(2023-03-04) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 7)

e time ago I wrote a PowerShell script to reset the KrbTgt Account Password of both RWDCs and RODCs.

–

More information can be found through the following link:

• (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
• (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)
• (2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)
• (2020-02-10) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 3)
• (2020-02-18) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 4)
• (2020-04-06) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 5)
• (2022-12-21) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 6)

This new version has a MINOR bug fix, related to a bug in the S.DS.P. DLLs reporting an incorrect FFL/DFL when either one is running 2016.

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs (PS1). If you want to use one of the new features to e-mail the log file, then you also need the XML that stores the mail-related settings. You can download the XML through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs (XML)

–

Since the last time, the script was published, the following changes were made:

• v3.4, 2023-03-04, Jorge de Almeida Pinto [MVP-EMS]:
  • – Bug Fix: The PowerShell CMDlets from the ActiveDirectory module DO recognize the 2016 FFL and DFL. The script DOES NOT use those anymore, but instead uses S.DS.P.. The issue appears to be that MSFT did update the ActiveDirectory PowerShell module to recognize the 2016 FFL/DFL, but they apparently did not update the S.DS.P. DLLs to do the same. The script itself now detects this and reports the correct FFL/DFL when it is 2016

–

HAVE FUN!

–

PS: Got any feedback or request, please use Github to report bugs or requests! Thanks!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided “AS IS” with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### IAMTEC | Jorge’s Quest For Knowledge ##########################
#################### https://jorgequestforknowledge.wordpress.com/ ###################

————————————————————————————————————————————————————

IAMTEC

Identity | Security | Recovery

————————————————————————————————————————————————————-

(2022-12-21) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 6)

Some time ago I wrote a PowerShell script to reset the KrbTgt Account Password of both RWDCs and RODCs.

–

More information can be found through the following link:

• (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
• (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)
• (2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)
• (2020-02-10) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 3)
• (2020-02-18) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 4)
• (2020-04-06) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 5)

Compared to the previous versions, this new version has many new updates and new features. It took some serious time to code everything, and also to test all scenarios I could think off. I deem it ready to be release to the public for all the benefit from!

Merry Christmas all, and sorry it took so long to release this. Hope it helps to stay secure and it makes your life easier!

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs (PS1). If you want to use one of the new features where you want to e-mail the log file, then you also need the XML that store the mail related settings. You can download the XML through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs (XML)

–

Since the last time, the script was published, the following changes were made:

• v3.3, 2022-12-20, Jorge de Almeida Pinto [MVP-EMS]:
  • Bug Fix: updated the attribute type when specifying the number of the AD domain instead of the actual FQDN of the AD domain

• v3.2, 2022-11-05, Jorge de Almeida Pinto [MVP-EMS]:
  • New Feature: Adding support for scheduled/automated password reset of KrbTgt account password for either all RWDCs, all individual RODCs or specific RODCs
  • New Feature: Added mail function and parameter to mail the log file for review after execution with results
  • New Feature: Adding support for signed mail
  • New Feature: Adding support for encrypted mail
  • Bug Fix: Minor textual fixes
  • Bug Fix: fix an issue where one confirmation of continueOrStop would be inherited by the next
  • Bug Fix: fix an issue where the forest root domain would always be chosen as the source for replication and GPOs instead of the chosen AD domain when using custom credentials.
    This caused replicate single object to fail and for the determination of the Kerberos settings in the resultant GPO
  • Code Improvement: Added function getServerNames to retrieve server related names/FQDNs
  • Code Improvement: Added support for disjoint namespace, e.g. AD domain FQDN = ADDOMAIN.COM and DCs FQDN for that AD domain = .SOMEDNSDOMAIN.COM
  • Code Improvement: Removed ALL dependencies for the ActiveDirectory PoSH module and replaced those with alternatives
  • Code Improvement: Redefinition of tables holding data for processing
  • Code Improvement: Upgraded to S.DS.P PowerShell Module v2.1.5 (2022-09-20)
  • Improved User Experience: Added the NetBIOS name of the AD domain to the list of AD domains in an AD forest
  • Improved User Experience: Added the option to the function to install required PoSH modules when not available
  • Improved User Experience: Added support to specify the number of an AD domain in the list instead of its FQDN

• v3.1, 2022-06-06, Jorge de Almeida Pinto [MVP-EMS]:
  • Improved User Experience: The S.DS.P PowerShell Module v2.1.4 has been included into this script (with permission and under GPL license) to remove the dependency of the AD PowerShell Module when querying objects in AD. The
    ActiveDirectory PowerShell module is still used to get forest, domain, and domaincontroller information.
  • Improved User Experience: Removed dependency for port 135 (RPC Endpoint Mapper) and 9389 (AD Web Service)
  • Bug Fix: Getting the description of the Test KrbTgt accounts in remote AD forest with explicit credentials to compare and fix later
  • Code Improvement: In addition to check for the correct description, also check if the test KrbTgt accounts are member of the correct groups
  • Code Improvement: Updated function createTestKrbTgtADAccount
  • Bug Fix: Minor textual fixes

