New-ADServiceAccount : Key does not exist

    Question

  • OK so I've run the following command:

    Add-KdsRootKey -EffectiveImmediately

    and I got the following logged in the KdsSvc event log:

    Event ID: 4004

    Group Key Distribution Service created the first master root key in AD. The key ID is 841452df-e084-1857-750d-b8dae6a149eb.

    So all is good right? Apparently not... because even after a reboot, when I run this command (ripped straight from the example on TechNet):

    New-ADServiceAccount ITFarm1 -DNSHostName ITFarm1.mydomain.com -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts -KerberosEncryptionType RC4, AES128, AES256

    I get the following error:

    "Key does not exist"

    I only have one DC in this test environment and it is running Server 2012, and that's where I am running these PowerShell commands. Where am I going wrong?

    Thanks

    Chris


    My website (free apps I've written for IT Pro's) : www.cjwdev.co.uk My blog: cjwdev.wordpress.com

    Monday, July 16, 2012 6:19 PM

Answers

  • Hi,

    You must wait 10 hours from creation time to allow all DCs to converge AD replication before you can create a gMSA. The 10 hours prevents password generation from occurring before all DCs in the environment are capable of answering gMSA requests.

    If working in a test environment with a minimal number of DCs and the ability to guarantee immediate replication, please use:

    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

    This allows using gMSAs immediately, because it sets the start time 10 hours in the past.

    Hope this helps.

    Regards,

    Yan Li


    Yan Li

    TechNet Community Support

    Thursday, July 19, 2012 6:57 AM
    Moderator
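  The following script is an added example and is not part of the thread above. It checks whether a KDS root key already exists and whether its effective time has been reached before attempting to create the gMSA from the question; only in a lab (single DC, replication guaranteed) does it back-date a new key as the answer suggests. It assumes the ActiveDirectory module and the KDS cmdlets (Get-KdsRootKey, Test-KdsRootKey, Add-KdsRootKey) are available on the DC, and it reuses the names ITFarm1, ITFarm1.mydomain.com and ITFarmHosts from the question.

```powershell
# Added example, not from the thread: pre-flight the KDS root key before New-ADServiceAccount.
# Assumes RSAT / ActiveDirectory module and the KDS cmdlets, run as a Domain Admin on the DC.
Import-Module ActiveDirectory

# Set to $false in production. A back-dated root key must only be used where every DC
# is guaranteed to have the key before a gMSA password is generated (e.g. a single-DC lab).
$IsLab = $true

$now  = Get-Date
$keys = @(Get-KdsRootKey)
$usable = @($keys | Where-Object { $_.EffectiveTime -le $now })

if ($usable.Count -eq 0) {
    if ($keys.Count -gt 0) {
        # A key exists but its default effective time (creation + 10 hours) is still in the future.
        $earliest = ($keys | Sort-Object EffectiveTime | Select-Object -First 1).EffectiveTime
        Write-Warning "KDS root key present but not effective until $earliest; gMSA creation fails with 'Key does not exist' until then."
    } else {
        Write-Warning "No KDS root key found in this forest."
    }

    if ($IsLab) {
        # Lab only: back-date the effective time by 10 hours so the key is usable right away.
        $newKeyId = Add-KdsRootKey -EffectiveTime $now.AddHours(-10)
        Write-Host "Created lab root key $newKeyId (effective 10 hours ago)."
        $usable = @(Get-KdsRootKey | Where-Object { $_.EffectiveTime -le $now })
    } else {
        throw "No effective KDS root key. In production, wait for the default 10-hour window instead of back-dating."
    }
}

# Validate the newest effective key before relying on it.
$keyId = ($usable | Sort-Object EffectiveTime -Descending | Select-Object -First 1).KeyId
if (-not (Test-KdsRootKey -KeyId $keyId)) {
    throw "KDS root key $keyId failed validation."
}
Write-Host "Using KDS root key $keyId."

# The gMSA from the question. The original also listed RC4; it is omitted here because
# AES-only is the safer default where all hosts in ITFarmHosts support it.
New-ADServiceAccount -Name ITFarm1 `
    -DNSHostName ITFarm1.mydomain.com `
    -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts `
    -KerberosEncryptionType AES128, AES256

# On a member of ITFarmHosts, confirm the host can retrieve the managed password:
#   Install-ADServiceAccount ITFarm1
#   Test-ADServiceAccount ITFarm1
```

  The check on EffectiveTime is the point of the script: the event log entry in the question only proves the key was created, not that it is usable yet, so reading the key's EffectiveTime back with Get-KdsRootKey tells you whether "Key does not exist" is the 10-hour delay or a genuinely missing key.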

All replies

  • That would make sense if I had more than one DC... but I don't. I have a single DC, so using the -EffectiveImmediately argument should work instantly surely?

    My website (free apps I've written for IT Pro's) : www.cjwdev.co.uk My blog: cjwdev.wordpress.com

    Friday, July 20, 2012 2:06 PM
  • Yes, that would make sense for a domain with more than one DC, but maybe we should give it a test, to ensure the key was created successfully.

    Regards,

    Yan Li


    Yan Li

    TechNet Community Support

    Monday, July 23, 2012 2:35 AM
    Moderator
  • This helps. Thanks!
    Thursday, September 20, 2012 7:18 PM
  • Wow... this saved my bacon big time.  Great post.
    Tuesday, December 18, 2012 7:49 PM
  • Yup I was looking at Server 2012 docs and running R2 so I figured -EffectiveImmediately was just that but now I know better. Would be worth adding a little note in the PowerShell docs.
    Saturday, November 23, 2013 12:40 AM