Migration phase 3 - client-side configuration

Applies to: Active Directory Rights Management Services, Azure Information Protection, Office 365

Use the following information for Phase 3 of migrating from AD RMS to Azure Information Protection. These procedures cover step 7 of Migrating from AD RMS to Azure Information Protection.

Step 7. Reconfigure Windows computers to use Azure Information Protection

For Windows computers that use Office 365 apps, Office 2019, or Office 2016 click-to-run desktop apps:

  • You can reconfigure these clients to use Azure Information Protection by using DNS redirection. This is the preferred method for client migration because it is the simplest. However, this method is restricted to Office 2016 (or later) click-to-run desktop apps on Windows computers.

    This method requires you to create a new SRV record and set an NTFS deny permission for users on the AD RMS publishing endpoint.

  • For Windows computers that don't use Office 2019 or Office 2016 click-to-run:

    You cannot use DNS redirection and must instead use registry edits. If you have a mix of Office versions that can and cannot use DNS redirection, you can use this single method for all Windows computers, or a combination of DNS redirection and registry edits.

    The registry changes are made easier by editing and deploying scripts that you can download.

See the following sections for more information about how to reconfigure Windows clients.

Client reconfiguration by using DNS redirection

This method is suitable only for Windows clients that run Office 365 apps and Office 2016 (or later) click-to-run desktop apps.

  1. Create a DNS SRV record using the following format:

    _rmsredir._http._tcp.<AD RMS cluster>. <TTL> IN SRV <priority> <weight> <port> <your tenant URL>.
    

    For <AD RMS cluster>, specify the FQDN of your AD RMS cluster. For example, rmscluster.contoso.com.

    Alternatively, if you have just one AD RMS cluster in that domain, you can specify just the domain name of the AD RMS cluster. In our example, that would be contoso.com. When you specify the domain name in this record, the redirection applies to all AD RMS clusters in that domain.

    The <port> number is ignored.

    For <your tenant URL>, specify your own Azure Rights Management service URL for your tenant.

    If you use the DNS Server role on Windows Server, you can use the following table as an example of how to specify the SRV record properties in the DNS Manager console.

    Field                      | Value
    ---------------------------|--------------------------------------------------------
    Domain                     | _tcp.rmscluster.contoso.com
    Service                    | _rmsredir
    Protocol                   | _http
    Priority                   | 0
    Weight                     | 0
    Port number                | 80
    Host offering this service | 5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com
  2. Set a deny permission on the AD RMS publishing endpoint for users running Office 365 apps or Office 2016 (or later):

    a. On one of your AD RMS servers in the cluster, start the Internet Information Services (IIS) Manager console.

    b. Navigate to Default Web Site and expand _wmcs.

    c. Right-click licensing and select Switch to Content View.

    d. In the details pane, right-click license.asmx > Properties > Edit.

    e. In the Permissions for license.asmx dialog box, either select Users if you want to set redirection for all users, or click Add and then specify a group that contains the users that you want to redirect.

    Even if all your users are using a version of Office that supports DNS redirection, you might prefer to initially specify a subset of users for a phased migration.

    f. For your selected group, select Deny for the Read & Execute and Read permissions, and then click OK twice.

    g. To confirm that this configuration is working as expected, try to connect to the licensing.asmx file directly from a browser. You should see the following error message, which triggers a client running Office 365 apps, Office 2019, or Office 2016 to look for the SRV record:

    Error message 401.3: You do not have permissions to view this directory or page using the credentials you supplied (access denied due to Access Control Lists).
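The two steps above (the SRV record and the NTFS deny on license.asmx) plus the 401 check in step g can be scripted. The following PowerShell is an added example, not part of the original article or Microsoft's own tooling; the zone and cluster names, the tenant host, the AIPMigrated group name and the physical path of the licensing virtual directory are assumptions for a lab and must be replaced with your own values.

```powershell
# Added example (PowerShell), not from the original article. It automates the two
# DNS-redirection steps above: (1) the _rmsredir SRV record on a Windows DNS server,
# (2) the NTFS deny ACE on license.asmx, then (3) checks for the expected 401.
# Every name below is an assumption for a lab environment.

$ZoneName      = 'contoso.com'                       # DNS zone that hosts the record
$ClusterHost   = 'rmscluster'                        # AD RMS cluster name, relative to the zone
$TenantHost    = '<tenant-guid>.rms.na.aadrm.com'    # placeholder: host of your Azure RMS service URL
$RedirectGroup = 'CONTOSO\AIPMigrated'               # group whose members should be redirected
$LicensePath   = 'C:\inetpub\wwwroot\_wmcs\licensing\license.asmx'  # placeholder: read the real path from IIS

# 1. SRV record: _rmsredir._http._tcp.<AD RMS cluster> -> tenant URL. Clients ignore the port.
function New-RmsRedirectSrvRecord {
    param([string]$Zone, [string]$Cluster, [string]$Target)
    $name = "_rmsredir._http._tcp.$Cluster"
    Add-DnsServerResourceRecord -ZoneName $Zone -Srv -Name $name `
        -DomainName $Target -Priority 0 -Weight 0 -Port 80
    # Confirm the record resolves before touching IIS; a missing record leaves clients on AD RMS.
    Resolve-DnsName -Name "$name.$Zone" -Type SRV
}

# 2. Deny Read & Execute (which includes Read) on license.asmx for the redirected group.
function Add-LicenseDenyAce {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'ReadAndExecute', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Echo the resulting ACEs for the group so the Deny entry can be reviewed.
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference -eq $Identity }
}

# 3. Verification (step g): a redirected user calling the endpoint directly must get 401.3.
function Test-LicensingDenied {
    param([string]$Url)
    try {
        Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing | Out-Null
        return $false     # a 200 means the deny ACE did not apply to the calling user
    } catch {
        $code = [int]$_.Exception.Response.StatusCode
        return ($code -eq 401)
    }
}

New-RmsRedirectSrvRecord -Zone $ZoneName -Cluster $ClusterHost -Target $TenantHost
Add-LicenseDenyAce -Path $LicensePath -Identity $RedirectGroup
# Run this last call while signed in as a member of the redirected group.
Test-LicensingDenied -Url "https://$ClusterHost.$ZoneName/_wmcs/licensing/license.asmx"
```

Run the first two functions on a DNS server and an AD RMS server respectively with administrative rights; run Test-LicensingDenied from a client as a user in the redirected group, and as a user outside it to confirm that unmigrated users still get a 200.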

Client reconfiguration by using registry edits

This method is suitable for all Windows clients and should be used if they do not run Office 365 apps or Office 2016 (or later). This method uses two migration scripts to reconfigure AD RMS clients:

  • Migrate-Client.cmd

  • Migrate-User.cmd

The client configuration script (Migrate-Client.cmd) configures computer-level settings in the registry, which means that it must run in a security context that can make those changes. This typically means one of the following methods:

  • Use group policy to run the script as a computer startup script.

  • Use group policy software installation to assign the script to the computer.

  • Use a software deployment solution to deploy the script to the computers. For example, use System Center Configuration Manager packages and programs. In the properties of the package and program, under Run mode, specify that the script runs with administrative permissions on the device.

  • Use a logon script if the user has local administrator privileges.

The user configuration script (Migrate-User.cmd) configures user-level settings and cleans up the client license store. This means that this script must run in the context of the actual user. For example:

  • Use a logon script.

  • Use group policy software installation to publish the script for the user to run.

  • Use a software deployment solution to deploy the script to the users. For example, use System Center Configuration Manager packages and programs. In the properties of the package and program, under Run mode, specify that the script runs with the permissions of the user.

  • Ask the user to run the script when they are signed in to their computer.

The two scripts include a version number and do not rerun until this version number is changed. This means that you can leave the scripts in place until the migration is complete. However, if you make changes to the scripts that you want computers and users to rerun on their Windows computers, update the following line in both scripts to a higher value:

SET Version=20170427

The user configuration script is designed to run after the client configuration script, and uses the version number in this check. It stops if the client configuration script with the same version has not run. This check ensures that the two scripts run in the right sequence.

When you cannot migrate all your Windows clients at once, run the following procedures for batches of clients. For each user who has a Windows computer that you want to migrate in your batch, add the user to the AIPMigrated group that you created earlier.
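The version gate described in the two paragraphs above is easy to get wrong when you write your own deployment wrapper, so here is the ordering logic reconstructed in PowerShell. This is an added example, not the contents of the downloadable Migrate-Client.cmd or Migrate-User.cmd; the registry key names and value name are placeholders chosen for the illustration, not the keys the real scripts use.

```powershell
# Added example (PowerShell), not the downloaded Migrate-Client.cmd / Migrate-User.cmd.
# It reproduces the ordering rule the article describes with two markers: a
# computer-level marker written by the client step and a per-user marker written by
# the user step. Key and value names are placeholders for this example only.

$Version     = '20170427'                              # same form as SET Version=YYYYMMDD
$ComputerKey = 'HKLM:\SOFTWARE\Example\AipMigration'   # placeholder, requires admin to write
$UserKey     = 'HKCU:\SOFTWARE\Example\AipMigration'   # placeholder, written as the signed-in user

function Get-MarkerVersion([string]$Key) {
    # $null when the key or value does not exist, i.e. the step never ran here.
    (Get-ItemProperty -Path $Key -Name Version -ErrorAction SilentlyContinue).Version
}

function Set-MarkerVersion([string]$Key, [string]$Value) {
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name Version -Value $Value
}

# Client step: no-op if this version is already recorded on the computer.
function Invoke-ClientStep {
    if ((Get-MarkerVersion $ComputerKey) -eq $Version) {
        return 'client: already at this version, skipping'
    }
    # Computer-level registry changes (the real script's work) happen here.
    Set-MarkerVersion $ComputerKey $Version
    return 'client: applied'
}

# User step: stops unless the client step of the SAME version has run on this computer,
# then becomes a no-op for this user until $Version is raised.
function Invoke-UserStep {
    if ((Get-MarkerVersion $ComputerKey) -ne $Version) {
        return 'user: client step for this version has not run on this computer, stopping'
    }
    if ((Get-MarkerVersion $UserKey) -eq $Version) {
        return 'user: already at this version, skipping'
    }
    # User-level registry changes and license store cleanup happen here.
    Set-MarkerVersion $UserKey $Version
    return 'user: applied'
}

Invoke-UserStep     # on a fresh machine: stops, client step has not run
Invoke-ClientStep   # applies and records the version under HKLM
Invoke-UserStep     # now applies and records the version under HKCU
Invoke-UserStep     # second run is a no-op until $Version is changed
```

Because the computer marker lives under HKLM and the user marker under HKCU, a machine that several people share behaves as the article requires: the client step runs once per computer, the user step once per user per version.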

Modifying the scripts for registry edits

  1. Return to the migration scripts, Migrate-Client.cmd and Migrate-User.cmd, which you extracted previously when you downloaded them in the preparation phase.

  2. Follow the instructions in Migrate-Client.cmd to modify the script so that it contains your tenant's Azure Rights Management service URL, and also the server names for your AD RMS cluster's extranet licensing URL and intranet licensing URL. Then, increment the script version, as explained previously. A good practice for tracking script versions is to use today's date in the format YYYYMMDD.

    Important

    As before, be careful not to introduce additional spaces before or after your addresses.

    In addition, if your AD RMS servers use SSL/TLS server certificates, check whether the licensing URL values include the port number 443 in the string. For example: https://rms.treyresearch.net:443/_wmcs/licensing. You can find this information in the Active Directory Rights Management Services console when you click the cluster name and view the Cluster Details information. If you see the port number 443 included in the URL, include this value when you modify the script. For example, https://rms.treyresearch.net:443.

    If you need to retrieve your Azure Rights Management service URL for <YourTenantURL>, refer back to To identify your Azure Rights Management service URL.

  3. Using the instructions at the beginning of this step, configure your script deployment methods to run Migrate-Client.cmd and Migrate-User.cmd on the Windows client computers that are used by the members of the AIPMigrated group.
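The Important note in step 2 names two edits that silently break the scripts: a stray space around a SET value (cmd.exe keeps everything after the equals sign, space included) and a licensing URL that drops the :443 the cluster actually uses. The following PowerShell lint, an added example rather than anything shipped with the scripts, checks an edited .cmd file for both and for the YYYYMMDD version format. The SET variable names in the sample lines (AadrmUrl, ExtranetUrl, IntranetUrl) are constructed placeholders; the real scripts document their own names in their comments.

```powershell
# Added example (PowerShell), not part of the article or the downloadable scripts.
# Lints an edited Migrate-Client.cmd / Migrate-User.cmd for: surrounding whitespace in
# SET values, a non-YYYYMMDD Version, and a cluster URL missing :443 when the cluster's
# licensing URL (from Cluster Details) includes it.

function Test-MigrationScript {
    param(
        [string[]]$Lines,               # lines of the edited .cmd file
        [string]$ClusterLicensingUrl    # licensing URL exactly as shown in Cluster Details
    )
    $clusterHost    = ([System.Uri]$ClusterLicensingUrl).Host
    $clusterHasPort = $ClusterLicensingUrl -match ':443'
    $findings = @()

    foreach ($line in $Lines) {
        # Only SET name=value lines matter; cmd treats the value literally.
        if ($line -notmatch '^\s*SET\s+(?<name>[^=]+)=(?<value>.*)$') { continue }
        $name  = $Matches.name.Trim()
        $value = $Matches.value

        if ($value -ne $value.Trim()) {
            $findings += "${name}: value has leading or trailing whitespace: '$value'"
        }
        $v = $value.Trim()

        if ($name -eq 'Version' -and $v -notmatch '^\d{8}$') {
            $findings += "Version should be YYYYMMDD, found '$v'"
        }

        # Port check applies only to values that point at the AD RMS cluster itself.
        if ($v -match '^https://' -and ([System.Uri]$v).Host -eq $clusterHost -and
            $clusterHasPort -and $v -notmatch ':443') {
            $findings += "${name}: cluster URL includes port 443 but this value omits it: '$v'"
        }
    }
    return $findings
}

# Constructed sample of an edited script with one mistake of each kind.
$Sample = @(
    'SET Version=2017427',                                                          # 7 digits
    'SET AadrmUrl=https://5c6bb73b-1038-4eec-863d-49bded473437.rms.na.aadrm.com ', # trailing space
    'SET ExtranetUrl=https://rms.treyresearch.net',                                 # :443 dropped
    'SET IntranetUrl=https://rms.treyresearch.net:443'                              # correct
)

Test-MigrationScript -Lines $Sample -ClusterLicensingUrl 'https://rms.treyresearch.net:443/_wmcs/licensing'
# Reports three findings: the Version format, the AadrmUrl whitespace, and ExtranetUrl missing :443.
```

To lint a real file, pass `-Lines (Get-Content .\Migrate-Client.cmd)` and paste the licensing URL from the AD RMS console's Cluster Details; an empty result means none of the three mistakes is present, not that the URLs are otherwise correct.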

Next steps

To continue the migration, go to phase 4 - supporting services configuration.