I have a Windows Server 2012 domain controller (sole DC and first computer in the domain), all freshly built and all up to date. I'm trying to create a group Managed Service Account (gMSA), which requires a KDS Root Key first. I launch the Active Directory Module for Windows PowerShell using Run as Administrator and issue the following:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-11))
I get an error "The request is not supported".
If I change it to -EffectiveImmediately, I get the same error.
The KDS cmdlets are installed and I can use them to list keys (empty) and view configuration – I just can't seem to add a KDS root key. I've struggled with this for two days now – any suggestions?
Best Answer
FYI for anyone finding this question in the future. I was able to resolve it like this:
Hope this helps someone.