RMS two forests
http://technet2.microsoft.com/windowsserver/en/library/2dfb40b7-95b1-4362-b32e-72867544b7051033.mspx?mfr=true

"To provide network security while still supporting network access by external users, you can create a separate Active Directory forest for partner accounts. With this topology, you can make a separate root certification cluster for the Internet-facing portion of the RMS system. This allows external users to receive their RMS machine certificate and rights account certificate from this Internet-facing root certification cluster the first time that they gain access to RMS-protected content. If you decide to implement a separate forest for external partners that will contain the partner accounts, RMS must be installed in that forest. You can then use the trusted publishing domain feature of RMS to establish trust between the two RMS servers. You also need to have the external DNS records identify the external cluster URL of the RMS installation in the forest created for the external partners. Creating this trust relationship would allow the external RMS server to issue use licenses for all content issued by the internal RMS system and vice versa."

I built this infrastructure model, but it's not working properly. Connection to the external server was not established. RMS clients will connect only to the internal RMS server. Is this part of the documentation correct?!
January 21st, 2008 5:58pm

I would like to hear a lot more about what test you are doing to try and get the RMS clients to hit the external forest. If you have a laptop that is part of your internal forest, you are going to have to overcome a lot of automated activity to hit the external forest. If you have a laptop that is joined to the external forest, using external DNS and you are logging into the laptop with a user that has an account in the external forest, you should have a very hard time hitting the internal RMS server. Let me know where the process is breaking,
January 23rd, 2008 6:07pm

So. I've built an analogous test infrastructure, the same as in the documentation: two forests (internal & external), two RMS root servers and clients. On both RMS servers all trusts (users and publishing) are created. I'm testing this design before implementing it. I logged into the internal forest, created a document and secured it for a user account that resides in the external forest. When I log in to the external forest and try to open the document, the RMS client on this computer tries to connect to the internal RMS server. Because no forest trust between the AD forests was created, this operation was useless. My understanding of this part of the documentation is that the client will connect only to the external RMS server, and I don't need an AD forest trust between the two forests. Is it possible to create this design?
January 24th, 2008 12:28am

It is possible, but there are a number of steps involved. It is outlined here: http://technet2.microsoft.com/windowsserver/en/library/d531dfdc-efff-4eb0-8d99-f1fd19d7a9631033.mspx?mfr=true

"No trust exists. The forests that are in the organization cannot authenticate users and groups from other forests. It is recommended that you not use cross-forest group expansion if the forests involved do not have a trust relationship. However, if it is an operational requirement that you do so, you can enable this scenario by configuring the RMS service account as a valid domain account in both forests, and must use the same user name and password for each. In addition, a local machine account must be created on each RMS front-end server, which also has the exact same user name and password as the domain accounts that are used for the RMS service account in both forests. This will automatically allow the local service sufficient permissions to authenticate to both the remote Active Directory and the remote RMS server."

You might be tripping on the naming trick that they outline. Also, that group expansion involves a setup of IIFP or MIIS (ILM). But it can be done. Good Luck!
January 24th, 2008 12:45am
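The quoted requirement (one service account name that authenticates with the same password in both forests and as a local account on each front-end server) is easy to get subtly wrong. The following PowerShell check is an added example, not code from the thread or from Microsoft; it assumes placeholder forest names and account name, runs on an RMS front-end server, and uses the .NET PrincipalContext.ValidateCredentials API to test each of the three scopes with the same credentials.

```powershell
# Added example: verify the "no trust" RMS service-account requirement.
# Placeholders below (forest names, account name) are assumptions; replace them.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$serviceAccount = 'rmssvc'                              # placeholder name
$forests        = @('internal.example', 'partner.example')  # placeholder forests

function Test-RmsServiceAccount {
    param(
        [string]$Name,
        [string]$Password,
        [string[]]$Forests
    )
    $results = @()

    # 1) The account must authenticate in every forest with the same password.
    #    Credentials are passed to the constructor so the bind itself does not
    #    rely on a forest trust that, in this scenario, does not exist.
    foreach ($forest in $Forests) {
        try {
            $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
                'Domain', $forest, $Name, $Password)
            $ok = $ctx.ValidateCredentials($Name, $Password)
            $ctx.Dispose()
        } catch {
            $ok = $false   # forest unreachable, name resolution failed, or bad bind
        }
        $results += [pscustomobject]@{ Scope = "forest $forest"; Authenticates = $ok }
    }

    # 2) A local account of the same name and password must exist on this front end.
    try {
        $local = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
            'Machine', $env:COMPUTERNAME)
        $ok = $local.ValidateCredentials($Name, $Password)
        $local.Dispose()
    } catch {
        $ok = $false
    }
    $results += [pscustomobject]@{ Scope = "local $env:COMPUTERNAME"; Authenticates = $ok }

    return $results
}

# Prompt for the password rather than embedding it; ValidateCredentials needs plain text.
$cred  = Get-Credential -UserName $serviceAccount -Message 'RMS service account password'
$plain = $cred.GetNetworkCredential().Password
Test-RmsServiceAccount -Name $serviceAccount -Password $plain -Forests $forests |
    Format-Table -AutoSize
```

Every row must show Authenticates = True; a False row points at the forest or the local machine whose copy of the account has a different name or password, which is the mismatch the documentation warns about.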
