I ran "Add-KdsRootKey -EffectiveImmediately" and now I get "New-ADServiceAccount : Key does not exist".

Pratiksha Shetty 21 Reputation points Microsoft Employee
2021-06-18T04:12:36.853+00:00

I have one DC installed on an Azure VM. I ran "Add-KdsRootKey -EffectiveImmediately"; Get-KdsRootKey gives the correct output as well. I then ran the next command, New-ADServiceAccount MDI -DNSHostName....., and it failed with the following error: "New-ADServiceAccount : Key does not exist".
Ask:

  1. Can I run this command now, even after creating the KDS root key once: "Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))"?
  2. If not then will it take 10 hours even if I have one DC ?
  3. Is there any workaround to skip the waiting hours and run the new-adserviceaccount command ?

Accepted answer
  1. Anonymous
    2021-06-18T07:18:32.307+00:00

    Hello @Pratiksha Shetty ,

    Thank you for posting here.

    Here are the answers for your reference.

    1) Can I run this command now even after creating the KDS root key once "Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))"

    A: If you run this command now, even after creating the KDS root key once, "Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))" will create an additional KDS root key, so you will end up with multiple KDS root keys.

    You can view all the keys with the cmdlet Get-KdsRootKey.

    We recommend creating the KDS root key only once per domain.

    Here is a similar case for your reference.

    What happens if you Generate a new root key for the Group Key Distribution Service if one exissts?
    https://social.technet.microsoft.com/Forums/en-US/c80a270a-9354-4a2a-812e-e6b6e7a2e159/what-happens-if-you-generate-a-new-root-key-for-the-group-key-distribution-service-if-one-exissts?forum=winserver8gen

    2) If not then will it take 10 hours even if I have one DC?
    A: It seems it will take 10 hours even if you have one DC if you run the command "Add-KdsRootKey -EffectiveImmediately".

    But it will take effect immediately, even if you have one DC, if you run the command "Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))".

    For example, I tested this in another new AD lab, on a newly built AD domain controller (only one DC).

    3) Is there any workaround to skip the waiting hours and run the New-ADServiceAccount command?
    A: Based on my knowledge, there is no workaround to skip the waiting hours.

    If you must create the service account immediately, you can run the command "Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))", create the service account immediately, and then delete one of the two KDS root keys.

    Refer to:
    Delete KDS root Key:
    http://www.windows-noob.com/forums/index.php?/topic/7625-delete-kds-root-key/

    Tip: We do not recommend creating multiple KDS root keys in one domain.

    If you create more than one KDS root key and delete the redundant ones, we are not sure whether it will have any impact in a production environment.

    Hope the information above is also helpful.

    Should you have any question or concern, please feel free to let us know.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best Regards,
    Daisy Zhou

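The accepted answer above describes what Get-KdsRootKey shows and the two ways of adding a root key (-EffectiveImmediately versus a backdated -EffectiveTime). The following PowerShell is an added example, not code from the thread or from Microsoft: it checks whether a root key is already effective before you attempt New-ADServiceAccount, reports how long a pending key still has to wait, and turns the backdating shortcut into an explicit lab-only switch so a second key is never added by accident. It assumes an elevated session on a domain controller (or a host with the ActiveDirectory RSAT module); the function names are the example's own.

```powershell
# Added example, not from the thread. Decide whether New-ADServiceAccount can succeed yet
# by inspecting the KDS root keys, instead of adding keys until the error goes away.
# Assumes an elevated session on a DC (or RSAT) with the ActiveDirectory module available.
Import-Module ActiveDirectory

function Get-UsableKdsRootKey {
    # A root key is usable only once its EffectiveTime has passed. Until then
    # New-ADServiceAccount reports "Key does not exist" even though Get-KdsRootKey lists the key.
    $now = Get-Date
    @(Get-KdsRootKey) | Where-Object { $_.EffectiveTime -le $now }
}

function Show-KdsRootKeyStatus {
    # One line per root key: when it was created, when it becomes effective, and whether
    # this DC can actually derive from it (Test-KdsRootKey).
    $now = Get-Date
    foreach ($k in @(Get-KdsRootKey)) {
        if ($k.EffectiveTime -le $now) { $state = 'usable' }
        else { $state = 'pending, usable in {0:hh\:mm\:ss}' -f ($k.EffectiveTime - $now) }
        $ok = Test-KdsRootKey -KeyId $k.KeyId
        '{0}  created {1:u}  effective {2:u}  {3}  Test-KdsRootKey={4}' -f $k.KeyId, $k.CreationTime, $k.EffectiveTime, $state, $ok
    }
}

function Ensure-KdsRootKey {
    # Creates a root key only if the domain has none. -LabBackdate reproduces the
    # "addhours(-10)" trick from the thread: it skips the replication window, which is
    # only safe when every DC already has the key, i.e. a single-DC lab.
    param([switch]$LabBackdate)

    if (@(Get-KdsRootKey).Count -gt 0) {
        Write-Warning 'A KDS root key already exists; not creating another one.'
        return
    }
    if ($LabBackdate) {
        Write-Warning 'Creating a KDS root key backdated by 10 hours. Lab use only.'
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    } else {
        # Production: the key becomes usable after the roughly 10 hour replication window.
        Add-KdsRootKey -EffectiveImmediately
    }
}

# Usage: in a lab you may uncomment the next line; in production run Ensure-KdsRootKey without the switch.
# Ensure-KdsRootKey -LabBackdate
Show-KdsRootKeyStatus
if (-not (Get-UsableKdsRootKey)) {
    throw 'No KDS root key is effective yet. Wait for the pending key; do not add a second one.'
}
# Safe to run New-ADServiceAccount from here.
```

The 10-hour delay behind -EffectiveImmediately exists so that the new root key replicates to every domain controller before any of them derives a gMSA password from it; a DC that does not yet hold the key cannot compute the password and fails with "Key does not exist". Backdating with -EffectiveTime removes that safeguard, which is harmless when the domain has a single DC and risky when it has several. Deleting the extra key afterwards is also not a clean undo: the KDS module has no Remove-KdsRootKey cmdlet (the object lives under CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,... and is removed with ADSI Edit), and any gMSA whose password was derived from the deleted key stops working, since gMSA passwords are computed from the root key. Decide which key will stay before the first New-ADServiceAccount, not after.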

2 additional answers

Sort by: Most helpful
  1. Pratiksha Shetty 21 Reputation points Microsoft Employee
    2021-06-18T08:26:44.957+00:00

    Thank you so much for responding. I will wait for the 10 hours to complete, and I hope that after that I will be able to run the New-ADServiceAccount command without getting the key error.

    To create a gMSA using the New-ADServiceAccount cmdlet, is the approach below correct?

    a) Created a security group named "SensorDCs" and added the DCs that will have sensors installed on them; in my case I just added one, "DC01".

    b) New-ADServiceAccount MDI -DNSHostName DC01.domain.com -PrincipalsAllowedToRetrieveManagedPassword SensorDCs -KerberosEncryptionType RC4, AES128, AES256 -ServicePrincipalNames http/DC01.domain.com/domain.com

    To create a gMSA for outbound authentication only using the New-ADServiceAccount cmdlet (is this step needed?):
    New-ADServiceAccount ITFarm1 -RestrictToOutboundAuthenticationOnly -PrincipalsAllowedToRetrieveManagedPassword SensorDCs

    c) Add member hosts to the gMSA:
    Set-ADServiceAccount -Identity ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword SensorDCs
    Or a better option:
    You could create an AD security group "SensorDCs" whose members are the sensor DCs and set the AD service account to allow retrieving the password:
    Set-ADServiceAccount ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword SensorDCs (is this step not being done already in step b?)
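The steps in the post above (group, New-ADServiceAccount, Set-ADServiceAccount) form one procedure. The following PowerShell is an added example, not the poster's code or Microsoft's, that carries it through end to end and then verifies the result. It reuses the names from the post (group SensorDCs, gMSA MDI, DC DC01); the domain corp.example and the 30-day password interval are hypothetical. Reading the account's PrincipalsAllowedToRetrieveManagedPassword back after creation shows that the value passed to New-ADServiceAccount in step b is the same attribute Set-ADServiceAccount in step c would write, so the second cmdlet is only needed when the allowed principals change later.

```powershell
# Added example, not from the thread: group -> gMSA -> verification, end to end.
# Names from the post: group SensorDCs, gMSA MDI, DC DC01. Domain corp.example is hypothetical.
# Run in an elevated session with the ActiveDirectory module, after a usable KDS root key exists.
Import-Module ActiveDirectory

$GroupName   = 'SensorDCs'
$GmsaName    = 'MDI'
$SensorDCs   = @('DC01')                   # computer names of the DCs that will run the sensor
$DnsHostName = "$GmsaName.corp.example"    # required by New-ADServiceAccount; hypothetical value

# a) Security group whose members may retrieve the managed password.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'DCs allowed to retrieve the MDI sensor gMSA password'
}
# Pass computer objects rather than bare names: the computer account is DC01$, not DC01.
$members = $SensorDCs | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $members

# b) The gMSA. -PrincipalsAllowedToRetrieveManagedPassword writes msDS-GroupMSAMembership
#    at creation, so a separate Set-ADServiceAccount with the same value is redundant;
#    Set-ADServiceAccount is for changing the principals later.
#    Only AES is enabled here; the RC4 in the original post is legacy crypto and should be a
#    deliberate choice, not a default.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $DnsHostName `
        -PrincipalsAllowedToRetrieveManagedPassword $GroupName `
        -KerberosEncryptionType AES128, AES256 `
        -ManagedPasswordIntervalInDays 30
}

# c) Verify what was actually written instead of setting it a second time.
$acct = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, KerberosEncryptionType, ManagedPasswordIntervalInDays
$acct | Format-List Name, DNSHostName, KerberosEncryptionType, ManagedPasswordIntervalInDays, PrincipalsAllowedToRetrieveManagedPassword

# d) On each sensor DC, once its computer account has picked up the new group membership
#    (group SIDs ride in the machine's Kerberos ticket; a reboot refreshes it reliably), run:
#    Test-ADServiceAccount -Identity $GmsaName    # $true when this host can retrieve the password
```

Step d is the check that matters before installing the sensor: if Test-ADServiceAccount returns $false on a DC that is already a member of SensorDCs, the usual cause is that the DC's machine account still holds a ticket issued before the group change, not that the gMSA is misconfigured.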


  2. Anonymous
    2021-06-21T06:37:55.417+00:00

    Hello @Pratiksha Shetty ,

    I am sorry for the late reply.

    Thank you for your update and for accepting my reply as the answer.

    After I run the command New-ADServiceAccount service11 -DNSHostName vchzho451vm.b.com, I see this gMSA immediately in ADUC.

    Tip: vchzho451vm is my DC name.


    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

