Appendix A: Using Contact Objects for Authentication Across Forests

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

The preferred method for configuring an Active Directory Rights Management Services (AD RMS) infrastructure to support information rights management (IRM) functionality in Microsoft Exchange Server 2010 across Active Directory forests is to migrate disabled Federated Delivery mailbox accounts between the forests. This method, described in Configuring AD RMS to Integrate with Exchange Server 2010 Across Multiple Forests, provides a more reliable and robust deployment of AD RMS and Exchange Server 2010 across forests.

Although we strongly recommend this method, it has the drawback of being somewhat difficult to implement. If performance and reliability are not important in a deployment (for example, in a demonstration lab setting), you can use an alternative method for giving Exchange Server 2010 the ability to decrypt messages and attachments protected by an AD RMS cluster in another forest. Instead of migrating the Federated Delivery mailbox account, you can create a contact item that represents the Federated Delivery mailbox account in the other forest, and then add that contact item to a nested distribution group inside the AD RMS super users group.

To implement this method, follow these steps:

  1. Configure Trusted User Domains

  2. Cross-Link Contacts

  3. Cross-Link Super Users Groups