Adding and Removing Trusted User Domains

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default, RMS does not service requests from users whose rights account certificates were issued by a different RMS installation. However, you can add user domains to the list of trusted user domains, which allows RMS to process such requests.

For each trusted domain, you can also add and remove specific users or groups of users. In addition, you can remove a trusted user domain; however, you cannot remove the root cluster for this Active Directory forest from the trusted user domains. Every server in an RMS deployment trusts the root cluster in its own forest.

You can manage trusted user domains as follows:

  • To support external users in general, you can add the Windows Live ID service to the list of trusted domains. This allows an RMS server that is in your organization to process licensing requests that include a rights account certificate issued by the Windows Live ID service.

  • To trust external users from another organization’s RMS installation, you can add the organization to the list of trusted user domains. This allows an RMS server to process a licensing request that includes a rights account certificate that was issued by an RMS server in another organization.

  • In the same manner, to process licensing requests from users within your own organization who reside in a different Active Directory forest, you can add the RMS installation in that forest to the list of trusted user domains. This allows an RMS server that is in the current forest to process a licensing request that includes a rights account certificate issued by an RMS root cluster in the other forest.

  • For each trusted user domain you can specify which e-mail domains are trusted. For trusted Windows Live ID domains, you can specify which e-mail users or domains are not trusted.
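The rules in the list above amount to a default-deny decision on the issuer of the rights account certificate, followed by per-domain e-mail filtering. The following Python model is an added illustration, not RMS code or a Microsoft API; the class and function names, the sample issuers and addresses, and the rule that an empty trusted e-mail list means no filtering are assumptions.

```python
# Conceptual model of the trust decision described above. Not RMS code:
# every name here is hypothetical and all sample values are constructed.
from dataclasses import dataclass, field

@dataclass
class TrustedUserDomain:
    issuer: str                    # installation that issued the rights account certificate (RAC)
    is_forest_root: bool = False   # root cluster of this forest: always trusted
    is_live_id: bool = False       # entry represents the Windows Live ID service
    trusted_email_domains: set = field(default_factory=set)  # empty = no filter (assumption)
    excluded: set = field(default_factory=set)  # Live ID only: users or domains not trusted

class TrustPolicy:
    def __init__(self, root_issuer):
        root = TrustedUserDomain(root_issuer, is_forest_root=True)
        self.domains = {root_issuer: root}

    def add(self, tud):
        self.domains[tud.issuer] = tud

    def remove(self, issuer):
        if self.domains[issuer].is_forest_root:
            raise ValueError("the forest root cluster cannot be removed")
        del self.domains[issuer]

    def services_request(self, rac_issuer, user_email):
        tud = self.domains.get(rac_issuer)
        if tud is None:
            return False           # default: RACs from other installations are refused
        email = user_email.lower()
        domain = email.rpartition("@")[2]
        if tud.is_live_id and (email in tud.excluded or domain in tud.excluded):
            return False           # explicitly untrusted Live ID user or domain
        if tud.trusted_email_domains and domain not in tud.trusted_email_domains:
            return False           # issuer trusted, but not this e-mail domain
        return True

def demo():
    policy = TrustPolicy("rms.corp.example")
    policy.add(TrustedUserDomain("rms.partner.example",
                                 trusted_email_domains={"partner.example"}))
    policy.add(TrustedUserDomain("live-id", is_live_id=True,
                                 excluded={"blocked@mail.example"}))
    requests = [("rms.corp.example", "alice@corp.example"),
                ("rms.unknown.example", "eve@unknown.example"),
                ("rms.partner.example", "bob@partner.example"),
                ("rms.partner.example", "bob@other.example"),
                ("live-id", "blocked@mail.example"),
                ("live-id", "carol@mail.example")]
    return [policy.services_request(i, e) for i, e in requests]
```

When reviewing a deployment, the partner case is the one to check: trusting an issuer without restricting its e-mail domains accepts every rights account certificate that installation issues.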

To add an RMS installation to the list of trusted user domains, you must import the server licensor certificate of the RMS installation that you want to add. The administrator of that installation must first export the server licensor certificate from the root cluster that you want to trust and send the certificate file to you. You can then import the file by specifying the file location. To save the file, the user who is logged on must have permissions for the shared folder.

Note

The private key information is not transferred when you set up a trusted user domain.

For step-by-step instructions about how to establish trusted user domains, see “To Add a Trusted User Domain” later in this subject.