How to create a KDS root key using PowerShell
If you want to use Group Managed Service Accounts (gMSAs), you must first create a root key for the Group Key Distribution Service (KDS) in Active Directory. The KDS running on the domain controllers derives the gMSA passwords from this key. The root key is stored in the Configuration partition and replicates to every domain controller, so you only need to create it once per forest. In this post, I show you how to create the KDS root key using the Add-KdsRootKey cmdlet, which has the following syntax:
Add-KdsRootKey -EffectiveTime <DateTime>
Add-KdsRootKey -EffectiveImmediately
Run the cmdlet in an elevated PowerShell session on a domain controller, as a member of Domain Admins or Enterprise Admins. On success the cmdlet returns the KeyId (a GUID) of the new root key.
-EffectiveTime Parameter
The date on which the newly generated root key takes effect. If this parameter is not specified, the default is 10 days after the current date. Use the mm/dd/yyyy format. Until the effective time has passed, the key cannot be used to generate gMSA passwords.
-EffectiveImmediately Parameter
This switch creates the root key right away, but you must still wait up to 10 hours before the key can be used. This is a safety measure to make sure all domain controllers have received the key through replication and are ready to respond to gMSA requests; creating a gMSA before then fails. In a throwaway lab with a single domain controller you can bypass the wait by backdating the effective time (for example, -EffectiveTime ((Get-Date).AddHours(-10))), but do not do this in production, because it defeats the replication safeguard.
Checking
You can then verify the key with the Get-KdsRootKey cmdlet, which lists each root key with its KeyId, CreationTime and EffectiveTime. Alternatively, open the Active Directory Sites and Services console (dssite.msc), enable View > Show Services Node, and look under Services > Group Key Distribution Service > Master Root Keys.
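The following script is an added example and is not part of the original post. It puts the steps above together: it creates a KDS root key only if the forest has none, then lists every key and reports whether its effective time has already passed, so you can tell at a glance whether New-ADServiceAccount will succeed yet. It assumes an elevated PowerShell session on a domain controller, membership in Domain Admins or Enterprise Admins, and the Kds cmdlets (Add-KdsRootKey, Get-KdsRootKey, Test-KdsRootKey). The -LabBackdate switch and the script name are my own choices.

```powershell
# Added example, not from the original post.
# Creates a KDS root key if none exists, then reports whether each key is
# already usable for gMSA password generation.
# Assumes: elevated PowerShell on a domain controller, Domain Admins or
# Enterprise Admins membership, and the Kds cmdlets available.
param(
    # Lab only: backdate the effective time by 10 hours so the key is usable
    # at once. This deliberately bypasses the replication safeguard that the
    # 10 hour wait provides; never use it in production.
    [switch]$LabBackdate
)

$ErrorActionPreference = 'Stop'

$existing = @(Get-KdsRootKey)
if ($existing.Count -gt 0) {
    Write-Host "KDS root key(s) already present; not creating another one."
} else {
    if ($LabBackdate) {
        # Effective time in the past: usable immediately (lab shortcut).
        $keyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    } else {
        # Production path: the key becomes usable only after up to 10 hours,
        # giving every domain controller time to receive it via replication.
        $keyId = Add-KdsRootKey -EffectiveImmediately
    }
    Write-Host "Created KDS root key with KeyId $keyId"
}

# Show each key and whether its effective time has already passed.
# Times are compared in local time as reported by Get-KdsRootKey.
$now = Get-Date
foreach ($key in Get-KdsRootKey) {
    # Test-KdsRootKey confirms the key is present and well formed on this DC.
    $valid  = Test-KdsRootKey -KeyId $key.KeyId
    $usable = $key.EffectiveTime -le $now
    [pscustomobject]@{
        KeyId         = $key.KeyId
        CreationTime  = $key.CreationTime
        EffectiveTime = $key.EffectiveTime
        ValidOnThisDC = $valid
        UsableNow     = $usable
    }
}

$effective = @(Get-KdsRootKey | Where-Object { $_.EffectiveTime -le $now })
if ($effective.Count -eq 0) {
    Write-Warning "No KDS root key is effective yet; New-ADServiceAccount will fail until one is."
}
```

Save it as, for example, New-KdsRootKey.ps1 and run `.\New-KdsRootKey.ps1` on a domain controller; add `-LabBackdate` only in a disposable lab. Because the script checks for existing keys first, re-running it is harmless, which matters because each extra root key is another secret that gMSA passwords can be derived from.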
Thanks for reading my post. I hope you find it useful.
If you want to know more about Add-KdsRootKey cmdlet, check out this link.