Migrating from AD RMS to Azure Information Protection

Applies to: Active Directory Rights Management Services, Azure Information Protection, Office 365

Use the following set of instructions to migrate your Active Directory Rights Management Services (AD RMS) deployment to Azure Information Protection.

After the migration, your AD RMS servers are no longer in use, but users still have access to documents and email messages that your organization protected by using AD RMS. Newly protected content uses the Azure Rights Management service (Azure RMS) from Azure Information Protection.

Not sure whether this AD RMS migration is right for your organization?

Although not required, you might find it useful to read the following documentation before you start the migration. It gives you a better understanding of how the technology works at the point where it becomes relevant to a migration step.

  • Planning and implementing your Azure Information Protection tenant key: Understand the key management options for your Azure Information Protection tenant. The cloud equivalent of your SLC key is either managed by Microsoft (the default) or managed by you (the "bring your own key", or BYOK, configuration).

  • RMS service discovery: This section of the RMS client deployment notes explains that the order for service discovery is registry, then service connection point (SCP), then cloud. While the SCP is still registered during the migration, you configure clients with registry settings for your Azure Information Protection tenant so that they do not use the AD RMS cluster returned by the SCP. Because the registry is consulted first, a client that is missing those settings falls back to the SCP and keeps using the AD RMS cluster, so verify the registry values on migrated computers before you remove the cluster.

  • Overview of the Microsoft Rights Management connector: This section of the RMS connector documentation explains how your on-premises servers can connect to the Azure Rights Management service to protect documents and emails.

In addition, if you are not familiar with how AD RMS works, you might find it useful to read How does Azure RMS work? Under the hood, which helps you identify which technology processes are the same or different for the cloud version.

Prerequisites for migrating AD RMS to Azure Information Protection

Before you start the migration to Azure Information Protection, make sure that the following prerequisites are in place and that you understand the limitations.

  • A supported RMS deployment:

    • The following releases of AD RMS support a migration to Azure Information Protection:

      • Windows Server 2012 (x64)

      • Windows Server 2012 R2 (x64)

      • Windows Server 2016 (x64)

    • All valid AD RMS topologies are supported:

      • Single forest, single RMS cluster

      • Single forest, multiple licensing-only RMS clusters

      • Multiple forests, multiple RMS clusters

      Note: By default, multiple AD RMS clusters migrate to a single Azure Information Protection tenant. If you want separate tenants, you must treat them as separate migrations. A key from one RMS cluster cannot be imported into more than one tenant.

  • All requirements to run Azure Information Protection, including a subscription for Azure Information Protection (with the Azure Rights Management service not yet activated):

    See Requirements for Azure Information Protection.

    Note that if you have computers that run Office 2010, you must install the Azure Information Protection client or the Azure Information Protection unified labeling client for users, because these clients provide the ability to authenticate users to cloud services. For later versions of Office, these clients are required for classification and labeling; if you only want to protect data, the Azure Information Protection client is optional but recommended. For more information, see the admin guides for the Azure Information Protection client and the Azure Information Protection unified labeling client.

    Although you must have a subscription for Azure Information Protection before you can migrate from AD RMS, we recommend that the Rights Management service for your tenant is not activated before you start the migration. The migration process includes this activation step after you have exported keys and templates from AD RMS and imported them into your Azure Information Protection tenant. However, if the Rights Management service is already activated, you can still migrate from AD RMS with some additional steps.

  • Preparation for Azure Information Protection:

    • If you have used the Information Rights Management (IRM) functionality of Exchange Server (for example, transport rules and Outlook Web Access) or SharePoint Server with AD RMS:

      • Plan for a short period of time when IRM will not be available on these servers.

        You can continue to use IRM on these servers after the migration. However, one of the migration steps is to temporarily disable the IRM service, install and configure a connector, reconfigure the servers, and then re-enable IRM.

        This is the only interruption to service during the migration process.

    • If you want to manage your own Azure Information Protection tenant key by using an HSM-protected key:

      • This optional configuration requires Azure Key Vault and an Azure subscription that supports Key Vault with HSM-protected keys. For more information, see the Azure Key Vault pricing page.

Cryptographic mode considerations

If your AD RMS cluster is currently in Cryptographic Mode 1, do not upgrade the cluster to Cryptographic Mode 2 before you start the migration. Instead, migrate using Cryptographic Mode 1, and rekey your tenant key at the end of the migration as one of the post-migration tasks. (Mode 1 uses 1024-bit RSA keys with SHA-1, whereas Mode 2 uses 2048-bit RSA keys with SHA-256; that is why the rekey is recommended once the migration is complete.)

To confirm the AD RMS cryptographic mode:

  • For Windows Server 2012 R2 and Windows Server 2012: AD RMS cluster properties > General tab.

Migration limitations

  • If you have software and clients that are not supported by the Rights Management service used by Azure Information Protection, they cannot protect or consume content that is protected by Azure Rights Management. Be sure to check the supported applications and clients sections in Requirements for Azure Information Protection.

  • If your AD RMS deployment is configured to collaborate with external partners (for example, by using trusted user domains or federation), those partners must also migrate to Azure Information Protection, either at the same time as your migration or as soon as possible afterwards. To continue to access content that your organization previously protected by using AD RMS, they must make client configuration changes similar to the ones that you make, which are included in this document.

    Because of the possible configuration variations that your partners might have, exact instructions for this reconfiguration are out of scope for this document. However, see the next section for planning guidance, and for additional help, contact Microsoft Support.

Migration planning if you collaborate with external partners

Include your AD RMS partners in your planning phase for the migration, because they must also migrate to Azure Information Protection. Before you do any of the following migration steps, make sure that the following is in place:

  • They have an Azure Active Directory tenant that supports the Azure Rights Management service.

    For example, they have an Office 365 E3 or E5 subscription, an Enterprise Mobility + Security subscription, or a standalone subscription for Azure Information Protection.

  • Their Azure Rights Management service is not yet activated, but they know their Azure Rights Management service URL.

    They can get this information by installing the AIPService PowerShell module, connecting to the service (Connect-AipService), and then viewing the tenant information for their Azure Rights Management service (Get-AipServiceConfiguration).

  • They provide you with the URL of their AD RMS cluster and their Azure Rights Management service URL, so that you can configure your migrated clients to redirect requests for their AD RMS-protected content to their tenant's Azure Rights Management service. Instructions for configuring client redirection are in step 7.

  • They import their AD RMS cluster root keys (SLC) into their tenant before you start to migrate your users. Similarly, you must import your AD RMS cluster root keys before they start to migrate their users. Instructions for importing the key are covered in step 4 of this migration process, Export configuration data from AD RMS and import it to Azure Information Protection.

Overview of the steps for migrating AD RMS to Azure Information Protection

The migration steps can be divided into five phases that can be done at different times and by different administrators.

PHASE 1: MIGRATION PREPARATION

  • Step 1: Install the AIPService PowerShell module and identify your tenant URL

    The migration process requires you to run one or more of the PowerShell cmdlets from the AIPService module. You also need to know your tenant's Azure Rights Management service URL to complete many of the migration steps, and you can identify this value by using PowerShell.

  • Step 2: Prepare for client migration

    If you cannot migrate all clients at once and will migrate them in batches, use onboarding controls and deploy a pre-migration script. If you will migrate everything at the same time rather than do a phased migration, you can skip this step.

  • Step 3: Prepare your Exchange deployment for migration

    This step is required if you currently use the IRM feature of Exchange Online or Exchange on-premises to protect emails. If you will migrate everything at the same time rather than do a phased migration, you can skip this step.

PHASE 2: SERVER-SIDE CONFIGURATION FOR AD RMS

  • Step 4: Export configuration data from AD RMS and import it to Azure Information Protection

    You export the configuration data (keys, templates, URLs) from AD RMS to an XML file, and then upload that file to the Azure Rights Management service by using the Import-AipServiceTpd PowerShell cmdlet. Then you identify which imported Server Licensor Certificate (SLC) key to use as the tenant key for the Azure Rights Management service. The exported file is a trusted publishing domain that contains the SLC private key (protected by the password you set on export), so treat it as a secret: keep it off shared locations and delete working copies after a successful import. Additional steps might be needed, depending on your AD RMS key configuration:

    • Software-protected key to software-protected key migration:

      Centrally managed, password-based keys in AD RMS to a Microsoft-managed Azure Information Protection tenant key. This is the simplest migration path, and no additional steps are required.

    • HSM-protected key to HSM-protected key migration:

      Keys stored in an HSM for AD RMS to a customer-managed Azure Information Protection tenant key (the "bring your own key", or BYOK, scenario). This requires additional steps to transfer the key from your on-premises nCipher HSM to Azure Key Vault and to authorize the Azure Rights Management service to use the key. Your existing HSM-protected key must be module-protected; OCS-protected keys are not supported by Rights Management services.

    • Software-protected key to HSM-protected key migration:

      Centrally managed, password-based keys in AD RMS to a customer-managed Azure Information Protection tenant key (the "bring your own key", or BYOK, scenario). This requires the most configuration, because you must first extract your software key and import it into an on-premises HSM, and then do the additional steps to transfer the key from your on-premises nCipher HSM to an Azure Key Vault HSM and authorize the Azure Rights Management service to use the key vault that stores the key.

  • Step 5: Activate the Azure Rights Management service

    If possible, do this step after the import process and not before. Additional steps are required if the service was activated before the import.

  • Step 6: Configure imported templates

    When you import your rights policy templates, their status is archived. If you want users to be able to see and use them, you must change the template status to published in the Azure classic portal.
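The server-side cmdlets for steps 1, 2, 4, 5 and 6, as an added PowerShell runbook that is not part of the original page; it also covers the tenant URL lookup that the partner planning section above asks your partners to perform. It follows the simplest path (software-protected key to software-protected key) and does not show the Key Vault steps of the BYOK paths. The file path, the pilot security group object ID and the KeyIdentifier you type in are placeholders, and deriving the service URL by stripping the /_wmcs/licensing suffix from the licensing distribution point is my assumption about that property's format.

```powershell
# Added example; not code from the original page. Server-side runbook for
# steps 1, 2, 4, 5 and 6 on the software-key to software-key path.
# Placeholders: the TPD file path, the pilot group object ID and the
# KeyIdentifier you choose. Run in an elevated session as an Azure
# Information Protection administrator.
$ErrorActionPreference = 'Stop'
Install-Module -Name AIPService -Scope CurrentUser   # one-time install
Connect-AipService                                   # interactive sign-in

# Step 1: identify the tenant's Azure Rights Management service URL. Partners
# in the planning section run these same two commands in their own tenant and
# exchange the value with you for the step 7 client redirection.
$config = Get-AipServiceConfiguration
$config | Format-List *DistributionPointUrl
# Assumption: the service URL is the licensing distribution point without its
# /_wmcs/licensing suffix.
$tenantUrl = $config.LicensingIntranetDistributionPointUrl -replace '/_wmcs/licensing/?$', ''
Write-Host "Azure RMS service URL: $tenantUrl"

# Step 2 (phased migrations only): only members of the pilot group can protect
# content with Azure RMS until their computers are reconfigured; everyone can
# still consume content.
$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder object ID
Set-AipServiceOnboardingControlPolicy -UseRmsUserLicense $false -SecurityGroupObjectId $pilotGroupId

# Step 4: import the trusted publishing domain (TPD) exported from the AD RMS
# console. The XML holds the SLC private key (password-protected), so keep it
# off shared drives and remove the working copy once the import succeeds.
$tpdFile = 'C:\migration\contoso-tpd.xml'              # placeholder path
$tpdPassword = Read-Host -AsSecureString -Prompt 'TPD export password'
Import-AipServiceTpd -TpdFile $tpdFile -ProtectionPassword $tpdPassword -FriendlyName 'Contoso AD RMS cluster' -Verbose
Remove-Item -Path $tpdFile -Force   # keep only your secured offline backup

# Choose which imported SLC key becomes the tenant key. Imported keys arrive
# archived; with several clusters, activate the one that protected the most content.
Get-AipServiceKeys | Format-Table KeyIdentifier, KeyType, Status
$keyId = Read-Host -Prompt 'KeyIdentifier to activate as the tenant key'
Set-AipServiceKeyProperties -KeyIdentifier $keyId -Active $true

# Step 5: activate the service only now, after the import, as step 5 recommends.
if ((Get-AipService) -ne 'Enabled') { Enable-AipService }

# Step 6: imported templates are archived; publish the ones users should see.
Get-AipServiceTemplate | Where-Object { $_.Status -eq 'Archived' } | ForEach-Object {
    Set-AipServiceTemplateProperty -TemplateId $_.TemplateId -Status Published
}
```

Activating the key before enabling the service is deliberate: it keeps the order the page recommends (import, select tenant key, then activate), so no content is ever protected with a Microsoft-generated default key that you would later have to archive.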

PHASE 3: CLIENT-SIDE CONFIGURATION

  • Step 7: Reconfigure Windows computers to use Azure Information Protection

    Existing Windows computers must be reconfigured to use the Azure Rights Management service instead of AD RMS. This step applies to computers in your organization, and to computers in partner organizations if you collaborated with them while you were running AD RMS.
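The registry redirection that step 7 and the service discovery note above refer to, as an added PowerShell example that is not part of the original page. It assumes the MSIPC client's ServiceLocation key names (EnterpriseCertification, EnterprisePublishing, LicensingRedirection), which I take from the RMS client deployment notes rather than from this page; the AD RMS cluster URL and the Azure RMS service URL are parameters you supply. Verify the key names and any Office-version-specific settings against the step 7 instructions before deploying this through Group Policy.

```powershell
# Added example; not code from the original page. Assumes the MSIPC
# ServiceLocation key names; verify against step 7 before wide deployment.
function Set-AzureRmsClientRedirection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # AD RMS cluster URL the client used so far, e.g. https://rms.contoso.com (placeholder)
        [Parameter(Mandatory)][string]$AdRmsClusterUrl,
        # Value from Get-AipServiceConfiguration, e.g. https://<id>.rms.<region>.aadrm.com (placeholder)
        [Parameter(Mandatory)][string]$AzureRmsServiceUrl
    )
    $adrms = $AdRmsClusterUrl.TrimEnd('/').ToLowerInvariant()
    $azure = $AzureRmsServiceUrl.TrimEnd('/').ToLowerInvariant()
    if ($azure -notmatch '^https://') { throw 'The Azure RMS service URL must use https.' }

    # Write both registry views so 32-bit Office on 64-bit Windows is covered too.
    $roots = @('HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation')
    if ([Environment]::Is64BitOperatingSystem) {
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation'
    }
    foreach ($root in $roots) {
        $settings = @(
            # Registry wins over the SCP in service discovery, so new protection goes to Azure RMS
            @{ Key = "$root\EnterpriseCertification"; Name = '(default)'; Value = "$azure/_wmcs/certification" }
            @{ Key = "$root\EnterprisePublishing";    Name = '(default)'; Value = "$azure/_wmcs/licensing" }
            # Use licenses for content the old cluster protected are requested from Azure RMS instead
            @{ Key = "$root\LicensingRedirection";    Name = "$adrms/_wmcs/licensing"; Value = "$azure/_wmcs/licensing" }
        )
        foreach ($s in $settings) {
            if ($PSCmdlet.ShouldProcess($s.Key, "set '$($s.Name)' to $($s.Value)")) {
                New-Item -Path $s.Key -Force | Out-Null
                Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type String
            }
        }
    }
}

function Test-AzureRmsClientRedirection {
    # Read the 64-bit view back and report anything that still points at AD RMS
    # or is missing; run this before deprovisioning the cluster (step 10).
    param([Parameter(Mandatory)][string]$AdRmsClusterUrl)
    $adrms = $AdRmsClusterUrl.TrimEnd('/').ToLowerInvariant()
    $base = 'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation'
    $ok = $true
    foreach ($sub in 'EnterpriseCertification', 'EnterprisePublishing') {
        $v = (Get-ItemProperty -Path "$base\$sub" -ErrorAction SilentlyContinue).'(default)'
        if (-not $v -or $v.ToLowerInvariant().StartsWith($adrms)) {
            Write-Warning "$sub is not redirected (value: '$v')"; $ok = $false
        }
    }
    $redir = Get-ItemProperty -Path "$base\LicensingRedirection" -ErrorAction SilentlyContinue
    if (-not $redir -or -not $redir.PSObject.Properties["$adrms/_wmcs/licensing"]) {
        Write-Warning 'LicensingRedirection entry for the AD RMS cluster is missing'; $ok = $false
    }
    return $ok
}

# Usage (elevated session; preview with -WhatIf before writing):
# Set-AzureRmsClientRedirection -AdRmsClusterUrl 'https://rms.contoso.com' `
#     -AzureRmsServiceUrl 'https://00000000-0000-0000-0000-000000000000.rms.na.aadrm.com' -WhatIf
# Test-AzureRmsClientRedirection -AdRmsClusterUrl 'https://rms.contoso.com'
```

The LicensingRedirection entry is the one that matters for already-protected content: without it, a migrated client that opens an old AD RMS-protected document still reads the licensing URL embedded in the publishing license and contacts the cluster you are about to decommission.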

PHASE 4: SUPPORTING SERVICES CONFIGURATION

  • Step 8: Configure IRM integration for Exchange Online

    This step completes the AD RMS migration for Exchange Online so that it now uses the Azure Rights Management service.

  • Step 9: Configure IRM integration for Exchange Server and SharePoint Server

    This step completes the AD RMS migration for Exchange or SharePoint on-premises so that they now use the Azure Rights Management service, which requires deploying the Rights Management connector.

PHASE 5: POST MIGRATION TASKS

  • Step 10: Deprovision AD RMS

    When you have confirmed that all Windows computers are using the Azure Rights Management service and are no longer accessing your AD RMS servers, you can deprovision your AD RMS deployment.

  • Step 11: Complete client migration tasks

    If you deployed the mobile device extension to support mobile devices such as iOS phones and iPads, Android phones and tablets, Windows phones and tablets, and Mac computers, you must remove the SRV records in DNS that redirected these clients to AD RMS.

    The onboarding controls that you configured during the preparation phase are no longer needed. However, if you did not use onboarding controls because you chose to migrate everything at the same time rather than do a phased migration, you can skip the instructions to remove them.

    If your Windows computers are running Office 2010, check whether you need to disable the AD RMS Rights Policy Template Management (Automated) task.

  • Step 12: Rekey your Azure Information Protection tenant key

    This step is recommended if you were not running in Cryptographic Mode 2 before the migration.

Next steps

To start the migration, go to Phase 1 - preparation.