This topic shows you how to create a group Managed Service Account (gMSA) in Managed Service for Microsoft Active Directory. You should follow these standard instructions for setting up the account and incorporate the following special considerations for Managed Microsoft AD.
Do not create a KDS root key
Usually, the first time you create a gMSA in a domain, you must first generate a Key Distribution Service (KDS) root key, because a gMSA's managed password is derived from that key. Managed Microsoft AD generates the KDS root key for you when it creates the domain, so skip that step in the standard instructions; creating a second root key is neither needed nor possible with the permissions a Managed Microsoft AD domain grants you.
Viewing the KDS root key
To view the KDS root key, complete the following steps.
Before you begin, be sure that the Active Directory Sites and Services tool is installed from Remote Server Administration Tools (RSAT).
- In Windows, launch the Active Directory Sites and Services tool. To launch this tool, open the Run dialog box and enter dssite.msc.
- In the Active Directory Sites and Services tool, open the View menu.
- In the View menu, select Show Services Node.
- In the left pane, select Services > Group Key Distribution Service > Master Root Keys.
- The right pane lists the KDS root keys for your domain. Select a key to view its details.
Note that in a Managed Microsoft AD domain the Get-KdsRootKey PowerShell cmdlet returns an empty response even though a valid KDS root key exists. The cmdlet only returns the key when you run it as a Domain Admin, so an empty result from Get-KdsRootKey is not evidence that the key is missing. Use the Active Directory Sites and Services steps above to confirm that the key exists.
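The Sites and Services console above is reading the Master Root Keys container in the Configuration partition over LDAP, so the same check can be scripted. The following is an added example, not code from the Managed Microsoft AD documentation: it reads the key objects with Get-ADObject instead of Get-KdsRootKey, and fails loudly if none are found. It assumes the ActiveDirectory RSAT module is installed, that your account can read the Configuration partition (the same permission the console uses), and that the msKds-CreateTime and msKds-UseStartTime attributes hold FILETIME values, which is the standard schema.

```powershell
# Added example: confirm the pre-provisioned KDS root key exists by reading
# the Configuration naming context over LDAP. Get-KdsRootKey is deliberately
# not used because it returns nothing unless the caller is a Domain Admin.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$kdsBase  = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNC"

# Each KDS root key is an msKds-ProvRootKey object named by its key GUID.
$rootKeys = Get-ADObject -SearchBase $kdsBase -SearchScope OneLevel `
    -Filter { objectClass -eq "msKds-ProvRootKey" } `
    -Properties msKds-CreateTime, msKds-UseStartTime, msKds-DomainID, msKds-Version

if (-not $rootKeys) {
    throw "No KDS root key found under $kdsBase; gMSA password generation cannot work."
}

foreach ($k in $rootKeys) {
    [pscustomobject]@{
        KeyId        = $k.Name
        # Assumption: these attributes are stored as FILETIME (Int64), as in the standard schema.
        CreateTime   = [DateTime]::FromFileTimeUtc([int64]$k.'msKds-CreateTime')
        UseStartTime = [DateTime]::FromFileTimeUtc([int64]$k.'msKds-UseStartTime')
        DomainId     = $k.'msKds-DomainID'
        Version      = $k.'msKds-Version'
    }
}

# For contrast: in Managed Microsoft AD this returns nothing for a non-Domain-Admin caller,
# even though the LDAP query above just listed the key.
Get-KdsRootKey
```

UseStartTime is worth looking at: a root key is only usable for gMSA password derivation once that time has passed, which is why a freshly created key in an ordinary domain is usually back-dated. In Managed Microsoft AD the key is created with the domain, so by the time you create a gMSA it is already in effect.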
Create the account under the Managed Service Accounts OU
For a Managed Microsoft AD domain, create new gMSAs under the Managed Service Accounts organizational unit (OU). By default, the New-ADServiceAccount cmdlet creates new gMSAs in this location, so you do not need to specify a different location. Learn about the New-ADServiceAccount cmdlet.
Delegate administration of Managed Service Accounts
You can delegate the administration of Managed Service Accounts to a user by adding them to the Cloud Service Managed Service Account Administrators group. Learn about the groups that Managed Microsoft AD creates for you.
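The two sections above are the complete procedure for a Managed Microsoft AD domain: create the gMSA in the default location without adding a KDS root key, then delegate. The following is an added example, not code from the Managed Microsoft AD documentation. The gMSA name svc-web01, the host computer account web01, and the delegate user alice are assumed placeholders; the script also assumes the ActiveDirectory module is installed and that Managed Service Accounts sits directly under the domain root, as it does in a standard AD layout.

```powershell
# Added example: create a gMSA in Managed Microsoft AD, verify where it landed,
# and delegate gMSA administration. Names below are assumed placeholders.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$gmsaName     = "svc-web01"   # assumed gMSA name
$hostName     = "web01"       # assumed existing member-server computer account
$delegateUser = "alice"       # assumed user to receive gMSA admin rights

# Note what is NOT here: no Add-KdsRootKey. Managed Microsoft AD provisioned the
# KDS root key when the domain was created.

# Only the listed principals may retrieve the managed password; keep this to the
# computer accounts that actually run the service rather than a broad group.
$allowedHosts = Get-ADComputer -Identity $hostName

New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$($domain.DNSRoot)" `
    -PrincipalsAllowedToRetrieveManagedPassword $allowedHosts `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256   # disallow RC4 for this account

# Verify the account was created under Managed Service Accounts (no -Path was needed).
$gmsa = Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$msaContainer = Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope OneLevel `
    -Filter { name -eq "Managed Service Accounts" }

if (-not $gmsa.DistinguishedName.EndsWith($msaContainer.DistinguishedName)) {
    throw "gMSA was created at $($gmsa.DistinguishedName), expected under $($msaContainer.DistinguishedName)"
}

"Created $($gmsa.DistinguishedName)"
"Password retrievable by: $($gmsa.PrincipalsAllowedToRetrieveManagedPassword -join ', ')"

# Delegate gMSA administration through the group Managed Microsoft AD provides,
# rather than by editing ACLs on the container yourself.
Add-ADGroupMember -Identity "Cloud Service Managed Service Account Administrators" `
    -Members $delegateUser

Get-ADGroupMember -Identity "Cloud Service Managed Service Account Administrators" |
    Select-Object Name, SamAccountName
```

After the account exists, the remaining steps run on the member server itself rather than on the management host: Install-ADServiceAccount svc-web01 followed by Test-ADServiceAccount svc-web01, which returns True only if that computer is one of the principals allowed to retrieve the managed password.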