Configuring AD RMS to Integrate with Exchange Server 2010 in a Single Forest

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1

In organizations that deploy Microsoft® Exchange Server 2010 and Active Directory Rights Management Services (AD RMS) in a single Active Directory Domain Services forest, configuring AD RMS to integrate with Exchange 2010 is relatively straightforward. This process consists of the following tasks:

  • Ensure that a service connection point (SCP) for the AD RMS cluster is registered in AD DS. The SCP publishes the AD RMS cluster's certification URL in AD DS so that AD RMS-enabled clients can locate the service. Because Exchange 2010 depends on the SCP to locate the AD RMS cluster, you must register the AD RMS SCP even if your AD RMS clients use registry overrides to locate the AD RMS cluster.

  • Give Exchange servers the ability to access AD RMS by setting appropriate permissions on the AD RMS server certification pipeline. In a default AD RMS installation, the discretionary access control list (DACL) of the AD RMS server certification pipeline is restricted, which means an application that is not running under a domain user’s credentials cannot obtain certificates and licenses for its users. By granting the Exchange Servers group appropriate permissions to access the server certification pipeline, you can enable Exchange 2010 to participate in your AD RMS system.

  • Give Exchange servers the ability to decrypt protected messages and attachments by configuring the AD RMS super users group. The AD RMS super users group is a special group whose members have full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured, which means that they can decrypt any rights-protected content. Exchange requires super-user rights to decrypt messages for information rights management (IRM) in Outlook Web App (OWA), transport decryption, and journal decryption. To configure the super users group for Exchange 2010, you add the Federated Delivery Mailbox user account to a mail-enabled group in the same forest as the AD RMS installation (AD RMS designates the super users group by its e-mail address), and then enable that group as the super users group on the AD RMS cluster.
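The following script is an added example that walks through all three tasks above with a verification step for each; it is not part of the original page and not Microsoft's own procedure text. It assumes an AD RMS cluster at https://rms.contoso.com, a super users group named ADRMSSuperUsers with the address ADRMSSuperUsers@contoso.com, a test sender alice@contoso.com, that the AD RMS servers are in the same domain as the Exchange Servers group, and that the AD RMS Web site uses the default inetpub\wwwroot root. The AdRmsAdmin PowerShell provider used for task 3 ships with Windows Server 2008 R2; on Windows Server 2008 the same setting is made in the AD RMS console.

```powershell
# Added example (not from the original page). Each section notes the host it runs on.
# Placeholders (assumptions): rms.contoso.com, ADRMSSuperUsers[@contoso.com], alice@contoso.com.

# --- Task 1: confirm the AD RMS SCP is registered (run on any domain-joined host) ---
# The SCP is stored in the Configuration naming context under
# CN=SCP,CN=RightsManagementServices,CN=Services; serviceBindingInformation
# holds the certification URL that Exchange and AD RMS clients use to find the cluster.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$scpPath  = "LDAP://CN=SCP,CN=RightsManagementServices,CN=Services,$configNC"
if ([ADSI]::Exists($scpPath)) {
    $scp = [ADSI]$scpPath
    "AD RMS SCP found: $($scp.serviceBindingInformation)"
} else {
    # Exchange cannot fall back to a registry override, so stop here until the SCP is registered
    # (AD RMS console: cluster Properties > SCP tab).
    throw "No AD RMS SCP at $scpPath. Register the SCP before continuing."
}

# --- Task 2: open the server certification pipeline (run on EACH AD RMS server) ---
# Exchange runs as the computer account, not a domain user, so it needs explicit
# Read & Execute on ServerCertification.asmx. The local 'AD RMS Service Group'
# must keep access as well.
$pipeline = Join-Path $env:SystemDrive 'inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
$acl = Get-Acl -Path $pipeline
foreach ($principal in @("$env:USERDOMAIN\Exchange Servers", "$env:COMPUTERNAME\AD RMS Service Group")) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $pipeline -AclObject $acl
# Verify: the Exchange Servers group should now show ReadAndExecute / Allow.
(Get-Acl -Path $pipeline).Access |
    Where-Object { $_.IdentityReference -like '*Exchange Servers' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# --- Task 3a: build the super users group (run in the Exchange Management Shell) ---
# AD RMS identifies the super users group by e-mail address, so it must be mail-enabled.
# The member is the Federated Delivery Mailbox, an arbitration mailbox with the fixed
# name below; confirm it with Get-Mailbox -Arbitration.
$superUsers = 'ADRMSSuperUsers'
New-DistributionGroup -Name $superUsers -Alias $superUsers -Type Distribution
Add-DistributionGroupMember -Identity $superUsers -Member 'FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042'
Get-DistributionGroupMember -Identity $superUsers | Select-Object Name, RecipientTypeDetails

# --- Task 3b: enable the group as super users on the cluster (run on an AD RMS server, 2008 R2) ---
Import-Module AdRmsAdmin
New-PSDrive -Name RC -PSProvider AdRmsAdmin -Root https://rms.contoso.com | Out-Null
Set-ItemProperty -Path RC:\SecurityPolicy\SuperUser -Name SuperUserGroup -Value 'ADRMSSuperUsers@contoso.com'
Set-ItemProperty -Path RC:\SecurityPolicy\SuperUser -Name IsEnabled -Value $true
Get-ItemProperty -Path RC:\SecurityPolicy\SuperUser   # expect IsEnabled True and the group address

# --- Finally: turn on internal licensing and test end to end (Exchange Management Shell) ---
Set-IRMConfiguration -InternalLicensingEnabled $true
Test-IRMConfiguration -Sender alice@contoso.com
```

Test-IRMConfiguration exercises SCP discovery, certification through the pipeline, and the super-user decryption path together, so a failure there points back to whichever of the three tasks was skipped. Because every member of the super users group can decrypt all content the cluster protects, keep its membership to the Federated Delivery Mailbox, restrict who may change that membership, and audit changes to the group.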

This section contains the following procedures for performing these tasks.

  1. Register a Service Connection Point

  2. Set Permissions on the AD RMS Server Certification Pipeline

  3. Configure the AD RMS Super Users Group