Configuring Distributed Key Management in VMM
Updated: November 1, 2013
Applies To: System Center 2012 - Virtual Machine Manager, System Center 2012 R2 Virtual Machine Manager, System Center 2012 SP1 - Virtual Machine Manager
During the installation of a VMM management server, you will need to configure distributed key management. On the Configure service account and distributed key management page of Setup, you can select to use distributed key management to store encryption keys in Active Directory Domain Services (AD DS) instead of storing the encryption keys on the computer on which the VMM management server is installed.
By default, VMM encrypts some data in the VMM database (for example, Run As account credentials and passwords in guest operating system profiles, and ProductKey information on virtual hard disk properties, which is used for Virtual Machine Role scenarios and configuration) by using the Windows Data Protection API (DPAPI). The encryption of this data is tied to the specific computer on which VMM is installed and the service account used by VMM. Therefore, if you need to move your VMM installation to another computer, the encrypted data will not be retained. In that case, you will need to enter this data (such as credentials, passwords and ProductKey information) manually to fix the VMM objects. For Virtual Machine Roles, if the encrypted data is not retained, you will not be able to enter it manually, and so managing Virtual Machine Roles will not be possible. Distributed key management, however, stores the encryption keys in AD DS. Therefore, if you need to move your VMM installation to another computer, the encrypted data will be retained, because the other computer will have access to the encryption keys in AD DS.
If you choose to enable distributed key management, coordinate with your Active Directory administrator about creating the appropriate container in AD DS for storing the cryptographic keys.
The following are some considerations about using distributed key management in VMM:
If you are installing a highly available VMM management server, you must use distributed key management to store encryption keys in AD DS.
Distributed key management is required in this scenario because when the Virtual Machine Manager service fails over to another node in the cluster, the Virtual Machine Manager service still needs access to the encryption keys in order to access data in the VMM database. This is only possible if the encryption keys are stored in a central location like AD DS.
For future upgrades that involve Virtual Machine Roles, it is recommended that you use distributed key management during setup. This will ensure that Virtual Machine Roles are properly upgraded, and that you can manage them after the upgrade.
You must create a container in AD DS before installing VMM. You can create the container by using ADSI Edit.
You must create the container in the same domain as the user account with which you are installing VMM. Also, if you specify a domain account to be used by the System Center Virtual Machine Manager service, that account must also be in the same domain.
For example, if the installation account and the service account are both in the corp.contoso.com domain, you must create the container in that domain. So, if you want to create a container named VMMDKM, you would specify the container location as CN=VMMDKM,DC=corp,DC=contoso,DC=com.
After the Active Directory administrator has created the container, the account with which you are installing VMM must be given Full Control permissions to the container in AD DS. Also, the permissions must apply to This object and all descendant objects of the container.
On the Configure service account and distributed key management page, you must specify the location of the container in AD DS by typing its distinguished name, for example CN=VMMDKM,DC=corp,DC=contoso,DC=com.
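The container creation and permission steps above, as an added example that is not part of the original page: it uses the ActiveDirectory PowerShell module rather than the ADSI Edit GUI the page describes, and assumes the domain corp.contoso.com, the container name VMMDKM and an installation account CORP\vmmadmin (all placeholder values).

```powershell
# Added example, not from the original page. Creates the distributed key management
# container and grants the VMM installation account Full Control on the container and
# all descendant objects. Assumed values: domain corp.contoso.com, container VMMDKM,
# installation account CORP\vmmadmin. Run as a user allowed to create objects in the domain.
Import-Module ActiveDirectory

$domainDN       = 'DC=corp,DC=contoso,DC=com'
$containerName  = 'VMMDKM'
$installAccount = 'CORP\vmmadmin'   # account that will run VMM Setup (same domain as the container)

# 1. Create the container (the same object you would create with ADSI Edit).
$container   = New-ADObject -Type container -Name $containerName -Path $domainDN -PassThru
$containerDN = $container.DistinguishedName    # CN=VMMDKM,DC=corp,DC=contoso,DC=com

# 2. Grant Full Control (GenericAll) scoped to this container only, with inheritance set to
#    "This object and all descendant objects" so the keys VMM writes under it are covered.
$acl      = Get-Acl -Path "AD:\$containerDN"
$identity = New-Object System.Security.Principal.NTAccount($installAccount)
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 3. Verify the ACE before running Setup: the installation account should show GenericAll
#    with InheritanceType All. $containerDN is the value typed on the Setup page.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $installAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
$containerDN
```

The grant is limited to the VMMDKM container and its children; nothing above it in the domain receives additional rights.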