How To Configure AD RMS In Windows Server 2016

Active Directory Rights Management Services (AD RMS) is a service that protects an organization's sensitive documents and intellectual property from unauthorized users. One of the major advantages of AD RMS over other security features such as NTFS permissions is that the AD RMS permissions travel with the document, no matter how or where you copy or move it. In this post, we will see how to install and configure AD RMS in Windows Server 2016.

In order to install and configure AD RMS in Windows Server 2016, you need to perform the following high-level steps:

  1. Preparing AD RMS server.
  2. Installing the AD RMS server role.
  3. Creating an AD RMS Cluster.
  4. Configuring the AD RMS templates.
  5. Testing and verifying AD RMS Configuration.

Preparing AD RMS Server

For a successful AD RMS deployment, you first need to make sure that you fulfill all the AD RMS prerequisites. To do this, perform the following steps:

  1. On DC1, create a user named ADRMSSRVC that will be used as the AD RMS service account.
  2. Add this account to the Domain Admins group. (Figure: Creating AD RMS Service Account)
  3. Now, create the following Active Directory objects:
    • Create an OU named Sales and create the Peter user under it.
    • Create one more OU named Finance and create the Shawn user under it.
  4. When you create the users, ensure that you also set the email address for each user account. For example, set peter@mcsalab.local for the Peter user and shawn@mcsalab.local for the Shawn user. (Figure: AD RMS Accounts)
  5. Now, create a shared folder named Secret that will be used as the Shared Distribution Point (SDP).
  6. Right-click Secret and navigate to Share with > Specific people to share this folder. (Figure: Creating AD RMS SDP)
  7. On the File Sharing dialog box, type Peter, and then click Add.
  8. Set the permission level to Read/Write. (Figure: AD RMS Shared Folder)
  9. Using the same steps, also set the Read/Write permission for the ADRMSSRVC user account.

Installing AD RMS in Windows Server 2016

In order to install the Active Directory Rights Management Services (AD RMS) role, you need to perform the following steps:

  1. On DC1, using the Server Manager console, launch the Add Roles and Features Wizard.
  2. Click Next and accept the default selections until the Select server roles page displays.
  3. Select the Active Directory Rights Management Services role and click Next. (Figure: Installing Active Directory Rights Management Services)
  4. Click Next and navigate to the Select role services page.
  5. Ensure that the Active Directory Rights Management Server option is selected and then click Next to proceed. (Figure: Selecting Active Directory Rights Management Services role)
  6. Finally, click Install and complete the installation process.
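The preparation and role-installation steps above can also be scripted. The following PowerShell is an added example, not part of the original post; it approximates the GUI steps and assumes the domain DN is DC=mcsalab,DC=local and that the Secret share is backed by C:\Secret (both assumptions).

```powershell
# Added example, not from the original post. Run on DC1 in an elevated session.
Import-Module ActiveDirectory

$domainDn  = 'DC=mcsalab,DC=local'   # assumption: DN of the lab domain mcsalab.local
$sharePath = 'C:\Secret'             # assumption: local folder behind \\dc1\secret

# Prompt for passwords rather than embedding them in the script.
$svcPassword  = Read-Host -AsSecureString 'Password for ADRMSSRVC'
$userPassword = Read-Host -AsSecureString 'Initial password for Peter and Shawn'

# Preparation steps 1-2: service account, placed in Domain Admins as the walkthrough does.
New-ADUser -Name 'ADRMSSRVC' -SamAccountName 'ADRMSSRVC' `
    -AccountPassword $svcPassword -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'ADRMSSRVC'

# Preparation steps 3-4: one OU and one user each, with the e-mail address set.
$people = @(
    @{ Name = 'Peter'; OU = 'Sales' },
    @{ Name = 'Shawn'; OU = 'Finance' }
)
foreach ($p in $people) {
    New-ADOrganizationalUnit -Name $p.OU -Path $domainDn
    New-ADUser -Name $p.Name -SamAccountName $p.Name `
        -Path "OU=$($p.OU),$domainDn" `
        -EmailAddress "$($p.Name.ToLower())@mcsalab.local" `
        -AccountPassword $userPassword -Enabled $true
}

# Preparation steps 5-9: the Secret share, Read/Write for Peter and ADRMSSRVC.
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null
$readWrite = 'MCSALAB\Peter', 'MCSALAB\ADRMSSRVC'
New-SmbShare -Name 'Secret' -Path $sharePath -ChangeAccess $readWrite | Out-Null
foreach ($account in $readWrite) {
    # Matching NTFS Modify permission, inherited by files and subfolders.
    icacls $sharePath /grant "${account}:(OI)(CI)M" | Out-Null
}

# Installation steps: the AD RMS server role service plus its management console.
Install-WindowsFeature -Name ADRMS-Server -IncludeManagementTools

# Check the results before moving on to the cluster wizard.
Get-ADUser -Filter "SamAccountName -eq 'Peter' -or SamAccountName -eq 'Shawn'" -Properties mail |
    Select-Object SamAccountName, mail
Get-SmbShareAccess -Name 'Secret'
Get-WindowsFeature -Name ADRMS* | Select-Object Name, InstallState
```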

Creating an AD RMS Cluster

After installing the AD RMS server role, the next task is to create a new AD RMS cluster. For this, you need to perform the following steps:

  1. On the Server Manager console, click the Notifications icon, and then click Perform additional configuration. (Figure: Perform Active Directory Rights Management Services post configuration)
  2. On the Configuration required for Active Directory Rights Management Services page, click Next.
  3. On the AD RMS Cluster page, ensure that the Create a new AD RMS root cluster radio button is selected, and then click Next. (Figure: Create a new AD RMS root Cluster)
  4. On the Configuration Database page, select the Use Windows Internal Database on this server option, and then click Next. Alternatively, you can specify a SQL Server database, if one is already configured. (Figure: Selecting AD RMS configuration database server)
  5. On the Service Account page, click Specify, enter the AD RMS service account (mcsalab\adrmssrvc), and then click Next to proceed. (Figure: AD RMS Service Account)
  6. Accept the default selections until the AD RMS Cluster Key Password page displays. Specify a cluster key password and click Next to proceed. (Figure: AD RMS Cluster Key Password)
  7. On the Cluster Web Site page, accept the default selection, and then click Next.
  8. On the Specify Cluster Address page, select the Use an unencrypted connection (http://) radio button, specify DC1.MCSALAB.LOCAL as the FQDN, and click Next to proceed. (Figure: AD RMS Cluster Address)
  9. On the Licensor Certificate page, accept the default name, and then click Next.
  10. On the SCP Registration page, accept the default selection, and then click Next.
  11. On the Confirmation page, review all the options you have chosen. Click Previous if you need to make changes. (Figure: Completing AD RMS Cluster configuration)
  12. Finally, click Install and complete the installation process.
  13. Ensure that the installation process completes without any errors.
  14. Now, sign out of the Administrator account and sign in as the MCSALAB\adrmssrvc user account.
  15. Open the Active Directory Rights Management Services console using the Server Manager console. Verify that no errors are displayed. (Figure: Active Directory Rights Management Services console)
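To confirm what the cluster wizard registered, the service connection point (SCP) from step 10 can be read back from Active Directory. This PowerShell check is an added example, not part of the original post; it reports the cluster URL with its scheme (http:// was selected in step 8) and lists the groups the ADRMSSRVC service account belongs to.

```powershell
# Added example, not from the original post. Run on DC1 after the cluster wizard finishes.
Import-Module ActiveDirectory

# The AD RMS SCP is stored in the forest's configuration partition.
$configNc = (Get-ADRootDSE).configurationNamingContext
$scpDn    = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"

$scp = Get-ADObject -Identity $scpDn -Properties serviceBindingInformation

# Report each registered cluster URL and whether clients reach it over TLS.
foreach ($url in $scp.serviceBindingInformation) {
    $uri = [uri]$url
    [pscustomobject]@{
        ClusterUrl = $url
        Host       = $uri.Host
        Scheme     = $uri.Scheme
        Encrypted  = ($uri.Scheme -eq 'https')
    }
}

# Review the privileges the service account carries in this lab.
Get-ADPrincipalGroupMembership -Identity 'ADRMSSRVC' |
    Select-Object Name, GroupScope
```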

Configure AD RMS in Windows Server 2016

Once you have installed the AD RMS server role, the next step is to configure AD RMS templates. For this, you need to perform the following steps:

  1. On the Active Directory Rights Management Services console, expand dc1.mcsalab.local, select and right-click Rights Policy Templates, and then select Properties. (Figure: Configuring Rights Policy Templates)
  2. Select the Enable export check box, type the path of the SDP, which is \\dc1.mcsalab.local\secret, and then click OK. (Figure: Right Policy Templates File Location)
  3. Click Create distributed rights policy template to create the distributed rights policy template. (Figure: Create Distributed Rights Policy Templates)
  4. On the Add New Template Identification Information page, click Add.
  5. Specify the template name and description, click Add, and then click Next to proceed. (Figure: Template Identification Information)
  6. On the Add User Rights page, click Add. Type the email address of the Peter user in The e-mail address of a user or group text box, and then click OK. (Figure: AD RMS User Rights)
  7. Using the same steps, add the Shawn user account, assign the View permission, and click Next. (Figure: Configure AD RMS Permissions)
  8. On the Expiration Policy page, set the desired expiry date for this template and click Next to proceed.
  9. On the Specify Extended Policy page, click Next.
  10. On the Specify Revocation Policy page, click Finish. (Figure: AD RMS Revocation Policy)
  11. Close the Active Directory Rights Management Services console.

Verifying AD RMS Client

Now that you have successfully configured AD RMS, the next step is to verify your AD RMS configuration. To do this, perform the following steps:

  1. Switch and sign in to CLIENT1 as MCSALAB\Peter.
  2. Open the Internet options, click the Security tab, click Local intranet, and then click Sites.
  3. Click Advanced, type http://DC1.MCSALAB.LOCAL in the Add this website to the zone box, and then click Add.
  4. Open a blank Word 2013 document and then type a descriptive message in the document.
  5. Click Protect Document using the File tab and navigate to Restrict AccessRestricted Access > Connect to Rights Management Services. (Figure: Install and Configure AD RMS)
  6. Select the Restrict permission to this document check box in the Permission dialog box, and then type Shawn@MCSALAB.LOCAL in the Read text box.
  7. Type Peter@MCSALAB.LOCAL in the Change text box.
  8. Click OK to close the Permission dialog box.
  9. Click Save As from the File menu, and then save the file as \\DC1\Secret\ADRMS_Test.docx. Notice that the Peter user can make changes.
  10. Switch user to MCSALAB\Shawn, open File Explorer, and then browse to \\DC1\Secret.
  11. Try to open the ADRMS_Test.docx file. Notice the message that displays.
  12. Click View Permission and verify that Shawn user has the view permission.
  13. Click the File tab and notice that the Print option is not available.

In this article, we have learned how to install and configure AD RMS in Windows Server 2016. Drop your queries, suggestions, and feedback in the comment box.

How To Add Hyper-V Hosts To SCVMM 2012 R2

SCVMM 2012 R2 allows you to manage and control virtual machines running on Hyper-V hosts. For this, however, you need to add the Hyper-V hosts to the SCVMM 2012 R2 Management server. Once you have added the Hyper-V hosts to the SCVMM Management server, you can create, delete, and manage virtual machines on the added hosts. We assume that you have already read the previous post, in which we explained the SCVMM 2012 R2 installation step by step. In this post, we will continue to use the same VMM server to explain how to add a Hyper-V host to the SCVMM 2012 R2 Management server. Before proceeding, however, you need to ensure the following:

  • VMM Management server and Hyper-V host are properly connected to each other.
  • VMM Management Server and Hyper-V host are the members of the same domain.
  • The Windows Firewall is configured to allow communication between the VMM management server and the Hyper-V host. You may turn off the Windows Firewall for testing purposes.

Adding Hyper-V Hosts to SCVMM 2012 R2

In order to add Hyper-V hosts to SCVMM management server, the following steps need to be followed:

  1. Open the Virtual Machine Manager console on the VMM management server.

    Note: Sometimes, you may get an error while opening the VMM console. To resolve this, you may need to reboot VMM management server. If the problem still exists, restart the Virtual Machine Manager service using the Services console.

  2. In the VMs and Services section, scroll down and right-click the All Hosts option, and then select the Add Hyper-V Hosts and Clusters option.
  3. On the Resource Location page of the Add Resource Wizard, review all the available options that you can use. For testing purposes, we will select the Windows Server computers in a trusted Active Directory domain option. (Figure: Add Hyper-V Host To SCVMM)
  4. On the Credentials page, select the Manually enter the credentials option, specify the domain administrator account details in DomainName\Administrator format, and then click Next.
  5. On the Discovery Scope page, select Specify Windows Server computers by names, type the IP address or computer name of the Hyper-V host that you want to add, and then click Next. (Figure: Adding Hyper-V Hosts to SCVMM Management Server)
  6. On the Target Resources page, select the Computer name check box in the Discovered computers section and then click Next.
  7. On the Host Settings page, accept the default Host group (All Hosts) and then click Next. We will explain how to create and manage the host group in a separate article. (Figure: Managing Host Settings in SCVMM)
  8. On the Summary page, click Finish to complete the task. Monitor the status of the Jobs window and close it once the Hyper-V host is added.
  9. Now, you will see all the virtual machines, if any, of the added Hyper-V host. In the following figure, you can see that host1 is added in the Virtual Machine Connection console. (Figure: Adding and Configuring Hyper-V Hosts to SCVMM Management Server)
  10. Now, you can manage the added Hyper-V hosts using the Virtual Machine Connection console.

In this article, we have explained, step by step, how to add Hyper-V hosts to SCVMM. We hope you loved it. If you get stuck anywhere, please drop your queries in the comment box.

How To Configure Remote Access VPN Server In Windows Server 2016

VPN stands for Virtual Private Network, a technology that has been used for many years to provide remote connectivity and support. A VPN is one of the most popular, secure, and inexpensive techniques for connecting remote branch offices and remote users over the Internet. There are various VPN authentication protocols, such as PPTP, L2TP, SSTP, and IKEv2, that an administrator can use for authenticating remote users. Each VPN authentication protocol supports a different level of security. In this post, however, we will focus on a step-by-step guide to configuring a Remote Access VPN Server using Windows Server 2016.

Understanding Remote Access VPN Lab Setup

First of all, understand the lab setup topology we are going to use. Ensure that all the systems are configured with the appropriate TCP/IP settings as mentioned in the topology. Also, ensure that the Windows Firewall is turned off on all the systems to avoid any network connectivity issues.

We will use the following systems to complete this lab exercise:

ROUTER1

  • Hosts the Remote Access Server role.
  • Connected to CLIENT1 using 10.0.0.1/8 IP address.
  • Connected to the SERVER2 using 192.168.1.1/24 IP address.
  • Acts as VPN Server.

SERVER2

  • Acts as an internal (private) client and is connected to ROUTER1 using 192.168.1.2/24 IP address and 192.168.1.1 as the Default gateway.

CLIENT1

  • Acts as a remote (Public) client and is connected to ROUTER1 using 10.0.0.101/8 IP address and 10.0.0.1 as the Default gateway.

It is recommended that all the systems participating in this lab exercise belong either to the same Domain network or to the same Workgroup network. A mixed type of network may cause issues when completing the lab exercise. Here, all systems are in a Workgroup-based network.

Installing Remote Access Service on Windows Server 2016

In order to configure VPN Server on Windows Server 2016, first, you need to install the Remote Access service role. For this, you need to perform the following steps:

  1. On ROUTER1, launch the Add Roles and Features Wizard.
  2. Click Next and accept the default selections until the Select server roles page displays.
  3. Select the Remote Access server role and click Next. (Figure: Installing Remote Access VPN Service)
  4. Click Next until the Select role services page displays.
  5. Select the DirectAccess and VPN (RAS) and Routing role services and then click Next. (Figure: Selecting DirectAccess and VPN services)
  6. On the rest of the pages, accept the default selections by clicking Next. Wait until the installation process completes.

Configure Remote Access VPN Server

In order to configure VPN Server on Windows Server 2016, you need to perform the following steps on ROUTER1.

  1. Open the Routing and Remote Access console by using the Server Manager console.
  2. Click Tools and select the Routing and Remote Access option. (Figure: Opening Routing and Remote Access Console)
  3. Select and right-click the server name (ROUTER1) and then select Configure and Enable Routing and Remote Access. (Figure: Configure and enable routing and remote access services)
  4. On the Welcome page, click Next and navigate to the Configuration page. Ensure that the Remote access (dial-up or VPN) option is selected and then click Next. (Figure: Configure Remote Access VPN Server)
  5. On the Remote Access page, select the VPN option and then click Next. (Figure: Routing and Remote Access Server Setup Wizard)
  6. On the VPN Connections page, select the network adapter that is connected to the Public network (Internet) and proceed to the next page. In this case, the Ethernet0 network adapter is connected to the Public system CLIENT1. (Figure: Selecting VPN Public Internet Connection)
  7. On the IP Address Assignment page, select the desired option. If your VPN server is also configured as an active DHCP server, select Automatically. If you want to assign IP addresses to the VPN clients using the VPN server, select the From a specified range of addresses option and then click Next. (Figure: Specifying IP Address Assignment)
  8. On the IP Address Assignment page, click New and set the Start and End IP addresses of the range depending on the number of VPN clients your network contains. For example, set the 10.0.0.240 to 10.0.0.245 range for testing purposes and click Next. (Figure: Specifying New VPN IP Range)
  9. On the Manage Multiple Remote Access Servers page, select the No option, as we will configure a RADIUS server in a separate article. Click Next and finish the wizard. (Figure: Finishing Routing and Remote Access Server Setup Wizard)
  10. In the Service message box, click OK to start the Remote Access service.

Creating VPN User

In order to connect and authenticate to Remote Access VPN server, VPN clients require user credentials. For this, you need to perform the following steps.

  1. Execute the following command on the VPN server ROUTER1 to create a test user named VPNUser1. It will be used by remote users to connect to your VPN server. (Figure: Creating VPN Test User)
  2. Now, type lusrmgr.msc in the Run dialog box and open the Properties of VPNUser1.
  3. Select the Dial-in tab and then select the Allow access option for the selected user. (Figure: Allow dial-in VPN access)
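The server-side steps from the three sections above (role installation, VPN configuration with the 10.0.0.240 to 10.0.0.245 pool, and the VPNUser1 account with dial-in access) can be approximated from PowerShell. This is an added example, not the command shown in the original post's figure; the account description text is an assumption, and the password is prompted for rather than hard-coded.

```powershell
# Added example, not from the original post. Run on ROUTER1 in an elevated session.

# Role services selected in the wizard: DirectAccess and VPN (RAS), and Routing.
Install-WindowsFeature -Name DirectAccess-VPN, Routing -IncludeManagementTools

# Configure the server as a VPN server that hands out addresses from a static pool
# (start and end address of the range used in the walkthrough).
Install-RemoteAccess -VpnType Vpn -IPAddressRange '10.0.0.240', '10.0.0.245'

# Create the local test account; the password is read interactively.
$vpnPassword = Read-Host -AsSecureString 'Password for VPNUser1'
New-LocalUser -Name 'VPNUser1' -Password $vpnPassword `
    -Description 'Lab VPN test account'   # assumption: description text

# Equivalent of Dial-in tab > Allow access for this user.
netsh ras set user name=VPNUser1 dialin=permit

# Confirm the service is running and the dial-in setting was applied.
Get-Service -Name RemoteAccess | Select-Object Name, Status
Get-RemoteAccess
netsh ras show user name=VPNUser1
```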

Connecting VPN Client to VPN Server

You have now successfully configured the Remote Access VPN server. The next step is to test your VPN configuration. To do this, perform the following steps on the VPN client, CLIENT1.

  1. Move on to CLIENT1, open the Network and Sharing Center, and select Set up a new connection or network to create a new VPN connection. (Figure: Creating a new VPN connection in Windows 10)
  2. Select the Connect to a workplace option and then click Next. (Figure: Connect to workplace VPN option)
  3. On the How do you connect to VPN page, select the Use my Internet Connection (VPN) option and then click Next. (Figure: Using Internet VPN connection)
  4. On the next page, select I’ll setup Internet connection later and then click Next. (Figure: How to connect Windows 10 to VPN server)
  5. On the Type the Internet address to connect to page, type the hostname (if the DNS server is already configured) or simply type the Public IP address of the VPN server. In this case, type 10.0.0.1, and then click Create. (Figure: Specifying VPN Server Address)
  6. Click the network status icon in the Notification Area and select VPN Connection. (Figure: Connecting VPN Connection on Windows 10)
  7. On the NETWORK & INTERNET screen, select VPN Connection and then click Connect. (Figure: Add VPN Connection in Windows 10)
  8. On the Sign In screen, type the username and password that you previously created on the VPN server and click OK to connect. (Figure: Authenticating VPN Server)
  9. Ensure that you are successfully connected to the VPN server. (Figure: Verify VPN Connectivity)
  10. To further verify, type \\192.168.1.2\c$ to test that you are able to access the data of the Private client, SERVER2. (Figure: Accessing data using VPN connection)

Note: Use the Administrator user if you are unable to access SERVER2 using VPNUser1.

In this post, we have explained how to configure Remote Access VPN Server on Windows Server 2016. You are always welcome to provide your valuable suggestions and feedback. Please use the comment box to share your views. Stay connected with us for more step by step Windows Server 2016 tutorials.
