Reset the krbtgt account password/keys

This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation.

  • Multi forest difficulty
    2 Posts | Last post March 11, 2020
    • I wanted to give some feedback on here: this script "assumes" to use the domain of the user, as others have reported here. So if I am using an account from one forest and have RDP'ed to a DC in another forest, the script thinks I'm trying to work on my account's forest instead of the one that the DC controls. I recommend either having the script ask which domain to act on if it is ambiguous, or setting a command line option for it.
  • RPC connectivity failing between DCs
    2 Posts | Last post March 11, 2020
    • Hi, we're attempting to reset the KRBTGT account password/keys using the below PowerShell script.
      However, the script keeps failing when attempting to check RPC connectivity (Option 1) between the DCs. The checks pass perfectly for all other DCs on the same VLAN, but fail when it goes to a DC by way of a firewall or a load balancer. I have verified with our network team that everything is open between the DCs, and they have confirmed that all of the data is being passed through.
      Please advise!
  • Insufficient rights
    3 Posts | Last post March 11, 2020
    • I ran this script in modes 1 and 2, everything came back totally fine.
      I ran it in Mode 3 and it says the following:
         Resetting krbtgt key.....FAILED
         Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account. Replication will be skipped
         Check if krbtgt key on all writable domain controllers was in sync with PDC emulator FAILED. One or more reachable DCs was out of sync with the PDC emulator.
      I'm logged on as a domain admin.  I have rights to reset the password on the account.  Any ideas?
    • Have a look at the Security tab on the krbtgt account. Make sure there are no (unintended) permission entries with Type Deny and make sure Domain Admins have "Reset password" permissions.
  • Error with RwDcs query
    4 Posts | Last post March 11, 2020
    • Hi all,
      I get an error with line 359 when it is using the -filter {IsReadOnly -eq $false} which is strange as I can see the property exists and is boolean.
      Error is: Get-ADDomainController : Directory object not found
      The $TargetDomain.PDCEmulator is returning the correct value and if I remove the filter the command works, however it only returns the PDC emulator (or any other DC I specify as -server)
      FYI, We do not have any RODCs.
      I have re-written this to overcome the issue.
      I changed line 301 to: $TargetDomain = Get-AdDomain | Select Name,DNSRoot,NetBIOSName,DomainMode,PDCEmulator,ReplicaDirectoryServers,ReadOnlyReplicaDirectoryServers
      and line 359 to: Try {$RwDcs = $TargetDomain.ReplicaDirectoryServers | ForEach-Object {$_ | ?{$TargetDomain.ReadOnlyReplicaDirectoryServers -notcontains $_} | Get-ADDomainController} | Select Name,Hostname,Domain,Site}
      Just wondering if anyone else encountered something similar and if you see any issues with my workaround.
      P.S. I am running this from my laptop with all the support tools required, and the user account is a domain admin. Only tested Mode 1 so far.
    • Thanks, I had the exact same issue. I believe this has to do with our Riverbed WAN accelerators. Your changes worked for me. I've only run mode 1 and mode 2 so far.
    • Thank you for this resolution. We had the same problem, and I can confirm that, with Riverbed read-only domain controllers in the environment, the above changes to the script worked when running all modes, including mode 3, which resets the password.
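As an added example (not code from the gallery script or its author), the workaround in this thread can be turned into a small sync check: writable DCs are taken from the domain object's ReplicaDirectoryServers list minus ReadOnlyReplicaDirectoryServers, rather than from Get-ADDomainController -Filter {IsReadOnly -eq $false}, and the krbtgt key timestamp (pwdLastSet) on each of them is compared with the PDC emulator's, which is the "in sync" condition the script reports on. Function names here are my own.

```powershell
# Added example, not part of the gallery script: enumerate writable DCs from the
# domain object's attribute lists (the thread's workaround) and compare the krbtgt
# pwdLastSet on each writable DC against the PDC emulator.
Import-Module ActiveDirectory

function Get-WritableDomainController {
    param([Parameter(Mandatory)]$Domain)   # object returned by Get-ADDomain
    # ReplicaDirectoryServers holds the writable DCs; drop anything also listed as
    # read-only (the Riverbed RODCs that confused the -Filter query in this thread).
    $Domain.ReplicaDirectoryServers |
        Where-Object { $Domain.ReadOnlyReplicaDirectoryServers -notcontains $_ } |
        ForEach-Object { Get-ADDomainController -Identity $_ } |
        Select-Object Name, HostName, Domain, Site
}

function Test-KrbtgtKeySync {
    param([Parameter(Mandatory)]$Domain)
    # Read the raw pwdLastSet (FILETIME) from each DC's own replica via -Server, so the
    # comparison reflects what that DC holds right now, not what replication will deliver.
    $reference = (Get-ADUser krbtgt -Properties pwdLastSet -Server $Domain.PDCEmulator).pwdLastSet
    foreach ($dc in Get-WritableDomainController -Domain $Domain) {
        $value = $null
        try {
            $value = (Get-ADUser krbtgt -Properties pwdLastSet -Server $dc.HostName -ErrorAction Stop).pwdLastSet
        } catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
        [pscustomobject]@{
            DC        = $dc.HostName
            Site      = $dc.Site
            Reachable = ($null -ne $value)
            InSync    = ($null -ne $value -and $value -eq $reference)
            PdcValue  = [datetime]::FromFileTimeUtc($reference)
            DcValue   = if ($null -ne $value) { [datetime]::FromFileTimeUtc($value) } else { $null }
        }
    }
}

# Usage: run from a member of the target domain; any DC reported as unreachable or
# out of sync deserves a look before the key is reset again.
$domain = Get-ADDomain
Test-KrbtgtKeySync -Domain $domain | Format-Table -AutoSize
```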
  • Nice Script, Thanks!
    2 Posts | Last post March 11, 2020
    • Works perfectly for us.
      A question only to which I have found no answer:
      Our Domain is a SubDomain in another Tree. Can I change the Password independently from the parent tree?
  • KRBTGT Execution Error
    3 Posts | Last post March 11, 2020
    • I was able to run Mode 1 of the script on our two domains that are hosted on Windows 2012 R2 domain controllers. However, in the one domain that is hosted on Windows 2008 R2 domain controllers, I received a script execution error. Due to the organization's update policy, I cannot update these DCs to Windows 2012 R2 yet. However, I would prefer not to have to wait to change the krbtgt password.
      When I execute the script on the Windows 2008 R2 PDC, the first couple of tests have a status of PASSED.  Then, after the "Gathering and analyzing krbtgt account information and domain Keberos Policy..." section, it states in red:
      You cannot call a method on a null-valued expression At c:\scripts\...\New-CtmADKrbtgtKeys.ps1:337 char:1
      + $ExpirationTimeForNMinusOneTickets = (($Krbtgt.PasswordLastSet.AddHours($MaxTgtL...
      The rest of the script then executes without issues and all tests PASSED.
      PS version is at 4 with execution policy set to RemoteSigned.
      Is there something I need to do to the Windows 2008 R2 DCs in order for them to execute the script correctly?
    • Hi Terry, 
      (and anyone else who may run into this in December 2019 and beyond)
      I encountered this same error in a domain where the krbtgt account password had never been reset. Since the password had never been changed, the PasswordLastSet value was Null. To fix, I modified and added a couple of lines to check for the Null value, and if so, use the WhenCreated value instead.
      Modify the following lines (line numbers based on version 1.7 of the script)...
      # Change line 322 from:
      $Krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet -Server $TargetDomain.PDCEmulator
      # To this:
      $Krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet,WhenCreated -Server $TargetDomain.PDCEmulator
      # Then remove or comment out line 337:
      $ExpirationTimeForNMinusOneTickets = (($Krbtgt.PasswordLastSet.AddHours($MaxTgtLifetimeHrs)).AddMinutes($MaxClockSkewMins)).AddMinutes($MaxClockSkewMins) # Doubling the clock skew to account for skew in both directions
      # And replace it with:
      if ($Krbtgt.PasswordLastSet -eq $null){$ExpirationTimeForNMinusOneTickets = (($Krbtgt.WhenCreated.AddHours($MaxTgtLifetimeHrs)).AddMinutes($MaxClockSkewMins)).AddMinutes($MaxClockSkewMins)}
      else{$ExpirationTimeForNMinusOneTickets = (($Krbtgt.PasswordLastSet.AddHours($MaxTgtLifetimeHrs)).AddMinutes($MaxClockSkewMins)).AddMinutes($MaxClockSkewMins)}
      Good luck!
      S. Jordan Novick
      Novick Tech
  • Add French Language
    2 Posts | Last post March 11, 2020
    • Hello, I used your script, and here is what I changed to make it work on a "French" OS; maybe you could launch the commands in test mode and ask people for the reply message in their local language.
      line 62: replace "*completed*" with "*effectués*"
      line 84: replace "*Successfully replicated object*" with "*a été correctement répliqué*"
      Works like a charm for now; hope nothing breaks!
  • This does not work correctly if you are using a user from another domain
    2 Posts | Last post March 11, 2020
    • Run on a domain controller from Domain X, using a user from Domain Y, the code:
      $TargetDomain = Get-AdDomain | Select Name,DNSRoot,NetBIOSName,DomainMode,PDCEmulator
      incorrectly gets the USER's DOMAIN.
      consider updating the code to something LIKE...
      $TargetDomain = Get-AdDomain -server $((Get-WmiObject Win32_ComputerSystem).Domain) | Select Name,DNSRoot,NetBIOSName,DomainMode,PDCEmulator
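The following is an added example, not the gallery script's own code, that puts together this post's suggestion (resolve the domain of the computer the script runs on, not the logged-on user's domain) with S. Jordan Novick's fix from the "KRBTGT Execution Error" thread above (fall back to WhenCreated when PasswordLastSet is null). The function names are mine; the 10 hour / 5 minute defaults are the Kerberos policy defaults and should be replaced with the values actually read from the domain's policy.

```powershell
# Added example, not part of the gallery script: resolve the target domain from the
# machine rather than the caller, then compute when TGTs issued under the previous
# (N-1) krbtgt key have all expired, tolerating a krbtgt that was never reset.
Import-Module ActiveDirectory

function Resolve-TargetDomain {
    # Win32_ComputerSystem.Domain is the machine's domain; passing it to -Server makes
    # Get-ADDomain locate a DC of that domain instead of defaulting to the user's logon domain.
    $computerDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    Get-ADDomain -Server $computerDomain |
        Select-Object Name, DNSRoot, NetBIOSName, DomainMode, PDCEmulator
}

function Get-KrbtgtNMinusOneExpiry {
    param(
        [Parameter(Mandatory)][string]$Server,  # PDC emulator of the target domain
        [int]$MaxTgtLifetimeHrs = 10,           # "Maximum lifetime for user ticket" (policy default, assumed)
        [int]$MaxClockSkewMins  = 5             # "Maximum tolerance for computer clock synchronization" (policy default, assumed)
    )
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet, WhenCreated -Server $Server
    # A krbtgt whose password was never reset has no PasswordLastSet (the null-method error
    # reported in the 2008 R2 thread); use WhenCreated as the baseline instead.
    if ($null -eq $krbtgt.PasswordLastSet) {
        $baseline = $krbtgt.WhenCreated;     $source = 'WhenCreated'
    } else {
        $baseline = $krbtgt.PasswordLastSet; $source = 'PasswordLastSet'
    }
    # Same arithmetic as the script's line 337: ticket lifetime plus the clock skew applied twice.
    $expiry = $baseline.AddHours($MaxTgtLifetimeHrs).AddMinutes(2 * $MaxClockSkewMins)
    [pscustomobject]@{
        Server                 = $Server
        BaselineSource         = $source
        Baseline               = $baseline
        NMinusOneExpiry        = $expiry
        PriorKeyTicketsExpired = (Get-Date) -ge $expiry
    }
}

# Usage: run on a DC (or domain member) of the domain whose krbtgt is being rotated.
$target = Resolve-TargetDomain
Get-KrbtgtNMinusOneExpiry -Server $target.PDCEmulator
```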
  • TGT (N-1) expiration value?
    1 Posts | Last post February 19, 2020
    • What is the value of waiting for the existing TGT tickets to have expired? Don't the Kerberos clients just request a new ticket after expiration? Do I really need to wait for the expiration before performing a second reset, as is done for a Golden Ticket reset? Also, I disagree with the algorithm to add a second 5 minute skew interval to the $ExpirationTimeForNMinusOneTickets. The documentation states "# Doubling the clock skew to account for skew in both directions". A skew in both directions mathematically would be an addition in one direction and a subtraction in the other from your base number. Adding two time skew values together seems incorrect, as the subtraction would already be covered as the lesser number. Or am I missing something?
      Thanks for the cool script!  It's super helpful.
  • Automation, telemetry and exit codes
    1 Posts | Last post November 19, 2019
    • We run this twice a month, every month, on all our domains. Our environment is super-stable and we've never yet seen a warning that needed attention. Needless to say, it's all a bit manual.
      Are there any plans to develop this further? If so, could we suggest adding the ability to run each part of the process separately from the command line without manual intervention, exit codes (Succeeded without issue, for example), and telemetry (e.g. propagation time and time since last reset)?
      We could then automate this process, reduce workload and most likely increase compliance.