70-412 Configuring Advanced Windows Server 2012 R2 – Chapter 21: Installing and Configuring Active Directory Rights Management Services

Active Directory Rights Management Services (AD RMS)
Technology used to provide an extra level of security to documents such as email and Microsoft Office documents by using encryption to limit who can access a document or web page and what can be done with a document or web page.
Rights
Basic security mechanisms that specify what a user or group can do on a system.
Permissions
Basic security mechanisms that specify what a user or group can do with an object.
AD RMS Server
A Windows server that is a member of an Active Directory Domain Services (AD DS) domain.
AD RMS Client
Computers with the AD RMS client. Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating systems have the client built-in. The client for Windows XP, Windows Server 2003, and Windows Server 2003 R2 can be downloaded and installed.
AD RMS-Enabled Applications
An application that allows users to create and consume AD RMS-protected content. Examples of AD RMS-enabled applications include Microsoft Word, Microsoft Excel, and Microsoft Outlook.
AD RMS root certification cluster
The first AD RMS server that you deploy in a forest. It manages all licensing and certification traffic for the domain in which it is installed. The configuration information is installed in a Microsoft SQL database.
Licensing-only cluster
An optional component that is not part of the root cluster. However, it relies on the root cluster for certification and other services. It provides both publishing licenses and use licenses to users. It is typically used when supporting the unique rights management requirements of a department or when supporting rights management for external business partners.
Server licensor certificate (SLC)
A certificate that contains the public key that encrypts the content key in a publishing license. It allows the AD RMS server to extract the content key and issue end use licenses (EULs) against the publishing license. It is generated when you create the AD RMS cluster. It allows the AD RMS cluster to issue SLCs to other servers in the cluster, rights account certificates to clients, client licensor certificates, publishing licenses, and use licenses, and to deploy rights policy templates. It has a validity of 250 years. Since it is one of the core components, it is important to back up the SLCs on a regular basis.
AD RMS Machine Certificate
Used to identify a trusted computer or device. It is also used to encrypt the rights account certificate private key and decrypt the rights account certificates.
Rights account certificate (RAC)
A RAC identifies a specific user and is issued the first time that user attempts to access AD RMS-protected content. RACs can be issued only to users in AD DS whose user accounts have email addresses associated with them. The default validity time for a RAC is 365 days.
Temporary Rights Account Certificate
Issued to users who are accessing AD RMS-protected content from a computer that is not a member of the same or a trusted forest as the AD RMS cluster. A temporary RAC has a validity time of 15 minutes.
Active Directory Federation Services (AD FS) RACs
Issued to federated users. They have a validity of seven days.
Windows Live ID RACs
Used with a Microsoft account, formerly called a Windows Live Account. Windows Live ID RACs used on private computers have a validity of six months. Windows Live ID RACs on public computers are valid until the user logs off.
Client Licensor Certificate
Allows a user to publish AD RMS-protected content when the client computer is not connected to the same network as the AD RMS cluster. The client licensor certificate public key encrypts the symmetric content key and includes it in the publishing license that it issues. The client licensor certificate private key signs any publishing licenses that are issued when the client is not connected to the AD RMS cluster. Since the client licensor certificates are tied to a specific user’s RAC, if another user who does not have a RAC attempts to publish AD RMS-protected content from the same client, they will not be able to until the client is connected to the AD RMS cluster so that the user can get a RAC.
Publishing License (PL)
Determines the rights that apply to AD RMS-protected content. It contains the content key, which is encrypted using the public key of the licensing service. It also contains the URL and the digital signature of the AD RMS server.
End Use License
Required to consume AD RMS-protected content. The AD RMS server issues one EUL per user per document. EULs are cached by default.
Service connection point (SCP)
An object in Active Directory that holds the web address of the AD RMS certification cluster. It is defined during the installation of AD RMS. AD RMS-enabled applications use the SCP to find the AD RMS service.
Rights policy templates
Also known as RMS templates, rights policy templates are used to enforce the rights that a user or group has on rights-protected content.
Exclusion policies
Policies that allow you to specify which user accounts, client software, and applications are automatically denied access to AD RMS. They also allow you to specify a minimum version of the AD RMS client software.