AD RMS with AD FS Identity Federation Step-by-Step Guide

Applies To: Windows Server 2008, Windows Server 2008 R2

About This Guide

This step-by-step guide will assist you in using Active Directory Rights Management Services (AD RMS) with Active Directory® Federation Services (AD FS) in a test environment. Specifically, this guide will look at how to implement AD RMS if you have also deployed AD FS in your organization and have established a trust relationship with another organization that has not deployed AD RMS. Using the information in this guide, you can extend the basic AD RMS deployment to use AD FS credentials to establish trusted user accounts. This will enable you to share access to rights-protected content with another organization without having to establish a separate trust.

In this guide, you will create a test deployment that includes the following components:

  • An AD FS resource partner server

  • An AD FS account partner server

  • An AD RMS server

  • An AD RMS database server

  • Two AD RMS clients

  • Two Active Directory domain controllers

This guide assumes that you previously completed Windows Server Active Directory Rights Management Services Step-by-Step Guide, and that you have already deployed the following components:

  • An AD RMS server

  • An AD RMS database server

  • One AD RMS-enabled client

  • One Active Directory domain controller

What This Guide Does Not Provide

This guide does not provide the following:

  • An overview of AD RMS. For more information about the advantages that AD RMS can bring to your organization, see

  • Guidance for setting up and configuring AD RMS in a production environment.

  • Complete technical reference for AD RMS or AD FS.

  • Guidance for setting up AD FS with Microsoft Office SharePoint Server 2007 and AD RMS. For more information about using identity federation with Office SharePoint Server 2007 and AD RMS, see Appendix A of the Deploying Active Directory Rights Management Services with Microsoft Office SharePoint Server 2007 Step-By-Step Guide (

Deploying AD RMS with Identity Federation Support in a Test Environment

We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server features without additional deployment documentation and should be used with discretion as a stand-alone document.

Upon completion of this guide, you will have a working AD RMS and AD FS infrastructure. You can then test and verify AD RMS and AD FS functionality as follows:

  • Restrict permissions on a Microsoft Word 2007 document in the CPANDL.COM domain.

  • Have an authorized user in the TREYRESEARCH.NET domain open and work with the document.

  • Have an unauthorized user in the CPANDL.COM domain attempt to open and work with the document.

The test environment described in this guide includes eight computers connected to a private network and using the following operating systems, applications, and services:

Computer Name Operating System Applications and Services


Windows Server® 2008

AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing



Windows Server 2003 with Service Pack 2 (SP2)

Domain controllers running Windows 2000 Server with Service Pack 4 can be used. However, in this step-by-step guide it is assumed that you will be using domain controllers running Windows Server 2003 with SP2.

Active Directory, Domain Name System (DNS)


Windows Server 2003 with SP2

Microsoft SQL Server® 2005 Standard Edition with Service Pack 2 (SP2)



Windows Vista®

Microsoft Office Word 2007 Enterprise Edition



Windows Server® 2008 Enterprise or Windows Server 2003 R2 Enterprise Edition



Before installing and configuring the components in this guide, you should verify that your hardware meets the minimum requirements for AD RMS (

The computers form two private intranets and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment, if desired. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID is used for the intranet. The domain controller for the domain named is CPANDL-DC and the domain controller for the domain name is TREY-DC. The following figure shows the configuration of the test environment: