Only one Active Directory Rights Management Services (AD RMS) root cluster is permitted per forest. If your organization wants to use rights-protected content in more than one forest, you must have a separate AD RMS root cluster for each forest.

The following steps in this checklist describe the tasks required to deploy AD RMS in an organization with users in multiple forests.

  1. Assign a secure sockets layer (SSL) certificate to the Web site that will be hosting the AD RMS cluster.

  2. Install and configure an AD RMS root cluster in each forest.

  3. If you are not using Exchange Server in each forest, you must extend the Active Directory schema.

  4. Add the AD RMS service account to the access control list of the group expansion pipeline.

For detailed instructions about setting up AD RMS in a multiple forest environment, see Deploying Active Directory Rights Management Services in a multiple forest environment Step-by-Step guide (