• v3.0, 2022-05-27, Jorge de Almeida Pinto [MVP-EMS]:
  • Bug Fix: Changed variable from $pwd to $passwd
  • Bug Fix: Variable used in single-quoted string. Wrapped in double-quote to fix
  • Bug Fix: Fix missing conditions and eventually credentials when connecting to a remote untrusted AD forest
  • Code Improvement: Minor improvements through scripts
  • Code Improvement: Changed variable from $passwordNrChars to $passwdNrChars
  • Code Improvement: Updated function confirmPasswordIsComplex
  • Code Improvement: Instead of assuming the “Max Tgt Lifetime In Hours” And the “Max Clock Skew In Minutes” is configured in the Default Domain GPO policy (the default)
    It now performs an RSoP to determine which GPO provides the authoritative values, and then uses the values from that GPO
  • Code Improvement: Added check for required PowerShell module on remote RWDC when running Invoke-Command CMDlet
  • Code Improvement: Added function ‘requestForAdminCreds’ to request for admin credentials
  • Improved User Experience: Specifically mentioned the requirement for the ADDS PoSH CMDlets and the GP PoSH CMDlets
  • Improved User Experience: Checking AD forest existence through RootDse connection in addition to DNS resolution
  • Code Improvement: Added a variable for connectionTimeout and changed the default of 500ms to 2000ms

• v2.9, 2021-05-04, Jorge de Almeida Pinto [MVP-EMS]:
  • Improved User Experience: Added additional info and recommendations
  • New Feature: Added function to check UAC elevation status, and if not elevated to start the script automatically using an elevated PowerShell Command Prompt

–

HAVE FUN!

–

PS: Got any feedback or request, please use Github to report bugs or requests! Thanks!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided “AS IS” with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### IAMTEC | Jorge’s Quest For Knowledge ##########################
#################### https://jorgequestforknowledge.wordpress.com/ ###################

————————————————————————————————————————————————————

IAMTEC

Identity | Security | Recovery

————————————————————————————————————————————————————-

(2020-04-06) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 5)

Some time ago I wrote a PowerShell script to reset the KrbTgt Account Password of both RWDCs and RODCs.

–

More information can be found through the following link:

• (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
• (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)
• (2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)
• (2020-02-10) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 3)
• (2020-02-18) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 4)

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs

–

Since the last time, the script was published, the following changes were made:

v2.8, 2020-04-02, Jorge de Almeida Pinto [MVP-EMS]:

• – Fixed an issue when the RODC itself is not reachable/available, whereas in that case, the source should be the RWDC with the PDC FSMO
• – Checks to make sure both the RWDC with the PDC FSMO role and the nearest RWDC are available. If either one is not available, the script will abort

v2.7, 2020-04-02, Jorge de Almeida Pinto [MVP-EMS]:

• – Added DNS name resolution check to the portConnectionCheck function
• – To test membership of the administrators group in a remote AD forest the "title" attribute is now used instead of the "displayName" attribute to try to write to it
• – Removed usage of $remoteADforest variable and only use the $localADforest variable
• – Removed usage of $remoteCredsUsed variable and only use the $adminCrds variable (Was $adminCreds)
• – Added a warning if the special purpose krbtgt account ‘Krbtgt_AzureAD’ is discovered in the AD domain
• – If the number of RODCs in the AD domain is 0, then it will not present the options for RODCs
• – If the number of RODCs in the AD domain is 1 of more, amd you chose to manually specify the FQDN of RODCs to process, it will present a list of RODCs to choose from
• – Operational modes have been changed (WARNING: pay attention to what you choose!). The following modes are the new modes
• – 1 – Informational Mode (No Changes At All)
• – 2 – Simulation Mode | Temporary Canary Object Created To Test Replication Convergence!
• – 3 – Simulation Mode | Use KrbTgt TEST/BOGUS Accounts – No Password Reset/WhatIf Mode!
• – 4 – Real Reset Mode | Use KrbTgt TEST/BOGUS Accounts – Password Will Be Reset Once!
• – 5 – Simulation Mode | Use KrbTgt PROD/REAL Accounts – No Password Reset/WhatIf Mode!
• – 6 – Real Reset Mode | Use KrbTgt PROD/REAL Accounts – Password Will Be Reset Once!
• – When choosing RODC Krb Tgt Account scope the following will now occur:
• – If the RODC is not reachable, the real source RWDC of the RODC cannot be determined. In that case, the RWDC with the PDC FSMO role is used as the source for the change and replication
• – If the RODC is reachable, but the real source RWDC of the RODC is not reachable it cannot be used as the source for the change and replication. In that case, the RWDC with the PDC FSMO role is used as the source for the change and replication
• – Sections with ‘#XXX’ have been removed
• – Calls using the CMDlet ‘Get-ADReplicationAttributeMetadata’ (W2K12 and higher) have been replaced with .NET calls to support older OS’es such as W2K8 and W2K8R2. A function has been created to retrieve metadata
• – Some parts were rewritten/optimized

v2.6, 2020-02-25, Jorge de Almeida Pinto [MVP-EMS]:

