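# PowerShell script authored by Sean Metcalf (@PyroTek3)
# 2025-09-03
# Script provided as-is
#
# Purpose: enumerate every Domain Controller in the AD forest, list the ones
# running Windows Server 2025, read the installed KDS Root Keys
# (Get-KdsRootKey) and report which domains have BOTH a Server 2025 DC and a
# KDS Root Key. The KDS root key is the material gMSA/dMSA passwords are
# derived from, so this pairing is the readiness/exposure signal the script
# is looking for.
#
# Requirements: ActiveDirectory module (RSAT). Get-KdsRootKey reads the KDS
# configuration container and may return nothing without admin rights.
# Output: Write-Host text plus one Format-Table of the Server 2025 DCs.
#Requires -Modules ActiveDirectory

Write-Host "Getting domains in the AD Forest & Discovering forest Domain Controllers"
$ForestDCArray = @()
ForEach ($ForestDomainItem in $((Get-ADForest).Domains) )
{
    # Locate one reachable DC per domain, then ask that DC for the domain's
    # replica set so each DC is enumerated through a DC of its own domain.
    $DomainDC = Get-ADDomainController -Discover -DomainName $ForestDomainItem
    $DomainInfo = Get-ADDomain -Server $($DomainDC.HostName)
    ForEach ($DomainControllerItem in $($DomainInfo.ReplicaDirectoryServers) )
    {
        # -Server expects a host/domain name; pass HostName explicitly instead
        # of relying on string conversion of the ADDomainController object.
        [array]$ForestDCArray += Get-ADDomainController $DomainControllerItem -Server $($DomainDC.HostName)
    }
}

Write-Host "Scanning for DCs running Windows Server 2025..."
# Relies on the operatingSystem attribute the DC registers for itself;
# wrapped in @() so an empty result is an empty array, not $null.
$Forest2025DCArray = @($ForestDCArray | Where-Object { $_.OperatingSystem -like "*2025*" })
Write-Host "The following DCs are running Windows Server 2025:"
$Forest2025DCArray | Select-Object Domain,Name,OperatingSystem,Site | Format-Table -AutoSize

Write-Host "Checking for installed KDS Root Keys (note this may not work if the script is not opened with admin rights)..."
$KDSRootKeyArray = Get-KdsRootKey
Write-Host "Parsing KDS Root key data..."
# Initialised unconditionally so the loops below are safe when no key exists
# (originally the variable was only created inside the IF).
$KDSRootKeyDomainArray = @()
IF ($KDSRootKeyArray)
{
    ForEach ($KDSRootKeyArrayItem in $KDSRootKeyArray)
    {
        # .DomainController is the DN of the DC that created the key, e.g.
        # "CN=DC01,OU=Domain Controllers,DC=corp,DC=example". Build the domain
        # DNS name from the DC= components only, so the lookup no longer
        # depends on that DC still existing or sitting in the default OU.
        $DomainDNParts = ($KDSRootKeyArrayItem.DomainController -split ',') | Where-Object { $_ -like 'DC=*' }
        $KDSDomainDNS = ($DomainDNParts | ForEach-Object { $_.Substring(3) }) -join '.'
        # -Server accepts a domain FQDN and locates a DC for it.
        $KDSDomainArray = Get-ADDomain -Server $KDSDomainDNS
        $KDSDomainArray | Add-Member -MemberType NoteProperty -Name KDSCreationTime -Value $KDSRootKeyArrayItem.CreationTime -Force
        # EffectiveTime is when the key becomes usable for key derivation
        # (normally ~10 hours after creation); a key that exists but is not
        # yet effective cannot be used by gMSA/dMSA yet.
        $KDSDomainArray | Add-Member -MemberType NoteProperty -Name KDSEffectiveTime -Value $KDSRootKeyArrayItem.EffectiveTime -Force
        [array]$KDSRootKeyDomainArray += $KDSDomainArray
    }
}

Write-Host "The following domains have had the KDS Root Key created:"
ForEach ($KDSRootKeyDomainArrayItem in $KDSRootKeyDomainArray)
{
    Write-Host " * $($KDSRootKeyDomainArrayItem.DNSRoot): KDS root key created on $($KDSRootKeyDomainArrayItem.KDSCreationTime)"
    Write-Host "   (effective from $($KDSRootKeyDomainArrayItem.KDSEffectiveTime))"
}

# A domain is reported when it has both a KDS root key and a Server 2025 DC.
$KDSKey2025DCDomainArray = @()
ForEach ($KDSRootKeyDomainArrayItem in $KDSRootKeyDomainArray)
{
    ForEach ($Forest2025DCArrayItem in $Forest2025DCArray)
    {
        IF ($KDSRootKeyDomainArrayItem.DNSRoot -eq $Forest2025DCArrayItem.Domain)
        { [array]$KDSKey2025DCDomainArray += $KDSRootKeyDomainArrayItem.DNSRoot }
    }
}
# Sort-Object -Unique collapses duplicates (several keys per domain, several
# 2025 DCs per domain); it yields $null for empty input, which the final
# ForEach tolerates.
$KDSKey2025DCDomainArray = $KDSKey2025DCDomainArray | Sort-Object -Unique
Write-Host " "
Write-Host "The following domains have a Windows Server 2025 Domain Controller and the KDS Root Key created:"
ForEach ($KDSKey2025DCDomainArrayItem in $KDSKey2025DCDomainArray)
{ Write-Host " * $KDSKey2025DCDomainArrayItem" }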