Adding and Removing Trusted Publishing Domains

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default, an RMS server can issue use licenses only against the publishing licenses that it, or another server in its cluster, issued. If you have content that was published by using another root cluster either in your organization, for example a subsidiary organization in another forest, or in another separate organization, your RMS server can grant use licenses to users for this content if you configure a trusted publishing domain on your RMS root cluster. By adding a trusted publishing domain, you set up a trust relationship between your RMS server and the other root cluster by importing the server licensor certificate of the other server. There is no limit to the number of trusted publishing domains that you can configure for your RMS root cluster.

You can remove an added trusted publishing domain at any time by removing its certificate from the list of certificates for trusted publishing domains.

To add a trusted publishing domain, you must import the server licensor certificate, the private key (if the private key is stored in software rather than in a hardware security module), and all the rights policy templates for the RMS cluster. The administrator must first export these items from the cluster to trust to a password-protected file, and then specify the password that is required to decrypt it. The administrator must place that file on a shared folder and inform you of the password. You can then import the file by specifying the file location and password. To save the file, the account running the Admin application pool must have permissions for the shared folder.

For step-by-step instructions about how to establish a trusted publishing domain, see “To Add a Trusted Publishing Domain” later in this subject.

If the private key is stored in a hardware security module, you must transfer the private key to the hardware security module that is on the trusted server by following the instructions in the hardware security module documentation. Depending on the type of hardware security module that is on each server and the configuration of the hardware security module devices, you may not be able to transfer the private key from one hardware security module to another. Review the hardware security module documentation to determine whether you can transfer the private key without losing data located in the destination hardware security module. If you cannot successfully transfer the private key, you cannot establish a trusted publishing domain between the two servers.


If you are using a hardware security module to protect your RMS private key and are importing a server licensor certificate from an RMS installation that uses software-based private key protection, you must specify a private key password on the Security settings page of each RMS server in the cluster before you attempt to import the certificate.