Defender for Identity - gMSA account

karthik palani 1,016 Reputation points

HI All,

While creating gMSA account for Defender for Identity, i am facing failed messages as below and followed exact information mentioned in



Even i did KDS root refresh - Add-KdsRootKey -EffectiveImmediately, should i wait for sometime since i am getting FALSE for below Identity testing

Test-ADServiceAccount -Identity 'mdiSvc01'

Please suggest

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,703 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,687 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,125 questions
Microsoft Entra
{count} votes

3 answers

Sort by: Most helpful
  1. Limitless Technology 44,101 Reputation points

    Hello Karthik palani,

    I would recommend you take a look at the official KDS article, as for instance:


    Domain Controllers (DC) require a root key to begin generating gMSA passwords. The domain controllers will wait up to 10 days from time of creation to allow all domain controllers to converge their AD replication before allowing the creation of a gMSA. Waiting up to 10 days is a safety measure to prevent password generation from occurring before all DCs in the environment are capable of answering gMSA requests. Trying to use a gMSA too soon might fail when the gMSA host attempts to retrieve the password, as the key may not have been replicated to all domain controllers. gMSA password retrieval failures can also occur when using DCs with limited replication schedules or if there's a replication issue.


    Deleting and recreating the root key may lead to issues where the old key continues to be used after deletion due to caching of the key. The Key Distribution Service (KDC) should be restarted on all domain controllers if the root key is recreated.


    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

  3. Givary-MSFT 25,766 Reputation points Microsoft Employee

    @karthik palani Thank you for reaching out to us, As I understand you are trying to configure gMSA account for Defender for Identity configuration, steps mentioned in this article [,Create%20a%20gMSA%20account,-In%20the%20following are correct, addition to that would suggest running these commands and verify if KDS root key is configured correctly or not

    Below command lets us create a KDS key without the normal 10hour wait



    Add-KdsRootKey –EffectiveTime $b

    Check to see if the KDS root key is present:


    Next step would be to create gMSA account

    Check the password principle by using this command Get-AdserviceAccount <serviceaccountname> -Properties PrincipalsAllowedToRetrieveManagedPassword

    Let me know if these steps doesnt help, we can connect offline to troubleshoot further on the same.

    0 comments No comments