Configuring AD RMS and Exchange 2010 Sp1 Beta

Article
07/09/2010

With the release of Exchange 2010 Sp1 Beta, I was eager to find out what has changed when it boils down to the integration between Exchange 2010 and Active Directory Rights Management Server.

As stated on The Microsoft Exchange Team Blog, in their “Yes Virginia, there is an Exchange Server 2010 SP1” blog post, there are at least two new IRM-related features:

Web-Ready Document Viewing of IRM-protected documents
smoother IRM support in EAS, enabling you to send and receive IRM-protected mail without having previously connected your device to Windows Mobile Device Center to provision IRM

Eager to find out, time to configure an Exchange 2010 Sp1 Beta (Single Forest) environment for IRM :-)

Step 1. Deploy IRM

I’ve chosen to deploy the Rights Management Server role on a Windows 2008 R2 member server in my environment.

Step 2. Configure Exchange 2010 Sp1 Beta

After deploying the RMS role, nothing will work, until you configure Exchange. A very useful Exchange Management Shell cmdlet that is available for you to test your progress is Test-IRMConfiguration! Before doing any configuration this is the output:

As can be seen in the output, Exchange is able to retrieve by using the Service Connection Point, the URL it has to use to connect to the RMS server…

but that Exchange is unable to acquire a server box RAC (Rights Account Certificate), with an error status of 401: Unauthorized.

Step 2.1 Grant the necessary permissions on the certification pipeline

As described here: http://technet.microsoft.com/en-us/library/ee849850(WS.10).aspx

By default, only the local system account has permission to access the Active Directory Rights Management Services (AD RMS) server certification pipeline (ServerCertification.asmx). IRM features in Exchange 2010 require that Exchange servers and the AD RMS Services Group be granted permissions to read and execute this file on all servers in the AD RMS cluster

Check the solution, by running Test-IRMConfiguration again :-)

Overall Result now is = PASS with warnings on disabled features.

Looking at the error message, it is clear what needs to be done, namely “Please make sure that the account “FederatedEmail….” representing Exchange Servers Group is granted Super User privileges on the Active Directory Rights Management Services server”

Looking at the same URL provided above, it is defined as the third step to configure Exchange 2010 and RTM:

Give Exchange servers the ability to decrypt protected messages and attachments by configuring the AD RMS super users group. The AD RMS super user group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it. To configure the super users group for Exchange 2010, you add the Federated Delivery Mailbox user account to a group in the same forest as the AD RMS installation and then enable the super users group on the AD RMS cluster.