If you want to use the Group Managed Service Accounts (gMSA) feature, you must first create a root key for the Group Key Distribution Service (KDS) in Active Directory. Domain controllers running the KDS derive the gMSA passwords from this root key, so without it no gMSA can be created.

In this post, I show you how to create the KDS root key using the Add-KdsRootKey cmdlet.

Add-KdsRootKey

Use the Add-KdsRootKey cmdlet; its parameters are described below.

Run the command from an elevated PowerShell session on a domain controller (or on a machine with the Active Directory PowerShell module installed), as a member of Domain Admins or Enterprise Admins. The root key is stored in the Configuration partition, so it only has to be created once for the whole forest. When the command succeeds it returns the KeyId (a GUID) of the new root key.


-EffectiveTime Parameter

The date on which the newly generated root key takes effect. If this parameter is not specified, the default effective date is 10 days after the current date. The parameter takes a DateTime value; when you pass a string, use the mm/dd/yyyy format.

-EffectiveImmediately Parameter

This switch makes the new root key effective immediately, but the KDS still waits up to 10 hours before it uses the key to generate gMSA passwords. This is a safety measure to make sure the key has replicated to all domain controllers and every one of them is ready to answer gMSA requests; until then, New-ADServiceAccount fails with an error that the key does not exist.


Then you can verify it with the Get-KdsRootKey cmdlet. Note that its output includes KeyValue, the secret root key material itself, so do not paste the raw output into tickets, transcripts or log files; select the other properties (KeyId, CreationTime, EffectiveTime) instead.


Or from the Active Directory Sites and Services (dssite.msc) console: enable View > Show Services Node, then browse to Services > Group Key Distribution Service > Master Root Keys, where each root key appears as an object named after its KeyId.
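The whole procedure above (create the root key, pick up its KeyId, verify it without leaking the key material, and check when it becomes usable) as one script. This is an added example written for this post, not code from the original article or from Microsoft; the -LabBackdate switch is my own, and it assumes the Active Directory module is present and the session is elevated on a domain controller.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original post): create and verify a KDS root key.
# Assumes: Active Directory PowerShell module installed, run as Domain Admin or
# Enterprise Admin on a domain controller.
param(
    # Assumption: our own switch for isolated single-DC labs. It backdates the
    # effective time by 10 hours so the key is usable at once. Never use it in
    # production with more than one DC, because other DCs may not have the key yet.
    [switch]$LabBackdate
)

Import-Module ActiveDirectory -ErrorAction Stop

# Safe columns to display: deliberately leave out KeyValue, which is the secret
# root key material and must not end up in transcripts or log files.
$safeColumns = 'KeyId', 'CreationTime', 'EffectiveTime', 'DomainController'

# The root key is forest-wide and only needs to exist once; refuse to add a
# second one by accident.
$existing = Get-KdsRootKey
if ($existing) {
    Write-Warning 'A KDS root key already exists; not creating another one.'
    $existing | Select-Object $safeColumns | Format-Table -AutoSize
    return
}

if ($LabBackdate) {
    $keyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
} else {
    # Production path: effective now, but the KDS waits 10 hours for replication.
    $keyId = Add-KdsRootKey -EffectiveImmediately
}
Write-Host "Created KDS root key with KeyId $keyId"

# Verify the key replicated locally, again without showing KeyValue.
$key = Get-KdsRootKey | Where-Object { $_.KeyId -eq $keyId }
if (-not $key) {
    throw "KeyId $keyId was returned but Get-KdsRootKey does not list it."
}
$key | Select-Object $safeColumns | Format-List

# The KDS only starts generating passwords from a key 10 hours after its
# effective time; this is exactly why the lab backdate works.
$usableAt = $key.EffectiveTime.AddHours(10)
if ((Get-Date) -lt $usableAt) {
    Write-Host "gMSA creation with this key is expected to work after $usableAt."
} else {
    Write-Host 'The key is already usable for gMSA creation.'
}

# Test-KdsRootKey only works on a domain controller; it reports whether the
# local KDS can use the key for password generation.
try {
    $ok = Test-KdsRootKey -KeyId $keyId
    Write-Host "Test-KdsRootKey on $env:COMPUTERNAME returned: $ok"
} catch {
    Write-Warning "Test-KdsRootKey failed (not a DC, or key not replicated yet): $_"
}
```

Run it with no arguments on a production domain controller and wait out the 10 hours before creating the first gMSA; in a throwaway lab with a single DC, run it with -LabBackdate and the first New-ADServiceAccount works right away.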


If you want to know more about Add-KdsRootKey cmdlet, check out this link: https://docs.microsoft.com/en-us/powershell/module/kds/add-kdsrootkey?view=win10-ps