Planning for Deployment Across Forests
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you are deploying RMS in an environment with multiple forests, you need to determine what support might be required for users or groups who are outside of the forest in which RMS is deployed. The problem is that user or group objects from other forests do not typically have representative objects in the forest where RMS resides. If you intend to use RMS to restrict permissions to users or groups who are from other forests, you need to configure your forest appropriately to allow group expansion to occur across forests.
You can implement group expansion across forests for RMS in two ways:
Deploy RMS into the forest where the groups are defined, and where it will be used to expand the membership of these groups.
Use Active Directory Universal Groups so that the group membership is replicated to all Active Directory Global Catalog servers, including the RMS super users group.
Synchronize group definitions between forests to allow the local RMS installation to determine the complete group membership for any user. If the user who is requesting a use license has a Windows account in a separate forest, there must also be a contact object in the local forest to represent that user’s group membership. You can use metadirectories, such as Microsoft® Identity Integration Server (MIIS) 2003 or Identity Integration Feature Pack (IIFP), to implement full-fidelity synchronization of group objects across forests.
If you plan to use RMS for only one forest, you can optimize the process for issuing use licenses by modifying the MaxCrossForestCalls cluster policy in the RMS configuration database. This policy specifies the maximum number of times a group's membership can cross forest boundaries. The default value is 10. To change that value to 0, use the following SQL command:
update DRMS_ClusterPolicies set PolicyData=0 where PolicyName='MaxCrossForestCalls'
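The following Transact-SQL script is an added example, not part of the original article: it records the current MaxCrossForestCalls value, applies the change inside a transaction that is rolled back unless exactly one policy row is affected, and reads the value back. The database name is a placeholder (the RMS configuration database name is cluster-specific), and PolicyData is assumed to hold an integer-compatible value, as the article's own statement implies.

```sql
-- Added example (not from the original article). The database name is a
-- placeholder; substitute the name of your RMS configuration database.
USE [RMS_CONFIGURATION_DB_PLACEHOLDER];
GO

-- 1. Record the current value so it can be restored later if needed.
--    PolicyData is assumed to be integer-compatible (the article sets it to 0).
DECLARE @Current int;
SELECT @Current = PolicyData
  FROM DRMS_ClusterPolicies
 WHERE PolicyName = 'MaxCrossForestCalls';
PRINT 'MaxCrossForestCalls before change: '
      + ISNULL(CAST(@Current AS varchar(10)), '<row missing>');

-- 2. Apply the change; roll back unless exactly one row was updated, so a
--    missing or duplicated policy row is reported instead of silently ignored.
BEGIN TRANSACTION;
UPDATE DRMS_ClusterPolicies
   SET PolicyData = 0
 WHERE PolicyName = 'MaxCrossForestCalls';
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one MaxCrossForestCalls row; no change made.', 16, 1);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT 'MaxCrossForestCalls set to 0 (single-forest deployment).';
END

-- 3. Verify the stored value.
SELECT PolicyName, PolicyData
  FROM DRMS_ClusterPolicies
 WHERE PolicyName = 'MaxCrossForestCalls';

-- To restore the default (10) if cross-forest group expansion is needed again:
-- UPDATE DRMS_ClusterPolicies SET PolicyData = 10
--  WHERE PolicyName = 'MaxCrossForestCalls';
```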