How to move Distributed Key Management (DKM) in VMM from one container to another

Details of Distributed Key Management (DKM) are available in the TechNet article below. https://technet.microsoft.com/en-us/library/gg697604(v=sc.12).aspx

Once you have installed the VMM Management Server and configured the DKM, it will keep on working fine until you decide to move your DKM to a different container.

If you or someone else accidentally moved the DKM to a different container, you will see these two issues.

  1. All your VMs will be in a "Not Responding State" and all your Refresh jobs will fail with the below error:

 

Error (20552)

VMM does not have appropriate permissions to access the resource on the VMMHAMS2.mydomain.com server.

Recommended Action

Ensure that Virtual Machine Manager has the appropriate rights to perform this action.

Also, verify that CredSSP authentication is currently enabled on the service configuration of the target computer VMMHAMS2.mydomain.com. To enable the CredSSP on the service configuration of the target computer, run the following command from an elevated command line: winrm set winrm/config/service/auth @{CredSSP="true"}

  2. If you try to update the password of any RunAsAccount and create a new RunAsAccount, you will get the below error:

 

Resolution:

Note: Take a full, fresh backup of your VMM database before proceeding with the steps. Open a support case with Microsoft if you are not familiar with SQL databases.

  1. Open "Active Directory Users and Computers" and locate the DKM. Note: It is not a bad idea to have your AD Administrator by your side.
  2. If you have not moved your DKM yet and are not aware of its location, log in to your VMM database and run the below query:
      SELECT PropertyName, PropertyValue
      FROM [VirtualManagerDB].[dbo].[tbl_VMM_GlobalSetting]
      WHERE PropertyName like '%Container%';
  3. Once you locate the DKM container, move the DKM to the new container as desired. If it has already been moved, no action is required in AD DS. (Wait until the move is reflected under the new container.)
  4. Right click on the DKM -> Properties -> Attribute Editor -> distinguishedName
  5. Double click on distinguishedName, copy it.
  6. Expand VMM DB -> Locate the table "[dbo].[tbl_VMM_GlobalSetting]" -> Right Click -> Edit 200 Rows -> Locate the row "TopContainerName" -> Change the PropertyValue to the new DKM location copied in Step 5 -> Ctrl+S -> Close the table editor.
  7. Once you have made the changes, run the below query again to verify that they were applied properly:
      SELECT PropertyName, PropertyValue
      FROM [VirtualManagerDB].[dbo].[tbl_VMM_GlobalSetting]
      WHERE PropertyName like '%Container%';
  8. Once you verify that the container name is right in the VMM DB, log in to your VMM management server and restart the service "System Center Virtual Machine Manager".
  9. Enter the password of the RunAsAccounts again. They should work now.
  10. The Refresh Jobs should now run successfully and the VMs will be back to Responding State.
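
Steps 6 and 7 can also be done as one script instead of the table editor. The T-SQL below is an added example, not part of the original post: it changes only the "TopContainerName" row inside a transaction, rolls back unless exactly one row was touched, and prints the old value so it can be restored. The @NewDkmDn value is a placeholder for the distinguishedName copied in step 5, and the script assumes PropertyValue holds string data.

```sql
-- Added example: scripted form of steps 6 and 7 (run after the full backup).
USE [VirtualManagerDB];
SET XACT_ABORT ON;   -- any run-time error rolls the transaction back

-- Placeholder: paste the distinguishedName copied in step 5.
DECLARE @NewDkmDn nvarchar(max) = N'<distinguishedName copied in step 5>';

-- Sanity check (assumption: a usable DN ends in domain components).
IF @NewDkmDn LIKE N'<%' OR @NewDkmDn NOT LIKE N'%,DC=%'
BEGIN
    RAISERROR(N'Set @NewDkmDn to the DKM distinguishedName first.', 16, 1);
    RETURN;
END;

-- Captures the value before and after the change.
DECLARE @Changed TABLE (OldValue nvarchar(max), NewValue nvarchar(max));

BEGIN TRANSACTION;

UPDATE [dbo].[tbl_VMM_GlobalSetting]
SET    PropertyValue = @NewDkmDn
OUTPUT CAST(deleted.PropertyValue  AS nvarchar(max)),
       CAST(inserted.PropertyValue AS nvarchar(max))
INTO   @Changed
WHERE  PropertyName = N'TopContainerName';

-- Exactly one row must match; otherwise undo and stop.
IF (SELECT COUNT(*) FROM @Changed) <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'Expected exactly one TopContainerName row; nothing was changed.', 16, 1);
    RETURN;
END;

COMMIT TRANSACTION;

-- Record of the change: keep OldValue with your change notes.
SELECT OldValue, NewValue FROM @Changed;

-- Step 7: verify the container settings now stored in the VMM DB.
SELECT PropertyName, PropertyValue
FROM   [dbo].[tbl_VMM_GlobalSetting]
WHERE  PropertyName LIKE N'%Container%';
```

After the script reports the new value, continue with step 8.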