AD RMS trust ... network connections needed between RMS servers?

  • Question

  • We have 2 AD RMS servers set up in our 2008 R2 forest.  One domain is using the SCP and the other domain is using registry keys to point to the other AD RMS server.

    We set up the trust between the AD RMS servers, both the Trusted User and Trusted Publishing domains.  Did the export/import shuffle.

    My question is this.  Do the users in the other domain need to be able to connect to the AD RMS server in the source domain?  Or, do the AD RMS servers need to be able to connect to each other?  Or neither?  The error we are getting is that the recipients cannot connect to the source AD RMS server.  So it looks like the recipient's machine is trying to connect to the source RMS server and not their RMS server.

    Thanks for the help.

    Wednesday, October 6, 2010 2:12 PM

Answers

  • Hi,

    As you said there are two possible trusts

    1) Trusted User

    When you set up a trusted user domain, this means that a user certified in a different domain (the trusted domain) can request an end user license from your RMS server.

    2) Trusted Publishing

    When you set up a trusted publishing domain, this means that a user certified in your domain can request an end user license from your server, but on content that was protected in the other domain.

    So it looks like you only need to have a trusted publishing domain set up in your situation. Unfortunately there is a caveat in this. The URL where the user should look for end user licenses is embedded in the document. Imagine this kind of situation.

    User A is certified by (uses) the RMS server in forest A. User B is certified by (uses) the RMS server in forest B. RMS in forest A is located at https://rms.domain-a.com and RMS in forest B is located at https://rms.domain-b.com

    User A creates a protected document. The protected document carries information about the URL of the RMS server in forest A (e.g. https://rms.domain-a.com). If User B tries to open the document he will try to contact https://rms.domain-a.com. There are two possible solutions:

    1) Create a trusted user trust on both RMS servers and publish https://rms.domain-a.com and https://rms.domain-b.com. This way User B can authenticate against RMS A and get a use license if needed.

    OR

    2) Create a trusted publishing trust on both RMS servers and add in local DNS a redirection so that rms.domain-b.com resolves to rms.domain-a.com in forest A and rms.domain-a.com resolves to rms.domain-b.com in forest B. If you use rights policy templates you will need to re-establish the trust each time the templates are changed so that RMS in forest A knows about the changes in forest B templates and vice versa.

    Feel free to ask if you need more information. Also check out these documents/forum posts:

    http://technet.microsoft.com/en-us/library/dd983940(WS.10).aspx
    http://technet.microsoft.com/en-us/library/dd772670(WS.10).aspx
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/123e1946-97c7-4b74-9fa3-846f27d32e9c

    BTW, there is a dedicated forum for RMS if you need more help: http://social.technet.microsoft.com/Forums/en-US/rms/threads

    HTH

    Martin Rublik


    Thursday, October 7, 2010 8:10 AM
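An added diagnostic for solution 2 above (example script, not from the thread or from Microsoft): run on a client in forest B, it checks that the remote RMS name embedded in documents from forest A now resolves to the local RMS cluster, and that the licensing pipeline behind that name actually answers. It assumes the hostnames from the answer and the standard AD RMS licensing path `/_wmcs/licensing/license.asmx`; a `TrustFailure` result means the redirected name is served by a certificate that does not cover it, which is the usual reason this setup fails after DNS is changed.

```powershell
# Constructed example values: the two cluster names used in the answer.
$LocalRms  = 'rms.domain-b.com'   # this forest's own RMS cluster
$RemoteRms = 'rms.domain-a.com'   # name embedded in documents protected in forest A

function Test-RmsRedirect {
    param([string]$LocalHost, [string]$RemoteHost)

    # 1. DNS: the remote name must resolve to an address of the local cluster.
    $localIps  = [System.Net.Dns]::GetHostAddresses($LocalHost)  | ForEach-Object { $_.IPAddressToString }
    $remoteIps = [System.Net.Dns]::GetHostAddresses($RemoteHost) | ForEach-Object { $_.IPAddressToString }
    $redirected = @($remoteIps | Where-Object { $localIps -contains $_ }).Count -gt 0

    # 2. HTTPS: the licensing pipeline is what a recipient contacts for a use license.
    #    A 401 here is fine (Windows auth challenge); it proves the right server answered.
    $url = "https://$RemoteHost/_wmcs/licensing/license.asmx"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method = 'HEAD'
    $req.Timeout = 5000
    $status = $null; $tlsOk = $true
    try {
        $resp = $req.GetResponse(); $status = [int]$resp.StatusCode; $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Status -eq 'ProtocolError') {
            $status = [int]$_.Exception.Response.StatusCode
        } elseif ($_.Exception.Status -eq 'TrustFailure') {
            $tlsOk = $false; $status = 'TrustFailure'   # cert does not cover $RemoteHost
        } else {
            $status = $_.Exception.Status.ToString()
        }
    }
    $certSubject = if ($req.ServicePoint.Certificate) { $req.ServicePoint.Certificate.Subject } else { $null }

    [pscustomobject]@{
        RemoteName        = $RemoteHost
        ResolvesTo        = ($remoteIps -join ',')
        RedirectedToLocal = $redirected
        LicensingUrl      = $url
        HttpResult        = $status
        TlsTrusted        = $tlsOk
        CertSubject       = $certSubject
    }
}

Test-RmsRedirect -LocalHost $LocalRms -RemoteHost $RemoteRms | Format-List
```

Run the same check on a client in forest A with the two names swapped; both directions must show RedirectedToLocal = True and an HTTP 200/401 with TlsTrusted = True.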