Step 1 - Create the KDS root key. This needs to run on a domain controller with Domain Admin or Enterprise Admin privileges.
For a production environment, run the following command in PowerShell:
Add-KdsRootKey -EffectiveImmediately
In a test environment, use the command below to remove the waiting time (the key is backdated so it becomes usable at once instead of after replication):
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
To check whether the key has been created:
Get-KdsRootKey
Step 2 - Run the command below to create the gMSA account:
New-ADServiceAccount "gmsauser" -DNSHostName "dc1.example.com" -PrincipalsAllowedToRetrieveManagedPassword "gmsaGroup"
Step 3 - Use the steps below to give the host server read access:
a) Server Manager => Tools => Active Directory Administrative Center
b) Locate the gMSA user created in Step 2
c) Under Security, add each of the domain controllers with read access
d) Also add the actual client machine (the server that will run the service)
e) Reboot each server, including the DCs
Step 4 - To install the gMSA on a server, open a PowerShell terminal and type the following commands:
Install-ADServiceAccount -Identity gmsauser
Test-ADServiceAccount gmsauser
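The four steps above, carried through as one script. This is an added example, not code from the original how-to; it assumes the domain example.com, the gMSA name gmsauser and group gmsaGroup from the steps above, and a hypothetical service host APP01 (app01.example.com). The AES-only Kerberos setting, the 30-day rotation and the final check of who may retrieve the password are additions not present in the original steps.

```powershell
# Added example (not part of the original how-to). Assumptions: domain
# example.com, gMSA named gmsauser, retrieval group gmsaGroup, and a
# hypothetical service host APP01 (app01.example.com). Run Part A on a
# domain controller as Domain Admin; run Part B on the service host.

# ---------- Part A: on a domain controller ----------
Import-Module ActiveDirectory

# 1. Ensure a KDS root key exists. A second key is harmless but
#    unnecessary, so check first.
if (-not (Get-KdsRootKey)) {
    # Production: the key becomes usable after AD replication (about 10 h).
    Add-KdsRootKey -EffectiveImmediately
    # Lab only (single DC): backdate so it is usable at once.
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. A group listing every computer allowed to retrieve the gMSA password.
#    Granting through a group means hosts can be added or removed later
#    without modifying the gMSA object itself.
if (-not (Get-ADGroup -Filter "Name -eq 'gmsaGroup'")) {
    New-ADGroup -Name 'gmsaGroup' -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity 'gmsaGroup' -Members (Get-ADComputer 'APP01')

# 3. Create the gMSA. AES-only Kerberos and a 30-day password interval are
#    hardening choices added here; the interval can only be set at creation.
if (-not (Get-ADServiceAccount -Filter "Name -eq 'gmsauser'")) {
    New-ADServiceAccount -Name 'gmsauser' `
        -DNSHostName 'app01.example.com' `
        -PrincipalsAllowedToRetrieveManagedPassword 'gmsaGroup' `
        -KerberosEncryptionType AES256 `
        -ManagedPasswordIntervalInDays 30
}

# 4. Check exactly which principals can pull the managed password.
#    Anything unexpected in this list is a misconfiguration to investigate.
Get-ADServiceAccount -Identity 'gmsauser' `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword

# ---------- Part B: on the service host (APP01) ----------
# The host's Kerberos ticket must carry the new group membership, so reboot
# the host (as Step 3 says) before running this part.
Import-Module ActiveDirectory   # requires the RSAT-AD-PowerShell feature

Install-ADServiceAccount -Identity 'gmsauser'

# Test-ADServiceAccount returns $true only if this host can actually
# retrieve the managed password from AD.
if (Test-ADServiceAccount -Identity 'gmsauser') {
    Write-Output 'gMSA gmsauser is usable on this host.'
} else {
    Write-Warning 'gMSA check failed; verify gmsaGroup membership and reboot.'
}
```

Part A is idempotent, so it can be re-run safely after adding another host to gmsaGroup; Part B must be repeated on each host that will run the service under the gMSA.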