Configuring AD RMS to Integrate with Exchange Server 2010 Across Multiple Forests
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1
Enabling information rights management (IRM) functionality in Microsoft Exchange Server 2010 with Active Directory Rights Management Services (AD RMS) across more than one Active Directory Domain Services forest requires additional configuration beyond what is necessary when Exchange Server 2010 and AD RMS are deployed in a single forest. In deployments across forests, the AD RMS clusters must be configured to trust each other, and the Exchange servers must be authenticated in the AD DS forests that contain those AD RMS clusters and given super-user authority for those AD RMS clusters. There are two methods for providing this authentication across forests:
Migrate disabled Exchange Server 2010 user accounts between forests
In each forest, create contact objects that represent Exchange Server 2010 in the other forest
The first method is somewhat more complex to implement but provides a more robust solution. The second method is easier to implement but can prevent the AD RMS cluster in one forest from servicing licensing requests if the AD RMS cluster in the other forest becomes unavailable. For this reason, this section describes how to provide authentication across forests by using migrated user accounts. The method that uses contact objects is recommended only for use in lab-type deployments and is described in Appendix A: Using Contact Objects for Authentication Across Forests.
Before you perform the tasks described in this section:
You must configure each forest to integrate Exchange Server 2010 with AD RMS, as described in Configuring AD RMS to Integrate with Exchange Server 2010 in a Single Forest.
An Active Directory Domain Services administrator must establish trust relationships among all of the forests that contains the AD RMS clusters and Exchange Server 2010 servers.
You must configure the AD RMS clusters in each forest to support users in other forests. For more information, see Configuring AD RMS Across Forests and Checklist: Deploying AD RMS in an Organization with Users in Multiple Forests.
If your network configuration uses proxy servers between forests, you must configure them to allow communication between AD RMS clients (such as Exchange servers) in one forest and AD RMS servers in the other forest, for example by including the AD RMS servers in the proxy bypass lists of the proxy servers in the client forests.
Configuring AD RMS to enable Exchange Server 2010 IRM functionality across more than one forest consists of the following tasks:
Export trusted user domains from each AD RMS cluster and add them to the AD RMS clusters in other forests. This allows the AD RMS cluster in each forest to issue client licensor certificates and use licenses for users in the other forests.
Migrate disabled user accounts representing Exchange Server 2010 in one forest to the other forest.
Add the migrated user account to the AD RMS super users group in each forest.
This section contains the following procedures for performing these tasks.