Enabling Shared Content in Complex Organizations

Applies To: Windows Server 2008, Windows Server 2008 R2

Large and complex organizations often have network environments that are partitioned, or otherwise disjoint, and the directory service is typically one layer at which this isolation is reflected. In Active Directory, there are several partitioning units, with the AD forest acting as the security boundary. Large organizations that have implemented separate environments (either for isolation purposes or as a result of the historical evolution of their environment) typically have multiple disjoint Active Directory forests. Typically, security principals (users, computers, services, and so on) in one forest cannot be assigned rights on resources in another forest.

Despite these complexities, large organizations need to share information across all of their networks, regardless of the directory services topology. Companywide email messages must be able to reach all the users in the organization, and individual documents from one division hosted in one AD forest might need to be accessed by another division hosted in a separate forest. While those divisions might use different systems and platforms, the need to share information implies that the ability to consume information must not be restricted by the network topology.

One such example of a complex organization is Microsoft. While the majority of users and resources are hosted in a single Active Directory forest, there exist several additional forests that are used for various functions, such as backward compatibility testing, that must be completely independent from the corporate AD forest. Users located in these separate forests still must be able to share information with the rest of the company.

Active Directory Rights Management Services, while typically used to restrict access to documents, should not restrict the flow of information in the organization. A protected document should not be difficult or impossible to consume by anyone in the organization (its access should be dictated only by the restrictions applied to the document).

Because AD RMS uses Active Directory to authenticate the users to whom rights in a protected document have been granted, the forest is the boundary for the application of rights to a document protected with AD RMS. Thus, if a document is to be consumed by users in different forests in an organization, or if the user applying rights to a document is in a different forest than the users consuming it, special design considerations have to be made in order for the document to be accessible by all intended parties.

If you have users in separate forests, even within the same organization, the situation is essentially the same as having users in different organizations. The methods for dealing with this situation are explained in the following sections.