(2020-04-06) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 5)

Some time ago I wrote a PowerShell script to reset the KrbTgt Account Password of both RWDCs and RODCs.

–

More information can be found through the following link:

• (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
• (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)
• (2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)
• (2020-02-10) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 3)
• (2020-02-18) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 4)

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs

–

Since the last time, the script was published, the following changes were made:

v2.8, 2020-04-02, Jorge de Almeida Pinto [MVP-EMS]:

• – Fixed an issue when the RODC itself is not reachable/available, whereas in that case, the source should be the RWDC with the PDC FSMO
• – Checks to make sure both the RWDC with the PDC FSMO role and the nearest RWDC are available. If either one is not available, the script will abort

v2.7, 2020-04-02, Jorge de Almeida Pinto [MVP-EMS]:

• – Added DNS name resolution check to the portConnectionCheck function
• – To test membership of the administrators group in a remote AD forest the "title" attribute is now used instead of the "displayName" attribute to try to write to it
• – Removed usage of $remoteADforest variable and only use the $localADforest variable
• – Removed usage of $remoteCredsUsed variable and only use the $adminCrds variable (Was $adminCreds)
• – Added a warning if the special purpose krbtgt account ‘Krbtgt_AzureAD’ is discovered in the AD domain
• – If the number of RODCs in the AD domain is 0, then it will not present the options for RODCs
• – If the number of RODCs in the AD domain is 1 of more, amd you chose to manually specify the FQDN of RODCs to process, it will present a list of RODCs to choose from
• – Operational modes have been changed (WARNING: pay attention to what you choose!). The following modes are the new modes
• – 1 – Informational Mode (No Changes At All)
• – 2 – Simulation Mode | Temporary Canary Object Created To Test Replication Convergence!
• – 3 – Simulation Mode | Use KrbTgt TEST/BOGUS Accounts – No Password Reset/WhatIf Mode!
• – 4 – Real Reset Mode | Use KrbTgt TEST/BOGUS Accounts – Password Will Be Reset Once!
• – 5 – Simulation Mode | Use KrbTgt PROD/REAL Accounts – No Password Reset/WhatIf Mode!
• – 6 – Real Reset Mode | Use KrbTgt PROD/REAL Accounts – Password Will Be Reset Once!
• – When choosing RODC Krb Tgt Account scope the following will now occur:
• – If the RODC is not reachable, the real source RWDC of the RODC cannot be determined. In that case, the RWDC with the PDC FSMO role is used as the source for the change and replication
• – If the RODC is reachable, but the real source RWDC of the RODC is not reachable it cannot be used as the source for the change and replication. In that case, the RWDC with the PDC FSMO role is used as the source for the change and replication
• – Sections with ‘#XXX’ have been removed
• – Calls using the CMDlet ‘Get-ADReplicationAttributeMetadata’ (W2K12 and higher) have been replaced with .NET calls to support older OS’es such as W2K8 and W2K8R2. A function has been created to retrieve metadata
• – Some parts were rewritten/optimized

v2.6, 2020-02-25, Jorge de Almeida Pinto [MVP-EMS]:

• – Removed code that was commented out
• – Logging where the script is being executed from
• – Updated the function ‘createTestKrbTgtADAccount’ to also include the FQDN of the RODC for which the Test KrbTgt account is created for better recognition
• – In addition to the port 135 (RPC Endpoint Mapper) and 389 (LDAP), the script will also check for port 9389 (AD Web Service) which is used by the ADDS PoSH CMDlets
• – Updated script to included more ‘try/catch’ and more (error) logging, incl. line where it fails, when things go wrong to make troubleshooting easier

–

Have fun!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-