Microsoft Exchange 2013 and ADRMS Integration

I recently did an Exchange 2013 deployment for one of our customers and also integrated it with AD RMS, so I thought I would outline the high-level integration steps to assist others.

1. Verify that the Exchange Servers group in the Microsoft Exchange Security Groups OU contains your Exchange servers.

2. Modify the default AD RMS ACL settings to allow Exchange to use the AD RMS information protection capabilities. Perform the following steps on the AD RMS server.

  • Log on as an administrator.
  • From the Start Menu open the Internet Information Services (IIS) Manager.
  • Expand the server’s name, Sites, Default Web Site, and _wmcs. Click Certification.
  • In the third pane, select the Content View option at the bottom of the window.
  • Right click the ServerCertification.asmx file and then select Edit Permissions…
  • In the ServerCertification.asmx Properties dialog box verify that the Exchange Servers and the AD RMS Service group (which is a local group on ADRMS server) are granted Read & Execute and Read permissions. Click OK and close all open windows.
  • If you made any changes restart the IIS Service using the command iisreset in a command prompt window with elevated privileges.

3. To provide encryption and decryption capabilities to Exchange 2013, configure the security group used for the AD RMS Super Users role.

  • In Server Manager, expand Roles, Active Directory Rights Management Services, the RMS server’s name, and Security Policies. Click Super Users and confirm that the super users functionality is enabled and that the defined adrmssuperuser@saudioger.com group is listed as the Super User group. If not, enable this functionality and assign the corresponding group.
  • Go back to the Active Directory Users and Computers console and navigate to the OU where you created the group to be used as AD RMS Super Users.
  • Locate the AD RMS Super Users group. Double-click the group, click the Members tab and confirm that the FederatedEmail.xyz user (where xyz is a long, GUID-like string) is a member of the group. Click OK. If it is not, you can add the federated mailbox through the Exchange Management Shell by running the following command:
    • Add-DistributionGroupMember ADRMSSuperUsers -Member FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
  • Close all open windows.
  • Close the Server Manager console.

4. Enable Information Rights Management on the Client Access Servers (CAS).

  • Log on to the mail server as an Administrator.
  • Open the Exchange Management Shell from the Start Menu, under Microsoft Exchange Server 2013, and run:
    • Set-IRMConfiguration -ClientAccessServerEnabled $true

5. Set the OWA mailbox policy.

  • To enable IRM in OWA, type the following command in the Exchange Management Shell:
    • Get-OWAMailboxPolicy
  • Look for the IRMEnabled parameter. If it is not set to True, run the following command:
    • Set-OWAMailboxPolicy -Identity Default -IRMEnabled $true

6. Enable IRM search and internal licensing.

  • To verify that indexing for search of protected content in OWA is enabled, type the following command in the Exchange Management Shell:
    • Get-IRMConfiguration
  • Look for the SearchEnabled parameter. If it is not set to True, run the following command:
    • Set-IRMConfiguration -SearchEnabled $true
  • For this functionality to work, internal licensing must be enabled. Type the following command in the Exchange Management Shell:
    • Get-IRMConfiguration
  • Look for the InternalLicensingEnabled parameter. If it is not set to True, run the following command:
    • Set-IRMConfiguration -InternalLicensingEnabled $true
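The super users membership, IRM configuration and OWA policy steps above are easy to verify in one pass. The following script is an added example, not code from the original post: it reports which of those settings are still missing and, only with -Remediate, applies them; the group name ADRMSSuperUsers comes from the post, and the sender address is a placeholder you must replace with a real mailbox.

```powershell
# Added example (not from the original post). Run from the Exchange Management Shell.
# Assumptions: super users group is ADRMSSuperUsers (as in the post); $TestSender is a placeholder.
function Test-IrmReadiness {
    param(
        [string]$SuperUsersGroup = 'ADRMSSuperUsers',
        [string]$TestSender      = 'user@contoso.com',   # placeholder, use a real mailbox
        [switch]$Remediate                               # report only unless this is set
    )
    $findings = @()

    # The FederatedEmail arbitration mailbox must be a super user; its use licenses are
    # what let Exchange decrypt protected mail for indexing. Super users can decrypt all
    # protected content in the organization, so keep this group's membership minimal.
    $fed     = Get-Mailbox -Arbitration | Where-Object { $_.Name -like 'FederatedEmail.*' }
    $members = Get-DistributionGroupMember -Identity $SuperUsersGroup
    if (-not ($members | Where-Object { $_.Name -eq $fed.Name })) {
        $findings += "$($fed.Name) is not a member of $SuperUsersGroup"
        if ($Remediate) { Add-DistributionGroupMember -Identity $SuperUsersGroup -Member $fed.Name }
    }

    # Organization-wide IRM switches: CAS (OWA) support, search indexing, internal licensing.
    $irm = Get-IRMConfiguration
    foreach ($setting in 'ClientAccessServerEnabled', 'SearchEnabled', 'InternalLicensingEnabled') {
        if (-not $irm.$setting) {
            $findings += "IRMConfiguration: $setting is False"
            if ($Remediate) { $p = @{ $setting = $true }; Set-IRMConfiguration @p }
        }
    }

    # Every OWA mailbox policy should have IRM enabled, not only Default.
    foreach ($policy in Get-OWAMailboxPolicy) {
        if (-not $policy.IRMEnabled) {
            $findings += "OWAMailboxPolicy '$($policy.Name)': IRMEnabled is False"
            if ($Remediate) { Set-OWAMailboxPolicy -Identity $policy.Identity -IRMEnabled $true }
        }
    }

    # End-to-end: Test-IRMConfiguration obtains certificates and a use license from the
    # AD RMS server, which exercises the ServerCertification.asmx ACL from step 2.
    $test = Test-IRMConfiguration -Sender $TestSender
    if ($test.OverallResult -ne 'PASS') {
        $findings += "Test-IRMConfiguration: $($test.OverallResult)"
        $findings += $test.Results
    }

    if ($findings.Count -eq 0) { 'IRM readiness: all checks passed' } else { $findings }
}

Test-IrmReadiness   # add -Remediate to apply the missing settings
```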
