Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Hyper-V Network Virtualization Cookbook

You're reading from   Hyper-V Network Virtualization Cookbook Over 20 recipes to ease the creation of new virtual machines in the networking layer using Hyper-V Network Virtualization

Arrow left icon
Product type Paperback
Published in Nov 2014
Publisher
ISBN-13 9781782177807
Length 228 pages
Edition 1st Edition
Tools
Arrow right icon
Author (1):
Arrow left icon
Ryan Boud Ryan Boud
Author Profile Icon Ryan Boud
Ryan Boud
Arrow right icon
View More author details
Toc

Table of Contents (11) Chapters Close

Preface 1. Installing Virtual Machine Manager FREE CHAPTER 2. Configuring Networks for Hyper-V Network Virtualization 3. Creating the Gateway for Virtual Machine Communications 4. IP Address Management Integration with VMM for Hyper-V Network Virtualization 5. Windows Server Gateway Configuration 6. Implementing Network Isolation in Hyper-V 7. Network Access Control Lists A. VM Templates B. Planning the Virtual Machine Manager Index

Creating the distributed key management container in Active Directory

Some of the data stored by VMM needs to be held securely, so it cannot be compromised. For example, when you store user credentials in VMM for Run As accounts, the passwords for these are encrypted. When you install VMM, you are given the choice of where to store the encryption keys, as shown in the following screenshot:

Creating the distributed key management container in Active Directory

It is required to always store your encryption keys in Active Directory if you are going to deploy a highly available (clustered) installation of VMM.

The account used to install VMM must have full control over the container in Active Directory for the duration of the installation. During the installation, the installer program reconfigures the security of the container to ensure that only the correct security principles have access.

For a small scale installation, a single container in the root of Active Directory could be created to store the encryption keys. For a large-scale implementation where several different installations of VMM may be required due to the number of hosts and/or virtual machines, it is advisable to create a parent container in Active Directory and then have containers within the parent for each installation of VMM.

Getting ready

You will need to have sufficient access to Active Directory to create Container objects.

How to do it…

The following diagram shows you the high-level steps involved in this recipe and the tasks required to complete this recipe:

How to do it…

There are two possible methods of creating a container in Active Directory: one is using ADSI Edit and the other is via PowerShell. The method discussed here will be PowerShell-based:

  1. On a Domain Controller, or a machine where the Active Directory PowerShell Module is installed, open an elevated PowerShell console.
  2. The following PowerShell line will create a container called DKMVMM in the root of Active Directory:
    New-ADObject –Name DKMVMM –Type container –Path "DC=ad,DC=demo,DC=com"
  3. Once the container has been created, the user who will be installing VMM needs to have full control of the container and that permission must apply to the container and all descendant objects. The following PowerShell will perform this function:
    Set-PSDrive AD:
    
    $VMMInstallAccount = Get-ADUser -Identity Install_VMM
    
    $SID = New-Object System.Security.Principal.SecurityIdentifier $VMMInstallAccount.SID
    
    $DKMVMMacl = Get-Acl -Path "CN=DKMVMM,DC=ad,DC=demo,DC=com"
    
    $ObjectGuid = New-Object Guid 00000000-0000-0000-0000-000000000000                           
    
    $newACL = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SID,"GenericAll","Allow",$objectguid,"All"
    
    $DKMVMMacl.AddAccessRule($newACL)
    
    Set-Acl -AclObject $DKMVMMacl -Path "CN=DKMVMM,DC=ad,DC=demo,DC=com"

This recipe is complete and the Distributed Key Management container is now ready to be used by DEMO\Install_VMM during installation.

How it works…

When VMM is installed, it uses the Distributed Key Management container to store its encryption keys and using the privileges granted to it previously, it will lock down the container to ensure that only the account running the VMM Management Service, the VMM Installation Account, and Domain Administrators have access to the container.

You have been reading a chapter from
Hyper-V Network Virtualization Cookbook
Published in: Nov 2014
Publisher:
ISBN-13: 9781782177807
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime