Clients and AD RMS on Different Forests

  • Question

  • Hi,

    I have 2 AD forests, Forest A and Forest B. AD RMS server is located in Forest A and my clients are located in Forest B.

    Forest B does not have an AD RMS server and, due to certain reasons, I am unable to set up an AD RMS server in Forest B.

    I have tried doing a simple setup and performed the following:

    • Established a one-way trust between Forest A and Forest B (Forest B trusting Forest A)
    • Configured the 'ServiceLocation' registry keys for the clients in Forest B to locate the AD RMS server in Forest
    • Assigned the users in Forest B to a domain local security group in Forest A
    • Allowed the created domain local security group to access the 'Certification', 'Licensing' and 'GroupExpansion' webpages by giving it 'Read & Execute' permission in IIS

    Unfortunately, the setup didn't work. I encountered errors such as 'Failed to find an entry for current user in the Active Directory that was contacted by the endpoint' and 'A group email address was not found the current user' when doing a diagnostic with the RMS Client Diagnostics Tool.

    Is it possible for me to configure clients in Forest B to publish RMS-protected content using RMS templates from the AD RMS server located in Forest A? If yes, how do I go about doing this?

    Thanks in advance.

    • Edited by loftystew Thursday, March 9, 2017 4:11 AM
    Wednesday, March 8, 2017 2:27 PM

All replies

  • AD RMS will need to use AD DS contact objects to obtain the identities of users and groups that are part of the other forest where the accounts exist.

    The AD RMS resource/account forest model relies upon:
     • The RMS server is in the resource forest, and
     • The users are in the account forest.
     • The machines are logging into the resource forest

    AD RMS looks at the account's SID History to locate its domain.

    Thursday, March 9, 2017 10:41 PM
  • AD RMS will need to use AD DS contact objects to obtain the identities of users and groups that are part of the other forest where the accounts exist.

    The AD RMS resource/account forest model relies upon:
     • The RMS server is in the resource forest, and
     • The users are in the account forest.
     • The machines are logging into the resource forest

    AD RMS looks at the account's SID History to locate its domain.

    Thanks for replying.

    Does this mean the client machines have to join the resource forest domain?


    Friday, March 10, 2017 12:32 PM
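As an added example (not code from the thread or from Microsoft), the PowerShell below does the two things the question and the reply turn on: it writes the MSIPC 'ServiceLocation' override keys that point Forest B clients at the Forest A cluster, and it checks whether a given account-forest mailbox has a mail-bearing object (user or contact) in the resource forest, which is what the 'Failed to find an entry for current user' and group email errors point at. The host names, the resource-forest DC and the RSAT ActiveDirectory module are assumptions; run it elevated, since the keys live under HKLM.

```powershell
# Added example, not from the thread. Assumed names: rms.foresta.example is the
# Forest A AD RMS cluster, dc1.foresta.example is a DC in the resource forest.
Import-Module ActiveDirectory

$RmsHost   = 'rms.foresta.example'   # assumption: AD RMS cluster URL host in Forest A
$ForestADc = 'dc1.foresta.example'   # assumption: domain controller in the resource forest

function Set-RmsServiceLocation {
    # Writes the MSIPC client override keys so a Forest B client skips the SCP
    # lookup (which it cannot resolve in its own forest) and uses Forest A directly.
    param(
        [string]$Certification = "https://$RmsHost/_wmcs/Certification",
        [string]$Licensing     = "https://$RmsHost/_wmcs/Licensing"
    )
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\MSIPC\ServiceLocation',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSIPC\ServiceLocation'   # 32-bit Office on 64-bit Windows
    )
    $values = @{ EnterpriseCertification = $Certification; EnterprisePublishing = $Licensing }
    foreach ($root in $roots) {
        foreach ($name in $values.Keys) {
            $key = Join-Path $root $name
            New-Item -Path $key -Force | Out-Null              # creates the subkey if missing
            Set-ItemProperty -Path $key -Name '(Default)' -Value $values[$name]
        }
    }
}

function Test-RmsPrincipalMapping {
    # AD RMS resolves the caller and the groups it expands by the mail attribute in
    # the forest the server queries. An account-forest user therefore needs an object
    # (normally a contact) in the resource forest carrying the same mail value.
    param([Parameter(Mandatory)][string]$Mail)
    $obj = Get-ADObject -Server $ForestADc -LDAPFilter "(mail=$Mail)" -Properties mail,objectClass
    if (-not $obj) {
        Write-Warning "No object with mail=$Mail in the resource forest; expect 'Failed to find an entry for current user'."
        return $false
    }
    Write-Host ("Resource forest has {0} '{1}' for {2}" -f $obj.objectClass, $obj.DistinguishedName, $Mail)
    return $true
}

# Usage on a Forest B client (constructed sample address):
Set-RmsServiceLocation
Test-RmsPrincipalMapping -Mail 'alice@forestb.example'
```

Run Test-RmsPrincipalMapping for the mail-enabled groups you expect 'GroupExpansion' to resolve as well, since a group without a mail value in the resource forest produces the 'group email address was not found' diagnostic.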