OpsMgr 2007: What if I lose my RMS encryption key??

So let's say I have a functional OpsMgr 2007 infrastructure in place and then, for whatever reason, have to reinstall or replace the Root Management Server (RMS), but I didn't back up my RMS encryption key. What exactly are the ramifications of this, and what would I need to do to correct it?

Prior to Service Pack 1 (SP1), if something happened to your RMS and it had to be replaced, and you hadn't backed up your key, you were basically out of luck. Your only recourse was to rebuild from scratch - not a pretty picture. That's why we always told people to make sure they backed up their key as soon as they installed:

Backing up your RMS encryption key: http://technet.microsoft.com/en-us/library/bb309563.aspx.

Now with SP1 we have a new CREATE_NEWKEY command-line switch that can make recovering from a situation like this potentially much easier. We also made running the encryption key backup process a mandatory step in setup, just so you'll have a friendly reminder.

So let's take a look at a couple of scenarios:

1.  The Root Management Server is replaced or reinstalled and the key is not backed up or the password to the key is lost. There are no other Management Servers to promote.

Solution: Install a new Management Server (the RMS replacement) and be sure the computer name is the same as that of the previous Root Management Server being replaced. Setup will detect that the machine name is the same as the Root Management Server recorded in the database, so it will create a new key and register the licenses.

2.  The Root Management Server is replaced or reinstalled and the key is not backed up or the password to the key is lost. There is at least one Management Server to promote to Root Management Server.

Solution: On the Management Server that will become the new Root Management Server, run MOM.msi with the CREATE_NEWKEY switch (msiexec.exe /i <Path to MOM.msi> CREATE_NEWKEY=1). Configure the accounts for the SDK and Config services (these accounts need permission to the database: the SDK service account should be added to the SDK_users role, and the Config service account should be added to the configsvc_users role). Then promote the Management Server to Root Management Server.

3.  The registry on the Root Management Server got corrupted, and thus the encryption key (which is stored in the registry) is lost.

Solution: Run MOM.msi with the CREATE_NEWKEY switch (msiexec.exe /i <Path to MOM.msi> CREATE_NEWKEY=1).

So does this mean you don't have to worry about backing up your keys? No. You should always back up your keys and keep them in a safe place, as doing so will potentially save you a lot of trouble down the road, but now if something does happen there's possibly a way to recover without having to rebuild.
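The following PowerShell script is an added example, not code from the original post or from Microsoft. It drives the scenario 2 / scenario 3 procedure above end to end: it first confirms that the SDK and Config service accounts are already members of the SDK_users and configsvc_users database roles, then runs the documented msiexec.exe /i <MOM.msi> CREATE_NEWKEY=1 command with a verbose Windows Installer log, interprets the MSI exit code, and finally backs up the freshly created key so the next RMS failure is recoverable. Scenario 1 (same computer name, no switch) is not covered. Everything not on the page is an assumption: the MOM.msi path on the SP1 media, the server, account and backup-path parameters, the default OperationsManager database name and sqlcmd.exe being on the PATH, and that SecureStorageBackup.exe in the OpsMgr install folder accepts "Backup <file>" and prompts for a password.

```powershell
# Added example (not from the original post): run CREATE_NEWKEY with logging,
# check role membership and the MSI exit code, and back the new key up at once.
# Run elevated on the Management Server being promoted (scenario 2) or on the
# damaged RMS (scenario 3). All parameter defaults are assumptions.

param(
    [string]$MomMsi        = 'D:\Server\MOM.msi',   # assumed location on the SP1 media
    [string]$InstallDir    = "$env:ProgramFiles\System Center Operations Manager 2007",
    [string]$SqlServer     = 'SQL01',               # assumed OperationsManager DB server
    [string]$SdkAccount    = 'CONTOSO\svc-omsdk',   # assumed SDK service account
    [string]$ConfigAccount = 'CONTOSO\svc-omcfg',   # assumed Config service account
    [string]$KeyBackup     = 'C:\Backup\RMSKey.bin' # assumed destination for the key backup
)

# True when $Account is listed as a member of database role $Role.
# sp_helprolemember is a standard SQL Server procedure; the role names
# (SDK_users, configsvc_users) are the ones the post says the accounts need.
function Test-DbRoleMember {
    param([string]$Role, [string]$Account)
    $query = "SET NOCOUNT ON; EXEC sp_helprolemember '$Role'"
    $rows  = & sqlcmd.exe -S $SqlServer -d OperationsManager -E -W -h -1 -Q $query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed while querying role $Role" }
    return [bool]($rows | Where-Object { $_ -match [regex]::Escape($Account) })
}

# Run the post's command, msiexec.exe /i <MOM.msi> CREATE_NEWKEY=1, with a
# verbose log (/l*v is standard msiexec logging) and return the MSI exit code.
function Invoke-CreateNewKey {
    param([string]$Msi, [string]$LogPath)
    if (-not (Test-Path -LiteralPath $Msi)) { throw "MOM.msi not found at $Msi" }
    $msiArgs = @('/i', ('"{0}"' -f $Msi), 'CREATE_NEWKEY=1', '/l*v', ('"{0}"' -f $LogPath))
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

# Back the key up immediately so the *next* RMS failure has a key to restore.
# SecureStorageBackup.exe prompts interactively for the password protecting the file.
function Backup-RmsKey {
    param([string]$Path)
    $tool = Join-Path $InstallDir 'SecureStorageBackup.exe'
    if (-not (Test-Path -LiteralPath $tool)) { throw "SecureStorageBackup.exe not found in $InstallDir" }
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    & $tool Backup $Path
    return ($LASTEXITCODE -eq 0 -and (Test-Path -LiteralPath $Path))
}

# --- main flow --------------------------------------------------------------

# 1. The accounts must already hold the database roles the post lists; without
#    them the SDK and Config services cannot reach the database after promotion.
foreach ($pair in @(@('SDK_users', $SdkAccount), @('configsvc_users', $ConfigAccount))) {
    $role, $acct = $pair
    if (-not (Test-DbRoleMember -Role $role -Account $acct)) {
        throw "$acct is not a member of $role in OperationsManager on $SqlServer; fix that before continuing."
    }
}

# 2. Create the new key and interpret the Windows Installer result.
$log  = Join-Path $env:TEMP ('MOM_CREATE_NEWKEY_{0:yyyyMMdd_HHmmss}.log' -f (Get-Date))
$code = Invoke-CreateNewKey -Msi $MomMsi -LogPath $log
switch ($code) {
    0       { Write-Host "CREATE_NEWKEY succeeded (log: $log)" }
    3010    { Write-Warning "CREATE_NEWKEY succeeded but a reboot is required (log: $log)" }
    default { throw "msiexec returned $code; inspect $log before promoting this server." }
}

# 3. Protect the new key before this machine is promoted to RMS.
if (Backup-RmsKey -Path $KeyBackup) {
    Write-Host "New RMS key backed up to $KeyBackup; store the file and its password off this server."
} else {
    throw "Key backup did not produce $KeyBackup; do not promote until the key is backed up."
}
```

Exit codes 0 and 3010 are the standard Windows Installer values for success and success-with-reboot-required; anything else is a failure and the verbose log is the place to look. The role check runs before msiexec on purpose: in scenario 2 the post has you configure the SDK/Config accounts before promotion, and finding a missing role membership after the promotion has already happened is the harder position to recover from.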

Hope this helps,

J.C. Hornbeck

Comments (6)
  1. Anonymous says:

    We’ve been getting some calls here and there on this so I wanted to send out a quick clarification regarding

  2. Anonymous says:

    thank you

  3. Anonymous says:

    Just so you know, this post saved us the other day.  Thanks for sharing this so long ago!  I posted our experiences at blogs.technet.com/…/how-the-create-newkey-switch-on-mom-msi-saved-my-hide.aspx and there are a few things we encountered along the way that it would be good to get validated/documented.  Cheers!  Cory Delamarter

  4. Anonymous says:

    what about the other management servers that were connected to the RMS, how do they get the new key when solution 1 is used?

  5. Wouter Visser says:

    I have run into the first scenario that you described, but unfortunately OpsMgr is not showing new data in my RMS. The management group name, accounts and databases have the same names as in the original installation. In the log I see error 29106:

    The request to synchronize state for OpsMgr Health Service identified by "6c7579e3-c9a4-c35d-cb6e-f52003220aef" failed due to the following exception "System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.

    Server stack trace:

      at Microsoft.EnterpriseManagement.Mom.Internal.AesNativeTransform.DepadBlock(Byte[] block, Int32 offset, Int32 count)  

    I had restored the original encryption key, but it didn't do the trick.

    Have you seen this before? I hope you can help me; I have been playing with this problem for a few weeks now.

    Thanks in advance.

    Wouter Visser
