Group Managed Service Accounts: How to create a KDS root key using PowerShell

Group Managed Service Accounts

If you intend to use the Group Managed Service Accounts (gMSA) feature, you will have to create a root key for the Group Key Distribution Service (KDS) within Active Directory. One great benefit is that gMSA password management moves to the Windows operating system. Due to the complexity and length of gMSA passwords, the likelihood of brute-force attacks is minimized. The KDS service on the domain controllers uses this root key to generate the passwords. See the link where the Group Managed Service Account was required.

Here are some interesting guides you may want to read: Post OS Installation configuration of Windows Server 2019 Properties, how to install the Windows Server 2016 Operating System, how to install Windows Server 2019 on VMware Workstation, and how to install and configure Ubuntu Linux; see this link for more information.

Run the following PowerShell commands with administrator privileges.

Example A: Run the syntax below in order to create a KDS root key.

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Effective Time Parameter

The date on which the newly generated root key takes effect. If this parameter is not specified, the default date set is 10 days after the current date.

Example B: If you would like to use this key immediately, use the cmdlet below.

Add-KdsRootKey -EffectiveImmediately

Effective Immediately Parameter

This command creates a new root key immediately, but you must wait up to 10 hours before it is available. This is a safety measure to make sure all domain controllers have replicated and are ready to respond to gMSA requests.

To verify that the key was created correctly, use the cmdlet below:
– Get-KdsRootKey 
– Press Enter

Note: This can also be verified from the Active Directory Sites and Services (dssite.msc) console.
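As an added example that is not part of the original post, the script below ties the two cmdlets and the verification step together: it first runs Get-KdsRootKey so that you do not create a second root key by accident, then creates one, using the backdated EffectiveTime form from Example A only when the hypothetical -Backdate switch is given, and finally reports the key it created. It assumes the ActiveDirectory module is installed and that it is run as a Domain Admin.

```powershell
# Added example, not the original post's code. Creates a KDS root key only if
# none exists yet, then reports when the key becomes usable for gMSA requests.
# -Backdate is a hypothetical switch for single-DC labs: it applies the
# EffectiveTime form from Example A, which skips the 10-hour replication margin.
[CmdletBinding()]
param(
    [switch]$Backdate
)

Import-Module ActiveDirectory -ErrorAction Stop

# Get-KdsRootKey returns nothing when no root key has ever been created in the forest.
$existing = Get-KdsRootKey

if ($existing) {
    foreach ($key in $existing) {
        $status = if ($key.EffectiveTime -le (Get-Date)) { 'effective' } else { 'pending' }
        Write-Output ("KeyId {0}  created {1:u}  effective {2:u}  [{3}]" -f `
            $key.KeyId, $key.CreationTime, $key.EffectiveTime, $status)
    }
    Write-Output 'A KDS root key already exists; not creating another one.'
    return
}

if ($Backdate) {
    # Example A: backdating EffectiveTime makes the key usable at once.
    # Appropriate only in a lab; in production let replication finish first.
    $keyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
} else {
    # Example B: the key is created now and honours the 10-hour replication wait.
    $keyId = Add-KdsRootKey -EffectiveImmediately
}

# Add-KdsRootKey returns the new key's GUID; read the stored key back to confirm it.
$new = Get-KdsRootKey | Where-Object { $_.KeyId -eq $keyId }
if (-not $new) {
    Write-Warning "Add-KdsRootKey returned $keyId but the key is not visible yet; re-run Get-KdsRootKey after replication."
    return
}
Write-Output ("Created KDS root key {0}; recorded EffectiveTime is {1:u}" -f `
    $new.KeyId, $new.EffectiveTime)
```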

However, I hope you found this blog post helpful. Furthermore, please let me know in the comment section if you have any questions.
