By default, Active Directory Rights Management Services (AD RMS) does not service requests from users whose rights account certificate (RAC) was issued by a different AD RMS installation. However, you can add user domains to the list of trusted user domains (TUDs), which allows AD RMS to process such requests.
For each trusted user domain (TUD), you can also add and remove specific users or groups of users. In addition, you can remove a TUD; however, you cannot remove the root cluster for this Active Directory forest from the list of TUDs. Every AD RMS server trusts the root cluster in its own forest.
You can add TUDs as follows:
- To support external users in general, you can trust Windows Live ID. This allows an AD RMS cluster that is in your company to process licensing requests that include a RAC that was issued by Microsoft's online RMS service. For more information about trusting Windows Live ID in your organization, see Use Windows Live ID to Establish RACs for Users.
- To trust external users from another organization's AD RMS installation, you can add the organization to the list of TUDs. This allows an AD RMS cluster to process a licensing request that includes a RAC that was issued by an AD RMS server that is in the other organization.
- In the same manner, to process licensing requests from users within your own organization who reside in a different Active Directory forest, you can add the AD RMS installation in that forest to the list of TUDs. This allows an AD RMS cluster in the current forest to process a licensing request that includes a RAC that was issued by an AD RMS cluster in the other forest.
- For each TUD, you can specify which e-mail domains are trusted. For trusted Windows Live ID sites and services, you can specify which e-mail users or domains are not trusted.
Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.
To add a trusted user domain
- The TUD of the AD RMS installation to be trusted should already be exported and available. For more information about exporting a TUD, see Export a Trusted User Domain.
- Open the Active Directory Rights Management Services console and expand the AD RMS cluster.
- In the console tree, expand Trust policies, and then click Trusted User Domains.
- In the Actions pane, click Import Trusted User Domain.
- In the Trusted user domain file box, type the path to the exported server licensor certificate of the user domain to trust, or click Browse to locate it.
- In Display name, type a name to identify this trusted user domain. If you would like to extend this trust to federated users, select Extend trust to federated users of the imported server.
- Click Finish.
Note: The private key information is not transferred when you set up a TUD.
The name of the domain appears in the Trusted user domains list in the results pane. To further configure e-mail domains within that trusted user domain, do the following steps:
To specify properties of the trusted user domain
- If the trusted user domain is based on another AD RMS cluster's server licensor certificate, you can specify which e-mail domains within the trusted user domain are trusted.
- Select the certificate name in the results pane, and then in the Actions pane, click Properties.
- Click the Trusted E-mail Domains tab, and then choose one of the following trust options:
  - Select the Trust all e-mail domains option to trust all of the user accounts that are members of that domain.
  - Select the Trust only specified e-mail domains option, type the domain name to trust, such as example.com, and then click Add. This adds the domain to the Trusted e-mail domains list. To remove a name from the list, select the name, and then click Remove. Adding a domain includes all of its child domains.
- Select the Trust AD RMS licensing to security identifiers (SIDs) for this user domain check box, if necessary.
- When finished, click OK.
Additional considerations
- You can also perform the task described in this procedure by using Windows PowerShell. For more information about Windows PowerShell for AD RMS, see http://go.microsoft.com/fwlink/?LinkId=136806.
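As an added example that is not part of this article, the following script performs the import step of the procedure above with the AD RMS Windows PowerShell provider and checks the integrity of the exported TUD file before trusting it. The cluster URL, file path, expected hash and display name are placeholders; the provider path used for `Set-Location` is an assumption, so confirm it against your own server.

```powershell
# Added example, not from the original article. Run on an AD RMS server as a member of
# the AD RMS Enterprise Administrators group. All values below are placeholders.
Import-Module AdRmsAdmin

# Mount the cluster configuration as a drive; the provider root is the cluster URL.
New-PSDrive -Name AdRmsCluster -PSProvider AdRmsAdmin -Root 'http://rms.corp.example' | Out-Null

$tudFile      = 'C:\TUD\partner-tud.bin'   # exported TUD (server licensor certificate) from the partner
$expectedHash = '<SHA256 hash the partner gave you over a separate channel>'
$displayName  = 'Partner Corp'

# The TUD file carries the other cluster's public server licensor certificate. Whoever
# can substitute this file decides whose RACs this cluster will honour, so compare the
# file hash with the value received out-of-band before importing anything.
$actualHash = (Get-FileHash -Path $tudFile -Algorithm SHA256).Hash
if ($actualHash -ne $expectedHash) {
    throw "TUD file hash $actualHash does not match the expected value; import aborted."
}

# Provider location of the trusted user domains (assumed path; verify on your server).
Set-Location 'AdRmsCluster:\TrustPolicy\TrustedUserDomain'

# Import the TUD. Trust for federated users is not extended here; as in the console
# procedure, that is a separate, deliberate choice.
Import-RmsTUD -Path . -DisplayName $displayName -SourceFile $tudFile

# Confirm the new entry is listed, mirroring the "Trusted user domains" results pane.
Get-ChildItem . | Where-Object { $_.DisplayName -eq $displayName }
```

Trusted e-mail domains for the imported TUD are then restricted as in the console procedure; the hash check above only establishes that the file you import is the one the partner actually exported.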