Morning all!
So I have taken over an environment that was a bit of a mess. One thing I am in the process of configuring is setting up gMSAs instead of the usual culprit of dedicated domain user accounts used to run applications and services.
On inspection, there are rounds in the magazine, and no rounds in the... oh wait sorry...
I mean... on inspection (using the command "Get-KdsRootKey") on one of the live DCs, I can see that the original server that was configured with the KDS (let's call it DC1) has now long been replaced by DC2 and DC3, and looks like it has since been decommissioned.
So my questions are:
- I assume that I now need to re-run the KDS generation to set a new KDS ID/key/etc. on one of the live servers?
- In doing so, will this kill any service accounts that are already in use? Or will the accounts in use (although I don't think there are any) just pick up the new KDS keys and generate new passwords?
Thanks in advance for any help!
Chris.
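As an added example (editor's code, not part of Chris's post), the following PowerShell gathers the facts the question turns on before anything is changed: it lists every KDS root key in the forest with the DC that created it, checks whether that DC still exists and whether the key is still usable from the DC you are on (Test-KdsRootKey), and then reads each gMSA's msDS-ManagedPasswordId to show which root key its current password is derived from. The gMSA name column and the MS-GKDI blob layout used to pull the root key GUID out of msDS-ManagedPasswordId (GUID at byte offset 24) are assumptions stated in the comments; the script assumes the ActiveDirectory RSAT module and Domain Admin rights, and it makes no changes.

```powershell
# Added example, not code from the original post.
# Inventories KDS root keys, flags any whose creating DC is gone, and maps each
# gMSA to the root key its current managed password was derived from.
# Assumes: ActiveDirectory RSAT module, rights to read msDS-ManagedPasswordId
# (Domain Admin suffices). Read-only: nothing here creates or rotates keys.
Import-Module ActiveDirectory

# Hostnames of the DCs that currently exist in this domain.
$liveDCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name

# KDS root keys are stored in the Configuration partition and replicate to every
# DC; the DomainController property only records which DC originally created it.
$rootKeys = @(Get-KdsRootKey)
if ($rootKeys.Count -eq 0) {
    Write-Warning 'No KDS root key found in this forest; gMSAs cannot be created until one is added.'
}

$keyReport = foreach ($key in $rootKeys) {
    # DomainController is a DN such as CN=DC1,OU=Domain Controllers,DC=example,DC=com
    $creator = (($key.DomainController -split ',')[0]) -replace '^CN=', ''
    [pscustomobject]@{
        KeyId         = $key.KeyId
        Created       = $key.CreationTime
        Effective     = $key.EffectiveTime
        CreatedOnDC   = $creator
        CreatorExists = ($liveDCs -contains $creator)
        UsableFromHere = (Test-KdsRootKey -KeyId $key.KeyId)   # $true if this DC can use the key
    }
}
$keyReport | Format-Table -AutoSize

# Extract the root key GUID from a gMSA's msDS-ManagedPasswordId blob.
# Assumed layout (MSDS-MANAGEDPASSWORDID / MS-GKDI group key envelope):
#   version(4) reserved(4) isPublicKey(4) L0(4) L1(4) L2(4) RootKeyIdentifier GUID(16) ...
function Get-GmsaRootKeyId {
    param([byte[]]$ManagedPasswordId)
    if (-not $ManagedPasswordId -or $ManagedPasswordId.Length -lt 40) { return $null }
    [guid]::new([byte[]]$ManagedPasswordId[24..39])
}

# One row per gMSA: which root key its current password came from, and whether
# that key is still present in the forest.
Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId |
    Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
    ForEach-Object {
        $rk = Get-GmsaRootKeyId -ManagedPasswordId $_.'msDS-ManagedPasswordId'
        [pscustomobject]@{
            gMSA          = $_.Name          # e.g. svc_app01 (assumed account name)
            RootKeyInUse  = $rk
            KeyStillInAD  = [bool]($rootKeys | Where-Object { $_.KeyId -eq $rk })
        }
    } | Format-Table -AutoSize
```

Run it on any live DC (DC2 or DC3 in the post's terms). A root key whose CreatedOnDC no longer exists but whose UsableFromHere column is $true is still a valid, replicated key; the KeyStillInAD column tells you whether any existing gMSA depends on a key that has actually disappeared, which is the case that would need attention before adding a new root key with Add-KdsRootKey.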