Before going into the practical part, first a little bit of information about Distributed Key Management (DKM). DKM is used to store the VMM encryption keys in a special container in Active Directory Domain Services (AD DS) instead of locally on the VMM server. Those keys protect all the sensitive data in the VMM database, for example administrator passwords, Run As Account credentials and license key information. This is the kind of information you don't want unauthorized people to access!
DKM can be used for a standalone VMM server setup (optional but recommended), but when you deploy a clustered installation of VMM (HA VMM) it is required. Why? Because both cluster nodes (in case of a failover from one node to the other) need to be able to securely access the same encryption keys to decrypt the data in the VMM database; keys stored locally on one node would be useless to the other.
Here are some tips and tricks before you start:
- DKM is required when installing a HA VMM.
- I always manually configure the DKM container before starting the VMM installation (you can also let setup create it, but then the account running setup needs rights to create a new container in AD; the easiest way is to use an account with domain administrator rights).
- Creating a container directly under the domain root with ADSI Edit, as done below, requires domain administrator rights (or explicitly delegated Create Child rights on the domain object).
- The VMMDKM container and the VMM service account should be created in the same domain as the VMM Management server.
- Make sure to have a reliable AD backup in place to protect and recover all AD data, so those sensitive encryption keys don’t get lost in case of a disaster.
- The domain I use in this example is contoso.local.
- The following users and groups are created prior to running the VMM Management server setup: sa-scvmm (SCVMM service account), scvmmadmin (SCVMM Run As account) and SCVMM-Admins (SCVMM Administrators security group). The users sa-scvmm and scvmmadmin are made members of the SCVMM-Admins global security group. SCVMM-Admins is added to the local Administrators group on the VMM Management server(s).
1) Log on to a Domain Controller (DC) with domain admin privileges, open Run and type adsiedit.msc to start the Active Directory Service Interfaces Editor (ADSI Edit)
2) In the ADSI Edit console, right-click ADSI Edit and select Connect to. On the Connection Settings page click OK (the Name field should already show Default naming context)
3) Right-click the domain’s container (or another container you desire as a logical place) which in my case is DC=contoso, DC=local, select New and then select Object
4) In the Create Object window select container as the class and click Next
5) In the Value textbox, fill in VMMDKM and click Next (if you prefer to use another name, be sure not to use spaces or special characters in it)
6) Open Active Directory Users and Computers (dsa.msc), click View and select Advanced Features so the container becomes visible
7) Now you're able to see the VMMDKM container. The last thing to do is to set the proper AD permissions. By default the Domain Admins and Enterprise Admins groups and the SYSTEM principal have full control over this object and its descendant objects. In my case the necessary rights are granted to the SCVMM-Admins security group (of which the sa-scvmm service account is a member). Keep the membership of that group small: whoever can read the container can retrieve the keys that protect the secrets in the VMM database. Right-click the container and choose Properties
8) Click on the Security tab and click on Add
9) Type the name of the VMM Administrators group: scvmm-admins
10) Check the Read, Write, and Create all child objects options
11) Next click on the Advanced tab
12) Select scvmm-admins and choose Edit
13) In the Applies to drop-down menu, select This object and all descendant objects
14) Right-click the VMMDKM container and select Properties. Find the attribute distinguishedName (on the Attribute Editor tab in Active Directory Users and Computers, or directly in the Properties window of ADSI Edit), select it and click View. Copy the Value, you will need it later during the installation of VMM
15) When you install the VMM Management Server, on the Configure Service account and distributed key management page, you must specify the location of the container in AD DS, in my example CN=VMMDKM,DC=contoso,DC=local (the value copied in step 14)
16) After the VMM installation, you can see some data is added to the DKM container
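The same preparation can be scripted instead of clicking through ADSI Edit and Active Directory Users and Computers. The block below is an added example and not part of the original post: it creates the VMMDKM container under the domain root, grants the SCVMM-Admins group Read, Write and Create all child objects on the container and all descendant objects (the equivalent of steps 8 to 13), and prints the distinguished name to paste into VMM setup. It assumes the ActiveDirectory RSAT module is installed, the script runs as a domain administrator, and the group SCVMM-Admins already exists; the domain name is read from AD rather than hard-coded.

```powershell
# Added example, not from the original post.
# Assumptions: ActiveDirectory module (RSAT) available, run as Domain Admin,
# group SCVMM-Admins already exists in the same domain as the VMM server.
Import-Module ActiveDirectory

$containerName = 'VMMDKM'          # no spaces or special characters (see step 5)
$groupName     = 'SCVMM-Admins'    # group that VMM will use to reach the keys
$domainDn      = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=local

# 1) Create the container (object class "container") directly under the domain
#    root, unless it already exists from a previous run.
$dkm = Get-ADObject -LDAPFilter "(&(objectClass=container)(cn=$containerName))" `
                    -SearchBase $domainDn -SearchScope OneLevel
if (-not $dkm) {
    $dkm = New-ADObject -Name $containerName -Type container -Path $domainDn -PassThru
}
$dkmDn = $dkm.DistinguishedName

# 2) Build an ACE for the group: Read + Write + Create all child objects,
#    applied to "This object and all descendant objects" (inheritance = All).
#    GenericRead/GenericWrite are what the GUI "Read"/"Write" checkboxes set.
$group  = Get-ADGroup -Identity $groupName
$sid    = [System.Security.Principal.SecurityIdentifier]$group.SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
          [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
          [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
              $sid,
              $rights,
              [System.Security.AccessControl.AccessControlType]::Allow,
              [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# The AD: PSDrive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$dkmDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$dkmDn" -AclObject $acl

# 3) Verify the result: show every ACE on the container that belongs to the
#    group (you should see GenericRead, GenericWrite, CreateChild with
#    InheritanceType All), then print the DN exactly as VMM setup expects it.
(Get-Acl -Path "AD:\$dkmDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, AccessControlType -AutoSize

Write-Output "DKM container DN for VMM setup: $dkmDn"
```

Run it once on a domain controller or any domain-joined machine with RSAT. Because the DN comes straight from AD it is already in the compact CN=VMMDKM,DC=contoso,DC=local form (no spaces after the commas), which is the form the VMM installer expects. The verification step is worth keeping: if the group does not show up with InheritanceType All, the service account will be able to reach the container but not the key objects VMM creates underneath it later.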
We have now finished preparing DKM for either a standalone or a HA VMM installation.
So this concludes this blog post, hope it’s useful and helps!
Wim Matthyssen (@wmatthyssen)