Share via

How to recreate the Keys and Managed Service Accounts containers in Active Direcotry

Eric Johnson 10 Reputation points
2025-03-20T15:02:04.18+00:00

We are running on a 2016 domain and forest functional level in Active Directory and the Keys and Managed Service Accounts containers have been deleted. These have been deleted for so long that they are no longer recoverable from the AD Recycle Bin. How can I restore these two containers?

When I run the command Get-ADObject (Get-ADRootDSE).DefaultNamingContext -Properties otherwellKnownObjects it returns the following:

B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys\0ADEL:a777313f-03d0-4057-873a-fd9b16f91ca2,CN=Deleted Objects,DC=domain,DC=com

B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts\0ADEL:bcbe48c9-dc34-4c61-8170-d78454565521,CN=Deleted Objects,DC=domain,DC=com

Windows for business | Windows Server | Directory services | Active Directory
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Eric Johnson 10 Reputation points
    2025-04-03T21:25:01.1333333+00:00

    I was able to fix my issue by using the code below after recreating the Keys and Managed Service Accounts containers in Active Directory. Current state just outputs the current configuration of OtherWellKnownObjects and change would be made. Uncomment the Set-ADobject lines to actually make the change to reassign the SID to the container locations. 

    Param (
[bool] $ProcessManagedServiceAccounts = $true,
[bool] $ProcessKeys = $true
)

$DomainDN = (Get-ADDomain).distinguishedName

(Get-ADObject -filter "objectClass -eq 'domainDns'" -Properties otherwellknownobjects).otherwellknownobjects

if ($ProcessManagedServiceAccounts) {
# Handle Managed Service Accounts
$TargetOWKOIDString = "1EB93889E40C45DF9F0C64D23BBB6237" # Identifier for wellknown SID (Managed Service Accounts).
$TargetOWKOTemplate = "B:32:$TargetOWKOIDString`:{0}" # String.Format replacable string.
$TargetDN = "CN=Managed Service Accounts,$DomainDN"

$OtherWellKnownObjectsOG = (Get-ADObject -filter "objectClass -eq 'domainDns'" -Properties otherwellknownobjects).otherwellknownobjects
$TargetOWKOIndex = $OtherWellKnownObjectsOG.IndexOf( $OtherWellKnownObjectsOG.where({ $PSItem -like "*$TargetOWKOIDString*" })[0])

Write-Host "`nIndex in OWKO for Managed Service Accounts is $TargetOWKOIndex"
Write-Host "If updating - would set OWKO for Keys to $TargetOWKOTemplate"

#Set-ADObject -Identity $DomainDN -Add @{'otherwellknownobjects' = ($TargetOWKOTemplate -f "$TargetDN")} -Remove @{'otherwellknownobjects' = $OtherWellKnownObjectsOG[$TargetOWKOIndex]}
}

if ($ProcessKeys) {
# Handle Keys
$TargetOWKOIDString = "683A24E2E8164BD3AF86AC3C2CF3F981" # Identifier for wellknown SID (Keys).
$TargetOWKOTemplate = "B:32:$TargetOWKOIDString`:{0}" # String.Format replacable string.
$TargetDN = "CN=Keys,$DomainDN"


$OtherWellKnownObjectsOG = (Get-ADObject -filter "objectClass -eq 'domainDns'" -Properties otherwellknownobjects).otherwellknownobjects
$TargetOWKOIndex = $OtherWellKnownObjectsOG.IndexOf( $OtherWellKnownObjectsOG.where({ $PSItem -like "*$TargetOWKOIDString*" })[0])

Write-Host "Index in OWKO for Keys is $TargetOWKOIndex"
Write-Host "If updating - would set OWKO for Keys to $TargetOWKOTemplate"

#Set-ADObject -Identity $DomainDN -Add @{ 'otherwellknownobjects' = ($TargetOWKOTemplate -f "$TargetDN") } -Remove @{ 'otherwellknownobjects' = $OtherWellKnownObjectsOG[$TargetOWKOIndex] }
}
    2 people found this answer helpful.
  2. Anonymous
    2025-03-21T02:19:25.6433333+00:00

    Hello Eric Johnson,
    Thank you for posting in Q&A forum.

    Based on the description, I understand that the Keys and Managed Service Accounts containers have been deleted for a long time, and the Active Directory Recycle Bin was enabled before the Keys and Managed Service Accounts containers were deleted.
    Now you want to restore the Keys and Managed Service Accounts containers.

    1.If the time is no longer than 180 days. Please check if you can see the Keys and Managed Service Accounts containers via ADAC (Active Directory Administrative Center).

    Open ADAC and navigate to domain.com\Deleted Objects container, open Deleted Objects container to see if there is the Keys and Managed Service Accounts containers.

    User's image

    If so, you can right click them and restore them.

    1. If the two containers cannot be restored by ADAC. Please check whether you have a backup of one Domain Controller with the two containers (Keys and Managed Service Accounts).

    If you have such Domain Controller backup with the two containers (Keys and Managed Service Accounts). You can perform a nonauthoritative restore of this Domain Controller, after nonauthoritative restore of this Domain Controller is complete, please wait to AD replication finish, then you can perform a authoritative restore of the two containers (Keys and Managed Service Accounts).

    For more information, please refer to links below.

    https://techcommunity.microsoft.com/blog/askds/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting/396944

    Active Directory Forest Recovery - Perform a nonauthoritative restore of Active Directory Domain Services

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-perform-nonauthoritative-restore

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/active-directory-recycle-bin?tabs=adac

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.