• – Removed code that was commented out
• – Logging where the script is being executed from
• – Updated the function ‘createTestKrbTgtADAccount’ to also include the FQDN of the RODC for which the Test KrbTgt account is created for better recognition
• – In addition to the port 135 (RPC Endpoint Mapper) and 389 (LDAP), the script will also check for port 9389 (AD Web Service) which is used by the ADDS PoSH CMDlets
• – Updated script to included more ‘try/catch’ and more (error) logging, incl. line where it fails, when things go wrong to make troubleshooting easier

–

Have fun!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2020-03-30) Resetting The Password Of The Special Purpose KrbTgt Account For Azure AD

To reset the password of krbtgt accounts in the AD domain I have written a script that helps you with that.

More information can be found through the following links:

• (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
• (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)
• (2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)
• (2020-02-10) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 3)
• (2020-02-18) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 4)

–

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs

–

With the passwordless investments made by Microsoft, a preview currently is available to also use passwordless authentication using security keys against the on-premises AD. You can read more about it through the following link:

• Enable passwordless security key sign-in to on-premises resources with Azure Active Directory (preview)

–

To achieve the goal of passwordless authentication using security keys against AD, a special krbtgt account (‘Krbtgt_AzureAD’) is created in every single AD domain where that is required. That krbtgt account is very similar to a krbtgt account for an RODC and represents Azure AD for a specific AD domain. Like any other krbtgt account, that krbtgt account also requires to have its password reset and keys rotated. Very important to note here, is the password reset should not be done like any other regular password reset, but instead a special procedure should be followed. The PowerShell script that I mention above DOES NOT impact that special krbtgt account. Including with other updates, I will update the PowerShell script to warn you if it finds that special krbtgt account in the AD domain, and also include the method and steps to officially reset the password and rotate the keys.

–

To officially officially reset the password and rotate the keys, use the following steps:

• Go to an Azure AD Connect server (v1.4.32.0 or later)
• Open a PowerShell Command Prompt window
• In that window execute the following commands:

# Import The PowerShell Module For Azure AD Kerberos Server
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

# AD Domain FQDN To Target
$adDdomainFQDN = Read-Host "AD Domain FQDN To Target"

# AD Domain/Enterprise Admin Credentials
$adDomainAdminAccount = Read-Host "AD Admin Account"
$adDomainAdminPassword = Read-Host "AD Admin Account Password" -AsSecureString
$secureAdDomainAdminPassword = ConvertTo-SecureString $adDomainAdminPassword -AsPlainText -Force
$adDomainAdminCreds = New-Object System.Management.Automation.PSCredential $adDomainAdminAccount, $secureAdDomainAdminPassword

# Azure AD Global Admin Credentials
$aadDomainAdminAccount = Read-Host "Azure AD Admin Account"
$aadDomainAdminPassword = Read-Host "Azure AD Admin Account Password" -AsSecureString
[string]$aadDomainAdminPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($aadDomainAdminPassword))
$secureAadDomainAdminPassword = ConvertTo-SecureString $aadDomainAdminPassword -AsPlainText -Force
$aadDomainAdminCreds = New-Object System.Management.Automation.PSCredential $aadDomainAdminAccount, $secureAadDomainAdminPassword

# Check the CURRENT status of the Azure AD Kerberos Server object in Active Directory
Get-AzureADKerberosServer -Domain $adDdomainFQDN -DomainCredential $adDomainAdminCreds -CloudCredential $aadDomainAdminCreds

# Reset the password and rotate the keys
Set-AzureADKerberosServer -Domain $adDdomainFQDN -DomainCredential $adDomainAdminCreds -CloudCredential $aadDomainAdminCreds -RotateServerKey

# Check the NEW status of the Azure AD Kerberos Server object in Active Directory
Get-AzureADKerberosServer -Domain $adDdomainFQDN -DomainCredential $adDomainAdminCreds -CloudCredential $aadDomainAdminCreds

REMARKS:

• For AD, domain or enterprise admin credentials are required
• For AAD, global admin credentials are required (accounts with MFA are supported!)
• Make sure the ‘KeyVersion’ value matches the ‘CloudKeyVersion’ value and the ‘KeyUpdatedOn’ value matches the ‘CloudKeyUpdatedOn’ value!

