Add-KDSRootKey fails with "Request not supported" error

  • Question

  • I'm trying to create a group Managed Service Account (gMSA) on a newly installed Win2012 DC (first computer on the domain). Creating the gMSA requires you to first create a KDS Root Key. I launch the Active Directory Module for Windows PowerShell using Run as Administrator and issue the following:

    Add-KDSRootKey -EffectiveTime ((get-date).addhours(-11))
    

    I get an error "The request is not supported". If I change it to -EffectiveImmediately, I get the same error.

    Add-KDSRootKey : The request is not supported. (Exception from HRESULT: 0x80070032)... Exception from HRESULT: Microsoft.KeyDistributionService.Cmdlets.AddKDSRootKeyCommand

    The KDS cmdlets are installed (I can query/use with get-help KDS) and I can use them to list keys (empty) and view configuration - I just can't seem to add a KDS root key. When I look in my AD Sites and Services at the Services\Root Key, it's empty. I've struggled with this for two days now - any suggestions?

    Wednesday, October 2, 2013 2:37 PM

Answers

  • Have you tried removing/re-adding RSAT from the DC?

    Have you tried installing RSAT on another WS2012 and running it from there?

    hth
    Marcin

    • Marked as answer by MrSanFranMan2 Monday, October 7, 2013 2:11 PM
    Friday, October 4, 2013 2:43 PM

All replies

  • This would be best asked in the PKI forum.  I will move there.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, October 2, 2013 3:11 PM
  • This actually has nothing at all to do with PKI. Managed Service Accounts are an Active Directory feature and this question properly belongs in a Directory Services forum.

    Sorry for the runaround MrSanFranMan2, I'd move your post but I'm not a moderator.

    Wednesday, October 2, 2013 7:49 PM
  • Please can you confirm that the user you're using is a member of "Domain Admins".

    I had the same issue (and found this post as a result).  After testing I found that in my case the user I was using was only in the "Administrators" group.  After testing it was the missing Domain Admins group.

    Thursday, October 3, 2013 9:07 AM
  • Thanks, everyone.

    Yan - I think it's quite premature to propose an "answer" at this point, don't you?

    To answer the question, yes I am logged in as a member of the domain admins group (I've tried two accounts that were both domain admins).

    A further update - I rebooted and noticed an odd behavior: on the first execution of Add-KDSRootKey, I get a different error:

    Add-KDSRootKey : Could not load file or assembly Microsoft.KeyDistributionService.Cmdlets

    You can see in the screenshot that I'm (a) using AD Powershell, and (b) the KDS module is successfully loaded. Once I run the command a second time (after a reboot), I then receive the "Request is not supported" error.

    Thursday, October 3, 2013 11:49 AM
  • Paul (A.) is (as usual) correct. This is a DS related topic...

    Post the output of
    Get-Module

    Have you tried actually loading the corresponding module explicitly (Import-Module)? What happens when you run it?

    hth
    Marcin


    Thursday, October 3, 2013 12:55 PM
  • Thanks, Marcin.

    Get-Module shows only ActiveDirectory and Powershell Management loaded.

    If I use Import-Module KDS, then run Get-Module, KDS is added. If I then launch Add-KdsRootKey, it fails with the request is not supported: http://i.imgur.com/0TO907W.png


    (FYI - I'm logged in as domain admin)
    Thursday, October 3, 2013 3:58 PM
  • Sweet! I added the RSAT tools to another non-DC in the domain, logged on as administrator, and bam - got it done. Thanks!

    FYI - you can't remove RSAT from a DC (at least, you can't in 2012+).

    Monday, October 7, 2013 2:11 PM
  • I've tried everything listed here... And I'm still getting the same error message: The request is not supported. (Exception from HRESULT: 0x80070032)

    I was hoping someone could provide some advice, thanks in advance.

    Thursday, February 13, 2014 9:06 PM
  • The forest functional level needs to be Windows Server 2012, apparently... This solved my issue.
    Friday, February 14, 2014 12:06 AM
  • I was also able to run this from just a regular workstation. Didn't need to do it from a DC.

    FYI for anyone finding this question in the future. I was able to resolve it like this:

    • (1) Log on to another non-DC in the domain 
    • (2) Log on as a domain admin 
    • (3) Install/add the RSAT tools (the AD ones in particular)
    • (4) Launch the PowerShell AD tool
    • (5) Run the Add-KDSRootKey from the new machine.

    Friday, March 28, 2014 11:03 PM
  • Was there ever a workable solution to this issue? I'm having the same issue and I have tried the last solution of using a non-DC Server 2012 R2 member server with RSAT installed, and I still get the same error message. Funny thing is that the command worked on my Forest Root DC. I'm trying this on my resource domain. Any suggestions greatly appreciated.

    Tuesday, April 8, 2014 8:39 PM
  • This didn't work for me, but in playing in my DEV domain, it seems you need Enterprise Admin or Domain Admin in the forest root domain for this command to work. I think you could delegate this by changing the ACL on the following container (assuming you use contoso.com as your domain, change it for your environment):

    CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=contoso,DC=com

    I would recommend just leveraging an Enterprise Admin account when doing this for your resource domains.

    Friday, November 21, 2014 4:44 PM
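The reply above points at the ACL of the Master Root Keys container as the place where the right to create root keys is held. The script below is an added example, not code from this thread: it reads that container's ACL through the ActiveDirectory provider and lists every principal allowed to create children (a new root key) or to rewrite the ACL itself, so an administrator can audit who can actually run Add-KdsRootKey in their forest. The function name Get-KdsRootKeyContainerAcl is my own; the cmdlets (Get-ADRootDSE, Get-Acl on the AD: drive) are the real ones. The rights match is deliberately coarse (it ignores the ObjectType GUID and inheritance scope of each ACE), so treat the output as a list to review, not a verdict.

```powershell
# Added example (not from the thread): audit who holds rights on the
# Master Root Keys container that permit creating or taking over KDS root keys.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function Get-KdsRootKeyContainerAcl {
    [CmdletBinding()]
    param()

    # Build the container DN from the forest's configuration partition instead
    # of hard-coding DC=contoso,DC=com.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNC"

    # Rights that matter here: creating child objects (a new root key) and
    # anything that lets a principal rewrite the ACL or take ownership.
    $interesting = 'CreateChild|GenericAll|WriteDacl|WriteOwner'

    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.ToString() -match $interesting
        } |
        Select-Object IdentityReference,
                      @{ Name = 'Rights';    Expression = { $_.ActiveDirectoryRights } },
                      @{ Name = 'Inherited'; Expression = { $_.IsInherited } } |
        Sort-Object IdentityReference
}

# Usage: run on a domain-joined host with RSAT as a user who can read the
# configuration partition, then compare the list with the set you expect
# (Enterprise Admins, Domain Admins of the forest root, SYSTEM, and the
# inherited configuration-partition defaults).
Get-KdsRootKeyContainerAcl | Format-Table -AutoSize
```

Anything outside that expected set, especially a non-inherited ACE granting CreateChild or WriteDacl to an ordinary account, is worth investigating, because whoever can create a root key controls the material from which every gMSA password in the forest is derived.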
  • I had this same issue and fixed it by running PowerShell as administrator. Yes, I was logged in with Domain Admin but I still needed to select Run As. Good luck.
    • Proposed as answer by mikerez Thursday, May 7, 2015 8:48 PM
    Friday, December 12, 2014 4:03 PM
  • Yep, right-click Powershell > "Run as Administrator". This resolved the issue for me as well.

    Thursday, May 7, 2015 8:49 PM
  • You first must be a Domain Admin, then run PowerShell as Administrator and retry.
    Saturday, June 20, 2015 5:41 PM
  • Maybe your domain is a child domain.

    You can try this solution.
    1. Add your child domain administrator to the forest Enterprise Admins group.
    2. Log in to the DC again and run Add-KdsRootKey.
    3. Remove your child domain administrator from the Enterprise Admins group if you want.

    Thursday, August 4, 2016 9:44 AM
  • This worked like a champ for me!  I was logged in as another administration level on a machine running RSAT and it was a no-go.  Logged into the domain controller as domain admin and ran PS AS Administrator, command ran and BOOM!  Done!  Thanks!
    Saturday, October 1, 2016 4:52 PM
  • Would just like to add, I had the same issue, had to actually load the AD modules, bam, worked!
    Thursday, July 27, 2017 1:14 AM
  • Hello There,

    I always think it's never too late.

    Please note: the KDS root key needs to be created once per forest, and you just need to add the account to the Enterprise Admins group.

    Follow the steps below in order to get this fixed:

    1. Add the account to the Enterprise Admins group

    2. Log off and log in again to the DC in order to refresh the group membership

    3. Run PowerShell as administrator

    4. Finally, run the code below

    Import-Module ActiveDirectory
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

    Please let me know if that helps!

    Tuesday, December 18, 2018 4:36 PM
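The fixes reported across this thread (unelevated shell, logon token missing Domain Admins of the forest root or Enterprise Admins, forest functional level below Windows Server 2012, and running from a host where the KDS module loads) come down to a short list of checks that can be run before calling Add-KdsRootKey. The script below is an added example that ties them together and is not code from any post here: it checks those prerequisites, refuses to create a second key if one already exists, and verifies the new key with Test-KdsRootKey. The function names Test-KdsRootKeyPrerequisites and New-KdsRootKeyChecked are my own; the cmdlets (Get-ADForest, Get-ADDomain, Get-KdsRootKey, Add-KdsRootKey, Test-KdsRootKey) are the real ActiveDirectory and KDS ones, and the script assumes both modules are installed (RSAT-AD-PowerShell on a member server, or a DC).

```powershell
# Added example (not from the thread): pre-flight checks for the causes of
# "The request is not supported" reported above, then create and verify the key.
#Requires -Modules ActiveDirectory, KDS
Import-Module ActiveDirectory
Import-Module KDS

function Test-KdsRootKeyPrerequisites {
    [CmdletBinding()]
    param()

    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. Elevated session ("Run as Administrator"), the most common fix in the thread.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $problems.Add('PowerShell is not elevated; start it with "Run as Administrator".')
    }

    # 2. Token membership: Domain Admins (RID 512) of the forest root domain or
    #    Enterprise Admins (RID 519). The cmdlet sees the logon token, not the
    #    directory, so a group added after logon only counts after a fresh logon.
    $forest     = Get-ADForest
    $rootDomain = Get-ADDomain -Identity $forest.RootDomain
    $rootDA     = "$($rootDomain.DomainSID.Value)-512"
    $rootEA     = "$($rootDomain.DomainSID.Value)-519"
    $tokenSids  = $identity.Groups | ForEach-Object { $_.Value }
    if (-not (($tokenSids -contains $rootDA) -or ($tokenSids -contains $rootEA))) {
        $problems.Add("Logon token holds neither Domain Admins of the forest root ($rootDA) nor Enterprise Admins ($rootEA); add the group and log on again.")
    }

    # 3. Forest functional level: one reply resolved the error by raising it to 2012.
    if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012Forest) {
        $problems.Add("Forest functional level is $($forest.ForestMode); Windows2012Forest or higher is required.")
    }

    return $problems
}

function New-KdsRootKeyChecked {
    [CmdletBinding()]
    param(
        # Lab convenience from the thread: backdate EffectiveTime by 10 hours so the
        # key is usable at once. Without it the key becomes usable 10 hours after
        # creation, which is the window meant for replication to every DC.
        [switch]$BackdateForLab
    )

    $problems = Test-KdsRootKeyPrerequisites
    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        throw 'Prerequisite check failed; fix the items above before calling Add-KdsRootKey.'
    }

    # The root key is forest-wide (one per forest); do not create another by accident.
    $existing = @(Get-KdsRootKey)
    if ($existing.Count -gt 0) {
        Write-Host "A KDS root key already exists (KeyId $($existing[0].KeyId)); nothing to do."
        return $existing[0].KeyId
    }

    $keyId = if ($BackdateForLab) {
        Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
    } else {
        Add-KdsRootKey -EffectiveImmediately
    }

    # Test-KdsRootKey reports whether the key is usable from this host yet.
    if (-not (Test-KdsRootKey -KeyId $keyId)) {
        Write-Warning "Key $keyId was created but is not usable here yet (effective time / replication)."
    }
    return $keyId
}

# Usage (from an elevated AD PowerShell session):
#   New-KdsRootKeyChecked                  # production: let the 10-hour window elapse
#   New-KdsRootKeyChecked -BackdateForLab  # lab: usable immediately, as in the thread
```

Running the check first turns the opaque HRESULT 0x80070032 into a named cause, and the existing-key guard matters because the thread's advice to "just run it from another machine" is easy to repeat after a key has already been created.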
  • This was answered 4 years ago. You've added nothing new here.
    Tuesday, December 18, 2018 5:38 PM
  • Not to offend you!!

    A lot of things have already happened in the past, but that doesn't mean they don't require improvements.

    We are here to help each other, not to poke anyone.

    If someone is proposing an answer in a systematic way, instead of appreciating it you are complaining... Great!!

    Tuesday, December 18, 2018 5:59 PM
  • The point is that you haven't added anything new here after 4 years, you've simply repeated what has already been posted and then marked your own post as a proposed answer.
    Tuesday, December 18, 2018 7:07 PM
  • Oh okay... did that offend you in any way?
    Tuesday, December 18, 2018 11:19 PM
  • On the Child DC running the PS as the enterprise admin solved the issue.
    Tuesday, March 26, 2019 5:46 PM
  • I just got the same error (originally installing ADFS asked me to configure that KDS Root Key). When I went to PowerShell I got your error. I restarted the server, opened PowerShell in admin mode (right click - Run as Administrator), and it worked.

    Six years later I think you've solved your problem, but this may help someone in the future.

    Luis

    Saturday, May 4, 2019 10:19 PM
  • This solution worked for me. Thank you, Fran.
    Monday, September 30, 2019 4:34 PM