Create the Key Distribution Services KDS Root Key

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This topic for the IT professional describes how to create a Microsoft Key Distribution Service (kdssvc.dll) root key on the domain controller using Windows PowerShell to generate group Managed Service Account passwords in Windows Server 2012.

Windows Server 2012 domain controllers (DCs) require a root key before they can begin generating gMSA passwords. The domain controllers will wait up to 10 hours from the time the key is created, so that all domain controllers can converge their AD replication, before allowing the creation of a gMSA. The 10 hours is a safety measure to prevent password generation from occurring before all DCs in the environment are capable of answering gMSA requests. If you try to use a gMSA too soon, the key might not have been replicated to all Windows Server 2012 DCs, and password retrieval might therefore fail when the gMSA host attempts to retrieve the password. gMSA password retrieval failures can also occur when using DCs with limited replication schedules or if there is a replication issue.

Membership in the Domain Admins or Enterprise Admins groups, or equivalent, is the minimum required to complete this procedure. For detailed information about using the appropriate accounts and group memberships, see Local and Domain Default Groups.

Note

A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group Managed Service Accounts.

To create the KDS root key using the New-KdsRootKey cmdlet

  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell Active Directory module, type the following command, and then press ENTER:

    Add-KdsRootKey -EffectiveImmediately

    Tip

    The EffectiveTime parameter can be used to give time for keys to be propagated to all DCs before use. Using Add-KdsRootKey -EffectiveImmediately will add a root key to the target DC, which the KDS service will use immediately. However, other Windows Server 2012 DCs will not be able to use the root key until replication is successful.

For test environments with only one DC, you can create a KDS root key and set the start time in the past to avoid the interval wait for key generation by using the following procedure. Validate that a 4004 event has been logged in the KDS event log.

To create the KDS root key in a test environment for immediate effectiveness

  1. On the Windows Server 2012 domain controller, run Windows PowerShell from the Taskbar.

  2. At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:

    $a=Get-Date

    $b=$a.AddHours(-10)

    Add-KdsRootKey -EffectiveTime $b

    Or use a single command:

    Add-KdsRootKey -EffectiveTime ((get-date).addhours(-10))
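The following script is an added example, not part of the original Microsoft topic. It runs the backdated single-DC test procedure above end to end, then performs the checks a practitioner would want before relying on the key: it confirms the key object is present and effective, asks KDS whether the key is usable on this DC, and looks for the 4004 event. It assumes an elevated session on the DC, and the KDS operational log name and the property names on the Get-KdsRootKey output are assumptions.

```powershell
# Added example (not from the original topic). Assumes an elevated PowerShell
# session on a single test-lab DC with Domain Admin rights.
Import-Module ActiveDirectory

# Backdate the effective time by 10 hours so the replication wait is skipped.
# Only appropriate in a one-DC test environment, as the topic describes.
$effective = (Get-Date).AddHours(-10)
$keyId = Add-KdsRootKey -EffectiveTime $effective   # returns the new key's GUID

# Check 1: the root key object exists and its EffectiveTime is in the past.
# (KeyId/EffectiveTime property names on the returned object are assumed.)
$key = Get-KdsRootKey | Where-Object { $_.KeyId -eq $keyId }
if (-not $key) { throw "Root key $keyId was not returned by Get-KdsRootKey" }
if ($key.EffectiveTime -gt (Get-Date)) { throw "Root key $keyId is not effective yet" }
"Root key $($key.KeyId) effective since $($key.EffectiveTime)"

# Check 2: KDS reports the key as usable on this DC.
if (-not (Test-KdsRootKey -KeyId $keyId)) { throw "Test-KdsRootKey failed for $keyId" }

# Check 3: event 4004 was logged. The log name below is an assumption.
$logName = 'Microsoft-Windows-KdsSvc/Operational'
$evt = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4004 } `
       -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) {
    "Event 4004 logged at $($evt.TimeCreated): $($evt.Message)"
} else {
    Write-Warning "No event 4004 found in $logName; check the KDS event log manually"
}
```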

See Also

Getting Started with Group Managed Service Accounts