–

Figure 1A: The Popup You Will Get When The AAD Global Admin Account Is MFA Enabled Or Is Targeted Through Conditional Access For MFA

–

Figure 1B: The Popup You Will Get When The AAD Global Admin Account Is MFA Enabled Or Is Targeted Through Conditional Access For MFA

–

Figure 2: When Having The Correct Version Of Azure AD Connect And The KrbTgt Account Does Not Yet Exist

–

Figure 3: The Initial Creation Of The KrbTgt Account For Azure AD

–

Figure 4: How The KrbTgt Account Looks Like Under The Hood

–

Figure 5A: The Placeholder RODC Computer Account For The KrbTgt Account

–

Figure 5B: The Placeholder RODC Computer Account For The KrbTgt Account

–

Figure 6: Result After Resetting The Password Of The KrbTgt Account Like Any Other KrbTgt Account (DO NOT Do This!)

–

Fixing regular reset: Set-AzureADKerberosServer -Domain <AD Domain FQDN> -DomainCredential <AD Domain Admin Creds> -CloudCredential <AAD Global Admin Creds> –RotateServerKey

Official reset: Set-AzureADKerberosServer -Domain <AD Domain FQDN> -DomainCredential <AD Domain Admin Creds> -CloudCredential <AAD Global Admin Creds> -RotateServerKey

Figure 7: Fixing A Regular Reset And Officially Resetting The Passwords

–

Figure 8: Too Frequent (Within 24 Hours) Password Resets Generates A Warning

–

Set-AzureADKerberosServer : You must wait 24 hours in between rolling the Azure AD Kerberos Server keys. Rolling keys too frequently may result in service disruption. You may use the Force option to ignore this warning.
At line:1 char:1
+ Set-AzureADKerberosServer -Domain $adDomainFQDN -DomainCredential $ad …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-AzureADKerberosServer], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.AzureAD.Kdc.Management.SetAzureADKerberosServer

–

Have fun!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2020-02-18) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 4)

Some time ago I wrote a PowerShell script to reset the KrbTgt Account Password of both RWDCs and RODCs.

–

More information can be found through the following link:

• (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
• (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)
• (2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)
• (2020-02-10) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 3)

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs

–

Changes:

    v2.5, 2020-02-17, Jorge de Almeida Pinto [MVP-EMS]:

        – To improve performance, for some actions the nearest RWDC is discovered instead of using the RWDC with the PDC FSMO Role

–

This was tested in a globally distributed multi-domain AD forest. From 17 minutes down to 43 seconds. Previously the RWDC with the PDC FSMO role was targeted for everything. Now for some queries, the nearest RWDC is used instead which makes it seriously faster. Anyone else with a globally distributed (multi-domain) AD forest should benefit from this if the RWDC with the PDC FSMO is not that near or accessible through slow lines.

–

Have fun!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2020-02-10) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 3)

Some time ago I wrote a PowerShell script to reset the KrbTgt Account Password of both RWDCs and RODCs.

–

More information can be found through the following link:

• (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
• (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)
• (2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs

–

Changes:

    v2.4, 2020-02-10, Jorge de Almeida Pinto [MVP-EMS]:

        – Checked script with Visual Studio Code and fixed all "problems" identified by Visual Studio Code

            – Variable "$remoteCredsUsed" is ignored by me, as the problem is due to the part ‘Creds’ in the variable name

            – Variable "$adminCreds" is ignored by me, as the problem is due to the part ‘Creds’ in the variable name

        – Bug Fix: Fixed language specific issue with the groups ‘Allowed RODC Password Replication Group’ and ‘Denied RODC Password Replication Group’

        – Added support to execute this script against a remote AD forest, either with or without a trust

–

Have fun!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2019-02-25) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 2)

Some time ago I wrote a PowerShell script to reset the KrbTgt Account Password of both RWDCs and RODCs.

–

More information can be found through the following link:

• (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs
• (2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs

–

The new version of the script has:

• 1 fix that resolved 2 issues at the same time!

–

Bug Fix: Removed the language specific error checking. Has been replaced with another check. This solution also resolved another issue when checking if a (RW/RO)DC was available or not

–

Have fun!

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2019-02-12) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs (Update 1)

Some time ago I wrote a PowerShell script to reset the KrbTgt Account Password of both RWDCs and RODCs.

–

More information can be found through the following link: (2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs

The script itself can be downloaded through the following link: Reset The KrbTgt Account Password/Keys For RWDCs/RODCs

–

The new version of the script has:

• 1 new feature
• 2 fixes

–

Bug Fix: Instead of searching for "Domain Admins" or "Enterprise Admins" membership, it resolves the default RIDs of those groups, combined with the corresponding domain SID, to the actual name of those domain groups. This helps in supporting non-english names of those domain groups.

Figure 1: Checking Admin Role Membership Based Upon Default RIDs And Corresponding Domain SIDs To Support Non-English Names Of Admin Groups

–

New Feature: Read and display metadata of the KrbTgt accounts before and after the password reset to assure it was really only updated once!

