Reset the krbtgt account password/keys

This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation.


  • Add French Language
    1 Posts | Last post December 20, 2019
    • Hello, I used your script and here is what I changed to make it work in "French" OS, maybe you can launch commands in test mode and ask people to get their reply message in local language.
      line 62 : replace "*completed*" by "*effectués*"
      line 84 : replace "*Successfully replicated object*" by "*a été correctement répliqué*"
      works like a charm for now, hope nothing breaks!
  • KRBTGT Execution Error
    2 Posts | Last post December 14, 2019
    • I was able to run Mode 1 of the script on our two domains that are hosted on Windows 2012 R2 domain controllers.  However, in the one domain that is hosted on Windows 2008 R2 domain controllers, I received a script execution error.  Due to the organization's update policy, I cannot update these DC's to Windows 2012 R2 yet.  However, I would prefer not to have to wait to change the krbtgt password.
      When I execute the script on the Windows 2008 R2 PDC, the first couple of tests have a status of PASSED.  Then, after the "Gathering and analyzing krbtgt account information and domain Keberos Policy..." section, it states in red:
      You cannot call a method on a null-valued expression At c:\scripts\...\New-CtmADKrbtgtKeys.ps1:337 char:1
      + $ExpirationTimeForNMinusOneTickets = (($Krbtgt.PasswordLastSet.AddHours($MaxTgtL...
      The rest of the script then executes without issues and all tests PASSED.
      PS version is at 4 with execution policy set to RemoteSigned.
      Is there something I need to do to the Windows 2008 R2 DC's in order for them to execute the script correctly?
    • Hi Terry, 
      (and anyone else who may run into this in December 2019 and beyond)
      I encountered this same error in a domain where the krbtgt account password had never been reset. Since the password had never been changed, the PasswordLastSet value was Null. To fix, I modified and added a couple of lines to check for the Null value, and if so, use the WhenCreated value instead.
      Modify the following lines (line numbers based on version 1.7 of the script)...
      # Change line 322 from:
      $Krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet -Server $TargetDomain.PDCEmulator
      # To this:
      $Krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet,WhenCreated -Server $TargetDomain.PDCEmulator
      # Then remove or comment out line 337:
      $ExpirationTimeForNMinusOneTickets = (($Krbtgt.PasswordLastSet.AddHours($MaxTgtLifetimeHrs)).AddMinutes($MaxClockSkewMins)).AddMinutes($MaxClockSkewMins) # Doubling the clock skew to account for skew in both directions
      # And replace it with:
      if ($Krbtgt.PasswordLastSet -eq $null){$ExpirationTimeForNMinusOneTickets = (($Krbtgt.WhenCreated.AddHours($MaxTgtLifetimeHrs)).AddMinutes($MaxClockSkewMins)).AddMinutes($MaxClockSkewMins)}
      else{$ExpirationTimeForNMinusOneTickets = (($Krbtgt.PasswordLastSet.AddHours($MaxTgtLifetimeHrs)).AddMinutes($MaxClockSkewMins)).AddMinutes($MaxClockSkewMins)}
      Good luck!
      S. Jordan Novick
      Novick Tech
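      The null-value fallback from the post above, as an added example that is not part of the script or of any comment on this page. It takes the krbtgt object as a parameter (so it runs offline against constructed sample objects instead of calling Get-ADUser), and goes one step further than the post by also reporting whether the N-1 ticket window has already closed, which is what that expiration time is used for when deciding whether a further reset is safe; the function and parameter names are assumptions.

```powershell
# Added example: compute the time until which TGTs issued under the previous (N-1)
# krbtgt key can still be valid, using WhenCreated when PasswordLastSet is null
# (an account whose password has never been reset). Names are assumptions.
function Get-KrbtgtNMinusOneTicketExpiration {
    [CmdletBinding()]
    param(
        # Object carrying PasswordLastSet and WhenCreated, e.g. the result of
        # Get-ADUser krbtgt -Properties PasswordLastSet,WhenCreated
        [Parameter(Mandatory)] $Krbtgt,
        # Domain Kerberos policy values; defaults mirror the AD defaults (10 h, 5 min)
        [int]$MaxTgtLifetimeHrs = 10,
        [int]$MaxClockSkewMins  = 5,
        [datetime]$Now = (Get-Date)
    )

    # Null PasswordLastSet means the password was never changed, so the current
    # key dates from account creation.
    $keyBaseline = if ($null -eq $Krbtgt.PasswordLastSet) { $Krbtgt.WhenCreated } else { $Krbtgt.PasswordLastSet }
    if ($null -eq $keyBaseline) { throw "Neither PasswordLastSet nor WhenCreated is populated." }

    # Doubling the clock skew to account for skew in both directions, as the script does.
    $expiration = $keyBaseline.AddHours($MaxTgtLifetimeHrs).AddMinutes(2 * $MaxClockSkewMins)

    [pscustomobject]@{
        KeyBaseline        = $keyBaseline
        UsedWhenCreated    = ($null -eq $Krbtgt.PasswordLastSet)
        NMinusOneExpiresAt = $expiration
        # Once this is true, no ticket issued under the N-1 key can still be valid.
        SafeToResetAgain   = ($Now -ge $expiration)
    }
}

# Constructed sample objects standing in for real Get-ADUser results (no domain needed).
$neverReset    = [pscustomobject]@{ PasswordLastSet = $null;                    WhenCreated = (Get-Date).AddDays(-3650) }
$recentlyReset = [pscustomobject]@{ PasswordLastSet = (Get-Date).AddHours(-2); WhenCreated = (Get-Date).AddDays(-3650) }

Get-KrbtgtNMinusOneTicketExpiration -Krbtgt $neverReset
Get-KrbtgtNMinusOneTicketExpiration -Krbtgt $recentlyReset
```

      Pass the real MaxTgtLifetimeHrs and MaxClockSkewMins from the domain's Kerberos policy rather than relying on the defaults.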
  • Nice Script, Thanks!
    1 Posts | Last post December 05, 2019
    • Works perfect for us.
      A question only to which I have found no answer:
      Our Domain is a SubDomain in another Tree. Can I change the Password independently from the parent tree?
  • Error with RwDcs query
    3 Posts | Last post December 02, 2019
    • Hi all,
      I get an error with line 359 when it is using the -filter {IsReadOnly -eq $false} which is strange as I can see the property exists and is boolean.
      Error is: Get-ADDomainController : Directory object not found
      The $TargetDomain.PDCEmulator is returning the correct value and if I remove the filter the command works, however it only returns the PDC emulator (or any other DC I specify as -server)
      FYI, We do not have any RODCs.
      I have re-written this to overcome the issue.
      I changed line 301 to : $TargetDomain = Get-AdDomain | Select Name,DNSRoot,NetBIOSName,DomainMode,PDCEmulator,ReplicaDirectoryServers,ReadOnlyReplicaDirectoryServers
      and Line 359 to : Try {$RwDcs =  $TargetDomain.ReplicaDirectoryServers|foreach-object {$_|?{$TargetDomain.ReadOnlyReplicaDirectoryServers -notcontains $_}|Get-ADDomainController} | Select Name,Hostname,Domain,Site}
      Just wondering if anyone else encountered similar and if you see any issues with my workaround.
      P.S I am running this from my laptop with all the support tools required and user account is a domain admin. Only tested Mode 1 so far.
    • Thanks, I had the same exact issue.  I believe this has to do with our Riverbed WAN accelerators.  Your changes worked for me. I've only run mode 1 and mode 2 so far.
    • Thank you for this resolution. We had the same problem, and I can confirm that, with Riverbed Read-Only domain controllers in the environment, the above changes to the script worked when running all modes, including mode 3, which resets the password.
  • Automation, telemetry and exit codes
    1 Posts | Last post November 19, 2019
    • We run this twice a month, every month on all our Domains.  Our environment is super-stable and we've never yet seen a warning that needed attention.  Needless to say, it's all a bit manual.
      Are there any plans to develop this further?  If so, could we suggest adding the ability to run each part of the process separately without manual intervention from the command line, exit codes (Succeeded without issue, for example), and telemetry (e.g. propagation time and time since last reset).  
      We could then automate this process, reduce workload and most likely increase compliance.
  • Insufficient rights
    2 Posts | Last post November 01, 2019
    • I ran this script in modes 1 and 2, everything came back totally fine.
      I ran it in Mode 3 and it says the following:
         Resetting krbtgt key.....FAILED
         Krbtgt reset failed. Check to ensure you have sufficient rights to reset the krbtgt account. Replication will be skipped
         Check if krbtgt key on all writable domain controllers was in sync with PDC emulator FAILED. One or more reachable DCs was out of sync with the PDC emulator.
      I'm logged on as a domain admin.  I have rights to reset the password on the account.  Any ideas?
    • Have a look at the Security tab on the krbtgt account. Make sure there are no (unintended) permission entries with Type Deny and make sure Domain Admins have "Reset password" permissions.
  • RPC connectivity failing between DCs
    1 Posts | Last post October 30, 2019
    • Hi, we're attempting to reset the KRBTGT account password/keys using the below PowerShell script;
      However, the script keeps failing when attempting to check RPC connectivity (Option 1) between the DCs. The checks pass perfectly for all other DCs on the same VLan, but fail when they go to a DC by way of a firewall or a load balancer. I have verified with our network team that everything is open between the DCs, and they have confirmed that all of the data is being passed through.
      Please advise!
  • Multi forest difficulty
    1 Posts | Last post October 01, 2019
    • I wanted to give some feedback on here:  this script "assumes" to use the domain of the user, as others have reported here.  So if I am using an account from one forest and RDP'ed to a DC in another forest, the script thinks I'm trying to work on my account's forest instead of that which the DC controls.  I recommend either having the script ask which domain to action on if it is ambiguous, or setting a command line option for it.
  • Checking RPC connectivity to DC2........
    2 Posts | Last post September 25, 2019
    • Could I please ask for advice. 
      I am running this on a domain with 2xDCs and it is failing on:
      Checking RPC connectivity to Domain Controller:
         Checking RPC connectivity to DC1.FQDN........PASSED
         Checking RPC connectivity to DC2.FQDN........FAILED
      Check for RPC connectivity to writable domain controllers FAILED. One or more writable DCs was unreachable. 
      I have tested that with "rpcping.exe -s DC2.FQDN" from the CLI and it passes with:
      Completed 1 calls in 31 ms
      32 T/S or 31.000 ms/T
      Could you please advise or point me in the right direction? Possibly Firewall rules?
      Thanks in advance. 
    • Solved - It was a firewall issue.
  • Notification: New version of script soon to be available
    3 Posts | Last post July 12, 2019
    • Hi,
      I'm writing a new version of this script which I will make available soon. That new script is based upon the version that Jared wrote, but it supports RODCs and contains additional tests and checks.
      Check out to be the first to get that new version. Any feature requests are welcome. Use the contact form on the blog to contact me.
      For anyone using Riverbeds in RODC mode, could you please send me the output of the RODC computer object and the NTDS Settings object so that I can check if the logic that I built also applies to your scenario?
      Jorge de Almeida Pinto
      MVP Enterprise mobility And Security (previously MVP Directory Services)
    • And as promised, here is the link to the info about the new script (it also contains a link to the new script!)
      Have fun, enjoy, but be careful!
    • Jorge, the script that you wrote is awesome. Thank you for all the work that you put into it, especially all of the technical documentation that you provided within.