gmsa account parent / child domain

Yogesh Arora 1 Reputation point
2021-02-19T13:33:34.283+00:00

I have a managed service account already created in Child domain(abc.xyz.local) and its working as expected. I am also able to retrieve KDS key in child domain using “Get-KDSrootkey” command.

However in Parent domain “xyz.local”, I cant find any key when running “Get-KDSrootkey”.
I am concerned if I need to create new Key in parent domain first before creating gmsa account in parent domain ?

Also is it going to impact existing gmsa account in child domain ?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,073 questions
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,214 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,139 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Fan Fan 15,306 Reputation points Microsoft Vendor
    2021-02-22T01:40:19.703+00:00

    Hi,
    Not sure the process you created the GMSA.
    If you try to use a gMSA too soon the key might not have been replicated to all domain controllers and therefore password retrieval might fail when the gMSA host attempts to retrieve the password. gMSA password retrieval failures can also occur when using DCs with limited replication schedules or if there is a replication issue.

    I would recommend you recreate the KDSrootkey.
    The Key Distribution Service (KDC) should be restarted on all domain controllers if the root key is recreated.
    For your reference:
    https://learn.microsoft.com/en-us/powershell/module/kds/add-kdsrootkey?view=win10-ps
    https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key

    Best Regards,


  2. Jordan Mills 1 Reputation point
    2021-02-22T17:09:04.453+00:00

    You'll need a KDS root key object in every domain where you create a GMSA. It won't hurt anything to create one in the other domain.