Figure 2: Additional Information Displayed After Resetting The Password

–

and…

Bug Fix: Added a try catch when enumerating details about a specific AD domain that appears not to be available. Instead of an ugly PowerShell exception/error, the table displays the AD domain is not available for targeting.

–

Have fun!

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2018-12-30) PowerShell Script To Reset The KrbTgt Account Password/Keys For Both RWDCs And RODCs

Information provided by Microsoft explaining why this is important

• KRBTGT Account Password Reset Scripts now available for customers

–

The original script written by Jared Poeppelman, who works for Microsoft.

• Reset The Krbtgt Account Password/Keys (Original From Microsoft)

–

This script can be downloaded through the following link:

• Reset The KrbTgt Account Password/Keys For RWDCs/RODCs (Rewritten By Jorge Supporting All The New Good Stuff below)
• Example Log Files

–

WARNING:

• DO NOT CHANGE THE SCRIPT IN ANY WAY, EXCEPT TO SUPPORT ANOTHER LANGUAGE AS EXPLAINED!
• MAKE SURE TO TEST THIS FIRST IN YOUR TEST/LAB ENVIRONMENT!!!
• DO NOT RESET THE PASSWORD OF THE PROD/REAL KRBTGT ACCOUNT(S) AFTER BEING WARNED ABOUT ANY IMPACT!
• BY THE WAY: YOU ARE ON YOUR OWN IF YOU SCREW UP AND DO NOT FOLLOW GUIDELINES!

–

As soon as the script starts you see a question if you want to see extensive information about the script, its behavior and impact. READ IT, therefore type YES. Typing NO, skips all that information, which is NOT recommended!

Figure 1: All Kinds Of Information About The Script And Anything Related To It

–

Assuming you typed YES, press any key to continue twice – more info is presented!

Figure 2: All Kinds Of Information About The Script And Anything Related To It

–

Assuming you typed YES, press any key to continue twice – more info is presented!

Figure 3: All Kinds Of Information About The Script And Anything Related To It

–

Assuming you typed YES, press any key to continue twice – more info is presented!

Figure 4: All Kinds Of Information About The Script And Anything Related To It

–

–

MODE 1 – Informational Mode (No Changes At All)

Here you get to choose the mode you want to executed…

 

Figure 5: Choosing The Mode Of Operation: “Mode 1 – Informational Mode (No Changes At All)”

–

The script presents information about the AD forest you are in such as the forest functional level (FFL), and all the AD domains detected, if it is the AD forest root domain, its domain functional level (DFL) and if it is the current AD domain. The current AD forest and AD domain are determined based upon the computer you are executing the PowerShell on.

To select an AD domain, you enter the FQDN of the chosen AD domain, or press [ENTER] for the current AD domain. Any AD domain specified is checked to see if it indeed exists in the AD forest.

Then a check is done to see if the account that is executing the PowerShell script either has Domain Admins membership (only if for the current AD domain) or it has Enterprise Admins membership (only if any other AD domain in the AD forest than the current AD domain)

Figure 6: Specifying An AD Domain To Target

–

For the chosen AD domain again all kinds of information is displayed, such as domain functional level (DFL), the RWDC with the PDC FSMO role and a full list of RWDCs and if applicable also a full list of RODCs. For every DC various information is displayed and if any DC is reachable or unreachable. Reachability is determined by checking both port TCP:135 (RPC Endpoint Mapper) and port TCP:389 (LDAP). In case of RODCs it also tried to check if an RODC is a real RODC. For example, there may be software/solutions in your AD that have been configured to mimic an RODC. An example of this are Riverbeds in RODC mode (or whatever it is called nowadays!)

If applicable, the script will list the full path of the LOG file with the exact same information as was displayed on screen, except without the colors

Figure 7: Presenting Information About The Targeted AD Domain

–

–

MODE 2 – Simulation Mode (Temporary Canary Object Created, No Password Reset!)

Here you get to choose the mode you want to executed…

Figure 8: Choosing The Mode Of Operation: “Mode 2 – Simulation Mode (Temporary Canary Object Created, No Password Reset!)”

–

The script presents information about the AD forest you are in such as the forest functional level (FFL), and all the AD domains detected, if it is the AD forest root domain, its domain functional level (DFL) and if it is the current AD domain. The current AD forest and AD domain are determined based upon the computer you are executing the PowerShell on.

To select an AD domain, you enter the FQDN of the chosen AD domain, or press [ENTER] for the current AD domain. Any AD domain specified is checked to see if it indeed exists in the AD forest.

