This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 66%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Morning all!
So I have taken over and environment that was a bit of a mess. one thing I am in the process of configuring is setting up gMSAs instead of the usual culprit of dedicated domain user accounts used to run applications and service.
On inspection, there are rounds in the magazine, and no rounds in the... oh wait sorry...
I mean... on inspection (using command "get-kdsrootkey") on one of the live DCs, I can see that the original server that was configured with the KDS lets call it DC1, which has now long been replaced by DC2 and DC3, and then looks like it has been decommissioned.
So my questions are:
Thanks in advance for any help!
Chris.
Hi,
Once you recreate the key, the existing gMSA accounts will stop working, this may take a while to happen due to caching but it will happen.
The Key is replicated to all DCs in the domain, any new DCs added to the domain will also use this Key. Unless you think your environment has been compromised, there is no real reason to change the Key. Change it will impact all the existing gMSA managed services.
Gary.
"Unless you think your environment has been compromised, there is no real reason to change the Key." - Does "no real need" include the domain controller that the KDS was originally hosted on was "deleted". Running "get-kdsrootkey" indicated it was hosted on DC1, which now does not exist. Will the key still work without the KDS Server it was created/hosted on?
All DCs which are 2012 or later provide are a KDS server, and will use the existing Key stored in the AD. The best test is to create a new gMSA account and configure a service to run under the gMSA account. This will confirm the key is working.
I've done a bit more research, and it appears that information around the impact of multiple Keys is a little vague. Deleting an existing Key will impact the existing gMSA that have been created using the key, however, there is no consistent information what will happen if there are multiple Keys. So I did a quick test.
If you create a new gMSA after creating the new Key the new Key is not used, until the KDS service is restarted and it picks up the new Key. I'm sure there will be a timeout\refresh period after which it will pickup the new Key but not sure what this is.
If you want to check which Key has been used for each gMSA, you can use the AD Properties dialog in NetTools which will display the Key used. https://nettools.net/ad-properties-dialog/
Amazing! Thanks Gary. That basically confirms what i did plus some more. Thanks for going the extra mile testing too. Appreciated.