1. Created a Domain Global Distribution Group for AD RMS Super User.
2. Added the Federation mailbox to the AD RMS Super User Group.
3. Executed the Set-IRMConfiguration cmdlet to enable IRM on the CAS server roles.
When testing with Test-IRMConfiguration -sender

Acquiring Rights Account Certificate (RAC) and Client Licensor Certificate (CLC) ...
- WARNING: Failed to acquire a Rights Account Certificate (RAC) and/or a Client Licensor Certificate (CLC). This failure may cause features such as Transport Decryption, Transport Protection Rules, Journal Report Decryption, IRM in Outlook Web App, IRM in Exchange ActiveSync, and IRM Search to not work. Make sure that the Exchange Servers Group is granted "Read" and "Read & Execute" rights on the ServerCertification.asmx and Publish.asmx pipelines on your AD RMS server. For details, see "Set Permissions on the AD RMS Certification Pipe

Looking at the provided link (http://technet.microsoft.com/library/ee849850(WS.10).aspx), it only covers Windows 2008 R2. For Windows 2012 R2, you want to do the extra step of going to the %systemdrive%\Inetpub\wwwroot\_wmcs\licensing directory for the publish.asmx file and assigning the read and read-execute permissions to Exchange Server (domain group) and AD RMS Service Group (local group on the AD RMS server).
The publish.asmx file does not exist in the %systemdrive%\Inetpub\wwwroot\_wmcs\Certification\ directory as the link describes.
Hope it helps.
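
The permission step above as a script: an added example, not part of the original post, that audits the two pipeline files named in the warning and grants Read & Execute only where it is missing. Assumptions: CONTOSO is a placeholder domain name, the group names are taken from the post and the warning text, and ServerCertification.asmx is assumed to sit in the _wmcs\certification directory.

```powershell
# Added example. Run in an elevated PowerShell session on the AD RMS server.
# CONTOSO is a placeholder; replace it with your domain's NetBIOS name.
$wmcs = Join-Path $env:SystemDrive 'Inetpub\wwwroot\_wmcs'
$pipelines = @(
    (Join-Path $wmcs 'licensing\publish.asmx'),
    (Join-Path $wmcs 'certification\ServerCertification.asmx')   # assumed location
)
$principals = @(
    'CONTOSO\Exchange Servers',                  # domain group (name from the warning text)
    "$env:COMPUTERNAME\AD RMS Service Group"     # local group on the AD RMS server
)
$needed  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($file in $pipelines) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "Not found: $file"
        continue
    }
    $acl = Get-Acl -LiteralPath $file
    $changed = $false
    foreach ($name in $principals) {
        # Resolve the name to a SID so the comparison does not depend on name formatting.
        # Translate() throws if the group does not exist, which stops a typo becoming an ACE.
        $sid = (New-Object System.Security.Principal.NTAccount($name)).Translate($sidType)

        # Look at explicit and inherited ACEs for an Allow entry covering Read & Execute.
        $has = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.AccessControlType -eq $allow -and
            ([int]$_.FileSystemRights -band [int]$needed) -eq [int]$needed
        }
        if ($has) {
            Write-Output "OK       $name -> $file"
            continue
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $needed, $allow)
        $acl.AddAccessRule($rule)
        $changed = $true
        Write-Output "GRANTED  $name -> $file"
    }
    # Write the ACL back only when something was added, so a clean audit changes nothing.
    if ($changed) { Set-Acl -LiteralPath $file -AclObject $acl }
}
```

Rerun Test-IRMConfiguration afterwards to confirm the RAC/CLC warning is gone; the grant is limited to Read & Execute on the two files rather than the whole _wmcs tree.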