Backing up the Synchronization Service Encryption Key

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

First published on MSDN on Aug 07, 2015

After you install FIM (Forefront Identity Manager) or MIM (Microsoft Identity Manager), one of the first things you need to do, once you have ensured that the people who will be administering or supporting the Synchronization Service are included in the correct Synchronization Service admin groups, is to back up the Encryption Key. The Encryption Key should be stored in a secure location (not on the server that the Synchronization Service is installed on). This Encryption Key is a vital component of any restore of your Synchronization Service, should you ever be in a situation where you need to restore it. Without this key, the data and configuration that the FIMSynchronizationService database holds would effectively be lost, as they would be unusable. This would add to the time it takes to properly restore your Synchronization Service, add complexity, and possibly introduce more issues while you are trying to restore your environment.

It may also be a best practice to make backing up the Encryption Key part of the extended backup process. This doesn't mean that you should back it up every day or even every week, but possibly make it part of your monthly or bi-monthly backup procedure, in addition to the normal daily backup process. I do not believe that the Encryption Key ever changes, so one good backup of the Encryption Key should be good for the life of the Synchronization Service, but one can never be too safe, which is why I like to add this to the extended backup procedure.

Backing up the Encryption Key

  • On the server that the Synchronization Service is installed on, locate the Synchronization Service Key Management tool

    • Server 2012: you can just press the Windows key to open the Start menu and start typing SYNC

    • Server 2008: you may need to open the Forefront Identity Manager tools from Program Files

  • Click on the "Synchronization Service Key Management tool" to open the utility

  • By default, the Export key set option is already selected

  • Click on Next

  • You will now be prompted to enter the FIM Sync account information

  • Enter and verify the FIM Sync account information

    • Account Name - account name of the Synchronization Service account used during the initial install

    • Password - password of the Synchronization Service account

    • Domain - domain that the Synchronization Service account is a part of

  • Once you have entered the information, click on Next

  • If you entered something incorrectly, you will receive the following error

    • Click on OK and re-enter the information

  • Once you have successfully entered the account information, you will be presented with an option to change the destination (export file location) of the backed-up encryption key

    • By default, the export file location is C:\Windows\system32\miiskeys-1.bin.

  • Enter the updated destination (export file location), if any, and a new name for the encryption key if you choose to rename it.

    • Because I take bi-monthly backups of the encryption key, I add a date to the name.

  • I know I said don't store the encryption key local to the server, but I initially save it to a backup folder, then I move a copy of the encryption key to a secure location off the local server.

  • Once you verify the location and the name, click on Next

  • You are now ready to export the key

  • Click on Finish to complete

  • The backup usually happens fairly quickly, and you will get a basic status report

  • You're done; now click on Close and do some syncing
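The Key Management tool is a GUI wizard, but the two habits the post recommends around it (date-stamping each export for the bi-monthly extended backup, and moving the key off the Synchronization Service server rather than leaving it in the local backup folder) can be scripted. The following PowerShell is an added example, not code from the original post or from the FIM/MIM product; it runs after the wizard has written the .bin file. The local path C:\Backup\miiskeys-1.bin and the share \\backupsrv\fimkeys$ are assumed placeholders that you would replace with your own export location and secure off-server destination.

```powershell
# Added example (not from the original post): post-export handling of the
# Synchronization Service encryption key file written by the Key Management tool.
# Assumptions: $ExportedKey is where the wizard saved the key, and
# $OffServerDestination is a restricted share that is not on the sync server.
param(
    [string]$ExportedKey = 'C:\Backup\miiskeys-1.bin',
    [string]$OffServerDestination = '\\backupsrv\fimkeys$'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $ExportedKey)) {
    throw "Exported key not found at $ExportedKey. Run the Synchronization Service Key Management tool first."
}
if (-not (Test-Path -LiteralPath $OffServerDestination)) {
    throw "Off-server destination $OffServerDestination is not reachable."
}

# Date-stamped file name, as the post suggests for the bi-monthly extended backup.
$stamp    = Get-Date -Format 'yyyyMMdd'
$destName = "miiskeys-$stamp.bin"
$destPath = Join-Path -Path $OffServerDestination -ChildPath $destName

if (Test-Path -LiteralPath $destPath) {
    throw "A key export named $destName already exists at the destination; refusing to overwrite it."
}

# Hash the source before copying so the off-server copy can be verified now and at restore time.
$sourceHash = (Get-FileHash -LiteralPath $ExportedKey -Algorithm SHA256).Hash

Copy-Item -LiteralPath $ExportedKey -Destination $destPath
$destHash = (Get-FileHash -LiteralPath $destPath -Algorithm SHA256).Hash

if ($sourceHash -ne $destHash) {
    Remove-Item -LiteralPath $destPath
    throw "Hash mismatch after copy; the off-server copy was discarded and the local key was kept."
}

# Keep the hash beside the key so a restore can check integrity without the original server.
"$sourceHash  $destName" | Out-File -FilePath "$destPath.sha256" -Encoding ascii

# The key should not stay on the Synchronization Service server once the verified copy exists.
Remove-Item -LiteralPath $ExportedKey

Write-Output "Encryption key backed up to $destPath (SHA256 $sourceHash); local copy removed."
```

Get-FileHash needs Windows PowerShell 4.0 or later, so on an older Server 2008 host you would substitute a .NET hashing call. The script deliberately refuses to overwrite an existing dated export and only deletes the local file after the off-server hash matches, so a failed copy never leaves you with no usable key.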
