New-ADServiceAccount : Key does not exist


  • Monday, July 16, 2012 6:19 PM

    OK so I've run the following command:

    Add-KdsRootKey -EffectiveImmediately

    and I got the following logged in the KdsSvc event log:

    Event ID: 4004

    Group Key Distribution Service created the first master root key in AD. The key ID is 841452df-e084-1857-750d-b8dae6a149eb.

    So all is good right? Apparently not... because even after a reboot, when I run this command (ripped straight from the example on Technet):

    New-ADServiceAccount ITFarm1 -DNSHostName ITFarm1.mydomain.com -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts -KerberosEncryptionType RC4, AES128, AES256

    I get the following error:

    "Key does not exist"

    I only have one DC in this test environment and it is running Server 2012, and that's where I am running these powershell commands. Where am I going wrong?

    Thanks

    Chris


    My website (free apps I've written for IT Pro's) : www.cjwdev.co.uk My blog: cjwdev.wordpress.com

All Replies

  • Thursday, July 19, 2012 6:57 AM
    Moderator
    Answered

    Hi,

    You must wait 10 hours from creation time to allow all DCs to converge AD replication before you can create a gMSA. The 10 hours prevent password generation from occurring before all DCs in the environment are capable of answering gMSA requests.

    If working in a test environment with a minimal number of DCs and the ability to guarantee immediate replication, please use:

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

    This allows using gMSAs immediately, because it sets the key's start time 10 hours in the past.

    Hope this helps.

    Regards,

    Yan Li


    Yan Li

    TechNet Community Support
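The check the moderator suggests, as an added script that is not from this thread or from Microsoft: it looks at the existing KDS root keys, only backdates a new key when run with a -Lab switch (single-DC test domain, as in the question), refuses to create the gMSA while no key is effective yet, and otherwise runs the same New-ADServiceAccount call as the original post. The account, host and group names are placeholders taken from the question; RC4 is left out of the encryption types on purpose.

```powershell
# Added example (not code from the thread). Assumes the ActiveDirectory module on a
# Windows Server 2012 DC. Names below are placeholders copied from the question.
param(
    [string]$AccountName = 'ITFarm1',
    [string]$DnsHostName = 'ITFarm1.mydomain.com',
    [string]$HostGroup   = 'ITFarmHosts',
    [switch]$Lab   # backdate the root key only in a throwaway test domain
)

Import-Module ActiveDirectory

$keys = Get-KdsRootKey
if (-not $keys) {
    if ($Lab) {
        # Backdating 10 hours skips the replication convergence wait. Only safe when
        # every DC already has the key, i.e. a single DC or guaranteed replication.
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    } else {
        # Production: create the key now and come back after the 10-hour window.
        Add-KdsRootKey -EffectiveImmediately
        Write-Warning 'Root key created; gMSA creation fails until it becomes effective.'
        return
    }
    $keys = Get-KdsRootKey
}

# A root key can be used for a gMSA only once its EffectiveTime is in the past.
$usable = $keys | Where-Object { $_.EffectiveTime -le (Get-Date) }
if (-not $usable) {
    $next = ($keys | Sort-Object EffectiveTime | Select-Object -First 1).EffectiveTime
    Write-Warning "No KDS root key is effective yet; the earliest becomes effective at $next."
    return
}

# Same parameters as the original command, minus RC4 (AES only).
New-ADServiceAccount -Name $AccountName -DNSHostName $DnsHostName `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -KerberosEncryptionType AES128, AES256
```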

  • Friday, July 20, 2012 2:06 PM
    That would make sense if I had more than one DC... but I don't. I have a single DC, so using the -EffectiveImmediately argument should work instantly surely?

    My website (free apps I've written for IT Pro's) : www.cjwdev.co.uk My blog: cjwdev.wordpress.com

  • Monday, July 23, 2012 2:35 AM
    Moderator

    Yes, that would make sense for a domain with more than one DC, but maybe we should give it a test, to ensure the key was created successfully.

    Regards,

    Yan Li


    Yan Li

    TechNet Community Support

  • Thursday, September 20, 2012 7:18 PM
    This helps. Thanks!
  • Tuesday, December 18, 2012 7:49 PM
    Wow... this saved my bacon big time. Great post.