Adding a Trusted Publishing Domain

Updated: October 22, 2009

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

By default, servers in an Active Directory Rights Management Services (AD RMS) cluster can issue use licenses only against the publishing licenses that it, or another server in its cluster, issued. If you have content that was published by using another AD RMS root cluster either in your organization, for example a subsidiary organization in another forest, or in another, separate organization, your AD RMS cluster can grant use licenses to users for this content if you configure a trusted publishing domain (TPD). By adding a TPD, you set up a trust relationship between your AD RMS cluster and the other root cluster by importing the server licensor certificate (SLC) of the other cluster. There is no limit to the number of TPDs that you can configure for your AD RMS cluster.

If the cluster key is stored in a CSP, you must transfer the cluster key to the CSP key container on each trusted server in the cluster by following the instructions in the CSP manufacturer's documentation. Depending on the type of CSP on each server and the configuration of any hardware security module devices, you might not be able to transfer the cluster key from one hardware security module to another. If you are using a CSP with a hardware security module (HSM), review the hardware security module documentation to determine whether you can transfer the cluster key without losing data that is in the destination hardware security module. If you cannot successfully transfer the cluster key, you cannot establish a trusted publishing domain.


If you are using a hardware-based CSP, also known as a hardware security module (HSM), to protect your AD RMS cluster key and you are importing an SLC from an AD RMS installation that internally manages the AD RMS cluster key, you must specify a cluster key password for the cluster before you attempt to import the certificate.

This procedure assumes that you have exported the TPD of another AD RMS cluster. For more information about exporting the TPD, see Exporting a Trusted Publishing Domain.

Membership in the local AD RMS Enterprise Administrators, or equivalent, is the minimum required to complete this procedure.

To add a trusted publishing domain

  1. To securely store the cluster key password in a variable, at the Windows PowerShell command prompt, type:

    $password = Read-Host -AsSecureString -Prompt “Password:”

  2. Type the cluster key password, and then press the ENTER key.

  3. At the Windows PowerShell command prompt, type:

    Import-RmsTPD -Path <drive>:\TrustPolicy\TrustedPublishingDomain -DisplayName “<name>” -FileFullPath <file_path> -Password $password

    where <drive> is the name of the Windows PowerShell drive, “<name>” is a name to identify this trusted user domain, and <file_name> is the path of the file containing the TPD being imported.

To remove a trusted publishing domain

  1. At the Windows PowerShell command prompt, type:

    Get-ChildItem -Path <drive>:\TrustPolicy\TrustedPublishingDomain

    where <drive> is the name of the Windows PowerShell drive. Note the ID of the TPD you want to remove.

  2. To remove the trusted publishing domain, at the Windows PowerShell command prompt, type:

    Remove-Item -Path <drive>:\TrustPolicy\TrustedPublishingDomain\<TPD_ID>

    where <drive> is the name of the Windows PowerShell drive and <TPD_ID> is the ID of the TPD you are removing.

See Also


Using Windows PowerShell to Administer AD RMS
Understanding the AD RMS Administration Provider Namespace
AD RMS Administration Cmdlets
Establishing Trust Policies
Exporting a Trusted Publishing Domain

Other Resources

Understanding AD RMS Trust Policies