Adding a Trusted User Domain

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

By default, Active Directory Rights Management Services (AD RMS) does not service requests from users whose rights account certificate (RAC) was issued by a different AD RMS installation. However, you can add user domains to the list of trusted user domains (TUDs), which allows AD RMS to process such requests.

For each trusted user domain (TUD), you can also add and remove specific users or groups of users. In addition, you can remove a TUD; however, you cannot remove the root cluster for this Active Directory forest from the list of TUDs. Every AD RMS server trusts the root cluster in its own forest.

You can add TUDs as follows:

  • To support external users in general, you can trust Windows Live ID. This allows an AD RMS cluster that is in your company to process licensing requests that include a RAC that was issued by Microsoft’s online RMS service. For more information about trusting Windows Live ID in your organization, see Using Windows Live ID to Establish RACs for Users.

  • To trust external users from another organization’s AD RMS installation, you can add the organization to the list of TUDs. This allows an AD RMS cluster to process a licensing request that includes a RAC that was issued by an AD RMS server in the other organization.

  • In the same manner, to process licensing requests from users within your own organization who reside in a different Active Directory forest, you can add the AD RMS installation in that forest to the list of TUDs. This allows an AD RMS cluster in the current forest to process a licensing request that includes a RAC that was issued by an AD RMS cluster in the other forest.

  • For each TUD, you can specify which e-mail domains, including their child domains, are trusted. For trusted Windows Live ID sites and services, you can specify which e-mail users or domains are not trusted.

Before you can add a trusted user domain, the server licensor certificate (SLC) of the domain to be trusted must be exported to a file. For more information, see Exporting a Trusted User Domain.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To add a trusted user domain

  • At the Windows PowerShell command prompt, type:

    Import-RmsTUD -Path <drive>:\TrustPolicy\TrustedUserDomain -DisplayName "<name>" -SourceFile <file_path> [-TrustADFederatedUser]

    where <drive> is the name of the Windows PowerShell drive, <name> is a name to identify this trusted user domain, and <file_path> is the path to the exported server licensor certificate of the user domain to trust. Specify -TrustADFederatedUser to extend this trust to federated users.

To specify properties of the trusted user domain

  1. At the Windows PowerShell command prompt, type:

    Get-ChildItem -Path <drive>:\TrustPolicy\TrustedUserDomain

    where <drive> is the name of the Windows PowerShell drive. Note the ID of the TUD you want to modify.

  2. To specify which e-mail domains within the trusted user domain are trusted, at the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\TrustPolicy\TrustedUserDomain\<TUD_ID> -Name TrustedEmailDomain -Value <domain>[,<domain>…]

    where <drive> is the name of the Windows PowerShell drive, <TUD_ID> is the ID of the TUD you found in the previous step, and <domain> is the e-mail domain you want to trust. You can specify more than one domain as a comma-separated list.

    For example, for a Windows PowerShell drive named Z, to configure the TUD with the ID of 101 to trust the e-mail domains fabrikam.com and fabrikam.net, at the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path Z:\TrustPolicy\TrustedUserDomain\101 -Name TrustedEmailDomain -Value fabrikam.com, fabrikam.net

  3. To issue licenses to Active Directory Domain Services (AD DS) security identifiers (SIDs) rather than using just the e-mail address attribute in AD DS, at the Windows PowerShell command prompt, type:

    Set-ItemProperty -Path <drive>:\TrustPolicy\TrustedUserDomain\<TUD_ID> -Name IsLicensingToSIDEnabled -Value $true

    where <drive> is the name of the Windows PowerShell drive, and <TUD_ID> is the ID of the TUD you found in the first step.
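    The two procedures above (importing the TUD and then setting its properties) carried through as one script. This is an added example, not from the original page; it assumes the AdRmsAdmin module and the New-PSDrive -PSProvider AdRmsAdmin form described in Using Windows PowerShell to Administer AD RMS, and that the objects returned by Get-ChildItem expose Id and DisplayName properties. The display name, file path and e-mail domains are constructed sample values.

```powershell
# Added example: import a TUD, then scope it to named e-mail domains and enable
# SID licensing. Assumptions: AdRmsAdmin module, New-PSDrive -PSProvider AdRmsAdmin,
# and Id/DisplayName properties on the TUD child items (not confirmed by this page).
Import-Module AdRmsAdmin
New-PSDrive -PSProvider AdRmsAdmin -Name Z -Root https://localhost | Out-Null

$tudName   = "Fabrikam TUD"                      # constructed sample name
$slcFile   = "C:\Exports\fabrikam-slc.xml"       # exported SLC of the cluster to trust
$emailDoms = @("fabrikam.com", "fabrikam.net")   # constructed sample domains

# Import-RmsTUD needs the exported SLC; stop early if it is missing.
if (-not (Test-Path $slcFile)) { throw "SLC file not found: $slcFile" }

# Step 1: add the trust. -TrustADFederatedUser is deliberately omitted; add it
# only when federated users of that organization must also be trusted.
Import-RmsTUD -Path Z:\TrustPolicy\TrustedUserDomain -DisplayName $tudName -SourceFile $slcFile

# Step 2: find the ID of the TUD just created (instead of reading it by eye).
$tud = Get-ChildItem -Path Z:\TrustPolicy\TrustedUserDomain |
       Where-Object { $_.DisplayName -eq $tudName }
if (-not $tud) { throw "TUD '$tudName' was not found after import" }
$tudPath = "Z:\TrustPolicy\TrustedUserDomain\$($tud.Id)"

# Step 3: restrict the trust to the listed e-mail domains (and their child domains),
# so a RAC from that cluster is honored only for users in those domains.
Set-ItemProperty -Path $tudPath -Name TrustedEmailDomain -Value $emailDoms

# Step 4: license to AD DS SIDs as well as the e-mail address attribute.
Set-ItemProperty -Path $tudPath -Name IsLicensingToSIDEnabled -Value $true

# Show the resulting TUD entry so the scoping can be checked before use.
Get-ChildItem -Path Z:\TrustPolicy\TrustedUserDomain |
    Where-Object { $_.Id -eq $tud.Id } | Format-List *
```

Leaving TrustedEmailDomain unset trusts every RAC the imported cluster issues, so set it before relying on the trust.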

To remove a trusted user domain

  1. At the Windows PowerShell command prompt, type:

    Get-ChildItem -Path <drive>:\TrustPolicy\TrustedUserDomain

    where <drive> is the name of the Windows PowerShell drive. Note the ID of the TUD you want to remove.

  2. To remove the trusted user domain, at the Windows PowerShell command prompt, type:

    Remove-Item -Path <drive>:\TrustPolicy\TrustedUserDomain\<TUD_ID>

    where <drive> is the name of the Windows PowerShell drive, and <TUD_ID> is the ID of the TUD you are removing.

See Also

Concepts

Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
AD RMS Administration Cmdlets
Establishing Trust Policies

Other Resources

Understanding AD RMS Trust Policies