This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 37%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
what happens if i delete kdsroot key from forest domain ? will it impact exist gMSA account ?
Have a look at this page on creating a new KDCRoot Key which has this note:
Gary.
Thanks Gary, even servers are rebooted but still few gMSA accounts are failing but not all..
error says Install-AdServiceAccount : Cannot install service account. Error Message: 'An unspecified error has occurred'.
and user name or password not correct etc..
I tried all available options from internet..but still no go
Are you having issues install a new gMSA account on a server, or reconfigure an existing one?
If it's a new account, make sure that the server is a member of the msDS-GroupMSAMembership attribute of the gMSA account.
Gary.
It is not new account, existing acccount.
it was working before, but all of sudden it started to give above errors..
Have you tried to create a new account to test if the issue is related to the kdcroot recreation and the password\root key is still being cached on the server.
Gary.
new creation works and able to do operation..but existing account failing
we have many, so worried if it start to fail one by one
seems old gmsa will not work any more.. we need back old kdsroot key to make it work
if you create new kdsroot key, old gmsa will not work as per my test
Hi,
There is very little information on the use of the Key Distribution Service, in relation to gMSA. it just says 'The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account'. But doesn't mention what the key is used for. The root key that is used when the gMSA is created is stored against the gMSA object in the msDS-ManagedPasswordId attribute. The current and previous passwords are also stored in the gMSA object and can be retrieved by the allowed principal, this doesn't require the key to access this information. So there must be an RPC service or something similar that is using the key to access the password when the Windows service tries to start.
I think based on your observations and rereading the note above again, deleting the Key Root will impact any existing gMSA that were created using that root key.
Do you have the option to restore the deleted Key from CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=<yourdomain>. If not, then you might need to recreate and reinstall all your gMSA accounts based on the deleted root key.
Gary.