Looking for good AD RMS setup guides.

I am currently running AD RMS on a 2008 R2 server on the intranet and am looking to expand it for external access. I started to go over the TechNet articles listed in the search below. Any good suggestions?
ad rms extranet
Asked by yo_bee (Director of Information Technology)


btan (Exec Consultant) commented:
In the external context, I suggest considering these options for external users when you provide Active Directory accounts for them:
- You can deploy separate AD RMS infrastructures for internal and external users and create a trusted user domain relationship between them.

- You can create a single Active Directory forest and AD RMS infrastructure that is available on the Internet and to users in your intranet.

- You can create an AD RMS infrastructure in a separate forest and use AD FS to federate the intranet- and extranet-facing forests.
https://technet.microsoft.com/en-us/library/hh311038(v=ws.10).aspx

The key aspect is actually for external organizations (or users) to be able to access the AD RMS infrastructure from outside your organization's network, that is, as I see it, largely from the Internet (there may be other dedicated isolated segments, but those are still considered "foreign" per se). It may be good to delve further into the recommended architectures:
- Host all of the AD RMS servers (root and licensing-only servers) in a perimeter network and configure them to access the directory services servers, which are hosted in the core network.

- Host an AD RMS licensing-only cluster in a perimeter network and configure it to access the directory services servers and the AD RMS root server, which are hosted in the core network.

- Host AD RMS servers, together with domain controllers to service them, in a perimeter network.

- Host all of the AD RMS servers in the core network and publish them to the Internet through a reverse proxy, by using a product such as Internet Security and Acceleration (ISA) Server.
https://technet.microsoft.com/en-us/library/hh311037(v=ws.10).aspx

Another aspect: in the common RMS use case, each user's email address is the primary means of identification. Hence, it helps to enforce the necessary access to protected content, restricted to certain users, or all users, within the same email domain.

There is also an alternative option whereby the user can use a Windows Live ID (WLID) email address to access protected content. This opens another exploration into setting up a trust with Windows Live ID, to allow an AD RMS user to send rights-protected content to a user with a Windows Live ID, who is still able to consume the protected content.

These are the so-called "complex scenarios" (https://technet.microsoft.com/en-us/library/dd996659(v=ws.10).aspx) that you can look at at a later stage too, after reviewing the infrastructure requirements shared in the above points.

Overall, there is a use case along these lines as well, as add-on info:
Perhaps your organization plans to share protected information in a more casual manner, and you would like to avoid any type of prolonged trust.  This scenario is common in a business to consumer relationship or when you simply want to share a single document with a partner.  You can configure your AD RMS cluster to trust the Windows Live ID service and then partner users can open protected content using WLID credentials.  While partner users will be able to open protected content, they are unable to create protected content that your users will be able to consume.  Furthermore, these users will not be able to open protected content on their Windows Mobile device or access your documents in a protected SharePoint library.  Finally, protection must be applied on an individual basis; WLID accounts cannot be added to an Active Directory group.
http://blogs.technet.com/b/rms/archive/2012/04/29/sharing-protected-documents-when-partners-do-not-have-an-ad-rms-installation.aspx
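Whichever of the architectures above is chosen, the reverse-proxy and licensing-only-cluster options both end at the same concrete step: the cluster must advertise an extranet URL, because a client outside the forest does not find the cluster through the AD service connection point but through the licensing URLs embedded in each document's publishing license. The following is an added example, not part of btan's reply or of any Microsoft documentation. It assumes the AdRmsAdmin PowerShell provider that ships with the AD RMS role on Windows Server 2008 R2, the property names IntranetLicensingUrl, ExtranetLicensingUrl, IntranetCertificationUrl and ExtranetCertificationUrl on the provider root (verify them with Get-ItemProperty on your own cluster before relying on this), and a hypothetical published name rms.contoso.com that the reverse proxy forwards to the cluster's _wmcs virtual directories.

```powershell
# Added example, not from the original thread. Run on a node of the AD RMS
# root cluster as an AD RMS Enterprise Administrator.
# Assumptions (hypothetical): the reverse proxy publishes https://rms.contoso.com
# and forwards /_wmcs/* to the cluster; the certificate it presents carries
# exactly that name, since the RMS client compares the URL literally.

Import-Module AdRmsAdmin
New-PSDrive -Name AdRmsAdmin -PSProvider AdRmsAdmin -Root http://localhost | Out-Null

# 1. What clients currently get written into their publishing licenses.
Get-ItemProperty -Path AdRmsAdmin:\ -Name IntranetLicensingUrl, ExtranetLicensingUrl,
    IntranetCertificationUrl, ExtranetCertificationUrl

# 2. Advertise the extranet URLs. They must be HTTPS; only content protected
#    after this change carries them, existing publishing licenses are unchanged.
$extranetHost = 'https://rms.contoso.com'
Set-ItemProperty -Path AdRmsAdmin:\ -Name ExtranetLicensingUrl     -Value "$extranetHost/_wmcs/licensing"
Set-ItemProperty -Path AdRmsAdmin:\ -Name ExtranetCertificationUrl -Value "$extranetHost/_wmcs/certification"

# 3. From an external vantage point (a host that is NOT on the intranet and
#    cannot resolve the internal name), confirm the proxy really reaches the
#    pipelines. Any HTTP status coming back (200, 401, 403) proves that TLS and
#    the publishing rule work; a WebException with no response object means the
#    proxy rule, DNS or certificate is wrong and external users will fail to
#    acquire licenses.
function Test-RmsPipeline {
    param([string]$Url)
    try {
        $req  = [System.Net.WebRequest]::Create($Url)
        $req.Method = 'GET'
        $resp = $req.GetResponse()
        "{0} -> HTTP {1}" -f $Url, [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            "{0} -> HTTP {1}" -f $Url, [int]$_.Exception.Response.StatusCode
        } else {
            "{0} -> no response: {1}" -f $Url, $_.Exception.Message
        }
    }
}

Test-RmsPipeline "$extranetHost/_wmcs/licensing/license.asmx"
Test-RmsPipeline "$extranetHost/_wmcs/certification/certification.asmx"
```

Two caveats the architectures above imply. If you choose the licensing-only cluster in the perimeter network, the extranet licensing URL points at that cluster, while certification still has to reach the root cluster, so either publish both or keep the licensing-only cluster the only externally reachable one. And because the URLs are copied into every publishing license at protection time, pick the published name once and treat it as permanent; renaming it later leaves already-protected documents pointing at a name that no longer exists.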

yo_bee (Director of Information Technology, author) commented:
Thank you for putting in the effort and time to search, compose and post the reply.
I think the last link is what I need.