Rotate the Microsoft Entra Kerberos server key using gMSA or manually using Scheduled task?

EnterpriseArchitect 4,871 Reputation points

I am running a hybrid Azure AD / Entra ID and on-premises AD DS environment synchronised using Azure AD Connect.

The Key Distribution Center Service Account (krbtgt) is currently disabled on-premises under the OU.

The goal here is to create and configure an AD computer object called AzureADKerberos that serves as an RODC.

According to this article, I will need to perform regular key rotation:

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey

Is this required to be rotated periodically, or can this be automated using the on-premises gMSA instead?


Accepted answer
Akshay-MSFT 16,511 Reputation points Microsoft Employee


    Thank you for posting your query on Microsoft Q&A. From the above description, I understand that you want to confirm whether the Kerberos server key is required to be rotated periodically or whether this can be automated using the on-premises gMSA.

    Please do correct me if this is not the ask by responding in the comments section:

    As per "Rotate the Microsoft Entra Kerberos server key":

    There are other tools that could rotate the krbtgt keys. However, you must use the tools mentioned in this document to rotate the krbtgt keys of your Microsoft Entra Kerberos server. This ensures that the keys are updated in both on-premises Active Directory and Microsoft Entra ID.


    So the recommendation is to use the shared PowerShell command only.


    Akshay Kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers your query. This will help us and others in the community as well.

    2 people found this answer helpful.
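The accepted answer's point is that only the documented cmdlet keeps the on-premises and Entra ID copies of the key in step. The following is an added example, not code from the question or the answer, that wraps that cmdlet in a check a practitioner could run on a schedule: it reads the current key state with Get-AzureADKerberosServer (from the same AzureADHybridAuthenticationManagement module), rotates only when the key is older than a threshold or when the two key versions have drifted, and supports -WhatIf. The 30-day threshold and the domain name are placeholders, not values from the page.

```powershell
# Added example: age/drift check around the documented rotation cmdlet.
# Assumes the AzureADHybridAuthenticationManagement module is installed.
Import-Module AzureADHybridAuthenticationManagement

function Invoke-EntraKerberosKeyCheck {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [pscredential] $CloudCredential,
        [Parameter(Mandatory)] [pscredential] $DomainCredential,
        [int] $MaxKeyAgeDays = 30   # placeholder policy value, not a Microsoft figure
    )

    # The server object reports both the on-premises key and the copy held in Entra ID.
    $server = Get-AzureADKerberosServer -Domain $Domain `
        -CloudCredential $CloudCredential -DomainCredential $DomainCredential

    $keyAge = (Get-Date) - $server.KeyUpdatedOn
    $drift  = $server.KeyVersion -ne $server.CloudKeyVersion

    Write-Verbose ("On-prem key v{0} updated {1}; cloud key v{2} updated {3}" -f
        $server.KeyVersion, $server.KeyUpdatedOn, $server.CloudKeyVersion, $server.CloudKeyUpdatedOn)

    # Differing versions mean an earlier rotation did not reach both sides; treat that like an expired key.
    if ($drift) {
        Write-Warning "On-premises and cloud key versions differ; rotating to resynchronise."
    }
    elseif ($keyAge.TotalDays -lt $MaxKeyAgeDays) {
        Write-Verbose ("Key is {0:N0} days old, under the {1}-day threshold; nothing to do." -f
            $keyAge.TotalDays, $MaxKeyAgeDays)
        return $false
    }

    # Rotate with the documented cmdlet only, so both stores receive the new key.
    if ($PSCmdlet.ShouldProcess("AzureADKerberos in $Domain", "Rotate server key")) {
        Set-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential `
            -DomainCredential $DomainCredential -RotateServerKey
        return $true
    }
    return $false
}

# Interactive usage; a scheduled task would supply the two credentials from a protected store instead.
$domain     = 'corp.example.com'   # placeholder domain
$cloudCred  = Get-Credential -Message 'Entra ID credential used for Set-AzureADKerberosServer'
$domainCred = Get-Credential -Message 'On-premises domain credential'
Invoke-EntraKerberosKeyCheck -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -Verbose
```

Run with -WhatIf first to see whether a rotation would be triggered without changing either key store.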
