Scenario Overview
Applies To: Windows Server 2008, Windows Server 2008 R2
Fabrikam, a fictitious company, has set up their e-mail infrastructure using a resource forest design. Currently they are investigating moving away from this design to a single forest design. However, this will take some serious planning and will probably take significant time to implement. In the interim, they want to deploy AD RMS and take advantage of its ability to protect content from unauthorized use.
Fabrikam has two forests: corp.fabrikam.com, the accounts forest, and resource.fabrikam.net, the resource forest. These are shown in the testing environment diagram in this topic. Current users reside in corp.fabrikam.com. They use Windows Vista® and the 2007 Microsoft Office system on their desktops. New users are created directly in resource.fabrikam.net. They use Windows® 7 Ultimate and the 2007 Microsoft Office system on their desktops. All e-mail servers and the AD RMS cluster will reside in the resource forest. Prior to being migrated, users in both forests must be able to send and consume protected e-mail content.
Note
The scenario detailed in this document is provided as an interim solution. Because of the security concerns exposed by this scenario, the utmost consideration should be given to moving to a single forest design.
The scenario outlined in this document has been developed and tested on two stand-alone computers that are running the Windows Server 2008 operating system and Hyper-V™. The servers have two 3.0 gigahertz (GHz) dual core processors and 4 gigabytes (GB) of RAM each. The following table shows six virtual machines that were created in this step-by-step guide on the hosts by using Hyper-V.
Virtual Machines and Roles
Computer Name | Forest | Operating System | Memory | Applications and Services | IP Address |
---|---|---|---|---|---|
ACC-DC | corp.fabrikam.com | Windows Server 2008 | 512 | Active Directory® Domain Services, Domain Name System | 192.168.100.100 |
ACC-CLT1 | corp.fabrikam.com | Windows Vista with Service Pack 2 | 1024 | Microsoft Office Word 2007 | 192.168.100.101 |
ACC-CLT2 | corp.fabrikam.com | Windows Vista with Service Pack 2 | 1024 | Microsoft Office Word 2007 | 192.168.100.102 |
RES-DC | resource.fabrikam.net | Windows Server 2008 with Service Pack 2 | 2048 | Active Directory® Domain Services, Domain Name System, Microsoft Exchange 2007, IIS 7.0, Microsoft SQL Server 2008 with Service Pack 1, Identity Lifecycle Manager 2007 Feature Pack 1, Microsoft® Visual Studio 2008, Active Directory Migration Tool version 3.1. | 192.168.100.1 |
RES-ADRMS | resource.fabrikam.net | Windows Server 2008 with Service Pack 2 | 1024 | AD RMS, Microsoft SQL Server 2008 with Service Pack 1, IIS 7.0 | 192.168.100.2 |
RES-CLT1 | resource.fabrikam.net | Windows 7 Ultimate | 1024 | Microsoft Office Word 2007 | 192.168.100.3 |
Hyper-V is not a requirement to complete the steps outlined in this guide. These steps can be implemented on physical computers as long as they reflect the same roles as the preceding table.
The following table summarizes the accounts used in this step-by-step guide.
Required Accounts
Account | Display name | Forest | Employee ID | Group Membership | Password | Description |
---|---|---|---|---|---|---|
bsimon | Britta Simon | corp.fabrikam.com | 11111 | All FTE | Pass1word$ | User account. |
ljacobson | Lola Jacobson | resource.fabrikam.net | 22222 | All FTE | Pass1word$ | User account. |
nholliday | Nicole Holliday | corp.fabrikam.com | 33333 | All FTE | Pass1word$ | User account. |
lhenig | Limor Henig | corp.fabrikam.com | 44444 | All Contractors | Pass1word$ | User account. |
srailson | Stuart Railson | corp.fabrikam.com | 55555 | All Contractors | Pass1word$ | User account. |
The following table summarizes the universal groups used in this step-by-step guide.
Universal Group Summary
Group Name | Group Scope | Group Type |
---|---|---|
All Staff | Universal | Security |
All FTE | Universal | Security |
All Contractors | Universal | Security |