If you are deploying AD RMS in an environment with multiple Active Directory Domain Services (AD DS) forests, you need to determine what support is required for users or groups outside the forest in which AD RMS is deployed. AD RMS uses AD DS to identify users and distribution groups. When an organization's AD DS deployment includes multiple forests, AD RMS uses AD DS contact objects to obtain the identities of users and groups that belong to a different forest than the AD RMS cluster. The problem is that user and group objects from other forests typically have no representative objects in the forest where AD RMS resides, so AD RMS cannot expand those groups on its own. If you intend to use AD RMS to restrict permissions to users or groups from other forests, you need to configure your Active Directory forest so that group expansion can occur across forests.

You can implement group expansion support across forests for AD RMS in two ways: