Cross-Link Super Users Groups

Updated: September 1, 2009

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1

Enabling Exchange Server 2010 and Active Directory Rights Management Services (AD RMS) in different forests to work together requires that the super user groups of the AD RMS clusters in the forests be linked to each other. The super user group is a special group that has full control over all rights-protected content managed by a cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it. The super user groups in the forests are linked by placing in each super user group a contact that points to a mail-enabled universal distribution group that belongs to the super user group in the other forest.

The following diagram illustrates the logical topology of groups, users, and contacts required to implement this design:

Integration of Exchange and AD RMS across forests

To configure the super users group for Exchange Server 2010 across multiple forests, the Active Directory Domain Services administrator of each forest must follow these steps:

  1. Create a mail-enabled universal distribution group that will be configured as the AD RMS super users group of the administrator’s forest.

  2. Create a mail-enabled universal distribution group, add it as a member of the super users group, and add the Federated Delivery Mailbox of the Exchange servers in the forest to the member group.

    ImportantImportant
    Do not place the Federated Delivery Mailbox in the super users group itself. This can cause a recursive condition. The Federated Delivery Mailbox must be in a distribution group that is a member of the super users group.

  3. Create a mail-enabled contact item for the super users member group in the other forests and set the msExchOriginatingForest attribute of the contact to the fully qualified domain name of the forest where the target group is located.

    noteNote
    The msExchOriginatingForest Active Directory schema attribute is installed with Microsoft Exchange Server 2003 and later versions. If an Exchange server is not deployed in a forest, you must extend the schema to include this attribute. For more information, see Extend Active Directory schema in AD RMS Deployment in a Multi-forest Environment Step-by-Step Guide.

  4. Add the contact item created in the previous step to the super users group of the forest.

After the contact items and groups have been created and populated, the AD RMS administrator of each forest must enable and designate the super users group.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

  1. Open the Active Directory Rights Management Services console and expand the AD RMS cluster.

  2. In the console tree, expand Security Policies, and then click Super Users.

  3. In the Actions pane, click Enable Super Users.

  4. In the results pane, click Change super user group to open the Super Users properties sheet.

  5. In the Super user group box, type the e-mail address of the group created by the AD DS administrator for this purpose, or click Browse to navigate through the defined users and groups in the directory.

  6. Click OK.

Community Additions

ADD
Show: