How to create a KDS root key using PowerShell (Group Managed Service Accounts)

If you intend to use the Group Managed Service Accounts (gMSA) feature, you will have to create a root key for the Group Key Distribution Service within Active Directory. This key is used by the KDS service on Domain Controllers to generate the gMSA passwords. See the following post, where a Group Managed Service Account was required: https://techdirectarchive.com/2020/04/09/post-deployment-configuration-of-active-directory-federation-service-adfs-in-windows-server/

Run the following PowerShell commands with administrator privileges.

Example A: Run the syntax below to create a KDS root key.

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

Effective Time Parameter: The date on which the newly generated root key takes effect. If this parameter is not specified, the default date set is 10 days after the current date. Setting it 10 hours in the past, as above, makes the key usable at once.

Example B: If you would like to use this key immediately, use the cmdlet below.

Add-KdsRootKey -EffectiveImmediately

Effective Immediately Parameter: This command creates a new root key immediately, but you must wait up to 10 hours for it to become available. This is a safety measure to make sure all domain controllers have replicated and are ready to respond to gMSA requests.

To verify that the key was created correctly, use the cmdlet below:
– Get-KdsRootKey
– Press Enter

Note: This can also be verified from the Active Directory Sites and Services (dssite.msc) console.
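As an added example that is not part of the original post, the script below wraps Examples A and B into one idempotent step: it checks for an existing root key before creating one, uses the backdated form only when its own -Lab switch is given (an assumption of this script, not a parameter of Add-KdsRootKey), and then reads the key back with Get-KdsRootKey as the verification step. It assumes an elevated session on a domain controller, or a host with the ActiveDirectory RSAT tools, run as a Domain Admin.

```powershell
# Added example, not from the original post. Creates a KDS root key only if
# none exists yet, then reads it back with Get-KdsRootKey.
# Assumes an elevated session on a domain controller (or a host with the
# ActiveDirectory RSAT tools) as a Domain Admin; the -Lab switch is this
# script's own convention, not a parameter of Add-KdsRootKey.
param(
    # Use -Lab only in an isolated test domain: backdating the key makes it
    # usable at once by skipping the 10-hour replication safety window.
    [switch]$Lab
)

$ErrorActionPreference = 'Stop'

# A second root key is not an error, but it is usually unintended; stop if one exists.
$existing = @(Get-KdsRootKey)
if ($existing.Count -gt 0) {
    Write-Host "A KDS root key already exists; nothing to do."
    $existing | Format-Table KeyId, CreationTime, EffectiveTime -AutoSize
    return
}

if ($Lab) {
    # Test environment only (Example A): effective 10 hours in the past.
    $keyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
} else {
    # Production (Example B): all DCs get up to 10 hours to replicate the key
    # before it may be used to generate gMSA passwords.
    $keyId = Add-KdsRootKey -EffectiveImmediately
}

# Verification step: read the key back and confirm the returned ID matches.
$key = Get-KdsRootKey | Where-Object { $_.KeyId -eq $keyId }
if (-not $key) {
    throw "Root key $keyId was reported as created but cannot be read back."
}

# Report when gMSA creation can be expected to succeed on all DCs.
$usableAt = if ($Lab) { Get-Date } else { $key.CreationTime.AddHours(10) }
[pscustomobject]@{
    KeyId         = $key.KeyId
    CreationTime  = $key.CreationTime
    EffectiveTime = $key.EffectiveTime
    UsableBy      = $usableAt
}
```

Run it without -Lab in production so the 10-hour replication window is respected; the UsableBy value tells you when New-ADServiceAccount can be expected to succeed.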

See this article for more information: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview
