October 2015 - My Tech Website

3- EXCHANGE_OI on HASIMI NODE2 – Action Media Clipboard View Help Virtual Machine Connection The application encountered an error while attempting to change the state of •g- EXCHANGE 01

•3- EXCHANGE_OI’ could not initialize. Could not initiallze machine remoting system. Error. •Element not found.’ (000070490). not find a usable cetificate. Element not found.’ (0000704″).

•3- EXCHANGE_OI’ could not initialize. (Virtual machine 10 B967FUc-20A2-43BD.83EE.99R321DCD55) •3- EXCHANGE_OI’ could not initialize machine remoting system. Error: ‘Element not found.'(Ox8D070490). (Virtual machine ID g967FUc.20A2-43gD.B3EE.g9A2321DCD55)

•3- EXCHANGE_OI’ could not find a usable certificate. Error: ‘Element not Status: Off found.’ (oxeoc70490). machine B967FUc-20A2-a3BD-B3EE-99A2321DCD55) @ Hide details Close Symptoms

If the Hyper-V Host Server doesn’t have internet and you have configured it after creating a VM then the server date will change and the self-signed certificate date will change as it won’t be verified by Hyper V manager and will cause launching the VM to fail to start.

Solution:

Delete old certificate and Create a new Self signed certificate.

To do so open MMC

Navigate to Certificates

In Certificates select Service Account

Choose local computer and click next

Then select the Hyper-V Virtual Machine Management Service account and open

Under the Personal, check the date of the certificate there ..

Delete the certificate

Open Service Console and restart all Hyper-V Services

Once the service is restarted, you’ll see a new certificate that has been automatically created

Now if you try to open the VM console again, it should work.

For any questions. please leave a comment

In this post I am going to demonstrate how to integrate Office 365 RMS (Basic) with Office 365 Exchange online in Hybrid Environment with Exchange 2013 and Exchange 2010 in the same organization and then I’ll activate Azure RMS to deploy a new template and apply it on my on-premises Exchange servers.

To do this, you will need

1- an active Office 365 subscription with Exchange online.

2- Azure Subscription.

3- One Public IP to publish RMS URL.

4- Access to your public domain’s DNS to create the RMS A record.

5- Public Certificate that includes the RMS SAN in order to work with Azure RMS.

Starting with the deployment I will start by Introducing a small summary of what’s RMS from MS KB article.

1- AZURE RMS in Exchange Hybrid deployment:

Overview of the Microsoft Rights Management connector

The Microsoft Rights Management (RMS) connector lets you quickly enable existing on-premises servers to use their Information Rights Management (IRM) functionality with the cloud-based Microsoft Rights Management service (Azure RMS). With this functionality, IT and users can easily protect documents and pictures both inside your organization and outside, without having to install additional infrastructure or establish trust relationships with other organizations. You can use this connector even if some of your users are connecting to online services, in a hybrid scenario. For example, some users’ mailboxes use Exchange Online and some users’ mailboxes use Exchange Server. After you install the RMS connector, all users can protect and consume emails and attachments by using Azure RMS, and information protection works seamlessly between the two deployment configurations.

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

Applications that support Azure RMS

From <https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedApplications>

Requirements for Azure Rights Management

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

Prerequisites for the RMS connector

The Rights Management (RMS) service is activated

Click Manage

Click Activate

Activated

2. Second Requirement: Organization must have Azure AD and AADSync enabled with local AD.

I’ll activate Azure AD in order to support user authentication for RMS.

Azure RMS templates

3. Third Requirement: Clients must support RMS (Windows)

https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedDevices

4. Users must run applications that support RMS.

https://technet.microsoft.com/en-us/library/dn655136.aspx#BKMK_SupportedApplications

5. Firewall must be enabled for RMS

Check ports and IPs

https://support.office.com/en-US/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2

Note:

The following deployment scenario is not supported:

Running AD RMS and Azure RMS side-by-side in the same organization, except during migration, as described in Migrating from AD RMS to Azure Rights Management.

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

6. RMS Licenses:

Cloud subscriptions that support Azure RMS

To use Azure RMS, you must have at least one of the following subscriptions:

Office 365
Azure RMS Standalone
Enterprise Mobility Suite
RMS for individuals

From <https://technet.microsoft.com/en-us/library/dn655136.aspx>

Note: In Enterprise Plan 3 RMS already exists with basic access

Subscription to use (Office 365 or Azure RMS) and control RMS templates

Azure AD

If you want to manage and control RMS templates you’ll need to have Azure Subscription where you can manage the templates of your Azure AD.

Office 365

If you only have Office 365 subscription and you don’t want to activate your azure AD then you won’t have access to the templates to configure new templates.

7. Integration of Azure RMS with Exchange 2013 On-premises (With Exchange 2010) and Hybrid integration with Exchange online

Windows Requirements

You will also need to install on these servers, a version of the RMS client that includes support for RMS Cryptographic Mode 2. The minimum version that is supported in Windows Server 2008 is included in the hotfix that you can download from RSA key length is increased to 2048 bits for AD RMS in Windows Server 2008 R2 and in Windows Server 2008. The minimum version for Windows Server 2008 R2 can be downloaded from RSA key length is increased to 2048 bits for AD RMS in Windows 7 or in Windows Server 2008 R2. Windows Server 2012 and Windows Server 2012 R2 natively support Cryptographic Mode 2.

