Configure Trusted User Domains

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1

By default, Active Directory Rights Management Services (AD RMS) does not service a request from a user whose rights account certificate (RAC) was issued by a different AD RMS cluster. However, you can add an AD RMS domain to the list of trusted user domains (TUDs) of an AD RMS cluster. This allows the AD RMS cluster to process such requests.

A trusted user domain is a trust between AD RMS clusters that instructs a licensing server to accept RACs (the certificates identifying users) from another AD RMS server in a different Active Directory forest. An AD RMS trust differs from an Active Directory trust, but it is similar because it refers to the ability of one environment to accept identities from another environment as valid subjects.

Trusted user domains are added by importing the server licensor certificate of the AD RMS domain to trust into the trusting AD RMS cluster. To enable information rights management (IRM) functionality in Microsoft Exchange Server 2010 across more than one forest, you must add each AD RMS domain as a trusted user domain in all other AD RMS domains.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To export a trusted user domain

  1. Open the Active Directory Rights Management Services console, and then expand the AD RMS cluster.

  2. In the console tree, expand Trust Policies and then click Trusted User Domains.

  3. In the Actions pane, click Export Trusted User Domain.

  4. The Save As dialog box appears. We recommend that you modify the .bin file name to include the name of your server, such as ADRMS_Cluster1_LicensorCert.bin.

  5. Click Save to save the file by using the name and location you specified.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To import a trusted user domain

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster to which you are adding the TUD.

  2. In the console tree, expand Trust Policies, and then click Trusted User Domains.

  3. In the Actions pane, click Import Trusted User Domain.

  4. In the Trusted user domain file box, type the path of the exported server licensor certificate of the user domain to trust or click Browse to locate it.

  5. In Display name, type a name to identify this trusted user domain. If you want to extend this trust to federated users, select Extend trust to federated users of the imported server.

  6. Click Finish.

Note

The private key information is not transferred when you set up a TUD.
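The export and import procedures above, as an added PowerShell example that is not part of the original page, using the Export-RmsTUD and Import-RmsTUD cmdlets of the AD RMS Administration module. It assumes the AdRmsAdmin module and provider are available (Windows Server 2008 R2 and later); the cluster URL, file paths and display name are placeholders.

```powershell
# Added example (not from the original page): the console steps for exporting
# and importing a trusted user domain, done with the AD RMS Administration
# PowerShell module, followed by a check of the resulting TUD list.
# ASSUMPTIONS: the AdRmsAdmin module is installed (Windows Server 2008 R2 and
# later); the cluster URL, file paths and display name are placeholders.
Import-Module AdRmsAdmin

# Map a drive to the administration web service of the local cluster.
New-PSDrive -Name AdrmsCluster -PSProvider AdRmsAdmin -Root https://localhost | Out-Null
$tudPath = 'AdrmsCluster:\TrustPolicy\TrustedUserDomain'

# On the cluster that is to be trusted: export its server licensor certificate.
# As the Note says, only the public certificate is written; no private key leaves the cluster.
$exportFile = 'C:\TUD\ADRMS_Cluster1_LicensorCert.bin'   # placeholder path
Export-RmsTUD -Path $tudPath -SavedFile $exportFile

# On the trusting cluster: import the other cluster's exported certificate.
# -TrustADFederatedUser corresponds to the "Extend trust to federated users of the
# imported server" check box; leave it out unless federated users must be trusted.
$importFile  = 'C:\TUD\ADRMS_Cluster2_LicensorCert.bin'   # placeholder path
$displayName = 'Cluster2'                                  # placeholder display name
Import-RmsTUD -Path $tudPath -SourceFile $importFile -DisplayName $displayName

# Confirm the new trusted user domain is listed, and review the whole list so
# that no unexpected trust relationships are present on this cluster.
Get-ChildItem $tudPath | Format-Table -AutoSize
```

Run the export on the cluster whose certificate is being shared and the import on the cluster that will accept its RACs; each cluster that must accept the other's users needs its own import.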

The name of the domain appears in the Trusted user domains list in the results pane. To configure additional e-mail domains within that trusted user domain, follow these steps:

To specify properties of the trusted user domain

  1. Select the certificate name in the results pane and then in the Actions pane, click Properties.

  2. Select the Enable licensing to SIDs for e-mail domains check box.

  3. Click the Trusted E-mail Domains tab, and then select one of the following trust options:

    • Select the Trust all e-mail domains option to trust all of the user accounts that are members of that domain.

    • Select the Trust only specified e-mail domains option and then type the domain name to trust, such as example.com, and then click Add. This adds the domain to the Trusted e-mail domains list. To remove a name from the list, select the name, and then click Remove. Adding a domain includes all its child domains.

  4. When finished, click OK.