AD RMS Multi-forest Considerations

Applies To: Windows Server 2008, Windows Server 2008 R2

Only one Active Directory Rights Management Services (AD RMS) root cluster is permitted in each forest. If your organization wants to use rights-protected content in more than one forest, you must have a separate AD RMS root cluster for each forest. The following reference information can be used to help in deploying AD RMS in a multi-forest environment, which is shown in the following diagram.

AD RMS Multi-Forest Support Matrix

The following table describes the product capabilities of multi-forest scenarios.

Each requirement is listed with its support status in the four multi-forest configurations: Windows Live ID, Trusted User Domains, Trusted Publishing Domains, and AD RMS with AD FS.

Office IRM Protection: Document Protection

  • Windows Live ID: Not Supported

  • Trusted User Domains: Supported

  • Trusted Publishing Domains: Supported

  • AD RMS with AD FS: Supported

Office IRM Protection: Document Consumption

  • Windows Live ID: Supported

  • Trusted User Domains: Supported

  • Trusted Publishing Domains: Supported

  • AD RMS with AD FS: Supported

MOSS IRM Usage: Document Protection (Server certification)

  • Windows Live ID: Not Supported

  • Trusted User Domains: Supported

  • Trusted Publishing Domains: Supported

  • AD RMS with AD FS: Not Supported for the scenario where MOSS servers are in a forest where AD RMS does not reside.

Windows Mobile 6 IRM

  • Windows Live ID: Not Supported

  • Trusted User Domains: Supported

  • Trusted Publishing Domains: Supported

  • AD RMS with AD FS: Not Supported. WM IRM cannot be configured to use AD RMS with AD FS (from another forest) that is integrated into Active Directory, to protect or read documents that use RMS.

XPS IRM Protection

  • Windows Live ID: Supported

  • Trusted User Domains: Supported

  • Trusted Publishing Domains: Supported

  • AD RMS with AD FS: Not Supported. The XPS client included in the .NET Framework can locate an AD RMS with AD FS server; the XPS Essentials client does not support AD FS.

XPS IRM Consumption

  • Windows Live ID: Supported

  • Trusted User Domains: Supported

  • Trusted Publishing Domains: Supported

  • AD RMS with AD FS: Partially Supported. Only the XPS Essentials client can locate AD RMS with AD FS.

Internet Explorer RMA

  • Windows Live ID: Supported for Office 2003 documents. OWA is not supported.

  • Trusted User Domains: Supported

  • Trusted Publishing Domains: Supported

  • AD RMS with AD FS: Not Supported. RMA clients cannot locate AD RMS with AD FS servers.

Group Expansion capabilities

  • Windows Live ID: Not Supported

  • Trusted User Domains: Supported

  • Trusted Publishing Domains: Partially Supported. Group expansion is not supported for users and groups that are published with the imported TPD; it is supported for documents published in the current domain.

  • AD RMS with AD FS: Not Supported

Multiple Forest Company Trusted User Domain

The following table describes additional considerations for a single company with multiple Active Directory forests.

Note

This scenario can use group expansion because of the forest trust relationship between the multiple forests.

Solution Component / Consideration

Windows Trust

  • A Windows Trust could exist between forests. This could allow the assignment of permissions and validations between forests for group membership using universal groups.

  • Therefore, anonymous access is not required and you can continue authenticating the users with their credentials.

GAL Synchronization

  • In order to have a consolidated list of users or contacts from different forests you can use ILM, MIIS, or IIFP to replicate or synchronize those objects. Assigning rights inside your company will then be transparent to users.

Number of Trusts

  • One important consideration when you deploy this kind of trust is that the number of trusts required for all AD RMS domains to interact with each other can grow significantly.

  • For example, if you have ten AD RMS domains and all of them must be able to exchange information with each other, 90 trusts (10 × 9) must be configured to achieve this goal. In general, N domains require N × (N − 1) trusts.
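As an added example (not part of the original page), the following Python script applies the N × (N − 1) rule above to an inventory of AD RMS forests: it computes the number of one-way trusts a full mesh needs and lists the directional trusts still missing, so a two-way trust must be recorded as both directions. The forest names and the existing trusts are constructed values.

```python
from itertools import permutations


def required_trust_count(forests):
    """Full mesh: every ordered pair (trusting, trusted) is one one-way trust,
    which is why the page counts N * (N - 1) rather than N * (N - 1) / 2."""
    n = len(set(forests))
    return n * (n - 1)


def missing_trusts(forests, existing):
    """Return the (trusting, trusted) one-way trusts still needed for a full mesh.

    `existing` holds (trusting, trusted) tuples; a two-way trust appears as
    both directions. Trusts involving forests outside the AD RMS set are ignored.
    """
    forests = set(forests)
    have = {(a, b) for a, b in existing if a in forests and b in forests}
    return sorted(p for p in permutations(sorted(forests), 2) if p not in have)


# Constructed inventory (assumed values, not from the page): four AD RMS forests,
# a two-way trust between corp and emea, and a one-way trust where apac trusts corp.
FORESTS = ["corp.example", "emea.example", "apac.example", "lab.example"]
EXISTING = [
    ("corp.example", "emea.example"),
    ("emea.example", "corp.example"),
    ("apac.example", "corp.example"),
]

if __name__ == "__main__":
    print("trusts required for full mesh:", required_trust_count(FORESTS))
    for trusting, trusted in missing_trusts(FORESTS, EXISTING):
        print(f"missing: {trusting} must trust {trusted}")
```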

For additional information about group expansion and AD RMS in a multiple forest environment, see Understanding AD RMS Across Forests.

For additional information about considerations for AD RMS in a multiple forest environment, see Checklist: Deploying AD RMS in an Organization with Users in Multiple Forests.

For detailed instructions about how to set up AD RMS in a multiple forest environment, see Deploying Active Directory Rights Management Services in a Multiple Forest Environment Step-by-Step Guide.