Then a check is done to see if the account that is executing the PowerShell script either has Domain Admins membership (only if for the current AD domain) or it has Enterprise Admins membership (only if any other AD domain in the AD forest than the current AD domain)

Figure 9: Specifying An AD Domain To Target

–

For the chosen AD domain again all kinds of information is displayed, such as domain functional level (DFL), the RWDC with the PDC FSMO role and a full list of RWDCs and if applicable also a full list of RODCs. For every DC various information is displayed and if any DC is reachable or unreachable. Reachability is determined by checking both port TCP:135 (RPC Endpoint Mapper) and port TCP:389 (LDAP). In case of RODCs it also tried to check if an RODC is a real RODC. For example, there may be software/solutions in your AD that have been configured to mimic an RODC. An example of this are Riverbeds in RODC mode (or whatever it is called nowadays!)

Figure 10: Presenting Information About The Targeted AD Domain

–

If applicable for the chose mode, you now need to choose the scope of that mode. Although it asks which “KrbTgt Account” to target, it really means which scope the PowerShell should use for the chosen mode of operation. The combination of the choices regarding the mode of operation and if applicable its scope, really determine what will happen!

Figure 11: Choosing The Scope For The Previously Chosen Mode Of Operation

–

Because, the choice for the scope was “1 – Scope of KrbTgt in use by all RWDCs in the AD domain”, the temporary canary object is created on the RWDC with the PDC FSMO role and then every other reachable RWDC is checked for its existence to determine how long it took to replicate.

If the scope was “2 – Scope of KrbTgt in use by specific RODC – Single RODC in the AD Domain”, it would create temporary canary object on the RWDC the RODC is using as its AD replication source. Assuming both are reachable only that RWDC and the RODC are checked for its existence to determine how long it took to replicate. If the scope was “3 – Scope of KrbTgt in use by specific RODC – Multiple RODCs in the AD Domain” or “4 – Scope of KrbTgt in use by specific RODC – All RODCs in the AD Domain” it would do exactly the same for every individual targeted RODC. If the RODC is not reachable, and/or its replication source RWDC is not reachable, it will the RWDC with the PDC FSMO role as the originating RWDC.

If applicable, the script will list the full path of the LOG file with the exact same information as was displayed on screen, except without the colors.

Figure 12: Creating A Temporary Canary Object For The Chosen Scope

–

–

MODE 8 – Create TEST KrbTgt Accounts

Here you get to choose the mode you want to executed…

Figure 13: Choosing The Mode Of Operation: “Mode 8 – Create TEST KrbTgt Accounts”

–

The script presents information about the AD forest you are in such as the forest functional level (FFL), and all the AD domains detected, if it is the AD forest root domain, its domain functional level (DFL) and if it is the current AD domain. The current AD forest and AD domain are determined based upon the computer you are executing the PowerShell on.

To select an AD domain, you enter the FQDN of the chosen AD domain, or press [ENTER] for the current AD domain. Any AD domain specified is checked to see if it indeed exists in the AD forest.

Then a check is done to see if the account that is executing the PowerShell script either has Domain Admins membership (only if for the current AD domain) or it has Enterprise Admins membership (only if any other AD domain in the AD forest than the current AD domain)

Figure 14: Specifying An AD Domain To Target

–

For the chosen AD domain again all kinds of information is displayed, such as domain functional level (DFL), the RWDC with the PDC FSMO role and a full list of RWDCs and if applicable also a full list of RODCs. For every DC various information is displayed and if any DC is reachable or unreachable. Reachability is determined by checking both port TCP:135 (RPC Endpoint Mapper) and port TCP:389 (LDAP). In case of RODCs it also tried to check if an RODC is a real RODC. For example, there may be software/solutions in your AD that have been configured to mimic an RODC. An example of this are Riverbeds in RODC mode (or whatever it is called nowadays!)

Figure 15: Presenting Information About The Targeted AD Domain

–

If the mode of operation was to create TEST/BOGUS KrbTgt accounts to simulate the password reset, it will the determine the name of the KrbTgt account for RWDCs (being KRBTGT, duh!) and if applicable and real RODCs exist in the AD domain it will determine the name of the KrbTgt account for every individual RODC (being KRBTGT_<number>) by reading the forward link value from the RODC computer account. Either way, after determining the value for the KrbTgt account name, it adds “_TEST” to the name and creates it. However, it does check if the TEST/BOGUS KrbTgt accounts already exist. If it already exists, it will skip that account and if it does not exist it will create it!

If applicable, the script will list the full path of the LOG file with the exact same information as was displayed on screen, except without the colors.

Figure 16: Presenting The Resulting Information Of The Chosen Mode Of Operation And Scope

–

–

MODE 3 – Simulation Mode – Use KrbTgt TEST/BOGUS Accounts (Password Will Be Reset Once!)

Here you get to choose the mode you want to executed…

Figure 17: Choosing The Mode Of Operation: “Mode 3 – Simulation Mode – Use KrbTgt TEST/BOGUS Accounts (Password Will Be Reset Once!)”

–

The script presents information about the AD forest you are in such as the forest functional level (FFL), and all the AD domains detected, if it is the AD forest root domain, its domain functional level (DFL) and if it is the current AD domain. The current AD forest and AD domain are determined based upon the computer you are executing the PowerShell on.

