With the release of Exchange 2010 SP1 Beta, I was eager to find out what has changed in the integration between Exchange 2010 and Active Directory Rights Management Server.
As stated on The Microsoft Exchange Team Blog, in their “Yes Virginia, there is an Exchange Server 2010 SP1” blog post, there are at least two new IRM-related features:
Eager to find out, it was time to configure an Exchange 2010 SP1 Beta (single forest) environment for IRM :-)
I’ve chosen to deploy the Rights Management Server role on a Windows 2008 R2 member server in my environment.
After deploying the RMS role, nothing will work until you configure Exchange. A very useful Exchange Management Shell cmdlet for testing your progress is Test-IRMConfiguration! Before doing any configuration, this is the output:
As can be seen in the output, Exchange is able to retrieve the URL it has to use to connect to the RMS server by using the Service Connection Point, but it is unable to acquire a server box RAC (Rights Account Certificate); the error status is 401: Unauthorized.
As described here: http://technet.microsoft.com/en-us/library/ee849850(WS.10).aspx
By default, only the local system account has permission to access the Active Directory Rights Management Services (AD RMS) server certification pipeline (ServerCertification.asmx). IRM features in Exchange 2010 require that Exchange servers and the AD RMS Services Group be granted permissions to read and execute this file on all servers in the AD RMS cluster.
Check the solution, by running Test-IRMConfiguration again :-)
The Overall Result is now PASS, with warnings about disabled features.
Looking at the error message, it is clear what needs to be done, namely “Please make sure that the account “FederatedEmail….” representing Exchange Servers Group is granted Super User privileges on the Active Directory Rights Management Services server”
Looking at the same URL provided above, this is defined as the third step to configure Exchange 2010 and AD RMS:
Give Exchange servers the ability to decrypt protected messages and attachments by configuring the AD RMS super users group. The AD RMS super user group is a special group that has full control over all rights-protected content managed by the cluster. Its members are granted full owner rights in all use licenses that are issued by the AD RMS cluster on which the super users group is configured. This means that members of this group can decrypt any rights-protected content file and remove rights-protection from it. To configure the super users group for Exchange 2010, you add the Federated Delivery Mailbox user account to a group in the same forest as the AD RMS installation and then enable the super users group on the AD RMS cluster.
First, let’s create a mail-enabled universal distribution or universal security group, and add the given FederatedEmail* user as a member.
Then, enable the Super Users group feature using the AD RMS management tool:
In the Actions pane, select Enable Super Users….
Then in the Middle Pane, you can select Change super user group…
Browse to find the just-created RMS_Super_Users universal distribution group…
And it’s done :-)
THIS MIGHT TAKE ABOUT 24 HOURS BEFORE TAKING EFFECT! (source: http://technet.microsoft.com/en-us/library/cc720274(WS.10).aspx)
Another step you need to take is to enable Internal Licensing…
Using OWA I’ll send an email to user1, protect it using the built-in RMS template Do Not Forward, and attach a PowerPoint deck to my mail.
And it works :-) Open as Web Page is available :-)
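The same steps, scripted, as an added example that is not part of the original post: the pipeline ACL and super users settings run on the AD RMS server, the rest in the Exchange Management Shell. The domain CONTOSO, the cluster URL, the group name and the sender address are placeholders, and the AdRmsAdmin provider paths are assumed from the Windows 2008 R2 AD RMS PowerShell module.

```powershell
# Added example, not the post's own script. Placeholders: CONTOSO, rms.contoso.com,
# RMS_Super_Users, user1@contoso.com. Run each part on the host named in its comment.

# --- Part 1: on every AD RMS server (elevated prompt) ---
# Grant the Exchange Servers group and the AD RMS Service Group read & execute
# on the certification pipeline (default IIS path, adjust if relocated).
$pipeline = 'C:\inetpub\wwwroot\_wmcs\Certification\ServerCertification.asmx'
icacls $pipeline /grant 'CONTOSO\Exchange Servers:(RX)'
icacls $pipeline /grant 'AD RMS Service Group:(RX)'

# --- Part 2: in the Exchange Management Shell ---
# Create the mail-enabled universal distribution group and add only the
# FederatedEmail arbitration mailbox; this account will be able to decrypt
# everything the cluster protects, so membership must stay minimal.
$fed = Get-Mailbox -Arbitration | Where-Object { $_.Name -like 'FederatedEmail*' }
New-DistributionGroup -Name 'RMS_Super_Users' -Type Distribution `
    -PrimarySmtpAddress 'RMS_Super_Users@contoso.com'
Add-DistributionGroupMember -Identity 'RMS_Super_Users' -Member $fed.Identity

# --- Part 3: on the AD RMS server (AdRmsAdmin provider paths assumed) ---
Import-Module AdRmsAdmin
New-PSDrive -Name RMS -PSProvider AdRmsAdmin -Root 'https://rms.contoso.com'
Set-ItemProperty -Path 'RMS:\SecurityPolicy\SuperUser' -Name IsEnabled -Value $true
Set-ItemProperty -Path 'RMS:\SecurityPolicy\SuperUser' -Name SuperUserGroup `
    -Value 'RMS_Super_Users@contoso.com'

# --- Part 4: back in the Exchange Management Shell ---
Set-IRMConfiguration -InternalLicensingEnabled $true

# Periodic check: the super users group should contain nothing but the
# FederatedEmail mailbox; anything else is a finding worth investigating.
function Test-SuperUsersMembership {
    param([string]$Group = 'RMS_Super_Users')
    $members    = Get-DistributionGroupMember -Identity $Group
    $unexpected = @($members | Where-Object { $_.Name -notlike 'FederatedEmail*' })
    if ($unexpected.Count -gt 0) {
        Write-Warning ("Unexpected super user members: " + ($unexpected.Name -join ', '))
    }
    return ($unexpected.Count -eq 0)
}

Test-SuperUsersMembership
Test-IRMConfiguration -Sender 'user1@contoso.com'
```

Remember that the super users change can take up to a day to be picked up, so a Test-IRMConfiguration result that still complains about Super User privileges right after running this is expected.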
Beat me to it, I was actually starting to set up RM two nights ago but got sidetracked; had planned to blog about it, but this was still helpful since I haven't started setting up the Exchange portion.
Very cool to see you got this working! We've added some other fun supportability features in SP1 which will make it easier to diagnose issues. Stay tuned for a blog post on it.
-- Ed Banti
Exchange PM for IRM Integration