Menu
I'm trying to create Managed Service Accounts for using with SQL Server' services in AD DS on Windows Server 2012 R2. I use the following PowerShell command:
Import-Module ActiveDirectory
New-ADServiceAccount -Name "SQLDBEngine" -DNSHostName "<hostname with AD integrated DNS>" -Enabled $true
But receive the following error message:
Key does not exist
+ CategoryInfo : NotSpecified: (CN=SQLDBEngine,...HMS-BI,DC=LOCAL:String) [New-ADServiceAccount], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:-2146893811,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount
Looks like I did everything correct but still unable create managed account. Error message seems not so informative. Any ideas how to debug or fix the issue?
796
I found the blog-post here that helped me to solve the problem. The point was that there's a new service in Windows Server 2012 named Key Distribution Service (KDS) and before starting to add new managed accounts one need to add KDS root key with the following PS command for the immediate effectiveness:
Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With