迁移第 1 阶段 - 准备Migration phase 1 - preparation

适用于: Active Directory Rights Management Services、 Azure 信息保护Office 365Applies to: Active Directory Rights Management Services, Azure Information Protection, Office 365

使用以下信息,完成从 AD RMS 迁移到 Azure 信息保护的阶段 1。Use the following information for Phase 1 of migrating from AD RMS to Azure Information Protection. 这些过程涉及从 AD RMS 迁移到 Azure 信息保护的步骤 1 至 3,以及准备好迁移环境但确保对用户无任何影响。These procedures cover steps 1 though 3 from Migrating from AD RMS to Azure Information Protection and prepare your environment for migration without any impact to your users.

步骤1:安装 AIPService PowerShell 模块并识别你的租户 URLStep 1: Install the AIPService PowerShell module and identify your tenant URL

安装 AIPService 模块,以便你可以配置和管理为 Azure 信息保护提供数据保护的服务。Install the AIPService module so that you can configure and manage the service that provides the data protection for Azure Information Protection.

有关说明,请参阅安装 AIPService PowerShell 模块For instructions, see Installing the AIPService PowerShell module.

若要完成一些迁移说明,你将需要知道租户的 Azure Rights Management 服务 URL,以便在查看对的引用时可以将其替换为 <Your Tenant URL>To complete some of the migration instructions, you will need to know the Azure Rights Management service URL for your tenant so that you can substitute it for when you see references to <Your Tenant URL>. Azure Rights Management 服务 URL 采用以下格式:{GUID}.rms.[Region].aadrm.comYour Azure Rights Management service URL has the following format: {GUID}.rms.[Region].aadrm.com.

例如:5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.comFor example: 5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com

确定 Azure Rights Management 服务 URLTo identify your Azure Rights Management service URL

  1. 连接到 Azure Rights Management 服务,并在出现提示时输入租户全局管理员的凭据:Connect to the Azure Rights Management service and when prompted, enter the credentials for your tenant's global administrator:

  2. 获取租户的配置:Get your tenant's configuration:

  3. 复制针对 LicensingIntranetDistributionPointUrl 显示的值,并从此字符串删除 /_wmcs\licensingCopy the value displayed for LicensingIntranetDistributionPointUrl, and from this string, remove /_wmcs\licensing.

    剩余的是 Azure 信息保护租户的 Azure 权限管理服务 URL。What remains is your Azure Rights Management service URL for your Azure Information Protection tenant. 此值在以下迁移说明中通常缩写为你的租户 URL**。This value is often shortened to Your tenant URL in the following migration instructions.

    可以通过运行以下 PowerShell 命令验证是否具有正确的值:You can verify that you have the correct value by running the following PowerShell command:

    (Get-AipServiceConfiguration).LicensingIntranetDistributionPointUrl -match "https:\/\/[0-9A-Za-z\.-]*" | Out-Null; $matches[0]

步骤 2。Step 2. 客户端迁移准备Prepare for client migration

对于大多数迁移,一次性迁移所有客户端并不现实,因此很可能分批迁移客户端。For most migrations, it is not practical to migrate all clients at once, so you will likely migrate clients in batches. 这意味着,一段时间内,一些客户端将使用 Azure 信息保护,而一些客户端仍将使用 AD RMS。This means that for a period of time, some clients will be using Azure Information Protection and some will still be using AD RMS. 若要同时支持预迁移和已迁移用户,请使用载入控件并部署预迁移脚本。To support both pre-migrated and migrated users, use onboarding controls and deploy a pre-migration script. 此步骤在迁移过程期间是必需的,以便尚未迁移的用户可以使用已受已迁移用户(当前使用的是 Azure Rights Management)保护的内容。This step is required during the migration process so that users who have not yet migrated can consume content that has been protected by migrated users who are now using Azure Rights Management.

  1. 例如,创建名为 AIPMigrated 的组。Create a group, for example, named AIPMigrated. 可以在 Active Directory 中创建此组,并将其同步到云,也可以在 Office 365 或 Azure Active Directory 中创建它。This group can be created in Active Directory and synchronized to the cloud, or it can be created in Office 365 or Azure Active Directory. 此时,不要将任何用户分配到此组。Do not assign any users to this group at this time. 在后面的某个步骤中,用户迁移后将被添加到该组。At a later step, when users are migrated, you will add them to the group.

    记下该组的对象 ID。Make a note of this group's object ID. 为此,可使用 Azure AD PowerShell,例如,对于 1.0 版的模块,请使用 Get-MsolGroup 命令。To do this, you can use Azure AD PowerShell—for example, for version 1.0 of the module, use the Get-MsolGroup command. 或者,可以从 Azure 门户复制组的对象 ID。Or you can copy the object ID of the group from the Azure portal.

  2. 为载入控件配置此组,以仅允许此组中的人员使用 Azure Rights Management 保护内容。Configure this group for onboarding controls to allow only people in this group to use Azure Rights Management to protect content. 为此,在 PowerShell 会话中,请连接到 Azure Rights Management 服务,并在出现提示时,指定全局管理员凭据:To do this, in a PowerShell session, connect to the Azure Rights Management service and when prompted, specify your global admin credentials:


    然后为载入控件配置此组,将组对象 ID 替换为本例中的对象 ID,并在出现以下提示时输入 Y 进行确认:Then configure this group for onboarding controls, substituting your group object ID for the one in this example, and enter Y to confirm when you are prompted:

    Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $False -SecurityGroupObjectId "fba99fed-32a0-44e0-b032-37b419009501" -Scope WindowsApp
  3. 下载下列文件,其中包含客户端迁移脚本:Download the following file that contains client migration scripts:


  4. 提取文件并按照Prepare-Client中的说明操作,使其包含 AD RMS 群集 EXTRANET 授权 URL 的服务器名称。Extract the files and follow the instructions in Prepare-Client.cmd so that it contains the server name for your AD RMS cluster extranet licensing URL.

