Hi there.

I have a question on KDS Root Keys. My setup is a single forest with a root and 1 child domain. Schema is 2012 R2. DCs are on 2008 R2 and 2012 R2. 2012 R2 DCs are present in both domains. Do I add a KDS Root Key per domain? I have seen articles that say 1 time per forest and others that say 1 time per domain.

So I tested it out in a lab, and had no problem creating the key on a 2012 R2 DC in the root domain. Get-KdsRootKey returns the expected result. However, when I run Get-KdsRootKey from a DC in the child domain I get nothing back. Looking at the permissions on the key in the Configuration partition shows that SYSTEM has full control, as do Domain Admins and Enterprise Admins from the root domain. There are no permissions granted to security principals in the child domain.

So what is the recommended guidance for this?

(1) Do I add Domain Admins from the child domain to this key with Full Control? If I do that, Get-KdsRootKey returns the expected result on a child-domain 2012 DC. Is that what you are meant to do? Will child DCs be able to use this key?

(2) Or do I add a KDS key from a child DC? To do this I need to be logged onto a child 2012 DC with child-domain DA credentials, but also be a member of Enterprise Admins to update the Master Root Keys container? When this key is created it will have security of SYSTEM Full Control, Domain Admins from the child domain Full Control, and Enterprise Admins Full Control. But Domain Admins from the root domain will not be present. Will this key work in both domains?

(3) Have one key for the root domain and one for the child domain? But that doesn't seem correct to me.

I hope someone out there has gone through this already; I can't seem to find any answers using Google-Fu!
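As an added diagnostic example (not part of the original post), the following PowerShell separates the two things the post conflates: whether a KDS root key has replicated to the DC you are standing on, and whether the caller is allowed to read it. It assumes it is run in an elevated session on the DC in question (for example the child-domain 2012 R2 DC) with the RSAT ActiveDirectory module and KDS cmdlets installed, and that the keys live under the usual Master Root Keys container in the Configuration partition.

```powershell
# Added example, not from the original post. Run on the DC whose Get-KdsRootKey
# result you want to explain; needs the ActiveDirectory module and KDS cmdlets.
Import-Module ActiveDirectory -ErrorAction Stop

# KDS root keys are stored once for the forest, in the Configuration partition.
$kdsContainer = 'CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,' +
                (Get-ADRootDSE).configurationNamingContext

function Get-KdsRootKeyReport {
    # Key objects as replicated to this DC, read with plain LDAP.
    $raw = @(Get-ADObject -SearchBase $kdsContainer -SearchScope OneLevel `
                -Filter 'objectClass -eq "msKds-ProvRootKey"' `
                -Properties msKds-CreateTime, msKds-UseStartTime)

    # Keys the KDS cmdlet actually returns to the current caller on this DC.
    $visibleIds = @(Get-KdsRootKey -ErrorAction SilentlyContinue) |
                  ForEach-Object { $_.KeyId.ToString() }

    foreach ($key in $raw) {
        [pscustomobject]@{
            KeyId           = $key.Name
            ReplicatedHere  = $true
            VisibleToCmdlet = ($visibleIds -contains $key.Name)
            # Both attributes are FILETIME large integers.
            Created         = [DateTime]::FromFileTimeUtc($key.'msKds-CreateTime')
            Effective       = [DateTime]::FromFileTimeUtc($key.'msKds-UseStartTime')
        }
    }
}

function Get-KdsRootKeyAccess {
    # Allow ACEs on each key object, so the principals that can read the key
    # (and any missing child-domain ones, as in the post) are listed by name.
    foreach ($key in Get-ADObject -SearchBase $kdsContainer -SearchScope OneLevel `
                        -Filter 'objectClass -eq "msKds-ProvRootKey"') {
        (Get-Acl -Path "AD:\$($key.DistinguishedName)").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                [pscustomobject]@{
                    KeyId     = $key.Name
                    Identity  = $_.IdentityReference.Value
                    Rights    = $_.ActiveDirectoryRights
                    Inherited = $_.IsInherited
                }
            }
    }
}

Get-KdsRootKeyReport | Format-Table -AutoSize
Get-KdsRootKeyAccess | Format-Table -AutoSize
```

A key that shows ReplicatedHere but not VisibleToCmdlet points at the ACEs listed by the second function rather than at replication, which is the situation the post describes; a key missing from the first table has not replicated to that DC at all.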