AD RMS Deployment in a Multi-forest Environment Step-by-Step Guide
Applies To: Windows Server 2008, Windows Server 2008 R2
About This Guide
This step-by-step guide walks you through the process of setting up two working Active Directory Rights Management Services (AD RMS) infrastructures in a test environment. Specifically, this guide shows how to implement AD RMS in two different Active Directory forests and then set up an AD RMS trusted user domain so that users in both forests can exchange rights-protected information.
In this guide, you will create a test deployment that includes the following components:
Two AD RMS servers
Two AD RMS database servers
Two AD RMS clients
Two Active Directory domain controllers
This guide assumes that you previously completed Windows Server Active Directory Rights Management Services Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=72134), and that you have already deployed the following components:
An AD RMS server
An AD RMS database server
One AD RMS-enabled client
One Active Directory domain controller
What This Guide Does Not Provide
This guide does not provide the following:
An overview of AD RMS. For more information about the advantages that AD RMS can bring to your organization, see https://go.microsoft.com/fwlink/?LinkId=84726.
Guidance for using identity federation with AD RMS. For guidance about this, see the Using Identity Federation with Active Directory Rights Management Services Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=72135).
Guidance for setting up and configuring AD RMS in a production environment.
Complete technical reference for AD RMS.
We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features without additional deployment documentation and should be used with discretion as a stand-alone document.
Upon completion of this guide, you will have two working AD RMS infrastructures configured with a trusted user domain. You can then test and verify AD RMS and AD FS functionality as follows:
Restrict permissions on a Microsoft® Word 2007 document in the CPANDL.COM domain.
Have an authorized user in the TREYRESEARCH.NET domain open and work with the document.
The test environment described in this guide includes eight computers connected to a private network and using the following operating systems, applications, and services:
Computer Name | Operating System | Applications and Services
---|---|---
ADRMS-SRV, TREY-ADRMS | Windows Server® 2008 | AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, and Message Queuing
CPANDL-DC, TREY-DC | Windows Server 2003 with Service Pack 2 (SP2) or Windows Server 2008 | Active Directory, Domain Name System (DNS)
ADRMS-DB, TREY-DB | Windows Server 2003 with SP2 | Microsoft SQL Server® 2005 Standard Edition with Service Pack 2 (SP2)
ADRMS-CLNT, ADRMS-CLNT2 | Windows Vista® | Microsoft Office Word 2007 Enterprise Edition
Note: Before installing and configuring the components in this guide, you should verify that your hardware meets the minimum requirements for AD RMS (https://go.microsoft.com/fwlink/?LinkId=84733).
The computers form two private intranets and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment, if desired. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller for the domain named cpandl.com is CPANDL-DC, and the domain controller for the domain named treyresearch.net is TREY-DC. The following figure shows the configuration of the test environment:
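The following pre-flight check is an added example, not part of the Microsoft guide. It verifies, from an AD RMS server (ADRMS-SRV or TREY-ADRMS), that every lab computer named in the table above resolves in DNS to an address inside the guide's 10.0.0.0/24 network and answers a ping, and that the two services the table lists for the AD RMS server role (World Wide Web Publishing Service, Windows service name W3SVC, and Message Queuing, service name MSMQ) are installed and running. It assumes name resolution between the two forests has already been configured and uses only cmdlets available in the PowerShell that ships with Windows Server 2008.

```powershell
# Added lab pre-flight check (not from the Microsoft guide).
# Run on each AD RMS server after the roles are installed. Assumes the lab
# uses 10.0.0.0/24 as stated in the guide and that both forests' names resolve.

$LabPrefix = '10.0.0.'   # private network ID from the guide's topology

# Computer names taken from the guide's table.
$LabHosts = @('CPANDL-DC', 'TREY-DC', 'ADRMS-SRV', 'TREY-ADRMS',
              'ADRMS-DB', 'TREY-DB', 'ADRMS-CLNT', 'ADRMS-CLNT2')

# Windows service names for the services the table lists on the AD RMS server:
#   W3SVC = World Wide Web Publishing Service (IIS)
#   MSMQ  = Message Queuing
$RequiredServices = @('W3SVC', 'MSMQ')

$ok = $true

foreach ($h in $LabHosts) {
    try {
        # IPv4 addresses only; the lab addressing plan is IPv4
        $addrs = [System.Net.Dns]::GetHostAddresses($h) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    } catch {
        Write-Warning "$h does not resolve in DNS"
        $ok = $false
        continue
    }
    foreach ($a in $addrs) {
        if (-not $a.IPAddressToString.StartsWith($LabPrefix)) {
            Write-Warning "$h resolves to $a, which is outside ${LabPrefix}0/24"
            $ok = $false
        }
    }
    if (-not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
        Write-Warning "$h does not answer ping"
        $ok = $false
    }
}

foreach ($s in $RequiredServices) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "Service $s is not installed on this server"
        $ok = $false
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "Service $s is $($svc.Status), expected Running"
        $ok = $false
    }
}

if ($ok) { 'Lab pre-flight check passed' } else { 'Lab pre-flight check found problems; see warnings above' }
```

Run the script once per AD RMS server before starting the trusted user domain steps; a name that resolves outside 10.0.0.0/24, or resolves in only one forest, is the most common reason later certification and licensing requests fail between the two forests.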