Configuring Distributed Key Management in VMM

During the installation of a VMM management server, you will need to configure distributed key management. On the Configure service account and distributed key management page of Setup, you can select to use distributed key management to store encryption keys in Active Directory Domain Services (AD DS) instead of storing the encryption keys on the computer on which the VMM management server is installed.

Important

By default, VMM encrypts some data in the VMM database (for example Run As account credentials and passwords in guest operating system profiles) by using the Windows Data Protection API (DPAPI). The encryption of this data is tied to the specific computer on which VMM is installed and the service account used by VMM. Therefore, if you need to move your VMM installation to another computer, the encrypted data will not be retained. Distributed key management, however, stores the encryption keys in AD DS. Therefore, if you need to move your VMM installation to another computer, the encrypted data will be retained, because the other computer will have access to the encryption keys in AD DS.

If you choose to enable distributed key management, coordinate with your Active Directory administrator about creating the appropriate container in AD DS for storing the cryptographic keys.

The following are some considerations about using distributed key management in VMM:

• If you are installing a highly available VMM management server, you must use distributed key management to store encryption keys in AD DS.
  
  Distributed key management is required in this scenario because when the Virtual Machine Manager service fails over to another node in the cluster, the Virtual Machine Manager service still needs access to the encryption keys in order to access data in the VMM database. This is only possible if the encryption keys are stored in a central location like AD DS.
  
  
• You must create a container in AD DS before installing VMM. You can create the container by using ADSI Edit.
  
  
• You must create the container in the same domain as the user account with which you are installing VMM. Also, if you specify a domain account to be used by the System Center Virtual Machine Manager service, that account must also be in the same domain.
  
  For example, if the installation account and the service account are both in the corp.contoso.com domain, you must create the container in that domain. So, if you want to create a container named VMMDKM, you would specify the container location as CN=VMMDKM,DC=corp,DC=contoso,DC=com.
  
  
• After the Active Directory administrator has created the container, the account with which you are installing VMM must be given Full Control permissions to the container in AD DS. Also, the permissions must apply to This object and all descendant objects of the container.
  
  
• On the Configure service account and distributed key management page, you must specify the location of the container in AD DS by typing. For example, by typing CN=VMMDKM,DC=corp,DC=contoso,DC=com.