AD RMS Multi-forest Considerations

Applies To: Windows Server 2008, Windows Server 2008 R2

Only one Active Directory Rights Management Services (AD RMS) root cluster is permitted in each forest. If your organization wants to use rights-protected content in more than one forest, you must have a separate AD RMS root cluster for each forest. The following reference information can be used to help in deploying AD RMS in a multi-forest environment, which is shown in the following diagram.

AD RMS Multi-Forest Support Matrix

The following table describes the product capabilities of multi-forest scenarios.

Requirement	Windows Live ID	Trusted User Domains	Trusted Publishing Domains	AD RMS with AD FS
Office IRM Protection Document Protection	Not Supported	Supported	Supported	Supported
Office IRM Protection Document Consumption	Supported	Supported	Supported	Supported
MOSS IRM usage Document Protection (Server certification)	Not Supported	Supported	Supported	Not Supported for the scenario where MOSS servers are in a forest where AD RMS does not reside.
Windows Mobile 6 IRM	Not Supported	Supported	Supported	Not Supported. WM IRM cannot be configured to use AD RMS with AD FS (from another forest) that is integrated into active or protected or read documents that use RMS.
XPS IRM Protection	Supported	Supported	Supported	Not Supported. XPS client included in the .NET Framework can locate AD RMS with AD FS server; XPS Essentials client does not support ADFS.
XPS IRM Consumption	Supported	Supported	Supported	Partially Supported. Only XPS Essentials client can locate AD RMS with ADFS.
Internet Explorer RMA	Supported for Office 2003 Documents. OWA not supported.	Supported	Supported	Not Supported. RMA clients cannot locate AD RMS with AD FS servers.
Group Expansion capabilities	Not Supported	Supported	Partially Supported – Group expansion is not supported for those users and groups that are published with the imported TPD. It is supported for documents published in the current domain.	Not Supported

Multiple Forest Company Trusted User Domain

The following table describes additional considerations for a single company with multiple Active Directory forests.

Note

This scenario can use group expansion because of the forest trust relationship between the multiple forests.

Solution Component	Consideration
Windows Trust	A Windows Trust could exist between forests. This could allow the assignment of permissions and validations between forests for group membership using universal groups. Therefore, anonymous access is not required and you can continue authenticating the users with their credentials.
GAL Synchronization	In order to have a consolidated list of users or contacts from different forests you can use ILM, MIIS, or IIFP to replicate or synchronize those objects. Assigning rights inside your company will then be transparent to users.
Number of Trusts	One important consideration when you deploy this kind of trust is that the number of trusts required to interact between all AD RMS domains could grow significantly. For example, if you have ten AD RMS domains and all of them should be able to exchange information between each other, there must be (10 × 9) 90 trusts configured to achieve this goal. N*(N-1)

For additional information about group expansion and AD RMS in a multiple forest environment, see Understanding AD RMS Across Forests

For additional information about considerations for AD RMS in a multiple forest environment, see Checklist: Deploying AD RMS in an Organization with Users in Multiple Forests

For detailed instructions about how to set up AD RMS in a multiple forest environment, see Deploying Active Directory Rights Management Services in a multiple forest environment Step-by-Step guide.