Exchange Geek's Weblog

I'm a Geek!

Archive for July, 2010

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 3

Posted by Milind Naphade on 15/07/2010

In the last two posts of this series I covered the basic configuration needed on the AD RMS cluster and on the Exchange 2010 server. In this post I will show how to test the configured features using an application that has an RMS client.

So, to test the configuration we need at least one client computer with Microsoft Office installed. I have used Microsoft Office 2010 RTM on a Windows 7 Ultimate computer for demonstration purposes. As we are discussing IRM in terms of its use with Exchange, I have limited the scope of the client to Outlook 2010 only.

24. Log on to the computer with a user account that has a valid mailbox and launch Outlook. Create a new message. On the new message window select the Options tab, click the drop-down menu on the Permissions button and select Manage Credentials, as shown in the picture below.


25. Select the Use a Microsoft Windows account option in the Select Service dialog box and click OK.


26. After you select that option, the built-in RMS client in Outlook retrieves the SCP from Active Directory and discovers the server name of your AD RMS cluster. You must provide your credentials in order to access your rights.


27. Select your user name from the list that appears after you provide the credentials. If you have been given more than one set of credentials, you can manage them from this dialog. Click OK. Now your client knows where to look for the rights you have been assigned in the AD RMS database.


28. Now it is time to send protected content in the form of an email. Again, follow step 24 and select Do Not Forward from the drop-down before you click Send. The moment you select Do Not Forward, Outlook shows a message in the window letting the user know that recipients of this email will not be able to forward it.


29. Let's see how it looks on the recipient's end. Again, the recipient is also notified about the restriction on the content.


30. When the recipient opens this message, the email options for forwarding are disabled automatically.


31. Recipients can also view the permissions they have on a restricted email by clicking the information bar highlighted in step 29.


If you look at the last figure closely, the recipient still has permissions such as saving the file and editing the file. In some cases even these additional permissions may be dangerous. In the next post I will show how to configure additional templates and assign them to specific groups of people so that these permissions can be applied correctly.

Related Posts:

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 1

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 2

Posted in Active Directory, Exchange 2010 | 1 Comment »

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 2

Posted by Milind Naphade on 12/07/2010

In the previous part of this series I showed the steps for installing AD RMS on a Windows Server 2008 R2 system. In this part I will show how to configure AD RMS so that it can be used with Exchange 2010 to secure emails.

14. After you have logged off and logged back on to the AD RMS system, open the Active Directory Rights Management Services console, either from Server Manager or from Administrative Tools. Below is the first screen you get after launching the AD RMS management snap-in. The results pane shows the general settings used during the installation.


15. You can also change the registered SCP by right-clicking the server name and selecting Properties. On the Properties page select the SCP tab. You can use the same page to remove the SCP.


16. When AD RMS is installed, only the SYSTEM account gets Full Control on the ServerCertification.asmx page.


17. For Exchange 2010 to read data from the certification URL, it needs at least Read permissions. To set permissions on the certification URL, browse to C:\inetpub\wwwroot\_wmcs\certification, right-click the file ServerCertification.asmx, select the Security tab, click the Edit button and then add the Read and Read & Execute permissions for the RMS service account and the Exchange Servers group, as shown below. Read more about this here
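A way to confirm this step from PowerShell instead of the Security tab, added here as an example (it is not part of the original post): it reads the ACL on ServerCertification.asmx and checks that the two principals hold Read and Read & Execute, then lists who has Full Control. The domain name CONTOSO and the account names are assumptions; substitute your own.

```powershell
# Added example, not from the original post. Run on the AD RMS server in an
# elevated PowerShell session. Checks that the principals granted in step 17
# actually hold Read and Read & Execute on the certification page.
# Assumed names: CONTOSO\RMSSvc (service account) and CONTOSO\Exchange Servers
# (the Exchange Servers group); the file path is the one named in the post.
$asmx = 'C:\inetpub\wwwroot\_wmcs\certification\ServerCertification.asmx'
$principals = @('CONTOSO\RMSSvc', 'CONTOSO\Exchange Servers')

# Read & Execute already includes Read, so this is the mask step 17 grants.
$needed = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$acl = Get-Acl -Path $asmx
foreach ($p in $principals) {
    # Collect every Allow entry for this identity (explicit or inherited).
    $allow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $p -and
        $_.AccessControlType -eq 'Allow'
    }
    # Combine the granted rights and test that every needed bit is present.
    $granted = 0
    foreach ($ace in $allow) { $granted = $granted -bor [int]$ace.FileSystemRights }
    if (($granted -band $needed) -eq $needed) {
        Write-Host "OK      $p has Read and Read & Execute on ServerCertification.asmx"
    } else {
        Write-Warning "MISSING $p does not have Read and Read & Execute on $asmx"
    }
}

# Step 16 says only SYSTEM has Full Control by default; list who else does,
# since anything beyond Read & Execute for the accounts above is unnecessary.
$acl.Access | Where-Object { $_.FileSystemRights -eq 'FullControl' } |
    Select-Object IdentityReference, AccessControlType, IsInherited |
    Format-Table -AutoSize
```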


18. The next step is to enable Super Users on the AD RMS cluster. To do so, click Enable Super Users in the Actions pane of the AD RMS management snap-in.


19. Click the Browse button and specify the name of the group that we created during the prerequisite preparation. This may take up to 24 hours to take effect. Read more at


20. Next, test the IRM configuration on the Exchange 2010 server. To test the configuration, open the EMS and run the cmdlet Test-IRMConfiguration -Sender "email address of a valid mailbox". If you look at the screen capture below closely, you will notice that the text marked in yellow shows a warning and a failure, but this is fine unless you have a federated infrastructure. To resolve this problem, the FederatedEmailxxxxxxxxxxxxxxxx account must be added as a member of the Super User group that we configured in the previous step.


21. Next, enable internal licensing on Exchange 2010. You can use the Set-IRMConfiguration -InternalLicensingEnabled:$True cmdlet to do so. The InternalLicensingEnabled parameter specifies whether IRM features are enabled for messages sent to internal recipients. In on-premises deployments, licensing is disabled for internal messages by default. To enable licensing, set the value to $true. Read more here


22. If you are using Exchange 2010 journaling in your organization, you must also enable journal report decryption using Set-IRMConfiguration -JournalReportDecryptionEnabled:$True. The result should appear as below:


23. Exchange 2010 OWA can also use IRM to protect emails and their attachments. Make sure that OWA is correctly configured to use IRM by running the Get-OWAVirtualDirectory | FL *RM* cmdlet.
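The checks from steps 20 to 23 collected into one Exchange Management Shell script, added here as an example (not from the original post). The sender address is an assumption, and the property names (InternalLicensingEnabled, JournalReportDecryptionEnabled, IRMEnabled, OverallResult, Results) are the Exchange 2010 ones as I know them, so compare against Get-IRMConfiguration | FL if a check reports something odd.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on an Exchange 2010 server after steps 20-23 to confirm each setting.
# Assumption: user@contoso.com is a valid internal mailbox.
$sender = 'user@contoso.com'

function Report([string]$label, [bool]$ok) {
    if ($ok) { Write-Host    ("OK      " + $label) }
    else     { Write-Warning ("NOT SET " + $label) }
}

# Steps 21 and 22: organization-wide IRM settings.
$irm = Get-IRMConfiguration
Report 'InternalLicensingEnabled (step 21)'       $irm.InternalLicensingEnabled
Report 'JournalReportDecryptionEnabled (step 22)' $irm.JournalReportDecryptionEnabled

# Step 23: IRM must be enabled on every OWA virtual directory, not just one CAS.
foreach ($vd in Get-OwaVirtualDirectory) {
    Report ("IRMEnabled on OWA virtual directory " + $vd.Identity) $vd.IRMEnabled
}

# Step 20: end-to-end test against the AD RMS cluster. As the post notes, the
# federation-related line fails without a federated infrastructure; the other
# checks are expected to pass, so read the individual results, not only the total.
$t = Test-IRMConfiguration -Sender $sender
Write-Host ("Test-IRMConfiguration overall result: " + $t.OverallResult)
$t.Results
```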


For more information on the parameters you can configure with the Set-IRMConfiguration cmdlet, you can read at

In the next part of this series I will describe the ways to use IRM on the client side, and a little about client considerations.

Posted in Active Directory, Exchange 2010 | 3 Comments »

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 1

Posted by Milind Naphade on 11/07/2010

Information theft and leakage is a major concern for every organization. Information leakage in one form or another can happen despite many precautions, and humans are the weakest link when it comes to it. Organizations always try to protect their sensitive information from being leaked by any means, yet sensitive information is passed into the wrong hands through many media. For most information theft and leakage cases, email has become the major medium. Because of the huge traffic flowing in and out, it becomes really hard for administrators and security teams to manage this security hole.

The worry about information theft and leakage to unauthorized parties gave birth to the concept of Information Rights Management, well known as IRM. Microsoft first launched a product named Rights Management Server to help its customers protect and secure their sensitive data. Because of its easy configuration and administration it has become a popular solution for many companies. Later, with the launch of Windows Server 2008, the product was built into the operating system and renamed Active Directory Rights Management Services. AD RMS on Windows Server 2008 SP2 or Windows Server 2008 R2 can be used to reduce the risk of information leakage significantly, and it has proven both usable and reliable. As you may know, RMS (the legacy version of AD RMS) could be used with Outlook to protect Office documents and email messages created using Microsoft Office, but with very limited support and integration on the email server side (Exchange Server).

Exchange 2010 extends the use of AD RMS with better features and manageability. With the IRM features in Exchange 2010, your organization and users can control the rights recipients have for e-mail messages. IRM also helps allow or restrict recipient actions such as forwarding a message to other recipients, printing a message or attachment, or extracting message or attachment content by copying and pasting. IRM protection can be applied by users in Microsoft Outlook or Outlook Web App, or it can be based on your organization's messaging policies and applied by using transport protection rules or Outlook protection rules. Unlike other e-mail encryption solutions, IRM also allows your organization to decrypt protected content to enforce policy compliance.

In short, IRM can help you:

  • Prevent an authorized recipient of IRM-protected content from forwarding, modifying, printing, faxing, saving, or cutting and pasting the content.
  • Protect supported attachment file formats with the same level of protection as the message.
  • Support expiration of IRM-protected messages and attachments so they can no longer be viewed after the specified period.
  • Prevent IRM-protected content from being copied by using the Snipping Tool in Windows.

In this post I will show how to install AD RMS on a Windows Server 2008 R2 system and configure it to be usable by Exchange 2010. Yet, if you are planning to implement AD RMS for your organization in order to integrate it with your Exchange 2010 deployment, you must know some facts about AD RMS, or any IRM solution.

IRM fails to protect you from:

  • Third-party screen capture programs
  • Use of imaging devices such as cameras to photograph IRM-protected content displayed on the screen
  • Users remembering or manually transcribing the information

And, to add to the limitations, here is what AD RMS with Exchange Server 2010 supports, by scenario (scenario: IRM protection supported?):

  • Messages sent to mailbox users within your Exchange organization: Yes.
  • Messages sent to distribution groups within your organization: Yes. If the distribution group includes recipients outside your Exchange organization, see "Messages sent to recipients outside your organization".
  • Messages sent between on-premises and Exchange Online recipients in a cross-premises deployment: Yes. Recipients with mailboxes located on an on-premises Exchange 2010 SP1 server can send and receive IRM-protected messages to and from recipients within their organization whose mailboxes are located in Exchange Online.
  • Messages sent to recipients outside your organization: No. Exchange 2010 doesn't include a solution for sending IRM-protected messages to external recipients. AD RMS offers solutions by using trust policies. You can configure a trust policy between your AD RMS cluster and Windows Live ID. For messages sent between two organizations, you can create a federated trust between the two Active Directory forests by using Active Directory Federation Services (AD FS). To learn more you can read at
  • Messages sent to distribution groups or distribution lists external to your Exchange organization: No. External distribution list or distribution group expansion doesn't occur within your Exchange organization. IRM-protected messages sent to external distribution groups contain a license for the group, but not for group members. Group members will be unable to access the message.

For detailed information on IRM and Exchange 2010 read here; the table above comes from the same document.

Okay, it looks like we are good to go with the installation if you have prepared yourself to accept the benefits and limitations of IRM. I am demonstrating a configuration from my lab setup. The table below shows my lab setup:

Computer Name   Operating System          Role
ExchangeDC      Windows Server 2003 SP2   DC, GC, CA
E1401           Windows Server 2008 R2    Exchange Server 2010 CAS, HT and MBX
E1402           Windows Server 2008 R2    Exchange Server 2010 CAS, HT and MBX
DBSRV           Windows Server 2003 SP2   SQL Server 2005 SP3
ADRMS           Windows Server 2008 R2    AD RMS

Preparing Prerequisites for AD RMS installation:

  • Create a service account named RMSSvc. This account will later be used during the installation of AD RMS. The account must have permission to log on locally to the server.
  • Make sure you have at least one database server with SQL Server 2005 installed. Please see AD RMS SQL Server Requirements for more information. If you are using MSDE 2000 to host the Rights Management Services (RMS) databases, you cannot upgrade to AD RMS. An upgrade is only supported if you are using Microsoft SQL Server 2000 or Microsoft SQL Server 2005 to host the AD RMS databases. Also, if the upgrade is to AD RMS in Windows Server 2008 RTM, SQL 2000 will work. If the upgrade is to AD RMS in Windows Server 2008 R2, then it must be either SQL 2005 or SQL 2008.
  • A distribution group named RMS SU Group in your Exchange organization. This group will be used as the Super Users group later.
  • And the following components on the server where you are installing AD RMS:

Web Server Role (IIS) and its features:

  • Web Server (IIS)
    • Web Server
      • Common HTTP Features
        • Static Content
        • Directory Browsing
        • HTTP Errors
        • HTTP Redirection
      • Performance
        • Static Content Compression
      • Health and Diagnostics
        • HTTP Logging
        • Logging Tools
        • Request Monitor
        • Tracing
      • Security
        • Windows Authentication
    • Management Tools
      • IIS Management Console
      • IIS 6 Management Compatibility
        • IIS 6 Metabase Compatibility
        • IIS 6 WMI Compatibility

Operating System Features:

  • Message Queuing
    • Message Queuing Services
      • Message Queuing Server
  • .NET Framework 3.5.1 Features
    • .NET Framework 3.5.1
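The same prerequisite set scripted with the ServerManager module, added here as an example (not from the original post); it is handy when you build more than one AD RMS node. The feature names are my mapping of the Server Manager display names above onto Windows Server 2008 R2 feature names, so confirm them with Get-WindowsFeature before relying on the script.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the future AD RMS server (Windows Server 2008 R2). Installs the
# IIS, Message Queuing and .NET features listed above and reports what is
# still missing. Assumption: the feature names below match the display names.
Import-Module ServerManager

$required = @(
    'Web-Server',           # Web Server (IIS)
    'Web-Static-Content',   # Common HTTP Features: Static Content
    'Web-Dir-Browsing',     # Directory Browsing
    'Web-Http-Errors',      # HTTP Errors
    'Web-Http-Redirect',    # HTTP Redirection
    'Web-Stat-Compression', # Performance: Static Content Compression
    'Web-Http-Logging',     # Health and Diagnostics: HTTP Logging
    'Web-Log-Libraries',    # Logging Tools
    'Web-Request-Monitor',  # Request Monitor
    'Web-Http-Tracing',     # Tracing
    'Web-Windows-Auth',     # Security: Windows Authentication
    'Web-Mgmt-Console',     # Management Tools: IIS Management Console
    'Web-Metabase',         # IIS 6 Metabase Compatibility
    'Web-WMI',              # IIS 6 WMI Compatibility
    'MSMQ-Server',          # Message Queuing Server (pulls in its parents)
    'NET-Framework-Core'    # .NET Framework 3.5.1
)

# Install only what is not already present, so the script is safe to re-run.
$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($missing) {
    $result = Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name })
    $result | Format-List Success, RestartNeeded
}

# Final check: anything still missing is printed so it can be added by hand.
$still = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($still) {
    Write-Warning ("Not installed: " + (($still | ForEach-Object { $_.Name }) -join ', '))
} else {
    Write-Host "All AD RMS prerequisite features are installed."
}
```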

Installing AD RMS Using Server Manager:

1. Open Server Manager, select the Roles node in the left-hand pane and click Add Roles in the Actions pane.

2. The Add Roles Wizard appears on the screen. Select Active Directory Rights Management Services from the list. If you do not have the software prerequisites installed on the server, the wizard will add them for you automatically.

3. Click Next on the page that appears.

4. If you are installing the first RMS server in your organization, the following screen appears with one of the options disabled. This page allows you to create a new AD RMS cluster.

5. Specify the database server settings on the next page.

6. Specify the service account details on the next page. This is the service account we created earlier.

7. Specify the location where you want to store the cluster key. Allow the setup wizard to store the key in the centrally managed storage. This saves you the trouble of providing the cluster key when you add new nodes to the cluster.

8. Provide a strong password for the cluster key in the next step.

9. Select the website in IIS where you want to host your certification virtual directories. If you have more than one IIS website on the server, you can select any site other than the Default Web Site.

10. Select the options as shown below. Do not select HTTP, which is non-secure access. Also, keep in mind that the URL you specify here will be used by clients for licensing requests, so if you are using anything other than the server name you must create the alias in DNS.

11. Specify the certificate options on the next page. The certificate you use in this step must contain the FQDN of the cluster address specified in the last step. I have used a certificate issued by my internal CA.

12. The next step is to provide the licensor certificate name. Just click Next on this page.

12. After you click Next, the SCP (Service Connection Point) Registration page appears. The SCP is registered in AD and can be modified at any time later using the AD RMS management console. Select Register the AD RMS service connection point now.

13. After this step you can simply keep clicking Next and wait until the wizard completes installing AD RMS. As you can see on the last page of the wizard, you must log off from the computer and log back on in order to manage the AD RMS cluster that you just created.

That is all for now. In the next post I will show how to configure the AD RMS server for use with Exchange 2010 and vice versa.

Related Posts:

Installing Windows 2008 R2 ADRMS and Configuring for Exchange 2010 IRM – Part 2

Posted in Active Directory, Exchange 2010 | 2 Comments »

Mystery of Notes in Exchange 2010 OWA

Posted by Milind Naphade on 07/07/2010

I have seen a few questions on the Technet Forums recently related to the Notes section in Exchange 2010 OWA.

The symptom is that a user is not able to create any notes after selecting the Notes folder.

I just learnt that this Notes folder is left behind and will be unsupported in OWA. So, currently there is no way to fix this problem and get notes created using OWA. You must use Outlook to do so.

Posted in CAS, Exchange 2010 | Comments Off on Mystery of Notes in Exchange 2010 OWA