Add-KDSRootKey fails with "Request not supported" error

I'm trying to create a group Managed Service Account (gMSA) on a newly installed Win2012 DC (the first computer in the domain). Creating the gMSA requires you to first create a KDS root key. I launch the Active Directory Module for Windows PowerShell using Run as Administrator and issue the following:

Add-KDSRootKey -EffectiveTime ((get-date).addhours(-11))

I get an error "The request is not supported". If I change it to -EffectiveImmediately, I get the same error.

Add-KDSRootKey : The request is not supported. (Exception from HRESULT: 0x80070032)... Exception from HRESULT: Microsoft.KeyDistributionService.Cmdlets.AddKDSRootKeyCommand

The KDS cmdlets are installed (I can query/use with get-help KDS) and I can use them to list keys (empty) and view configuration - I just can't seem to add a KDS root key. When I look in my AD Sites and Services at the Services\Root Key, it's empty. I've struggled with this for two days now - any suggestions?

October 2nd, 2013 2:37pm

This would be best asked in the PKI forum. I will move it there.
October 2nd, 2013 3:11pm

Please can you confirm that the user you're using is a member of "Domain Admins".

I had the same issue (and found this post as a result). After testing I found that in my case the user I was using was only in the "Administrators" group. After testing, it turned out to be the missing Domain Admins group membership.

October 3rd, 2013 9:07am

Thanks, everyone.

Yan - I think it's quite premature to propose an "answer" at this point, don't you?

To answer the question, yes I am logged in as a member of the domain admins group (I've tried two accounts that were both domain admins).

A further update - I rebooted and noticed an odd behavior: on the first execution of Add-KDSRootKey, I get a different error:

Add-KDSRootKey : Could not load file or assembly Microsoft.KeyDistributionService.Cmdlets

You can see in the screenshot that I'm (a) using AD Powershell, and (b) the KDS module is successfully loaded. Once I run the command a second time (after a reboot), I then receive the "Request is not supported" error.

October 3rd, 2013 11:49am

Paul (A.) is (as usual) correct. This is a DS-related topic...

Post the output of
Get-Module

Have you tried actually loading the corresponding module explicitly (Import-Module)? What happens when you run it?

hth
Marcin


October 3rd, 2013 12:55pm

Thanks, Marcin.

Get-Module shows only ActiveDirectory and Powershell Management loaded.

If I use Import-Module KDS, then run Get-Module, KDS is added. If I then launch Add-KdsRootKey, it fails with the request is not supported: http://i.imgur.com/0TO907W.png


(FYI - I'm logged in as domain admin)
October 3rd, 2013 3:58pm

Have you tried removing/re-adding RSAT from the DC?

Have you tried installing RSAT on another WS2012 and running it from there?

hth
Marcin

  • Marked as answer by MrSanFranMan2 Monday, October 07, 2013 2:11 PM
October 4th, 2013 2:43pm

Sweet! I added the RSAT tools to another non-DC in the domain, logged on as administrator, and bam - got it done. Thanks!

FYI - you can't remove RSAT from a DC (at least, you can't in 2012+).

October 7th, 2013 2:11pm

I've tried everything listed here... And I'm still getting the same error message: The request is not supported. (Exception from HRESULT: 0x80070032)

I was hoping someone could provide some advice, thanks in advance.

February 13th, 2014 9:06pm

The forest functional level needs to be Windows Server 2012, apparently... This solved my issue.
February 14th, 2014 12:06am

I was also able to run this from just a regular workstation. Didn't need to do it from a DC.

FYI for anyone finding this question in the future. I was able to resolve it like this:

  • (1) Log on to another non-DC in the domain 
  • (2) Log on as a domain admin 
  • (3) Install/add the RSAT tools (the AD ones in particular)
  • (4) Launch the PowerShell AD tool
  • (5) Run the Add-KDSRootKey from the new machine.

March 28th, 2014 11:03pm
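The steps above, plus the conditions reported elsewhere in this thread (elevation, forest functional level, and Enterprise Admin or forest-root Domain Admin rights), collected into one script. This is an added editor's example, not code from any post; it assumes a domain-joined machine with the AD RSAT tools installed and treats the single-DC lab flag and the backdated EffectiveTime as assumptions you set for your environment.

```powershell
# Added example (editor's, not from any post in this thread): check the
# conditions the thread identifies before calling Add-KdsRootKey, then verify
# the key. Run in an elevated PowerShell session on a domain-joined machine
# with the AD RSAT tools installed (DC or member server both work per the thread).
Import-Module ActiveDirectory
Import-Module Kds     # the AD module does not load the KDS cmdlets for you

# 1. Elevation: Domain Admins logged on without "Run as Administrator" still fail.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Start PowerShell with 'Run as Administrator' and retry."
}

# 2. Forest functional level: the thread reports Windows Server 2012 is required.
$forest = Get-ADForest
if ([int]$forest.ForestMode -lt [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012Forest) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows2012Forest or higher first."
}

# 3. Rights: Enterprise Admins, or Domain Admins of the forest root domain.
#    A Domain Admin of a child/resource domain gets 0x80070032 in this thread.
$rootSid   = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$eaSid     = "${rootSid}-519"    # well-known RID for Enterprise Admins
$rootDaSid = "${rootSid}-512"    # well-known RID for Domain Admins (forest root)
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }
if (($tokenSids -notcontains $eaSid) -and ($tokenSids -notcontains $rootDaSid)) {
    throw "Log on as an Enterprise Admin or a forest-root Domain Admin."
}

# 4. Create the key. Production: keep the default, which makes the key effective
#    10 hours from now so every DC has replicated it before gMSAs use it.
#    Lab (single DC): the backdated EffectiveTime used in the question is fine.
$singleDcLab = $true                              # assumption; set $false in production
if ($singleDcLab) {
    $keyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
} else {
    $keyId = Add-KdsRootKey
}

# 5. Verify: the key object lives in the Master Root Keys container of the
#    Configuration partition, and Test-KdsRootKey confirms this host can use it.
$key = Get-KdsRootKey | Where-Object { $_.KeyId -eq $keyId }
"KeyId {0}  Effective {1}  DN {2}" -f $key.KeyId, $key.EffectiveTime, $key.DistinguishedName
Test-KdsRootKey -KeyId $keyId                     # $true when this host can use the key
```

Each check throws with the fix the thread arrived at, so a failure tells you which of the three conditions you are missing instead of the generic "request is not supported".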

Was there ever a workable solution to this issue? I'm having the same issue and I have tried the last solution of using a non-DC Server 2012 R2 member server with RSAT installed, and I still get the same error message. Funny thing is that the command worked on my forest root DC. I'm trying this on my resource domain. Any suggestions greatly appreciated.

April 8th, 2014 8:39pm

This didn't work for me, but in playing in my DEV domain, it seems you need Enterprise Admin or Domain Admin in the forest root domain for this command to work. I think you could delegate this by changing the ACL on the following container (assuming you use contoso.com as your domain, change it for your environment).

CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=contoso,DC=com

I would recommend just leveraging an Enterprise Admin account when doing this for your resource domains.

November 21st, 2014 4:44pm
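An added editor's example (not from any post) that inspects the ACL on the container named in the post above and shows how the delegation the poster suggests would be applied. The group name is hypothetical, the container DN is built from your own Configuration partition rather than the contoso.com placeholder, and the assumption that CreateChild plus WriteProperty on the container is enough for Add-KdsRootKey is the poster's untested idea, so the write is left under -WhatIf. One caveat before delegating at all: future gMSA passwords across the forest derive from the newest effective root key, and whoever creates a key object owns it, so granting create rights here is close to granting the forest's gMSA secrets; keep it to Enterprise Admins unless you have a strong reason.

```powershell
# Added example (editor's, not from any post): who can create KDS root keys,
# and how the previous poster's delegation idea would be applied.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNC"

# 1. Who already holds create/write rights here? Enterprise Admins and the
#    forest-root Domain Admins normally show up as inherited entries from the
#    Configuration partition, which is why a resource-domain DA fails.
$acl = Get-Acl -Path "AD:\$container"
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'CreateChild|GenericAll|WriteProperty' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 2. Delegation. 'KDS Root Key Operators' is a hypothetical group; the rights
#    chosen are an assumption, not a documented requirement. Test in a lab and
#    remove -WhatIf only once Add-KdsRootKey succeeds for that group.
$delegate = Get-ADGroup -Identity 'KDS Root Key Operators'    # assumed to exist
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteProperty'
$ace      = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $delegate.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$container" -AclObject $acl -WhatIf
```

Running step 1 alone on both the forest root and a resource domain shows the difference the thread observed: the resource-domain Domain Admins group does not appear in that list, while the forest-root one does.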

I had this same issue and fixed it by running PowerShell as administrator. Yes, I was logged in as a Domain Admin, but I still needed to select Run As. Good luck.
  • Proposed as answer by mikerez Thursday, May 07, 2015 8:48 PM
December 12th, 2014 4:03pm

Yep, right-click Powershell > "Run as Administrator". This resolved the issue for me as well.

May 7th, 2015 8:49pm

You first must be a Domain Admin, then run PowerShell as Administrator and retry.
June 20th, 2015 1:45pm
