How it works...

You can configure DKM before installing VMM by using ADSI Edit, or during VMM setup, when you are asked to enter the location in AD that you would like to use for storing the encryption keys. The location is the distinguished name (DN) of the container.

If you choose to create the DKM during the VMM setup, the user running the VMM installation (for example, rllab\vmm-admin) needs to have the following access rights on the location that you specify during setup:

  • Read
  • Write
  • Create all child objects

If you are creating DKM under the root level, you will need those rights at the domain level.
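
The rights listed above can be confirmed before running setup by reading the container's ACL. The following PowerShell check is an added example, not part of the original text; it assumes the RSAT ActiveDirectory module is installed, and the container DN is a placeholder for your environment:

```powershell
# Added example: verify the setup account's rights on the DKM container.
# Assumptions: RSAT ActiveDirectory module present; $ContainerDN is a placeholder.
Import-Module ActiveDirectory

$ContainerDN = 'CN=VMMDKM,DC=rllab,DC=example'   # assumed DN of the DKM container
$Account     = 'rllab\vmm-admin'                  # account that runs VMM setup

# Read, Write and "Create all child objects" as ActiveDirectoryRights flags
$Required = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite, CreateChild'

# Inheritance types whose ACEs apply to the container itself (not inherit-only)
$AppliesToObject = 'None', 'All', 'SelfAndChildren'

$acl = Get-Acl -Path "AD:\$ContainerDN"

# Combine the rights of every Allow ACE held directly by the account.
# Rights obtained through group membership are not resolved here.
$granted = 0
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -eq $Account -and
        $ace.AccessControlType -eq 'Allow' -and
        $ace.ObjectType -eq [Guid]::Empty -and          # ACE covers all child classes
        "$($ace.InheritanceType)" -in $AppliesToObject) {
        $granted = $granted -bor [int]$ace.ActiveDirectoryRights
    }
}

# Bits that are required but not granted (GenericAll satisfies all of them)
$missing = $Required -band (-bnot $granted)

if ($missing -eq 0) {
    Write-Output "$Account has Read, Write and Create all child objects on $ContainerDN"
} else {
    $names = [System.DirectoryServices.ActiveDirectoryRights]$missing
    Write-Warning "$Account is missing rights on ${ContainerDN}: $names"
}

# The container holds encryption keys, so list every ACE for review.
$acl.Access |
    Sort-Object IdentityReference |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited -AutoSize
```

The ACE listing at the end is useful for spotting accounts other than the setup and VMM service accounts that hold write access to the container.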

The following screenshot shows the permissions configured for the VMM account:

If the user running the setup has the right to create a container in AD DS, VMM setup will check whether there is a DKM container and then do either of the following:

  • If there is a DKM container already created in AD, VMM setup creates a new container under VMMDKM and gives the necessary permissions to the VMM service account for this new container
  • If there is no DKM container in AD, the VMM setup will create the container

Note that the VMM service account is also selected on this wizard page. For HA VMM installations, the local system account is disabled.