Choosing Service Account and Distributed Key Management Settings During an Upgrade

 

Updated: May 13, 2016

Applies To: System Center 2012 SP1 - Virtual Machine Manager

This topic provides information to help you choose your service account and distributed key management settings during a System Center 2012 – Virtual Machine Manager (VMM) upgrade to System Center 2012 Service Pack 1 (SP1).

During the upgrade, on the Configure service account and distributed key management page, you need to specify which account to use for the System Center Virtual Machine Manager service and whether to use distributed key management to store encryption keys in Active Directory Domain Services (AD DS). Please choose your service account and distributed key management settings carefully. In some circumstances, depending on what you choose, encrypted data, such as passwords in templates and profiles, will not be available after the upgrade and you will have to re-enter them manually.

For the service account, you can choose to use either the Local System account or a domain account. In some cases, such as installing a highly available VMM management server, you must use a domain account. For more information, see Specifying a Service Account for VMM.

Distributed key management enables you to store encryption keys in AD DS instead of storing the encryption keys on the computer on which the VMM management server is installed. We recommend that you use distributed key management, and in some cases, such as installing a highly available VMM management server, you must use distributed key management. For more information, see Configuring Distributed Key Management in VMM.

Whether encrypted data is available after the upgrade depends on the following factors:

  • The account that you are logged in as when you are performing the upgrade.

  • The account that the System Center Virtual Machine Manager service is using in the current installation of VMM.

  • The account that the System Center Virtual Machine Manager service will use in the System Center 2012 SP1 installation.

The following table provides information about accounts during an upgrade.

| Account used when upgrading | System Center Virtual Machine Manager service account in System Center 2012 | System Center Virtual Machine Manager service account in System Center 2012 SP1 | Not using distributed key management | Using distributed key management |
|---|---|---|---|---|
| Any valid administrative account | Local System | Local System | Encrypted data is preserved | Encrypted data is preserved |
| Any valid administrative account | Local System | Domain account | Encrypted data is not preserved | Encrypted data is preserved |
| Any valid administrative account | Domain account | Local System | N/A | N/A |
| Same domain account as the System Center Virtual Machine Manager service account in System Center 2012 | Domain account | Domain account | Encrypted data is preserved | Encrypted data is preserved |
| Different domain account from the System Center Virtual Machine Manager service account in System Center 2012 SP1 | Domain account | Domain account | Encrypted data is not preserved | Encrypted data is not preserved |

Note

If the System Center Virtual Machine Manager service in System Center 2012 is configured to use a domain account, when you upgrade to System Center 2012 SP1, you must use the same domain account for the System Center Virtual Machine Manager service. During the upgrade process, you will be required to enter the password for that domain account.

If you perform an upgrade where you are installing VMM on a different computer and using the VMM database from your current VMM installation, encrypted data is never preserved during the upgrade. This is because the encryption keys are stored on the computer that was running System Center 2012 – Virtual Machine Manager. This is a benefit of using distributed key management in VMM in System Center 2012 SP1; the encryption keys are stored in AD DS instead of on the local computer. Therefore, if you have to reinstall VMM for System Center 2012 SP1 on a different computer, encrypted data can be preserved.
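
The following pre-upgrade check is an added example, not part of the original topic and not Microsoft's code. It encodes the account table, the note, and the different-computer case above, reads the current service account from Win32_Service, and reports whether encrypted data is expected to survive. The function names, the lookup by display name, and the CONTOSO accounts are assumptions made for illustration.

```powershell
# Added example: predicts whether VMM encrypted data survives the SP1 upgrade,
# following the account table on this page. All function names are hypothetical.
function Test-LocalSystem([string]$Name) {
    $Name -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'
}
function Resolve-AccountId([string]$Name) {
    # Compare accounts by SID when the name resolves; otherwise fall back to the name.
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $Name.ToUpperInvariant() }
}
function Get-VmmUpgradeOutcome {
    param(
        [Parameter(Mandatory)][string]$CurrentServiceAccount,  # service account in System Center 2012
        [Parameter(Mandatory)][string]$PlannedServiceAccount,  # service account planned for SP1
        [Parameter(Mandatory)][string]$UpgradingAccount,       # account that runs the upgrade
        [switch]$UseDkm,                                       # distributed key management selected
        [switch]$DifferentComputer                             # SP1 installed on another computer
    )
    if ($DifferentComputer) { return 'NotPreserved' }          # keys stayed on the old computer
    $curLocal  = Test-LocalSystem $CurrentServiceAccount
    $planLocal = Test-LocalSystem $PlannedServiceAccount
    if ($curLocal -and $planLocal) { return 'Preserved' }
    if ($curLocal) { if ($UseDkm) { return 'Preserved' } else { return 'NotPreserved' } }
    if ($planLocal) { return 'N/A: the table lists no outcome for domain account to Local System' }
    $cur = Resolve-AccountId $CurrentServiceAccount
    if ((Resolve-AccountId $PlannedServiceAccount) -ne $cur) {
        return 'Unsupported: SP1 must use the same domain service account'
    }
    if ((Resolve-AccountId $UpgradingAccount) -eq $cur) { return 'Preserved' }
    return 'NotPreserved'
}

# Live check. Assumption: the service is found by the display name used on this page.
# On a computer without VMM the query returns nothing and this part is skipped.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName = 'System Center Virtual Machine Manager'"
if ($svc) {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Get-VmmUpgradeOutcome -CurrentServiceAccount $svc.StartName `
        -PlannedServiceAccount $svc.StartName -UpgradingAccount $me -UseDkm
}

# Constructed sample: Local System today, domain account planned, no distributed key management.
Get-VmmUpgradeOutcome -CurrentServiceAccount 'LocalSystem' `
    -PlannedServiceAccount 'CONTOSO\svc-vmm' -UpgradingAccount 'CONTOSO\admin1'
```

Run the check on the current VMM management server under the account you intend to use for the upgrade, so that the reported result reflects the row of the table that applies to you.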