
AD RMS Deployment in a Multi-forest Environment Step-by-Step Guide

Applies To: Windows Server 2008, Windows Server 2008 R2

About This Guide

This step-by-step guide walks you through the process of setting up two working Active Directory Rights Management Services (AD RMS) infrastructures in a test environment. Specifically, this guide shows how to deploy AD RMS in two separate Active Directory forests and then establish an AD RMS trusted user domain (TUD) between them, so that users in either forest can exchange rights-protected content. Because each AD RMS cluster trusts only the user identities issued by its own licensing service by default, the TUD is the step that lets one cluster issue use licenses to users certified by the other.

In this guide, you will create a test deployment that includes the following components:

  • Two AD RMS servers

  • Two AD RMS database servers

  • Two AD RMS clients

  • Two Active Directory domain controllers

This guide assumes that you previously completed the Windows Server Active Directory Rights Management Services Step-by-Step Guide, and that you have already deployed the following components:

  • An AD RMS server

  • An AD RMS database server

  • One AD RMS-enabled client

  • One Active Directory domain controller

What This Guide Does Not Provide

This guide does not provide the following:

  • An overview of AD RMS. For more information about the advantages that AD RMS can bring to your organization, see

  • Guidance for using identity federation with AD RMS. For guidance about this, see the Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide.

  • Guidance for setting up and configuring AD RMS in a production environment.

  • Complete technical reference for AD RMS.

We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features without additional deployment documentation and should be used with discretion as a stand-alone document.

Upon completion of this guide, you will have two working AD RMS infrastructures configured with a trusted user domain. You can then test and verify that AD RMS protection works across the two forests as follows:

  • Restrict permissions on a Microsoft® Word 2007 document in the CPANDL.COM domain.

  • Have an authorized user in the TREYRESEARCH.NET domain open and work with the document.

The test environment described in this guide includes eight computers connected to a private network and using the following operating systems, applications, and services:

Computer Name         Operating System                                          Applications and Services
                      Windows Server® 2008                                      AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing
CPANDL-DC, TREY-DC    Windows Server 2003 with Service Pack 2 (SP2)             Active Directory, Domain Name System (DNS)
                      or Windows Server 2008
                      Windows Server 2003 with SP2                              Microsoft SQL Server® 2005 Standard Edition with Service Pack 2 (SP2)
                      Windows Vista®                                            Microsoft Office Word 2007 Enterprise Edition

Note: Domain controllers running Windows 2000 Server with Service Pack 4 can be used. However, this step-by-step guide assumes that you will be using domain controllers running either Windows Server 2003 with SP2 or Windows Server 2008.


Before installing and configuring the components in this guide, you should verify that your hardware meets the minimum requirements for AD RMS.

The computers form two private intranets and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment, if desired. This step-by-step exercise uses private addresses throughout the test lab configuration, and a single private network ID is used for the intranet. The domain controller for the CPANDL.COM domain is CPANDL-DC, and the domain controller for the TREYRESEARCH.NET domain is TREY-DC. Because the two forests have no trust relationship other than the AD RMS trusted user domain, each DNS server must still be able to resolve the other forest's AD RMS cluster URL for license requests to succeed. The following figure shows the configuration of the test environment: