Appendix B: Setting Up the Test Environment

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic outlines the steps to build a hands-on lab for testing Dynamic Access Control. Follow the instructions in order: many of the components depend on ones built earlier.

Prerequisites

Hardware and software requirements

Requirements for setting up the test lab:

  • A host server running Windows Server 2008 R2 with SP1 and Hyper-V

  • A copy of the Windows Server 2012 ISO

  • A copy of the Windows 8 ISO

  • Microsoft Office 2010

  • A server running Microsoft Exchange Server 2003 or later

You need to build the following virtual machines to test the Dynamic Access Control scenarios:

  • DC1 (domain controller)

  • DC2 (domain controller)

  • FILE1 (file server and Active Directory Rights Management Services)

  • SRV1 (POP3 and SMTP server)

  • CLIENT1 (client computer with Microsoft Outlook)

The passwords for the virtual machines should be as follows:

  • BUILTIN\Administrator: pass@word1

  • Contoso\Administrator: pass@word1

  • All other accounts: pass@word1

These credentials are for an isolated lab only. Keep the virtual machines on the internal virtual network created below, and never reuse this password outside the lab.

Build the test lab virtual machines

Install the Hyper-V role

You need to install the Hyper-V role on a computer running Windows Server 2008 R2 with SP1.

To install the Hyper-V role
  1. Click Start, and then click Server Manager.

  2. In the Roles Summary area of the Server Manager main window, click Add Roles.

  3. On the Select Server Roles page, click Hyper-V.

  4. On the Create Virtual Networks page, click one or more network adapters if you want to make their network connection available to virtual machines.

  5. On the Confirm Installation Selections page, click Install.

  6. The computer must be restarted to complete the installation. Click Close to finish the wizard, and then click Yes to restart the computer.

  7. After the computer restarts, sign in with the same account you used to install the role. After the Resume Configuration Wizard completes the installation, click Close to finish the wizard.

Create an internal virtual network

Now you will create an internal virtual network called ID_AD_Network. An internal network lets the virtual machines reach each other and the host but not any outside network, which keeps the lab's shared password and the unencrypted AD RMS cluster address configured later off any real network.

To create a virtual network
  1. Open Hyper-V Manager.

  2. From the Actions menu, click Virtual Network Manager.

  3. Under Create virtual network, select Internal.

  4. Click Add. The New Virtual Network page appears.

  5. Type ID_AD_Network as the name for the new network. Review the other properties and modify them if necessary.

  6. Click OK to create the virtual network and close Virtual Network Manager, or click Apply to create the virtual network and continue using Virtual Network Manager.
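The same host preparation, scripted. This is an added example, not part of the original page: it installs the Hyper-V role, creates the ID_AD_Network internal switch, and creates the five lab virtual machines from ISO. It assumes a host running Windows Server 2012 or later, because Windows Server 2008 R2 has no Hyper-V PowerShell module (use the GUI steps above there), and the ISO and VM paths are placeholders you must adjust.

```powershell
# Added example, not from the original page: scripted form of the Hyper-V role
# install, the ID_AD_Network internal switch and the five lab VMs.
# Assumptions: the host runs Windows Server 2012 or later (Windows Server 2008 R2
# has no Hyper-V PowerShell module, so use the GUI steps there), and the paths
# below are placeholders to adjust. Run from an elevated PowerShell prompt.

# 1. Hyper-V role and management tools; reboot afterwards.
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools

# 2. Internal switch: the VMs see each other and the host, nothing outside the host.
if (-not (Get-VMSwitch -Name 'ID_AD_Network' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'ID_AD_Network' -SwitchType Internal | Out-Null
}

# 3. The lab VMs, each attached only to ID_AD_Network and booting from its ISO.
$vmRoot    = 'D:\Lab'                          # assumption
$serverIso = 'D:\ISO\WindowsServer2012.iso'    # assumption
$clientIso = 'D:\ISO\Windows8.iso'             # assumption
$lab = @(
    @{ Name = 'DC1';     Iso = $serverIso; MemoryGB = 2 }
    @{ Name = 'DC2';     Iso = $serverIso; MemoryGB = 2 }
    @{ Name = 'FILE1';   Iso = $serverIso; MemoryGB = 4 }
    @{ Name = 'SRV1';    Iso = $serverIso; MemoryGB = 4 }
    @{ Name = 'CLIENT1'; Iso = $clientIso; MemoryGB = 2 }
)

foreach ($vm in $lab) {
    if (Get-VM -Name $vm.Name -ErrorAction SilentlyContinue) { continue }
    $vhd = Join-Path $vmRoot "$($vm.Name)\$($vm.Name).vhdx"
    New-Item -ItemType Directory -Path (Split-Path $vhd) -Force | Out-Null
    New-VM -Name $vm.Name -Path $vmRoot -MemoryStartupBytes ($vm.MemoryGB * 1GB) `
           -NewVHDPath $vhd -NewVHDSizeBytes 60GB -SwitchName 'ID_AD_Network' | Out-Null
    Add-VMDvdDrive -VMName $vm.Name -Path $vm.Iso
    # DVD first in the boot order so Windows Setup runs on the first start.
    Set-VMBios -VMName $vm.Name -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')
}

# Check: every VM exists, is off, and its adapter is on ID_AD_Network only.
Get-VM | ForEach-Object {
    $switches = (Get-VMNetworkAdapter -VMName $_.Name).SwitchName -join ','
    '{0,-8} {1,-8} switch={2}' -f $_.Name, $_.State, $switches
}
```

The final check is the one worth keeping: a VM that also has an adapter on an external switch would expose the lab's shared password to the real network.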

Build the domain controller

Build a virtual machine to be used as the domain controller (DC1). Install the virtual machine from the Windows Server 2012 ISO, and name it DC1.

To install Active Directory Domain Services
  1. Connect the virtual machine to the ID_AD_Network. Sign in to DC1 as Administrator with the password pass@word1.

  2. In Server Manager, click Manage, and then click Add Roles and Features.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

  5. On the Select destination server page, click Next.

  6. On the Select server roles page, click Active Directory Domain Services. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.

  7. On the Select features page, click Next.

  8. On the Active Directory Domain Services page, review the information, and then click Next.

  9. On the Confirm installation selections page, click Install. The Feature installation progress bar on the Results page indicates that the role is being installed.

  10. On the Results page, verify that the installation succeeded, and click Close. In Server Manager, click the warning icon with an exclamation mark in the top right corner of the screen, next to Manage. In the Tasks list, click the Promote this server to a domain controller link.

  11. On the Deployment Configuration page, click Add a new forest, type the name of the root domain, contoso.com, and then click Next.

  12. On the Domain Controller Options page, select Windows Server 2012 as the domain and forest functional level, specify the DSRM password pass@word1, and then click Next.

  13. On the DNS Options page, click Next.

  14. On the Additional Options page, click Next.

  15. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept the default locations), and then click Next.

  16. On the Review Options page, confirm your selections, and then click Next.

  17. On the Prerequisites Check page, confirm that the prerequisites validation completed, and then click Install.

  18. On the Results page, verify that the server was successfully configured as a domain controller, and then click Close.

  19. Restart the server to complete the AD DS installation. (By default, this happens automatically.)
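The same promotion from PowerShell, as an added example that is not part of the original page. The static address 10.0.0.1/24 for DC1 is an assumption (the page fixes no IP addresses; the internal switch has no DHCP, so something has to assign one), and the DSRM password is read at the prompt rather than stored in the script.

```powershell
# Added example, not from the original page: scripted equivalent of steps 1-19 on DC1.
# Assumption: DC1 uses the static address 10.0.0.1/24 on its ID_AD_Network adapter;
# the appendix does not fix addresses. Run from an elevated PowerShell prompt.

# Static address, and DNS pointed at itself because AD DS will host DNS.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress 10.0.0.1 -PrefixLength 24 | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses 127.0.0.1

# Role install (GUI steps 2-10).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promotion (GUI steps 11-19). The DSRM password is entered interactively; the
# lab value from this appendix is pass@word1. Functional levels match the GUI choice.
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Directory Services Restore Mode) password'
Install-ADDSForest `
    -DomainName 'contoso.com' `
    -DomainNetbiosName 'CONTOSO' `
    -ForestMode 'Win2012' `
    -DomainMode 'Win2012' `
    -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# The server reboots on completion. After the reboot, confirm the DC advertises
# itself before creating any objects:
#   dcdiag /test:advertising
#   Get-ADDomainController -Discover -Service ADWS
```

Run the two checks in the closing comment after the reboot; Active Directory Administrative Center and the ActiveDirectory module both need the Active Directory Web Services (ADWS) instance that the second check discovers.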

Create the following users by using Active Directory Administrative Center.

Create users and groups on DC1
  1. Sign in to contoso.com as Administrator. Launch Active Directory Administrative Center.

  2. Create the following security groups:

    Group Name          Email Address
    FinanceAdmin        financeadmin@contoso.com
    FinanceException    financeexception@contoso.com

  3. Create the following organizational unit (OU):

    OU Name         Computers
    FileServerOU    FILE1

  4. Create the following users with the attributes indicated:

    User               Username     Email address            Department   Group              Country/Region
    Myriam Delesalle   MDelesalle   MDelesalle@contoso.com   Finance                         US
    Miles Reid         MReid        MReid@contoso.com        Finance      FinanceAdmin       US
    Esther Valle       EValle       EValle@contoso.com       Operations   FinanceException   US
    Maira Wenzel       MWenzel      MWenzel@contoso.com      HR                              US
    Jeff Low           JLow         JLow@contoso.com         HR                              US
    RMS Server         rms          rms@contoso.com

    Enter the Department and Country/Region values exactly as shown: the Dynamic Access Control scenarios build user claims from these attributes, and a user whose department is empty or misspelled will not satisfy the claim-based conditions later.

    For more information about creating security groups, see Create a New Group on the Windows Server website.
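The three tables above as an idempotent script, added here as an example and not taken from the original page. It uses the ActiveDirectory module on DC1 and the lab password from this appendix; the group mail attribute is set because the AD RMS template created later addresses the FinanceAdmin group by email.

```powershell
# Added example, not from the original page: scripted form of the "Create users and
# groups on DC1" tables. Run on DC1 as CONTOSO\Administrator.
Import-Module ActiveDirectory
$domainDN    = (Get-ADDomain).DistinguishedName
$labPassword = ConvertTo-SecureString 'pass@word1' -AsPlainText -Force   # lab-only value from the appendix

# Security groups. The mail attribute is what the AD RMS rights template refers to.
foreach ($g in @(
    @{ Name = 'FinanceAdmin';     Mail = 'financeadmin@contoso.com' }
    @{ Name = 'FinanceException'; Mail = 'financeexception@contoso.com' }
)) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope Global -GroupCategory Security `
                    -OtherAttributes @{ mail = $g.Mail }
    }
}

# OU that FlexibleAccessGPO is linked to; FILE1's computer account goes here after it joins.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'FileServerOU'")) {
    New-ADOrganizationalUnit -Name 'FileServerOU' -Path $domainDN
}

# Users, with the attributes the claim types are sourced from (department, country).
$users = @(
    @{ Given = 'Myriam'; Surname = 'Delesalle'; Sam = 'MDelesalle'; Dept = 'Finance';    Group = $null }
    @{ Given = 'Miles';  Surname = 'Reid';      Sam = 'MReid';      Dept = 'Finance';    Group = 'FinanceAdmin' }
    @{ Given = 'Esther'; Surname = 'Valle';     Sam = 'EValle';     Dept = 'Operations'; Group = 'FinanceException' }
    @{ Given = 'Maira';  Surname = 'Wenzel';    Sam = 'MWenzel';    Dept = 'HR';         Group = $null }
    @{ Given = 'Jeff';   Surname = 'Low';       Sam = 'JLow';       Dept = 'HR';         Group = $null }
)
foreach ($u in $users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'") { continue }
    New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@contoso.com" `
        -EmailAddress "$($u.Sam)@contoso.com" -Department $u.Dept -Country 'US' `
        -AccountPassword $labPassword -Enabled $true
    if ($u.Group) { Add-ADGroupMember -Identity $u.Group -Members $u.Sam }
}

# The AD RMS service account (the lab later signs in as it to manage the cluster).
if (-not (Get-ADUser -Filter "SamAccountName -eq 'rms'")) {
    New-ADUser -Name 'RMS Server' -SamAccountName 'rms' -UserPrincipalName 'rms@contoso.com' `
        -EmailAddress 'rms@contoso.com' -AccountPassword $labPassword -Enabled $true `
        -PasswordNeverExpires $true
}

# Check: the attribute values that the claims will be built from are populated.
Get-ADUser -Filter 'Department -like "*"' -Properties Department, Country, mail |
    Select-Object SamAccountName, Department, Country, mail | Format-Table -AutoSize
```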

To create a Group Policy Object
  1. Hover the cursor in the upper right corner of the screen and click the Search icon. In the Search box, type group policy management, and then click Group Policy Management.

  2. Expand Forest: contoso.com, expand Domains, expand contoso.com, and then select FileServerOU. Right-click FileServerOU, and then click Create a GPO in this domain, and Link it here.

  3. Type a descriptive name for the GPO, such as FlexibleAccessGPO, and then click OK.

To enable Dynamic Access Control for contoso.com
  1. Open the Group Policy Management Console, click contoso.com, and then double-click Domain Controllers.

  2. Right-click Default Domain Controllers Policy, and then select Edit.

  3. In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-click Administrative Templates, double-click System, and then double-click KDC.

  4. Double-click KDC support for claims, compound authentication and Kerberos armoring, and then select Enabled. This setting must be enabled for central access policies to work: without it the domain controllers issue Kerberos tickets without claims, so claim-based conditions in a central access rule can never be satisfied.

  5. Open an elevated command prompt, and run the following command:

    gpupdate /force
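Both procedures from PowerShell, as an added example that is not part of the original page. The registry value names under the KDC policy key (EnableCbacAndArmor and CbacAndArmorLevel) are the ones defined in the kdc.admx template as I recall them; confirm them against the ADMX on your domain controller or by reading the setting back with Get-GPRegistryValue after setting it once in the GUI.

```powershell
# Added example, not from the original page: scripted equivalent of "To create a Group
# Policy Object" and "To enable Dynamic Access Control for contoso.com". Run on DC1.
# Assumption: the KDC policy registry value names (from kdc.admx) are
# EnableCbacAndArmor (policy on/off) and CbacAndArmorLevel (1 = "Supported", the
# default option when the policy is Enabled). Verify against your ADMX.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ouDN = (Get-ADOrganizationalUnit -Filter "Name -eq 'FileServerOU'").DistinguishedName

# 1. Empty GPO linked to FileServerOU; the file-server settings are added later in the lab.
if (-not (Get-GPO -Name 'FlexibleAccessGPO' -ErrorAction SilentlyContinue)) {
    New-GPO -Name 'FlexibleAccessGPO' | New-GPLink -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 2. "KDC support for claims, compound authentication and Kerberos armoring" = Enabled,
#    in the Default Domain Controllers Policy, exactly where the GUI steps put it.
$dcPolicy = 'Default Domain Controllers Policy'
$kdcKey   = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC'
Set-GPRegistryValue -Name $dcPolicy -Key $kdcKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $dcPolicy -Key $kdcKey -ValueName 'CbacAndArmorLevel'  -Type DWord -Value 1 | Out-Null

# 3. Apply on this DC and read the effective values back.
gpupdate /force | Out-Null
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC' |
    Select-Object EnableCbacAndArmor, CbacAndArmorLevel

# Check the GPO side as well: the link must exist and be enabled on FileServerOU.
(Get-GPInheritance -Target $ouDN).GpoLinks | Select-Object DisplayName, Enabled
```

Level 1 ("Supported") is the right choice for a mixed lab: the KDC returns claims when a client asks for them but still serves clients that do not. The stricter levels (always provide claims, or fail unarmored requests) only make sense once every domain controller and client understands armoring.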
    

Build the file server and AD RMS server (FILE1)

  1. Build a virtual machine with the name FILE1 from the Windows Server 2012 ISO.

  2. Connect the virtual machine to the ID_AD_Network.

  3. Join the virtual machine to the contoso.com domain, move its computer account into FileServerOU so that FlexibleAccessGPO applies to it, and then sign in to FILE1 as contoso\administrator using the password pass@word1.

Install File Server Resource Manager

To install the File Services role and File Server Resource Manager
  1. In Server Manager, click Add Roles and Features.

  2. On the Before you begin page, click Next.

  3. On the Select installation type page, click Next.

  4. On the Select destination server page, click Next.

  5. On the Select server roles page, expand File and Storage Services, select the check box next to File and iSCSI Services, expand it, and then select File Server Resource Manager.

    In the Add Roles and Features Wizard, click Add Features, and then click Next.

  6. On the Select features page, click Next.

  7. On the Confirm installation selections page, click Install.

  8. On the Installation progress page, click Close.

Install the Microsoft Office Filter Packs on the file server

Install the Microsoft Office Filter Packs on Windows Server 2012 to enable IFilters for a wider range of Office file types than are provided by default. Windows Server 2012 does not install any IFilters for Microsoft Office files by default, and the File Classification Infrastructure uses IFilters to perform content analysis; without them, the classification rules in this lab cannot read the text inside the .docx and .xlsx files.

To download and install the IFilters, see Microsoft Office 2010 Filter Packs.

Configure email notifications on FILE1

When you create quotas and file screens, you have the option of sending email notifications to users when their quota limit is approaching or after they have attempted to save files that have been blocked. If you want to routinely notify certain administrators of quota and file screening events, you can configure one or more default recipients. To send these notifications, you must specify the SMTP server to be used for forwarding the email messages.

To configure email options in File Server Resource Manager
  1. Open File Server Resource Manager. To open File Server Resource Manager, click Start, type file server resource manager, and then click File Server Resource Manager.

  2. In the File Server Resource Manager interface, right-click File Server Resource Manager, and then click Configure Options. The File Server Resource Manager Options dialog box opens.

  3. On the E-mail Notifications tab, under SMTP server name or IP address, type the host name or the IP address of the SMTP server that will forward email notifications.

  4. If you want to routinely notify certain administrators of quota or file screening events, under Default administrator recipients, type each email address, such as fileadmin@contoso.com. Use the format account@domain, and use semicolons to separate multiple accounts.

Create groups on FILE1

To create security groups on FILE1
  1. Sign in to FILE1 as contoso\administrator with the password pass@word1.

  2. Add NT AUTHORITY\Authenticated Users to the WinRMRemoteWMIUsers__ group. Members of this local group can run remote WMI queries against FILE1 through WinRM, so adding Authenticated Users is acceptable only in an isolated lab.
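The FSRM install, the email notification settings and the WinRMRemoteWMIUsers__ change above, scripted. This is an added example and not part of the original page; the SMTP host name srv1.contoso.com and the sender address are assumptions, since the page only says to use SRV1's address.

```powershell
# Added example, not from the original page: scripted form of "Install File Server
# Resource Manager", "Configure email notifications on FILE1" and "Create security
# groups on FILE1". Assumptions: SRV1 is reachable as srv1.contoso.com and the
# sender address fsrm@file1.contoso.com is acceptable to that SMTP server.
# Run on FILE1 as CONTOSO\Administrator from an elevated prompt.
Install-WindowsFeature -Name FS-FileServer, FS-Resource-Manager -IncludeManagementTools

# FSRM notification settings: relay host, default admin recipients, sender address.
Import-Module FileServerResourceManager
Set-FsrmSetting -SmtpServer 'srv1.contoso.com' `
    -AdminEmailAddress 'fileadmin@contoso.com' `
    -FromEmailAddress 'fsrm@file1.contoso.com'

# Prove the relay path end to end before quota or file-screen events depend on it.
Send-FsrmTestEmail -ToEmailAddress 'fileadmin@contoso.com'

# Lab-only: let any authenticated domain account use remote WMI over WinRM on FILE1.
# In production this group holds only the specific management accounts that need it.
# (Add-LocalGroupMember does not exist on Windows Server 2012, hence net localgroup.)
net localgroup WinRMRemoteWMIUsers__ "NT AUTHORITY\Authenticated Users" /add

# Read both settings back.
Get-FsrmSetting | Select-Object SmtpServer, AdminEmailAddress, FromEmailAddress
net localgroup WinRMRemoteWMIUsers__
```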

Create files and folders on FILE1

  1. Create a new NTFS volume on FILE1 and then create the following folder: D:\Finance Documents.

  2. Create the following files with the details specified:

    • Finance Memo.docx: Add some finance-related text to the document. For example, 'The business rules about who can access finance documents have changed. Finance documents are now only accessed by members of the FinanceExpert group. No other departments or groups have access.' You need to evaluate the impact of this change before implementing it in the environment. Ensure that this document has CONTOSO CONFIDENTIAL as the footer on every page.

    • Request for Approval to Hire.docx: Create a form in this document that collects applicant information. The document must have the following fields: Applicant Name, Social Security number, Job Title, Proposed Salary, Starting Date, Supervisor name, Department. Add an additional section in the document with a form for Supervisor Signature, Approved Salary, Confirmation of Offer, and Status of Offer.
      Make the document rights-management enabled.

    • Word Document1.docx: Add some test content to this document.

    • Word Document2.docx: Add test content to this document.

    • Workbook1.xlsx

    • Workbook2.xlsx

    • Create a folder on the desktop called Regular Expressions. Create a text document under that folder called RegEx-SSN. Type the following content in the file, and then save and close the file:
      ^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$

      This is a .NET regular expression, the syntax the File Classification Infrastructure evaluates, for a US Social Security number: the look-aheads reject the never-issued area 000, group 00 and serial 0000, the first group rejects any area beginning with 8 or 9, and the back-reference \3 requires the same separator (hyphen, space, or none) between all three parts.

  3. Share the folder D:\Finance Documents as Finance Documents and allow Everyone Read and Write access to the share.

Note

Central access policies are not enabled by default on the system or boot volume (C:).
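The folder, the pattern file and the share above, scripted, plus a check of the SSN pattern against constructed sample strings so you can see what the classification rule will and will not flag before it runs over real documents. This is an added example, not part of the original page; the .docx and .xlsx files themselves are still created in Word and Excel as described, and the sample strings are made up for this check.

```powershell
# Added example, not from the original page: stages the folder and share from
# "Create files and folders on FILE1", writes the RegEx-SSN pattern, and tests that
# pattern against constructed sample strings. Run on FILE1 as CONTOSO\Administrator.

# A folder on a non-system volume: central access policies are not enabled by default on C:.
New-Item -ItemType Directory -Path 'D:\Finance Documents' -Force | Out-Null

# The SSN pattern exactly as the lab specifies it, saved where the page puts it.
$ssnPattern = '^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$'
$regexDir = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Regular Expressions'
New-Item -ItemType Directory -Path $regexDir -Force | Out-Null
Set-Content -Path (Join-Path $regexDir 'RegEx-SSN.txt') -Value $ssnPattern -Encoding ASCII

# Constructed samples and what the pattern, as written, should decide. FCI evaluates
# .NET regular expressions, and [regex] is the same engine, so this check is faithful.
$samples = @(
    @{ Text = '123-45-6789'; Expected = $true  }   # ordinary SSN
    @{ Text = '123 45 6789'; Expected = $true  }   # space separators, consistent
    @{ Text = '123456789';   Expected = $true  }   # no separators
    @{ Text = '000-45-6789'; Expected = $false }   # area 000 rejected by (?!000)
    @{ Text = '123-00-6789'; Expected = $false }   # group 00 rejected by (?!00)
    @{ Text = '123-45-0000'; Expected = $false }   # serial 0000 rejected by (?!0000)
    @{ Text = '800-45-6789'; Expected = $false }   # area 8xx: neither alternative matches
    @{ Text = '123-456789';  Expected = $false }   # separators differ, \3 cannot match
)
$failures = 0
foreach ($s in $samples) {
    $hit = [regex]::IsMatch($s.Text, $ssnPattern)
    if ($hit -ne $s.Expected) { $failures++ }
    '{0} {1,-12} match={2}' -f $(if ($hit -eq $s.Expected) { 'ok ' } else { 'BAD' }), $s.Text, $hit
}
"Pattern self-test failures: $failures"

# Share with Change (read/write) for Everyone at the share level. Share permissions are
# deliberately loose here; NTFS permissions and, later, the central access policy decide.
if (-not (Get-SmbShare -Name 'Finance Documents' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Finance Documents' -Path 'D:\Finance Documents' -ChangeAccess 'Everyone' | Out-Null
}
Get-SmbShareAccess -Name 'Finance Documents'
```

One thing the self-test makes visible: because the first alternative is [0-7]\d{2}, the pattern already accepts every area from 001 to 799, so the second alternative (7xx up to 772) adds nothing. If you want the stricter upper bound the second alternative suggests, change [0-7] to [0-6] in the first one; the test rows then tell you immediately whether the edit did what you meant.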

Install Active Directory Rights Management Services

Add the Active Directory Rights Management Services (AD RMS) role and all required features through Server Manager. Accept all the defaults except where the steps below say otherwise.

To install Active Directory Rights Management Services
  1. Sign in to FILE1 as CONTOSO\Administrator or as a member of the Domain Admins group.

    Important

    To install the AD RMS server role, the installer account (in this case, CONTOSO\Administrator) must be a member of both the local Administrators group on the server where AD RMS is to be installed and the Enterprise Admins group in Active Directory. Enterprise Admins is needed because the installation registers the service connection point (SCP) in the forest's configuration partition.

  2. In Server Manager, click Add Roles and Features. The Add Roles and Features Wizard appears.

  3. On the Before you begin screen, click Next.

  4. On the Select installation type screen, click Role-based or feature-based installation, and then click Next.

  5. On the Select destination server screen, click Next.

  6. On the Select server roles screen, select the check box next to Active Directory Rights Management Services, and then click Next.

  7. In the Add features that are required for Active Directory Rights Management Services? dialog box, click Add Features.

  8. On the Select server roles screen, click Next.

  9. On the Select features screen, click Next.

  10. On the Active Directory Rights Management Services screen, click Next.

  11. On the Select role services screen, click Next.

  12. On the Web Server Role (IIS) screen, click Next.

  13. On the Select role services screen, click Next.

  14. On the Confirm installation selections screen, click Install.

  15. After the installation has completed, on the Installation progress screen, click Perform additional configuration. The AD RMS Configuration Wizard appears.

  16. On the AD RMS screen, click Next.

  17. On the AD RMS Cluster screen, select Create a new AD RMS root cluster, and then click Next.

  18. On the Configuration Database screen, click Use Windows Internal Database on this server, and then click Next.

    Note

    The Windows Internal Database is recommended for test environments only, because it does not support more than one server in the AD RMS cluster. Production deployments should use a separate database server.

  19. On the Service Account screen, under Domain User Account, click Specify, enter the user name (contoso\rms) and password (pass@word1), click OK, and then click Next.

  20. On the Cryptographic Mode screen, click Cryptographic Mode 2. Mode 2 uses 2048-bit RSA keys and SHA-256; Mode 1 (1024-bit RSA and SHA-1) exists only for compatibility with older clients and should not be chosen for a new cluster.

  21. On the Cluster Key Storage screen, click Next.

  22. On the Cluster Key Password screen, in the Password and Confirm password boxes, type pass@word1, and then click Next.

  23. On the Cluster Web Site screen, make sure that Default Web Site is selected, and then click Next.

  24. On the Cluster Address screen, select the Use an unencrypted connection option, in the Fully Qualified Domain Name box type FILE1.contoso.com, and then click Next. An unencrypted (HTTP) cluster URL is acceptable only because this lab runs on an isolated internal network. A production cluster should use an SSL-encrypted connection with a certificate issued for the cluster name, and the choice is hard to revisit: the cluster URL is embedded in every publishing license the cluster issues.

  25. On the Licensor Certificate Name screen, accept the default name (FILE1) in the text box, and then click Next.

  26. On the SCP Registration screen, select Register SCP now, and then click Next.

  27. On the Confirmation screen, click Install.

  28. On the Results screen, click Close, and then click Close on the Installation progress screen. When complete, log off, and then log on as contoso\rms using the password provided (pass@word1).

  29. Launch the AD RMS console and navigate to Rights Policy Templates.

    To open the AD RMS console, in Server Manager, click Local Server in the console tree, click Tools, and then click Active Directory Rights Management Services.

  30. Click Create Distributed Rights Policy Template in the right pane, click Add, and then enter the following information:

    • Language: US English

    • Name: Contoso Finance Admin Only

    • Description: Contoso Finance Admin Only

    Click Add, and then click Next.

  31. Under the Users and Rights section, click Users and rights, click Add, type financeadmin@contoso.com, and then click OK.

  32. Select Full Control, and leave Grant owner (author) full control right with no expiration selected.

  33. Click through the remaining tabs with no changes, and then click Finish. Sign in as CONTOSO\Administrator.

  34. Browse to the folder C:\inetpub\wwwroot\_wmcs\certification, select the ServerCertification.asmx file, and add Authenticated Users with Read and Write permissions to the file. This is what lets File Server Resource Manager on FILE1 obtain a rights account certificate from the cluster. Granting it to Authenticated Users is a lab shortcut; in production, grant only the file server computer accounts and the AD RMS Service Group the Read & Execute permission on this file.

  35. Open Windows PowerShell and run Get-FsrmRmsTemplate. Verify that the RMS template you created in the previous steps of this procedure appears in the output of this command.

Important

If you want your file servers to pick up the change immediately so you can test them, do the following:

  1. On the file server, FILE1, open an elevated command prompt, and run the following commands:

    • gpupdate /force
    • NLTEST /SC_RESET:contoso.com
  2. On the domain controller (DC1), replicate Active Directory.

    For more information about the steps to force Active Directory replication, see Active Directory Replication.

Optionally, instead of using the Add Roles and Features Wizard in Server Manager, you can use Windows PowerShell to install and configure the AD RMS server role as shown in the following procedure.

To install and configure an AD RMS cluster in Windows Server 2012 using Windows PowerShell
  1. Log on as CONTOSO\Administrator with the password pass@word1.

    Important

    To install the AD RMS server role, the installer account (in this case, CONTOSO\Administrator) must be a member of both the local Administrators group on the server where AD RMS is to be installed and the Enterprise Admins group in Active Directory.

  2. On the server desktop, right-click the Windows PowerShell icon on the taskbar and select Run as Administrator to open a Windows PowerShell prompt with administrative privileges.

  3. To use the Server Manager cmdlets to install the AD RMS server role, type:

    Add-WindowsFeature ADRMS -IncludeAllSubFeature -IncludeManagementTools

  4. Create the Windows PowerShell drive that represents the AD RMS server you are installing.

    For example, to create a Windows PowerShell drive named RC to install and configure the first server in an AD RMS root cluster, type:

    Import-Module ADRMS
    New-PSDrive -PSProvider ADRMSInstall -Name RC -Root RootCluster

  5. Set properties on the objects in the drive namespace that represent the required configuration settings.

    For example, to set the AD RMS service account, at the Windows PowerShell command prompt, type:

    $svcacct = Get-Credential

    When the Windows Security dialog box appears, type the AD RMS service account domain user name CONTOSO\RMS and its assigned password.

    Next, to assign the AD RMS service account to the AD RMS cluster settings, type:

    Set-ItemProperty -Path RC:\ -Name ServiceAccount -Value $svcacct

    Next, to set the AD RMS server to use the Windows Internal Database, type:

    Set-ItemProperty -Path RC:\ClusterDatabase -Name UseWindowsInternalDatabase -Value $true

    Next, to store the cluster key password securely in a variable, type:

    $password = Read-Host -AsSecureString -Prompt "Password:"

    Type the cluster key password, and then press ENTER.

    Next, to assign the password to your AD RMS installation, type:

    Set-ItemProperty -Path RC:\ClusterKey -Name CentrallyManagedPassword -Value $password

    Next, to set the AD RMS cluster address, type:

    Set-ItemProperty -Path RC:\ -Name ClusterURL -Value "http://file1.contoso.com:80"

    Next, to assign the server licensor certificate (SLC) name for your AD RMS installation, type:

    Set-ItemProperty -Path RC:\ -Name SLCName -Value "FILE1"

    Next, to register the service connection point (SCP) for the AD RMS cluster, type:

    Set-ItemProperty -Path RC:\ -Name RegisterSCP -Value $true

  6. Run the Install-ADRMS cmdlet. In addition to installing the AD RMS server role and configuring the server, this cmdlet also installs any other features that AD RMS requires.

    For example, to change to the Windows PowerShell drive named RC and install and configure AD RMS, type:

    Set-Location RC:\
    Install-ADRMS -Path .

    Type "Y" when the cmdlet prompts you to confirm that you want to start the installation.

  7. Log off as CONTOSO\Administrator and log on as CONTOSO\RMS using the provided password (pass@word1).

    Important

    To manage the AD RMS server, the account you are logged on with (in this case, CONTOSO\RMS) must be a member of both the local Administrators group on the AD RMS server and the Enterprise Admins group in Active Directory.

  8. On the server desktop, right-click the Windows PowerShell icon on the taskbar and select Run as Administrator to open a Windows PowerShell prompt with administrative privileges.

  9. Create the Windows PowerShell drive that represents the AD RMS server you are configuring.

    For example, to create a Windows PowerShell drive named RC to configure the AD RMS root cluster, type:

    Import-Module ADRMSAdmin
    New-PSDrive -PSProvider ADRMSAdmin -Name RC -Root http://localhost -Force -Scope Global

  10. To create a new rights policy template for the Contoso finance administrators and grant that group Full Control in your AD RMS installation, type:

    New-Item -Path RC:\RightsPolicyTemplate -LocaleName en-us -DisplayName "Contoso Finance Admin Only" -Description "Contoso Finance Admin Only" -UserGroup financeadmin@contoso.com -Right ('FullControl')

  11. To verify that you can see the new rights template for the Contoso finance administrators, at the Windows PowerShell command prompt, type:

    Get-FsrmRmsTemplate

    Review the output of this cmdlet to confirm that the RMS template you created in the previous step is present.

組建郵件伺服器 (SRV1)Build the mail server (SRV1)

SRV1 是 SMTP 日 POP3 郵件伺服器。SRV1 is the SMTP/POP3 mail server. 您需要設定,讓您可以存取的協助案例的一部分傳送電子郵件通知。You need to set it up so that you can send email notifications as part of the Access-Denied assistance scenario.

在這台電腦上設定 Microsoft Exchange Server。Configure Microsoft Exchange Server on this computer. 如需詳細資訊,請查看安裝 Exchange Server 如何For more information, see How to Install Exchange Server.

Build the client virtual machine (CLIENT1)

To build the client virtual machine
  1. Connect CLIENT1 to the ID_AD_Network.

  2. Install Microsoft Office 2010.

  3. Sign in as Contoso\Administrator, and use the following information to configure Microsoft Outlook.

    • Your name: File Administrator

    • Email address: fileadmin@contoso.com

    • Account type: POP3

    • Incoming mail server: Static IP address of SRV1

    • Outgoing mail server: Static IP address of SRV1

    • User name: fileadmin@contoso.com

    • Remember password: Select

  4. Create a shortcut to Outlook on the contoso\administrator desktop.

  5. Open Outlook and dismiss all the "first time launched" messages.

  6. Delete any test messages that were generated.

  7. Create a new shortcut on the desktop for all users on the client virtual machine that points to \\FILE1\Finance Documents.

  8. Reboot as needed.

Enable Access-Denied assistance on the client virtual machine
  1. Open Registry Editor, and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer.

    • Set EnableShellExecuteFileStreamCheck to 1.

    • Value type: DWORD

Lab setup for the deploying claims across forests scenario

Build a virtual machine for DC2

  • Build a virtual machine from the Windows Server 2012 ISO.

  • Name the virtual machine DC2.

  • Connect the virtual machine to the ID_AD_Network.

Important

Joining virtual machines to a domain and deploying claim types across forests require that the virtual machines be able to resolve the FQDNs of the relevant domains. You may have to manually configure the DNS settings on the virtual machines to accomplish this. For more information, see Configuring a virtual network.

All the virtual machine images (servers and clients) must be reconfigured to use a static IP version 4 (IPv4) address and Domain Name System (DNS) client settings. For more information, see Configure a DNS Client for Static IP Address.

Set up a new forest called adatum.com

To install Active Directory Domain Services
  1. Connect the virtual machine to the ID_AD_Network. Sign in to DC2 as Administrator with the password pass@word1.

  2. In Server Manager, click Manage, and then click Add Roles and Features.

  3. On the Before you begin page, click Next.

  4. On the Select installation type page, click Role-based or feature-based installation, and then click Next.

  5. On the Select destination server page, click Select a server from the server pool, click the name of the server where you want to install Active Directory Domain Services (AD DS), and then click Next.

  6. On the Select server roles page, click Active Directory Domain Services. In the Add Roles and Features Wizard dialog box, click Add Features, and then click Next.

  7. On the Select features page, click Next.

  8. On the AD DS page, review the information, and then click Next.

  9. On the Confirmation page, click Install. The Feature installation progress bar on the Results page indicates that the role is being installed.

  10. On the Results page, verify that the installation succeeded, and then click the warning icon with an exclamation mark in the top right corner of the screen, next to Manage. In the Tasks list, click the Promote this server to a domain controller link.

    Important

    If you close the installation wizard at this point rather than clicking Promote this server to a domain controller, you can continue the AD DS installation by clicking Tasks in Server Manager.

  11. On the Deployment Configuration page, click Add a new forest, type the name of the root domain, adatum.com, and then click Next.

  12. On the Domain Controller Options page, select Windows Server 2012 as the domain and forest functional levels, specify the DSRM password pass@word1, and then click Next.

  13. On the DNS Options page, click Next.

  14. On the Additional Options page, click Next.

  15. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept the default locations), and then click Next.

  16. On the Review Options page, confirm your selections, and then click Next.

  17. On the Prerequisites Check page, confirm that the prerequisites validation completed, and then click Install.

  18. On the Results page, verify that the server was successfully configured as a domain controller, and then click Close.

  19. Restart the server to complete the AD DS installation. (By default, this happens automatically.)

Important

To ensure that the network is configured properly after you have set up both forests, you must do the following:

  • Sign in to adatum.com as adatum\administrator. Open a Command Prompt window, type nslookup contoso.com, and then press ENTER.
  • Sign in to contoso.com as contoso\administrator. Open a Command Prompt window, type nslookup adatum.com, and then press ENTER.

If these commands execute without errors, the forests can communicate with each other. For more information on nslookup errors, see the troubleshooting section in the topic Using NSlookup.exe.
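The nslookup check above only proves that the other forest's name resolves. A forest trust also needs the LDAP and Kerberos SRV records of the remote forest, so the following added PowerShell check (example code, not part of the original lab guide) resolves all three with Resolve-DnsName and reports which ones fail. It assumes you run it elevated on a domain controller of each forest; the forest names and the DnsServer cmdlet named in the usage note are assumptions about this lab, not something the guide prescribes.

```powershell
# Added example (not part of the original lab guide): check that the local
# forest can resolve the remote forest's A record and the SRV records a DC
# needs when it validates a forest trust. Resolve-DnsName ships with
# Windows Server 2012. Run on DC2 (adatum.com) and again on DC1 (contoso.com).
function Test-ForestNameResolution {
    param(
        [Parameter(Mandatory)][string]$LocalForest,
        [Parameter(Mandatory)][string]$RemoteForest
    )

    $queries = @(
        @{ Name = $RemoteForest;                        Type = 'A'   }
        @{ Name = "_ldap._tcp.dc._msdcs.$RemoteForest"; Type = 'SRV' }
        @{ Name = "_kerberos._tcp.$RemoteForest";       Type = 'SRV' }
    )

    $results = foreach ($q in $queries) {
        try {
            # -DnsOnly skips LLMNR/NetBIOS so a stale cache cannot mask a DNS problem.
            $answer  = Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction Stop
            $targets = $answer | ForEach-Object {
                if ($_.Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.IPAddress }
            } | Where-Object { $_ }
            [pscustomobject]@{ Query = $q.Name; Type = $q.Type; Resolved = $true;  Targets = ($targets -join ', ') }
        } catch {
            [pscustomobject]@{ Query = $q.Name; Type = $q.Type; Resolved = $false; Targets = $_.Exception.Message }
        }
    }

    $results | Format-Table -AutoSize
    if ($results.Resolved -contains $false) {
        Write-Warning "$LocalForest cannot fully resolve $RemoteForest. Add a conditional forwarder for $RemoteForest on this DC's DNS server before creating the trust."
    } else {
        Write-Host "$LocalForest resolves $RemoteForest correctly."
    }
    return $results
}

# On DC2 (adatum.com):
# Test-ForestNameResolution -LocalForest adatum.com -RemoteForest contoso.com
# On DC1 (contoso.com):
# Test-ForestNameResolution -LocalForest contoso.com -RemoteForest adatum.com
```

If the SRV lookups fail while the A record resolves, the usual fix in a two-forest lab is a conditional forwarder on each DC's DNS server pointing at the other DC's static address, for example `Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers <DC1 IP>` on DC2 (the DnsServer module is part of the DNS Server role on Windows Server 2012).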

Set contoso.com as a trusting forest to adatum.com

In this step, you create a trust relationship between the Adatum Corporation site and the Contoso, Ltd. site.

To set Contoso as a trusting forest to Adatum
  1. Sign in to DC2 as administrator. On the Start screen, type domain.msc.

  2. In the console tree, right-click adatum.com, and then click Properties.

  3. On the Trusts tab, click New Trust, and then click Next.

  4. On the Trust Name page, type contoso.com in the Domain Name System (DNS) name field, and then click Next.

  5. On the Trust Type page, click Forest trust, and then click Next.

  6. On the Direction of Trust page, click Two-way.

  7. On the Sides of Trust page, click Both this domain and the specified domain, and then click Next.

  8. Continue to follow the instructions in the wizard.
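The same two-way forest trust can be created and verified from PowerShell, which is useful when you rebuild the lab repeatedly. The block below is an added example, not part of the original guide: the ActiveDirectory module has no cmdlet that creates a trust, so it uses the System.DirectoryServices.ActiveDirectory API for that and Get-ADTrust to inspect the result. It assumes it runs on DC2 as adatum\administrator with contoso\administrator credentials at hand; the function names are made up for this example.

```powershell
# Added example (not part of the original lab guide): create the two-way forest
# trust between adatum.com (local) and contoso.com (remote) and verify it.
# Run on DC2 as adatum\administrator.
Import-Module ActiveDirectory

function New-TwoWayForestTrust {
    param(
        [Parameter(Mandatory)][string]$RemoteForest,          # e.g. contoso.com
        [Parameter(Mandatory)][pscredential]$RemoteCredential # contoso\administrator
    )
    $local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # A DirectoryContext bound to the remote forest with its own admin credentials.
    $ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList (
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
        $RemoteForest,
        $RemoteCredential.UserName,
        $RemoteCredential.GetNetworkCredential().Password)
    $remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

    # Because we hold credentials for the remote forest, both sides of the trust
    # are created in one call (the wizard's "Both this domain and the specified
    # domain" option).
    $local.CreateTrustRelationship($remote,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

    # VerifyTrustRelationship throws if the secure channel cannot be established.
    $local.VerifyTrustRelationship($remote,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
    Write-Host "Forest trust between $($local.Name) and $RemoteForest verified."
}

function Get-ForestTrustSummary {
    # Direction, transitivity and SID-filtering state of every trust in the
    # local forest. SID filtering (quarantine) is on by default for a new
    # forest trust; leave it on, it stops a compromised trusted forest from
    # injecting SIDs from this forest into its tokens.
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                      SIDFilteringForestAware, SIDFilteringQuarantined
}

# Usage (on DC2, logged on as adatum\administrator):
# New-TwoWayForestTrust -RemoteForest contoso.com -RemoteCredential (Get-Credential contoso\administrator)
# Get-ForestTrustSummary | Format-Table -AutoSize
```

Run Get-ForestTrustSummary on DC1 as well: each side should list the other forest with Direction BiDirectional and ForestTransitive True. If VerifyTrustRelationship fails, go back to the name-resolution check in the previous section before touching the trust.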

Create additional users in the Adatum forest

Create the user Jeff Low with the password pass@word1, and assign the company attribute the value Adatum.

To create a user with the Company attribute
  1. Open an elevated Windows PowerShell prompt on DC2, and paste the following code:

    New-ADUser `  
    -SamAccountName jlow `  
    -Name "Jeff Low" `  
    -UserPrincipalName jlow@adatum.com `  
    -AccountPassword (ConvertTo-SecureString `  
    -AsPlainText "pass@word1" -Force) `  
    -Enabled $true `  
    -PasswordNeverExpires $true `  
    -Path 'CN=Users,DC=adatum,DC=com' `  
    -Company Adatum
    

Create the Company claim type on adatum.com

To create a claim type by using Windows PowerShell
  1. Sign in to adatum.com as an administrator.

  2. Open an elevated Windows PowerShell prompt, and type the following code:

    New-ADClaimType `  
    -AppliesToClasses:@('user') `  
    -Description:"Company" `  
    -DisplayName:"Company" `  
    -ID:"ad://ext/Company:ContosoAdatum" `  
    -IsSingleValued:$true `  
    -Server:"adatum.com" `  
    -SourceAttribute:Company `  
    -SuggestedValues:@((New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Contoso", "Contoso", "")), (New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry("Adatum", "Adatum", "")))
    

Enable the Company resource property on contoso.com

To enable the Company resource property on contoso.com
  1. Sign in to contoso.com as an administrator.

  2. In Server Manager, click Tools, and then click Active Directory Administrative Center.

  3. In the left pane of Active Directory Administrative Center, click Tree View. In the left pane, click Dynamic Access Control, and then double-click Resource Properties.

  4. Select Company from the Resource Properties list, right-click it, and select Properties. In the Suggested Values section, click Add to add the suggested values Contoso and Adatum, and then click OK twice.

  5. Select Company from the Resource Properties list, right-click it, and select Enable.

Enable Dynamic Access Control on adatum.com

To enable Dynamic Access Control for adatum.com
  1. Sign in to adatum.com as an administrator.

  2. Open the Group Policy Management Console, click adatum.com, and then double-click Domain Controllers.

  3. Right-click Default Domain Controllers Policy, and select Edit.

  4. In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-click Administrative Templates, double-click System, and then double-click KDC.

  5. Double-click KDC support for claims, compound authentication and Kerberos armoring, and select the option next to Enabled. You need to enable this setting to use Central Access Policies.

  6. Open an elevated command prompt, and run the following command:

    gpupdate /force  
    

Create the Company claim type on contoso.com

To create a claim type by using Windows PowerShell
  1. Sign in to contoso.com as an administrator.

  2. Open an elevated Windows PowerShell prompt, and type the following code:

    New-ADClaimType -SourceTransformPolicy `  
    -DisplayName 'Company' `  
    -ID 'ad://ext/Company:ContosoAdatum' `  
    -IsSingleValued $true `  
    -ValueType 'string'
    
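The two claim-type definitions (the attribute-sourced one on adatum.com above and the transform-policy one on contoso.com here) must agree on the claim ID and value type, or the claim issued in adatum.com will not be recognised when contoso.com evaluates the central access rule. The following added check (example code, not part of the original guide) reads both definitions over the trust with Get-ADClaimType and reports any mismatch. It assumes the ActiveDirectory module is loaded on a DC that can reach both forests and that the default parameter values reflect this lab; the function name is made up for this example.

```powershell
# Added example (not part of the original lab guide): confirm that the Company
# claim type is defined consistently in both forests. Run from DC1 or DC2 as an
# administrator; both forests are queried by name over the forest trust.
Import-Module ActiveDirectory

function Compare-CrossForestClaimType {
    param(
        [string]$ClaimId      = 'ad://ext/Company:ContosoAdatum',
        [string]$SourceForest = 'adatum.com',   # issues the claim from the user's company attribute
        [string]$TargetForest = 'contoso.com'   # consumes the claim through the transform policy
    )

    # Claim types are looked up by their ID; -Server selects the forest.
    $src = Get-ADClaimType -Filter "ID -eq '$ClaimId'" -Server $SourceForest -Properties *
    $dst = Get-ADClaimType -Filter "ID -eq '$ClaimId'" -Server $TargetForest -Properties *
    if (-not $src) { throw "Claim type $ClaimId not found in $SourceForest" }
    if (-not $dst) { throw "Claim type $ClaimId not found in $TargetForest" }

    $problems = New-Object System.Collections.Generic.List[string]
    if ($src.ValueType -ne $dst.ValueType) {
        $problems.Add("ValueType differs: $SourceForest=$($src.ValueType), $TargetForest=$($dst.ValueType)")
    }
    if (-not $src.Enabled) { $problems.Add("$SourceForest claim type is disabled") }
    if (-not $dst.Enabled) { $problems.Add("$TargetForest claim type is disabled") }
    if ($src.SourceAttribute -ne 'company') {
        $problems.Add("$SourceForest claim is sourced from '$($src.SourceAttribute)', expected 'company'")
    }
    if (-not $dst.SourceTransformPolicy) {
        $problems.Add("$TargetForest claim type was not created with -SourceTransformPolicy")
    }

    [pscustomobject]@{
        ClaimId         = $ClaimId
        SourceForest    = $SourceForest
        SourceAttribute = $src.SourceAttribute
        TargetForest    = $TargetForest
        ValueType       = $dst.ValueType
        Consistent      = ($problems.Count -eq 0)
        Problems        = $problems
    }
}

$check = Compare-CrossForestClaimType
$check | Format-List
if (-not $check.Consistent) {
    Write-Warning 'Fix the items listed under Problems before building the central access rule.'
}
```

A Consistent value of True is the precondition for the central access rule in the next section; the rule's condition refers to the claim only by its ID, so a typo in either New-ADClaimType call shows up here rather than as a silent access denial on FILE1.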

Create the central access rule

To create a central access rule
  1. In the left pane of Active Directory Administrative Center, click Tree View. In the left pane, click Dynamic Access Control, and then click Central Access Rules.

  2. Right-click Central Access Rules, click New, and then click Central Access Rule.

  3. In the Name field, type AdatumEmployeeAccessRule.

  4. In the Permissions section, select the Use following permissions as current permissions option, click Edit, and then click Add. Click the Select a principal link, type Authenticated Users, and then click OK.

  5. In the Permission Entry for Permissions dialog box, click Add a condition, and enter the following condition: [User] [Company] [Equals] [Value] [Adatum]. Permissions should be Modify, Read and Execute, Read, Write.

  6. Click OK.

  7. Click OK three times to finish and return to Active Directory Administrative Center.

    Windows PowerShell equivalent commands

    The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

    New-ADCentralAccessRule `  
    -CurrentAcl:"O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)(XA;;0x1301bf;;;AU;(@USER.ad://ext/Company:ContosoAdatum == `"Adatum`"))" `  
    -Name:"AdatumEmployeeAccessRule" `  
    -ProposedAcl:$null `  
    -ProtectedFromAccidentalDeletion:$true `  
    -Server:"contoso.com"
    

Create the central access policy

To create a central access policy
  1. Sign in to contoso.com as an administrator.

  2. Open an elevated Windows PowerShell prompt, and then paste the following code:

    New-ADCentralAccessPolicy "Adatum Only Access Policy"   
    Add-ADCentralAccessPolicyMember "Adatum Only Access Policy" `  
    -Member "AdatumEmployeeAccessRule"
    

Publish the new policy through Group Policy

To apply the central access policy across file servers through Group Policy
  1. On the Start screen, type Administrative Tools, and in the Search bar, click Settings. In the Settings results, click Administrative Tools. Open the Group Policy Management Console from the Administrative Tools folder.

    Tip

    If the Show Administrative tools setting is disabled, the Administrative Tools folder and its contents will not appear in the Settings results.

  2. Right-click the contoso.com domain, and click Create a GPO in this domain, and Link it here.

  3. Type a descriptive name for the GPO, such as AdatumAccessGPO, and then click OK.

To apply the central access policy to the file server through Group Policy
  1. On the Start screen, type Group Policy Management in the Search box. Open Group Policy Management from the Administrative Tools folder.

    Tip

    If the Show Administrative tools setting is disabled, the Administrative Tools folder and its contents will not appear in the Settings results.

  2. Navigate to and select the Contoso domain as follows: Group Policy Management\Forest: contoso.com\Domains\contoso.com.

  3. Right-click the AdatumAccessGPO policy, and select Edit.

  4. In Group Policy Management Editor, click Computer Configuration, expand Policies, expand Windows Settings, and then click Security Settings.

  5. Expand File System, right-click Central Access Policy, and then click Manage Central access policies.

  6. In the Central Access Policies Configuration dialog box, click Add, select Adatum Only Access Policy, and then click OK.

  7. Close the Group Policy Management Editor. You have now added the central access policy to Group Policy.

Create the Earnings folder on the file server

Create a new NTFS volume on FILE1, and create the following folder: D:\Earnings.

Note

Central access policies are not enabled by default on the system or boot volume C:.

Set classification and apply the central access policy on the Earnings folder

To assign the central access policy on the file server
  1. In Hyper-V Manager, connect to server FILE1. Sign in to the server as Contoso\Administrator with the password pass@word1.

  2. Open an elevated command prompt and type: gpupdate /force. This ensures that your Group Policy changes take effect on the server.

  3. You also need to refresh the Global Resource Properties from Active Directory. Open Windows PowerShell, type Update-FsrmClassificationPropertyDefinition, and then press ENTER. Close Windows PowerShell.

  4. Open Windows Explorer, and navigate to D:\EARNINGS. Right-click the Earnings folder, and click Properties.

  5. Click the Classification tab. Select Company, and then select Adatum in the Value field.

  6. Click Change, select Adatum Only Access Policy from the drop-down menu, and then click Apply.

  7. Click the Security tab, click Advanced, and then click the Central Policy tab. You should see AdatumEmployeeAccessRule listed. You can expand the item to view all of the permissions that you set when you created the rule in Active Directory.

  8. Click OK to return to Windows Explorer.
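Step 7 confirms the binding through the Explorer UI. The following added PowerShell check (example code, not part of the original guide) does the same from FILE1 without the GUI: a central access policy is stored on the folder as a Scoped Policy ID ACE (SDDL type SP) in the SACL, carrying the policy's S-1-17 identifier, and that identifier is matched against the PolicyID of the policies defined in contoso.com. It assumes an elevated session (reading the SACL needs the security privilege), that the .NET SDDL conversion exposes the SP ACE, and the lab's folder and domain names; the function name is made up for this example.

```powershell
# Added example (not part of the original lab guide): verify from FILE1 which
# central access policy, if any, is bound to a folder, and list its rules.
# Run elevated as Contoso\Administrator.
Import-Module ActiveDirectory

function Get-FolderCentralAccessPolicy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Server = 'contoso.com'
    )
    # -Audit is needed to read the SACL, where the Scoped Policy ID ACE lives.
    $acl  = Get-Acl -Path $Path -Audit
    $sddl = $acl.GetSecurityDescriptorSddlForm('All')

    # ACE layout: (SP;<inheritance flags>;;;;<CAP SID>), e.g. (SP;OICI;;;;S-1-17-...)
    $match = [regex]::Match($sddl, '\(SP;[^;]*;;;;(S-1-17-[0-9-]+)\)')
    if (-not $match.Success) {
        return [pscustomobject]@{
            Path = $Path; PolicyId = $null
            PolicyName = '(no central access policy applied)'; Rules = @()
        }
    }
    $capId = $match.Groups[1].Value

    # msAuthz-CentralAccessPolicyID is surfaced as PolicyID; compare as strings.
    $cap = Get-ADCentralAccessPolicy -Filter * -Server $Server -Properties PolicyID, Members |
           Where-Object { "$($_.PolicyID)" -eq $capId }

    [pscustomobject]@{
        Path       = $Path
        PolicyId   = $capId
        PolicyName = $(if ($cap) { $cap.Name } else { "(ID $capId not found in $Server; re-run gpupdate and check the GPO)" })
        Rules      = $(if ($cap) {
                          $cap.Members | ForEach-Object { (Get-ADCentralAccessRule -Identity $_ -Server $Server).Name }
                      } else { @() })
    }
}

Get-FolderCentralAccessPolicy -Path 'D:\Earnings' | Format-List
```

For this lab the expected output names Adatum Only Access Policy with AdatumEmployeeAccessRule under Rules. A result of "no central access policy applied" after step 6 usually means the GPO from the previous section has not reached FILE1 yet (repeat gpupdate /force and Update-FsrmClassificationPropertyDefinition), while an ID that is not found in contoso.com indicates the policy was removed or recreated in AD after it was applied to the folder.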