AD RMS Microsoft Exchange Server 2010 Integration Guide

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 R2 with SP1

Among the important innovations in Microsoft® Exchange Server 2010 is the integration of information rights management (IRM) technology. IRM can help your organization avoid disclosing sensitive information through e-mail messaging. When combined with Active Directory Rights Management Services (AD RMS) in Windows Server® 2008 R2 or in Windows Server 2008 with SP2 and hotfix KB973247 applied, the IRM features of Exchange 2010 can automatically secure messages that contain sensitive information but still enable protected messages to be scanned and archived unencrypted.

AD RMS enables the following Exchange 2010 features:

  • Transport Protection Rules provide rules-based automatic IRM protection of e-mail messages.

  • Transport Decryption gives trusted agents plaintext access to IRM-protected messages. This enables messages and attachments to be archived and scanned for malware.

  • Journal Report Decryption enables IRM-protected messages to be decrypted for journaling.

  • IRM Decryption for Search gives Exchange Search the ability to index content in IRM-protected messages.

  • IRM-enabled Outlook Web App enables users to send and open IRM-protected messages in Microsoft Office Outlook® Web App (OWA) in any OWA-supported browser without requiring the installation of client software.

  • IRM-enabled Unified Messaging lets users listen to protected voicemail messages in OWA, Outlook, and on the telephone, and provides a “Do Not Forward” policy for private voicemail.

  • Prelicensing attaches a prelicense to protected messages. This allows the client to avoid making repeated trips to the AD RMS server to retrieve a use license. It also enables off-line viewing of IRM-protected messages and attachments, which allows for IRM-protected messages to be viewed in OWA.

Many of these features require the Exchange servers in the enterprise to authenticate their identity with AD RMS. To simplify administration and reduce the number of license requests between Exchange and AD RMS, Exchange 2010 creates a special user account in Active Directory Domain Services called the Federated Delivery Mailbox user account. This account is the rights account certificate (RAC) identity which is shared among all Exchange servers. To enable Exchange servers to decrypt IRM-protected messages, the Federated Delivery Mailbox user account is added to the AD RMS super users group that is given access to all content protected by the AD RMS cluster.

Configuring AD RMS to enable these Exchange 2010 features requires registering the service connection point (SCP) of the AD RMS cluster, setting permissions on the AD RMS certification pipeline, and configuring the AD RMS super users group. For AD RMS and Exchange 2010 deployments that span more than one forest (as might happen after a corporate merger), additional configuration of the AD RMS infrastructure is necessary to enable Exchange 2010 servers in each forest to access messages protected by Exchange 2010 servers in other forests.
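Because members of the super users group can access all content protected by the cluster, it is worth checking who is actually in it once the Federated Delivery Mailbox account has been added. The following PowerShell audit is an added example, not part of the original guide. It assumes it runs on an AD RMS server with the AdRmsAdmin and ActiveDirectory modules available, and the allow-list entry is a placeholder to replace with your own account names.

```powershell
# Added example: list every account that holds AD RMS super user rights
# (directly or through nested groups) and flag unexpected ones.
Import-Module AdRmsAdmin
Import-Module ActiveDirectory

function Get-RmsSuperUserAudit {
    param(
        [string]$ClusterUrl = 'https://localhost',
        # Placeholder allow-list of sAMAccountNames expected in the group,
        # for example the Federated Delivery Mailbox account.
        [string[]]$ExpectedMembers = @('<federated-delivery-mailbox-account>')
    )

    # Map the AD RMS administration provider to a temporary drive.
    New-PSDrive -Name RmsAudit -PSProvider AdRmsAdmin -Root $ClusterUrl | Out-Null
    try {
        $su = Get-ItemProperty -Path 'RmsAudit:\SecurityPolicy\SuperUser'
        if (-not $su.IsEnabled) {
            Write-Warning 'Super users feature is disabled on this cluster.'
            return
        }
        if ([string]::IsNullOrEmpty($su.SuperUserGroup)) {
            Write-Warning 'Super users is enabled but no group is configured.'
            return
        }

        # The super users group is identified by its e-mail address.
        $group = Get-ADGroup -Filter "mail -eq '$($su.SuperUserGroup)'"
        if (-not $group) {
            Write-Warning "No AD group found with mail $($su.SuperUserGroup)."
            return
        }

        # -Recursive expands nested groups so indirect members are reported too.
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            New-Object PSObject -Property @{
                SuperUserGroup = $group.Name
                Account        = $_.SamAccountName
                ObjectClass    = $_.objectClass
                Expected       = ($ExpectedMembers -contains $_.SamAccountName)
            }
        }
    }
    finally {
        Remove-PSDrive -Name RmsAudit
    }
}

Get-RmsSuperUserAudit | Sort-Object Expected | Format-Table -AutoSize
```

Rows with `Expected` set to `False` are accounts that can decrypt all protected content but are not on your allow-list.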

This guide describes the tasks that are required to enable AD RMS support for Exchange 2010 features. It is intended to help the administrator of an organization’s existing AD RMS cluster to prepare for the deployment of Exchange 2010 in the organization. It does not provide information about how to deploy or configure Exchange 2010 itself, nor does it explain how to install and configure an AD RMS cluster. For information about IRM features in Exchange 2010, see Information Rights Management.

The following sections contain information and procedures to help you deploy Exchange 2010 with AD RMS in single-forest and multiple-forest settings.