Extending AD RMS Beyond Your Organization
Updated: July 15, 2011
Applies To: Windows Server 2008, Windows Server 2008 R2
In the interconnected world that the Internet has made possible over the past several decades, organizations face new opportunities to extend their reach beyond the boundaries that previously constrained them. Yet these opportunities bring new challenges. As the demand for information sharing between organizations and with customers grows, so, too, do the risks of exposing sensitive information to those who should not receive it. Sensitive business and personal data that used to be kept on paper, and that required many deliberate actions to be "leaked", can now be sent anywhere in the world with a single keystroke or mouse click. Precisely because an organization has less control over how customers and partners handle its information than it has over its own employees, it is even more important to use technology to ensure that information leaving the organization cannot fall into the wrong hands.
Active Directory Rights Management Services (AD RMS) is a feature of Windows Server® 2008 and Windows Server 2008 R2 that lets users control who can view, modify, and share sensitive information. Designed to integrate with Active Directory Domain Services (AD DS), it gives users an easy and effective way to rights-protect documents and messages that are exchanged within an Active Directory forest. However, when content must be shared with users beyond an organization's boundaries, special arrangements are required to make this possible. These range from using the built-in trusted domains in AD RMS to setting up federation relationships between organizations.
This document describes several methods for accomplishing this goal and provides high-level guidance for deploying these methods. It contains the following sections: