Remove or delete KDSRootKey (KDS Root Key)

When creating a gMSA (group managed service account) for Docker it is easy to run the scripts too many times and leave yourself with multiple KDS root keys. I'm not aware of a PowerShell command to remove them, but this user-interface-based method works to delete the unwanted KDS root keys.

To view the KDS root keys

Use the PowerShell command:

Get-KdsRootKey

This will list the keys as shown with the KeyId that will be required next.

If you accidentally created more than one key by running the scripts that create a gMSA user multiple times, you may delete the keys you don't need. The creation time gives you a clue as to which keys those are.

To remove or delete the KDSRootKey

From the Run dialog, type:

dssite.msc

This launches Active Directory Sites and Services. Use the View menu to select "Show Services Node".

The displayed keys should match the key IDs listed earlier. Click the key you wish to delete; it can then be deleted via right-click > Delete or the Action menu > Delete.

It is possible to view the created-date property by right-clicking each key, selecting Properties and then the Object tab. However, I prefer the PowerShell method as it presents a nicely formatted list in one hit; when many keys have been created this is more efficient.
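As an added example (not code from the original post), the following read-only PowerShell report lists the KDS root keys from Get-KdsRootKey in creation order and cross-checks each KeyId against the objects under the Services node that dssite.msc displays, so that the ID you delete in the GUI is the one you intend. It assumes the ActiveDirectory module is available, that the keys live under CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services in the configuration partition, and that each object's name is the key's GUID (these paths and names are my assumptions, not taken from the post). Keep in mind that gMSA managed passwords are derived from a root key, so a key that an existing gMSA already depends on must stay; the newest key alone is not automatically the one to keep.

```powershell
# Added example, not from the original post: list KDS root keys and match them
# to their AD configuration objects before deleting any in dssite.msc.
# Assumptions: ActiveDirectory module present; the container path below is
# where the Services node stores the keys; object CN equals the KeyId GUID.
Import-Module ActiveDirectory

function Get-KdsRootKeyReport {
    # Oldest key first, so the most recently created one is last
    $keys = @(Get-KdsRootKey | Sort-Object CreationTime)
    if ($keys.Count -eq 0) { throw 'No KDS root key exists in this forest' }

    # Configuration partition of the forest, e.g. CN=Configuration,DC=corp,DC=local
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNc"

    # The objects dssite.msc shows under the Services node (assumed object class)
    $adObjects = @(Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -Filter 'objectClass -eq "msKds-ProvRootKey"' -Properties whenCreated)

    foreach ($k in $keys) {
        # Assumption: the object's CN is the KeyId GUID shown by Get-KdsRootKey
        $match = $adObjects | Where-Object { $_.Name -eq $k.KeyId.ToString() }
        [pscustomobject]@{
            KeyId             = $k.KeyId
            CreationTime      = $k.CreationTime
            EffectiveTime     = $k.EffectiveTime
            AdObjectFound     = [bool]$match
            DistinguishedName = if ($match) { $match.DistinguishedName } else { $null }
            IsNewest          = ($k.KeyId -eq $keys[-1].KeyId)
        }
    }
}

# Usage: print the report, then delete the surplus key(s) in dssite.msc as
# described above, after confirming no existing gMSA depends on them.
Get-KdsRootKeyReport | Format-Table -AutoSize
```

A row with AdObjectFound set to False means the listing and the Services node disagree, which is worth resolving before anything is deleted.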

Docker build and UtilityVM: "The parameter is incorrect" / "failed to register layer" error

The following error can occur when doing a Docker build.

Docker . failed to register layer: re-exec error: exit status 1: output: processUtilityWImage

\\?\C:\ProgramData\docker\windowsfilter \UtilityVM: The parameter is incorrect.

At line: 2 char: 1

+ Docker build - -tag tw/gp2018 .

+ CategoryInfo :NotSpecified: (failed to regis…r is incorrect.:String) []. Remote Exception

+FullyQualifiedErrorId : NativeCommnadError

On a Windows build, this is often due to the base image not being compatible with the operating system of the Docker host machine.

For example, I moved my Dockerfile and build directory from Windows 10 to Windows Server 2016 and experienced this error.

Turns out that the windowsservercore image I was attempting to use was not compatible.

See https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility for the guide to which Windows container versions are compatible with which hosts.

I was attempting to use microsoft/windowsservercore:1803, but the only version that is compatible on Server 2016, from the above table, without using Hyper-V isolation (where a small Linux machine is used to host container), is build 14393.

Thus, in my Dockerfile, changing the base image instruction to

FROM microsoft/windowsservercore:ltsc2016

solved the above error on the server host.

The reason is obvious really: Docker works by sharing the underlying kernel of the host with the containers, overlaying layers of files until you reach the image. Changes to the host operating system adversely affect this layering, as components the image expects, which were present when the image was created, may no longer be there. The container may start but fail later.

Using Hyper-V isolation works, as Hyper-V isolation introduces its own kernel instead of the host's, thus isolating the container from the host operating system. This still gives us benefits if multiple containers are run, and the benefits of portability remain, but it is less efficient in disk storage. Use the switch --isolation=hyperv to enable this isolation.
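The following PowerShell script is an added example (not from the original post) that turns the compatibility rule above into a pre-build check: it reads the tag from the first FROM line of a Dockerfile, maps it to an OS build, compares that with the host's build from the registry, and picks the isolation mode for docker build. It goes slightly beyond the post in one respect: Hyper-V isolation lets a newer host run an older image, but an image built on a newer OS than the host runs under neither mode, so the script refuses that case rather than trying hyperv. The tag-to-build table is my assumption and covers only the tags listed; the image name tw/gp2018 is the one from the error output above.

```powershell
# Added example, not from the original post: choose --isolation for docker
# build from the base image tag in the Dockerfile and the host OS build.
# Rule: process isolation needs image build == host build; Hyper-V isolation
# allows image build < host build; image build > host build cannot run.
# Assumption: the tag table below is limited to these Server Core tags.

$TagToBuild = @{
    'ltsc2016' = 14393   # Windows Server 2016
    '1709'     = 16299
    '1803'     = 17134
    '1809'     = 17763
    'ltsc2019' = 17763
}

function Get-HostBuild {
    # CurrentBuild is the host OS build number, e.g. 14393 on Windows Server 2016
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [int]$cv.CurrentBuild
}

function Get-DockerfileBaseTag {
    param([string]$Path = '.\Dockerfile')
    $from = Get-Content -Path $Path |
        Where-Object { $_ -match '^\s*FROM\s+' } |
        Select-Object -First 1
    if (-not $from) { throw "No FROM instruction found in $Path" }
    # "FROM image[:tag] [AS name]" -> return the tag, or 'latest' when none is given
    $image = (($from -replace '^\s*FROM\s+', '') -split '\s+')[0]
    if ($image -match ':([^:/]+)$') { return $Matches[1] }
    return 'latest'
}

function Get-BuildIsolation {
    param([string]$Path = '.\Dockerfile')
    $tag       = Get-DockerfileBaseTag -Path $Path
    $hostBuild = Get-HostBuild
    if (-not $TagToBuild.ContainsKey($tag)) {
        throw "Tag '$tag' is not in the compatibility table; check the Microsoft guide before building"
    }
    $imageBuild = $TagToBuild[$tag]
    if ($imageBuild -eq $hostBuild) { return 'process' }   # same build: share the host kernel
    if ($imageBuild -lt $hostBuild) { return 'hyperv' }    # older image: needs its own kernel
    throw "Base image build $imageBuild ($tag) is newer than host build $hostBuild; it cannot run here"
}

# Usage: build with the isolation mode this host supports for this Dockerfile
$isolation = Get-BuildIsolation -Path '.\Dockerfile'
Write-Host "Host build $(Get-HostBuild): building with --isolation $isolation"
docker build --isolation $isolation --tag tw/gp2018 .
```

On a Windows Server 2016 host (build 14393) a Dockerfile starting with FROM microsoft/windowsservercore:1803 is rejected by the check, while FROM microsoft/windowsservercore:ltsc2016 builds with process isolation, which matches the outcome described above.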

Installing Docker onto Windows Server 2016

https://docs.docker.com/install/windows/docker-ee/

Docker comes in two editions: the free Community Edition and the Enterprise Edition.

The company Docker and Microsoft entered into a commercial agreement to bring Docker to Windows Server as a commercially supported enterprise container product.

Docker running containers on Windows is the result of a two-year collaboration between Microsoft that involved the Windows kernel growing containerization primitives, Docker and Microsoft collaborating on porting the Docker Engine and CLI to Windows to take advantage of those new primitives and Docker adding multi-arch image support to Docker Hub. (https://blog.docker.com/2016/09/dockerforws2016/)

As a result of the agreement, Docker Enterprise is already licensed as part of Windows Server 2016, so you just need to install and use it.

There are two types of containers, Linux and Windows. To run Windows OS containers you must install the Windows provider (DockerMsftProvider). Choose the appropriate container type below and issue the relevant commands.

To install for Windows containers:

Install-Module -Name DockerMsftProvider -Repository PSGallery -Force

Install-Package -Name docker -ProviderName DockerMsftProvider

To install for Linux containers:

Install-Module DockerProvider -Force

Install-Package Docker -ProviderName DockerProvider -Force

Once installed there will be a Docker service on the machine.

When the command has finished executing (this can take some time), PowerShell should be aware of the Docker commands, so issuing the following command:

Docker version

will return information about the Docker version.

Uninstall Docker from Windows Server 2016

Uninstall-Module DockerProvider

Uninstall-Package docker

or, for Windows containers:

Uninstall-Module DockerMsftProvider

Uninstall-Package docker