How to create a KDS root key using PowerShell
Add-KdsRootKey dssite.msc Get-KdsRootKey Microsoft
If you want to use the Group Managed Service Accounts feature, you must first create a root key for the group key distribution service within Active Directory. This is used by the KDS service in Domain Controllers to generate passwords.