
RMS: Protecting Your Assets.

The Protecting 'My' Asset Disclaimer: This is my 'un-official', 'in my spare time', 'use at your own risk', all things RMS (Rights Management Services), IRM (Information Rights Management), IPP (Information Protection Pla

Single Forest, Single Domain seeks NON-Universal group to share many bytes of RMS data with


O.K. So I get asked this question a lot. "I've got one forest with a single domain. Do I still need to use a universal group?"

The answer is 'you don't technically have to'. Here is the deal. As we all know, universal groups are the only groups whose membership is replicated to every global catalog (GC) in the forest. Let's say you have a forest 'foo.com' with a child domain 'domain.foo.com'. Now you RMS-protect a message and send it to a group. How does RMS deal with this?

Well, RMS is going to grab the first 5 GCs that respond to its request and cycle through them for EUL (end-user license) validation. So let's say mail is being sent to a security group called SecGroup1@domain.foo.com, that joe@domain.foo.com is a member of, and RMS grabs these 5 GCs:

GC1.domain.foo.com
GC2.domain.foo.com
GC3.domain.foo.com
GC4.domain.foo.com
GC.foo.com

What do you think will happen when RMS queries each of these GCs for the membership of SecGroup1?

GC1.domain.foo.com - Good
GC2.domain.foo.com - Good
GC3.domain.foo.com - Good
GC4.domain.foo.com - Good
GC.foo.com - Fail

So your user has a 1 in 5 chance of getting an EUL, when a message is sent to a security group in domain.foo.com.

What are your options?

Well, you've really got 3. The first is to leave it alone and take your chances at the wheel. OK, maybe that's not the best option. The next option is to make that group a universal group. The membership will get replicated to GC.foo.com, and you now have a 5 in 5 chance of getting an EUL. The last option, which not many people know about, is that you can tell RMS which GCs it should query. You would set the following key:

HKLM\Software\Microsoft\DRMS\1.0\   <-- change the 1.0 to 2.0 for WS2008 AD RMS
REG_SZ: GC
VALUE: comma-delimited list of GC FQDNs (e.g. GC1.domain.foo.com,GC2.domain.foo.com,GC3.domain.foo.com,GC4.domain.foo.com)

Now you have a 4 in 4 chance of getting an EUL using a security group, or another domain local group.
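The third option scripted, as an added PowerShell example that is not from the original post: it warns when the group is not universal, collects only the GCs that belong to the user's own domain, and writes them to the DRMS "GC" REG_SZ value. It assumes the ActiveDirectory RSAT module and local admin rights on the RMS server; the domain, group and version values are the post's sample names and are placeholders.

```powershell
# Added example (not from the original post). Pins RMS to the GCs of the
# group's own domain so the forest-root GC, which never holds the membership
# of a domain local or global group, is not in the rotation.
# Assumes: ActiveDirectory module (RSAT), run as local admin on the RMS server.
param(
    [string]$Domain  = 'domain.foo.com',   # assumption: the post's sample domain
    [string]$Version = '2.0',              # '1.0' for RMS 1.0, '2.0' for WS2008 AD RMS
    [string]$Group   = 'SecGroup1'         # assumption: the group mail is sent to
)
Import-Module ActiveDirectory

# 1. Only universal group membership replicates to every GC in the forest,
#    so flag any other scope before pinning GCs.
$g = Get-ADGroup -Identity $Group -Properties GroupScope
if ($g.GroupScope -ne 'Universal') {
    Write-Warning "$Group is a $($g.GroupScope) group; its membership only resolves on GCs in $Domain."
}

# 2. Collect the GCs that live in the group's own domain (GC.foo.com is excluded).
$gcs = Get-ADDomainController -Server $Domain -Filter { IsGlobalCatalog -eq $true } |
       Where-Object { $_.Domain -eq $Domain } |
       Select-Object -ExpandProperty HostName |
       Sort-Object

if (-not $gcs) { throw "No global catalogs found in $Domain" }
$list = $gcs -join ','

# 3. Write the comma-delimited list to HKLM\Software\Microsoft\DRMS\<version>\GC (REG_SZ).
$key = "HKLM:\Software\Microsoft\DRMS\$Version"
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'GC' -PropertyType String -Value $list -Force | Out-Null
Write-Host "Set $key\GC = $list"
```

Re-run the script whenever a GC is added or retired in the domain, since the value is a static list that RMS will not refresh on its own.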

Now, if you have multiple domains in your forest, you need to use universal groups...period.

I need a nap.

-Jason

Update: Nap music added to this post. :D

