Resetting the Krbtgt Account Password in a Domain - which PowerShell Script to Use?

JoeAdmin 26 Reputation points
2020-09-16T15:53:21.007+00:00

Hello All,

I have 2 questions related to resetting the Krbtgt account password in a Domain, of which there are 2 main PS scripts (as you know) out on TechNet & GitHub - "New-CtmADKrbtgtKeys.ps1" & "Reset-KrbTgt-Password-for-RWDCS-And-RODCS.ps1 (now shown on GitHub as Reset-KerberosServiceV2.ps1)". These are both authored & enhanced by Jared Poeppelman (Microsoft) & Jorge de Almeida Pinto (MCC & MVP):

1) Although I'm leaning towards using the "Reset-KerberosServiceV2.ps1" script in my Domain, its v2.5 was updated on 2020-02-17, while the "New-CtmADKrbtgtKeys.ps1" script was updated on 2020-05-14. Since both Jared & Jorge seem to be involved in the writing/updating of both scripts, which one is the latest & "better" one to use? I apologize in advance for not being a PS expert, so I can't effectively extrapolate the contents of the 2 scripts for a successful comparison. I'm looking for an explanation as to the differences, & which script is the recommended one to use.

2) We'll be running this script in our On-Prem Domain (Hybrid w/ Azure), which is a School District. Of course, due to Covid, most of the students & teachers are remote teaching/learning from home. Some teachers use VPN, but none of the students do - most have not been on the Local Domain since April. Is it recommended & safe to change the Kerberos account password on our On-Prem Domain Controllers while most users are off-site? We do not want to cause any potential issues that may impact users while they are off-site, as well as when they return on-site.

Any & all recommendations would be most appreciated - thank you!

Tags: Active Directory, Windows Server Security, Azure Active Directory Domain Services, Windows Server PowerShell

Accepted answer
  1. Jorge de Almeida Pinto [MVP] 91 Reputation points
    2020-09-17T18:54:23.627+00:00

    Hi,

    To be clear on a few things:
    Jared wrote the v1 script.
    Based upon the v1 script, I rewrote the script, added tons of features and that is how v2 was born. BUT the so-called v2 by MSFT was written by me and is already outdated, as on my own GitHub I have the latest version published (https://github.com/zjorz/Public-AD-Scripts). This version was published there before Jared "copied" mine from Script Gallery to MSFT GitHub. It is a bit weird what happened, as MSFT moved "my script" and notified me afterwards.

    My script also supports RODCs and has multiple TEST modes to help you get an impression of things without impacting your environment.

    I have had a few requests to automate the script. I declined that request as I do not believe you should automate this, as things can go wrong for multiple environmental reasons. It contains multiple safety measures to make sure things do not go wrong. Automation means even more complexity.

    Best regards,
    Jorge


3 additional answers

  1. BOURBITA Thameur 12,241 Reputation points Microsoft MVP
    2020-09-16T22:43:48.767+00:00

    Hi,

    *Which one is the latest & "better" one to use?*

    Both scripts do the same work (reset the krbtgt account).
    I recommend you test them in your test environment before running them in your production environment.

    *Is it recommended & safe to change the Kerberos account password on our On-Prem Domain Controllers while most users are off-site?*

    The krbtgt password must be changed twice, at least once per year.
    When you change the password the first time, wait 1 or 2 weekends at least in order to ensure that the new password is replicated to all domain controllers in the domain.

    Please don't forget to mark this reply as the answer if it helps to fix your issue.


  2. JoeAdmin 26 Reputation points
    2020-11-11T17:49:01.19+00:00

    Thanks to everyone for chiming in. Reset the password for the Kerberos krbtgt account in our Domain this morning, after Mode 1 & 2 passed all tests. Will be changing it a 2nd time after the default 10 hr max ticket renewal lifetime (later this week). Thanx again!
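    Both BOURBITA's advice (confirm the first reset has replicated to every DC before the second one) and JoeAdmin's plan (wait out the maximum ticket lifetime, 10 hours by default policy) can be verified with a read-only check. The script below is an added example written for this page; it is not part of either reset script discussed in the thread. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to each DC, and it never modifies the account: it reads krbtgt's PasswordLastSet directly from each writable DC, reports whether all copies agree, and whether the configured lifetime has elapsed.

```powershell
# Added example, not from the thread or either krbtgt script. Read-only: queries each
# writable DC directly (-Server) so replication lag is visible, then decides whether a
# second krbtgt reset is safe. RODCs are skipped because each has its own krbtgt_<id>.
Import-Module ActiveDirectory

function Test-KrbtgtResetReplicated {
    param(
        # Default Kerberos policy "Maximum lifetime for user ticket" is 10 hours;
        # pass your domain's actual value if the GPO has been changed.
        [int]$MaxTicketLifetimeHours = 10
    )
    $domain = Get-ADDomain
    $perDc = foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        try {
            $acct = Get-ADUser -Identity 'krbtgt' -Server $dc.HostName -Properties PasswordLastSet
            [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $acct.PasswordLastSet; Error = $null }
        } catch {
            # An unreachable DC is reported, and treated as "not confirmed replicated".
            [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $null; Error = $_.Exception.Message }
        }
    }
    $reachable  = $perDc | Where-Object { $_.PasswordLastSet }
    $distinct   = @($reachable.PasswordLastSet | Sort-Object -Unique)
    $replicated = ($distinct.Count -eq 1) -and ($reachable.Count -eq $perDc.Count)
    $newest     = ($reachable.PasswordLastSet | Measure-Object -Maximum).Maximum
    $hours      = if ($newest) { [math]::Round(((Get-Date) - $newest).TotalHours, 1) } else { $null }

    [pscustomobject]@{
        Domain             = $domain.DNSRoot
        PerDC              = $perDc
        FullyReplicated    = $replicated
        HoursSinceReset    = $hours
        # Only proceed with the second reset when every DC already holds the new key
        # and no ticket issued under the previous key can still be outstanding.
        SafeForSecondReset = $replicated -and ($hours -gt $MaxTicketLifetimeHours)
    }
}

$report = Test-KrbtgtResetReplicated
$report.PerDC | Format-Table DC, PasswordLastSet, Error -AutoSize
$report | Select-Object Domain, FullyReplicated, HoursSinceReset, SafeForSecondReset | Format-List
```

    Run it after the first reset and again before the second; a DC whose PasswordLastSet lags the others has not yet received the change, and the ticket-lifetime gate only counts from the newest value. This complements, rather than replaces, the test modes built into Jorge's script.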


  3. Alex Wong 1 Reputation point
    2021-05-07T09:01:54.81+00:00

    @JoeAdmin Did you manage to change it a 2nd time successfully without any issues?
