Here’s a new Knowledge Base article we published. This one covers an issue where installing VMM 2012 fails with “Unable to create or access the Active Directory container CN=VMMDKM,DC=Domain,DC=local. Access is denied. Specify the distinguished name for the container and verify that you have genericRead|CreateChild|WriteProperty rights on the container”.
System Center 2012 Virtual Machine Manager installation fails with the following error message:
Unable to create or access the Active Directory container CN=VMMDKM,DC=Domain,DC=local. Access is denied. Specify the distinguished name for the container and verify that you have genericRead|CreateChild|WriteProperty rights on the container.
This can occur if the VMMDKM container was not pre-created in Active Directory with the required permissions.
To resolve this issue, pre-create the VMMDKM container in Active Directory and assign the following permissions:
- The account with which you are installing VMM must be given Full Control permissions to the container in AD DS.
- The permissions must apply to This object and all descendant objects of the container.

- You must create a container in AD DS before installing VMM. You can create the container by using ADSI Edit.
- You must create the container in the same domain as the user account with which you are installing VMM.
- If you specify a domain account to be used by the System Center Virtual Machine Manager service, that account must also be in the same domain.
For example, if the installation account and the service account are both in the corp.contoso.com domain, you must create the container in that domain. So, if you want to create a container named VMMDKM, you would specify the container location as CN=VMMDKM,DC=corp,DC=contoso,DC=com.
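The same steps can be scripted instead of clicked through in ADSI Edit. The following is an added example, not part of the KB article: it uses the ActiveDirectory PowerShell module, the corp.contoso.com domain from the example above, and a hypothetical installation account named CORP\vmminstall.

```powershell
# Added example: pre-create the VMM DKM container and grant the installation
# account Full Control on it and on all descendant objects.
# Run with rights to create objects at the chosen path, on a machine with the
# ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

# Assumed values; replace with your own.
$DomainDN       = 'DC=corp,DC=contoso,DC=com'
$ContainerName  = 'VMMDKM'
$InstallAccount = 'CORP\vmminstall'   # hypothetical account name

$ContainerDN = "CN=$ContainerName,$DomainDN"

# Create the container only if it does not exist yet.
if (-not (Get-ADObject -Filter "distinguishedName -eq '$ContainerDN'")) {
    New-ADObject -Name $ContainerName -Type container -Path $DomainDN
}

# Resolve the account to a SID so the ACE does not depend on name lookup later.
$account = New-Object System.Security.Principal.NTAccount($InstallAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Full Control (GenericAll), Allow, applied to "This object and all
# descendant objects" (inheritance type All).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Add the ACE to the container's existing ACL; nothing above it is changed.
$acl = Get-Acl -Path "AD:\$ContainerDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl

# Check the result before starting VMM setup: expect GenericAll / Allow / All.
(Get-Acl -Path "AD:\$ContainerDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $InstallAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  AccessControlType, InheritanceType
```

Because the ACE is set on the VMMDKM container itself, the Full Control grant covers only that container and its descendants, not the rest of the domain.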
For additional information on configuring Distributed Key Management in VMM, review the following: http://technet.microsoft.com/en-us/library/gg697604.aspx
For the most current version of this article please see the following:
J.C. Hornbeck | System Center & Security Knowledge Engineer