
Configuring Distributed Key Management in VMM

Updated: February 26, 2014

Applies To: System Center 2012 - Virtual Machine Manager, System Center 2012 R2 Virtual Machine Manager, System Center 2012 SP1 - Virtual Machine Manager

During the installation of a System Center 2012 – Virtual Machine Manager (VMM) management server, you must configure distributed key management. On the Configure service account and distributed key management page of Setup, you can choose to use distributed key management to store encryption keys in Active Directory Domain Services (AD DS) instead of storing the encryption keys on the computer on which the VMM management server is installed.

By default, VMM encrypts some data in the VMM database by using the Data Protection Application Programming Interface (DPAPI). For example, VMM encrypts Run As account credentials and passwords in guest operating system profiles. VMM also encrypts product key information in virtual hard disk properties for virtual machine role scenarios and configuration. The encryption of this data is tied to the specific computer on which VMM is installed and the service account that VMM uses. Therefore, if you move your VMM installation to another computer, VMM will not retain the encrypted data. In that case, you must enter this data manually to fix the VMM objects.

Distributed key management, however, stores the encryption keys in AD DS. Therefore, if you must move your VMM installation to another computer, VMM will retain the encrypted data because the other computer will have access to the encryption keys in AD DS.

Important
For virtual machine roles, if the encrypted data is not retained, you will not be able to enter it manually, so you will not be able to manage the roles.

If you choose to enable distributed key management, coordinate with your AD DS administrator about creating the appropriate container in AD DS for storing the cryptographic keys.

The following are some considerations about using distributed key management in VMM:

  • If you are installing a highly available VMM management server, you must use distributed key management to store encryption keys in AD DS.

    Distributed key management is required in this scenario because when the Virtual Machine Manager service fails over to another node in the cluster, the Virtual Machine Manager service still needs access to the encryption keys in order to access data in the VMM database. This access is possible only if the encryption keys are stored in a central location like AD DS.

  • For future upgrades that involve virtual machine roles, we recommend that you use distributed key management during setup. This will help ensure that virtual machine roles are properly upgraded, and that you can manage them after the upgrade.

  • You must create a container in AD DS before you install VMM. You can create the container by using Active Directory Service Interfaces Editor (ADSI Edit).

  • You must create the container in the same domain as the user account with which you are installing VMM. If you specify a domain account that the VMM service will use, that account must be in the same domain as well.

    For example, if the installation account and the service account are both in the corp.contoso.com domain, you must create the container in that domain. So, if you want to create a container that is named VMMDKM, you specify the container location as CN=VMMDKM,DC=corp,DC=contoso,DC=com.

  • After the AD DS administrator has created the container, the account with which you are installing VMM must have Full Control permissions to the container in AD DS. Also, the permissions must apply to this object and all descendant objects of the container.

  • On the Configure service account and distributed key management page, you must specify the location of the container in AD DS. For example, type CN=VMMDKM,DC=corp,DC=contoso,DC=com.
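The container creation and permission steps above can also be scripted instead of using ADSI Edit. The following PowerShell is an added example, not part of the original article or the VMM product; it assumes the RSAT ActiveDirectory module is installed, that it runs under a Domain Admin account, and that the container name VMMDKM and the install account CORP\vmminstall are placeholders for your environment.

```powershell
# Added example: create the DKM container and grant the VMM installation account
# Full Control on the container and all descendant objects, then verify the ACE.
# Assumptions: ActiveDirectory module available; run as a Domain Admin.
Import-Module ActiveDirectory

$ContainerName  = 'VMMDKM'                          # placeholder, matches the article's example
$DomainDN       = (Get-ADDomain).DistinguishedName  # e.g. DC=corp,DC=contoso,DC=com
$InstallAccount = 'CORP\vmminstall'                 # placeholder: account that runs VMM Setup

# 1. Create the container directly under the domain root, giving the
#    CN=VMMDKM,DC=corp,DC=contoso,DC=com layout the article describes.
$container   = New-ADObject -Name $ContainerName -Type 'container' -Path $DomainDN -PassThru
$containerDN = $container.DistinguishedName

# 2. Grant Full Control (GenericAll) to the install account. Inheritance "All"
#    corresponds to "This object and all descendant objects" in the ACL editor.
$acl  = Get-Acl -Path "AD:\$containerDN"
$sid  = (New-Object System.Security.Principal.NTAccount($InstallAccount)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 3. Verify: the install account must hold an inheritable GenericAll ACE on the container.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $InstallAccount -and
                   $_.ActiveDirectoryRights -eq 'GenericAll' } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize

# 4. This is the value to type on the Configure service account and distributed
#    key management page of Setup.
"Container location for Setup: $containerDN"
```

Keep the ACE scoped to the installation account (and, if you use one, the VMM service account) rather than a broad group, since whoever controls this container controls the keys that protect Run As credentials and other secrets in the VMM database.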
