SCOM 2012 – Encryption Key To Backup Or Not To Backup

Once in a time there comes the question about the encryption key in SCOM 2012 (SP1). Older SCOM administrators were used to backup their SCOM encryption key using the SecureStorageBackup.exe utility in SCOM 2007 R2. This encryption key is essential for restoring a SCOM 2007 R2 RMS server.

http://technet.microsoft.com/en-us/library/cc540390.aspx

The root management server encryption key is necessary to decrypt secure data in the operational database. To successfully restore a failed root management server, you must import the key you had backed up previous to the failure.  If this encryption key is lost and the root management server fails for any reason, you must rebuild the management group.

Is this also necessary for SCOM 2012 (SP1)?

SCOM 2012 has an entire different architecture than SCOM 2007 R2 had. In SCOM 2007 R2 you had one management server (=> RMS server) which handled all the database and console connections, configuration and special targeted workflows. If you are still interested in “legacy SCOM 2007 R2” there is a TechNet article about the RMS role.

In SCOM 2012 (SP1) there is NO such single-point of failure anymore and because ALL SCOM management servers share this RMS functionality there is NO NEED to backup the encryption key anymore in SCOM 2012 (SP1)! There is also NO SecureStorageBackup.exe on the SCOM 2012 (SP1) source media.

What does the mean in a disaster scenario?

There are basically two disaster scenarios in a SCOM 2012 scenario:

1. All of your management servers are down.

2. You have two or more management server and one or more go down.

http://technet.microsoft.com/en-us/library/hh531578.aspx

There are two scenarios for recovery. The first scenario is when you have to recover a management server when all management servers in the management group have failed. In this case, you must recover all of the failed management servers, and then reconfigure the RunAs accounts. The second scenario is when you have a failed management server, but one or more management servers are still online. In this case, you just recover all of the failed management servers. You should not reconfigure the RunAs accounts.

Conclusion: NO encryption key backup or restore needs in SCOM 2012 (SP1) but make sure you have all your RunAs credentials stored in a known and secure place :).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s