Microsoft Exchange 2013 and ADRMS Integration

I recently did an Exchange 2013 deployment at one of our customers and also integrated it with ADRMS, so I thought I would outline the high-level integration steps to assist others.

1. Verify that the Exchange Servers group in the Microsoft Exchange Security Groups OU contains your Exchange servers.

2. Modify the default AD RMS ACL settings to allow Exchange to use the AD RMS information protection capabilities. Perform the following steps on the ADRMS server.

  • Log on as an administrator.
  • From the Start Menu open the Internet Information Services (IIS) Manager.
  • Expand the server’s name, Sites, Default Web Site, and _wmcs. Click Certification.
  • In the third pane, select the Content View option located in the very bottom of the window.
  • Right click the ServerCertification.asmx file and then select Edit Permissions…
  • In the ServerCertification.asmx Properties dialog box, verify that the Exchange Servers group and the AD RMS Service group (which is a local group on the ADRMS server) are granted Read & Execute and Read permissions. Click OK and close all open windows.
  • If you made any changes, restart the IIS service by running iisreset in a command prompt window with elevated privileges.

2. In order to provide encryption and decryption capabilities to Exchange 2013, you will need to configure the Security group to be used for the Super Users role in Exchange.

  • In Server Manager, expand Roles, Active Directory Rights Management Services, the RMS server’s name, and Security Policies. Click Super Users and confirm that the super users functionality is enabled and that the defined group is listed as the Super User group. If not, enable this functionality and assign the corresponding group.
  • Go back to the Active Directory Users and Computers console and navigate to the OU where you created the group to be used as AD RMS SuperUsers.
  • Locate the AD RMS Super Users group. Double-click the group, click the Members tab and confirm that the FederatedEmail.xyz user (where xyz is a long, GUID-like string) is a member of the group. Click OK. If it is not, you can add the Federated mailbox through the Exchange Management Shell by running the following command:
    • Add-DistributionGroupMember ADRMSSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
  • Close all open windows.
  • Close the Server Manager console.

3. Enable Information Rights Management on the Client Access Servers (CAS)

  • Log on to the mail server as an Administrator.
  • Open the Exchange Management Shell from the Start Menu, under Microsoft Exchange Server 2013, and run the following command:
    • Set-IRMConfiguration -ClientAccessServerEnabled $true

4. Set OWA Mailbox Policy

  • To check whether IRM is enabled in OWA, type the following command in the Exchange Management Shell:
    • Get-OWAMailboxPolicy
  • Look for the IRMEnabled parameter. If it is not set to True, run the following command:
    • Set-OWAMailboxPolicy -Identity Default -IRMEnabled $true

5. Enable IRM search and internal licensing.

  • To verify whether indexing for search of protected content in OWA is enabled, type the following command in the Exchange Management Shell:
    • Get-IRMConfiguration
  • Look for the SearchEnabled parameter. If it is not set to True, run the following command:
    • Set-IRMConfiguration -SearchEnabled $true
  • For this functionality to work, Internal Licensing must be enabled. Type the following command in the Exchange Management Shell:
    • Get-IRMConfiguration
  • Look for the InternalLicensingEnabled parameter. If it is not set to True, run the following command:
    • Set-IRMConfiguration -InternalLicensingEnabled $true
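
The Exchange-side checks from the steps above can be combined into one check-and-fix pass in the Exchange Management Shell. This is an added example, not part of the original post. The group name and the Default policy are taken from the commands above, while the sender address is a placeholder and Test-IRMConfiguration is a verification step the post does not cover.

```powershell
# Added example: check-and-fix pass for the Exchange-side IRM settings.
# Run in the Exchange Management Shell with organization management rights.
$SuperUsersGroup = 'ADRMSSuperUsers'      # group name used in the command above
$TestSender      = 'user@example.com'     # placeholder: use a real mailbox in your org

# 1. Super Users group: its members can decrypt all AD RMS protected content,
#    so review anything other than the Exchange federated mailbox.
$members   = @(Get-DistributionGroupMember -Identity $SuperUsersGroup)
$federated = @($members | Where-Object { $_.Name -like 'FederatedEmail.*' })
if ($federated.Count -eq 0) {
    Write-Warning "Federated mailbox is not a member of $SuperUsersGroup"
}
foreach ($m in ($members | Where-Object { $_.Name -notlike 'FederatedEmail.*' })) {
    Write-Warning "Review Super Users member: $($m.Name)"
}

# 2. Organization-wide IRM switches: set only the ones that are not already True.
$irm     = Get-IRMConfiguration
$wanted  = 'ClientAccessServerEnabled', 'SearchEnabled', 'InternalLicensingEnabled'
$changes = @{}
foreach ($name in $wanted) {
    if (-not $irm.$name) { $changes[$name] = $true }
}
if ($changes.Count -gt 0) {
    Write-Host "Enabling: $($changes.Keys -join ', ')"
    Set-IRMConfiguration @changes       # splat only the missing switches
}

# 3. OWA: the Default mailbox policy must have IRM enabled.
$policy = Get-OwaMailboxPolicy -Identity Default
if (-not $policy.IRMEnabled) {
    Write-Host "Enabling IRM on OWA mailbox policy 'Default'"
    Set-OwaMailboxPolicy -Identity Default -IRMEnabled $true
}

# 4. Show the resulting state, then run the built-in end-to-end test
#    (contacts the AD RMS server and acquires certificates and templates).
Get-IRMConfiguration |
    Format-List ClientAccessServerEnabled, SearchEnabled, InternalLicensingEnabled
Test-IRMConfiguration -Sender $TestSender
```

The script is safe to re-run: it changes a setting only when the current value is not True, and the group check only reports.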
