How to create a KDS root key using PowerShell

If you intend to use the Group Managed Service Accounts (gMSAs) feature, you will first have to create a root key for the Group Key Distribution Service (KDS) within Active Directory. One great benefit of gMSAs is that password management moves to the Windows operating system. In this article, we will discuss how to create a KDS root key using PowerShell. Please see How to reset MySQL Root password, how to Import certificates into Trusted Root and Personal certificate store, and Create and Delete Registry Keys via PowerShell in Windows.
The KDS service on the Domain Controllers uses this root key to generate gMSA passwords. Because of the complexity and length of those passwords, the likelihood of a successful brute force attack is minimized. See this post where the Group Managed Service Account was required.
Here are some interesting guides you want to read: Post OS Installation configuration of Windows Server 2019 Properties, how to install Windows Server 2016 Operating System, how to install Windows Server 2019 on a VMware Workstation, and how to install and configure Ubuntu Linux.
Create a KDS root
Run the following PowerShell commands with administrator privileges. You can check whether a root key already exists by running the command below in PowerShell. You will also use this command later to verify that the KDS root key was created.
Get-KdsRootKey
Note: Microsoft recommends creating only one root key per domain.
Example A
Run the syntax below in order to create a KDS root key.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Effective Time Parameter
The -EffectiveTime parameter specifies the date on which the newly generated root key takes effect. If this parameter is not specified, the default date set is 10 days after the current date.

Here is how to enable MFA on Root Account: Create a User on AWS and Register MFA, and "Connecting to the RDP host: Fix the Certificate could not be verified back to the root certificate".
Example B
If you would like to use this key immediately, use the cmdlet below.
Add-KdsRootKey -EffectiveImmediately
Effective Immediately Parameter: This command creates a new root key immediately, but you must wait up to 10 hours before it becomes available. This is a safety measure to make sure all domain controllers have replicated the key and are ready to respond to gMSA requests.
Note: To avoid the wait time, which is advisable only in a test environment, use the command below. It sets the key's effective time to 10 hours before the time of creation, so it can be used at once, even though not every domain controller may have replicated it yet.
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
To verify that this key was created correctly, use the cmdlet below:
- Get-KdsRootKey
- Press Enter
Note: This can also be verified from Active Directory Sites and Services (dssite.msc) console.
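The whole procedure above (check for an existing key, create one, verify it) as one script. This is an added example and not code from the original post; the -Lab switch name is my own choice, and the script assumes it is run elevated on a domain controller where the Kds cmdlets are available. Without -Lab it takes the production path (-EffectiveImmediately, with the 10-hour replication wait); with -Lab it backdates the effective time, which is only appropriate in a test environment.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical switch: backdate the key so it is usable at once (test environments only)
    [switch]$Lab
)

# Microsoft recommends a single root key per domain, so refuse to add a second one
$existing = Get-KdsRootKey
if ($existing) {
    Write-Host "KDS root key(s) already present; not creating another:"
    $existing | Select-Object KeyId, CreationTime, EffectiveTime | Format-Table -AutoSize
    return
}

$keyId = $null
if ($Lab) {
    # Effective 10 hours in the past: skips the safety wait, so some DCs may not have replicated it yet
    $effective = (Get-Date).AddHours(-10)
    if ($PSCmdlet.ShouldProcess("domain", "Add KDS root key effective $effective (lab only)")) {
        $keyId = Add-KdsRootKey -EffectiveTime $effective
    }
} else {
    # Production path: the key is created now but only becomes usable after up to 10 hours
    if ($PSCmdlet.ShouldProcess("domain", "Add KDS root key effective immediately (10h wait)")) {
        $keyId = Add-KdsRootKey -EffectiveImmediately
    }
}

if ($keyId) {
    # Add-KdsRootKey returns the new key's GUID; Test-KdsRootKey validates the stored key by that GUID
    if (Test-KdsRootKey -KeyId $keyId) {
        Write-Host "Root key $keyId created and validated."
        Get-KdsRootKey | Where-Object { $_.KeyId -eq $keyId } |
            Select-Object KeyId, CreationTime, EffectiveTime | Format-Table -AutoSize
    } else {
        Write-Warning "Root key $keyId was created but failed validation; check replication before creating gMSAs."
    }
}
```

Run it as `.\New-LabKdsRootKey.ps1 -WhatIf` first to see which path it would take; the -WhatIf support comes from SupportsShouldProcess, so nothing is written to the directory until you run it without that flag.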
FAQs
No, the KRBTGT account password reset cannot be backdated the way a KDS root key can with Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)).
The KRBTGT account password reset must be performed in real time.
When you reset the KRBTGT account password, the Kerberos Key Distribution Center (KDC) uses the new password to issue and validate Ticket Granting Tickets (TGTs) from that moment on. Unlike the KDS root key, which the Key Distribution Service allows you to backdate, resetting the KRBTGT password has no option to specify an earlier effective time.
Kerberos tickets issued prior to the reset will still be validated using the previous KRBTGT password until they expire, and a second reset can be scheduled if needed to finalize the transition.
The KRBTGT account password cannot be reset with an effective time in the past; Kerberos does not support backdating a KRBTGT password reset.
Once the KRBTGT password is reset, the change takes effect immediately, and all new Ticket Granting Tickets (TGTs) are issued using the new password. There is no mechanism in Active Directory to backdate or apply a past effective time to a KRBTGT password reset.
It is recommended to reset the KRBTGT password twice with a delay (usually hours or days) between the two resets. This ensures that tickets using the old password are phased out before the second reset.
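A readiness check for the second reset described above, added here as an example that is not part of the original post. It reads the KRBTGT account's PasswordLastSet with the ActiveDirectory module and compares the age against the maximum TGT lifetime. Because that lifetime comes from Kerberos policy in Group Policy rather than from a cmdlet, it is passed in as a parameter whose 10-hour default is an assumption; the function name Test-KrbtgtSecondResetReady is my own.

```powershell
#Requires -Modules ActiveDirectory
function Test-KrbtgtSecondResetReady {
    [CmdletBinding()]
    param(
        # Assumed default "Maximum lifetime for user ticket"; set this to your domain's actual policy value
        [int]$MaxTgtLifetimeHours = 10,
        # Optional: query a specific domain controller instead of the default
        [string]$Server
    )

    $adParams = @{ Identity = 'krbtgt'; Properties = 'PasswordLastSet' }
    if ($Server) { $adParams.Server = $Server }
    $krbtgt = Get-ADUser @adParams

    if (-not $krbtgt.PasswordLastSet) {
        throw "PasswordLastSet is not populated for krbtgt; cannot compute age."
    }

    # Age of the current KRBTGT password on this DC's view of the directory
    $age = (Get-Date) - $krbtgt.PasswordLastSet

    # Tickets issued under the previous password are only honoured until they expire,
    # so the second reset should wait at least one full maximum TGT lifetime
    $ready = $age.TotalHours -ge $MaxTgtLifetimeHours

    [pscustomobject]@{
        PasswordLastSet        = $krbtgt.PasswordLastSet
        AgeHours               = [math]::Round($age.TotalHours, 1)
        MaxTgtLifetimeHours    = $MaxTgtLifetimeHours
        SecondResetRecommended = $ready
        Note                   = if ($ready) {
                                     'Old-password TGTs have expired; a second reset will not strand valid tickets.'
                                 } else {
                                     'Wait: TGTs issued under the previous password may still be in use.'
                                 }
    }
}

# Usage: run on a domain controller or a host with RSAT, then inspect the output object
Test-KrbtgtSecondResetReady -MaxTgtLifetimeHours 10
```

The function deliberately performs no reset itself; it only tells you whether the interval between the two resets has elapsed. Check the result against a few domain controllers with -Server, since PasswordLastSet is only meaningful once the first reset has replicated everywhere.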
I hope you found this blog post on how to create a KDS root key using PowerShell helpful. Please let me know in the comment section if you have any questions.
