System Center 2012 Virtual Machine Manager Setup fails to create child objects for DKM


System Center 2012 Virtual Machine Manager installation fails with the following error message:

Unable to create or access the Active Directory container CN=VMMDKM,DC=Domain,DC=local. Access is denied. Specify the distinguished name for the container and verify that you have genericRead|CreateChild|WriteProperty rights on the container.


This can occur if the VMMDKM container was not pre-created in the Active Directory with the required permissions.


To resolve this issue, pre-create the VMMDKM container in the Active Directory and assign the following permissions:

-The account with which you are installing VMM must be given Full Control permissions to the container in AD DS. 
-The permissions must apply to This object and all descendant objects of the container.

Additional information:

- You must create a container in AD DS before installing VMM. You can create the container by using ADSI Edit.
- You must create the container in the same domain as the user account with which you are installing VMM.
- If you specify a domain account to be used by the System Center Virtual Machine Manager service, that account must also be in the same domain.

For example, if the installation account and the service account are both in the domain, you must create the container in that domain. So, if you want to create a container named VMMDKM, you would specify the container location as CN=VMMDKM,DC=corp,DC=contoso,DC=com.

For additional information on Configuring Distributed Key Management in VMM review the following:

Article ID: 2721457 - Last Review: Jul 9, 2012 - Revision: 1