Migration phase 4 - supporting services configuration

Applies to: Active Directory Rights Management Services, Azure Information Protection, Office 365

Use the following information for Phase 4 of migrating from AD RMS to Azure Information Protection. These procedures cover steps 8 through 9 from Migrating from AD RMS to Azure Information Protection.

Step 8. Configure IRM integration for Exchange Online

Important

Because you cannot control which recipients migrated users might select for protected emails, make sure that all users and mail-enabled groups in your organization have an account in Azure AD that can be used with Azure Information Protection.

Independently from the Azure Information Protection tenant key topology that you chose, do the following:

  1. For Exchange Online to be able to decrypt emails that are protected by AD RMS, it needs to know that the AD RMS URL for your cluster corresponds to the key that's available in your tenant. This is done with the DNS SRV record for your AD RMS cluster that is also used to reconfigure Office clients to use Azure Information Protection. If you did not create the DNS SRV record for client reconfiguration in step 7, create this record now to support Exchange Online.

    When this DNS record is in place, users of Outlook on the web and mobile email clients will be able to view AD RMS protected emails in those apps, and Exchange will be able to use the key you imported from AD RMS to decrypt, index, journal, and protect content that was protected by AD RMS.

  2. Run the Exchange Online Get-IRMConfiguration command. If you need help running this command, see the step-by-step instructions in Exchange Online: IRM Configuration.

    From the output, check that AzureRMSLicensingEnabled is set to True.

Step 9. Configure IRM integration for Exchange Server and SharePoint Server

If you have used the Information Rights Management (IRM) functionality of Exchange Server or SharePoint Server with AD RMS, you will need to deploy the Rights Management (RMS) connector, which acts as a communications interface (a relay) between your on-premises servers and the protection service for Azure Information Protection.

This step covers installing and configuring the connector, disabling IRM for Exchange and SharePoint, and configuring these servers to use the connector. Finally, if you have imported AD RMS data configuration files (.xml) into Azure Information Protection that were used to protect email messages, you must manually edit the registry on the Exchange Server computers to redirect all trusted publishing domain URLs to the RMS connector.

Note

Before you start, check the versions of the on-premises servers that the Azure Rights Management service supports, from On-premises servers that support Azure RMS.

Install and configure the RMS connector

Use the instructions in the Deploying the Azure Rights Management connector article, and do steps 1 through 4. Do not start step 5 from the connector instructions yet.

Disable IRM on Exchange Servers and remove AD RMS configuration

Important

If you haven't yet configured IRM on any of your Exchange servers, do just steps 2 and 6.

Do all these steps if the licensing URLs of all your AD RMS clusters are not all displayed in the LicensingLocation parameter when you run Get-IRMConfiguration.

  1. On each Exchange server, locate the following folder and delete all the entries in that folder: \ProgramData\Microsoft\DRM\Server\S-1-5-18

  2. From one of the Exchange servers, run the following PowerShell commands to ensure that users will be able to read emails that are protected by using Azure Rights Management.

    Before you run these commands, substitute your own Azure Rights Management service URL for <Your Tenant URL>.

    # Read the current licensing locations, append the Azure Rights Management licensing URL, and write the list back.
    $irmConfig = Get-IRMConfiguration
    $list = $irmConfig.LicensingLocation
    $list += "<Your Tenant URL>/_wmcs/licensing"
    Set-IRMConfiguration -LicensingLocation $list

    Now when you run Get-IRMConfiguration, you should see all your AD RMS cluster licensing URLs and your Azure Rights Management service URL displayed for the LicensingLocation parameter.

  3. Now disable IRM features for messages that are sent to internal recipients:

    Set-IRMConfiguration -InternalLicensingEnabled $false

  4. Then use the same cmdlet to disable IRM in Microsoft Office Outlook Web App and in Microsoft Exchange ActiveSync:

    Set-IRMConfiguration -ClientAccessServerEnabled $false

  5. Finally, use the same cmdlet to clear any cached certificates:

    Set-IRMConfiguration -RefreshServerCertificates

  6. On each Exchange Server, now reset IIS, for example, by running a command prompt as an administrator and typing iisreset.
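Steps 2 through 5 above, as an added PowerShell example that is not from the original article: run it in the Exchange Management Shell on one Exchange server; it adds the tenant licensing URL only if it is missing (so re-running does not create duplicates), verifies that every expected licensing URL is present before anything is disabled, and then applies the disable settings. The tenant URL and the AD RMS licensing URLs are placeholders to replace with your own values.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell on one
# Exchange server. Placeholders: replace <Your Tenant URL> and the AD RMS licensing URLs.
$tenantUrl = 'https://<Your Tenant URL>'                     # your Azure Rights Management service URL
$adRmsLicensingUrls = @(                                     # licensing URLs of every AD RMS cluster
    'https://<AD RMS Intranet Licensing URL>/_wmcs/licensing',
    'https://<AD RMS Extranet Licensing URL>/_wmcs/licensing'
)
$tenantLicensing = "$tenantUrl/_wmcs/licensing"

# Step 2: add the tenant licensing URL only if it is not already listed, so re-running
# the script does not create duplicate LicensingLocation entries.
$current = @((Get-IRMConfiguration).LicensingLocation | ForEach-Object { $_.ToString() })
if ($current -notcontains $tenantLicensing) {
    Set-IRMConfiguration -LicensingLocation ($current + $tenantLicensing)
}

# Verify: every AD RMS cluster URL and the tenant URL must now be present; otherwise users
# cannot read mail protected by the missing issuer. Stop here before disabling anything.
$current = @((Get-IRMConfiguration).LicensingLocation | ForEach-Object { $_.ToString() })
$missing = @(($adRmsLicensingUrls + $tenantLicensing) | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "LicensingLocation is missing: $($missing -join ', ')"
}

# Steps 3 to 5: disable IRM for internal recipients and for Outlook Web App / ActiveSync,
# then clear any cached certificates.
Set-IRMConfiguration -InternalLicensingEnabled $false -ClientAccessServerEnabled $false
Set-IRMConfiguration -RefreshServerCertificates

# Record the resulting state. Step 6 (iisreset) still has to be run on every Exchange server.
Get-IRMConfiguration | Select-Object InternalLicensingEnabled, ClientAccessServerEnabled, LicensingLocation
```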

Disable IRM on SharePoint Servers and remove AD RMS configuration

  1. Make sure that there are no documents checked out from RMS-protected libraries. If there are, they will become inaccessible at the end of this procedure.

  2. On the SharePoint Central Administration Web site, in the Quick Launch section, click Security.

  3. On the Security page, in the Information Policy section, click Configure information rights management.

  4. On the Information Rights Management page, in the Information Rights Management section, select Do not use IRM on this server, then click OK.

  5. On each of the SharePoint Server computers, delete the contents of the folder \ProgramData\Microsoft\MSIPC\Server\<SID of the account running SharePoint Server>.

Configure Exchange and SharePoint to use the connector

  1. Return to the instructions for deploying the RMS connector: Step 5: Configuring servers to use the RMS connector

    If you have SharePoint Server only, go straight to Next steps to continue the migration.

  2. On each Exchange Server, manually add the registry keys in the next section for each configuration data file (.xml) that you imported, to redirect the trusted publishing domain URLs to the RMS connector. These registry entries are specific to migration and are not added by the server configuration tool for the Microsoft RMS connector.

    When you make these registry edits, use the following instructions:

    • Replace <connector FQDN> with the name that you defined in DNS for the connector. For example, rmsconnector.contoso.com.

    • Use the HTTP or HTTPS prefix for the connector URL, depending on whether you have configured the connector to use HTTP or HTTPS to communicate with your on-premises servers.

Registry edits for Exchange

For all Exchange servers, add the following registry values to LicenseServerRedirection, depending on your version of Exchange:

For Exchange 2013 and Exchange 2016 - registry edit 1:

Registry path:

HKLM\SOFTWARE\Microsoft\ExchangeServer\v15\IRM\LicenseServerRedirection

Type: Reg_SZ

Value: https://<AD RMS Intranet Licensing URL>/_wmcs/licensing

Data:

One of the following, depending on whether you are using HTTP or HTTPS from your Exchange server to the RMS connector:

  • http://<connector FQDN>/_wmcs/licensing

  • https://<connector FQDN>/_wmcs/licensing

Exchange 2013 - registry edit 2:

Registry path:

HKLM\SOFTWARE\Microsoft\ExchangeServer\v15\IRM\LicenseServerRedirection

Type: Reg_SZ

Value: https://<AD RMS Extranet Licensing URL>/_wmcs/licensing

Data:

One of the following, depending on whether you are using HTTP or HTTPS from your Exchange server to the RMS connector:

  • http://<connector FQDN>/_wmcs/licensing

  • https://<connector FQDN>/_wmcs/licensing

For Exchange 2010 - registry edit 1:

Registry path:

HKLM\SOFTWARE\Microsoft\ExchangeServer\v14\IRM\LicenseServerRedirection

Type: Reg_SZ

Value: https://<AD RMS Intranet Licensing URL>/_wmcs/licensing

Data:

One of the following, depending on whether you are using HTTP or HTTPS from your Exchange server to the RMS connector:

  • http://<connector FQDN>/_wmcs/licensing

  • https://<connector FQDN>/_wmcs/licensing

For Exchange 2010 - registry edit 2:

Registry path:

HKLM\SOFTWARE\Microsoft\ExchangeServer\v14\IRM\LicenseServerRedirection

Type: Reg_SZ

Value: https://<AD RMS Extranet Licensing URL>/_wmcs/licensing

Data:

One of the following, depending on whether you are using HTTP or HTTPS from your Exchange server to the RMS connector:

  • http://<connector FQDN>/_wmcs/licensing

  • https://<connector FQDN>/_wmcs/licensing
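The registry edits above, as an added PowerShell script that is not from the original article: run it as an administrator on each Exchange Server; it selects the v15 (Exchange 2013/2016) or v14 (Exchange 2010) key from what is installed, creates LicenseServerRedirection if it does not exist, writes one Reg_SZ value per AD RMS licensing URL with the connector licensing URL as its data, and verifies the result. The connector FQDN and the AD RMS licensing URLs are placeholders; if you only have an intranet licensing URL, pass only that one.

```powershell
# Added example, not from the original article. Run as administrator on each Exchange Server.
# Placeholders: replace the connector FQDN and the AD RMS licensing URLs with your own values.
param(
    [string]$ConnectorFqdn = 'rmsconnector.contoso.com',     # name you defined in DNS for the connector
    [bool]$ConnectorUsesHttps = $true,                       # match how the connector was configured
    [string[]]$AdRmsLicensingUrls = @(
        'https://<AD RMS Intranet Licensing URL>/_wmcs/licensing',   # registry edit 1
        'https://<AD RMS Extranet Licensing URL>/_wmcs/licensing'    # registry edit 2
    )
)

# Pick the key for the installed version: v15 = Exchange 2013/2016, v14 = Exchange 2010.
$versionKey = 'v15', 'v14' |
    Where-Object { Test-Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\$_" } |
    Select-Object -First 1
if (-not $versionKey) { throw 'No Exchange Server installation found under HKLM\SOFTWARE\Microsoft\ExchangeServer' }
$redirKey = "HKLM:\SOFTWARE\Microsoft\ExchangeServer\$versionKey\IRM\LicenseServerRedirection"

# The LicenseServerRedirection key is not created by the connector's server configuration tool.
if (-not (Test-Path $redirKey)) { New-Item -Path $redirKey -Force | Out-Null }

# Connector URL must use the scheme the connector was configured with for on-premises servers.
$scheme = if ($ConnectorUsesHttps) { 'https' } else { 'http' }
$connectorLicensing = "${scheme}://$ConnectorFqdn/_wmcs/licensing"

foreach ($adRmsUrl in $AdRmsLicensingUrls) {
    # Value name is the AD RMS licensing URL; data is the connector URL that replaces it.
    New-ItemProperty -Path $redirKey -Name $adRmsUrl -Value $connectorLicensing -PropertyType String -Force | Out-Null
}

# Verify that every redirection points at the connector before moving on to the next server.
$props = Get-ItemProperty -Path $redirKey
foreach ($adRmsUrl in $AdRmsLicensingUrls) {
    $actual = $props.$adRmsUrl
    if ($actual -ne $connectorLicensing) {
        throw "Redirection for $adRmsUrl is '$actual', expected '$connectorLicensing'"
    }
}
Write-Host "Redirection values written under $redirKey for $($AdRmsLicensingUrls.Count) AD RMS URL(s)"
```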


Next steps

To continue the migration, go to Phase 5 - post migration tasks.