Add-KdsRootKey -EffectiveTime

Bob De Vivo 6 Reputation points
2021-03-17T19:33:16.447+00:00

I'm curious about the difference between these two commands:

  • Add-KdsRootKey -EffectiveImmediately
  • Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))

Are they equivalent? According to the documentation here,

Using Add-KdsRootKey -EffectiveImmediately will add a root key to the target DC which will be used by the KDS service immediately.

However, the same page says that

To create the KDS root key in a test environment for immediate effectiveness, use Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))

The latter page seems to conflict with the documentation here, which states that the -EffectiveTime option:

specifies the date on which the newly generated root key takes effect. If this parameter is not specified, the default date set is 10 days after the current date.

Is it 10 days or 10 hours?


4 answers

  1. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-03-18T02:34:28.327+00:00

    Hello @Bob De Vivo ,

    Thank you for posting here.

    The two commands are different.

    1. Add-KdsRootKey -EffectiveImmediately ==> will add a root key to the target DC which will be used by the KDS service immediately.

    2. Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10)) ==> It takes effect before 10 hours.

    It takes effect before 10 hours, or you can set it to take effect after 10 hours. You can set the time according to your needs.

    For example: [screenshot time1.png]

    3. Add-KdsRootKey -EffectiveTime 03/06/2013 ==> It means the start time of this day 03/06/2013.

    For example: [screenshot time2.png]

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Daisy Zhou 18,701 Reputation points Microsoft Vendor
    2021-03-29T06:41:32.36+00:00

    Hello @Bob De Vivo ,

    From the link you provided, it did not say it will take effect in 10 hours.

    [screenshot 1111.png]

    Best Regards,
    Daisy Zhou


  3. Andrejs Sobolevs 86 Reputation points
    2023-11-29T16:25:31.9966667+00:00

    Hi,

    Running cmdlet:

    Add-KdsRootKey

    Creates new KdsRootKey with EffectiveTime = 10 DAYS after NOW. I have reported this misleading information to MS and hope they will do their best to fix documentation.

    For me it is absolutely not clear why anybody in the world would ever run (Get-Date).AddHours(-10).

    This is nonsense.


  4. Palmgren Zeth RK 0 Reputation points
    2024-03-13T15:00:20.91+00:00

    You should wait 10 hours to make sure that all DCs are synced.
    If you only have one DC or if you are in a lab environment you can use -10 so that the sync flag is "ok".

    If you use -EffectiveImmediately it will by default wait 10 hours to set the sync flag as "ok".

    So, to force it to say "ok" right away you need to use "Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))".

    That way you trick your DC to think that you ran the "-EffectiveImmediately" 10 hours ago.

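As an added example (not code from any of the answers above), a small PowerShell check that reads the existing KDS root keys with Get-KdsRootKey and reports, for each key, whether its EffectiveTime has already passed and how long ago, so you can see at a glance whether a key is still pending (the 10-day default), was created just now with -EffectiveImmediately, or was backdated with -EffectiveTime. It assumes the KDS cmdlets are available on a domain controller or RSAT host and that the replication window you want to respect is the 10 hours discussed in this thread (the window is a parameter, not a fixed rule).

```powershell
# Added example: show the state of every KDS root key relative to the current time.
# Assumes the Kds cmdlets (Get-KdsRootKey) are available and the caller is a domain admin.
function Get-KdsRootKeyStatus {
    [CmdletBinding()]
    param(
        # Hours a key should have been effective for before relying on it in a
        # multi-DC forest; 10 matches the replication window discussed in the answers.
        [int]$ReplicationWindowHours = 10
    )

    $now = Get-Date
    foreach ($key in Get-KdsRootKey) {
        $effective  = [datetime]$key.EffectiveTime
        # Negative value: the key is not effective yet (for example the 10-day default).
        $hoursSince = ($now - $effective).TotalHours

        if ($hoursSince -lt 0) {
            $state = 'Pending'            # EffectiveTime is still in the future
        } elseif ($hoursSince -lt $ReplicationWindowHours) {
            $state = 'EffectiveButYoung'  # typical right after -EffectiveImmediately; other DCs may not have it yet
        } else {
            $state = 'Effective'          # typical after -EffectiveTime ((Get-Date).AddHours(-10)) in a single-DC lab
        }

        [pscustomobject]@{
            KeyId               = $key.KeyId
            CreationTime        = $key.CreationTime
            EffectiveTime       = $effective
            HoursSinceEffective = [math]::Round($hoursSince, 1)
            State               = $state
        }
    }
}

Get-KdsRootKeyStatus | Format-Table -AutoSize
```

A key in the Pending or EffectiveButYoung state is the one to watch before creating gMSAs that depend on it; in a production forest, give an EffectiveButYoung key time to replicate rather than backdating it.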