Planning, Designing & Deploying a Highly Available AD RMS Infrastructure - PowerPoint Presentation

Uploaded by cheryl-pisano on 2015-09-16

Designing & Deploying a Highly Available AD RMS Infrastructure. Jovita Nsoh, Senior Security Architect, Security Governance & Architecture, Online Services Security & Compliance (OSSC). ID: 130753



Presentation Transcript

Slide 1

Planning, Designing & Deploying a Highly Available AD RMS Infrastructure

Jovita Nsoh
Senior Security Architect
Security Governance & Architecture
Online Services Security & Compliance (OSSC)
Microsoft Corporation

SIA323

Slide 2

A Bit About Me

Jovita Nsoh, MSc., MBA
- Certifications: CITA-P, MCA, MCM, MCSE, CISSP, CISA, CISM
- Is a Senior Security Architect at Microsoft’s Online Services Security & Compliance (OSSC), Security Governance & Architecture Team
- Has several years at Microsoft Consulting Services (MCS)
- Based in Redmond, WA, USA.
- Contact Email: jovitan@microsoft.com – I will respond

Slide 3

Feel free to ask questions as we go on

Slide 4

Session Objectives and Takeaways

Slide 5

AGENDA

- Overview & Introduction
- Deployment Best Practices
- AD RMS Performance, Sizing and Fault Tolerance

Slide 6

Overview & Introduction

- AD RMS Overview
- AD RMS Components
- AD RMS Licenses
- AD RMS Certificates
- Information Flow
- Bootstrapping

Slide 7

What is AD RMS?

- Information Protection technology
- Aimed at reducing information leakage
- Server and client components
- Integrated with Windows, Office, Exchange, SharePoint and more
- Based on Symmetric and Public Key Cryptography
- Protects data at rest, in transit and in use
- Helps enforce corporate data policies

Slide 8

Information Leakage Is Costly On Multiple Fronts

Damage to Image & Credibility
- Damage to public image and credibility with customers
- Financial impact on company
- Leaked e-mails or memos can be embarrassing
- Cost of digital leakage per year is measured in $ billions

Legal, Regulatory & Financial impacts
- Increasing number and complexity of regulations, e.g. GLBA, SOX, CA SB 1386
- Non-compliance with regulations or loss of data can lead to significant legal fees, fines and/or jail time

Loss of Competitive Advantage
- Disclosure of strategic plans, M&A info potentially lead to loss of revenue, market capitalization
- Loss of research, analytical data, and other intellectual capital

Slide 9

Do you want to be these people?

Slide 10

How does this happen, and by whom?

- Ex-employees, partners, customers
- Over 1/3 due to negligence
- Nearly 30% of loss on portable devices
- Increasing loss from external collaboration

Percentage cause of data breach: Cost of Data Breach report, Ponemon Institute 2010

Estimated sources of data breach: Global State of Information Security Survey, PriceWaterhouseCoopers 2010

Likely source of incidents    2008   2009   2010
Current Employee               34%    33%    32%
Former Employee                16%    19%    23%
Hacker                         28%    26%    31%
Customer                        8%    10%    12%
Partner/Supplier                7%     8%    11%
Unknown                        42%    39%    34%

Slide 11

How AD RMS Works

- Client and user are “activated”
- Client creates rights-protected content (offline)
- User distributes rights-protected content
- Recipient acquires licenses from server to decrypt protected information
- Client enforces usage policies

Slide 12

Information Protection with Windows Rights Management Services

Diagram: an Access Control List Perimeter and a Firewall Perimeter separate Authorized Users from Unauthorized Users; Information Leakage still reaches Unauthorized Users beyond both perimeters.

Traditional solutions control initial access

…RMS addresses ongoing information usage

Slide 13

How do you protect your sensitive information from unauthorized distribution?

Diagram: Information Author -> Recipient -> External Users, Mobile Devices, USB Drive

Slide 14

Using IRM to avoid data leakage

- Encryption provides protection from unauthorized access
- Most effective if it is identity-based
- How you manage encryption is essential
- Needs to be independent from content management
- Must be integrated with ID management
- Must be simple to use
- Must be strong, reliable and recoverable
- Encryption is not enough
- Users will misuse information if they can
- Even trusted users make mistakes
- But if policy is clear and not easily circumvented, legitimate users will follow the policies

Slide 15

AD RMS Workflow

Protection:
1. Author automatically receives AD RMS credentials (“rights account certificate” and “client licensor certificate”) the FIRST TIME they rights-protect information (not on subsequent attempts).
2. The application works with the AD RMS client to create a “publishing license”, encrypts the file, and appends the publishing license to it.
3. The AD RMS Author distributes file.

Consumption:
4. Recipient clicks file to open. The application sends the recipient’s credentials and the publish license to the AD RMS server, which validates the user and issues a “use license.”
5. Application renders file and enforces rights.

Slide 16

AD RMS Highlights

- Robust protection: AES 128 bits, RSA 1024 bits, HSM support
- Extensive client-side enforcement
- Very easy to use: UI integrated with Office products; authors just select the appropriate option
- No action required on consumers of protected information
- No significant need for user technical training
- Transparent operation: automated certificate and license management
- Small traffic and volume overhead
- Low infrastructure cost

Slide 17

Protecting information with AD RMS

- Users can manually assign rights over a document: who can read, print, edit, copy…
- Can assign rights to users or groups
- Document expiration, programmatic access, other advanced options
- Some applications have pre-defined options, e.g. Outlook’s “Do Not Forward”
- Users can also use a pre-built template
- Templates reflect the organization’s security policies: Company Confidential, Managers only, Contains private information, etc.
- Templates enforce a pre-defined set of rights
- Templates are enforced at time of consumption
- Some applications can also automatically apply protection

Slide 18

AD RMS Breakdown

Persistent protection = Encryption + Policy
- Encryption
- Policy: trusted entities, usage rights and conditions

Slide 19

RMS vs EFS vs BitLocker

Table columns: Scenario, RMS, EFS, BitLocker (the per-column marks did not survive extraction). Scenario groups: Secure Collaboration, Protect Yourself, Protect Against Theft.

Scenarios:
- Protect my information outside my direct control
- Set fine-grained usage policy on my information
- Collaborate with others on protected information
- Protect my information to my smartcard
- Untrusted admin of a file share
- Protect information from other users on shared machine
- Lost or stolen laptop
- Physically insecure branch office server
- Local single-user file & folder protection

Slide 20

WHERE AD RMS CANNOT HELP!!

Slide 21

AD RMS Components

Slide 22

AD RMS Topology

Diagram: AD RMS Root Cluster (with Database), Licensing-Only Server (with Database), Licensing-Only Server Cluster (with Database)

Slide 23

RMS Components Detail

Certification & Licensing

RMS “Root” Certification Cluster
- IIS, ASP.NET
- NLB
- RMS Web Services: Certification, Publishing, Licensing
- Administration: Service connection point, Policy Templates, Logging Settings
- SQL Server: Configuration, Logging, Directory

RMS Licensing Cluster
- IIS, ASP.NET
- NLB
- RMS Web Services: Publishing, Licensing
- SQL: Licensing, Logging Database

Active Directory
- Identity list
- Service Connection point (url)

Client Machines
- RMS Client + “Lockbox”
- RMS-enabled applications
- User Certificate + key pair
- Machine Certificate + key pair

Slide 24

Handout 1: RMS Client “Bootstrapping”

Client Computer(s) and RMS Server (single-server configuration)

1. Install RMS-enabled application(s)
2. Install RMS Client Software
   RMS Client Activates Machine:
   - Calls RMActivate.exe to generate machine key pair and signs Machine Certificate (containing machine public key)
   - Protects user-specific machine private key with DPAPI
3. User uses RMS for the first time
4. User authenticates (authentication credentials sent to the RMS Server)
   Certification:
   - Check user SID against AD
   - Generate User Key Pair
   - Rights Account Certificate (RAC), signed with RMS Server Public key: User Private Key, encrypted with the machine public key; User Public Key
   - User can publish online or consume
   Request Client Licensor Certificate (RAC sent to the server):
   - Validate RAC
   - Generate “Client” Key Pair
   - Client Licensor Certificate (CLC), signed with RMS Server Public key: CLC Private key, encrypted with the RAC public key; CLC Public key and copy of SLC
   - User can publish offline

Slide 25

Handout 2: Online Publishing

“Publisher” / Sender: User protects content
RMS Publishing Server (an RMS Licensing Service), holding the RMS Server public key and RMS Server private key

1. RMS-enabled application generates AES content key, encrypts content with it
2. Application encrypts content key with RMS server’s public key and sends to RMS publishing server (with the rights information and url of RMS server).
3. Server creates and signs Publishing License (PL): encrypted AES content key, rights information, url of RMS server
4. RMS-enabled application receives the Publishing License and appends it to encrypted content

Result: encrypted content + Publishing License (encrypted AES key, rights information, url of RMS server)

Slide 26

Handout 3: Offline Publishing (with CLC)

“Publisher” / Sender: User protects content (e.g. Word doc)

Application and RMS Client hold: AES content key, RMS Server public key, Client Licensor Certificate (CLC Private key, CLC Public key, copy of SLC)

1. RMS-enabled application generates AES content key, encrypts content with it
2. Encrypt content key with RMS server’s public key (so server can decrypt it later for the recipient…server public key is contained in the server SLC, inside the client CLC)
3. Encrypt content key with CLC public key (to create “owner” license)
4. Create publishing license, include both encrypted copies of content key, rights information, and RMS server url, and sign with CLC private key
5. Append Publishing License to content

Result: encrypted content + Publishing License (2 encrypted AES keys, rights information, url of RMS server)

Slide 27

Handout 4: Offline Publishing & Consumption

1. Application and RMS client
- Generate AES key and encrypt content
- Encrypt AES key with the public key of the client’s CLC (for “owner” license)
- Encrypt another copy of the AES key with RMS server’s public key (so server can decrypt it later for the recipient…server public key is contained in client CLC)
- Create “Publishing License” (PL), sign with CLC private key and append to encrypted content
Publisher saves content: encrypted content + Publishing License (2 encrypted AES keys, rights information, url of RMS server)

(Assuming recipient has RMS Client and RAC)

2. Recipient user opens content. Application and RMS Client:
- Inspect PL for RMS Service url.
- Send “Use License Request” (PL + RAC) to licensing server specified by url.

3. RMS Server
- Validates recipient RAC
- Inspects PL for rights
- Validates user in AD
- Un-encrypts content key & re-encrypts it with recipient RAC’s public key
- Returns encrypted content key in use license

4. RMS Client uses RAC private key (unavailable to user) to un-encrypt the content key. Application enforces XrML policy detailed in PL; application renders file and enforces rights.

Slide 28

RMS Credentials and Licenses

Columns: Credential / Identifies / Contains / Allows…

Machine Certificate (one per user per PC)
- Identifies: A trusted machine
- Contains: Machine public key
- Allows: Machine and Lockbox to participate in RMS environment

Rights Account Certificate (RAC) (a. k. a. “GIC”)
- Identifies: A trusted user
- Contains: User public key (User private key is encrypted with the machine public key)
- Allows: Authorized user to consume protected content

Client Licensor Certificate (CLC)
- Identifies: A user allowed to protect content (i.e. “publish”) on behalf of the RMS Server, without connectivity to the RMS Server
- Contains: CLC public key; CLC private key (encrypted with RAC public key); Copy of RMS Server Licensor Cert
- Allows: A user to protect content (i.e. “publish”) on behalf of the RMS Server, without connectivity to the RMS Server

Publishing License (Issued by either an RMS server or by a user via their CLC)
- Identifies: Policy (users, rights, conditions) governing content consumption
- Contains: Policy information; Symmetric (AES) key used for content encryption (encrypted with the RMS server public key); Another copy of the content key (encrypted with the CLC public key); URL of licensing server

Use License (Issued by RMS licensing server)
- Contains: Symmetric (AES) key used for content encryption (encrypted with the authorized user’s RAC public key)
- Allows: An authorized principal (user) to consume content according to conditions in the Publishing License

Slide 29

Windows RMS Key Flow: Standard Publish-and-Consume Scenario

Participants: Information Author, The Recipient, RMS Server, Database Server, Active Directory

1. Author automatically receives RMS credentials (“rights account certificate” and “client licensor certificate”) the first time they rights-protect information.
2. Author applies an RMS policy to their file. The application works with the RMS client to create a “publishing license”, encrypts the file, and appends the publishing license to it.
3. Author distributes file.
4. Recipient clicks file to open. The application sends the recipient’s credentials and the publish license to the RMS server, which validates the user and issues a “use license.”
5. Application renders file and enforces rights.

Slide 30

Example: Rights-Protected Document (Word, Excel, or PowerPoint 2003 Pro)

Publishing License (created when file is protected)
- Rights Info w/ email addresses
- Content Key, encrypted with the server’s public key

The Content of the File (Text, Pictures, metadata, etc)
- Encrypted with Content Key, a cryptographically secure 128-bit AES symmetric encryption key

End User Licenses (only added to the file after server licenses a user to open it)
- Content Key (big random number), encrypted with the user’s public key
- Rights for a particular user, encrypted with the user’s public key

NOTE: Outlook E-mail EULs are stored in the local user profile directory

Slide 31

RMS and Internet connected clients

- Certification server publishes two URLs
- Internal Intranet URL namespace
- External Internet URL namespace accessible from Internet

Diagram: RMS Services reached by internal RMS clients and, across the Internet, by an RMS enabled client or browser

Slide 32

AD RMS Topology

The number of AD RMS servers per forest or domain will depend on performance and special requirements. Many scenarios:
- One certification + licensing-only cluster
- One certification cluster and multiple licensing-only servers
- Multiple certification servers and one licensing-only server
- Combinations

Slide 33

AD RMS Server

- Runs on Windows Server 2008
- Requires IIS with ASP.NET
- Stateless
- Uses Microsoft Message Queuing: responsible for transactions to be applied to SQL database; provides tolerance when connectivity is lost between AD RMS server and SQL Server

Diagram: Certification and Licensing, AD RMS 2008 R2 SP1 servers

Slide 34

Configuration Database

Stores, shares, and retrieves the following for a cluster:
- Cluster keys (if not using an HSM)
- All cluster configuration data
- Rights account certificates (RAC) and their associated identities
- Data that is needed to manage Certification, Licensing and Publishing services
Critical for AD RMS operation
Some configurations can be edited manually

Diagram: SQL 2008 R2 Enterprise Cluster

Slide 35

Logging Database

- One per AD RMS cluster
- One private message queue on each server in the AD RMS cluster for logging
- AD RMS logging service transmits data from this message queue to the logging database
- Not critical for operation, never consumed by the service
- Used for reporting, troubleshooting, and performance management
- “append only”

Diagram: SQL 2008 R2 Enterprise Cluster

Slide 36

Directory Services Database

Contains cached information about users:
- Identifiers (such as email addresses)
- Security ID (SID)
- Group membership
- Alternate identifiers
Relieves stress on the domain controllers
Is recycled on a daily basis
Not critical for AD RMS operation
If lost, it is regenerated once the database is restored to a pristine state from a backup

Diagram: SQL 2008 R2 Enterprise Cluster

Slide 37

Active Directory

- AD RMS contacts Global Catalogs for user and group information
- Should be co-located with the AD RMS servers
- AD RMS requires email attribute to be populated in users
- In multi-forest scenarios it also requires Exchange Server Schema Extensions
- AD RMS polls AD frequently for group membership information
- Across forests it will talk to the local AD RMS in that forest
- By default, clients and servers use the Service Connection Point registered in AD to find the Certification Cluster in a forest

Diagram: Domain Controllers

Slide 38

AD RMS and Server Infrastructure

Slide 39

AD RMS Components – Logical view

Diagram: RMS Client (OS Platform, Client Platform, Applications), RMS Server (SQL, OS Platform, MOM pack, PowerShell), RMS Administration (Admin Platform, MMC 3.0 Host, Admin Snap-in, MOM pack, PowerShell), AD, ADFS. Interfaces shown: SOAP/HTTP (client and administration to RMS Server), System.Data.SqlClient (to SQL), Native LDAP (to AD), Passive Protocol (HTTP) with WebSSO Agent and WebSSO Redirects (to ADFS).

Slide 40

Microsoft AD RMS

- Industry leading unstructured data security
- Mature solution in the market since 2003
- Integrated with AD, Office, Exchange, SharePoint
- Core to Microsoft cloud security strategy

Diagram: Information Author, Recipient, Active Directory, SQL Server, AD RMS; example rights shown as View ✓ Edit ✓ Print ✓ for one party and View ✓ Edit ✗ Print ✗ for the other

Slide 41

AD RMS & Server Products

- Exchange Server Integration
- SharePoint Integration
- File Share Integration
- Exchange Online & Cloud

Slide 42

AD RMS and SharePoint

When content is downloaded from a library…
- RMS protection automatically applied
- Information still searchable in SharePoint library
- SharePoint rights -> IRM permissions

Diagram: Recipient, AD RMS, SharePoint

Slide 43

AD RMS & Exchange

When users are sending emails unprotected…
- Exchange transport rules apply RMS automatically
- Based on content (what it says) and context (who it’s going to) analysis
- Consume protected email in IE, Firefox and Safari

Diagram: Information Author, Recipient, AD RMS, Exchange

Slide 44

AD RMS and file shares

When content is saved to a network file share...
- Bulk Protection Tool secures all content in certain folders
- File Classification Infrastructure (FCI) can automate classification, RMS and move into SharePoint

Diagram: Information Author, Windows File Server, AD RMS, SharePoint

Slide 45

AD RMS and DLP

Diagram: Microsoft AD RMS + RSA DLP. Endpoints: Laptops/Desktops, File Shares, SharePoint. DLP finds ‘IP’ documents and applies the ‘IP’ AD RMS template (Intellectual Property (IP) template, IP Policy).

Rights under the IP template:
- R&D Department: View, Edit, Print
- Marketing Department: View
- Others: No Access

- DLP provides a powerful way to locate and classify your information
- Maps AD RMS policy to DLP and therefore to content

Slide 46

Microsoft Exchange Prelicensing

- Microsoft Exchange Server 2007 SP1 and later can work with Outlook 2007 or Outlook mobile 6.1 and later to enable Prelicensing
- When enabled, users are delivered licenses for emails and attachments together with the documents
- Eliminates the need to be connected to acquire a license on open

Slide 47

Exchange Server Prelicensing as an Enabler

In Exchange 2010 Exchange prelicensing enables:
- Offline consumption of email and attachments
- Antimalware scanning
- OWA IRM
- Automated decryption/journaling/protection
- Indexing and Search
- Exchange ActiveSync IRM

Slide 48

IRM in OWA in Exchange 2010

IRM protection in any browser!

Slide 49

Web Ready Document View

Slide 50

Additional capabilities in Exchange 2010: search, scan, filter, and journal protected e-mail

- Transport Decryption: Enables access to IRM-protected messages by Transport Agents to perform operations such as transport rules, content filtering, and anti-spam/anti-virus.
- IRM Search: Conduct full-text search on IRM-protected messages in OWA and Outlook. Enables eDiscovery of protected messages in the Exchange Store.
- Journal Report Decryption: Journal Report Decryption Agent attaches clear-text copies of IRM-protected messages and attachments to journal mailbox
- Exchange ActiveSync IRM: Content gets evaluated, licensed and decrypted before delivered to device; device uses native protection and enforcement capabilities

Slide 51

Accidents Happen

We can’t always rely on users to protect data

“80% of all data leaks occur because of accidents — that is users, being unaware of data policies, as opposed to having malicious intent.” - Forrester, 2008

Top 10 threats to Enterprise Security - IDC

Slide 52

Information Protection and Control in Exchange 2010

The right tools for the right scenario

Controls shown on a spectrum from SOFT CONTROLS (less restrictive) to HARD CONTROLS (more restrictive): Dynamic Signatures/Disclaimers, MailTips, IRM Protection, Block/Redirect, Moderation

Slide 53

Automating Information Protection

- AD RMS typically relies on the users to protect content they consider sensitive
- In some scenarios, enforcing protection over certain types of content might be desired
- Possible implementations:
  - Use Windows Server 2008 R2 and Exchange 2010 automated protection capabilities
  - Use third party solutions to perform discovery and automated protection

Slide 54

Automated Protection: Reduced risk via automatic, centralized protection

Exchange Server 2010 provides a single point in the organization to control the protection of e-mail messages called “Transport Rules.”

Automatic Content-Based Privacy:
- New transport rule action to apply RMS protection to e-mail messages and attachments.
- Predicates support regular expression scanning of e-mail body, subject, and attachments
- Transport rules also support detection of un-supported attachments and attachment stripping.

Slide 55

Transport Protection Rules

- Take the decision away from end-users
- Apply RMS policies automatically using Transport Rules
- Apply “Do Not Forward” or custom RMS templates
- RMS protection is also applied to Office 2003, 2007, and 2010 attachments
- RMS protection can be triggered based on sender, recipient, or content

Slide 56

Outlook Protection Rules

- Apply IRM protection automatically at the client
- IRM protection automatically triggered based on sender and receiver attributes
- Supported attachments are also protected
- Windows Desktop Search will index headers and subject
- Authorized users can turn off protection
- Can be used to prevent email service provider from accessing your email

Slide 57

Integration with Exchange in the Cloud

Slide 58

Integration with Exchange Online

Diagram: On-Premises, Hosted Service, Co-Existence

- Makes migration and coexistence smoother
- Gives you greater control over your online environment
- Brings new Exchange Server capabilities to the cloud

Slide 59

Cross Premise IRM

- Exchange Online tenants get all IRM capabilities, except for Prelicensing
- After setup, all RMS transactions in Datacenter executed within Datacenter
- Clients continue to call web services on premise AD RMS

Diagram: Contoso Premise (AD RMS) and Exchange Online (Contoso Tenant); Import Private Key

Slide 60

Integration with SharePoint Server

- New feature introduced with SharePoint Server 2007
- Not supported in Windows SharePoint Services
- SharePoint libraries can be configured to automatically apply protection to documents
- Documents get protected automatically on download
- Documents are stored on the database without additional protection
- Users receive rights based on the rights over the library

Slide 61

Handouts

SharePoint IRM

Slide 62

How Does SharePoint IRM Work?

- Documents stored in clear text in the database
- Provides indexing and search capabilities, content listed on search based on ACLs
- Documents protected each time user downloads the file
- After a user selects a file, it is protected and provided to the client
- Protection derived from user permissions in the library
- SharePoint requires online access to the AD RMS infrastructure
- If connection fails, the file won’t be provided to the client
- When protected file is uploaded to the portal, the content protection is removed
- This feature optimizes document lifecycle into SharePoint
- Only works for documents protected by SharePoint

Slide 63

How Does SharePoint Server IRM Work?

Slide 64

Performance, Sizing & Fault Tolerance

High Availability & Disaster Recovery

Slide 65

Objectives

- Understand bottlenecks and scaling factors affecting AD RMS
- Learn to design AD RMS for scalability
- Understand the process for sizing AD RMS adequately for an expected load

Slide 66

Components Review

Server Components
- Administration website
- Database: Configuration, Logging
- Web services: Certification, Publishing, Licensing

Clients
- RMS Client software + “Lockbox”
- Protected machine and user credentials

Diagram: RMS Cluster (NLB; RMS Web Services: Certification, Publishing, Licensing; Log DB); clients connect to Active Directory Service Connection Point for all services

Slide 67

Standard Deployment

Single “Root” Certification + Licensing Cluster
- Single Forest
- All clients use service discovery
- No registry overrides
- Cluster servers share common database

Diagram: Single AD Forest; RMS “Root” Certification Cluster (NLB; RMS Web Services: Certification, Publishing, Licensing; SQL Server: Configuration, Logging); clients connect to Active Directory Service Connection Point for all services

Simple, scalable and redundant

Slide 68

Add Licensing Subordinate

Diagram: Single AD Forest; RMS “Root” Certification Cluster (NLB; RMS Web Services: Certification, Publishing, Licensing; SQL Server: Configuration, Logging) and a Sub-enrolled Licensing Cluster (NLB; RMS Web Services: Publishing, Licensing; SQL Server)

- AD Service discovery points all corporate users to SCP for certification
- Corporate users without registry overrides point to root cluster for licensing
- Registry settings point departmental users to subordinate licensing cluster, for departmental control over licensing, policy templates:

HKLM\Software\Microsoft\MSDRM\ServiceLocation\EnterprisePublishing = http://<FQDN>/_wmcs/licensing

Note: Sub-enrolled Licensing server has its own database.

Slide 69

Multiple AD Forest Architecture: Multiple Certification, Single License

- Single publish/license service
- Microsoft’s internal deployment
- Uses RMS Trust

Diagram: Multiple AD Forest; one RMS Certification & Licensing cluster (NLB) and two RMS Certification only clusters (NLB); registry override points all users to common licensing server

Slide 70

AD RMS Sizing Considerations

- Sizing AD RMS is about sizing AD RMS clusters (nodes)
- Consider licensing performance when determining the size of an AD RMS cluster:
  - How much content will need to be licensed per hour?
  - Consider steady-state (average) usage
  - Consider peak usage, such as a company-wide executive email
- Certification-related load usually negligible
- Establish / Understand Service Level agreements (SLAs)
  - Aim for sub-second response (Normal)
  - What is "acceptable" in special circumstances?

Slide 71

AD RMS Sizing Considerations (cont.)

- AD RMS is EXTREMELY CPU-bound and network intensive
- More than 50% of Workload is cryptographic processing
- HSMs typically do not provide a performance advantage
- Use 64 Bit: almost twice as much performance using 64 bit over 32 bit
- Avoid 32 bit servers as much as possible
- AD RMS can take advantage of additional memory:
  - AD RMS caches directory lookups on the server
  - AD RMS also pre-generates key pairs while idle and stores them in-memory

Slide 72

Performance Benchmark

- AD RMS was tested using a 2.4 GHz, x64 dual core server with 4 GB RAM. AD RMS server delivered slightly over 100 licenses per second
- AD RMS scales well with CPU count
- Quad core servers are usually the sweet spot in cost/performance
- A few small servers in a cluster are usually sufficient for heavy loads without Hardware Security Module offload
- 2 GB RAM per AD RMS server is generally sufficient
- Additional RAM reduces load on DCs and can improve performance
- Using Exchange Pre-licensing may significantly affect load: requires licensing and email to a large number of users within a few minutes

Slide 73

Peak Load Considerations and Examples

Scenario             # Users   Amount of time to consume (in hours)   Peak License Requests per min   Peak License Requests per sec
No pre-licensing     50,000    4                                      209                             3.5
Using pre-licensing  50,000    4                                      16,667                          278

- Exchange pre-licensing agent acquires use licenses on delivery, not consumption
- Pre-licensing has a default tolerance of approx. three minutes
- Significant impact to peak load
- Exchange batches requests, which gains some, though not significant, efficiency

Slide 74

Scaling AD RMS

- AD RMS is normally scaled by adding processors to servers and servers to clusters
- Licensing-only clusters are an inefficient way to scale
- HSMs do not increase performance significantly
- Memory and disk do not affect performance as much as CPU
- SQL Server is rarely the bottleneck
- Adding servers to a cluster is easy: all configuration data is stored in the database; load balancing needs to be configured appropriately
- Clusters only used for certification rarely need dedicated sizing
- Certification load is in general a small fraction of the load for clusters doing certification and licensing
- Clusters used exclusively for certification have generally minimal requirements

Slide 75

Sizing AD RMS Guidelines

- Typical 64 bit CPU can process ~50 licenses/second per core (without HSM assistance)
- Some complex licenses might be heavier
- HSM assistance does not significantly improve overall performance
- 32 bit CPUs are considerably slower than x64
- AD RMS scales linearly up to about 8 cores per server
- Above 8 cores: it is more efficient to add servers
- 100Mbps network usually becomes the bottleneck above 4 cores
- Hyper threading does not provide an advantage

Slide 76

Sizing AD RMS Process

Certification-only clusters
- Rarely stressed
- Even the most basic server should handle the highest load for typical environments

Certification+licensing or licensing-only clusters
- Calculate peak load
- Calculate # of CPU cores needed
- Calculate # of servers needed
- Specify memory and disk for servers
- Add margins and define cluster size

Slide 77

Process for Sizing AD RMS

1. Obtain peak licenses per second
2. Divide by 50: this yields the number of 64-bit cores (double for 32-bit cores)
3. Divide by number of cores in standard server (typical web servers make for good AD RMS servers)
4. Obtain number of servers
5. Repeat for other clusters

Slide 78

Server specifications

AD RMS servers
- CPUs as defined earlier
- Up to 8 x64 cores is most efficient
- Virtualization is OK
- Memory: 2GB is typically enough
- Disk: minimal requirements for OS

Database Servers
- Dual Core is OK for most scenarios
- 4GB RAM recommended
- High volume of reporting may require more CPU and memory
- Can be put in cluster
- Not strictly necessary as AD RMS can retain some functionality while DB is down

Slide 79

Estimating Average Load

- Average load will be used mostly for calculating space needed for logging
- Average load per user can be approximated by multiplying the total number of documents consumed per user by the expected percentage that will be protected
- Documents and emails should in general be calculated separately and then added
- Multiply this number by the number of users
- Pre-licensing in Exchange and protection through SharePoint libraries might affect the calculation
- A license is needed even for what you don’t read

Slide 80

Estimating Average Load – Example

Item                                           Estimate
Number of Users                                100,000
E-mails read per day per user                  75
Number of e-mail messages per day              7,500,000
Percentage of messages with AD RMS protection  10%

Slide 81

Estimating Average Load – Example (cont.)

AD RMS messages
  per day                    750,000
  per hour (10-hour day)     75,000
  per minute                 1,250
  per second                 21
Slide82

Calculating Average Load
Slide83

Estimating Peak Load

Peak load is used to size AD RMS clusters
Two methods:
1) Calculate average load and apply scaling factors for peak days and peak hours
  Useful when the average rate of document and e-mail protection is high, or when document protection is more significant than e-mail protection
2) Consider the worst-case burst event
  Useful when the average ratio of document and e-mail protection is low, and one-time events can significantly affect load
  Most common scenario
Slide84

Estimating Peak Load – Method 1

Calculate average load
  # e-mails read + sent per day (consider DLs if using pre-licensing)
  % e-mails protected
  # documents read/modified per day
  % documents protected
  Calculate average licenses/second, L (an annual average over 24-hour days, which is why the factors below use 365 and 24)
Calculate load at peak days
  X% of operations are performed in those days
  Divide by the number of days, D
  Peak Day = L * (X/100) / (D/365)
Calculate peak hours
  Y% of operations are performed in peak hours (consider a global environment)
  Divide by the number of hours, H
  Peak Hours = Peak Day * (Y/100) / (H/24)
Slide85

Estimating Peak Load – Method 2

Calculate the worst-case scenario:
  One person sends a protected message to the whole organization
  A few organization-wide protected responses
  If pre-licensing is used, all messages and documents will be licensed within a few hours
Slide86

Impact of Pre-licensing

Pre-licensing is required for several Exchange IRM features
It has a tolerance of 3 minutes
  With pre-licensing, AD RMS must issue all use licenses for a message within 3 minutes of it being sent
  Without pre-licensing, AD RMS issues use licenses as messages are consumed
[Diagram: use-license (UL) issuance without pre-licensing versus with pre-licensing]
Slide87
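The sizing procedure above (average load, the two peak-load methods, the divide-by-50 core rule, and the 3-minute pre-licensing window) carried through in code. This is an added example, not code from the presentation; the constants are the figures the slides give, while the input numbers, the 80% NIC-utilisation ceiling and the one-spare-server margin are assumptions chosen for illustration.

```python
"""Sizing an AD RMS licensing cluster with the deck's rules of thumb.

Added example, not code from the presentation. Constants are the slides'
figures: about 50 use licenses per second per x64 core, 90 KB of network
traffic per licensing transaction (60 KB request + 30 KB response) and
the 3-minute pre-licensing window. NIC_HEADROOM and spare_servers are
assumptions for illustration.
"""
import math

LICENSES_PER_CORE_PER_SEC = 50     # deck: "divide by 50" (double the cores for 32-bit)
KB_PER_TRANSACTION = 90            # 60 KB use-license request + 30 KB response
PRELICENSING_WINDOW_SEC = 3 * 60   # all use licenses for a message within 3 minutes
NIC_HEADROOM = 0.8                 # assumption: do not plan above 80% of NIC capacity


def average_licenses_per_sec(users, emails_per_user_per_day, pct_emails_protected,
                             docs_per_user_per_day=0, pct_docs_protected=0.0,
                             hours_per_day=24):
    """Average licensing load L: e-mails and documents estimated separately, then added.
    With pre-licensing every recipient costs a use license, read or not."""
    emails = users * emails_per_user_per_day * pct_emails_protected
    docs = users * docs_per_user_per_day * pct_docs_protected
    return (emails + docs) / (hours_per_day * 3600)


def peak_method_1(avg_lps, pct_in_peak_days, peak_days, pct_in_peak_hours, peak_hours):
    """Method 1: scale an annual, 24-hour average by peak-day and peak-hour factors.
    Peak Day = L * (X/100) / (D/365);  Peak Hours = Peak Day * (Y/100) / (H/24)."""
    peak_day = avg_lps * (pct_in_peak_days / 100) / (peak_days / 365)
    return peak_day * (pct_in_peak_hours / 100) / (peak_hours / 24)


def peak_method_2(recipients, org_wide_messages=1, window_sec=PRELICENSING_WINDOW_SEC):
    """Method 2: worst-case burst. With pre-licensing, every recipient of each
    organisation-wide protected message needs a use license inside the window.
    Pessimistic assumption: the message and any org-wide replies share one window."""
    return recipients * org_wide_messages / window_sec


def nic_load_mbps(transactions_per_sec):
    """Network load of one licensing node in Mbit/s, decimal units as on the slide
    (200 tps * 90 KB = 18,000 KB/s = 18 MB/s = 144 Mbit/s)."""
    return transactions_per_sec * KB_PER_TRANSACTION * 8 / 1000


def size_cluster(peak_lps, cores_per_server, x64=True, spare_servers=1, nic_mbps=1000):
    """Turn a peak licenses/second figure into cores, servers and a NIC check."""
    cores = peak_lps / LICENSES_PER_CORE_PER_SEC
    if not x64:
        cores *= 2                     # 32-bit cores are roughly half as productive
    cores = math.ceil(cores)
    active = max(1, math.ceil(cores / cores_per_server))
    per_node_mbps = nic_load_mbps(peak_lps / active)   # load balanced over active nodes
    return {
        "cores": cores,
        "servers": active + spare_servers,
        "nic_mbps_per_server": round(per_node_mbps, 1),
        "nic_ok": per_node_mbps < nic_mbps * NIC_HEADROOM,
    }


if __name__ == "__main__":
    # The slide's example: 100,000 users, 75 e-mails read per day, 10% protected,
    # spread over a 10-hour working day -> about 21 licenses per second.
    avg = average_licenses_per_sec(100_000, 75, 0.10, hours_per_day=10)
    print(f"average load: {avg:.1f} licenses/s -> {size_cluster(avg, 4)}")
    # Method 2: one protected message to everyone, pre-licensed within 3 minutes.
    burst = peak_method_2(100_000)
    print(f"burst load:   {burst:.1f} licenses/s -> {size_cluster(burst, 4)}")
```

Running it on the slide's numbers shows why the deck calls the burst method the most common sizing driver: the 21 licenses/s average fits in a single core, but one organization-wide protected message pre-licensed within 3 minutes is about 556 licenses/s, which needs 12 x64 cores, i.e. three quad-core nodes plus a spare. The NIC check also reproduces the earlier remark that 100 Mbit/s becomes the bottleneck above 4 cores: 4 cores at 50 tps each is 200 tps, or 144 Mbit/s.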

Network Impact

Some additional network traffic will be generated
  Use license request: 60 KB
  Use license response: 30 KB
  Total: 90 KB
  Complex licenses might be larger
The server network card should not saturate
  A quad-core CPU will do 200 transactions per second
  Each transaction is 90 KB
  NIC load: 200 x 90 KB = 18,000 KB/s = 18 MB/s = 144 Mbit/s
  Server NICs should be 1,000 Mbit/s
SSL assist (TLS offload) might be beneficial in high-load environments
Slide88

Consider network to DCs

Under peak-load situations, traffic to/from Global Catalogs might be significant
Consider putting a Global Catalog near the AD RMS cluster
Slide89

AD RMS Database Servers

Configuration database
  Contains critical information: public/private keys, templates, RACs
  Treat its backups as secret material: with centrally managed key storage the cluster's private key lives here, protected by the cluster key password, which you also need in order to restore
  If unavailable, some operations may continue, but no new users can be certified
  Needed for AD RMS to boot
Directory Services database
  Contains cached Active Directory information
  No significant impact when unavailable for a short period of time
  Not persistent
  Content is automatically repopulated if the DB is restored to its initial state
Logging database
  Stores a log of activity if enabled
  Not critical for service operation
  Necessary for analysis and reporting
Slide90

Database Growth

Configuration and Directory Services cache databases remain stable over time
  They need defragmentation, but they do not grow significantly
  Configuration database: 3 MB + 2 KB per user certification
  DS cache database: approximately 8 KB per user and per group, varying with the complexity of groups
Logging DB: about 5 KB per licensing transaction when copies of certificates are not logged
  This is the default in Windows Server 2008
  Significantly more (250 KB per transaction) if certificates are logged
  Certifications take slightly more than 5 KB per transaction
The database schemas in Windows Server 2008 and 2008 R2 are highly normalized
Slide91

Database Growth (cont.)

Use the average load as calculated to estimate the logging database size
  1 million transactions take 5 GB in the default configuration
  250 GB when logging certificates
The database can be purged periodically
Consider a consolidated archival database for reporting and investigation
Slide92

Log Maintenance Options

Disable logging
  Loses the potential benefits of logging (reporting, audit, troubleshooting)
Enable log filtering
  What is logged can be tuned in detail
  Settings are in the configuration database
Not logging certificates
  Significant savings from not logging the XrML text (the default)
  Logging certificates might be necessary in certain situations but can be enabled on demand
Slide93

Log Maintenance Options (cont.)

Log consolidation
  Consolidate partial logs from multiple clusters in a central database
  Discard data not useful in the long term
  Run custom reports from this DB
Log trimming
  Identifies all records in the logging database that are older than a specified age
  Implemented by script or stored procedure
  Keeps the local logging database at a constant volume over time
Slide94
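The database-growth figures from the two "Database Growth" slides and the log-trimming option just described, as an added example that is not code from the presentation. The per-record sizes are the deck's own numbers; decimal units are used so that the slide's "1 million transactions = 5 GB" comes out exactly. The sqlite table used to demonstrate trimming is a hypothetical stand-in, not the real AD RMS logging schema; in production the trim job is a SQL Server script or stored procedure against the real logging database.

```python
"""AD RMS database growth estimate and age-based log trimming.

Added example, not from the presentation. Sizes are the deck's figures:
configuration DB 3 MB + 2 KB per certified user, DS cache about 8 KB per
user and per group, logging DB about 5 KB per transaction by default and
about 250 KB when certificate XrML is logged. The rms_log table is a
hypothetical stand-in for the real logging schema.
"""
import sqlite3
from datetime import datetime, timedelta

KB, MB, GB = 1000, 1000 ** 2, 1000 ** 3           # decimal units, as on the slides
CONFIG_DB_BASE = 3 * MB
CONFIG_DB_PER_USER = 2 * KB
DS_CACHE_PER_OBJECT = 8 * KB                       # per user and per group
LOG_PER_TRANSACTION = 5 * KB                       # default: certificates not logged
LOG_PER_TRANSACTION_WITH_CERTS = 250 * KB          # when XrML certificates are logged

SAMPLE_NOW = datetime(2012, 6, 28, 12, 0, 0)       # fixed clock for the constructed demo


def config_db_bytes(certified_users):
    return CONFIG_DB_BASE + CONFIG_DB_PER_USER * certified_users


def ds_cache_bytes(users, groups):
    return DS_CACHE_PER_OBJECT * (users + groups)


def logging_db_bytes(transactions, log_certificates=False):
    per = LOG_PER_TRANSACTION_WITH_CERTS if log_certificates else LOG_PER_TRANSACTION
    return transactions * per


def steady_state_log_bytes(transactions_per_day, retention_days, log_certificates=False):
    """Size the logging DB settles at once trimming keeps retention_days of history."""
    return logging_db_bytes(transactions_per_day, log_certificates) * retention_days


def build_sample_log(now=SAMPLE_NOW, days=10, per_day=3):
    """Constructed in-memory log: per_day records for each of the last `days` days."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rms_log (id INTEGER PRIMARY KEY, "
                 "logged_at TEXT NOT NULL, kind TEXT)")
    for d in range(days):
        for i in range(per_day):
            ts = now - timedelta(days=d) + timedelta(minutes=i)
            conn.execute("INSERT INTO rms_log (logged_at, kind) VALUES (?, ?)",
                         (ts.isoformat(), "license"))
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM rms_log").fetchone()[0]


def trim_older_than(conn, retention_days, now=SAMPLE_NOW):
    """Delete records older than the retention window; returns rows removed.
    ISO-8601 timestamps of equal precision compare correctly as strings."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute("DELETE FROM rms_log WHERE logged_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def demo_trim(retention_days=7):
    """Returns (rows before, rows trimmed, rows after) for the constructed log."""
    conn = build_sample_log()
    before = row_count(conn)
    removed = trim_older_than(conn, retention_days)
    return before, removed, row_count(conn)


if __name__ == "__main__":
    users, groups = 100_000, 5_000
    per_day = 750_000                    # the slide's average: 10% of 7.5M e-mails
    print(f"config DB:  {config_db_bytes(users) / MB:.0f} MB")
    print(f"DS cache:   {ds_cache_bytes(users, groups) / MB:.0f} MB")
    print(f"log/day:    {logging_db_bytes(per_day) / GB:.2f} GB "
          f"({logging_db_bytes(per_day, True) / GB:.0f} GB with certificates)")
    print(f"90-day log: {steady_state_log_bytes(per_day, 90) / GB:.1f} GB")
    print("trim demo (before, removed, after):", demo_trim())
```

For the slide's 750,000 protected messages per day the logging database grows by about 3.75 GB per day in the default configuration, so a 90-day trimming window settles at roughly 340 GB; with certificate logging switched on the same retention would need about 17 TB, which is why the deck treats certificate logging as something to enable on demand. Trimming deletes audit evidence, so consolidate or archive the records you need for investigations before the trim job runs.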

AD RMS DB planning details

Database Size Planning: http://technet.microsoft.com/en-us/library/cc747731.aspx
Estimate Database Growth: http://technet.microsoft.com/en-us/library/cc747585.aspx
Maintaining Logging Database: http://technet.microsoft.com/en-us/library/cc747691.aspx
Slide95

AD RMS Archiving (cont.) – Considerations

AD RMS performance inside the MSIT implementation: http://technet.microsoft.com/en-us/library/dd941589(WS.10).aspx
MSIT purging database example: http://technet.microsoft.com/en-us/library/dd941624(WS.10).aspx
Slide96

AD RMS Disaster Recovery

Planning AD RMS database servers
Backing up AD RMS
Restoring AD RMS
Slide97

Handouts
Slide98

Making AD RMS Highly Available

While AD RMS might be a critical service, minor server downtime is typically not a huge problem
  Users can mostly continue to work thanks to pre-licensing, caching, and offline publishing
To make the service highly available, load-balance multiple servers in each cluster
  Geographical distribution of RMS nodes is usually effective
  Load-balance between locations
You must confirm a strong connection to the RMS DB
  Latency to the DB should not exceed 100 ms
Slide99

Making AD RMS Highly Available (cont.)

The database can also have downtime without much impact
Functionality lost during DB downtime:
  New user certification
  Reporting
  Configuration changes
  Rebooting AD RMS nodes
  Pre-licensing, and the Exchange IRM features that depend on it (OWA, transport decryption, journaling, EAS IRM)
    Licensing is retried at the time of consumption
DB servers can still be made highly available through clusters or log shipping
  Though a proper backup schedule is usually a good substitute
Note: clustering the database does not help if the DB content is corrupt or broken
Slide100

Backing Up AD RMS
Slide101

Restoring AD RMS
Slide102

Restoring AD RMS: Only Server in Cluster
Slide103

Database Backup Options

Failover cluster
  Provides immediate recovery
  Does not protect against data-centric failures
  Not an efficient use of resources
Log backup
  We recommend running the databases in full recovery mode
  A daily full backup is reasonable for most environments
  Consider your recovery needs and acceptable loss levels
  Backups should be tested, and hardware spares should be on hand to rebuild the DB if necessary
Log shipping
  Sends copies of the transaction logs to a remote instance of the database
  Useful when loss of logging information must be minimized
  Enables up-to-the-minute recovery and recovery to other points in time (before database corruption, for example)
  Provides a "warm standby" database
Log mirroring
  Not officially supported
  Replicates data between DBs
  Databases can be in different locations
Slide104

Database Disaster Recovery Architecture

[Diagram: Site A and Site B, with log shipping between the sites and the AD RMS servers reaching the database through a DB CNAME]
Slide105

In Review: Session Objectives and Takeaways

Session objectives:
  To be able to deploy AD RMS in complex situations
  To be able to support AD RMS integrated with Exchange 2010 when it doesn't work as expected
  Show how Exchange 2010 SP1 provides significant value to customers implementing information protection
  … something on the cloud …
Slide106


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide108

demo

Making a GUI Tool
Slide109

Reminder!

Watch my Twitter feed @concentrateddon for the download URL for these scripts
The GUI builder I've been using is SAPIEN PrimalForms (www.sapien.com); they're in the Expo hall if you'd like to talk to them. A free Community Edition is available.
Slide110

Any Final Questions?

I'll also be hanging out at the Expo Hall
Please drop by and let me know what you think, or ask follow-up questions!
You can post questions to me here, or email me: jovitan@microsoft.com
Thank you!
Slide111

Resources

Connect. Share. Discuss. http://europe.msteched.com
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
Slide112

Evaluations

http://europe.msteched.com/sessions
Submit your evals online
Slide113
