AmrelMahdy

Delete KDS root Key

Question

Dears,

I have AD on Windows Server 2012 in my test lab, and I was practicing how to make a Single MSA. The first step was to create the KDS root key using the command "Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))" so that it is effective immediately. During the test I had to run this command many times, as I thought it would replace the KDS root key already created, but when I ran the command "Get-KdsRootKey" I found all the root keys I had created.

My question is: what is the effect of having many KDS root keys?

And how can I delete them?


1 answer to this question


Hello,

You can find KDS-RootKey here:

CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=domain,DC=local

To view it, open dssite.msc, click at the top on "Active Directory Sites and Services", then click "View" and finally "Show Services Node".
Only Domain Admins, Enterprise Admins and SYSTEM have full rights on it.

For multiple root keys, I think it won't be a problem because it is only used to calculate the password for gMSA.

If so, it uses a pre-determined algorithm to compute the password (120 characters). This algorithm depends upon a root key ID that is shared across all Windows Server 2012 KDS instances (pre-generated by an administrator), the current time (translated to an epoch) and the SID of the gMSA.

Source: http://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx

Happy labs ^_^

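An added example, not part of the original posts: a read-only PowerShell inventory of the KDS root keys that matches what Get-KdsRootKey reports against the objects in the "Master Root Keys" container named in the answer, and lists who can modify that container. It assumes the ActiveDirectory and Kds modules are available, that each key object's CN is its key GUID, and that group names are the English defaults.

```powershell
Import-Module ActiveDirectory

# Build the container DN from the forest's configuration naming context
# instead of hard-coding DC=domain,DC=local.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNC"

# 1. Root keys as reported by the KDS cmdlet (oldest first).
$kdsKeys = Get-KdsRootKey | Sort-Object CreationTime

# 2. The same keys as directory objects, one object per key.
$adKeys = Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * -Properties whenCreated

# 3. Join both views. KeyValue is deliberately left out: it is key material
#    and should not end up in console transcripts or tickets.
$kdsKeys | ForEach-Object {
    $id = $_.KeyId.ToString()
    [pscustomobject]@{
        KeyId         = $id
        EffectiveTime = $_.EffectiveTime
        CreationTime  = $_.CreationTime
        ObjectDN      = ($adKeys | Where-Object Name -eq $id).DistinguishedName
    }
} | Format-Table -AutoSize

# 4. Audit who can change or delete keys in the container.
#    Individual write bits are used so that read-only ACEs do not match.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl,WriteOwner,WriteProperty,Delete,DeleteTree,CreateChild,DeleteChild'
$expected  = '(\\(Domain Admins|Enterprise Admins)$)|(^NT AUTHORITY\\SYSTEM$)'   # assumption: English names

(Get-Acl -Path "AD:\$container").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $writeMask) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
        @{ Name = 'Expected'; Expression = { $_.IdentityReference.Value -match $expected } } |
    Sort-Object Expected |
    Format-Table -AutoSize
```

Rows with Expected = False are principals outside the three named in the answer that hold write or delete rights on the root key container.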
