Installing ADRMS in an AD resource forest

The resource forest approach aims to centralize enterprise applications in a dedicated AD forest, fully segregated from the user forests, which improves security. One of the enterprise applications that can be deployed in a resource forest is ADRMS. As you might expect, this is not a straightforward deployment: users from the user forest cannot be authenticated to the ADRMS licensing server in the resource forest, and they would not be able to find the Service Connection Point (SCP) in the resource forest. For this reason I will outline, at a high level, the procedures required to make this scenario work. This is not meant to be a step-by-step guide.

  1. Install ADRMS in the resource forest
  2. Use Forefront Identity Manager to migrate the user accounts from the user forest to the resource forest. The user accounts in the resource forest (called stub accounts) must be migrated as follows:
    1. Primary e-mail address must be migrated
    2. The user SID must be migrated to the SID history attribute of the stub account https://msdn.microsoft.com/en-us/library/windows/desktop/ms677982(v=vs.85).aspx
    3. The msDS-SourceObjectDN must be populated with the original DN of the user account
  3. For users to be able to locate the SCP in the resource forest, the SCP must be created manually in the configuration partition of the user forest.
  4. Disable SID filtering in the resource forest. (Warning: before you perform this task, research the security implications of this action.)
  5. Any customizations to the registry (such as the ADRMS templates location, licensing servers, etc.) must be implemented in the user forest.
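As an added example (not part of the original post), the following PowerShell script checks the outcome of steps 2 and 3: it verifies that every stub account in the resource forest has the three migrated attributes, that its SID history matches the SID of the source account in the user forest, and that the ADRMS SCP exists in the configuration partition of the user forest. The forest names, the availability of the ActiveDirectory module with rights in both forests, and the SCP location under CN=RightsManagementServices,CN=Services are assumptions.

```powershell
# Added example: validate ADRMS stub accounts and the manually created SCP.
# Forest names and the SCP location are assumptions, not values from the post.
Import-Module ActiveDirectory

$UserForest     = 'users.example.com'      # assumed user (account) forest
$ResourceForest = 'resource.example.com'   # assumed resource forest hosting ADRMS

# 1. Stub accounts: mail, SIDHistory and msDS-SourceObjectDN must all be
#    populated, and SIDHistory must contain the SID of the original user.
$stubs = Get-ADUser -Server $ResourceForest -LDAPFilter '(msDS-SourceObjectDN=*)' `
    -Properties mail, SIDHistory, 'msDS-SourceObjectDN'

$results = foreach ($stub in $stubs) {
    $sourceDn = $stub.'msDS-SourceObjectDN'
    $issues   = @()
    if (-not $stub.mail)       { $issues += 'mail missing' }
    if (-not $stub.SIDHistory) { $issues += 'SIDHistory missing' }

    # Resolve the original account in the user forest by the DN stored on the stub.
    $source = Get-ADUser -Server $UserForest -Identity $sourceDn -ErrorAction SilentlyContinue
    if (-not $source) {
        $issues += "source object $sourceDn not found in $UserForest"
    } else {
        $historySids = @($stub.SIDHistory | ForEach-Object { $_.Value })
        if ($historySids -notcontains $source.SID.Value) {
            $issues += 'SIDHistory does not contain the source account SID'
        }
    }
    [pscustomobject]@{
        Stub   = $stub.SamAccountName
        Source = $sourceDn
        Issues = ($issues -join '; ')
    }
}
# Only accounts with at least one problem are listed.
$results | Where-Object { $_.Issues } | Format-Table -AutoSize

# 2. The SCP created by hand in the user forest's configuration partition.
#    Assumed location: CN=SCP,CN=RightsManagementServices,CN=Services,<configNC>
$configNc = (Get-ADRootDSE -Server $UserForest).configurationNamingContext
$scpDn    = "CN=SCP,CN=RightsManagementServices,CN=Services,$configNc"
$scp = Get-ADObject -Server $UserForest -Identity $scpDn `
    -Properties serviceBindingInformation -ErrorAction SilentlyContinue
if ($scp) {
    "SCP present in $UserForest, binding: $($scp.serviceBindingInformation -join ', ')"
} else {
    "SCP missing in $UserForest (expected at $scpDn)"
}
```

Run it with an account that can read user objects in both forests; any stub listed with issues will not be recognised correctly by the licensing server until its attributes are corrected.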

I hope this helps