Hey everyone! I'm struggling with an issue while trying to set up a Group Managed Service Account (gMSA). I've successfully created a KDS root key using the command `Add-KdsRootKey -EffectiveImmediately`, and it's been over two days since its creation, so I shouldn't be facing any issues with replication delay. However, whenever I attempt to run `New-ADServiceAccount`, I keep getting the error message "The key does not exist." I've confirmed that the KDS root key is present by running `Get-KdsRootKey`. I'm hoping someone here has encountered this before and might know if I'm missing something, as everything seems fine with the key and the waiting period has passed. Any insights would be greatly appreciated!
2 Answers
Here are a few things to check:
- Ensure that you have the correct permissions to create gMSAs. Sometimes it helps to specify an Organizational Unit (OU) where you know you have the rights to create objects.
- Additionally, confirm that Active Directory replication is functioning properly.
- Make sure your Domain Functional Level (DFL) and Forest Functional Level (FFL) are sufficiently high as well; low levels could cause issues.
Start there and see if any of these fix the problem!
Don't forget to verify your KDS root key configuration. You can check it with the cmdlet `Test-KdsRootKey -KeyId (Get-KdsRootKey).KeyId`. It should return True if everything is set up correctly. This is a good way to catch any misconfigurations that might be causing the issue!
I ran that command, and it returned "true," so the key seems valid. Any other suggestions?

Thanks for the tips! I ran the command as a domain admin and checked that I can create objects in the OU. I also verified replication, and everything seems fine. My DFL/FFL is set to 2016, which should be good enough, right?
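Pulling the checks from both answers into one script, as an added example that is not from any poster in this thread. It assumes a gMSA named `svc-web01`, host `web01.corp.example`, an AD group `gMSA-Web-Hosts` and the OU `OU=ServiceAccounts,DC=corp,DC=example`; it also pins every query to one writable DC so a key missing on a lagging DC does not masquerade as a missing key.

```powershell
Import-Module ActiveDirectory

$gmsaName = 'svc-web01'                             # assumed
$dnsHost  = 'web01.corp.example'                    # assumed
$allowed  = 'gMSA-Web-Hosts'                        # assumed group of hosts allowed the password
$targetOu = 'OU=ServiceAccounts,DC=corp,DC=example' # assumed

# Use one writable DC for every query so replication lag cannot skew the result.
$dc = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
"Checking against DC: $dc"

# 1. KDS root key must exist on THIS DC and be effective. The usual reading of the
#    docs is that KDS only uses a key 10 hours after its EffectiveTime (assumption).
$keys = Get-KdsRootKey -Server $dc
if (-not $keys) { throw "No KDS root key visible on $dc. Run Add-KdsRootKey on a DC." }

foreach ($k in $keys) {
    $usable = $k.EffectiveTime.AddHours(10) -le (Get-Date)
    $testOk = Test-KdsRootKey -KeyId $k.KeyId
    '{0}  created={1:u}  effective={2:u}  usable={3}  test={4}' -f `
        $k.KeyId, $k.CreationTime, $k.EffectiveTime, $usable, $testOk
}
if (-not ($keys | Where-Object { $_.EffectiveTime.AddHours(10) -le (Get-Date) })) {
    throw 'A KDS root key exists but is not yet usable; wait or check EffectiveTime.'
}

# 2. Functional levels: gMSA requires Windows Server 2012 or later.
'DomainMode={0}  ForestMode={1}' -f (Get-ADDomain -Server $dc).DomainMode,
                                     (Get-ADForest -Server $dc).ForestMode

# 3. Create the gMSA, restricting who may retrieve its managed password
#    to the host group rather than a broad principal.
New-ADServiceAccount -Name $gmsaName -DNSHostName $dnsHost `
    -PrincipalsAllowedToRetrieveManagedPassword $allowed `
    -Path $targetOu -Server $dc -Enabled $true

# 4. Confirm the object and its retrieval principals on the same DC.
Get-ADServiceAccount -Identity $gmsaName -Server $dc `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword
```

If step 1 passes on one DC but `New-ADServiceAccount` still fails without `-Server`, the cmdlet was most likely talking to a DC that has not yet replicated the key.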