To keep the encryption keys SCVMM uses highly available, Microsoft recommends storing them in an AD container. During setup you are asked for the location where you want these keys to be stored. I got the following error while setting up SCVMM in my home lab:
I went through setup logs and saw the following:
The account I was trying to use had full control of the container called DKM, no issues there. The account I was logged on with had domain admin rights. The issue was that I specified the incorrect location for the container. I looked it up in ADSIEdit and sure enough:
So it should have been like this:
Only a subtle difference! It should be OU=SCVMMDKM,OU=DKM,DC=domain,DC=local, NOT CN=SCVMMDKM,OU=DKM,DC=domain,DC=local. I know the location's slightly different between the 1st and 2nd screenshots, but the idea is that because it's an OU, its distinguished name should look like this: OU=…, DC=…, DC=… After this, sure enough, all was well:
Hope this helps someone.
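
A pre-flight check for the mistake described above, as an added example that is not part of the original post: it asks AD whether the DN you plan to give SCVMM setup resolves, and if it does not, lists objects with the same name so a CN=/OU= mix-up is visible. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name Test-DkmContainerDN is hypothetical.

```powershell
# Added example: check a DKM container DN before entering it in SCVMM setup.
# Assumes the ActiveDirectory module (RSAT); Test-DkmContainerDN is a hypothetical name.
Import-Module ActiveDirectory

function Test-DkmContainerDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split off the leaf RDN, e.g. "CN=SCVMMDKM" -> name "SCVMMDKM".
    # The lookbehind keeps escaped commas (\,) inside a name intact.
    $leaf = ($DistinguishedName -split '(?<!\\),')[0].Trim()
    $name = ($leaf -split '=', 2)[1]

    try {
        # Exact lookup: succeeds only if the DN is right, RDN type included.
        $obj = Get-ADObject -Identity $DistinguishedName -ErrorAction Stop
        return [pscustomobject]@{
            Supplied    = $DistinguishedName
            Resolves    = $true
            ObjectClass = $obj.ObjectClass
            Candidates  = @()
        }
    }
    catch {
        # DN did not resolve. Look for objects with the same name so that a
        # CN= versus OU= mix-up shows up as a near match.
        $safeName = $name -replace "'", "''"
        $candidates = @(Get-ADObject -Filter "Name -eq '$safeName'" |
            Select-Object DistinguishedName, ObjectClass)
        return [pscustomobject]@{
            Supplied    = $DistinguishedName
            Resolves    = $false
            ObjectClass = $null
            Candidates  = $candidates
        }
    }
}

# The DN from the post that setup rejected (domain components as written there).
$result = Test-DkmContainerDN 'CN=SCVMMDKM,OU=DKM,DC=domain,DC=local'
$result | Format-List Supplied, Resolves, ObjectClass
if (-not $result.Resolves) {
    Write-Warning "DN not found. Objects with the same name:"
    $result.Candidates | Format-Table -AutoSize
}
```

An ObjectClass of organizationalUnit in the output means the leaf must be written OU=…, while container means CN=….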