Monday, June 20, 2011

HOW TO: Configure AD RMS with Exchange; Soup to Nutz

It's been a while since I've posted anything related to Exchange and in the time between exam taking and projects I've been working on trying to get Active Directory Rights Management Services (AD RMS) to work with Exchange 2010.

Some of you may be asking yourself why this is important information or you might even be wondering what AD RMS is all about? Well it wasn't until recently that I became interested in this topic and consequently learned the ins and outs of rights management solutions. The topic came to mind when a colleague at work mentioned someone outside the organization had asked them for one of our internal documents. At first I thought "wow, that's some nerve!". Then I began to think about how an organization might attempt to protect this information from 'leakage'; (not this type of leakage). It wasn't the first time I encountered this type of situation but at the time the world of rights management and information leakage was blurred and convoluted. I can't say a lot has changed on this topic but at least Microsoft has started building native support for IRM/AD RMS into their applications such as Exchange Server 2010 and Office 2010.

Some of the challenges I've seen in the other documentation out there seem to exclude the configuration steps necessary to provide an end to end solution with respect to certificate auto-enrollment or AD RMS template configuration. So I'll try...

First off, you want to build up a VM just for the purpose of configuring AD RMS. You can collocate this role on another DC or server but just to make things 'cleaner' I chose to do it this way. In a production environment you may want to do the same.

Next, you'll configure Exchange, then your certificate infrastructure. Finally, we'll finish up with TMG publishing of the AD RMS infrastructure so everything works for your Internet facing employees and customers.

Step 1: Deploy AD RMS
  • Using the Add Roles Wizard in Server Manager, add the Active Directory Rights Management Services role to your new VM.
  • Select just the Active Directory Rights Management Server service and leave OFF the Identity Federation Support option.
  • Accept the default to create a new AD RMS cluster.
  • Choose to use an Internal Database.
  • Create a Domain User account and assign it to AD RMS (i used "adrmsuser").
  • Set the AD RMS Key storage location to be centrally managed.
  • Set the AD RMS Cluster Key Password.
  • Configure AD RMS to use an HTTPS connection by typing in the URL (i.e.
  • Choose to use an existing SSL certificate if you have one already. If not, get one!
  • Accept all remaining defaults.
At this point AD RMS will be installed into your Active Directory domain and a Service Connection Point (SCP) will be created. Exchange 2010 will use this SCP to discover the AD RMS cluster in the environment so the actual amount of configuration necessary is very little.

Step 2: Permit Exchange 2010 access to AD RMS
  • From your AD RMS server, navigate to %systemdrive%\Inetpub\wwwroot\_wmcs\Certification.
  • Right-click the ServerCertification.asmx file and click Properties.
  • Click the Security tab.
  • Click the Edit button.
  • In the Select User, Computer, Service Account, or Group dialog box, click Object Types, select Computers and click OK.
  • Type the names of the Exchange 2010 servers in your environment and click OK.
  • Grant Read & execute and the Read check boxes and click OK.
NOTE: Also check to make sure the local group on your AD RMS server called AD RMS Service Group exists here with the same permissions as outlined above.

Step 3: Configure AD RMS Super Users Group
  • Create a Universal Group (Distribution Group) in AD with a name like "ADRMS-SU" then mail enable it (i.e.
  • Log onto your AD RMS server and open the Active Directory Rights Management Services console.
  • Expand Security Policies then click Super Users.
  • Click Enable Super Users.
  • In the results pane, click Change Super User Group to open the Super Users property sheet.
  • In the Super User group box, type the e-mail address of the designated super users group (, or click Browse to navigate through the defined users and groups in the directory then click OK.
Step 4: Configure Exchange 2010
  • Open an Exchange Management Shell window.
  • Type Set-IRMConfiguration -InternalLicensingEnabled:$True
Step 5: Configure automatic AD RMS Client certificate distribution
  • Run this command: schtasks /Change /TN "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)" /ENABLE
NOTE: This will enable automatic checking of templates at logon and at 3:00AM each day. To deploy this to all PC's in a domain, consider creating a GPO with a Startup script to run it (due to UAC in Vista and Windows 7, you may not be able to deploy a GPO with a Logon script).
  • IMPORTANT: You must add the following registry entry to the local system (can also be done via GPO) so that the IRM-enabled clients can find the template files.
    • HKCU\Software\Microsoft\Office\14.0\Common\DRM
      • Name: AdminTemplatePath
      • Type: REG_EXPAND_SZ
      • Data: %LocalAppData%\Microsoft\DRM\Templates
If you encounter a situation where the Outlook client can't find the templates, you will only see the default "Do Not Forward" template when you select one from the Permissions button on the ribbon. My suggestion here would be to create a GPO using the 2008 user preferences functionality. Create as many entries as you require to target certain operating systems and versions of Office. For example, you may want to create a single GPO where you populate the registry with values for both Office 2007 and 2010 (just in case). This makes it easier to maintain one GPO than separate ones....or simply use the Item Level Targeting feature of the GPO to determine when and where to apply it.

Step 6: Configure User Certificate Template
  • Log into your Certificate Services server.
  • Open the Certification Authority MMC.
  • Expand the server name in the console, right-click on Certificate Templates and choose Manage.
  • Right-click on the User template and choose Windows 2003 Server, Enterprise Edition.
  • Give the template a name such as "User Template Auto Enrollment".
  • Set the validity period to something acceptable.
  • Click the Request Handling tab and turn off Allow private key to be exported.
  • Click the Security tab and make sure Authenticated Users and Domain Users have Read, Enroll and Autoenroll enabled.
Step 7: Configure Auto Enrollment
  • Log into your server used to manage GPO's.
  • Create a new GPO and link it to an OU or to the Domain.
  • Create a User Configuration setting under Policies\Windows Settings\Security Settings\Public Key Policies.
  • Double-click the Certificate Services Client - Auto - Enrollment object.
  • Set the Configuration Model to Enabled.
  • Turn on Renew expired certificates, update pending certificates, and remove revoked certificates.
  • Turn on Update certificates that use certificate templates.
  • Turn on Expiration Notification then click OK.
  • Close your GPO editor.
At this point your users should automatically enroll their User certificate at logon to any machine matching the GPO you've created in step 6 above. Validate this by logging out and back in, then opening the certmgr.msc file and checking your Personal store.

Step 8: Define your external URL for AD RMS
  • Log into your AD RMS server.
  • Log onto your AD RMS server and open the Active Directory Rights Management Services console.
  • Click on the server name and choose Properties.
  • Click the Cluster URL's tab.
  • Turn on your Extranet URL's and specify an external DNS name (i.e. then click OK.
Step 9: Configure Microsoft Threat Management Gateway to access AD RMS

NOTE: Due to issues with my TMG environment I haven't been able to publish the rest of this article. I'll be back soon to finish it but for now we'll have to wait.

    1 comment:

    1. Hi,
      Did you manage to get the rest of this article written? :-)