I have found a few articles about this, but I'm still wondering a few things about the process. I'd really appreciate it if someone can help.
I have tested the script provided by Microsoft and successfully reset the password for the first time. Then, 30 minutes later, I continued with the second reset. But I noticed this error:
Checking if all tickets based on the previous (N-1) krbtgt key have expired...failed
May I know what this error means? Is it safe enough to proceed with the second reset if this error appears? In my test environment I just proceeded and didn't see any issue, but I'm unsure whether it is safe or not for production. From the script I also found another piece of info:
Kerberos maximum lifetime for user ticket (TGT lifetime): 10 hours.
Does it mean we need to wait 10 hours before proceeding with the second reset? I'm a bit confused about this because most articles mention that we just need to ensure replication has completed to all DCs (for the first reset), then proceed with the second reset.
2. For another method, can I do the first reset today, for example, and the second reset the next day to ensure the first reset has successfully replicated to all DCs? Any issue with that approach? I plan to do a manual reset (without using the script) and do the first and second resets on different days.
3. What will actually happen to end users if this process goes wrong? For example, if I reset the second password without waiting for the first password to be completely replicated to all DCs. Will users be unable to authenticate to the DC? Or does it just impact DC replication? How do I fix this? Do those problematic DCs require demotion and re-promotion?
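The two conditions the question is asking about (has the first krbtgt reset replicated to every DC, and has the maximum TGT lifetime elapsed since it) can both be read directly from Active Directory. The PowerShell below is an added example, not the Microsoft script from the post: it queries each DC for the krbtgt account's pwdLastSet, compares the values, and reports whether the N-1 key is old enough that tickets issued under it must have expired. It assumes the ActiveDirectory module, a domain-joined host with rights to read the krbtgt object on every DC, and that the 10-hour TGT lifetime reported above is the domain's actual Kerberos policy value (pass a different `-MaxTgtLifetimeHours` if yours differs). `Get-KrbtgtResetReadiness` is a name chosen for this example.

```powershell
# Added example (not the Microsoft New-KrbtgtKeys script). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-KrbtgtResetReadiness {
    param(
        # Assumed: taken from the domain Kerberos policy; the post reports 10 hours.
        [int]$MaxTgtLifetimeHours = 10,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    # Ask every DC in the domain for its own copy of the krbtgt pwdLastSet value.
    $dcs = Get-ADDomainController -Filter * -Server $Domain
    $results = foreach ($dc in $dcs) {
        try {
            $k = Get-ADUser -Identity krbtgt -Server $dc.HostName `
                            -Properties pwdLastSet -ErrorAction Stop
            [pscustomobject]@{
                DC         = $dc.HostName
                PwdLastSet = [DateTime]::FromFileTimeUtc($k.pwdLastSet)
                Reachable  = $true
            }
        } catch {
            # An unreachable DC cannot be confirmed as replicated; treat it as blocking.
            [pscustomobject]@{ DC = $dc.HostName; PwdLastSet = $null; Reachable = $false }
        }
    }

    $reachable   = @($results | Where-Object { $_.Reachable })
    $unreachable = @($results | Where-Object { -not $_.Reachable })

    # pwdLastSet is a replicated attribute: once the first reset has converged,
    # every DC reports the same timestamp.
    $distinct   = @($reachable.PwdLastSet | Sort-Object -Unique)
    $replicated = ($distinct.Count -eq 1) -and ($unreachable.Count -eq 0)

    # Tickets issued under the previous (N-1) key can live at most MaxTgtLifetimeHours
    # after the newest reset, so only after that window have they all expired.
    $newest = ($reachable.PwdLastSet | Measure-Object -Maximum).Maximum
    $age    = (Get-Date).ToUniversalTime() - $newest
    $ticketsExpired = $age.TotalHours -ge $MaxTgtLifetimeHours

    [pscustomobject]@{
        PerDC                 = $results
        ReplicatedToAllDCs    = $replicated
        UnreachableDCs        = $unreachable.DC
        HoursSinceLastReset   = [math]::Round($age.TotalHours, 2)
        PreviousKeyTicketsGone = $ticketsExpired
        SafeForSecondReset    = $replicated -and $ticketsExpired
    }
}

# Usage: print the per-DC view, then the overall verdict.
$readiness = Get-KrbtgtResetReadiness -MaxTgtLifetimeHours 10
$readiness.PerDC | Format-Table -AutoSize
$readiness | Select-Object ReplicatedToAllDCs, UnreachableDCs, HoursSinceLastReset,
                           PreviousKeyTicketsGone, SafeForSecondReset | Format-List
```

Running this before the second reset separates the two conditions the question conflates: `ReplicatedToAllDCs` is the replication check most articles describe, while `PreviousKeyTicketsGone` is what the "previous (N-1) krbtgt key" message in the Microsoft script is reporting on. Doing the second reset on the next day, as proposed in question 2, satisfies both for a 10-hour TGT lifetime, provided every DC is reachable and shows the same pwdLastSet.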