Microsoft Exchange 2013 and ADRMS Integration

I recently did an Exchange 2013 deployment at one of our customers and also integrated it with AD RMS, so I thought I would outline the high-level integration steps to help others.

1. Verify that the Exchange Servers group in the Microsoft Exchange Security Groups OU contains all of your Exchange servers.

2. Modify the default AD RMS ACL settings to allow Exchange to use the AD RMS information protection capabilities. Perform the following steps on the ADRMS server.

  • Log on as an administrator.
  • From the Start Menu open the Internet Information Services (IIS) Manager.
  • Expand the server’s name, Sites, Default Web Site, and _wmcs. Click Certification.
  • In the third pane, select the Content View option at the bottom of the window.
  • Right click the ServerCertification.asmx file and then select Edit Permissions…
  • In the ServerCertification.asmx Properties dialog box verify that the Exchange Servers and the AD RMS Service group (which is a local group on ADRMS server) are granted Read & Execute and Read permissions. Click OK and close all open windows.
  • If you made any changes restart the IIS Service using the command iisreset in a command prompt window with elevated privileges.

3. To provide encryption and decryption capabilities to Exchange 2013, configure the security group to be used for the AD RMS Super Users role.

  • In Server Manager, expand Roles, Active Directory Rights Management Services, the RMS server’s name, and Security Policies. Click Super Users and confirm that the super users functionality is enabled and that the defined adrmssuperuser@saudioger.com group is listed as the Super User group. If not, enable this functionality and assign the corresponding group.
  • Go back to the Active Directory Users and Computers console and navigate to the OU where you created the group to be used as AD RMS Super Users.
  • Locate the AD RMS Super Users group. Double-click the group, click the Members tab and confirm that the FederatedEmail.xyz user (where xyz is a long, GUID-like string) is a member of the group. Click OK. If it is not, you can add the federated mailbox from the Exchange Management Shell by running the following command:
    • Add-DistributionGroupMember ADRMSSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
  • Close all open windows.
  • Close the Server Manager console.

4. Enable Information Rights Management on the Client Access Servers (CAS).

  • Log on to the mail server as an administrator.
  • Open the Exchange Management Shell from the Start Menu, under Microsoft Exchange Server 2013, and run:
    • Set-IRMConfiguration -ClientAccessServerEnabled $true

5. Set the OWA mailbox policy.

  • To check whether IRM is enabled in OWA, type the following command in the Exchange Management Shell:
    • Get-OWAMailboxPolicy
  • Look for the IRMEnabled parameter. If it is not set to True, run the following command:
    • Set-OWAMailboxPolicy -Identity Default -IRMEnabled $true

6. The following commands enable IRM search and internal licensing.

  • To verify that indexing of protected content for search in OWA is enabled, type the following command in the Exchange Management Shell:
    • Get-IRMConfiguration
  • Look for the SearchEnabled parameter. If it is not set to True, run the following command:
    • Set-IRMConfiguration -SearchEnabled $true
  • For this functionality to work, internal licensing must be enabled. Type the following command in the Exchange Management Shell:
    • Get-IRMConfiguration
  • Look for the InternalLicensingEnabled parameter. If it is not set to True, run the following command:
    • Set-IRMConfiguration -InternalLicensingEnabled $true
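Once all of the steps above are done, it is worth checking the resulting state in one pass rather than reading each console by hand. The script below is an added example written for this post; it is not from the original write-up or from Microsoft. It assumes the super users group is the mail-enabled group ADRMSSuperUsers, that the _wmcs site sits at the AD RMS default physical path under inetpub, and it uses user@example.com as a placeholder sender for the end-to-end Test-IRMConfiguration check. Run it from the Exchange Management Shell with the ActiveDirectory RSAT module available; the ACL check only returns a result when run on the AD RMS server itself.

```powershell
# Added verification script (not part of the original post). It checks the state
# that steps 1 to 6 above are meant to produce and reports anything still missing.
#
# Assumptions (adjust for your environment):
#   - the super users group is the mail-enabled group 'ADRMSSuperUsers'
#   - the _wmcs site uses the AD RMS default physical path under inetpub
#   - 'user@example.com' is a placeholder mailbox for the end-to-end test

Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function Test-ExchangeAdrmsIntegration {
    param(
        [string]$SuperUsersGroup = 'ADRMSSuperUsers',
        [string]$ServerCertPath  = "$env:SystemDrive\inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx",
        [string]$TestSender      = 'user@example.com'
    )

    $issues = New-Object System.Collections.Generic.List[string]

    # Step 1: every Exchange server must be in the 'Exchange Servers' security group.
    $members = (Get-ADGroupMember -Identity 'Exchange Servers' -Recursive).Name
    foreach ($srv in (Get-ExchangeServer).Name) {
        if ($members -notcontains $srv) {
            $issues.Add("Exchange server '$srv' is not a member of 'Exchange Servers'.")
        }
    }

    # Step 2: 'Exchange Servers' and the local 'AD RMS Service Group' need
    # Read & Execute on ServerCertification.asmx (inherited entries count too).
    if (Test-Path $ServerCertPath) {
        $acl = Get-Acl -Path $ServerCertPath
        $rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        foreach ($id in 'Exchange Servers', 'AD RMS Service Group') {
            $ok = $acl.Access | Where-Object {
                $_.IdentityReference.Value -like "*\$id" -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $rx) -eq $rx)
            }
            if (-not $ok) { $issues.Add("'$id' lacks Read & Execute on ServerCertification.asmx.") }
        }
    } else {
        Write-Warning "ServerCertification.asmx not found at $ServerCertPath; run the ACL check on the AD RMS server."
    }

    # Step 3: the FederatedEmail arbitration mailbox must be in the super users group.
    $federated = Get-Mailbox -Arbitration | Where-Object { $_.Name -like 'FederatedEmail.*' }
    if (-not $federated) {
        $issues.Add('No FederatedEmail arbitration mailbox was found.')
    } else {
        $suMembers = Get-DistributionGroupMember -Identity $SuperUsersGroup
        if (-not ($suMembers | Where-Object { $_.Name -eq $federated.Name })) {
            $issues.Add("'$($federated.Name)' is not a member of '$SuperUsersGroup'.")
        }
    }

    # Steps 4 and 6: the IRM configuration flags set above.
    $irm = Get-IRMConfiguration
    foreach ($flag in 'ClientAccessServerEnabled', 'SearchEnabled', 'InternalLicensingEnabled') {
        if (-not $irm.$flag) { $issues.Add("Get-IRMConfiguration: $flag is False.") }
    }

    # Step 5: IRM must be enabled on every OWA mailbox policy in use, not only Default.
    foreach ($policy in Get-OwaMailboxPolicy) {
        if (-not $policy.IRMEnabled) { $issues.Add("OWA mailbox policy '$($policy.Name)': IRMEnabled is False.") }
    }

    # End-to-end: Test-IRMConfiguration acquires certificates and a use license
    # for the sender, which exercises the ACL and super users settings together.
    $result = Test-IRMConfiguration -Sender $TestSender
    if ($result.OverallResult -ne 'PASS') {
        $issues.Add("Test-IRMConfiguration for $TestSender did not PASS:`n$($result.Results)")
    }

    return $issues
}

$findings = Test-ExchangeAdrmsIntegration
if ($findings.Count -eq 0) { 'All AD RMS integration checks passed.' } else { $findings }
```

The OWA check deliberately walks every policy rather than only Default, because a mailbox assigned to a custom policy with IRMEnabled left at False will still be unable to open protected mail even though the Default policy looks correct.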
