If you want to use the Group Managed Service Accounts feature, you must first create a root key for the group key distribution service within Active Directory. This is used by the KDS service in Domain Controllers to generate passwords. In this post, I show you how to create the KDS root key using the Add-KdsRootKey cmdlet. Use the Add-KdsRootKey cmdlet with the following syntax:
Add-KdsRootKey -EffectiveTime <DateTime> Add-KdsRootKey -EffectiveImmediately
Run the following PowerShell command as administrator. The correct execution of the command returns the KeyId.
-EffectiveTime Parameter #
The date on which takes effect the newly generated root key. If this parameter is not specified, the default date set is 10 days after the current date. Use the mm/dd/yyyy format.
-EffectiveImmediately Parameter #
This command creates a new root key immediately but must wait up to 10 hours to be available. This is a safety measure to make sure all domain controllers have replicated and are ready to respond to gMSA requests.
Thanks for reading my post. I hope you find it useful.
If you want to know more about Add-KdsRootKey cmdlet, check out this link.