Choosing Service Account and Distributed Key Management Settings During an Upgrade
Updated: May 13, 2016
Applies To: System Center 2012 - Virtual Machine Manager
This topic provides information to help you choose your service account and distributed key management settings during an upgrade to System Center 2012 – Virtual Machine Manager (VMM).
During an upgrade to System Center 2012 – Virtual Machine Manager, on the Configure service account and distributed key management, you must specify which account to use for the System Center Virtual Machine Manager service and specify whether to use distributed key management to store encryption keys in Active Directory Domain Services (AD DS). Be sure to choose your service account and distributed key management settings carefully. Certain setting selections can cause encrypted data, such as passwords in templates and profiles, to become unavailable after the upgrade so that you will have to re-enter this data manually.
For the service account, you can use either the Local System account or a domain account. In some cases, such as when you install a highly available VMM management server, you must use a domain account. For more information, see Specifying a Service Account for VMM.
Distributed key management enables you to store encryption keys in AD DS instead of storing the encryption keys on the computer on which the VMM management server is installed. The use of distributed key management is generally recommended, and may be specifically required in some cases, such as when you install a highly available VMM management server. For more information, see Configuring Distributed Key Management in VMM.
Note
Distributed key management is not available in VMM 2008 R2 SP1.
Whether encrypted data is available after the upgrade depends on the following factors:
The account that are you are logged in as when performing the upgrade.
The account that the Virtual Machine Manager service is using in your VMM 2008 R2 SP1 installation.
The account that the System Center Virtual Machine Manager service will use in your installation of System Center 2012 – Virtual Machine Manager.
The type of upgrade that you are performing. The two types of upgrades are:
On the computer that is running VMM 2008 R2 SP1, performing an in-place upgrade.
On a different computer, installing System Center 2012 – Virtual Machine Manager and using the VMM database from your VMM 2008 R2 SP1 installation.
The following table provides information for an in-place upgrade.
Account used when upgrading | VMM 2008 R2 SP1 service account | System Center 2012 – Virtual Machine Manager service account | Not using distributed key management | Using distributed key management |
---|---|---|---|---|
Any valid administrative account | Local System | Local System | Encrypted data is preserved | Encrypted data is preserved |
Any valid administrative account | Local System | Domain account | Encrypted data is not preserved | Encrypted data is preserved |
Any valid administrative account | Domain account | Local System | (This configuration is not supported.) | (This configuration is not supported.) |
Same domain account as the VMM 2008 R2 SP1 service account | Domain account | Domain account | Encrypted data is preserved | Encrypted data is preserved |
Different domain account from the VMM 2008 R2 SP1 service account | Domain account | Domain account | Encrypted data is not preserved | Encrypted data is not preserved |
Note
If the Virtual Machine Manager service in VMM 2008 R2 SP1 is configured to use a domain account, when you upgrade to System Center 2012 – Virtual Machine Manager, you must use the same domain account for the System Center Virtual Machine Manager service. During the upgrade process, you will be required to enter the password for that domain account.
Encrypted data is not preserved during an upgrade in which you install System Center 2012 – Virtual Machine Manager on a different computer and use the VMM database from your VMM 2008 R2 SP1 installation. This is because the encryption keys are stored on the computer that was running VMM 2008 R2 SP1. This failure to preserve encrypted data can be avoided by using distributed key management in System Center 2012 – Virtual Machine Manager; the encryption keys are stored in AD DS instead of on the local computer. Because of this, if you have to reinstall System Center 2012 – Virtual Machine Manager on a different computer, encrypted data can be preserved.