Hello, You can find KDS-RootKey here: CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=domain,DC=local To view it, open dssite.msc click on top on "Active Directory Sites and Services" then click "View" and finally "Show Services Node" Only Domain admins, Enterprise Admins ans SYSTEM have full right on it For multiple Root key, if think it wont be a problem because it is only used to calculate password for gMSA
Source: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx Happy labs
