Step 2: Software-protected key to software-protected key migration

Applies to: Active Directory Rights Management Services, Azure Information Protection, Office 365

These instructions are part of the migration path from AD RMS to Azure Information Protection, and are applicable only if your AD RMS key is software-protected and you want to migrate to Azure Information Protection with a software-protected tenant key.

If this is not your chosen configuration scenario, go back to "Step 4. Export configuration data from AD RMS and import it to Azure RMS" and choose a different configuration.

Use the following procedure to import the AD RMS configuration to Azure Information Protection, resulting in an Azure Information Protection tenant key that is managed by Microsoft.

To import the configuration data to Azure Information Protection

  1. On an internet-connected workstation, use the Connect-AipService cmdlet to connect to the Azure Rights Management service:

    Connect-AipService
    

    When prompted, enter your Azure Rights Management tenant administrator credentials (typically, you will use an account that is a global administrator for Azure Active Directory or Office 365).

  2. Use the Import-AipServiceTpd cmdlet to upload each exported trusted publishing domain (.xml) file. For example, you should have at least one additional file to import if you upgraded your AD RMS cluster for Cryptographic Mode 2.

    To run this cmdlet, you will need the password that you specified earlier for each configuration data file.

    For example, first run the following to store the password:

    $TPD_Password = Read-Host -AsSecureString
    

    Enter the password that you specified to export the first configuration data file. Then, using E:\contosokey1.xml as an example for that configuration file, run the following command and confirm that you want to perform this action:

    Import-AipServiceTpd -TpdFile E:\contosokey1.xml -ProtectionPassword $TPD_Password -Verbose
    
  3. When you have uploaded each file, run Set-AipServiceKeyProperties to identify the imported key that matches the currently active SLC key in AD RMS. This key will become the active tenant key for your Azure Rights Management service.

  4. Use the Disconnect-AipService cmdlet to disconnect from the Azure Rights Management service:

    Disconnect-AipService
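
The four steps above as a single script, for the case where several trusted publishing domain files were exported. This is an added example, not part of the original instructions. The folder E:\TpdExport is a hypothetical location, and the key listing with Get-AipServiceKeys and the -KeyIdentifier and -Active parameters come from the AIPService module rather than from this page.

```powershell
# Added example: import every exported TPD file, then activate the matching key.
# Assumption: all exported .xml files are in one folder (hypothetical path).
$TpdFolder = 'E:\TpdExport'

# Stop on the first error so a failed import never leads to a key activation.
$ErrorActionPreference = 'Stop'

# Step 1: prompts for the tenant administrator credentials.
Connect-AipService

try {
    # Step 2: upload each exported trusted publishing domain file.
    foreach ($file in Get-ChildItem -Path $TpdFolder -Filter '*.xml') {
        # Each file has the password chosen at export time. Reading it as a
        # SecureString keeps it out of the command line and the history file.
        $TPD_Password = Read-Host -AsSecureString -Prompt "Password for $($file.Name)"

        # Import-AipServiceTpd asks for confirmation before it uploads.
        Import-AipServiceTpd -TpdFile $file.FullName `
                             -ProtectionPassword $TPD_Password -Verbose
    }

    # Step 3: show the imported keys so the one that matches the currently
    # active SLC key in AD RMS can be picked out by the administrator.
    Get-AipServiceKeys | Format-List | Out-Host

    $keyId = Read-Host -Prompt 'KeyIdentifier of the key that matches the active SLC key'
    Set-AipServiceKeyProperties -KeyIdentifier $keyId -Active $true
}
finally {
    # Step 4: always end the session, even when an import fails.
    Disconnect-AipService
}
```

The exported .xml files contain the protected AD RMS key material, so remove them from the workstation once the import has been verified.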
    

You’re now ready to go to "Step 5. Activate the Azure Rights Management service".