I'm trying to create a group Managed Service Account (gMSA) on a newly installed Win2012 DC (first computer on the domain). Creating the gMSA requires you to first create a KDS Root Key. I launch the Active Directory Module for Windows PowerShell using Run as Administrator and issue the following:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-11))
I get the error "The request is not supported". If I change it to -EffectiveImmediately, I get the same error:
Add-KDSRootKey : The request is not supported. (Exception from HRESULT: 0x80070032)... Exception from HRESULT: Microsoft.KeyDistributionService.Cmdlets.AddKDSRootKeyCommand
The KDS cmdlets are installed (I can query them with Get-Help KDS) and I can use them to list keys (the list is empty) and view the configuration; I just can't seem to add a KDS root key. When I look in AD Sites and Services under Services\Group Key Distribution Service\Master Root Keys, it's empty. I've struggled with this for two days now. Any suggestions?
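For reference, the documented sequence for standing up the KDS root key and then creating a gMSA, with the verification steps that confirm the key actually landed in the directory. This is an added example, not the poster's session and not a fix for the HRESULT above; the account name, DNS host name and computer account in the last step are hypothetical placeholders.

```powershell
# Added example (not the poster's code): the standard gMSA prerequisite sequence
# on a domain controller, run from an elevated Windows PowerShell session that
# has the ActiveDirectory and KDS cmdlets available.

Import-Module ActiveDirectory

# Inspect the current KDS state before adding anything.
Get-KdsConfiguration
Get-KdsRootKey

# Production forests: create the key now; it becomes usable only after the
# 10-hour window that gives every DC time to replicate it.
$keyId = Add-KdsRootKey -EffectiveImmediately

# Single-DC lab only: backdate the effective time so the key is usable at once.
# This skips the replication safety window, so do not use it in a multi-DC forest.
# $keyId = Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Verify the key was written and is structurally valid.
Get-KdsRootKey | Format-List KeyId, EffectiveTime, CreationTime, IsFormatValid
Test-KdsRootKey -KeyId $keyId

# Once the key is effective, create the gMSA and restrict password retrieval to
# the specific host(s) that need it (hypothetical names; least privilege applies).
New-ADServiceAccount -Name "svc-example" `
    -DNSHostName "svc-example.corp.example" `
    -PrincipalsAllowedToRetrieveManagedPassword "APP01$"

# Confirm the account exists and which principals may fetch its password.
Get-ADServiceAccount -Identity "svc-example" -Properties PrincipalsAllowedToRetrieveManagedPassword
```

Get-KdsRootKey returning an empty result after Add-KdsRootKey indicates the key was never written, which matches what the poster sees in AD Sites and Services; Test-KdsRootKey is the quickest way to distinguish "no key" from "a key that exists but is malformed".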