KDS and gMSA Re-Setup and Configure

ChrisL 21 Reputation points
2022-08-02T07:14:10.037+00:00

Morning all!

So I have taken over an environment that was a bit of a mess. One thing I am in the process of configuring is setting up gMSAs instead of the usual culprit of dedicated domain user accounts used to run applications and services.

On inspection, there are rounds in the magazine, and no rounds in the... oh wait sorry...

I mean... on inspection (using the command "get-kdsrootkey") on one of the live DCs, I can see that the original server that was configured with the KDS, let's call it DC1, has now long been replaced by DC2 and DC3, and it looks like it has been decommissioned.

So my questions are:

  1. I assume that I need to now re-run the KDS generation to set a new KDS ID/Key/etc. on one of the live servers?
  2. In doing so, will this kill any service account that is already in use? Or will the services in use (although I don't think there are any) just pick up the new KDS keys and generate new passwords?

Thanks in advance for any help!
Chris.


Accepted answer
  1. Gary Reynolds 9,391 Reputation points
    2022-08-02T09:03:54.777+00:00

    Hi,

    Once you recreate the key, the existing gMSA accounts will stop working; this may take a while to happen due to caching, but it will happen.

    The Key is replicated to all DCs in the domain, and any new DCs added to the domain will also use this Key. Unless you think your environment has been compromised, there is no real reason to change the Key. Changing it will impact all the existing gMSA-managed services.

    Gary.

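An added check to go with the answer above (example code, not Gary's or Microsoft's): it lists the KDS root key(s) that have replicated into the domain, shows which DC each was created on (the attribute the question's "get-kdsrootkey" output pointed at DC1), and enumerates the gMSAs whose passwords derive from those keys and would therefore stop working if a new key were forced into use. It assumes the KDS and ActiveDirectory PowerShell modules are available (a DC or an RSAT host) and that the account running it can read the key objects.

```powershell
# Added example: inventory the existing KDS root key(s) and the gMSAs that depend on them
# before deciding whether anything needs to be recreated. Assumes the KDS and
# ActiveDirectory modules are installed and the caller has rights to read the key objects.
Import-Module KDS
Import-Module ActiveDirectory

# Every root key replicated into the domain. DomainController records only the DC the key
# was created on; the key object itself lives in the Configuration partition and keeps
# working after that DC has been decommissioned.
$keys = Get-KdsRootKey
if (-not $keys) {
    Write-Warning "No KDS root key exists in this forest; gMSAs cannot be created until one does."
    return
}

foreach ($key in $keys) {
    [PSCustomObject]@{
        KeyId         = $key.KeyId
        CreatedOnDC   = $key.DomainController   # e.g. CN=DC1,OU=Domain Controllers,... (may no longer exist)
        EffectiveTime = $key.EffectiveTime
        IsEffective   = $key.EffectiveTime -le (Get-Date)   # key is usable once EffectiveTime has passed
        IsFormatValid = $key.IsFormatValid
    }
}

# gMSAs whose passwords are derived from these keys: this is the blast radius of a key change.
$gmsas = Get-ADServiceAccount -Filter 'ObjectClass -eq "msDS-GroupManagedServiceAccount"' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, msDS-ManagedPasswordInterval
foreach ($g in $gmsas) {
    [PSCustomObject]@{
        Name                 = $g.Name
        PasswordIntervalDays = $g.'msDS-ManagedPasswordInterval'
        AllowedHosts         = ($g.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
    }
}

# On each host listed under AllowedHosts, Test-ADServiceAccount -Identity <gMSA name> returns
# $true only if that host can still retrieve the managed password, which is the quickest way
# to confirm the existing key is still serving the account after DC1's removal.
```

Run it read-only first; it deliberately contains no Add-KdsRootKey call, since the answer above is that creating a new key is only warranted if the existing one is believed compromised.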

2 additional answers

  1. ChrisL 21 Reputation points
    2022-08-02T10:33:29.013+00:00

    "Unless you think your environment has been compromised, there is no real reason to change the Key." - Does "no real need" include the domain controller that the KDS was originally hosted on was "deleted". Running "get-kdsrootkey" indicated it was hosted on DC1, which now does not exist. Will the key still work without the KDS Server it was created/hosted on?

  2. ChrisL 21 Reputation points
    2022-08-02T12:43:21.453+00:00

    Amazing! Thanks Gary. That basically confirms what I did plus some more. Thanks for going the extra mile testing too. Appreciated.