To select an AD domain, you enter the FQDN of the chosen AD domain, or press [ENTER] for the current AD domain. Any AD domain specified is checked to see if it indeed exists in the AD forest.

Then a check is done to see if the account that is executing the PowerShell script either has Domain Admins membership (only if for the current AD domain) or it has Enterprise Admins membership (only if any other AD domain in the AD forest than the current AD domain)

Figure 18: Specifying An AD Domain To Target

–

For the chosen AD domain again all kinds of information is displayed, such as domain functional level (DFL), the RWDC with the PDC FSMO role and a full list of RWDCs and if applicable also a full list of RODCs. For every DC various information is displayed and if any DC is reachable or unreachable. Reachability is determined by checking both port TCP:135 (RPC Endpoint Mapper) and port TCP:389 (LDAP). In case of RODCs it also tried to check if an RODC is a real RODC. For example, there may be software/solutions in your AD that have been configured to mimic an RODC. An example of this are Riverbeds in RODC mode (or whatever it is called nowadays!)

Figure 19: Presenting Information About The Targeted AD Domain

–

If applicable for the chose mode, you now need to choose the scope of that mode. Although it asks which “KrbTgt Account” to target, it really means which scope the PowerShell should use for the chosen mode of operation. The combination of the choices regarding the mode of operation and if applicable its scope, really determine what will happen!

Figure 20: Choosing The Scope For The Previously Chosen Mode Of Operation

–

Because, the choice for the scope was “1 – Scope of KrbTgt in use by all RWDCs in the AD domain”, the password of the TEST/BOGUS KrbTgt account is reset on the RWDC with the PDC FSMO role and then every other reachable RWDC is checked for its existence to determine how long it took to replicate.

If the scope was “2 – Scope of KrbTgt in use by specific RODC – Single RODC in the AD Domain”, it would reset the password of the TEST/BOGUS KrbTgt account on the RWDC the RODC is using as its AD replication source. Assuming both are reachable only that RWDC and the RODC are checked for its existence to determine how long it took to replicate. If the scope was “3 – Scope of KrbTgt in use by specific RODC – Multiple RODCs in the AD Domain” or “4 – Scope of KrbTgt in use by specific RODC – All RODCs in the AD Domain” it would do exactly the same for every individual targeted RODC. If the RODC is not reachable, and/or its replication source RWDC is not reachable, it will the RWDC with the PDC FSMO role as the originating RWDC.

If applicable, the script will list the full path of the LOG file with the exact same information as was displayed on screen, except without the colors.

Figure 21: Presenting The Resulting Information Of The Chosen Mode Of Operation And Scope

–

If you try to reset the password again too early, it will warn you there would be impact involved. The highly recommended action is to STOP and wait at least the time difference is at least higher than the specified “Max TGT Lifetime (Hours)”.

However, because this involves the TEST/BOGUS KrbTgt accounts there is NO IMPACT although it does mention that. It mentions it so that you can see what would happen when using the PROD/REAL KrbTgt accounts!

Figure 22: Presenting A Warning If Impact Is Detected

–

–

MODE 4 – Real Reset Mode – Use KrbTgt PROD/REAL Accounts (Password Will Be Reset Once!)

Here you get to choose the mode you want to executed…

Figure 23: Choosing The Mode Of Operation: “Mode 4 – Simulation Mode – Use KrbTgt PROD/REAL Accounts (Password Will Be Reset Once!)”

–

The script presents information about the AD forest you are in such as the forest functional level (FFL), and all the AD domains detected, if it is the AD forest root domain, its domain functional level (DFL) and if it is the current AD domain. The current AD forest and AD domain are determined based upon the computer you are executing the PowerShell on.

To select an AD domain, you enter the FQDN of the chosen AD domain, or press [ENTER] for the current AD domain. Any AD domain specified is checked to see if it indeed exists in the AD forest.

Then a check is done to see if the account that is executing the PowerShell script either has Domain Admins membership (only if for the current AD domain) or it has Enterprise Admins membership (only if any other AD domain in the AD forest than the current AD domain)

Figure 24: Specifying An AD Domain To Target

–

For the chosen AD domain again all kinds of information is displayed, such as domain functional level (DFL), the RWDC with the PDC FSMO role and a full list of RWDCs and if applicable also a full list of RODCs. For every DC various information is displayed and if any DC is reachable or unreachable. Reachability is determined by checking both port TCP:135 (RPC Endpoint Mapper) and port TCP:389 (LDAP). In case of RODCs it also tried to check if an RODC is a real RODC. For example, there may be software/solutions in your AD that have been configured to mimic an RODC. An example of this are Riverbeds in RODC mode (or whatever it is called nowadays!)

