Deploying AD RMS for Collaboration Beyond Your Organization

Applies To: Windows Server 2008, Windows Server 2008 R2

The following sections provide a high-level description of the tasks that you perform in order to implement the solutions described in Understanding Business-to-Business Scenarios and Understanding Business-to-Consumer Scenarios. If your external users are not in your organization’s intranet, all these solutions require that you make your Active Directory Rights Management Services (AD RMS) infrastructure available on the Internet. For an outline of the options for doing this, see Appendix A: Making AD RMS Available on the Internet.

This topic contains the following sections:

  • Deploying trusted user domains

  • Deploying trusted publishing domains

  • Deploying AD RMS with AD FS

  • Deploying Exchange 2010 and AD RMS with Microsoft Federation Gateway

  • Deploying AD RMS with account provisioning for external users

Deploying trusted user domains

To meet the basic requirements of deploying a trusted user domain, follow these steps:

  1. Install AD RMS in the forests in which you want to set up the trusted user domain relationship. For guidance about how to install AD RMS, see Pre-installation Information for Active Directory Rights Management Services and Installing an AD RMS Cluster. For step-by-step instructions for installing AD RMS in a test environment, see AD RMS Step-by-Step Guide.

  2. Export the trusted user domain from the AD RMS cluster(s) from which you want to be able to share rights-protected content with users in another forest. See Export a Trusted User Domain for instructions.

  3. Import the trusted user domains and specify the email domains you want to trust. See Add a Trusted User Domain for more information.

  4. Configure remote client access to each AD RMS cluster that requires it. You can decide between two options, depending on your environment:

  5. To provide for remote group expansion, if you are using forest trusts, synchronize group membership between the forests; otherwise, create contacts for the remote groups in each forest. AD RMS Deployment in a Multi-forest Environment Step-by-Step Guide illustrates one way to do this.

Deploying trusted publishing domains

To meet the basic requirements of deploying a trusted publishing domain, follow these steps:

  1. Install AD RMS in the forests in which you want to set up the trusted publishing domain relationship. For guidance about how to install AD RMS, see Pre-installation Information for Active Directory Rights Management Services and Installing an AD RMS Cluster. For step-by-step instructions for installing AD RMS in a test environment, see AD RMS Step-by-Step Guide.

  2. Export the trusted publishing domain from the AD RMS cluster from which you want to be able to share rights-protected content with users in another forest. See Export a Trusted Publishing Domain for instructions.

  3. Import the trusted publishing domain. See Add a Trusted Publishing Domain for more information.

  4. Redirect clients to the trusted AD RMS cluster (the one that imported the TPD) either by using registry overrides (AD RMS Registry Settings) or by using DNS aliases (Add an alias (CNAME) resource record to a zone).

  5. If the cluster(s) from which the trusted publishing domains were exported remain active, periodically synchronize rights-policy templates by repeating steps 2 and 3.
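The client redirection in step 4 can be scripted. The following PowerShell is an added example, not part of this topic or of the AD RMS product: it sets the per-machine MSDRM client override keys (the key names are those documented in AD RMS Registry Settings; confirm them against that topic for your client version) and shows the DNS alias alternative with dnscmd. The cluster names and zone are constructed placeholders.

```powershell
# Added example (not from this topic): point AD RMS clients at the cluster that
# imported the trusted publishing domain. Run elevated on each client for (a),
# or on a DNS server hosting the zone for (b).

$TrustedCluster = 'rms.trusted.example.com'   # cluster that imported the TPD (assumed name)
$OldClusterName = 'rms'                       # host label clients currently use (assumed)
$Zone           = 'contoso.example'           # DNS zone that hosts the old name (assumed)

# (a) Registry overrides. Each key's (Default) value holds the service URL that the
#     MSDRM client uses instead of the one discovered through Active Directory.
$Base = 'HKLM:\SOFTWARE\Microsoft\MSDRM\ServiceLocation'
$Overrides = @{
    'Activation'           = "https://$TrustedCluster/_wmcs/Certification"
    'EnterprisePublishing' = "https://$TrustedCluster/_wmcs/Licensing"
}
foreach ($name in $Overrides.Keys) {
    $path = Join-Path $Base $name
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name '(Default)' -Value $Overrides[$name]
}

# Read back what the client will now use, so the change can be verified.
function Get-RmsServiceOverride {
    Get-ChildItem $Base | ForEach-Object {
        [pscustomobject]@{
            Service = $_.PSChildName
            Url     = (Get-ItemProperty -Path $_.PSPath).'(Default)'
        }
    }
}
Get-RmsServiceOverride

# (b) DNS alias alternative: make the old cluster name resolve to the trusted cluster.
#     dnscmd.exe ships with the DNS Server role on Windows Server 2008 / 2008 R2.
#     Uncomment to run on the DNS server:
# dnscmd . /RecordAdd $Zone $OldClusterName CNAME $TrustedCluster
```

Pick one mechanism per environment rather than mixing them: the registry override wins on any client where it is present, which makes a later DNS change silently ineffective there. With the CNAME approach, the trusted cluster's SSL certificate must be valid for the alias name that clients will connect to, or licensing requests fail with a certificate name mismatch.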

Deploying AD RMS with AD FS

To meet the basic requirements of federating AD RMS across forests by using AD FS, follow these steps:

  1. Install AD FS in both forests and federate them. For detailed guidance about how to deploy AD FS, see AD FS Deployment Guide.

  2. In the resource forest, install AD RMS with Federation Identity Support. You must use an SSL certificate issued by a trusted certification authority. For guidance about how to install AD RMS, see Pre-installation Information for Active Directory Rights Management Services and Checklist: Deploying AD RMS with AD FS.

  3. Configure clients to work with AD FS: On each client, add the remote federation servers’ URLs to the trusted zone in Internet Explorer and add the local federation servers’ URLs to the intranet zone. Also, you must configure the federation home realm. The registry key is:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDRM\Federation

    Within this registry key, create a registry entry named FederationHomeRealm of type REG_SZ. The value of this registry entry is the federation service URI.
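The client-side settings in step 3 (home realm and Internet Explorer zones) can be applied with the PowerShell below. It is an added example, not code from this topic or from the AD RMS product. The FederationHomeRealm key and value are the ones named above; the Internet Explorer ZoneMap layout and the zone ids (1 = Local intranet, 2 = Trusted sites) are the ones Internet Explorer itself writes. The federation service URI and server names are constructed placeholders.

```powershell
# Added example (not from this topic): prepare an AD RMS client for AD FS federation.
# Run elevated on each client. All URIs and host names below are assumed values.

$HomeRealm     = 'urn:federation:resource-forest.example'   # federation service URI of the home realm (assumed)
$RemoteFsHosts = @('fs.resource.example.com')               # resource-forest federation server(s) (assumed)
$LocalFsHosts  = @('fs.account.example.com')                # local account-forest federation server(s) (assumed)

# 1. Federation home realm: HKLM\SOFTWARE\Microsoft\MSDRM\Federation\FederationHomeRealm (REG_SZ)
$fedKey = 'HKLM:\SOFTWARE\Microsoft\MSDRM\Federation'
if (-not (Test-Path $fedKey)) { New-Item -Path $fedKey -Force | Out-Null }
New-ItemProperty -Path $fedKey -Name 'FederationHomeRealm' -PropertyType String `
                 -Value $HomeRealm -Force | Out-Null

# 2. Internet Explorer zone assignment (per user, under HKCU). IE stores each site as
#    Domains\<registrable domain>\<remaining labels>, with a value named after the
#    scheme whose DWORD data is the zone id. On servers with IE Enhanced Security
#    Configuration enabled the same layout lives under ...\ZoneMap\EscDomains instead.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Set-IeZone {
    param([string]$HostName, [int]$Zone)
    $labels = $HostName.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name: $HostName" }
    $domain = ($labels[-2..-1]) -join '.'               # e.g. example.com
    $path   = Join-Path $zoneMap $domain
    if ($labels.Count -gt 2) {
        $sub  = ($labels[0..($labels.Count - 3)]) -join '.'   # e.g. fs.resource
        $path = Join-Path $path $sub
    }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'https' -PropertyType DWord -Value $Zone -Force | Out-Null
}

$RemoteFsHosts | ForEach-Object { Set-IeZone -HostName $_ -Zone 2 }   # Trusted sites
$LocalFsHosts  | ForEach-Object { Set-IeZone -HostName $_ -Zone 1 }   # Local intranet

# 3. Read back the home realm to confirm the value the AD RMS client will use.
(Get-ItemProperty -Path $fedKey -Name 'FederationHomeRealm').FederationHomeRealm
```

Only the https scheme is mapped because the federation endpoints are reached over SSL; adding the remote servers to the trusted zone, not the intranet zone, keeps the client from sending integrated Windows credentials to a host outside its own forest. In a domain these zone assignments are normally pushed with Group Policy (Site to Zone Assignment List) rather than written per client.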

For step-by-step guidance about how to deploy AD RMS with AD FS in a test environment, see AD RMS with AD FS Identity Federation Step-by-Step Guide.

Deploying Exchange 2010 and AD RMS with Microsoft Federation Gateway

To meet the basic requirements of federating Exchange 2010 and AD RMS with Microsoft Federation Gateway, follow these steps:

  1. Install Exchange Server 2010 with Service Pack 1 in the external forest, and then configure the Exchange infrastructure for federation. See Federation for more information.

  2. Install AD RMS with Microsoft Federation Gateway Support. For guidance about how to install AD RMS, see Pre-installation Information for Active Directory Rights Management Services and Checklist: Deploying AD RMS with Microsoft Federation Gateway Support.

  3. Configure trusted licensing domains (Manage the Microsoft Federation Gateway Licensing Filter List) and trusted publishing domains (Manage the Microsoft Federation Gateway Publishing Filter List).

Deploying AD RMS with account provisioning for external users

There are several options for deploying AD RMS for external users when you provide Active Directory accounts for them:

  • You can deploy separate AD RMS infrastructures for internal and external users and create a trusted user domain relationship between them.

  • You can create a single Active Directory forest and AD RMS infrastructure that is available on the Internet and to users in your intranet.

  • You can create an AD RMS infrastructure in a separate forest and use AD FS to federate the intranet- and extranet-facing forests.

For more information about how to enable AD RMS access by users outside your internal network, see Appendix A: Making AD RMS Available on the Internet.