Trusted Publishing Domain

Applies To: Windows Server 2008, Windows Server 2008 R2

Because of the group expansion complexities associated with trusted user domains, and the connectivity needed to validate licenses (and to establish and maintain the relationship between forests if you want group expansion capabilities and GAL synchronization), deploying a trusted publishing domain (TPD) can in some cases be a less demanding way to implement an Active Directory Rights Management Services (AD RMS) solution in a multiple-forest environment.

Trusted publishing domains allow one AD RMS server to issue use licenses that correspond with a publishing license issued by another AD RMS server. A trusted publishing domain is added by importing the server licensor certificate and private key of the server to be trusted. This is an important consideration, because sharing the private key implies a high level of trust in the recipient.

By default, servers in an Active Directory Rights Management Services cluster can issue use licenses that correspond only with publishing licenses issued by the same cluster. By configuring a trusted publishing domain, you can enable an AD RMS cluster to grant use licenses for content protected by another cluster, either in the same organization or in a separate organization. There is no limit to the number of trusted publishing domains that can be configured for an Active Directory Rights Management Services cluster.

One scenario where this solution is commonly used is when a company acquires another company that already has an AD RMS implementation in place (which must then be de-provisioned), or when an AD RMS solution’s architecture is reconfigured in order to eliminate an existing cluster. With this feature, you can consolidate the issuance of end-user licenses and client licensor certificates to a single point. In cases where forests are merged using a trusted publishing domain, documents protected by both AD RMS clusters may still be consumed, even in the case where a cluster is de-provisioned.

To add a trusted publishing domain, you must import the server licensor certificate, the private key, and all rights-policy templates for the AD RMS server or cluster in the domain you want to trust. These artifacts must be exported from the original server or cluster to a password-protected file. You can then import them by specifying the file location and password.

If the private key is stored in a hardware security module (HSM), a special procedure must be used to export the private key, which might not be possible for some HSM units.

In order for clients to obtain use licenses from the local AD RMS cluster, they must be configured with registry overrides that map the original licensing server path to the new server path. This enables users to obtain use licenses without having access to the original licensing server, which might be in a separate network or no longer exist.
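The export, import, and client-redirection steps described above, as an added PowerShell example that is not part of the original article. It uses the Export-RmsTPD and Import-RmsTPD cmdlets from the AD RMS administration module (AdRmsAdmin). The server names, file paths, display name, provider paths and licensing URLs are assumptions, and the client registry key is a placeholder, because the article does not name it; verify the exact key in the AD RMS client documentation before deploying step 3.

```powershell
# Added example (not from the original article). Assumes the AD RMS
# administration PowerShell module (AdRmsAdmin) is available on both clusters.
# Server names, file paths, the display name, provider paths and the
# registry key below are assumptions or placeholders.

# --- Step 1: on the cluster to be trusted (source), export its TPD --------
# The export holds the server licensor certificate, its private key and the
# rights-policy templates, protected by the password you supply. Treat the
# file like the private key itself: move it over a trusted channel and delete
# every copy once the import has succeeded.
Import-Module AdRmsAdmin
$tpdPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported TPD'
$exportFile  = 'C:\Temp\source-cluster-tpd.xml'   # assumed path

# The cluster's own TPD is assumed to be the first entry under this node;
# confirm with Get-ChildItem before exporting.
Export-RmsTPD -Path 'AdrmsAdmin:\TrustPolicy\TrustedPublishingDomain\1' `
              -SavedFile $exportFile -Password $tpdPassword

# --- Step 2: on the local cluster (destination), import the file ----------
Import-Module AdRmsAdmin
$tpdPassword = Read-Host -AsSecureString -Prompt 'Password used when the TPD was exported'
Import-RmsTPD -Path 'AdrmsAdmin:\TrustPolicy\TrustedPublishingDomain' `
              -DisplayName 'Acquired company cluster (de-provisioned)' `
              -SourceFile 'C:\Temp\source-cluster-tpd.xml' -Password $tpdPassword

# List the trusted publishing domains to confirm the new entry is present.
Get-ChildItem 'AdrmsAdmin:\TrustPolicy\TrustedPublishingDomain'

# --- Step 3: on each client, map the old licensing path to the new one ----
# Placeholder: the article does not give the licensing-redirection registry
# key; replace it with the key documented for the AD RMS client.
$redirectKey  = 'HKLM:\SOFTWARE\<AD RMS client licensing-redirection key>'
$oldLicensing = 'https://rms.oldcompany.example/_wmcs/licensing'   # assumed
$newLicensing = 'https://rms.contoso.example/_wmcs/licensing'      # assumed
if (-not (Test-Path $redirectKey)) {
    New-Item -Path $redirectKey -Force | Out-Null
}
# Value name is the original licensing path, value data is the local cluster.
New-ItemProperty -Path $redirectKey -Name $oldLicensing -Value $newLicensing `
                 -PropertyType String -Force | Out-Null
```

Steps 1 and 2 run on the respective AD RMS servers with an account that has AD RMS administrator rights; step 3 is typically pushed to clients through Group Policy rather than typed on each machine. The password-protected export file is the sensitive artifact here: it is the private key that the last paragraph of this article warns about, so it should not be left on file shares or in mailboxes after the import completes.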

Because group expansion is performed on the server that hosts the subjects of the use licenses, there is no need for forest trusts when using trusted publishing domains. Therefore, implementing TPDs has less administrative and traffic overhead than implementing trusted user domains. However, the GAL synchronization that a forest trust provides might still be advantageous, because it makes it easy for the users publishing content to look up destination IDs.

One administrative task that must be done periodically with a TPD between two live AD RMS clusters is synchronizing rights-policy templates. Since the templates are used as the basis for assigning rights to users consuming the documents, they must be kept up to date in the destination system. This periodic synchronization of the templates is not necessary in cases where a TPD is used to replace a cluster that is removed from service.

The most significant risk when you use a TPD is sharing the private key for a cluster. Administrators can understandably be reluctant to share the private key for their AD RMS servers because the key can be used to spoof an AD RMS cluster and decrypt content managed and licensed by the cluster. Thus, a trusted publishing domain is typically implemented within a single organization; in most cases, it is implemented to allow the continued issuance of licenses for documents protected by a de-provisioned cluster.