the old resources.

Wrapping Up:

OK, so maybe that wasn't super easy, but it is effective and allows for a seamless migration from an older version of AD RMS to a newer version.  I know people do this all the time because I have assisted with dozens of migrations exactly like this.  I am fairly certain that I did not leave anything out, but if you find something I missed please leave me a comment and I will correct it as quickly as possible.

Update:

I have written a followup article detailing how to do this if you are moving to a Named Instance for SQL and using a static port.

https://blogs.technet.microsoft.com/kemckinn/2017/01/13/ad-rms-upgrade-migration-with-a-named-sql-instance/

Kevin McKinnerney
PREMIER FIELD ENGINEER – PLATFORMS/SECURITY


AIP Scanner++ (Discovering all the sensitive data)


The Situation:

So, you know that you have terabytes of unstructured data on your file shares and document libraries but you are uncertain how much of it is actually sensitive and needs to be protected.  In the past, discovering sensitive data was time consuming and potentially costly using 3rd party solutions or a massive amount of manpower to accomplish (but realistically, it probably has never been done).  Luckily, Microsoft introduced the AIP Scanner to help with bulk encryption of data, but we actually went one step further and have provided a way for you to discover all of the different types of data that you have scattered throughout your network.

The Solution:

The AIP Scanner now has a feature that will allow for the discovery of sensitive data by scanning against all of the information types defined in O365 and any custom types you create.  And the discovery portion can be done with only AIP P1/EMS E3 licenses.  The new parameter is associated with the Set-AIPScannerConfiguration and is called -DiscoverInformationTypes.  When this property is set to All, the scanner uses any custom conditions that you have specified for labels in the Azure Information Protection policy, and the list of information types that are available to specify for labels in the Azure Information Protection policy. When you use this option, labels do not need to be configured for any conditions.  Keep in mind that this setting only does discovery.  If you would like to classify and protect the identified items, you will need to configure automatic conditions on your labels to classify/protect the documents based on information type (AIP P2/EMS E5) or use PowerShell to classify and protect the entire repository (AIP P1/EMS E3).

The command below will allow you to scan your repositories against all information types

PS C:\> Set-AIPScannerConfiguration -Enforce Off -Schedule OneTime -Type Full -DiscoverInformationTypes All

After running the scan, you can review the logs by opening the Azure Information Protection event log or you can view the detailed logs at C:\users\<Scanner Service Account Profile>\appdata\local\Microsoft\MSIP\Scanner\Reports.  There you will find the summary txt and detailed csv files.

If you need assistance installing the AIP Scanner, please see my previous blog at  https://blogs.technet.microsoft.com/kemckinn/2018/03/23/easy-configuration-of-the-azure-information-protection-scanner/

Let me know if you have any questions. Thanks!

Kevin


AIP Scanner Express (Fully Functional in 10 minutes!)


The Scenario:

You have been trying to install the AIP Scanner and have found that despite all the fancy screenshots and witty remarks I have throughout all of my posts, it takes a long time to configure the Azure AD App Registrations and often fails the first time around.  Well, those days are past us now.  I spent way too many hours developing a scripted method that allows for the automation of the creation of the Azure AD App Registrations and even a cloud account if you are not fond of syncing your service accounts to Azure.  I figured, if it was even painful for me to deploy the scanner...I needed to find a way to make it easier.  So the new solution will allow you to fully deploy the scanner in less than 10 minutes (I have done it in 4 actually), but that is assuming that you already have the AIP Client and Azure AD PowerShell Cmdlets installed, and a SQL Server ready, so there may be a little more time involved (but not too much).  The greatest part is that by using the PS Cmdlets for the Azure AD App Registrations, it removes the possibility of making a mistake when configuring them (something I must say I have done quite a few times). :-)

The Solution:

As per my previous post, please check out the stunning conclusion to this blog post on our official AIP blog at https://techcommunity.microsoft.com/t5/Azure-Information-Protection/Azure-Information-Protection-Scanner-Express-Installation/ba-p/265424 and bookmark https://aka.ms/AIPBlog for future exciting content from yours truly (I will of course keep writing my fun scenarios here, but the solutions will all be over in the grown-up blog).

