Q: What is the new Distributed Key Management (DKM) feature in Microsoft System Center Virtual Machine Manager (VMM) 2012 and how does it benefit the security of the VMM configuration data?

A: The VMM database contains sensitive information, such as product keys and administrator passwords. To protect the contents of this database, VMM uses encryption. By default, the cryptographic keys needed to access the encrypted data are stored locally on the VMM server. However, in a clustered VMM server setup, both cluster nodes might need to access the same encryption keys, so the keys can't be stored on a single cluster node. That's why Microsoft introduced the DKM feature in VMM 2012. Instead of storing the keys locally on the server, DKM lets you store them in a special container named VMMDKM in Active Directory (AD).

You can configure DKM when you're installing a VMM management server with the Virtual Machine Manager Setup Wizard. On the Configure service account and distributed key management page of the wizard, you simply need to select the Store my keys in Active Directory check box and provide the location of the DKM container in AD. For example, if your domain is named windowsitpro.net, you'd specify CN=VMMDKM,DC=windowsitpro,DC=net. If the account you're using to install VMM has permission to create new containers in AD, the VMM installation will automatically create the VMMDKM container. If that's not the case, make sure that you manually create the container in AD before starting the VMM installation. (You can use ADSI Edit to create it.) Also make sure that the account with which you're installing VMM has full control permission to the VMMDKM container. For more information about DKM and how to set it up, see the Microsoft TechNet article "Configuring Distributed Key Management in VMM."