Rights Management Server and Exchange 2010 (Part 2)

If you would like to read the other parts in this article series please go to:


This is the second article in a series covering the use of Rights Management Server (RMS) with Exchange 2010. In the first part we covered important background information on the use of RMS and then went onto covering installation pre-requisite information. Here in part two we are going to go ahead and install the RMS role on the server named R-RMS.

Rights Management Server Installation

To install RMS, follow these steps:

  1. Run the Server Manager application from the Administrative Tools folder.
  2. In Server Manager, select the Roles option from the left-hand pane and then in the right-hand pane select the Add Roles option as you can see in Figure 2.

Figure 2: Server Manager – Adding a Role

  1. In the Add Roles Wizard, you may be presented with an initial Before You Begin screen if this is the first time you have run this wizard or you have elected to display this opening screen each time the wizard is run. At this screen, just click Next.
  2. On the Select Server Roles screen, select the Active Directory Rights Management Server option. If your Windows 2008 R2 operating system is a clean build, you will now be presented with a screen advising you that you need to install additional roles to support RMS, namely Internet Information Services, Message Queuing and the Remote Server Administration Tools. This screen is shown in Figure 3. Assuming that you are happy to add these additional roles, click the Add Required Role Services button.

Figure 3: Adding Additional Role Services

  1. You should now be back at the Select Server Roles screen and it should resemble the screen shown below in Figure 4. Click Next to proceed through the wizard.

Figure 4: Selected Server Roles

  1. The next screen presented is an introduction screen for the installation of the RMS role. Review the information on this screen and then click Next.
  2. The Select Role Services screen is presented next and on this screen make sure that the Active Directory Rights Management Server role is selected and then click Next. This screen is shown in Figure 5.

Figure 5: Selecting the Rights Management Server Role Services

  1. You will now be presented with the Create or Join an AD RMS Cluster screen such as the one shown below in Figure 6. In this case, there is no existing RMS cluster to join so we have to select the option to create a new cluster.

Figure 6: Creating a New Rights Management Server Cluster

  1. On the Select Configuration Database screen, we are going to choose the Use Windows Internal Database on this server option since this is simply a lab environment that is restricted to a single-server RMS cluster. Naturally in a production environment it is likely that the option to specify a dedicated database server will be chosen.

Figure 7: Choosing the Configuration Database

  1. On the next screen presented, we can select our service account. As I stated earlier in part one of this article series, and as you can see from the text in Figure 8, the service account is simply a normal domain user account.

Figure 8: Service Account Configuration

  1. The installation of the RMS server requires the creation of a cluster key for the purpose of certificate signing. You can see from the text displayed in Figure 9 the two options available and the pros and cons of each. For this lab environment I’m going to elect to use a password-protected key but for security sensitive environments the option to use a cryptographic service provider should be considered.

Figure 9: Configuring the Cluster Key Storage

  1. Since I have decided to use a password-protected key, the next screen presented gives me the chance to enter a password for this key as you can see from Figure 10. If you do decide to add additional servers to the RMS cluster later, you will need to supply this key password.

Figure 10: Entering the Cluster Key Password

  1. You saw earlier in this article that one of the required services is Internet Information Services and in the next screen presented you have to configure the virtual directory on which RMS is hosted. Here you can see only the default web site is available so that has been chosen for this installation.

Figure 11: Selecting the Rights Management Server Web Site

  1. To allow the RMS clients, such as the Exchange server, to communicate with the RMS server itself, an address must be specified. As you can see from Figure 12, I have chosen a name of rms.neilhobson.com and at the same time I have chosen to use Secure Sockets Layer (SSL) protection as recommended by Microsoft. Once the RMS address has been typed into the Internal Address field, click the Validate button. Doing so will give you a preview of the cluster address and will additionally allow the Next button to become available.

Figure 12: Configuring the Cluster Address

  1. On the next screen we have the option to choose the certificate that we will use to ensure that SSL protection is used. On this screen I have elected to use a certificate that has already been assigned to the web site. This certificate has two Subject Alternate Names defined so that we can connect to the server using the FQDN of r-rms.neilhobson.com or the alternate name rms.neilhobson.com.

Figure 13: Choosing the Certificate

  1. RMS uses Server Licensor Certificates so that the RMS server itself has the necessary permissions required to issue certificates to the RMS clients. The default name entered in the wizard is derived from the name of the server and that’s the name I am maintaining in this environment.

Figure 14: Naming the Server Licensor Certificate

  1. Next, the Register AD RMS Service Connection Point screen is presented as shown in Figure 15. For those of you who have been working with Exchange 2007 or Exchange 2010 you will no doubt be familiar with Service Connection Points (SCPs) in relation to the Client Access Server role. For the RMS server, the SCP is used by the clients to connect to the RMS server itself. Since I am currently logged on with an account that is a member of the Enterprise Admins security group, I have chosen to register the SCP straight away.

Figure 15: Registering the Service Connection Point

  1. Because we need to install Internet Information Services, the next screen presented is an introduction screen for this process. After that, the next screen displayed shows you which role services are required for Internet Information Services. Review the selections and then click the Next button.

Figure 16: Installing Web Server Role Services

  1. Finally we are now at the point where all the various components can be installed and before this is performed a final review screen is presented such as the one you can see in Figure 17. Review the selections before clicking the Install button.

Figure 17: Confirming Installation Selections

  1. Once all the components have been installed, you should be presented with a screen similar to the one shown below in Figure 18. Note the text advising you that you must log off and back on again before administering the RMS server.

Figure 18: Reviewing Installation Output


That completes the installation of the RMS role and its required role services and features on the server R-RMS. In part three we will be looking at the remaining configuration tasks that we need to complete, such as permissions changes and the creation of the ‘super users’ group.


If you would like to read the other parts in this article series please go to:


Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top