Thanks!

Kevin


Creating Labels for Azure Information Protection


The Scenario:

You are starting to implement Azure Information Protection and you need to create Labels and Sub-Labels so your users can see the new fancy buttons in their Office applications.  Often there are default labels to work from, but sometimes those labels have been removed or you simply want to create your own labels and are not sure what all the options in the portal do.  Fear not! I will show you how to create labels and explain all the functionality of those labels along the way.  As an added bonus, I have provided some labels templates at the end that may be useful in defining your structure.  These are of course just a recommendation and you can use them or not as you see fit.  Also, since I like to make sure you have the best information possible, the official documentation for creating labels can be found at /en-us/azure/information-protection/deploy-use/configure-policy-new-label and as always is authoritative over anything I might say here. ;-)

The Solution

Here I am going to assume that you already know how to log into the Azure Portal and get to the AIP blade.  So, navigate to the AIP blade and I will help you create labels that look like the set below.

To create a new label, click on the + Add a new label link below Protection templates

This will bring up the Label blade as shown below.

Let's step through each of the options on this new label interface.

Enabled

This is a simple Off/On selection that defaults to On.

Label display name

This is the text that will display on the button in the Office AIP client interface and in the sensitivity bar of protected documents.  As an example, we can use the first default label of Personal.

Description

This is the description of the purpose and usage instructions for a label.  This should be concise enough to fit in a popup description while being descriptive enough to help your users know if the label should be applied to the content.  The description for Personal is below (I will list all of the default labels and their descriptions later in this post).

Non-Business data which does not belong to <enter your company here>. Data is not encrypted and cannot be tracked or revoked.  Do not use Non-Business to classify any personal data which is collected by or belongs to <enter your company here>. Such content should be marked as either Confidential or Highly Confidential.

Color

This is the color that will display next to the label in the sensitivity bar in Office.  You can Select from a list of standard colors in the drop-down or select Custom and specify the color using the hex triplet code for RGB.

Example: Gray or #737373

Set permissions for documents and email containing this label

The options here are Not configured, Protect, or Remove Protection.

Not configured is exactly what is sounds like and is what is used for the Personal, Public, and General labels.

Protect gives additional options for encrypting content using a Microsoft managed key, Azure (cloud key), BYOK, or HYOK.

After selecting Protect, you will also need to configure the additional options by clicking on the Protection type (in this case Azure (cloud key). Protection is typically used for Confidential and Highly Confidential sub-labels. The Protect blade looks similar to the image below.

 

The first option in the Protection settings is Azure (cloud key) or HYOK (AD RMS) protection.

In Azure (cloud key) protection, you first have to

Select the protection action type

This defines if you will use standard permissions for users, groups, or domains (Set permissions), or use the Do Not Forward or Custom Settings dialogs in Office (Set user-defined permissions (Preview)).

If using Set permissions, click the + Add permissions link below users to select user rights.

This brings up the Add permissions blade

 

To add all users synced to your O365 tenant, simply click the + Add <your company> - All members link and choose a permission preset or custom permissions.  Alternatively, you can browse the directory for any mail enabled groups or users to add rights to.

Note: You will only be able to add one type of permissions at a time so if you want different levels of permissions for different groups you will need to save and return to add the different levels of access.

One additional option you have in this interface is to add additional external users or domains on the Enter details tab.

Note: If entering a domain, include only the domain name and no additional characters like *@

The permissions you can choose from under Choose permissions from preset or set custom are shown below.

You can click through the presets to see what is available or use Custom to assign specific permissions from this list.

After adding users/groups/domains and selecting the appropriate level of permissions, click OK to return to the Protection settings interface.

If you choose Set user-defined permissions (Preview) you will see the interface below.

If you deselect either of these options, the label will not display in the programs noted.  This is often used to create Recipient Only labels that will apply the Do Not Forward permission, but the label would look out of place in Word, Excel, PowerPoint and File Explorer.  Similarly, a label like Custom Permissions would look out of place in Outlook but fine in the other Office applications.

