Step 2: Configure AD RMS to Work Across Forests

Applies To: Windows Server 2008, Windows Server 2008 R2

In this step, you do the following:

  • Create a trusted user domain between the AD RMS installations

  • Enable anonymous access on the AD RMS licensing pipeline

  • Extend Active Directory schema

  • Create contact objects and distribution groups

Create a trusted user domain between the AD RMS installations

In a default AD RMS installation, use licenses are not issued to users whose rights account certificates (RACs) were issued by a different AD RMS cluster. You can configure AD RMS so that it processes this type of request by importing the trusted user domain (TUD) of the other AD RMS installation. The TUD file carries that cluster's server licensor certificate; importing it tells your cluster to accept every RAC that chains to that certificate, so import only TUDs from clusters you intend to trust.

The trusted user domain must be exported from one AD RMS cluster and then imported into the other, in each direction if users in both forests consume content protected by the other. A trusted user domain is required only if the AD RMS clusters are in different forests.

First, export the trusted user domain by using the Active Directory Rights Management Services console.

To export a trusted user domain from the cpandl.com domain

  1. Log on to ADRMS-SRV as cpandl\adrmsadmin.

  2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Expand the AD RMS cluster, and then expand Trust Policies.

  5. Click Trusted User Domains, right-click the certificate named Enterprise, and then click Export Trusted User Domain.

  6. In the File name box, type \\adrms-db\public\cpandlTUD.bin, and then click Save.

Note

For scenarios in which the domains are in different networks, make sure that the administrator in the second domain can access the location of this file. The file contains only the cluster's public server licensor certificate, so it is not secret, but anyone who can substitute it can get a rogue cluster trusted; confirm with the other administrator, over a separate channel, that the file you import is the one they exported.

Next, import the trusted user domain that was just exported from the AD RMS cluster in the CPANDL domain into the TREYRESEARCH domain by using the Active Directory Rights Management Services console.

To import a trusted user domain file into the treyresearch.net domain

  1. Log on to TREY-ADRMS as treyresearch\adrmsadmin.

  2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Expand the AD RMS cluster, expand Trust Policies, right-click Trusted User Domains, and then click Import Trusted User Domain.

  5. In the Trusted user domain file box, type \\adrms-db\public\cpandlTUD.bin.

  6. In the Display name box, type CPANDL.COM, and then click Finish.

Finally, repeat the above procedures and import the Trey Research trusted user domain file into the CPANDL domain.

To export a trusted user domain from the treyresearch.net domain

  1. Log on to TREY-ADRMS as treyresearch\adrmsadmin.

  2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Expand the AD RMS cluster, and then expand Trust Policies.

  5. Click Trusted User Domains, right-click the certificate named Enterprise, and then click Export Trusted User Domain.

  6. In the File name box, type \\adrms-db\public\treyresearchTUD.bin, and then click Save.

Note

For scenarios in which the domains are in different networks, make sure that the users in the second domain can access the location of this file.

To import a trusted user domain file into the cpandl.com domain

  1. Log on to ADRMS-SRV as cpandl\adrmsadmin.

  2. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Expand the AD RMS cluster, expand Trust Policies, right-click Trusted User Domains, and then click Import Trusted User Domain.

  5. In the Trusted user domain file box, type \\adrms-db\public\treyresearchTUD.bin.

  6. In the Display name box, type TREYRESEARCH.NET, and then click Finish.
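The two export/import procedures above can also be scripted. The following is an added example, not part of this guide, that exports the local cluster's TUD, records its SHA-256 so the other administrator can confirm it out of band, and refuses to import the peer's TUD if the file does not match the hash that was agreed. It assumes the AdRmsAdmin PowerShell module of Windows Server 2008 R2 (the Export-RmsTUD, Import-RmsTUD and Get-RmsTUD cmdlets, the provider root http://localhost and the TrustPolicy\TrustedUserDomain path come from that module and are not shown in this guide); the file names are the guide's lab values.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell on
# an AD RMS cluster node; needs the AdRmsAdmin module (Windows Server 2008 R2).
# Assumptions: provider root "http://localhost" and the provider path
# TrustPolicy\TrustedUserDomain are taken from that module, not from this guide.

Import-Module AdRmsAdmin
New-PSDrive -Name Rms -PSProvider AdRmsAdmin -Root 'http://localhost' | Out-Null
$TudPath = 'Rms:\TrustPolicy\TrustedUserDomain'

function Get-FileSha256 {
    # SHA-256 of a file, built on .NET so it also works on the PowerShell 2.0
    # that ships with Windows Server 2008 R2 (Get-FileHash arrived later).
    param([string]$File)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($File)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Export-OwnTud {
    # Export this cluster's TUD and return the hash to hand to the peer admin.
    param([string]$SavedFile)           # e.g. \\adrms-db\public\cpandlTUD.bin
    Export-RmsTUD -Path $TudPath -SavedFile $SavedFile
    Get-FileSha256 $SavedFile
}

function Import-PeerTud {
    # Import the other forest's TUD only if the file matches the hash the peer
    # administrator gave you over a separate channel (phone, signed mail).
    param([string]$SourceFile, [string]$DisplayName, [string]$ExpectedSha256)
    $actual = Get-FileSha256 $SourceFile
    if ($actual -ne $ExpectedSha256.ToLower()) {
        throw "TUD file $SourceFile hash $actual does not match expected $ExpectedSha256; not importing"
    }
    Import-RmsTUD -Path $TudPath -SourceFile $SourceFile -DisplayName $DisplayName
    Get-RmsTUD -Path $TudPath        # lists Enterprise plus the TUD just imported
}

# On ADRMS-SRV (cpandl.com):
#   $hash = Export-OwnTud -SavedFile '\\adrms-db\public\cpandlTUD.bin'
# On TREY-ADRMS (treyresearch.net), after receiving $hash out of band:
#   Import-PeerTud -SourceFile '\\adrms-db\public\cpandlTUD.bin' -DisplayName 'CPANDL.COM' -ExpectedSha256 $hash
# Then repeat in the other direction with treyresearchTUD.bin and 'TREYRESEARCH.NET'.
```

Run the export half on each cluster and the import half on the other; the hash comparison is what stops a file swapped on the \\adrms-db\public share from getting a third cluster trusted.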

Enable anonymous access on the AD RMS licensing pipeline

For each AD RMS cluster, you must enable anonymous access on the license.asmx and servicelocator.asmx files in the AD RMS licensing pipeline. Clients from the other forest cannot authenticate to this cluster with Windows integrated authentication, so these two endpoints must accept the connection and authorize the request by the RAC it carries, which the cluster validates against the trusted user domains imported in the previous procedure. Enable anonymous access on these two files only, not on the licensing directory as a whole.

To enable anonymous access on the AD RMS licensing pipeline

  1. Log on to ADRMS-SRV as cpandl\adrmsadmin.

  2. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  4. Expand the server node, expand Sites, expand Default Web Site, and then expand _wmcs.

  5. Right-click the licensing folder, and then click Switch to Content View.

  6. Right-click ServiceLocator.asmx, and then click Switch to Features View.

  7. Under IIS, double-click Authentication, right-click Anonymous Authentication, and then click Enable.

  8. Right-click the licensing directory again, and then click Switch to Content View.

  9. Right-click license.asmx, and then click Switch to Features View.

  10. Double-click Authentication, right-click Anonymous Authentication, and then click Enable.

  11. Log on to TREY-ADRMS as treyresearch\adrmsadmin and repeat steps 2-10 for the treyresearch.net domain.
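The same change can be made and verified from the command line. The following is an added example, not part of this guide, that enables anonymous authentication on exactly the two files named above with appcmd.exe, reads the effective setting back, and warns if the whole licensing directory has been opened instead. It assumes the default site name and the _wmcs layout that AD RMS setup creates.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell on
# each cluster node (ADRMS-SRV, then TREY-ADRMS). Assumes the default site name
# and the default _wmcs layout that AD RMS setup creates.

$AppCmd    = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$Section   = 'system.webServer/security/authentication/anonymousAuthentication'
$Licensing = 'Default Web Site/_wmcs/licensing'

function Get-AnonymousAuth {
    # Returns $true/$false for the effective anonymousAuthentication setting.
    param([string]$ConfigPath)
    $out = (& $AppCmd list config "$ConfigPath" "/section:$Section") -join ' '
    if ($out -match 'enabled="(true|false)"') { return $Matches[1] -eq 'true' }
    throw "Could not read $Section for $ConfigPath"
}

function Enable-AnonymousAuth {
    # The section is locked at server level, so the change has to be written to
    # applicationHost.config as a <location> entry for this file (/commit:apphost).
    param([string]$ConfigPath)
    & $AppCmd set config "$ConfigPath" "/section:$Section" '/enabled:true' '/commit:apphost' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed for $ConfigPath" }
}

foreach ($file in 'ServiceLocator.asmx', 'license.asmx') {
    $path = "$Licensing/$file"
    if (-not (Get-AnonymousAuth $path)) { Enable-AnonymousAuth $path }
    '{0}: anonymous={1}' -f $path, (Get-AnonymousAuth $path)
}

# Guard against an over-broad change: only the two files should be anonymous.
if (Get-AnonymousAuth $Licensing) {
    Write-Warning "Anonymous authentication is enabled on the whole $Licensing directory; the guide enables it only on the two .asmx files."
}
```

The final check matters because enabling the setting one level too high (on the licensing folder) silently widens what an unauthenticated client can reach.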

Extend Active Directory schema

When users across Active Directory forests need to exchange rights-protected content, the AD RMS clusters need to know the forest in which the user account or group resides. This is done by using the msExchOriginatingForest Active Directory schema attribute. This schema attribute is installed with Microsoft Exchange Server 2003 and later. If you do not have an Exchange server deployed in your environment, you must extend the schema to include this attribute by using ldifde.exe from the command prompt on a domain controller in each forest. Schema changes are accepted only by the schema master domain controller of the forest, and the account running ldifde must be a member of Schema Admins; in this guide's single-domain-controller forests, CPANDL-DC and TREY-DC hold that role, and the built-in Administrator account of each forest root domain is a member of Schema Admins by default.

Extend the schema in the cpandl.com domain

To extend the schema in the cpandl.com domain you should copy the following text into a text file named cpandl.ldf. In this guide, you save it to the cpandl\administrator desktop on CPANDL-DC.

dn: CN=ms-Exch-Originating-Forest,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0



dn: CN=Contact,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-



dn: CN=Group,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-



dn: CN=User,CN=Schema,CN=Configuration,DC=CPANDL,DC=COM
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

Finally, you should run the ldifde.exe command to extend the schema by using the following procedure:

To run the ldifde command to extend the schema

  1. Log on to CPANDL-DC as cpandl\administrator.

  2. Click Start, and then click Command Prompt.

  3. Type the following, and then press ENTER:

    cd %systemdrive%\Users\Administrator\Desktop

    where %systemdrive% is the volume on which Windows Server 2008 is installed.

  4. Type the following, and then press ENTER:

    ldifde.exe -s cpandl-dc -v -i -k -f cpandl.ldf /c "CN=Schema,CN=Configuration,DC=CPANDL,DC=COM" "CN=Schema,CN=Configuration,DC=CPANDL,DC=COM"

Note

The last two entries of this command are the same because the source and target names are the same: the -c switch rewrites distinguished names from the first value to the second, which is useful when the .ldf file was written for another forest. The -k switch makes ldifde continue past Constraint Violation and Object Already Exists errors, so rerunning the import is safe, but it also hides those errors, which is why the entry count in the next step must be checked.

  5. To confirm that the command was successful, the last two lines of the output should say the following:

    4 entries modified successfully.

    The command has completed successfully.

Extend the schema in the treyresearch.net domain

To extend the schema in the treyresearch.net domain you should copy the following text into a text file named trey.ldf. In this guide, you save it to the treyresearch\administrator desktop on TREY-DC.

dn: CN=ms-Exch-Originating-Forest,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: add
adminDescription: ms-Exch-Originating-Forest
adminDisplayName: ms-Exch-Originating-Forest
attributeID: 1.2.840.113556.1.4.7000.102.50300
attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==
attributeSyntax: 2.5.5.12
isMemberOfPartialAttributeSet: TRUE
isSingleValued: FALSE
lDAPDisplayName: msExchOriginatingForest
name: ms-Exch-Originating-Forest
oMSyntax: 64
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
objectClass: attributeSchema
schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==
searchFlags: 0



dn: CN=Contact,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-



dn: CN=Group,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-



dn: CN=User,CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET
changetype: modify
add: mayContain
mayContain: msExchOriginatingForest
-

Finally, you should run the ldifde.exe command to extend the schema by using the following procedure:

To run the ldifde command to extend the schema

  1. Log on to TREY-DC as treyresearch\administrator.

  2. Click Start, and then click Command Prompt.

  3. Type the following, and then press ENTER:

    cd %systemdrive%\Users\Administrator\Desktop

    where %systemdrive% is the volume on which Windows Server 2008 is installed.

  4. Type the following, and then press ENTER:

    ldifde.exe -s trey-dc -v -i -k -f trey.ldf /c "CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET" "CN=Schema,CN=Configuration,DC=TREYRESEARCH,DC=NET"

Note

The last two entries of this command are the same because the source and target name are the same.

  5. To confirm that the command was successful, the last two lines of the output should say the following:

    4 entries modified successfully.

    The command has completed successfully.
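Both schema procedures above (cpandl.com and treyresearch.net) apply the same .ldf with only the forest's distinguished name changed. The following is an added example, not part of this guide, that generates that .ldf for whichever forest the domain controller belongs to by reading the schema naming context from RootDSE, applies it on the schema master with ldifde, and verifies that the attribute exists and that User, Contact and Group may contain it. It goes slightly beyond the guide's file by appending a schemaUpdateNow entry so the domain controller reloads its schema cache at once; the verification step assumes the ActiveDirectory module of Windows Server 2008 R2, and the function names are the example's own.

```powershell
# Added example, not from the original guide. Run as a member of Schema Admins on
# a domain controller of the forest being extended (CPANDL-DC or TREY-DC). The
# verification uses the ActiveDirectory module (Windows Server 2008 R2); the
# ldifde call itself has no such dependency. Adds a schemaUpdateNow entry, which
# the guide's .ldf does not contain, so the new attribute is usable immediately.

Import-Module ActiveDirectory

$schemaNC     = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext   # this forest's schema DN
$schemaMaster = (Get-ADForest).SchemaMaster                             # only DC that accepts schema writes
$ldfPath      = Join-Path $env:TEMP 'msExchOriginatingForest.ldf'

function Test-ForestAttribute {
    # $true if msExchOriginatingForest already exists (Exchange 2003 and later add it).
    [bool](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msExchOriginatingForest)')
}

function Write-ForestAttributeLdf {
    # Same content as the guide's cpandl.ldf/trey.ldf, with the DN taken from
    # RootDSE so no -c rewriting is needed, plus a schema cache reload at the end.
    $lines = @(
        "dn: CN=ms-Exch-Originating-Forest,$schemaNC",
        'changetype: add',
        'adminDescription: ms-Exch-Originating-Forest',
        'adminDisplayName: ms-Exch-Originating-Forest',
        'attributeID: 1.2.840.113556.1.4.7000.102.50300',
        'attributeSecurityGuid:: VAGN5Pi80RGHAgDAT7lgUA==',
        'attributeSyntax: 2.5.5.12',
        'isMemberOfPartialAttributeSet: TRUE',
        'isSingleValued: FALSE',
        'lDAPDisplayName: msExchOriginatingForest',
        'name: ms-Exch-Originating-Forest',
        'oMSyntax: 64',
        "objectCategory: CN=Attribute-Schema,$schemaNC",
        'objectClass: attributeSchema',
        'schemaIdGuid:: 5h1nFlOXv0eaEr4xq+CvCA==',
        'searchFlags: 0',
        ''
    )
    foreach ($cls in 'Contact', 'Group', 'User') {
        $lines += "dn: CN=$cls,$schemaNC", 'changetype: modify', 'add: mayContain',
                  'mayContain: msExchOriginatingForest', '-', ''
    }
    # Force the DC to reload its schema cache so the attribute can be set at once.
    $lines += 'dn:', 'changetype: modify', 'add: schemaUpdateNow', 'schemaUpdateNow: 1', '-'
    Set-Content -Path $ldfPath -Value $lines -Encoding ASCII
    $ldfPath
}

function Test-SchemaExtension {
    # One row per class; throws if any class still lacks the attribute.
    $results = foreach ($cls in 'Contact', 'Group', 'User') {
        $mc = (Get-ADObject -Identity "CN=$cls,$schemaNC" -Properties mayContain).mayContain
        New-Object PSObject -Property @{ Class = $cls; HasAttribute = ($mc -contains 'msExchOriginatingForest') }
    }
    $results
    if ($results | Where-Object { -not $_.HasAttribute }) { throw 'Schema extension incomplete' }
}

function Invoke-SchemaExtension {
    if (Test-ForestAttribute) { Write-Warning 'msExchOriginatingForest already exists; the attribute add will be skipped by -k' }
    $file = Write-ForestAttributeLdf
    # -k keeps going on Object Already Exists / Constraint Violation, so this is
    # safe to rerun; the LDAP verification below, not the exit code, is the real check.
    & ldifde.exe -i -f $file -s $schemaMaster -k -v -j $env:TEMP
    Test-SchemaExtension
}

Invoke-SchemaExtension
```

Because the extra schemaUpdateNow entry is one more record, a clean run reports 5 entries modified rather than the 4 shown in the procedure above.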

Create contact objects and distribution groups

Active Directory contact objects are used to tell the AD RMS cluster the forest in which a user account resides. Similarly, distribution groups are used to tell the AD RMS cluster the forest in which a group resides. You must create contact objects and distribution groups in each forest for every user and group from the other forest that will be used with AD RMS, and set msExchOriginatingForest on each of them to the DNS name of the forest that holds the real account. In this guide, you create a contact object for Terrence Philip in cpandl.com and one for Nicole Holliday in treyresearch.net, and in each forest a distribution group that represents the other forest's Employees group.

Create the contact objects by using the following procedure:

To create an Active Directory contact object for the cpandl.com domain

  1. Log on to CPANDL-DC as cpandl\Administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Click View, and then click Advanced Features.

  4. Expand cpandl.com, right-click Users, point to New, and then click Contact.

  5. In the Full Name and Display name boxes, type Terrence Philip, and then click OK.

  6. Open the Users folder, and then double-click the Terrence Philip contact object.

  7. In the E-mail box, type tphilip@treyresearch.net, and then click Apply.

  8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes box, and then click Edit.

  9. In the Value to add box, type treyresearch.net, click Add, and then click OK.

  10. Click OK to close the Terrence Philip properties sheet.

Next, create the contact objects in the Trey Research domain:

To create an Active Directory contact object for the treyresearch.net domain

  1. Log on to TREY-DC as treyresearch\Administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Click View, and then click Advanced Features.

  4. Expand treyresearch.net, right-click Users, point to New, and then click Contact.

  5. In the Full Name and Display name boxes, type Nicole Holliday, and then click OK.

  6. Open the Users folder, and then double-click the Nicole Holliday contact object.

  7. In the E-mail box, type nhollida@cpandl.com, and then click Apply.

  8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes box, and then click Edit.

  9. In the Value to add box, type cpandl.com, click Add, and then click OK.

  10. Click OK to close the Nicole Holliday properties sheet.

Next, create the distribution groups and assign the appropriate msExchOriginatingForest schema attribute value to each group.

To create the Trey Research Employees distribution group for the cpandl.com domain

  1. Log on to CPANDL-DC as cpandl\Administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Click View, and then click Advanced Features.

  4. Expand cpandl.com, right-click Users, point to New, and then click Group.

  5. In the Group name box, type Trey Research Employees, click the Universal option, click the Distribution option, and then click OK.

  6. Open the Users folder, and then double-click the Trey Research Employees distribution group.

  7. In the E-mail box, type employees@treyresearch.net, and then click Apply.

  8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes box, and then click Edit.

  9. In the Value to add box, type treyresearch.net, click Add, and then click OK.

  10. Click OK to close the Trey Research Employees properties sheet.

Finally, create the CPANDL Employees distribution group in the treyresearch.net domain and set its msExchOriginatingForest schema attribute in the same way.

To create the CPANDL Employees distribution group for the treyresearch.net domain

  1. Log on to TREY-DC as treyresearch\Administrator.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Click View, and then click Advanced Features.

  4. Expand treyresearch.net, right-click Users, point to New, and then click Group.

  5. In the Group name box, type CPANDL Employees, click the Universal option, click the Distribution option, and then click OK.

  6. Open the Users folder, and then double-click the CPANDL Employees distribution group.

  7. In the E-mail box, type employees@cpandl.com, and then click Apply.

  8. Click the Attribute Editor tab, click msExchOriginatingForest in the Attributes box, and then click Edit.

  9. In the Value to add box, type cpandl.com, click Add, and then click OK.

  10. Click OK to close the CPANDL Employees properties sheet.
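The four object-creation procedures above are the same two operations applied in each forest. The following is an added example, not part of this guide, that creates a stand-in contact or universal distribution group with mail and msExchOriginatingForest set in one call, and then audits every object carrying that attribute: the forest it names must be one whose TUD was imported, and, following the convention this guide uses, it should equal the mail domain, because AD RMS looks users and groups up by e-mail address. It assumes the ActiveDirectory module of Windows Server 2008 R2 and the schema extension from the previous procedure; the function names are the example's own.

```powershell
# Added example, not from the original guide. Run on a domain controller of the
# forest in which the objects are created (CPANDL-DC for the Trey Research
# stand-ins, TREY-DC for the CPANDL ones). Needs the ActiveDirectory module
# (Windows Server 2008 R2) and the msExchOriginatingForest schema extension.

Import-Module ActiveDirectory
$UsersPath = 'CN=Users,' + (Get-ADDomain).DistinguishedName

function New-ForeignUserContact {
    # Contact that stands in for a user whose account lives in another forest.
    param([string]$Name, [string]$Mail, [string]$HomeForest)
    New-ADObject -Name $Name -Type contact -Path $UsersPath -DisplayName $Name -PassThru `
        -OtherAttributes @{ mail = $Mail; msExchOriginatingForest = $HomeForest }
}

function New-ForeignGroup {
    # Universal distribution group that stands in for a group in another forest.
    param([string]$Name, [string]$Mail, [string]$HomeForest)
    New-ADGroup -Name $Name -GroupScope Universal -GroupCategory Distribution -Path $UsersPath -PassThru `
        -OtherAttributes @{ mail = $Mail; msExchOriginatingForest = $HomeForest }
}

function Test-ForeignObjects {
    # Cross-check every object carrying msExchOriginatingForest: the value must
    # name a forest whose TUD was imported, and (this guide's convention) should
    # match the mail domain, since AD RMS matches users and groups by e-mail.
    param([string[]]$TrustedForests)   # DNS names of the forests whose TUDs you imported
    Get-ADObject -LDAPFilter '(msExchOriginatingForest=*)' -Properties mail, msExchOriginatingForest |
      ForEach-Object {
        $forest     = [string]($_.msExchOriginatingForest | Select-Object -First 1)  # attribute is multi-valued
        $mailDomain = if ($_.mail) { ($_.mail -split '@')[-1] } else { '' }
        $problem    = if ($TrustedForests -notcontains $forest) { 'forest has no imported TUD' }
                      elseif ($mailDomain -ne $forest)            { 'mail domain differs from forest' }
                      else                                         { '' }
        New-Object PSObject -Property @{
            Name = $_.Name; Class = $_.ObjectClass; Mail = $_.mail; Forest = $forest; Problem = $problem
        }
      }
}

# On CPANDL-DC (cpandl.com), the objects this guide creates by hand:
#   New-ForeignUserContact -Name 'Terrence Philip' -Mail 'tphilip@treyresearch.net' -HomeForest 'treyresearch.net'
#   New-ForeignGroup -Name 'Trey Research Employees' -Mail 'employees@treyresearch.net' -HomeForest 'treyresearch.net'
#   Test-ForeignObjects -TrustedForests 'treyresearch.net' | Format-Table Name, Class, Mail, Forest, Problem
# On TREY-DC (treyresearch.net), the mirror image with nhollida@cpandl.com, employees@cpandl.com and 'cpandl.com'.
```

A non-empty Problem column points at an object that will either never match an incoming RAC or names a forest this cluster does not trust, which is the usual reason a cross-forest use license request fails after the trust itself looks correct.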