Active Directory Key Distribution Service (KDS)

KDS stands for Key Distribution Service. It is a feature introduced in Windows Server 2012 that strengthens the security of Active Directory environments by reducing the risk posed by stolen or compromised domain controller (DC) keys. KDS distributes and manages the secret keys used to encrypt Kerberos tickets, and it is built on top of the existing Kerberos infrastructure in Active Directory.

The KDS Root Key is the root of trust for the KDS service; it is used to create and manage key pairs for the domain controllers in the domain. The KDS Root Key is generated when the first domain controller in a domain is promoted, and it is automatically replicated to every other domain controller in the domain.

KDS protects the Kerberos authentication process against some common attacks, such as Golden Ticket and Silver Ticket attacks, in which forged Kerberos tickets are used to gain unauthorized access to resources on the network. KDS reduces the risk of these attacks by using a more secure key distribution method, which helps prevent the use of compromised keys.

To use KDS, the Active Directory domain must have at least one domain controller running Windows Server 2012 or later. KDS is enabled by default on domain controllers running Windows Server 2012 R2 and later.

To manage the KDS service, you can use the following PowerShell cmdlets:

  • Get-KdsRootKey: retrieves the KDS Root Key(s) from a domain controller.
  • Add-KdsRootKey: creates a new KDS Root Key.
  • Get-KdsConfiguration: retrieves the current KDS configuration settings.
  • Set-KdsConfiguration: modifies the KDS configuration settings.
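The following script is an added example, not code from the original post, that ties these cmdlets together from an operator's point of view: it inventories the KDS Root Keys, classifies each as effective or pending by its EffectiveTime, validates each one with Test-KdsRootKey (a cmdlet not listed above), and only when run with -CreateIfMissing creates a new root key with Add-KdsRootKey. The function names Get-KdsRootKeyStatus and Invoke-KdsRootKeyCheck are assumptions of this example; it assumes the Kds cmdlets are available on the host and that the caller holds Domain Admin rights.

```powershell
# Added example, not the original post's code. Assumes the Kds cmdlets
# (Get-KdsRootKey, Add-KdsRootKey, Get-KdsConfiguration, Test-KdsRootKey)
# are available and the caller is a Domain Admin. Function names are
# illustrative, not part of any Microsoft module.

function Get-KdsRootKeyStatus {
    # Inventory the root keys and classify each by EffectiveTime so an
    # operator can see whether any key is usable right now.
    $now  = Get-Date
    $keys = @(Get-KdsRootKey)

    foreach ($k in $keys) {
        [pscustomobject]@{
            KeyId         = $k.KeyId
            CreationTime  = $k.CreationTime
            EffectiveTime = $k.EffectiveTime
            State         = if ($k.EffectiveTime -le $now) { 'Effective' } else { 'Pending' }
            # Test-KdsRootKey returns $true when the key stored on this DC is well formed.
            Valid         = Test-KdsRootKey -KeyId $k.KeyId
        }
    }
}

function Invoke-KdsRootKeyCheck {
    [CmdletBinding()]
    param(
        # Read-only by default; a key is created only when explicitly requested.
        [switch]$CreateIfMissing,
        # Lead time before the new key becomes usable, so it can replicate to
        # every DC first. Use 0 only in a single-DC lab.
        [int]$LeadHours = 10
    )

    $status = @(Get-KdsRootKeyStatus)
    $status | Format-Table KeyId, State, Valid, EffectiveTime -AutoSize

    $effective = @($status | Where-Object { $_.State -eq 'Effective' -and $_.Valid })
    if ($effective.Count -gt 0) {
        Write-Host "OK: $($effective.Count) effective KDS root key(s) present."
    }
    elseif ($CreateIfMissing) {
        $when = (Get-Date).AddHours($LeadHours)
        Write-Host "No effective root key; creating one effective at $when."
        Add-KdsRootKey -EffectiveTime $when
    }
    else {
        Write-Warning "No effective KDS root key found. Re-run with -CreateIfMissing to add one."
    }

    # Review the KDF and secret-agreement settings the keys are used with.
    Get-KdsConfiguration | Format-List
}

# Read-only audit; add -CreateIfMissing to create a key when none is effective.
Invoke-KdsRootKeyCheck
```

Running the script without parameters only reports; the creation path is opt-in so the audit can be scheduled safely. The default ten-hour lead time gives the new key a chance to replicate to all domain controllers before any of them start using it.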

In summary, Active Directory KDS is a security feature that strengthens the protection of Kerberos authentication by reducing the risk of stolen or compromised domain controller keys. It uses a more secure key distribution method to prevent common types of attacks. The KDS Root Key is generated automatically and is managed with PowerShell cmdlets.

Author: tonyhughes