AD RMS trust ... network connections needed between RMS servers?
We have 2 AD RMS servers set up in our 2008 R2 forest. One domain is using the SCP and the other domain is using registry keys to point to the other AD RMS server.
We set up the trust between the AD RMS servers, both the Trusted User and Trusted Publishing domains. Did the export/import shuffle.
My question is this. Do the users in the other domain need to be able to connect to the AD RMS server in the source domain? Or do the AD RMS servers need to be able to connect to each other? Or neither? The error we are getting is that the recipients cannot connect to the source AD RMS server. So it looks like the recipient's machine is trying to connect to the source RMS server and not their RMS server.
Thanks for the help.
October 6th, 2010 10:14am
Hi,
As you said, there are two possible trusts:
1) Trusted User
When you set up a trusted user domain, this means that a user certified in a different domain (the trusted domain) can request an end-user license from your RMS server.
2) Trusted Publishing
When you set up a trusted publishing domain, this means that a user certified in your domain can request an end-user license from your server, but for content that was protected in the other domain.
So it looks like you only need to have a trusted publishing domain set up in your situation. Unfortunately there is a caveat in this. The URL where the user should look for end-user licenses is embedded in the document. Imagine this kind of situation.
User A is certified by (uses) the RMS server in forest A. User B is certified by (uses) the RMS server in forest B. RMS in forest A is located at https://rms.domain-a.com and RMS in forest B is located at https://rms.domain-b.com
User A creates a protected document. The protected document carries information about the URL of the RMS server in forest A (e.g. https://rms.domain-a.com). If User B tries to open the document he will try to contact https://rms.domain-a.com. There are two possible solutions:
1) Create a trusted user trust on both RMS servers and publish https://rms.domain-a.com and https://rms.domain-b.com. This way User B can authenticate against RMS A and get a use license if needed.
OR
2) Create a trusted publishing trust on both RMS servers and add a redirection in local DNS so that rms.domain-b.com resolves to rms.domain-a.com in forest A and rms.domain-a.com resolves to rms.domain-b.com in forest B. If you use rights policy templates, you will need to re-establish the trust each time the templates are changed so that RMS in forest A knows about the changes in forest B's templates and vice versa.
Feel free to ask if you need more information. Also check out these documents/forum posts:
http://technet.microsoft.com/en-us/library/dd983940(WS.10).aspx
http://technet.microsoft.com/en-us/library/dd772670(WS.10).aspx and
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/123e1946-97c7-4b74-9fa3-846f27d32e9c
BTW, there is a dedicated forum for RMS if you need more help:
http://social.technet.microsoft.com/Forums/en-US/rms/threads
HTH
Martin Rublik
October 7th, 2010 4:11am
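The two options in the answer above, scripted as an added example (this is not code from either poster). It uses the AdRmsAdmin PowerShell provider that ships with Windows Server 2008 R2 and the built-in dnscmd tool. The cluster URLs, the file share, the display names, the provider container paths, the zone name and the IP address are all assumed values; check the cmdlet parameters against Get-Help on your own servers before running it. Both options are shown back to back for reference; in practice you run only the one you chose.

```powershell
# Added example (not from the original thread): exchange AD RMS trust packages
# between two clusters and add the DNS alias that option 2 relies on.
# All URLs, paths, names and addresses below are assumptions.
Import-Module AdRmsAdmin

$ClusterA = 'https://rms.domain-a.com'   # assumed licensing URL, forest A
$ClusterB = 'https://rms.domain-b.com'   # assumed licensing URL, forest B
$Share    = '\\fileserver\rmstrust'      # assumed share reachable from both forests

# Mount both clusters. The provider calls each cluster's admin web service, so
# the workstation running this script must reach both URLs over HTTPS. This is
# an admin-side requirement only; it says nothing about what end users need.
New-PSDrive -Name A -PSProvider AdRmsAdmin -Root $ClusterA | Out-Null
New-PSDrive -Name B -PSProvider AdRmsAdmin -Root $ClusterB | Out-Null

# ---- Option 1: Trusted User Domain (TUD) in both directions ----
# Export-RmsTUD writes the cluster's own server licensor certificate (SLC);
# importing it on the partner makes the partner accept RACs issued by this
# cluster, so a user from forest B can get a use license from cluster A.
# The TrustPolicy container paths are the layout assumed here; verify with
# Get-ChildItem A:\TrustPolicy.
$TudA = Join-Path $Share 'forest-a.tud.bin'
$TudB = Join-Path $Share 'forest-b.tud.bin'
Export-RmsTUD -Path 'A:\TrustPolicy\TrustedUserDomain' -SavedFile $TudA -Force
Export-RmsTUD -Path 'B:\TrustPolicy\TrustedUserDomain' -SavedFile $TudB -Force
Import-RmsTUD -Path 'B:\TrustPolicy\TrustedUserDomain' -SourceFile $TudA -DisplayName 'Forest A users' -Force
Import-RmsTUD -Path 'A:\TrustPolicy\TrustedUserDomain' -SourceFile $TudB -DisplayName 'Forest B users' -Force

# ---- Option 2: Trusted Publishing Domain (TPD) in both directions ----
# A TPD export carries the cluster's SLC together with its private key,
# protected only by this password. Treat the file like a key backup: strong
# password, tight share ACL, delete it as soon as the import is done.
$TpdPassword = Read-Host -AsSecureString 'Password protecting the TPD export files'
$TpdA = Join-Path $Share 'forest-a.tpd.xml'
$TpdB = Join-Path $Share 'forest-b.tpd.xml'
Export-RmsTPD -Path 'A:\TrustPolicy\TrustedPublishingDomain' -SavedFile $TpdA -Password $TpdPassword -Force
Export-RmsTPD -Path 'B:\TrustPolicy\TrustedPublishingDomain' -SavedFile $TpdB -Password $TpdPassword -Force
Import-RmsTPD -Path 'B:\TrustPolicy\TrustedPublishingDomain' -SourceFile $TpdA -Password $TpdPassword -DisplayName 'Forest A publishing' -Force
Import-RmsTPD -Path 'A:\TrustPolicy\TrustedPublishingDomain' -SourceFile $TpdB -Password $TpdPassword -DisplayName 'Forest B publishing' -Force
Remove-Item $TpdA, $TpdB -Force

# Option 2 also needs forest A's DNS to send the partner's licensing name to
# the local cluster, because the URL baked into a document protected in
# forest B still says rms.domain-b.com. Run this part on a DNS server in
# forest A; the address is the one rms.domain-a.com already resolves to.
# Mirror it in forest B with the names swapped.
$LocalRmsIp = '10.10.1.5'   # assumed IP of rms.domain-a.com
dnscmd /ZoneAdd rms.domain-b.com /DsPrimary
dnscmd /RecordAdd rms.domain-b.com @ A $LocalRmsIp
```

Two things to check after running the option 2 half: the client will open an HTTPS connection to rms.domain-b.com but land on cluster A, so cluster A's certificate must carry that name (for example as a subject alternative name) or the connection fails on a name mismatch before any licensing happens; and, as the answer notes, every change to the partner's rights policy templates means exporting and importing that partner's TPD again.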