Affected versions: Windows Server 2022

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Services using gMSA fail to start, causing authentication errors and application downtime.

Environment & Reproduction

Common in newly created forests where the KDS root key has not matured across all domain controllers.

Get-KdsRootKey
Test-ADServiceAccount -Identity <gMSA name>   # <gMSA name> is a placeholder for the account being diagnosed

Root Cause Analysis

KDS root key effective time has not propagated sufficiently, so hosts cannot derive gMSA passwords.

Quick Triage

Check KDS root key creation time and target host AD replication health.

Step-by-Step Diagnosis

Validate SPN, PrincipalsAllowedToRetrieveManagedPassword, and DC reachability.

Get-ADServiceAccount -Identity <gMSA name> -Properties *   # <gMSA name> is a placeholder for the account being diagnosed
repadmin /replsummary
Figure: gMSA and KDS key diagnostics (PowerShell terminal mockup)
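A consolidated triage script covering the checks above (KDS root key age, password-retrieval permission, KDC reachability, and the final Test-ADServiceAccount call), added here as an example and not part of the original article. It assumes the RSAT ActiveDirectory module is installed on the host that will run the service, and that the gMSA name is passed as the $GmsaName parameter, a placeholder since the article does not name the account.

```powershell
# Added example, not from the original article. Runs on the host that should use the gMSA.
# Assumes the ActiveDirectory RSAT module; $GmsaName is a placeholder for the gMSA SAM account name.
param(
    [Parameter(Mandatory)] [string] $GmsaName,
    [int] $ReplicationWindowHours = 10   # Microsoft's documented wait after Add-KdsRootKey
)
Import-Module ActiveDirectory -ErrorAction Stop
$now = Get-Date

# 1. KDS root key: must exist, be effective, and be old enough to have replicated to every DC.
$keys = Get-KdsRootKey
if (-not $keys) { Write-Warning 'No KDS root key exists; run Add-KdsRootKey first.'; return }
foreach ($k in $keys) {
    $effective  = $k.EffectiveTime -le $now
    $replicated = $k.CreationTime.AddHours($ReplicationWindowHours) -le $now
    "KeyId {0}: effective={1} replicationWindowElapsed={2} (created {3:u})" -f `
        $k.KeyId, $effective, $replicated, $k.CreationTime
}

# 2. Permissions: is this computer allowed to retrieve the managed password, directly or via a group?
$acct = Get-ADServiceAccount -Identity $GmsaName `
        -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames
$me = Get-ADComputer -Identity $env:COMPUTERNAME
$allowed = $false
foreach ($dn in $acct.PrincipalsAllowedToRetrieveManagedPassword) {
    if ($dn -eq $me.DistinguishedName) { $allowed = $true; break }
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group' -and
        (Get-ADGroupMember -Identity $dn -Recursive |
            Where-Object { $_.DistinguishedName -eq $me.DistinguishedName })) {
        $allowed = $true; break
    }
}
"Host {0} allowed to retrieve password: {1}" -f $me.Name, $allowed
"SPNs registered on the gMSA: {0}" -f ($acct.ServicePrincipalNames -join ', ')

# 3. DC reachability: the KDC (TCP 88) on a discovered DC must answer from this host.
$dc  = (Get-ADDomainController -Discover -Service KDC -ForceDiscover).HostName | Select-Object -First 1
$kdc = Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue
"DC {0} KDC port 88 reachable: {1}" -f $dc, $kdc.TcpTestSucceeded

# 4. The end-to-end check the article uses as its acceptance criterion.
"Test-ADServiceAccount: {0}" -f (Test-ADServiceAccount -Identity $GmsaName)
```

If every key reports effective=True but replicationWindowElapsed=False, the fix is to wait, not to re-create the key.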

Solution – Primary Fix

Create or confirm KDS root key and wait for safe propagation before gMSA use in production.

Add-KdsRootKey -EffectiveImmediately
# Even with -EffectiveImmediately, wait 10 hours before creating or installing the gMSA so the key has replicated to every DC.
# Lab only fast-forward (single-DC test forests, never production): -EffectiveTime ((Get-Date).AddHours(-10))
Install-ADServiceAccount -Identity <gMSA name>   # run on each host that will use the account; <gMSA name> is a placeholder
Figure: Service account recovery events (event log viewer mockup)

Solution – Alternative Approaches

Temporarily run the service with a standard domain account until the KDS timeline completes.

Verification & Acceptance Criteria

Test-ADServiceAccount returns True and dependent services start normally.

Rollback Plan

Revert service identity to previous account and restore SPN mappings if startup remains blocked.

Prevention & Hardening

Provision KDS root keys during domain build phase, not during live service migrations.

Related Errors & Cross-Refs

Associated with replication latency, stale DC locator records, and missing account permissions.

References & Further Reading

Microsoft Learn: gMSA deployment prerequisites, KDS key behavior, and service account security practices.
