Installation and Set Up
Prerequisites and Considerations
Decisions you will need to make
Preparing the Environment
We need DNS to resolve the future hostname of the PEM Server. Add a Forward Look Up Zone by opening DNS Manager and navigating to your domain folder.
DNS Manager -> DNS -> Computer Name -> Forward Lookup Zones - > Domain
Right click in the list and select New Host (A or AAAA).
Your Windows Domain Controller needs to have LDAPS enabled, see here for more detail on enabling LDAPS.
PEM requires a service account to be able to operate. Before configuring PEM you'll need to set up a service account with the following privileges:
- Join a computer to the domain (using Samba).
- Make LDAP queries concerning users and groups.
- Run Powershell scripts via WinRM to:
- Create, update and delete GPOs in the domain.
- Generate TLS certificates (using
- Generate a Kerberos keytab for the PEM Server (using
The PEM Server is a virtual appliance, so you'll need a hypervisor to deploy the PEM Server.
In this guide, we'll look at using the vSphere HTML 5 client as an example.
Creating the Virtual Appliance
To get started, download the latest OVA. Please contact Osirium for details on how to download the PEM Server OVA.
Deploying the OVA
Right clicking a folder in the Hosts and Clusters pane of vSphere will display a drop down menu. Select the Deploy OVF Template option.
Either download and verify the OVA locally, or deploy the PEM Server directly from the download link using the URL option.
- Assign a name to the PEM Server and select a folder where the PEM Server will be deployed.
Select a resource pool for the virtual appliance to use.
Review the OVA details.
Read and accept the license agreements.
Select a datastore for the PEM Server to be installed to.
Select a network to connect the PEM Server to.
Review and accept the settings.
Booting the PEM Server
Initially the PEM Server will be in a powererd off state by default, once the appliance has finished deploying, right click it and select Power On.
Configuring the PEM Server
Once the PEM Server has completed booting use
sudo netconf to configure a static IP.
Once you've filled in the details type
sudo reboot to apply the configuration. Once the server has rebooted, check you can ping the DC using its FQDN to ensure the network configuration has been set up correctly.
Optionally at this point, type
sudo sshconf and follow the instructions to set up SSH access to the PEM Server.
Setting up PEM
|Navigate to the static IP address you designated to access the PEM server interface. Assign the password (which is also the MEK), confirm, and log in.
What's a MEK?
MEK stands for "Master Encryption Key". This is a permanent key that is necessary to unlock PEM after rebooting the PEM server. Without it, you will not be able to access the PEM server after a reboot.
|Complete the PEM Management configuration by following the in-product steps. You’ll need the information and assets listed on the pre-install checklist.|