Configuring Security

Export Users

For security reasons, KMS does not allow you to import users until they have been exported from another Key Management server. To export users, you will need to know the location of the importing server's certificate, which is determined in Save the KMS Certificate.

Important: As a precautionary measure, before exporting users, you should back up your KMS database.

To export KMS users:

  1. Start System Manager:
    On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the console tree, click Advanced Security.
  3. In the details pane, right-click Key Manager, point to All Tasks, and then click Export Users.
  4. In the Key Management Service Login dialog box, type your password, and then click OK. The default password is "password".

    Note: You will have to re-type your password each time you try to perform a task or click a tab in the Key Manager Properties dialog box.

  5. In Exchange KMS Key Export Wizard, on the Encryption Certificate screen, type the path of the location of the destination Key Management server's certificate, or click Browse to navigate to it.
  6. On the Certificate Thumbprint Verification screen, type the first eight characters of the saved certificate's thumbprint. This is a precautionary measure to ensure that the correct certificate is being used.
  7. On the Export Filename screen, type a file name for the exported information. KMS will save this file to the exporting server's Exchsrvr\KMSData directory.
  8. On the User View Selection screen, perform one of the following tasks:

After the export process is complete, a summary screen shows how many users were exported. The following table describes the status fields that can appear on that screen:

| Status | Description |
| --- | --- |
| Users could not be revoked (still exported) | When users are exported, their certificates are revoked. This field indicates the number of users who could not have their certificates revoked, most likely because KMS could not contact the Certificate Services server. Though users were removed from the KMS database and exported, you should make sure the old certificates are revoked before these users' keys are recovered on the destination Key Management server. |
| Users had no key history (deleted but not exported) | This field indicates the number of users who were in the KMS database, but have not been issued keys. For example, these are users who were given an enrollment token but never used it, or users that were removed from the server's KMS database but not exported. These users can be issued new tokens on their new server. |
| Total users exported | This field indicates the number of users that were successfully exported. |
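The thumbprint check in step 6 can be rehearsed outside the wizard before the export is started. The following is an added example, not part of the original documentation or of KMS: it assumes the thumbprint is the SHA-1 hash of the DER-encoded certificate, as the Windows certificate dialog displays it, and the function names and sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(raw: bytes) -> bytes:
    """Return DER bytes from a DER, PEM, or bare Base64 certificate export."""
    if raw[:1] == b"\x30":  # DER starts with the ASN.1 SEQUENCE tag
        return raw
    m = PEM_RE.search(raw)
    body = m.group(1) if m else raw
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("not a DER or Base64 certificate file") from exc
    if der[:1] != b"\x30":
        raise ValueError("decoded data is not an ASN.1 SEQUENCE")
    return der


def thumbprint(raw: bytes) -> str:
    """SHA-1 over the DER encoding (assumed algorithm), upper-case hex."""
    return hashlib.sha1(to_der(raw)).hexdigest().upper()


def prefix_matches(raw: bytes, typed: str, length: int = 8) -> bool:
    """Compare what the operator typed with the start of the file's thumbprint."""
    typed = re.sub(r"[\s:]", "", typed).upper()  # dialogs show "AB CD EF ..."
    if len(typed) != length or not re.fullmatch(r"[0-9A-F]+", typed):
        raise ValueError(f"expected exactly {length} hex characters")
    return thumbprint(raw).startswith(typed)


# Constructed placeholder bytes standing in for the saved certificate file.
# Not a real certificate: only a byte string that begins with a SEQUENCE tag.
SAMPLE_DER = bytes.fromhex("3082000a") + b"KMS-DEST-1"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    tp = thumbprint(SAMPLE_PEM)
    print("first eight characters:", tp[:8])
```

Eight hexadecimal characters cover 32 bits of the hash, which is enough to catch a wrong file being selected; comparing the full thumbprint against the value read on the destination server gives a stronger check.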