The Get-KdsRootKey command returns a decommissioned DC.


Max Coder

Sep 30, 2025, 8:36:23 AM
to ntsysadmin
Hi,

I need to configure a gMSA user in the Specops application.

According to the article, I need to run the Get-KdsRootKey command.

However, when I run the following command, it returns the previously decommissioned DC02 hostname.

The environment contains a forest root and a tree domain.

I ran this command on the child domain.

PS C:\Windows\system32> Get-KdsRootKey

AttributeOfWrongFormat :
KeyValue             : {216, 26, 81, 249...}
EffectiveTime        : 12/7/2016 1:37:19 PM
CreationTime         : 12/7/2016 1:37:19 PM
IsFormatValid        : True
DomainController     : CN=DC02\0ADEL:45442d45-51b7-4a59-a4b5-e04a4020b0ea,CN=Deleted Objects,DC=CONTOSO,DC=DOMAIN
ServerConfiguration  : Microsoft.KeyDistributionService.Cmdlets.KdsServerConfiguration
KeyId                : 0a356a57-49f4-38df-b910-4ace3ce65ac3
VersionNumber        : 1


My questions are:

1 - Is it possible to create a new key? If so, what does that mean for the existing MSAs?

2 - Do I need to create a new KDS key for the gMSA user? Or should I continue this way?

Wright, John M

Sep 30, 2025, 8:46:30 AM
to ntsys...@googlegroups.com

AFAIK, you can just run “Add-KdsRootKey -EffectiveImmediately” and restart Kdssvc on all the DCs to regenerate the passwords. If you don’t restart those services, it takes up to 10 hours to become effective.

Once you’ve done that, and verified the new gMSA is working, you might want to get rid of the old key:  Remove or delete KDSRootKey (KDS Root Key)
--

John Wright

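As an added example (not from the thread, and not Specops or Microsoft code), here is a PowerShell audit that shows what the `\0ADEL:` reference actually means before anyone adds a second root key: it lists each KDS root key with whether it is effective and retrievable from this host, flags keys whose creating DC is now a deleted object, and reads which root key each existing gMSA is bound to. Assumptions are labelled in the comments: the byte offset used to pull the root key GUID out of `msDS-ManagedPasswordId`, and the gMSA name `svc-specops$`.

```powershell
# Added example: audit KDS root keys and gMSA bindings before deciding whether a new key is needed.
# Requires the ActiveDirectory module and rights to read the KDS configuration (run on a DC as a Domain Admin).
Import-Module ActiveDirectory

function Get-KdsRootKeyReport {
    # DomainController is only the DC that created the key. A "\0ADEL:" DN means that DC object
    # now sits in Deleted Objects; the key material itself is unaffected and still usable.
    Get-KdsRootKey | ForEach-Object {
        [pscustomobject]@{
            KeyId            = $_.KeyId
            EffectiveTime    = $_.EffectiveTime
            IsEffective      = $_.EffectiveTime -le (Get-Date)
            CreatorDcDeleted = $_.DomainController -match '\\0ADEL:'
            Retrievable      = Test-KdsRootKey -KeyId $_.KeyId   # $true if this host can use the key
        }
    }
}

function Get-GmsaRootKeyBinding {
    # Assumption: in msDS-ManagedPasswordId the root key GUID starts at byte offset 24, after six
    # 4-byte fields (Version, Reserved, IsPublicKey, L0Index, L1Index, L2Index). Verify against the
    # KeyId values above before relying on it.
    Get-ADServiceAccount -Filter * -Properties msDS-ManagedPasswordId | ForEach-Object {
        $blob = $_.'msDS-ManagedPasswordId'
        $rootKey = if ($blob -and $blob.Length -ge 40) { [guid]::new([byte[]]$blob[24..39]) } else { $null }
        [pscustomobject]@{ Name = $_.Name; RootKeyId = $rootKey }
    }
}

$keys = Get-KdsRootKeyReport
$keys | Format-Table -AutoSize
Get-GmsaRootKeyBinding | Format-Table -AutoSize

# Add a key only if no effective, retrievable key exists. Adding a key does not touch existing
# gMSAs: each keeps deriving its password from the root key recorded in its own attribute.
if (-not ($keys | Where-Object { $_.IsEffective -and $_.Retrievable })) {
    Add-KdsRootKey -EffectiveImmediately
    Write-Host 'New root key added; it may take up to 10 hours before new gMSAs can use it.'
}

# On the host where the gMSA is installed, confirm it can retrieve its password (name assumed):
# Test-ADServiceAccount -Identity 'svc-specops$'
```

If the existing key reports IsEffective and Retrievable as True, the deleted creator DC is cosmetic and the gMSA can be created against that key as-is.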

James Iversen

Sep 30, 2025, 8:46:45 AM
to ntsys...@googlegroups.com
At least it’s in Deleted Objects and not still in the Domain Controllers OU.

maxcoder1

Sep 30, 2025, 9:27:23 AM
to ntsys...@googlegroups.com
So there is no need to create a new KDS key. If this KDS key is present, can I continue configuring the application? Am I correct?