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

Exchange Requirements

Note:

To Use RMS with Exchange 2010 you will need Exchange 2010 SP3 RU6 installed and for Exchange 2013 you’ll need CU3 or Later (Build 15.00.0775.038).

Exchange Server 2010 with Exchange 2010 Service Pack 3 Rollup Update 6

From <https://technet.microsoft.com/en-us/library/dn375964.aspx>

My Servers

My Exchange 2010 server (Exch01) has SP3 but no RU installed. So I’ll install the latest RU since it includes all the previous rollups already.

http://go.microsoft.com/fwlink/p/?LinkId=616365

Exchange 2013 Server has CU8 installed so I don’t need to install anything on it.

Requirements to Install RMS connector

A- A minimum of two member computers on which to install the RMS connector:

A 64-bit physical or virtual computer running one of the following operating systems:
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
At least 1 GB of RAM
A minimum of 64 GB of disk space
At least one network interface
Access to the Internet via a firewall (or web proxy) that does not require authentication
Must be in a forest or domain that trusts other forests in the organization that contain installations of Exchange or SharePoint servers that you want to use with the RMS connector

From <https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_Prereqs>

B- Download the RMS connector tool from http://go.microsoft.com/fwlink/?LinkId=314106

Validating installation if successful or not by navigating to the below link on the server where RMS connector is installed.

A successful installation will show the below screenshot.

http://localhost/_wmcs/certification/servercertification.asmx

Configuring DNS for the URL

Configure the Exchange servers on premises to use Windows Azure Active Directory via the newly installed connector.

In order to setup the URL on Exchange 2013, you must download the script GenConnectorConfig.ps1 on Exchange 2013 Server and run it as following

Download Link

http://go.microsoft.com/fwlink/?LinkId=314106

I have published the RMS on my Pfsense Firewall (Reverse proxy) and I am able to browse to the page… (not able to authenticate though because I selected only Exchange servers group for authentication.

Now I will run the same script on Exchange 2010 but will change the parameter

.\GenConnectorConfig.ps1 -ConnectorUri http://rms.adeo-office365.ga -SetExchange2010

Now Enable Information Rights Management on Exchange on-premises Servers

In Microsoft Exchange Server 2013, Information Rights Management (IRM) is enabled by default for internal messages.

From <https://technet.microsoft.com/en-us/library/bb124077(v=exchg.150).aspx>

(NOTE: Seems that Microsoft is wrong about the IRM enabled by default for Internal messages as the InternalLicensingEnabled is set to False on my Exchange 2013 server).

Now On Exchange 2013 ECP I’ll check if the RMS is there or not!

I will create a new transport rule as following

If I am the recipient, I will be allowed to only view the email … let’s see this after we apply it

I have sent an email and it seems that the email has been encrypted and is asking me for my email confirmation or Phone number.

Trying to take a screenshot of the Email, It seems that the RMS is working perfectly since part of the view only permission is not taking screenshots of Outlook while the RMS is enabled.

Azure RMS Client for Windows

http://go.microsoft.com/fwlink/?LinkId=313954

REF

https://technet.microsoft.com/en-us/library/dn375964.aspx

https://technet.microsoft.com/en-us/library/dd638140(v=exchg.150).aspx#irm

https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_ExchangeServer

https://technet.microsoft.com/en-us/library/dn375964.aspx#BKMK_Prereqs

https://fazarsusanto.wordpress.com/2015/05/02/azure-rms-rms-connector/

To open a RMS encrypted PDF you’ll need to download the following:

RMS Client Download

http://download.microsoft.com/download/3/C/F/3CF781F5-7D29-4035-9265-C34FF2369FA2/setup_msipc_x64.exe

Microsoft Online Service Assistant

http://www.microsoft.com/en-us/download/details.aspx?id=28177

Once Signed in, you’ll get the following protection

Note:

If you try and share protected documents with any other mail service like Gmail or Hotmail you will get the following error.

Coming Soon

We can’t yet share protected files with some of your recipients.

-WORD documents

NOTES

Monday, September 14, 2015

1:56 PM

NOTEs:

If a user is activated in a transport role with RMS protection role (Office 365 RMS). Then the user won’t be allowed to use Azure RMS rules (Configure specific rule).

During this time the permission to use RMs will show up as following “Loading permissions…”

Transport rule may take 15 minutes to take affect after being created or deleted.
Sending email with Exchange online (Azure RMS Rule) with (View online rule) to another Office 365 tenant mail gives the following

In order to access e-mails that are sent to users from different tenants or business e-mails. You’ll have to get a free Microsoft RMS account from here

https://portal.aadrm.com/

Once you are signed up , you will get an e-mail like the following

After you sign in you’ll be able to access the protected document as in the below snapshot. And you can also view your permissions or whether you can edit/modify the document or not

The person who sent an email will also get a notification e-mail telling him that you’ve got access to the document if he has ticked the option that allow him to track the email that he sent along.

To compare between Azure RMS and AD RMS please navigate to the following link

Azure RMS comparison

If you have any question please don’t hesitate to contact me or leave a comment.

My Tech Website

Monthly Archives: October 2015

Enable PowerShell remotely on all PCs in a domain

The Application encountered an error while attempting to change the state of "VM"

Deploying Azure RMS with Exchange 2010 and Exchange 2013 on-premises and in Hybrid Environment with Exchange online

Just another IT Website