By default, servers in an Active Directory Rights Management Services (AD RMS) cluster can issue use licenses only against the publishing licenses that it, or another server in its cluster, issued. If you have content that was published by using another AD RMS root cluster either in your organization, for example a subsidiary organization in another forest, or in another separate organization, your AD RMS cluster can grant use licenses to users for this content if you configure a trusted publishing domain (TPD). By adding a trusted publishing domain, you set up a trust relationship between your AD RMS cluster and the other root cluster by importing the server licensor certificate (SLC) of the other cluster. There is no limit to the number of TPDs that you can configure for your AD RMS cluster.

If the cluster key is stored in a CSP, you must transfer the cluster key to the CSP key container on each trusted server in the cluster by following the instructions in the CSP manufacturer's documentation. Depending on the type of CSP on each server and the configuration of any hardware security module devices, you might not be able to transfer the cluster key from one hardware security module to another. If you are using a CSP with a hardware security module, review the hardware security module documentation to determine whether you can transfer the cluster key without losing data that is in the destination hardware security module. If you cannot successfully transfer the cluster key, you cannot establish a trusted publishing domain.


If you are using a hardware-based CSP, also known as a hardware security module (HSM), to protect your AD RMS cluster key and you are importing an SLC from an AD RMS installation that internally manages the AD RMS cluster key, you must specify a cluster key password on the Security Policies settings of the cluster before you attempt to import the certificate.

This procedure assumes that you have exported the TPD of another AD RMS cluster. For more information about exporting the TPD, see Export a Trusted Publishing Domain.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To add a trusted publishing domain
  1. Open the Active Directory Rights Management Services console, and then expand the AD RMS cluster.

  2. In the console tree, expand Trust Policies, and then click Trusted Publishing Domains.

  3. In the Actions pane, click Import Trusted Publishing Domain.

  4. In Trusted Publishing Domain file, type the path to the trusted publishing domain file or click Browse to locate it.

    This file contains the licensor certificate, private key (if the key is stored in software), and rights policy templates. This file is encrypted.

  5. In Password, type the password required to decrypt this file.

  6. In Display name, type a name to identify this trusted user domain.

    Click Finish.


You can remove a TPD at any time by removing its certificate from the list of certificates for TPDs under the Trust Polices node in the Active Directory Rights Management Services console.

Additional considerations

Additional references