OpsMgr 2007: What if I lose my RMS encryption key??

So let's say I have a functional OpsMgr 2007 infrastructure in place and then for whatever reason have to reinstall/replace the Root Management Server (RMS), but I didn’t backup my RMS encryption key.  What are the exact ramifications of this and what would I need to do to correct it? 

Prior to Service Pack 1 (SP1), if something happened to your RMS and it had to be replaced, and you didn't backup your key, you were basically out of luck.  Your only recourse was to rebuild from scratch - not a pretty picture.  That's why we always told people to make sure they backed up their key as soon as they installed:

Backing up your RMS encryption key: http://technet.microsoft.com/en-us/library/bb309563.aspx.

Now with SP1, we have a new CREATE_NEWKEY command line switch that can make recovering from a situation like this potentially much easier. We also made running the encryption key backup process a mandatory process of setup, just so you'll have a friendly reminder.

So let's take a look at a couple scenario's:

1.  The Root Management Server is replaced or reinstalled and the key is not backed up or the password to the key is lost. There are no other Management Servers to promote.

Solution: Install a new Management Server (the RMS replacement) and be sure the computer name is the same name as the previous Root Management Server that is being replaced.  Setup will detect that the machine name is same as the Root Management Server in the database so it will recreate a new key and register the licenses.

2.  The Root Management Server is replaced or reinstalled and the key is not backed up or the password to the key is lost. There is at least one Management Server to promote to Root Management Server.

Solution: On the Management Server that will become the new Root Management Server, run MOM.msi with the CREATE_NEWKEY switch (msiexec.exe /i <Path to MOM.msi> CREATE_NEWKEY=1).  Configure the account for SDK/Config services (this account should have permission to the database, the SDK service account should be added to the SDK_users role, and the config service account should be added to the configsvc_users role).  Promote the Management Server to Root Management Server.

3.  The registry on the Root Management Server got corrupted, thus the encryption key is lost.
Solution: Run MOM.msi with special switch (msiexec.exe /i <Path to MOM.msi> CREATE_NEWKEY=1)

So does this mean you don't have to worry about backing up your keys?  No, you should always backup your keys and keep them in a safe place as doing so will potentially save you a lot of trouble down the road, but now if something happens there's possibly a way to recover without having to rebuild.

Hope this helps,

J.C. Hornbeck
[](https://technet.microsoft.com/en-us/library/bb309563.aspx "http://technet.microsoft.com/en-us/library/bb309563.aspx