The other options in the Protections settings interface are Content expiration and Allow offline access.

Content expiration

This option allows you to expire content on a specific date or after a specific number of days.  This could be useful for contracts that are not valid after a specific date or offers that are only valid for a set number of days from creation.

Allow offline access

This option defines the length of time that a Use license is valid without reauthenticating to AIP.  The default for this is 7 days which allows a user to be offline for a full week without needing to authenticate to the cloud.  After that amount of time they will need to reach out to AIP to get a new use license. Leaving this default for Confidential information and perhaps using a lower number of days for Highly Confidential is a good decision as it allows you to revoke access to content dynamically by removing a user from the authorized groups defined in the AIP label.

Note: Use caution with setting this option to Never as it could have detrimental impact on usability and could cause users that travel regularly to be unable to work on Airplanes or other locations with limited internet access.

Finally, Remove Protection allows you to use a label to remove any existing protection applied to a document.  This is useful for bulk decryption templates.

 

Set visual marking (such as header or footer)

This option allows you to add header/footer text to your labeled documents.  This is typically reserved for Confidential/Highly Confidential documents but can be configured for any label.

Documents with this label have a header/footer/watermark

This can be set to Off or On with the default being Off.  If this is set to Off, the additional options below are hidden.

Header/Footer/Watermark text

This is the text that will be added to the header/footer/watermark of the document or email

Header/Footer/Watermark font size

This is the font size for the header/footer/watermark

Header/Footer/Watermark font name

The default header/footer/watermark font is Calibri.  A custom font must be typed in manually and if the font is not present on the system opening the document the system will use a random font.

Header/Footer/Watermark Color

This works like the color option for the label (Select from list or use Custom RGB hex triplet)

Header/Footer alignment

Choose from Left, Center, or Right alignment with Left being default

Caution : Headers and Footers defined in labels will overwrite any existing headers or footers in documents or emails.

Watermark layout

Choose Horizontal or Diagonal with Diagonal being the default

Configure conditions for automatically applying this label

This option can be used to automatically apply or recommend this label based on defined criteria.  This is an AIP Premium P2 feature (EMS E5) and goes beyond the scope of this post.

Default Label Contents and Template

The information below can be used to create the default templates that Microsoft provides with new AIP tenants.  There is also a blank template that you can use for planning your own labels and adding to your documentation.

Personal

Label Name:
Personal
Note: Many companies use Non-Business rather than Personal for this label name

Sub-Label:
No

Description:
Non-Business data which does not belong to <enter your company here>. Data is not encrypted and cannot be tracked or revoked.  Do not use Non-Business to classify any personal data which is collected by or belongs to <enter your company here>. Such content should be marked as either Confidential or Highly Confidential.

Label color:
Gray

AIP Protection:
Not configured

Document Headers:
No

Header Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Footers:
No

Footer Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Watermark:
No

Watermark Text:
None

Size:
N/A

Color:
N/A

Layout:
N/A

Conditions set:
None

Public

Label Name:
Public

Sub-Label:
No

Description:
Business data specifically prepared and approved for public consumption. Data is NOT encrypted and cannot be tracked or revoked.

Label color:
Green

AIP Protection:
Not configured

Document Headers:
No

Header Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Footers:
No

Footer Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Watermark:
No

Watermark Text:
None

Size:
N/A

Color:
N/A

Layout:
N/A

Conditions set:
None

General

Label Name:
General

Sub-Label:
No

Description:
Business data which is NOT intended for public consumption. However, this can be shared with internal employees, business guests and external partners as required. Data is not encrypted and cannot be tracked or revoked.

Label color:
Blue

AIP Protection:
Not configured

Document Headers:
No

Header Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Footers:
No

Footer Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Watermark:
No

Watermark Text:
None

Size:
N/A

Color:
N/A

Layout:
N/A

Conditions set:
None

Confidential

Label Name:
Confidential

Sub-Label:
No

Description:
Sensitive business data that could cause damage to the business if shared with unauthorized people. Data is encrypted. Data owners can track and revoke content.

