How to Back Up the Root Management Server Encryption Key

Applies To: Operations Manager 2007 R2, Operations Manager 2007 SP1

The root management server (RMS) is the central point of configuration management and overall health monitoring for the entire managed environment.

The root management server encryption key is necessary to decrypt secure data in the operational database. To successfully restore a failed root management server, you must import the key that you backed up before the failure. If this encryption key is lost and the root management server fails for any reason, you must rebuild the management group.

To back up or to restore the root management server key, you need to use the SecureStorageBackup tool. The tool can start the Encryption Key Backup or Restore Wizard, or run as a command-line tool. The availability and the behavior of the tool depend on whether or not the console is installed on the management server.

The SecureStorageBackup tool functions as follows:

  • If the console and a management server are both installed, the tool is installed in the System Center Operations Manager 2007 installation folder.

    In this case, by default, the Encryption Key Backup or Restore Wizard runs at the final stage of setup, allowing you to back up the key. Also, if you start the tool without arguments, it starts the Encryption Key Backup or Restore Wizard, and if you start the tool with arguments, it runs as a command-line tool.

  • If the console is not installed, the SecureStorageBackup tool is not installed. For example, this happens if you are installing Operations Manager RMS on a cluster without installing the console on any server. In this case, to use the tool, you must first copy it from the SupportTools folder on the installation media to the installation folder on the management server.

    In this case, the tool runs as a command-line tool, and you must provide proper arguments. You can run SecureStorageBackup.exe with the '/?' switch to get help for the tool.

When backing up the encryption key, always ensure that you provide a backup location that is easily accessible in case you later need to retrieve the key. For more information about backing up the root management server encryption key, see the Microsoft System Center Operations Manager 2007 Deployment Guide.

Use the procedures below to back up the root management server encryption key.

To start the Encryption Key Backup or Restore Wizard to back up the root management server encryption key

  1. Log on to the computer hosting the root management server with an account that is a member of the Administrators group.

  2. Open a command prompt window using the Run as Administrator option.

  3. At the command prompt, type

    cd <Operations Manager Installation Folder>

  4. Type SecureStorageBackup and then press ENTER.

  5. In the Encryption Key Backup or Restore Wizard, on the Backup or Restore? page, select the Backup the Encryption Key option, and then complete the wizard.

To run the SecureStorageBackup tool in a command-line mode to back up the root management server encryption key

  1. Log on to the computer hosting the root management server with an account that is a member of the Administrators group.

  2. Open a command prompt window using the Run as Administrator option.

  3. At the command prompt, type

    cd\<Operations Manager Installation Folder>

    SecureStorageBackup Backup <BackupFile>

  4. At the Please enter the password to use for storage/retrieval prompt, type a password that is at least eight characters long, and then press ENTER.

  5. At the Please re-enter your password prompt, type the same password, and then press ENTER.
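
The command-line procedure above can be wrapped in pre-flight and post-run checks. The following PowerShell script is an added example, not part of the original article or of Operations Manager. The installation folder, the backup folder, and the backup file name are assumptions to adjust for your server; only the SecureStorageBackup Backup <BackupFile> invocation comes from the procedure.

```powershell
# Added example: checks around the documented "SecureStorageBackup Backup <BackupFile>" command.
param(
    # Assumed installation folder; change it to match your management server.
    [string]$InstallDir = 'C:\Program Files\System Center Operations Manager 2007',
    # Hypothetical backup folder; pick one that stays reachable if this server fails.
    [string]$BackupDir  = 'D:\RMSKeyBackup'
)

# Steps 1-2: the session must be elevated (Run as Administrator).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated command prompt.'
}

# The tool is not installed when the console is absent; it must be copied
# from the SupportTools folder on the installation media first.
$tool = Join-Path $InstallDir 'SecureStorageBackup.exe'
if (-not (Test-Path $tool)) {
    throw "SecureStorageBackup.exe not found in '$InstallDir'. Copy it from the SupportTools folder."
}
if (-not (Test-Path $BackupDir)) {
    throw "Backup folder '$BackupDir' does not exist."
}

# Constructed, timestamped file name so an earlier key backup is never overwritten.
$backupFile = Join-Path $BackupDir ('RMSKey_{0:yyyyMMdd_HHmmss}.bin' -f (Get-Date))

# Step 3: run the tool from its own folder. It prompts for the password
# (steps 4-5), so the password never appears in this script.
Push-Location $InstallDir
try     { & $tool Backup $backupFile }
finally { Pop-Location }

# Confirm that a non-empty backup file was actually written.
$item = Get-Item $backupFile -ErrorAction SilentlyContinue
if (-not $item -or $item.Length -eq 0) {
    throw "Backup file '$backupFile' was not created or is empty."
}

# Record a SHA-256 hash so later copies of the file can be checked against it.
$sha    = [Security.Cryptography.SHA256]::Create()
$stream = [IO.File]::OpenRead($backupFile)
try     { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
finally { $stream.Close() }
'{0}  {1}' -f $hash, $backupFile
```

Store the printed hash separately from the backup file, and keep the password somewhere you can retrieve it when the key has to be restored.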