Figure 25: Presenting Information About The Targeted AD Domain

–

Targeting The KrbTgt Account Of Every Individual RODCs In The AD Domain At Once

–

If applicable for the chose mode, you now need to choose the scope of that mode. Although it asks which “KrbTgt Account” to target, it really means which scope the PowerShell should use for the chosen mode of operation. The combination of the choices regarding the mode of operation and if applicable its scope, really determine what will happen!

Figure 26: Choosing The Scope For The Previously Chosen Mode Of Operation

–

If the scope was “4 – Scope of KrbTgt in use by specific RODC – All RODCs in the AD Domain”, for every real RODC it finds it will reset the password of the PROD/REAL KrbTgt account on the RWDC the RODC is using as its AD replication source. Assuming both are reachable only that RWDC and the RODC are checked for its existence to determine how long it took to replicate. If the RODC is not reachable, and/or its replication source RWDC is not reachable, it will the RWDC with the PDC FSMO role as the originating RWDC.

If applicable, the script will list the full path of the LOG file with the exact same information as was displayed on screen, except without the colors.

Figure 27: Presenting The Resulting Information Of The Chosen Mode Of Operation And Scope

–

If you try to reset the password again too early, it will warn you there would be impact involved. The highly recommended action is to STOP and wait at least the time difference is at least higher than the specified “Max TGT Lifetime (Hours)”.

Figure 28: Presenting A Warning If Impact Is Detected

–

Targeting The KrbTgt Account Of The RWDCs In The AD Domain

–

If applicable for the chose mode, you now need to choose the scope of that mode. Although it asks which “KrbTgt Account” to target, it really means which scope the PowerShell should use for the chosen mode of operation. The combination of the choices regarding the mode of operation and if applicable its scope, really determine what will happen!

Figure 29: Choosing The Scope For The Previously Chosen Mode Of Operation

Because, the choice for the scope was “1 – Scope of KrbTgt in use by all RWDCs in the AD domain”, the password of the PROD/REAL KrbTgt account is reset on the RWDC with the PDC FSMO role and then every other reachable RWDC is checked for its existence to determine how long it took to replicate.

If applicable, the script will list the full path of the LOG file with the exact same information as was displayed on screen, except without the colors.

Figure 30: Presenting The Resulting Information Of The Chosen Mode Of Operation And Scope

–

If you try to reset the password again too early, it will warn you there would be impact involved. The highly recommended action is to STOP and wait at least the time difference is at least higher than the specified “Max TGT Lifetime (Hours)”.

Figure 31: Presenting A Warning If Impact Is Detected

–

–

MODE 9 – Cleanup TEST KrbTgt Accounts

Here you get to choose the mode you want to executed…

Figure32: Choosing The Mode Of Operation: “Mode 9 – Cleanup TEST KrbTgt Accounts”

–

The script presents information about the AD forest you are in such as the forest functional level (FFL), and all the AD domains detected, if it is the AD forest root domain, its domain functional level (DFL) and if it is the current AD domain. The current AD forest and AD domain are determined based upon the computer you are executing the PowerShell on.

To select an AD domain, you enter the FQDN of the chosen AD domain, or press [ENTER] for the current AD domain. Any AD domain specified is checked to see if it indeed exists in the AD forest.

Then a check is done to see if the account that is executing the PowerShell script either has Domain Admins membership (only if for the current AD domain) or it has Enterprise Admins membership (only if any other AD domain in the AD forest than the current AD domain)

Figure 33: Specifying An AD Domain To Target

–

For the chosen AD domain again all kinds of information is displayed, such as domain functional level (DFL), the RWDC with the PDC FSMO role and a full list of RWDCs and if applicable also a full list of RODCs. For every DC various information is displayed and if any DC is reachable or unreachable. Reachability is determined by checking both port TCP:135 (RPC Endpoint Mapper) and port TCP:389 (LDAP). In case of RODCs it also tried to check if an RODC is a real RODC. For example, there may be software/solutions in your AD that have been configured to mimic an RODC. An example of this are Riverbeds in RODC mode (or whatever it is called nowadays!)

Figure 34: Presenting Information About The Targeted AD Domain

–

If the mode of operation was to delete/cleanup TEST/BOGUS KrbTgt accounts, it will the determine the name of the KrbTgt account for RWDCs (being KRBTGT, duh!) and if applicable and real RODCs exist in the AD domain it will determine the name of the KrbTgt account for every individual RODC (being KRBTGT_<number>) by reading the forward link value from the RODC computer account. Either way, after determining the value for the KrbTgt account name, it adds “_TEST” to the name and deletes the KrbTgt accounts that end with “_TEST”. The PROD/REAL are NOT deleted!. However, it does check if the TEST/BOGUS KrbTgt accounts do exist to be able to delete. If it exists, it will delete that account and if it does not exist it will do nothing!

If applicable, the script will list the full path of the LOG file with the exact same information as was displayed on screen, except without the colors.

Figure 35: Presenting The Resulting Information Of The Chosen Mode Of Operation And Scope

–

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-