Label color:
Orange

AIP Protection:
Not configured

Document Headers:
No

Header Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Footers:
No

Footer Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Watermark:
No

Watermark Text:
None

Size:
N/A

Color:
N/A

Layout:
N/A

Conditions set:
None

Confidential \ Recipients Only

Label Name:
Confidential \ Recipients Only

Sub-Label:
Yes, of Confidential

Description:
Confidential data that is encrypted and that can be viewed by the recipients only.

AIP Protection:
Protect, User defined permissions, In Outlook apply Do Not Forward

Document Headers:
No

Header Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Footers:
Yes

Footer Text:
Classified as Confidential \ Recipients Only

Font size:
10

Color:
Black

Alignment:
Left

Document Watermark:
No

Watermark Text:
None

Size:
N/A

Color:
N/A

Layout:
N/A

Conditions set:
None

Confidential \ All Employees

Label Name:
Confidential \ All Employees

Sub-Label:
Yes, of Confidential

Description:
Confidential data which is classified and protected.  <Company name> employees may edit, reply, forward and print.  Data owners can track and revoke content.

AIP Protection:
Protect, Set permissions, Add all members of tenant with Co-Owner rights

Document Headers:
No

Header Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Footers:
Yes

Footer Text:
Classified as Confidential \ All Employees

Font size:
10

Color:
Black

Alignment:
Left

Document Watermark:
No

Watermark Text:
None

Size:
N/A

Color:
N/A

Layout:
N/A

Conditions set:
None

Highly Confidential

Label Name:
Highly Confidential

Sub-Label:
No

Description:
Very Sensitive business data that would certainly cause damage to the business if over-shared. Data is encrypted. Data owners can track and revoke content.

Label color:
Red

AIP Protection:
Not configured

Document Headers:
No

Header Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Footers:
No

Footer Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Watermark:
No

Watermark Text:
None

Size:
N/A

Color:
N/A

Layout:
N/A

Conditions set:
None

Highly Confidential \ Recipients Only

Label Name:
Highly Confidential \ Recipients Only

Sub-Label:
Yes, of Highly Confidential

Description:
Highly Confidential data that is encrypted and that can be viewed by the recipients only.

AIP Protection:
Protect, User defined permissions, In Outlook apply Do Not Forward

Document Headers:
No

Header Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Footers:
Yes

Footer Text:
Classified as Highly Confidential \ Recipients Only

Font size:
10

Color:
Black

Alignment:
Left

Document Watermark:
No

Watermark Text:
None

Size:
N/A

Color:
N/A

Layout:
N/A

Conditions set:
None

Highly Confidential \ All Employees

Label Name:
Highly Confidential \ All Employees

Sub-Label:
Yes, of Highly Confidential

Description:
Highly Confidential data which is classified and protected.  <Company name> employees may edit, reply, forward and print.  Data owners can track and revoke content.

AIP Protection:
Protect, Set permissions, Add all members of tenant with Co-Owner rights

Document Headers:
No

Header Text:
N/A

Font size:
N/A

Color:
N/A

Alignment:
N/A

Document Footers:
Yes

Footer Text:
Classified as Highly Confidential \ All Employees

Font size:
10

Color:
Black

Alignment:
Left

Document Watermark:
No

Watermark Text:
None

Size:
N/A

Color:
N/A

Layout:
N/A

Conditions set:
None

Template

Label Name:
LabelName

Sub-Label:
No

Description:
Description of Label Usage

Label color:
Color or N/A for sub-labels

AIP Protection:
Protection Properties

Document Headers:
No

Header Text:
N/A

Font size:
10

Color:
Black

Alignment:
Left

Document Footers:
No

Footer Text:
N/A

Font size:
10

Color:
Black

Alignment:
Left

Document Watermark:
No

Watermark Text:
None

Size:
N/A

Color:
N/A

Layout:
Diagonal

Conditions set:
None