Delete KDS root Key

[AmrelMahdy]

Dears,

I'm having AD on Windows Server 2012 in my test lab , and i was practicing on how to make Single MSA , and the first step was to make the KDS root Key using the command "Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))" to be effective immediately , and during the test i had to run this command many times as i thought it would replace the KDS root key created , but when i ran this command "Get-KDSRootKey" i found all the root keys i created.

my Question is what is the effect of having many KDS root keys ?

and how i can delete them ?

[neodolphin]

Hello,

You can find KDS-RootKey here:

CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=domain,DC=local

To view it, open dssite.msc click on top on "Active Directory Sites and Services" then click "View" and finally "Show Services Node"
Only Domain admins, Enterprise Admins ans SYSTEM have full right on it

For multiple Root key, if think it wont be a problem because it is only used to calculate password for gMSA

If so, it uses a pre-determined algorithm to compute the password (120 characters). This algorithm depends upon a root key ID that is shared across all Windows Server 2012 KDS instances (pre-generated by an administrator), the current time (translated to an epoch) and the SID of the gMSA.

Source: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

Happy labs