Your network contains an Active Directory forest named contoso.com. The forest contains two child
domains named east.contoso.com and west.contoso.com.
You install an Active Directory Rights Management Services (AD RMS) cluster in each child domain.
You discover that all of the users in the contoso.com forest are directed to the AD RMS cluster in
east.contoso.com.
You need to ensure that the users in west.contoso.com are directed to the AD RMS cluster in
west.contoso.com and that the users in east.contoso.com are directed to the AD RMS cluster in
east.contoso.com.
What should you do?

A. Modify the Service Connection Point (SCP).
B. Configure the Group Policy object (GPO) settings of the users in the west.contoso.com domain.
C. Configure the Group Policy object (GPO) settings of the users in the east.contoso.com domain.
D. Modify the properties of the AD RMS cluster in west.contoso.com.
Explanation:
The west.contoso.com users are the ones in trouble; they need to be redirected to west.contoso.com,
not east.contoso.com.
Note: It is recommended that you use GPO to deploy AD RMS client settings and that you only
deploy settings as needed.
AD RMS Best Practices Guide
Answer is B: Configure the Group Policy object (GPO) settings of the users in the west.contoso.com domain.
Resources:
http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx
“Only one SCP can exist in your Active Directory forest. If you try to install AD RMS and an SCP already exists in your forest from a previous AD RMS installation that was not properly deprovisioned, the new SCP will not install properly.”
and
https://technet.microsoft.com/en-us/library/jj735304(v=ws.11).aspx
“Create a group in Active Directory and use that for targeting AD RMS client deployment. It is recommended that you use GPO to deploy AD RMS client settings and that you only deploy settings as needed. Target settings using the same groups used for client deployment.”
Hope this helps…
5
0
The setup described in the question is NOT a recommended best practice according to:
https://technet.microsoft.com/en-us/library/jj735304(v=ws.11)
I did some research and found these articles giving deeper information about RMS service discovery; maybe they clear things up a little bit more for you:
https://technet.microsoft.com/en-us/library/cc755112.aspx
https://technet.microsoft.com/de-de/library/ee221071(v=ws.10).aspx (nearly at the end of this page you find “AD RMS Service Discovery” describing the registry stuff)
1
0
Because this topic bugs me a bit, I did more research and found further information:
https://docs.microsoft.com/en-us/information-protection/rms-client/client-deployment-notes#enabling-client-side-service-discovery-by-using-the-windows-registry
https://technet.microsoft.com/en-us/library/dd772665(v=ws.10).aspx
To me it looks like quite quirky, dirty stuff:
there are different reg keys, depending on the client’s software version, and no explicit GPO settings are mentioned anywhere.
So it looks to me like, if you want to do it right, you either have to create your own adm(x) template or hack the desired reg settings into the respective GPO Preference section.
1
0
I believe the correct answer is “B. Configure the Group Policy object (GPO) settings of the users in the west.contoso.com domain”.
The client will look for the AD RMS server by first checking its registers locally; then, if it does not find anything, it goes to the SCP in the forest; then it finally checks with the Azure Rights Management Discovery service if previous did respond.
Since we can only have one SCP per forest, we will have to put the AD RMS server location in a register for the client to use locally.
https://docs.microsoft.com/en-us/information-protection/rms-client/client-deployment-notes
1
0
if previous did not respond*
0
0
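As an added example (not code from any of the posts above), this PowerShell script writes the client-side service-discovery override discussed in the thread and then verifies it, covering only the MSIPC (RMS client 2.x) keys documented on the Microsoft client deployment notes page linked above. The cluster URL `https://rms.west.contoso.com` is an assumed placeholder, the function names are hypothetical, and in a GPO deployment the same keys and values would go into a Registry Preference item scoped to the west.contoso.com users' computers.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed placeholder URL: replace with the real west cluster address.
$ClusterUrl = 'https://rms.west.contoso.com'

# MSIPC (RMS client 2.x) override keys; older clients read different keys.
$Roots = @('HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit applications on 64-bit Windows read the redirected hive.
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation'
}
$Overrides = [ordered]@{
    EnterpriseCertification = "$ClusterUrl/_wmcs/Certification"
    EnterprisePublishing    = "$ClusterUrl/_wmcs/Licensing"
}

function Set-RmsServiceLocation {
    param([string[]]$Root, [System.Collections.IDictionary]$Map)
    foreach ($r in $Root) {
        foreach ($name in $Map.Keys) {
            $key = Join-Path $r $name
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # The URL is stored in the key's (Default) value.
            Set-Item -Path $key -Value $Map[$name]
        }
    }
}

function Test-RmsServiceLocation {
    param([string[]]$Root, [System.Collections.IDictionary]$Map)
    foreach ($r in $Root) {
        foreach ($name in $Map.Keys) {
            $key = Join-Path $r $name
            $actual = if (Test-Path $key) { (Get-Item $key).GetValue('') } else { $null }
            [pscustomobject]@{
                Key      = $key
                Expected = $Map[$name]
                Actual   = $actual
                # Flag a missing value, a different cluster, or a plain-HTTP URL.
                Ok       = ($actual -eq $Map[$name]) -and ($actual -like 'https://*')
            }
        }
    }
}

Set-RmsServiceLocation -Root $Roots -Map $Overrides
Test-RmsServiceLocation -Root $Roots -Map $Overrides | Format-Table -AutoSize
```

Running only `Test-RmsServiceLocation` on a client is a quick audit of which cluster a local override points to before the client falls back to the forest SCP.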