
If you intend to use Group Managed Service Accounts (gMSAs) feature. You will have to create a root key for the group key distribution service within Active Directory. One great benefit is that the gMSA password management moves to the Windows operating system. Due to the complexity and length of gMSA passwords, the likelihood of brute force attacks is minimized. This is used by the KDS service in Domain Controllers to generate passwords. See the link where the Group Managed Service Account was required.
Here are some interesting guides you want to read: Post OS Installation configuration of Windows Server 2019 Properties, how to install Windows Server 2016 Operating System, how to install Windows Server 2019 on a VMware Workstation, and how to install and configure Ubuntu Linux, see this link for more information.
Run the following PowerShell command as administrator privilege. Example A: Run the below syntax below in order to create a KDS rook key.
Add-KdsRootKey -EffectiveImmediately (Get-Date).Addhours(-10)Effective Time Parameter
The date on which takes effect the newly generated root key. If this parameter is not specified, the default date set is 10 days after the current date.

Example B: If you would like to use this key immediately, use the cmdlet below.

Effective Immediately Parameter
This command creates a new root key immediately but must wait up to 10 hours to be available. This is a safety measure to make sure all domain controllers have replicated and are ready to respond to gMSA requests.
To verify if this Key is created correctly, use the cmdlet below
– Get-KdsRootKey
– Press Enter
Note: This can also be verified from Active Directory Sites and Services (dssite.msc) console.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.