Planning, Designing & Deploying a Highly Available AD RMS Infrastructure. Jovita Nsoh, Senior Security Architect, Security Governance & Architecture, Online Services Security & Compliance (OSSC)
Slide1
Planning, Designing & Deploying a Highly Available AD RMS Infrastructure
Jovita Nsoh
Senior Security Architect
Security Governance & Architecture
Online Services Security & Compliance (OSSC)
Microsoft Corporation
SIA323
Slide2
A Bit About Me
Jovita Nsoh, MSc., MBA
Certifications: CITA-P, MCA, MCM, MCSE, CISSP, CISA, CISM
Is a Senior Security Architect at Microsoft’s Online Services Security & Compliance (OSSC), Security Governance & Architecture Team
Has several years at Microsoft Consulting Services (MCS)
Based in Redmond, WA, USA.
Contact Email: jovitan@microsoft.com – I will respond
Slide3
Feel free to ask questions as we go on
Slide4
Session Objectives and Takeaways
Slide5
AGENDA
Overview & Introduction
Deployment Best Practices
AD RMS Performance, Sizing and Fault Tolerance
Slide6
Overview & Introduction
AD RMS Overview
AD RMS Components
AD RMS Licenses
AD RMS Certificates
Information Flow
Bootstrapping
Slide7
What is AD RMS?
Information Protection technology
Aimed at reducing information leakage
Server and client components
Integrated with Windows, Office, Exchange, SharePoint and more
Based on Symmetric and Public Key Cryptography
Protects data at rest, in transit and in use
Helps enforce corporate data policies
Slide8
Information Leakage Is Costly On Multiple Fronts
Legal, Regulatory & Financial impacts
Damage to Image & Credibility
Damage to public image and credibility with customers
Financial impact on company
Leaked e-mails or memos can be embarrassing
Cost of digital leakage per year is measured in $ billions
Increasing number and complexity of regulations,
e.g. GLBA, SOX, CA SB 1386
Non-compliance with regulations or loss of data can lead to significant legal fees, fines and/or jail time
Loss of Competitive Advantage
Disclosure of strategic plans or M&A info can potentially lead to loss of revenue and market capitalization
Loss of research, analytical data, and other intellectual capital
Slide9
Do you want to be these people?
Slide10
How does this happen, and by whom?
Ex-employees, partners, customers
Over 1/3 due to negligence
Nearly 30% of loss on portable devices
Increasing loss from external collaboration
Percentage cause of data breach (source: Cost of Data Breach report, Ponemon Institute 2010)
Estimated sources of data breach (source: Global State of Information Security Survey, PriceWaterhouseCoopers 2010)

Likely source of incidents   2008   2009   2010
Current Employee             34%    33%    32%
Former Employee              16%    19%    23%
Hacker                       28%    26%    31%
Customer                      8%    10%    12%
Partner/Supplier              7%     8%    11%
Unknown                      42%    39%    34%
Slide11
How AD RMS Works
Client and user are “activated”
Client creates rights-protected content (offline)
User distributes rights-protected content
Recipient acquires licenses from server to decrypt protected information
Client enforces usage policies
Slide12
Information Protection with Windows Rights Management Services
Access Control
List Perimeter
No
Yes
Firewall Perimeter
Authorized Users
Unauthorized Users
Information Leakage
Unauthorized Users
Traditional solutions control initial access…
…RMS addresses ongoing information usage
Slide13
How do you protect your sensitive information from unauthorized distribution?
Information Author
Recipient
External Users
Mobile Devices
USB Drive
Slide14
Using IRM to avoid data leakage
Encryption provides protection from unauthorized access
Most effective if it is identity-based
How you manage encryption is essential
Needs to be independent from content management
Must be integrated with ID management
Must be simple to use
Must be strong, reliable and recoverable
Encryption is not enough
Users will misuse information if they can
Even trusted users make mistakes
But if policy is clear and not easily circumvented, legitimate users will follow the policies
Slide15
AD RMS Workflow
Protection:
1. Author automatically receives AD RMS credentials (“rights account certificate” and “client licensor certificate”) the FIRST TIME they rights-protect information (not on subsequent attempts).
2. The application works with the AD RMS client to create a “publishing license”, encrypts the file, and appends the publishing license to it.
3. The AD RMS Author distributes file.
Consumption:
4. Recipient clicks file to open. The application sends the recipient’s credentials and the publish license to the AD RMS server, which validates the user and issues a “use license.”
5. Application renders file and enforces rights.
Slide16
AD RMS Highlights
Robust protection
AES 128 bits, RSA 1024 bits, HSM support
Extensive client-side enforcement
Very easy to use
UI integrated with Office products
Authors just select the appropriate option
No action required on consumers of protected information
No significant need for user technical training
Transparent operation
Automated certificate and license management
Small traffic and volume overhead
Low infrastructure cost
Slide17
Protecting information with AD RMS
Users can manually assign rights over a document
Who can read, print, edit, copy…
Can assign rights to users or groups
Document expiration, programmatic access, other advanced options
Some applications have pre-defined options
E.g. Outlook’s “Do Not Forward”
Users can also use a pre-built template
Templates reflect the organization’s security policies
Company Confidential
Managers only
Contains private information
Etc.
Templates enforce a pre-defined set of rights
Templates are enforced at time of consumption
Some applications can also automatically apply protection
Slide18
AD RMS Breakdown
Persistent Policy + Encryption
Policy: trusted entities; usage rights and conditions
Encryption
Slide19
RMS vs EFS vs BitLocker
Scenario (columns: RMS / EFS / BitLocker)
Protect my information outside my direct control
Set fine-grained usage policy on my information
Collaborate with others on protected information
Protect my information to my smartcard
Untrusted admin of a file share
Protect information from other users on shared machine
Lost or stolen laptop
Physically insecure branch office server
Local single-user file & folder protection
Secure Collaboration
Protect Yourself
Protect Against Theft
Slide20
WHERE AD RMS CANNOT HELP!!
Slide21
AD RMS Components
Slide22
AD RMS Topology
Database
Licensing-Only
Server
Database
Database
Licensing-Only Server Cluster
AD RMS Root Cluster
Slide23
Certification & Licensing
Client Machines
RMS Components Detail
RMS “Root” Certification Cluster
IIS, ASP.NET
Active Directory
Identity list
Service Connection point (url)
RMS Licensing Cluster
RMS Web Services:
Publishing
Licensing
IIS, ASP.NET
Logging Database
NLB
Administration:
Service connection point
Policy Templates
Logging Settings
RMS Web Services:
Certification
Publishing
Licensing
SQL Server
Configuration
Logging
Directory
RMS Client + “Lockbox”
RMS-enabled applications
User Certificate + key pair
Machine Certificate + key pair
Licensing
SQL
NLB
Slide24
Handout 1: RMS Client “Bootstrapping” (Client Computer(s) and RMS Server, single-server configuration)
1. Install RMS-enabled application(s)
2. Install RMS Client Software
RMS Client activates machine: calls RMActivate.exe to generate machine key pair and signs Machine Certificate (containing machine public key); protects user-specific machine private key with DPAPI
3. User uses RMS for the first time
4. User authenticates (authentication credentials sent to the RMS Server)
Certification: check user SID against AD; generate User Key Pair
Server returns Rights Account Certificate (RAC), signed with RMS Server Public key, containing the User Public Key and the User Private Key encrypted with the machine public key
User can publish online or consume
Client requests Client Licensor Certificate: server validates RAC and generates “Client” Key Pair
Server returns Client Licensor Certificate (CLC), signed with RMS Server Public key, containing the CLC Public key and copy of SLC, and the CLC Private key encrypted with the RAC public key
User can publish offline
Slide25
Handout 2: Online Publishing
“Publisher” / Sender: user protects content
RMS Publishing Server (an RMS Licensing Service)
1. RMS-enabled application generates AES content key, encrypts content with it
2. Application encrypts content key with RMS server’s public key and sends to RMS publishing server.
3. Server creates and signs Publishing License (PL), containing the encrypted AES content key, rights information and url of RMS server
4. RMS-enabled application receives the PL and appends it to encrypted content
Keys involved: AES content key and RMS Server public key on the client; RMS Server private key on the server
Slide26
Handout 3: Offline Publishing (with CLC)
“Publisher” / Sender: user protects content (e.g. Word doc)
Application and RMS Client hold: AES content key, RMS Server public key, Client Licensor Certificate (CLC Private key, CLC Public key, copy of SLC)
1. RMS-enabled application generates AES content key, encrypts content with it
2. Encrypt content key with RMS server’s public key (so server can decrypt it later for the recipient; server public key is contained in the server SLC, inside the client CLC)
3. Encrypt content key with CLC public key (to create “owner” license)
4. Create publishing license, include both encrypted copies of content key, rights information, and RMS server url, and sign with CLC private key
5. Append Publishing License to content
Result: encrypted content + Publishing License (2 encrypted AES keys, rights information, url of RMS server)
Slide27
Handout 4: Offline Publishing & Consumption
Application and RMS client (publisher side):
1. Generate AES key and encrypt content
2. Encrypt AES key with the public key of the client’s CLC (for “owner” license)
3. Encrypt another copy of the AES key with RMS server’s public key (so server can decrypt it later for the recipient; server public key is contained in client CLC)
4. Create “Publishing License” (PL), sign with CLC private key and append to encrypted content
Publisher saves content (the file now carries encrypted content plus a Publishing License with 2 encrypted AES keys, rights information and url of RMS server)
(Assuming recipient has RMS Client and RAC)
Recipient user opens content
Application and RMS Client (recipient side):
Inspect PL for RMS Service url.
Send “Use License Request” (PL + RAC) to licensing server specified by url.
RMS Server:
Validates recipient RAC
Inspects PL for rights
Validates user in AD
Un-encrypts content key & re-encrypts it with recipient RAC’s public key
Returns encrypted content key in use license
RMS Client uses RAC private key (unavailable to user) to un-encrypt the content key
Application enforces XrML policy detailed in PL
Application renders file and enforces rights
Slide28
RMS Credentials and Licenses (Credential / Identifies / Contains / Allows…)
Machine Certificate (one per user per PC)
  Identifies: a trusted machine
  Contains: machine public key
  Allows: machine and Lockbox to participate in RMS environment
Rights Account Certificate (RAC) (a.k.a. “GIC”)
  Identifies: a trusted user
  Contains: user public key (user private key is encrypted with the machine public key)
  Allows: authorized user to consume protected content
Client Licensor Certificate (CLC)
  Identifies: a user allowed to protect content (i.e. “publish”) on behalf of the RMS Server, without connectivity to the RMS Server
  Contains: CLC public key; CLC private key (encrypted with RAC public key); copy of RMS Server Licensor Cert
  Allows: a user to protect content (i.e. “publish”) on behalf of the RMS Server, without connectivity to the RMS Server
Publishing License (issued by either an RMS server or by a user via their CLC)
  Identifies: policy (users, rights, conditions) governing content consumption
  Contains: policy information; symmetric (AES) key used for content encryption (encrypted with the RMS server public key); another copy of the content key (encrypted with the CLC public key); URL of licensing server
Use License (issued by RMS licensing server)
  Contains: symmetric (AES) key used for content encryption (encrypted with the authorized user’s RAC public key)
  Allows: an authorized principal (user) to consume content according to conditions in the Publishing License
Slide29
Windows RMS Key Flow: Standard Publish-and-Consume Scenario
Participants: Information Author, The Recipient, RMS Server, Database Server, Active Directory
1. Author automatically receives RMS credentials (“rights account certificate” and “client licensor certificate”) the first time they rights-protect information.
2. Author applies an RMS policy to their file. The application works with the RMS client to create a “publishing license”, encrypts the file, and appends the publishing license to it.
3. Author distributes file.
4. Recipient clicks file to open. The application sends the recipient’s credentials and the publish license to the RMS server, which validates the user and issues a “use license.”
5. Application renders file and enforces rights.
Slide30
Example: Rights-Protected Document (Word, Excel, or PowerPoint 2003 Pro)
Publishing License (created when file is protected): Rights Info w/ email addresses; Content Key encrypted with the server’s public key
The Content of the File (text, pictures, metadata, etc.): encrypted with Content Key, a cryptographically secure 128-bit AES symmetric encryption key
End User Licenses (only added to the file after server licenses a user to open it): Rights for a particular user; Content Key (big random number) encrypted with the user’s public key
NOTE: Outlook E-mail EULs are stored in the local user profile directory
Slide31
RMS and Internet connected clients
Certification server publishes two URLs
Internal Intranet URL namespace
External Internet URL namespace accessible from Internet
RMS Services
Internet
RMS enabled client, Browser
Internal
RMS clients
Slide32
AD RMS Topology
The number of AD RMS servers per forest or domain will depend on performance and special requirements
Many scenarios:
One certification + licensing-only cluster
One certification cluster and multiple licensing-only servers
Multiple certification servers and one licensing-only server
Combinations
Slide33
AD RMS Server
Runs on Windows Server 2008
Requires IIS with ASP.NET
Stateless
Uses Microsoft Message Queuing
Responsible for transactions to be applied to SQL database
Provides tolerance when connectivity is lost between AD RMS server and SQL Server
Certification and Licensing
AD RMS 2008 R2 SP1 servers
Slide34
Configuration Database
Stores, shares, and retrieves the following for a cluster:
Cluster keys (if not using an HSM)
All cluster configuration data
Rights account certificates (RAC) and their associated identities
Data that is needed to manage Certification, Licensing and Publishing services
Critical for AD RMS operation
Some configurations can be edited manually
SQL 2008 R2 Enterprise Cluster
Slide35
Logging Database
One per AD RMS cluster
One private message queue on each server in the AD RMS cluster for logging
AD RMS logging service transmits data from this message queue to the logging database
Not critical for operation, never consumed by the service
Used for reporting, troubleshooting, and performance management
“append only”
SQL 2008 R2 Enterprise Cluster
Slide36
Directory Services Database
Contains cached information about: Users, Identifiers (such as email addresses), Security ID (SID), Group membership, Alternate identifiers
Relieves stress on the domain controllers
Is recycled on a daily basis
Not critical for AD RMS operation
If lost, it is regenerated once the database is restored to a pristine state from a backup
SQL 2008 R2 Enterprise Cluster
Slide37
Active Directory
AD RMS contacts Global Catalogs for user and group information
Should be co-located with the AD RMS servers
AD RMS requires email attribute to be populated in users
In multi-forest scenarios it also requires Exchange Server Schema Extensions
AD RMS polls AD frequently for group membership information
Across forests it will talk to the local AD RMS in that forest
By default, clients and servers use the Service Connection Point registered in AD to find the Certification Cluster in a forest
Domain Controllers
Slide38
AD RMS and Server Infrastructure
Slide39
AD RMS Components – Logical view
SQL
OS
Platform
Client Platform
Applications
MMC 3.0 Host
Admin Snap-in
Admin Platform
RMS Client
RMS Server
RMS Administration
AD
ADFS
SOAP/HTTP
SOAP/HTTP
Passive Protocol
(HTTP)
WebSSO
Agent
System.Data.SqlClient
Native
LDAP
WebSSO
Redirects
MOM pack
PowerShell
OS
Platform
Client Platform
Applications
MOM pack
PowerShell
Slide40
Microsoft AD RMS
Industry leading unstructured data security
Mature solution in the market since 2003
Integrated with AD, Office, Exchange, SharePoint
Core to Microsoft cloud security strategy
(Diagram: Information Author, Recipient, Active Directory, SQL Server, AD RMS. Author rights: View allowed, Edit allowed, Print allowed. Recipient rights: View allowed, Edit denied, Print denied.)
Slide41
AD RMS & Server Products
Exchange Server Integration
SharePoint Integration
File Share Integration
Exchange Online & Cloud
Slide42
AD RMS and SharePoint
When content is downloaded from a library…
RMS protection automatically applied
Information still searchable in SharePoint library
SharePoint rights
IRM permissions
Recipient
AD RMS
SharePoint
Slide43
AD RMS & Exchange
When users are sending emails unprotected…
Exchange transport rules apply RMS automatically
Based on content (what it says) and context (who it’s going to) analysis
Consume protected email in IE, Firefox and Safari
(Diagram: Information Author, Exchange, AD RMS, Recipient)
Slide44
AD RMS and file shares
AD RMS
Windows
File Server
When content is saved to a network file share...
Bulk Protection Tool secures all content in certain folders
File Classification Infrastructure (FCI) can automate classification, RMS and move into SharePoint
Information
Author
SharePoint
Slide45
AD RMS and DLP
Microsoft AD RMS
RSA DLP
R&D department
Marketing department
Others
Endpoints:
Laptops/Desktops
File Shares
SharePoint
R&D Department
Marketing Department
Others
View, Edit, Print
View
No Access
Intellectual Property (IP)
template
Find ‘IP’ documents
Apply ‘IP’ AD RMS template
IP Policy
DLP provides a powerful way to locate and classify your information
Maps AD RMS policy to DLP and therefore to content
Slide46
Microsoft Exchange Prelicensing
Microsoft Exchange Server 2007 SP1 and later can work with Outlook 2007 or Outlook mobile 6.1 and later to enable Prelicensing
When enabled, users are delivered licenses for emails and attachments together with the documents
Eliminates the need to be connected to acquire a license on open
Slide47
Exchange Server Prelicensing as an Enabler
In Exchange 2010 Exchange prelicensing enables:
Offline consumption of email and attachments
Antimalware scanning
OWA IRM
Automated decryption/journaling/protection
Indexing and Search
Exchange ActiveSync IRM
Slide48
IRM in OWA in Exchange 2010
IRM protection in any browser!
Slide49
Web Ready Document View
Slide50
Additional capabilities in Exchange 2010
Search, scan, filter, and journal protected e-mail
Transport Decryption: enables access to IRM-protected messages by Transport Agents to perform operations such as transport rules, content filtering, and anti-spam/anti-virus.
IRM Search: conduct full-text search on IRM-protected messages in OWA and Outlook. Enables eDiscovery of protected messages in the Exchange Store.
Journal Report Decryption: Journal Report Decryption Agent attaches clear-text copies of IRM-protected messages and attachments to journal mailbox
Exchange ActiveSync IRM: content gets evaluated, licensed and decrypted before delivered to device; device uses native protection and enforcement capabilities
Slide51
Accidents Happen
We can’t always rely on users to protect data
“80% of all data leaks occur because of accidents — that is users, being unaware of data policies, as opposed to having malicious intent.” - Forrester, 2008
Top 10 threats to Enterprise Security - IDC
Slide52
Information Protection and Control in Exchange 2010
The right tools for the right scenario
Dynamic Signatures/
Disclaimers
MailTips
IRM Protection
Block/
Redirect
SOFT
CONTROLS
HARD
CONTROLS
Moderation
Less restrictive → More restrictive
Slide53
Automating Information Protection
AD RMS typically relies on the users to protect content they consider sensitive
In some scenarios, enforcing protection over certain types of content might be desired
Possible implementations:
Use Windows Server 2008 R2 and Exchange 2010 automated protection capabilities
Use third party solutions to perform discovery and automated protection
Slide54
Automated Protection: reduced risk via automatic, centralized protection
Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages called “Transport Rules.”
Automatic Content-Based Privacy:
New transport rule action to apply RMS protection to e-mail messages and attachments.
Predicates support regular expression scanning of e-mail body, subject, and attachments
Transport rules also support detection of un-supported attachments and attachment stripping.
Slide55
Transport Protection Rules
Take the decision away from end-users
Apply RMS policies automatically using Transport Rules
Apply “Do Not Forward” or custom RMS templates
RMS protection is also applied to Office 2003, 2007, and 2010 attachments
RMS protection can be triggered based on sender, recipient, or content
Slide56
Outlook Protection Rules
Apply IRM protection automatically at the client
IRM protection automatically triggered based on sender and receiver attributes
Supported attachments are
also protected
Windows Desktop Search will index headers and subject
Authorized users can turn off protection
Can be used to prevent email service provider from accessing your email
Slide57
Integration with Exchange
in the Cloud
Slide58
Integration with Exchange Online
On-Premises
Hosted Service
Co-Existence
Makes migration and coexistence smoother
Gives you greater control over your online environment
Brings new Exchange Server capabilities
to the cloud
Slide59
Cross Premise IRM
Exchange Online tenants get all IRM capabilities, except for Prelicensing
After setup, all RMS transactions in Datacenter executed within Datacenter
Clients continue to call web services on on-premises AD RMS
(Diagram: Contoso premise with AD RMS; Exchange Online with Contoso tenant; Import Private Key)
Slide60
Integration with SharePoint Server
New feature introduced with SharePoint Server 2007
Not supported in Windows SharePoint Services
SharePoint libraries can be configured to automatically apply protection to documents
Documents get protected automatically on download
Documents are stored on the database without additional protection
Users receive rights based on the rights over the library
Slide61
Handouts
SharePoint IRM
Slide62
How Does SharePoint IRM Work?
Documents stored in clear text in the database
Provides indexing and search capabilities, content listed on search based on ACLs
Documents protected each time user downloads the file
After a user selects a file, it is protected and provided to the client
Protection derived from user permissions in the library
SharePoint requires online access to the AD RMS infrastructure
If connection fails, the file won’t be provided to the client
When protected file is uploaded to the portal, the content protection is removed
This feature optimizes document lifecycle into SharePoint
Only works for documents protected by SharePoint
Slide63
How Does SharePoint Server IRM Work?
Slide64
Performance, Sizing & Fault Tolerance
High Availability & Disaster Recovery
Slide65
Objectives
Understand bottlenecks and scaling factors affecting AD RMS
Learn to design AD RMS for scalability
Understand the process for sizing AD RMS adequately for an expected load
Slide66
Components Review
Server Components
Administration website
Database: Configuration, Logging
Web services: Certification, Publishing, Licensing
Clients
RMS Client software + “Lockbox”
Protected machine and user credentials
(Diagram: RMS Cluster behind NLB running RMS Web Services (Certification, Publishing, Licensing) with Log DB; clients connect to the Active Directory Service Connection Point for all services)
Slide67
Standard Deployment
Single “Root” Certification + Licensing Cluster
Single Forest
All clients use service discovery
No registry overrides
Cluster servers share common database
(Diagram: RMS “Root” Certification Cluster behind NLB, RMS Web Services (Certification, Publishing, Licensing), SQL Server (Configuration, Logging); clients in a single AD Forest connect to the Active Directory Service Connection Point for all services)
Simple, scalable and redundant
Slide68
Add Licensing Subordinate
RMS “Root” Certification Cluster
NLB
SQL Server
Configuration
Logging
RMS Web Services
Certification
Publishing
Licensing
RMS Web Services
Publishing
Licensing
SQL Server
Registry settings point departmental users to subordinate licensing cluster (Sub-enrolled Licensing Cluster behind its own NLB)
Corporate users without registry overrides point to root cluster for licensing
For departmental control over licensing, policy templates
AD Service discovery points all corporate users to SCP for certification
HKLM\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing = http://<FQDN>/_wmcs/licensing
Single AD Forest
Note: Sub-enrolled Licensing server has its own database.
Slide69
Multiple AD Forest Architecture:
Multiple Certification, Single License
Single publish/license serviceMicrosoft’s internal deploymentUses RMS Trust
Multiple
AD Forest
NLB
NLB
NLB
Registry override points all users to common licensing server
RMS Certification & Licensing
RMS Certification only
RMS Certification only
Slide70
AD RMS Sizing Considerations
Sizing AD RMS is about sizing AD RMS clusters (node)
Consider licensing performance when determining the size of an AD RMS cluster:
How much content will need to be licensed per hour?
Consider steady-state (average) usage
Consider peak usage, such as a company-wide executive email
Certification-related load usually negligible
Establish / Understand Service Level agreements (SLAs)
Aim for sub-second response (Normal)
What is "acceptable" in special circumstances?
Slide71
AD RMS Sizing Considerations (cont.)
AD RMS is EXTREMELY CPU-bound and network intensive
More than 50% of workload is cryptographic processing
HSMs typically do not provide a performance advantage
Use 64 bit: almost twice as much performance using 64 bit over 32 bit
Avoid 32 bit servers as much as possible
AD RMS can take advantage of additional memory:
AD RMS caches directory lookups on the server
AD RMS also pre-generates key pairs while idle and stores them in-memory
Slide72
Performance Benchmark
AD RMS was tested using a 2.4 GHz, x64 dual core server with 4 GB RAM.
AD RMS server delivered slightly over 100 licenses per second
AD RMS scales well with CPU count
Quad core servers are usually the sweet spot in cost/performance
A few small servers in a cluster are usually sufficient for heavy loads without Hardware Security Module offload
2 GB RAM per AD RMS server is generally sufficient
Additional RAM reduces load on DCs and can improve performance
Using Exchange Pre-licensing may significantly affect load
Requires licensing and email to a large number of users within a few minutes
Slide73
Peak Load Considerations and Examples

Scenario              # Users   Time to consume (hours)   Peak license requests per min   Peak license requests per sec
No pre-licensing      50,000    4                         209                             3.5
Using pre-licensing   50,000    4                         16,667                          278

Exchange pre-licensing agent acquires use licenses on delivery, not consumption
Pre-licensing has a default tolerance of approx. three minutes
Significant impact to peak load
Exchange batches requests, which gains some, though not significant, efficiency
Slide74
Scaling AD RMS
AD RMS is normally scaled by adding processors to servers and servers to clusters
Licensing-only clusters are an inefficient way to scale
HSMs do not increase performance significantly
Memory and disk do not affect performance as much as CPU
SQL Server is rarely the bottleneck
Adding servers to a cluster is easy
All configuration data is stored in the database
Load balancing needs to be configured appropriately
Clusters only used for certification rarely need dedicated sizing
Certification load is in general a small fraction of the load for clusters doing certification and licensing
Clusters used exclusively for certification have generally minimal requirements
Slide75
Sizing AD RMS Guidelines
Typical 64 bit CPU can process ~50 licenses/second per core (without HSM assistance)
Some complex licenses might be heavier
HSM assistance does not significantly improve overall performance
32 bit CPUs are considerably slower than x64
AD RMS scales linearly up to about 8 cores per server
Above 8 cores: it is more efficient to add servers
100Mbps network usually becomes the bottleneck above 4 cores
Hyper threading does not provide an advantage
Slide76
Sizing AD RMS Process
Certification-only clusters
Rarely stressed
Even the most basic server should handle the highest load for typical environments
Certification+licensing or licensing-only clusters
Calculate peak load
Calculate # of CPU cores needed
Calculate # of servers needed
Specify memory and disk for servers
Add margins and define cluster size
Slide77
Process for Sizing AD RMS
Obtain peak licenses per second
Divide by 50
This yields the number of 64-bit cores (double for 32-bit cores)
Divide by number of cores in standard server
Typical web servers make for good AD RMS servers
Obtain number of servers
Repeat for other clusters
Slide78
Server specifications
AD RMS servers
CPUs as defined earlier
Up to 8 x64 cores is most efficient
Virtualization is OK
Memory: 2GB is typically enough
Disk: minimal requirements for OS
Database Servers
Dual Core is OK for most scenarios
4GB RAM recommended
High volume of reporting may require more CPU and memory
Can be put in cluster
Not strictly necessary as AD RMS can retain some functionality while DB is down
Slide79
Estimating Average Load
Average load will be used mostly for calculating space needed for logging
Average load per user can be approximated by multiplying the total number of documents consumed per user by the expected percentage that will be protected
Documents and emails should in general be calculated separately and then added
Multiply this number by the number of users
Pre-licensing in Exchange and protection through SharePoint libraries might affect the calculation
A license is needed even for what you don’t read
Slide80
Estimating Average Load – Example

Item                                            Estimate
Number of Users                                 100,000
E-mails read per day per user                   75
Number of e-mail messages per day               7,500,000
Percentage of messages with AD RMS protection   10%
Slide81
Estimating Average Load – Example (cont.)

AD RMS Messages
per day                  750,000
per hour (10 hour day)   75,000
per minute               1250
per second               21
Slide82
Calculating Average Load
Slide83
Estimating Peak LoadPeak load is used to size AD RMS clusters
Two methods:1) Calculate average load and apply scaling factors for peak days and peak hoursUseful when average rate of document and email protection is high or when document protection is more significant than email protection2) Consider worst case burst eventUseful when average ratio of document and email protection is low, and one time events can significantly affect loadMost common scenarioSlide84
Estimating Peak Load – Method 1
Calculate average load# emails read + sent per day (consider DLs if using Pre-licensing)% emails protected# documents read/modified per day% documents protectedCalculate average licenses/second, LCalculate load at peak daysX% of operations performed in those daysDivide by the number of days, D
Peak Day=L*(X/100)/(D/365)Calculate peak hoursY% of operations performed in peak hours (consider global environment)Divide by the number of hours HPeak Hours=Peak Day*(Y/100)/(H/24)Slide85

Estimating Peak Load – Method 2
Calculate the worst-case scenario:
  One person sends a protected message to the whole organization
  A few organization-wide protected responses
  If pre-licensing is used, all messages and documents will be licensed within a few hours

Impact of Pre-licensing
Pre-licensing is required for several Exchange IRM features
Has a tolerance of 3 minutes
  With pre-licensing, AD RMS must issue all use licenses for a message within 3 minutes of it being sent
  Without pre-licensing, AD RMS issues use licenses as messages are consumed
[Diagram: use license (UL) issuance "Without Pre-licensing" vs. "Using Pre-licensing"]

Network Impact
Some additional network traffic will be generated
  Use License Request: 60K
  Use License Response: 30K
  Total: 90K (complex licenses might be larger)
Server network card should not saturate
  A quad-core CPU will do 200 transactions per second
  Each transaction is 90K
  NIC load should not exceed: 18,000K -> 18 MB -> 144 Mbit/s
  Server NICs should be 1,000 Mbit/s
SSL assist might be beneficial in high-load environments
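The average-load example, the Method 1 peak-load formulas and the network rule of thumb from the slides above, worked through in code as an added example (not from the original deck). The peak parameters X, D, Y, H and the 24x365 averaging of L are assumptions stated in the comments.

```python
"""AD RMS sizing arithmetic: average load, Method 1 peak load and the
resulting NIC load. Added example following the deck's figures; not
code from the original presentation."""
import math
from dataclasses import dataclass


@dataclass
class AverageLoad:
    """Protected-message licensing operations per unit of time."""
    per_day: float
    per_hour: float
    per_minute: float
    per_second: float


def average_load(users: int, emails_per_user_per_day: int,
                 pct_protected: float, working_hours: int = 10) -> AverageLoad:
    """Users x messages x protected share, spread over a working day
    (the deck's example uses a 10-hour day)."""
    per_day = users * emails_per_user_per_day * pct_protected / 100
    per_hour = per_day / working_hours
    return AverageLoad(per_day, per_hour, per_hour / 60, per_hour / 3600)


def peak_load_method1(L: float, X: float, D: int, Y: float, H: int) -> tuple[float, float]:
    """Method 1 from the deck: Peak Day = L*(X/100)/(D/365) and
    Peak Hours = Peak Day*(Y/100)/(H/24). X% of the year's operations
    fall in D peak days; Y% of a peak day falls in H peak hours.
    Assumption: L is the average licenses/second over the full 24x365,
    so the /365 and /24 factors are consistent with it."""
    peak_day = L * (X / 100) / (D / 365)
    peak_hours = peak_day * (Y / 100) / (H / 24)
    return peak_day, peak_hours


def nic_load_mbits(transactions_per_second: float, kb_per_transaction: int = 90) -> float:
    """60 KB request + 30 KB response = 90 KB per licensing transaction;
    1 KB = 1000 bytes, so 200 tps -> 18,000 KB/s -> 144 Mbit/s as in the deck."""
    return transactions_per_second * kb_per_transaction * 8 / 1000


if __name__ == "__main__":
    avg = average_load(100_000, 75, 10)  # deck example: 750,000 protected messages/day
    print(f"per second (10-hour day): {math.ceil(avg.per_second)}")
    # Assumed parameters: 40% of yearly licensing in 60 peak days,
    # 50% of a peak day's licensing in 4 peak hours; L averaged over 24x365.
    L = avg.per_day / 86_400
    peak_day, peak_hours = peak_load_method1(L, 40, 60, 50, 4)
    print(f"peak-hour rate: {peak_hours:.1f} licenses/s")
    print(f"NIC load at that rate: {nic_load_mbits(peak_hours):.0f} Mbit/s")
```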

Consider Network to DCs
Under peak-load situations, traffic to/from GCs might be significant
Consider putting a Global Catalog near the AD RMS cluster

AD RMS Database Servers
Configuration Database
  Contains critical information: public/private keys, templates, RACs
  If unavailable, some operations may continue, but no new users
  Needed for AD RMS boot
Directory Services Database
  Contains cached Active Directory information
  No significant impact when unavailable for a short period of time
  Not persistent
  Content will be automatically repopulated if the DB is restored to its initial state
Logging Database
  Stores a log of activity if enabled
  Not critical for service operation
  Necessary for analysis and reporting

Database Growth
Configuration and Directory Services cache databases remain stable over time
  Need defragmentation, but they do not grow significantly
  Configuration database: 3 MB + 2 KB per user certification
  DS cache database: approximately 8 KB per user and per group, varying with the complexity of groups
Logging DB: about 5 KB per licensing transaction when including copies of certificates
  Default in WS 2008
  Significantly more (250 KB per transaction) if certificates are logged
  Certifications take slightly more than 5 KB per transaction
Database schemas in Windows Server 2008 and 2008 R2 have been highly normalized

Database Growth (cont.)
Use the average load as calculated to estimate logging database size
  1 million transactions take 5 GB in the default configuration
  250 GB of space when logging certificates
Database can be purged periodically
Consider a consolidated archival database for reporting and investigation

Log Maintenance Options
Disable logging
  Lose potential benefits of logging (reporting, audit, troubleshooting)
Enable log filtering
  What is logged can be tuned in detail
  Settings in configuration database
Not logging certificates
  Significant savings from not logging XrML text (the default)
  Logging certificates might be necessary in certain situations but can be enabled on demand

Log Maintenance Options (cont.)
Log consolidation
  Consolidate partial logs from multiple clusters in a central database
  Discard data not useful in the long term
  Run custom reports from this DB
Log trimming
  Identifies all records in the logging database that are older than a specified age
  Implemented by script or stored procedure
  Keeps the local logging database at a constant volume over time
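Logging-database sizing from the Database Growth slides and the log-trimming step described above, as an added example built from the per-record figures quoted in the deck. It is not the deck's own script or stored procedure: the retention window, the record layout and the sample records are constructed for illustration.

```python
"""Logging-database sizing and log trimming for AD RMS. Added example
built from the deck's per-record figures; not the deck's own script or
stored procedure, and the record layout is a constructed stand-in."""
from datetime import datetime, timedelta

# Per-record figures quoted in the deck (kilobytes).
KB_PER_TXN_DEFAULT = 5        # licensing transaction, default logging
KB_PER_TXN_WITH_CERTS = 250   # when XrML certificates are logged
CONFIG_DB_BASE_MB = 3         # configuration DB: 3 MB + 2 KB per user certification
CONFIG_DB_KB_PER_USER = 2


def logging_db_gb(transactions_per_day: float, retention_days: int,
                  log_certificates: bool = False) -> float:
    """Steady-state logging DB size when a trimming job deletes records
    older than retention_days. Uses 1 GB = 1,000,000 KB, which reproduces
    the deck's '1 million transactions take 5 GB (250 GB with certificates)'."""
    kb = KB_PER_TXN_WITH_CERTS if log_certificates else KB_PER_TXN_DEFAULT
    return transactions_per_day * retention_days * kb / 1_000_000


def config_db_mb(users: int) -> float:
    """Configuration DB stays small: base size plus 2 KB per certified user."""
    return CONFIG_DB_BASE_MB + users * CONFIG_DB_KB_PER_USER / 1000


def records_older_than(records: list[dict], now: datetime, max_age_days: int) -> list[dict]:
    """Log trimming: select the records older than max_age_days, i.e. what
    the trimming script or stored procedure would delete (or move to the
    consolidated archive DB) to keep the local logging DB at constant size."""
    cutoff = now - timedelta(days=max_age_days)
    return [r for r in records if r["request_time"] < cutoff]


# Constructed sample records; the real logging schema is not modelled here.
SAMPLE_RECORDS = [
    {"id": 1, "request_time": datetime(2012, 1, 1, 9, 0)},
    {"id": 2, "request_time": datetime(2012, 5, 20, 14, 30)},
    {"id": 3, "request_time": datetime(2012, 5, 31, 23, 59)},
]

if __name__ == "__main__":
    # Deck's average load (750,000 protected messages/day), 90 days retained.
    print(f"logging DB, default logging: {logging_db_gb(750_000, 90):.1f} GB")
    print(f"logging DB, certificates logged: {logging_db_gb(750_000, 90, True):.1f} GB")
    print(f"config DB for 100,000 users: {config_db_mb(100_000):.0f} MB")
    doomed = records_older_than(SAMPLE_RECORDS, datetime(2012, 6, 1), 30)
    print("records to trim:", [r["id"] for r in doomed])
```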

AD RMS DB Planning Details
Database Size Planning: http://technet.microsoft.com/en-us/library/cc747731.aspx
Estimate Database Growth: http://technet.microsoft.com/en-us/library/cc747585.aspx
Maintaining Logging Database: http://technet.microsoft.com/en-us/library/cc747691.aspx

AD RMS Archiving (cont.) Considerations
AD RMS Performance inside MSIT implementation: http://technet.microsoft.com/en-us/library/dd941589(WS.10).aspx
MSIT Purging Database Example: http://technet.microsoft.com/en-us/library/dd941624(WS.10).aspx

AD RMS Disaster Recovery
Planning AD RMS Database Servers
Backing Up AD RMS
Restoring AD RMS

Handouts

Making AD RMS Highly Available
While AD RMS might be a critical service, minor server downtime is typically not a huge problem
  Users can mostly continue to work thanks to pre-licensing, caching, and offline publishing
To make the service highly available, load-balance multiple servers on each cluster
  Geographical distribution of RMS nodes is usually effective
  Load balance between locations
  You must confirm a strong connection to the RMS DB
  Latency to the DB should not exceed 100 ms

Making AD RMS Highly Available (cont.)
The database can also have downtime without much impact
Functionality lost during DB downtime is:
  New user certification
  Reporting
  Configuration changes
  Rebooting AD RMS nodes
  Pre-licensing and Exchange IRM features dependent on pre-licensing (OWA, Transport Decryption, Journaling, EAS IRM)
    Will retry licensing at the time of consumption
DB servers can still be made highly available through clusters or log shipping
  Though a proper backup schedule is usually a good substitute
Note: Clustering for the database does not help if the DB content is corrupt or broken

Backing Up AD RMS

Restoring AD RMS

Restoring AD RMS: Only Server in Cluster

Database Backup Options
Failover cluster
  Provides immediate recovery
  Does not protect against data-centric failures
  Not an efficient use of resources
Log backup
  We recommend running databases in full recovery mode
  A daily full backup is reasonable for most environments
  Consider your recovery needs and acceptable loss levels
  Backups should be tested, and hardware spares should be on hand to rebuild the DB if necessary
Log shipping
  Sends copies of the transaction logs to a remote instance of the database
  Useful when logging information loss must be minimized
  Enables up-to-the-minute recovery and recovery to other points in time (before database corruption, for example)
  Provides a "warm standby" database
Log mirroring
  Not officially supported
  Replicates data between DBs
  Databases can be in different locations

Database Disaster Recovery Architecture
[Diagram: Site A and Site B database servers, log shipping between the sites, clients reaching the database through a DB CNAME]

In Review: Session Objectives and Takeaways
Session objective(s):
  To be able to deploy AD RMS in complex situations
  To be able to support AD RMS integrated with Exchange 2010 when it doesn't work as expected
  Show how Exchange 2010 SP1 provides significant value to customers implementing information protection
  … something on the cloud …

Related Content
Breakout Sessions/Chalk Talks: Session Codes and Titles
Webcasts: Session Codes and Titles
Instructor-led Labs: Session Codes and Titles
Hands-on Labs: Hands-on Lab Codes and Titles
Competitive Content: Competitive Content related to your topic area (Session Codes and Titles)

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Demo
Making a GUI Tool

Reminder!
Watch my Twitter feed @concentrateddon for the download URL for these scripts
The GUI builder I've been using is SAPIEN PrimalForms (www.sapien.com); they're in the Expo hall if you'd like to talk to them. A free Community Edition is available.

Any Final Questions?
I'll also be hanging out at the Expo Hall
Please drop by and let me know what you think, or ask follow-up questions!
You can post questions to me here, or email me: jovitan@microsoft.com
Thank you!

Resources
Connect. Share. Discuss.
http://europe.msteched.com
Learning
  Microsoft Certification & Training Resources
  www.microsoft.com/learning
TechNet
  Resources for IT Professionals
  http://microsoft.com/technet
Resources for Developers
  http://microsoft.com/msdn

Evaluations
http://europe.msteched.com/sessions
Submit your evals online