Configuring AD RMS and Exchange 2010 SP1 Beta

With the release of Exchange 2010 SP1 Beta, I was eager to find out what has changed in the integration between Exchange 2010 and Active Directory Rights Management Server.

As stated on The Microsoft Exchange Team Blog, in their “Yes Virginia, there is an Exchange Server 2010 SP1” blog post, there are at least two new IRM-related features:

  • Web-Ready Document Viewing of IRM-protected documents
  • smoother IRM support in EAS, enabling you to send and receive IRM-protected mail without having previously connected your device to Windows Mobile Device Center to provision IRM

So, time to configure an Exchange 2010 SP1 Beta (single forest) environment for IRM :-)

Step 1. Deploy IRM

I’ve chosen to deploy the Rights Management Server role on a Windows 2008 R2 member server in my environment.


Step 2. Configure Exchange 2010 SP1 Beta

After deploying the RMS role, nothing will work until you configure Exchange. A very useful Exchange Management Shell cmdlet for testing your progress is Test-IRMConfiguration! Before doing any configuration, this is the output:


As can be seen in the output, Exchange is able to use the Service Connection Point to retrieve the URL it has to use to connect to the RMS server, but it is unable to acquire a server box RAC (Rights Account Certificate); the request fails with an error status of 401: Unauthorized.

Step 2.1  Grant the necessary permissions on the certification pipeline

As described here:

By default, only the local system account has permission to access the Active Directory Rights Management Services (AD RMS) server certification pipeline (ServerCertification.asmx). IRM features in Exchange 2010 require that Exchange servers and the AD RMS Services Group be granted permissions to read and execute this file on all servers in the AD RMS cluster





Check the result by running Test-IRMConfiguration again :-)


The overall result is now PASS, with warnings on disabled features.

Looking at the error message, it is clear what needs to be done, namely “Please make sure that the account “FederatedEmail….” representing Exchange Servers Group is granted Super User privileges on the Active Directory Rights Management Services server”

Looking at the same URL provided above, it is defined as the third step to configure Exchange 2010 and RTM:

Give Exchange servers the ability to decrypt protected messages and attachments by configuring the AD RMS super users group. The AD RMS super user group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it. To configure the super users group for Exchange 2010, you add the Federated Delivery Mailbox user account to a group in the same forest as the AD RMS installation and then enable the super users group on the AD RMS cluster.

Step 2.2 Configuration of AD RMS Super Users group

First, let’s create a mail-enabled universal distribution or universal security group, and add the given FederatedEmail* user as a member.



Then, enable the Super Users group feature using the AD RMS management tool:


In the Actions pane, select Enable Super Users….


Then in the Middle Pane, you can select Change super user group…


Browse to find the just-created RMS_Super_Users universal distribution group…


And it’s done :-)



Step 2.3. Enable Internal Licensing

Another step you need to take is to enable Internal Licensing…




Step 2.4. Check if IRM is enabled for the OWA Virtual Directory!
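
The Exchange-side checks from Steps 2.2 to 2.4, written for the Exchange Management Shell as an added example; it is not from the original post. It assumes the group name RMS_Super_Users used in the post, a constructed placeholder sender address, and that Test-IRMConfiguration accepts -Sender as it does in released SP1. The AD RMS console steps and the ServerCertification.asmx permissions are still done as described above.

```powershell
# Added example (Exchange Management Shell), not the author's own commands.
$superUsersGroup = 'RMS_Super_Users'      # group name used in the post
$testSender      = 'user1@example.test'   # constructed placeholder address

# Step 2.3: enable internal licensing only if it is still off.
if (-not (Get-IRMConfiguration).InternalLicensingEnabled) {
    Set-IRMConfiguration -InternalLicensingEnabled $true
}

# Step 2.4: list every OWA virtual directory with its IRM state.
Get-OwaVirtualDirectory | Format-Table Server, Name, IRMEnabled -AutoSize

# Step 2.2 follow-up: members of the super users group can decrypt any
# rights-protected content, so every direct member other than the
# Federated Delivery Mailbox (nested groups included) should be reviewed.
$unexpected = @(Get-DistributionGroupMember -Identity $superUsersGroup |
    Where-Object { $_.Name -notlike 'FederatedEmail*' })

if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} has {1} member(s) besides the Federated Delivery Mailbox:" -f `
        $superUsersGroup, $unexpected.Count)
    $unexpected | Format-Table Name, RecipientType -AutoSize
} else {
    Write-Host "$superUsersGroup contains no unexpected members."
}

# Re-run the self-test. If the Federated Delivery Mailbox is missing from the
# super users group, the message quoted in the post appears in this output.
Test-IRMConfiguration -Sender $testSender | Format-List
```

Running the membership check on a schedule is worthwhile, because anyone added to this group later gains the same decrypt-everything rights as the Exchange servers.
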


Step 3. Check one new feature: Web-Ready Document Viewing of IRM-protected documents

Using OWA I’ll send an email to user1, protect it using the built-in RMS template Do Not Forward, and attach a PowerPoint deck to my mail.




And it works :-) Open as Web Page is available :-)