

VMM 2008 R2 Service Account Requirements

Note: This article is based on VMM 2008 and might not apply to VMM 2012 (R2).

For the service account in System Center Virtual Machine Manager (VMM), you can use either Local System (the default) or an Active Directory domain account.

When to Use a Domain Account for the VMM Service

In the following environments, you must use a domain account as the VMM service account:

  • If you plan to share ISO images among Hyper-V virtual machines, you must use a domain account for the VMM service account. For additional configuration requirements, see How to Enable Shared ISO Images for Hyper-V Virtual Machines in VMM (http://go.microsoft.com/fwlink/?LinkId=161975).

  • In more restrictive Active Directory environments in which a Restricted Groups group policy is in effect, you must use a domain account instead of Local System for the VMM service account. The Restricted Groups policy does not allow machine accounts to be members of the local Administrators group. Under a Restricted Groups group policy, the VMM machine account will be removed from the local Administrators group on the host, leaving VMM unable to communicate with the host. In that situation, VMM places the host in a Needs Attention state and places the VMM agents on hosts and library servers in Not Responding status in VMM.

  • If VMM will manage hosts in a disjointed namespace environment, where the FQDN of a Windows Server–based host in Active Directory Domain Services does not match the server’s FQDN in DNS, it is recommended that you use an Active Directory domain account as the VMM service account. To be able to add hosts by using the Add Hosts Wizard in VMM, you also must add the SPNs of the DNS host FQDNs to Active Directory Domain Services.

Domain Account Requirements for the VMM Service

The domain account that you use for the VMM service account should meet the following requirements:

  • Use a dedicated account that is not used for any other purpose. In particular, avoid using an account that is used for any other purpose on your host computers. When a host is removed from VMM, VMM removes the account that the VMM service was running under from the local Administrators group on the host. If the same account is used for other purposes on the host, unexpected results can occur.

**Note** You cannot use the same domain account that is used as the VMM service account to add or remove a Hyper-V or Virtual Server host from VMM. For more information, see Hardening Virtual Machine Hosts Managed by VMM. You also should not use the VMM service account as the credentials for installing a remote instance of SQL Server during the VMM server setup. For more information, see Configuring a Remote Instance of SQL Server for VMM (http://go.microsoft.com/fwlink/?LinkID=134060).

  • To support Performance and Resource Optimization (PRO), the VMM service account must be a member of the Administrator role in System Center Operations Manager 2007. When you configure Operations Manager integration with VMM during setup, VMM adds the VMM service account to the local Administrators group on the Operations Manager root management server, which by default populates the Administrator role in Operations Manager. If your organization uses a different group to populate that role, you must add the VMM service account to that group on the root management server. For additional information, see Configuring Security for Operations Manager Integration and PRO in VMM. For setup procedures, see Configuring Operations Manager Integration with VMM (http://go.microsoft.com/fwlink/?LinkID=125948).

Specifying the VMM Service Account

The VMM service account is specified during VMM server installation. VMM adds the account to the db_owner fixed database role for the VMM database (by default, VirtualManagerDB).

To update the password for the VMM service, use Service Manager on the VMM server and then restart the VMM service.

**Caution** We recommend that you choose a new, dedicated domain account for your VMM service account because changing the VMM service account after setup is not supported. To change the VMM service account, you must uninstall VMM (select the Retain Data option if you want to keep the VMM SQL database) and reinstall VMM using the new service account.

Troubleshooting Issues with a Restricted Groups Group Policy

When a Restricted Groups group policy is causing the removal of the VMM Server machine account from the local Administrators group on the host computer, host refresher jobs fail with Error 2027 (“A Hardware Management error has occurred trying to contact server servername.domainname.com. (Unknown error (0x80338104)”).

To resolve this issue, you can make any of the following changes to the Group Policy settings:

  • Disable the Restricted Groups policy setting.

  • Modify the group setting to allow the VMM machine account in the local Administrators group.

  • Move the VMM Server machine account to its own organizational unit (OU), and block the group policy from being applied to that OU.

If modifying the group policy is not acceptable to your IT security team, your only option is to reinstall the VMM server and specify a domain account with Administrator rights on the VMM server computer. If you choose to retain data from your previous installation when you reinstall VMM, you will need to remove and re-add all your virtual machine hosts.
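Before changing Group Policy or reinstalling, it helps to confirm which hosts have actually lost the VMM account from their local Administrators group. The following script is an added example, not part of the original article; the host names and the `CONTOSO\VMMSRV01$` account are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example, not from the original article. Host and account names are placeholders.
# Uses the ADSI WinNT provider so it also runs on PowerShell 2.0-era servers.

function Get-LocalAdministrator {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/name; rewrite it as DOMAIN\name.
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-VmmHostAdminMembership {
    param(
        [Parameter(Mandatory = $true)][string[]]$HostName,
        # DOMAIN\VMMSERVER$ when the VMM service runs as Local System,
        # DOMAIN\account when it runs as a domain account.
        [Parameter(Mandatory = $true)][string]$VmmAccount
    )

    foreach ($name in $HostName) {
        $result = New-Object PSObject -Property @{
            Host = $name; VmmAccount = $VmmAccount; IsLocalAdmin = $false; Error = $null
        }
        try {
            # Direct membership only; nested domain groups are not expanded.
            $members = @(Get-LocalAdministrator -ComputerName $name)
            $result.IsLocalAdmin = $members -contains $VmmAccount
        }
        catch {
            # Unreachable host or access denied: report it instead of guessing.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Constructed sample values: replace with your own hosts and VMM server account.
Test-VmmHostAdminMembership -HostName 'HYPERV01', 'HYPERV02' -VmmAccount 'CONTOSO\VMMSRV01$' |
    Where-Object { -not $_.IsLocalAdmin } |
    Format-Table Host, VmmAccount, IsLocalAdmin, Error -AutoSize
```

Because a Restricted Groups policy is re-enforced when Group Policy refreshes, rerun the check after a refresh on the hosts to confirm that a fix has held.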

You Are the Expert

*In your use of VMM, have you encountered special requirements for the VMM service account within your environment, or do you have best practices or tips to share with other VMM customers? If you do, please sign in to the TechNet Wiki and update the topic. This topic is provided through the TechNet Wiki, an experimental site that allows members of the Microsoft community to create and enrich content based on their own experiences.*
