AD RMS Design Guide

Applies To: Windows Server 2008, Windows Server 2008 R2

Active Directory Rights Management Services (AD RMS) for the Windows Server 2008 operating system is information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use, both online and offline, and inside and outside of the firewall. AD RMS is designed for organizations that need to protect sensitive and proprietary information such as financial reports, product specifications, customer data, and confidential e-mail messages. AD RMS augments an organization's security strategy by providing protection of information through persistent usage policies (also known as usage rights and conditions), which remain with the information no matter where it is moved. AD RMS persistently protects any binary format of data, so the usage rights remain with the information rather than the rights merely residing on an organization's network. This also enables usage rights to be enforced after the information is accessed by an authorized recipient, both online and offline, and inside and outside of the organization. AD RMS helps protect information through persistent usage policies by establishing the following essential elements:

  • Trusted entities. Organizations can specify the entities, including individuals, groups of users, computers, and applications that are trusted participants in an AD RMS system. By establishing trusted entities, AD RMS can help protect information by enabling access only to properly trusted participants.

  • Usage rights and conditions. Organizations and individuals can assign usage rights and conditions that define how a specific trusted entity can use rights-protected content. Examples of usage rights are permission to read, copy, print, save, forward, and edit. Usage rights can be accompanied by conditions, such as when those rights expire. Organizations can exclude applications and entities from accessing the rights-protected content.

  • Encryption. Encryption is the process by which data is locked by using electronic keys. AD RMS encrypts information, making access conditional on the successful validation of the trusted entities. Once information is locked, only trusted entities that were granted usage rights under the specified conditions (if any) can unlock or decrypt the information in an AD RMS-enabled application or browser. The defined usage rights and conditions will then be enforced by the application.
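The three elements above (trusted entities, usage rights with conditions, and encryption that makes access conditional on validating those entities) can be seen working together in a small model. The following is an added illustration written for this page, not AD RMS code and not the AD RMS licensing protocol: it uses a toy SHA-256 keystream cipher and a single constructed server key, where the real product uses certificates and per-cluster key pairs. The identities, the document text, the policy and the `TRUSTED_ENTITIES` set are all constructed sample values. What it shows is the property the text describes: the policy travels inside the protected blob, it is authenticated together with the wrapped content key so it cannot be edited or stripped without detection, only a trusted entity with an unexpired grant obtains the content key, and the consuming application enforces the granted rights.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone

# Constructed stand-in for the licensing server's secret. In this toy model one
# symmetric key both wraps content keys and authenticates policies; real AD RMS
# uses server licensor certificates and asymmetric keys instead.
SERVER_KEY = hashlib.sha256(b"constructed-licensing-server-key").digest()

# Constructed set of trusted entities (the "trusted participants" of the text).
TRUSTED_ENTITIES = {"alice@example.test", "bob@example.test"}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 counter keystream XORed with data (not production crypto)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _policy_tag(policy_bytes: bytes, wrapped_key: bytes) -> str:
    """MAC over policy and wrapped key, so neither can be altered independently."""
    return hmac.new(SERVER_KEY, policy_bytes + wrapped_key, hashlib.sha256).hexdigest()


def publish(content: bytes, policy: dict) -> dict:
    """Author side: encrypt the content and bind the usage policy to it.

    The content key is wrapped for the licensing server, so a reader cannot
    decrypt without first obtaining a use licence from it.
    """
    content_key = os.urandom(32)
    wrapped_key = keystream_xor(SERVER_KEY, content_key)
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    return {
        "ciphertext": keystream_xor(content_key, content),
        "policy": policy,  # travels with the content: the persistent usage policy
        "wrapped_key": wrapped_key,
        "tag": _policy_tag(policy_bytes, wrapped_key),
    }


def request_use_license(protected: dict, identity: str, now: datetime) -> dict:
    """Licensing server side: check integrity, trust, rights and expiry in that order."""
    denied = {"granted": False, "rights": [], "content_key": None}
    policy_bytes = json.dumps(protected["policy"], sort_keys=True).encode()
    expected = _policy_tag(policy_bytes, protected["wrapped_key"])
    if not hmac.compare_digest(expected, protected["tag"]):
        return dict(denied, reason="policy tampered")
    if identity not in TRUSTED_ENTITIES:
        return dict(denied, reason="untrusted entity")
    grant = protected["policy"]["grants"].get(identity)
    if grant is None:
        return dict(denied, reason="no rights for entity")
    if now >= datetime.fromisoformat(grant["expires"]):
        return dict(denied, reason="rights expired")
    content_key = keystream_xor(SERVER_KEY, protected["wrapped_key"])
    return {"granted": True, "reason": "ok", "rights": list(grant["rights"]),
            "content_key": content_key}


def consume(protected: dict, use_license: dict, action: str):
    """Application side: enforce the licence; plaintext only for a permitted action."""
    if not use_license["granted"] or action not in use_license["rights"]:
        return None
    return keystream_xor(use_license["content_key"], protected["ciphertext"])


def demo() -> dict:
    """Constructed scenario: Alice may read and print, Bob may only read, both until 2010."""
    expires = "2010-01-01T00:00:00+00:00"
    policy = {"grants": {
        "alice@example.test": {"rights": ["read", "print"], "expires": expires},
        "bob@example.test": {"rights": ["read"], "expires": expires},
    }}
    doc = publish(b"Q3 financial results (constructed sample)", policy)
    before = datetime(2009, 6, 1, tzinfo=timezone.utc)
    after = datetime(2010, 6, 1, tzinfo=timezone.utc)
    alice = request_use_license(doc, "alice@example.test", before)
    bob = request_use_license(doc, "bob@example.test", before)
    # A copy whose embedded policy was edited after publishing fails the integrity check.
    edited = dict(doc, policy={"grants": {"outsider@example.test": {
        "rights": ["read"], "expires": expires}}})
    return {
        "alice_read": consume(doc, alice, "read"),
        "alice_print": consume(doc, alice, "print"),
        "bob_read": consume(doc, bob, "read"),
        "bob_print": consume(doc, bob, "print"),
        "outsider_reason": request_use_license(doc, "outsider@example.test", before)["reason"],
        "expired_reason": request_use_license(doc, "alice@example.test", after)["reason"],
        "edited_reason": request_use_license(edited, "outsider@example.test", before)["reason"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The ordering inside `request_use_license` is the design point: integrity of the policy is checked before anything else, so a reader cannot widen their own grant by editing the policy they carry, and trust in the entity is established before its rights are even looked up. The expiry condition and the right-by-right check in `consume` are what keep the policy in force after the content has left the network.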

About This Guide

This guide is intended for use by infrastructure specialists, system architects, system administrators and system engineers. It provides reference information for successfully designing and deploying AD RMS in your organization. It assumes that you are familiar with AD RMS and the concepts presented in the Getting Started documentation. If you are not familiar with these documents, it is recommended that you start on TechNet with the Active Directory Rights Management Services Overview(

You can then use this guide to help select and deploy your AD RMS design in your production environment. This guide provides information to help you identify which type of design best fits your organization and to deploy any of the following AD RMS designs:

  • Certification and Licensing

  • Additional Licensing-only Clusters

  • Trust Policies – Trusted User Domains and Publishing Domains

  • Identity Federation Support

  • External Access using VPN and Firewall Services