    若要找到此名称:在 Active Directory Rights Management Services 控制台中,请单击群集名称。To locate this name: From the Active Directory Rights Management Services console, click the cluster name. 群集详情信息中,复制 Extranet 群集 URL 部分授权值的服务器名称。From the Cluster Details information, copy the server name from the Licensing value from the extranet cluster URLs section. 例如: rmscluster.contoso.comFor example: rmscluster.contoso.com.


    说明包括将示例地址 adrms.contoso.com 替换为你自己的 AD RMS 服务器地址。The instructions include replacing example addresses of adrms.contoso.com with your AD RMS server addresses. 执行此操作时,请注意地址前后不要有多余空格,否则将中断迁移脚本,并且很难将其认定为问题的根本原因。When you do this, be careful that there are no additional spaces before or after your addresses, which will break the migration script and is very hard to identify as the root cause of the problem. 某些编辑工具会在粘贴文本后自动添加一个空格。Some editing tools automatically add a space after pasting text.

  5. 将此脚本部署到所有 Windows 计算机,以确保开始迁移客户端时,尚未迁移的客户端能继续与 AD RMS 进行通信,即使它们使用的内容受到已迁移客户端(当前使用的是 Azure Rights Management 服务)保护。Deploy this script to all Windows computers to ensure that when you start to migrate clients, clients yet to be migrated continue to communicate with AD RMS even if they consume content that is protected by migrated clients that are now using the Azure Rights Management service.

    可以使用组策略或其他软件部署机制来部署此脚本。You can use Group Policy or another software deployment mechanism to deploy this script.

步骤 3.Step 3. 准备迁移 Exchange 部署Prepare your Exchange deployment for migration

如果使用的是 Exchange 内部部署或 Exchange Online,可能之前已将 Exchange 与 AD RMS 部署集成过。If you are using Exchange on-premises or Exchange online, you might have previously integrated Exchange with your AD RMS deployment. 此步骤将对它们进行配置,以使用现有的 AD RMS 配置支持 Azure RMS 保护的内容。In this step you will configure them to use the existing AD RMS configuration to support content protected by Azure RMS.

请确保你具有租户的 Azure Rights Management 服务 URL,以便在下列命令中将该值替换为 <YourTenantURL>**Make sure that you have your Azure Rights Management service URL for your tenant so that you can substitute this value for <YourTenantURL> in the following commands.

如果已将 Exchange Online 与 AD RMS 集成:打开一个 Exchange Online PowerShell 会话,然后逐一或在脚本中运行以下 PowerShell 命令:If you have integrated Exchange Online with AD RMS: Open an Exchange Online PowerShell session and run the following PowerShell commands either one by one, or in a script:

$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
$list += "<YourTenantURL>/_wmcs/licensing"
Set-IRMConfiguration -LicensingLocation $list
Set-IRMConfiguration -internallicensingenabled $false
Set-IRMConfiguration -internallicensingenabled $true 

如果你已将 Exchange 本地环境与 AD RMS 集成:对于每个 Exchange 组织,首先在每个 Exchange 服务器上添加注册表值,然后运行 PowerShell 命令:If you have integrated Exchange on-premises with AD RMS: For each Exchange organization, first add registry values on each Exchange server, and then run PowerShell commands:

Exchange 2013 和 Exchange 2016 的注册表值:Registry values for Exchange 2013 and Exchange 2016:

注册表路径:Registry path:


键入: Reg_SZType: Reg_SZ

值:https://\<Your Tenant URL\>/_wmcs/licensingValue: https://\<Your Tenant URL\>/_wmcs/licensing

数据:https://\<AD RMS Extranet Licensing URL\>/_wmcs/licensingData: https://\<AD RMS Extranet Licensing URL\>/_wmcs/licensing

Exchange 2010 的注册表值:Registry values For Exchange 2010:

注册表路径:Registry path:


键入: Reg_SZType: Reg_SZ

值: https:// <Your Tenant URL> /_wmcs/licensingValue: https://<Your Tenant URL>/_wmcs/licensing

数据: https:// <AD RMS Extranet Licensing URL> /_wmcs/licensingData: https://<AD RMS Extranet Licensing URL>/_wmcs/licensing

PowerShell 命令可以逐个运行,也可以在脚本中运行PowerShell commands to run either one by one, or in a script

$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
$list += "<YourTenantURL>/_wmcs/licensing"
Set-IRMConfiguration -LicensingLocation $list
Set-IRMConfiguration -internallicensingenabled $false
Set-IRMConfiguration -RefreshServerCertificates
Set-IRMConfiguration -internallicensingenabled $true

为 Exchange Online 或 Exchange 本地环境运行这些命令后,如果 Exchange 部署已配置为支持受 AD RMS 保护的内容,则在迁移后,它们还支持受 Azure RMS 保护的内容。After running these commands for Exchange Online or Exchange on-premises, if your Exchange deployment was configured to support content that was protected by AD RMS, it will also support content protected by Azure RMS after the migration. 在执行迁移过程中的下一步骤之前,Exchange 部署将继续使用 AD RMS 支持受保护的内容。Your Exchange deployment will continue to use AD RMS to support protected content until a later step in the migration.

后续步骤Next steps

转到第 2 阶段:服务器端配置Go to phase 2 - server-side configuration.