Add-KdsRootKey : The request is not supported. (Exception from HRESULT: 0x80070032)

WZJ 101 Reputation points
2021-05-20T15:00:16.89+00:00

I am working on a task to create a KDS root key; here is what I have tried:

  1. Log in to the DC (Windows 2016 server) with a domain admin account;
  2. Run PowerShell as administrator;
  3. Run:

         Import-Module Kds
         Get-Module

     ---> it shows Kds installed.

         Add-KdsRootKey -EffectiveImmediately

     or any commands which start with Add-KdsRootKey; get errors:

         Add-KdsRootKey : The request is not supported. (Exception from HRESULT: 0x80070032)
         At line:3 char:1
         Add-KdsRootKey -EffectiveImmediately
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         + CategoryInfo : NotSpecified: (:) [Add-KdsRootKey], COMException
         + FullyQualifiedErrorId : The request is not supported. (Exception from HRESULT: 0x80070032),Microsoft.KeyDistributionService.Cmdlets.AddKdsRootKeyCommand

  4. Log in to a non-DC Windows 2016 domain server, installed RSAT features;
  5. Run PowerShell as administrator;
  6. Run:

         Import-Module Kds
         Get-Module

     ---> it shows Kds installed.

         Add-KdsRootKey -EffectiveImmediately

     or any commands which start with Add-KdsRootKey; get errors:

         Add-KdsRootKey : The request is not supported. (Exception from HRESULT: 0x80070032)
         At line:3 char:1
         Add-KdsRootKey -EffectiveImmediately
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         + CategoryInfo : NotSpecified: (:) [Add-KdsRootKey], COMException
         + FullyQualifiedErrorId : The request is not supported. (Exception from HRESULT: 0x80070032),Microsoft.KeyDistributionService.Cmdlets.AddKdsRootKeyCommand

I have tried everything I could Google on the Internet, but no luck at all...

Windows Server 2016
Windows Server Security

4 answers

  1. A Golden Life 6 Reputation points
    2022-03-08T19:28:11.43+00:00

    For anyone else who comes across this like I did and is looking for an answer:

    1. Log on to another non-DC in the domain
    2. Log on as a domain admin
    3. Install/add the RSAT tools (the AD ones in particular)
    4. Launch PowerShell, import or install the AD module
    5. Run the Add-KDSRootKey from the new machine.

    I don't know why you can't run this on the DC. However, any of the KDS PowerShell commands give faulty information when run from the DC. Mine even reported there was no key when there was. However, running it from a non-DC on the domain will work. Maybe someone else can point out why the commands don't work on a DC. MS docs also don't say anything about running it from another machine.

    1 person found this answer helpful.

  2. Anonymous
    2021-05-21T03:26:51.763+00:00

    Hello @WZJ ,

    Thank you for posting here.

    It seems that something is not supported.

    1. Please check whether the PowerShell you are running is 32-bit or 64-bit.

    if($env:Processor_Architecture -eq "x86"){write "running on 32bit"}else{write "running on 64bit"}  
    


    From the following link, we can see:

    A 64-bit architecture is required to run the Windows PowerShell commands which are used to administer group Managed Service Accounts.

    Create the Key Distribution Services KDS Root Key
    https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key

    If the above does not work, please confirm:

    1. What is the operating system of the 2016 DC?
    2. What is the forest functional level and domain functional level?

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
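
The checks requested in the answer above (PowerShell bitness, operating system, forest and domain functional levels), collected in one pass together with any existing KDS root keys, so the output from a DC and a non-DC can be compared. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory and Kds modules are installed, and `Get-KdsPreflight` is a hypothetical helper name.

```powershell
# Added example: gathers the facts asked for before retrying Add-KdsRootKey.
# Assumption: ActiveDirectory and Kds modules are present (RSAT) and the
# session runs under a domain account. Get-KdsPreflight is a hypothetical
# helper name, not a built-in cmdlet.
function Get-KdsPreflight {
    [CmdletBinding()]
    param()

    Import-Module ActiveDirectory, Kds -ErrorAction Stop

    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Record a failure of Get-KdsRootKey instead of hiding it, so that
    # "no key" and "query failed" are not confused with each other.
    $keys     = @()
    $keyError = $null
    try   { $keys = @(Get-KdsRootKey -ErrorAction Stop) }
    catch { $keyError = $_.Exception.Message }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Is64BitProcess     = [Environment]::Is64BitProcess
        Is64BitOS          = [Environment]::Is64BitOperatingSystem
        OperatingSystem    = $os.Caption
        OSVersion          = $os.Version
        IsDomainController = ($os.ProductType -eq 2)   # 2 = domain controller
        ForestMode         = $forest.ForestMode
        DomainMode         = $domain.DomainMode
        RootKeyCount       = $keys.Count
        RootKeys           = $keys | Select-Object KeyId, CreationTime, EffectiveTime, DomainController
        RootKeyQueryError  = $keyError
    }
}

$report = Get-KdsPreflight
$report | Format-List

if (-not $report.Is64BitProcess) {
    Write-Warning 'This is a 32-bit PowerShell host; the gMSA cmdlets require a 64-bit one.'
}
if ($report.RootKeyQueryError) {
    Write-Warning "Get-KdsRootKey failed: $($report.RootKeyQueryError)"
}
elseif ($report.RootKeyCount -gt 0) {
    Write-Warning 'A KDS root key already exists; review it before adding another.'
}
```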


  3. Benard Mwanza 1,001 Reputation points
    2021-10-18T13:46:32.697+00:00

    I'm having the same issue on a domain controller running Windows Server 2019 Datacenter.


  4. Benard Mwanza 1,001 Reputation points
    2021-10-18T13:48:19.667+00:00

    Quick assistance is needed. I have checked that the current PowerShell is 64-bit.

