Resetting the Krbtgt Account Password in a Domain - which PowerShell Script to Use?

JoeAdmin 26 Reputation points
2020-09-16T15:53:21.007+00:00

Hello All,

I have 2 questions related to resetting the Krbtgt account password in a Domain, of which there are 2 main PS scripts (as you know) out on TechNet & GitHub - "New-CtmADKrbtgtKeys.ps1" & "Reset-KrbTgt-Password-for-RWDCS-And-RODCS.ps1" (now shown on GitHub as "Reset-KerberosServiceV2.ps1"). These are both authored & enhanced by Jared Poeppelman (Microsoft) & Jorge de Almeida Pinto (MCC & MVP):

1) Although I'm leaning towards using the "Reset-KerberosServiceV2.ps1" script in my Domain, its v2.5 was updated on 2020-02-17, while the "New-CtmADKrbtgtKeys.ps1" script was updated on 2020-05-14. Since both Jared & Jorge seem to be involved in the writing/updating of both scripts, which one is the latest & "better" one to use? I apologize in advance for not being a PS expert, so I can't effectively extrapolate the contents of the 2 scripts for a successful comparison. I'm looking for an explanation as to the differences, & which script is the recommended one to use.

2) We'll be running this script in our On-Prem Domain (Hybrid w/ Azure), which is a School District. Of course, due to Covid, most of the students & teachers are remote teaching/learning from home. Some teachers use VPN, but none of the students do - most have not been on the Local Domain since April. Is it recommended & safe to change the Kerberos account password on our On-Prem Domain Controllers while most users are off-site? We do not want to cause any potential issues that may impact users while they are off-site, as well as when they return on-site.

Any & all recommendations would be most appreciated - thank you!


Accepted answer
  1. Jorge de Almeida Pinto [MVP] 96 Reputation points MVP
    2020-09-17T18:54:23.627+00:00

    Hi,

    To be clear on a few things:
    Jared wrote the v1 script.
    Based upon the v1 script, I rewrote the script, added tons of features and that is how v2 was born. BUT the so called v2 by MSFT was written by me and is already outdated, as on my own GitHub I have the latest version published (https://github.com/zjorz/Public-AD-Scripts). This version was published there before Jared “copied” mine from Script Gallery to MSFT GitHub. It is a bit weird what happened, as MSFT moved “my script” and notified me afterwards.

    My script also supports RODCs and has multiple TEST modes to help you get an impression of things without impacting your environment.

    I have had a few requests to automate the script. I declined that request as I do not believe you should automate this, as things can go wrong for multiple environmental reasons. It contains multiple safety measures to make sure things do not go wrong. Automation means even more complexity.

    Best regards,
    Jorge

    3 people found this answer helpful.

4 additional answers

Sort by: Most helpful
  1. Thameur-BOURBITA 32,511 Reputation points
    2020-09-16T22:43:48.767+00:00

    Hi,

    *which one is the latest & "better" one to use?*

    Both scripts do the same work (reset the krbtgt account).
    I recommend you to test them in your test environment before running them in your production environment.

    *Is it recommended & safe to change the Kerberos account password on our On-Prem Domain Controllers while most users are off-site?*

    The krbtgt password must be changed twice, at least one time per year.
    When you change the password the first time, wait 1 or 2 weekends at least in order to ensure that the new password is replicated to all domain controllers in the domain.

    Please don't forget to mark this reply as answer if it helps to fix your issue.

    1 person found this answer helpful.

  2. JoeAdmin 26 Reputation points
    2020-11-11T17:49:01.19+00:00

    Thanks to everyone for chiming in. Reset the password for the Kerberos krbtgt account in our Domain this morning, after Mode 1 & 2 passed all tests. Will be changing it a 2nd time after the default 10 hr max ticket renewal lifetime (later this week). Thanks again!

    1 person found this answer helpful.
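A readiness check for the "wait before the second reset" step that the two answers above describe (replication to every DC, then the maximum ticket lifetime elapsing), as an added example that is not part of any post on this page and not taken from either script discussed. It assumes the RSAT ActiveDirectory module and rights to query each DC; the function name and the 10-hour default are the author's own choices, the latter matching the default max ticket lifetime mentioned in the thread.

```powershell
# Added example: verify that the first krbtgt reset has replicated to all
# writable DCs and that the max ticket lifetime has passed before reset #2.
# Assumes RSAT ActiveDirectory module; function name is hypothetical.
Import-Module ActiveDirectory

function Test-KrbtgtSecondResetReady {
    param(
        # Assumption: 10 hours is the domain's maximum TGT lifetime (the
        # default, as noted in the thread). Adjust if your policy differs.
        [TimeSpan]$MaxTicketLifetime = (New-TimeSpan -Hours 10)
    )

    # Writable DCs only: RODCs use their own krbtgt_<id> accounts, which the
    # scripts discussed in this thread handle as a separate step.
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }

    # Read pwdLastSet for krbtgt directly from each DC, not via the nearest one,
    # so a DC that has not yet received the change shows the old timestamp.
    $results = foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity 'krbtgt' -Server $dc.HostName -Properties PasswordLastSet
            [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $u.PasswordLastSet; Error = $null }
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $null; Error = $_.Exception.Message }
        }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host

    $unreachable = @($results | Where-Object { $_.Error })
    $times = @($results | Where-Object { -not $_.Error } |
        Select-Object -ExpandProperty PasswordLastSet | Sort-Object -Unique)

    # Replicated when every reachable DC reports the same PasswordLastSet value.
    $replicated = ($times.Count -eq 1) -and ($unreachable.Count -eq 0)
    $elapsed = if ($times.Count -gt 0) { (Get-Date) - $times[-1] } else { New-TimeSpan }
    $lifetimePassed = $elapsed -ge $MaxTicketLifetime

    [pscustomobject]@{
        WritableDCs      = $dcs.Count
        UnreachableDCs   = $unreachable.Count
        DistinctValues   = $times.Count
        SinceLastReset   = $elapsed
        Replicated       = $replicated
        LifetimePassed   = $lifetimePassed
        ReadyForReset2   = $replicated -and $lifetimePassed
    }
}

Test-KrbtgtSecondResetReady
```

Unreachable DCs count as "not ready" on purpose: a DC you cannot query may also be one that has not replicated, and its users would still hold tickets under the old key.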

  3. N Uduwawala 5 Reputation points
    2023-02-08T12:51:02.51+00:00

    I know this is a very old post. Can someone (preferably Jorge) point me in the right direction for the latest script here please? Thanks

    1 person found this answer helpful.

  4. Alex Wong Kok Hoe 1 Reputation point
    2021-05-07T09:01:54.81+00:00

    @JoeAdmin Did you manage to change it a 2nd time successfully without any issues?