0 Votes
JoeAdmin-9326 asked SimplyHappy21 commented

Resetting the Krbtgt Account Password in a Domain - which PowerShell Script to Use?

Hello All,

I have 2 questions related to resetting the Krbtgt account password in a Domain, of which there are 2 main PS scripts (as you know) out on TechNet & GitHub - "New-CtmADKrbtgtKeys.ps1" & "Reset-KrbTgt-Password-for-RWDCS-And-RODCS.ps1 (now shown on GitHub as Reset-KerberosServiceV2.ps1)". These are both authored & enhanced by Jared Poeppelman (Microsoft) & Jorge de Almeida Pinto (MCC & MVP):

1) Although I'm leaning towards using the "Reset-KerberosServiceV2.ps1" script in my Domain, its v2.5 was updated on 2020-02-17, while the "New-CtmADKrbtgtKeys.ps1" script was updated on 2020-05-14. Since both Jared & Jorge seem to be involved in the writing/updating of both scripts, which one is the latest & "better" one to use? I apologize in advance for not being a PS expert, so I can't effectively extrapolate the contents of the 2 scripts for a successful comparison. I'm looking for an explanation as to the differences, & which script is the recommended one to use.

2) We'll be running this script in our On-Prem Domain (Hybrid w/ Azure), which is a School District. Of course, due to Covid, most of the students & teachers are remote teaching/learning from home. Some teachers use VPN, but none of the students do - most have not been on the Local Domain since April. Is it recommended & safe to change the Kerberos account password on our On-Prem Domain Controllers while most users are off-site? We do not want to cause any potential issues that may impact users while they are off-site, as well as when they return on-site.

Any & all recommendations would be most appreciated - thank you!

Tags: windows-server-powershell, windows-active-directory, windows-server-security, azure-ad-domain-services

Wanted to point out that under "Behavior:" the script header says:
- In this script a DC is reachable/available, if its name is resolvable and connectivity is possible for all of the following ports:
TCP:135 (Endpoint Mapper), TCP:389 (LDAP) and TCP:9839 (AD Web Services)

The port for ADWS is incorrect here; it should read 9389. The actual check on line 3115 of the script is correct though. Couldn't figure out why all my domain controllers were reachable except one, but then realized they were all unreachable over 9839, so something was not right. For someone who might get stuck here, just worth noting if a v3 of the script ever comes out :)

Thank you for all of your time pulling this together.

0 Votes 0 ·

Hi,

What is the issue here? Just a textual typo? Or something else?

Best regards,
Jorge

0 Votes 0 ·
2 Votes
JorgeDeAlmeidaPinto answered 81238559 commented

Hi,

To be clear on a few things:
Jared wrote the v1 script.
Based upon the v1 script, I rewrote the script, added tons of features, and that is how v2 was born. BUT the so-called v2 by MSFT was written by me and is already outdated, as on my own GitHub I have the latest version published (https://github.com/zjorz/Public-AD-Scripts). This version was published there before Jared "copied" mine from Script Gallery to MSFT GitHub. It is a bit weird what happened, as MSFT moved "my script" and notified me afterwards.

My script also supports RODCs and has multiple TEST modes to help you get an impression of things without impacting your environment.

I have had a few requests to automate the script. I declined that request as I do not believe you should automate this, as things can go wrong for multiple environmental reasons. It contains multiple safety measures to make sure things do not go wrong. Automation means even more complexity.

Best regards,
Jorge


@JoeAdmin-9326
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?


If any reply/answer helped resolve your question, please remember to "mark as answer" so that others in the community facing similar issues can easily find the solution.

0 Votes 0 ·

Thanks for a great script!

It is to my knowledge allowed to fork, clone or copy code under GNU3, as long as they keep the license and names of the authors in it.
But I don't think they're allowed to slap an MIT license on it.
I thought the MIT license allows the code to be used in commercial closed-source applications, while GNU tries to maintain "copyleft".

I think, however, it would be easier for people to trust code (that is so long to read through and performs such a critical task) if it is published under Microsoft's organization on GitHub.
My suggestion is to make a pull request to their repo, and maybe also include the original license, if you want as many people as possible to benefit from your excellent work.

Best Regards

Niklas

0 Votes 0 ·
1 Vote
Thameur-BOURBITA answered

Hi,

which one is the latest & "better" one to use?

Both scripts do the same work (reset the krbtgt account).
I recommend you test them in your test environment before running them in your production environment.

Is it recommended & safe to change the Kerberos account password on our On-Prem Domain Controllers while most users are off-site?

The krbtgt password must be changed twice, at least one time per year.
When you change the password the first time, wait at least 1 or 2 weekends in order to ensure that the new password is replicated to all domain controllers in the domain.


Please don't forget to mark this reply as answer if it helps to fix your issue.
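As an added example (not code from the thread or from either reset script), the following PowerShell ties together two checks raised above: the per-DC reachability test over TCP 135, 389 and 9389 that the script's header describes, and the "has the new key replicated to every DC" check behind the advice to wait before the second reset. It assumes the ActiveDirectory RSAT module and Test-NetConnection are available and that the caller can read the krbtgt object from every DC; the output property names are my own.

```powershell
# Added example, not code from the thread or from either reset script.
# Assumes the ActiveDirectory RSAT module and Test-NetConnection (NetTCPIP) are available,
# and that the account running it can read the krbtgt object from every DC.
Import-Module ActiveDirectory

# The three ports the script's header uses to decide whether a DC is "reachable".
$ports = @{ 135 = 'Endpoint Mapper'; 389 = 'LDAP'; 9389 = 'AD Web Services' }

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $closed = foreach ($p in $ports.Keys) {
        $tcp = Test-NetConnection -ComputerName $dc.HostName -Port $p -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) { "$p ($($ports[$p]))" }
    }
    $reachable  = (-not $closed)
    $pwdLastSet = $null
    $note       = ''
    if ($reachable) {
        # Ask each DC for its own copy of the attribute so that a DC that has not yet
        # received the new key through replication shows an older timestamp.
        try {
            $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet
            $pwdLastSet = [DateTime]::FromFileTimeUtc($k.pwdLastSet)
        } catch {
            $reachable = $false
            $note = "krbtgt query failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        DC                  = $dc.HostName
        IsRODC              = $dc.IsReadOnly
        Reachable           = $reachable
        ClosedPorts         = ($closed -join ', ')
        KrbtgtPwdLastSetUtc = $pwdLastSet
        Note                = $note
    }
}

$report | Format-Table -AutoSize

# Writable DCs must all report the same pwdLastSet before the second reset is safe.
# RODCs are listed for completeness but excluded here: they never hold the domain
# krbtgt secret and use their own per-RODC krbtgt accounts.
$stamps = @($report | Where-Object { $_.Reachable -and -not $_.IsRODC } |
            Select-Object -ExpandProperty KrbtgtPwdLastSetUtc | Sort-Object -Unique)
if ($stamps.Count -eq 1) {
    "krbtgt pwdLastSet is consistent on all reachable writable DCs: $($stamps[0].ToString('u'))"
} else {
    "krbtgt pwdLastSet differs across DCs (or no DC answered); wait for replication: $($stamps -join ', ')"
}
```

Run it once before the first reset (every writable DC should be reachable) and again before the second reset (every writable DC should show the same, new pwdLastSet).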


1 Vote
JoeAdmin-9326 answered SimplyHappy21 commented

Thanks to everyone for chiming in. Reset the password for the Kerberos krbtgt account in our Domain this morning, after Mode 1 & 2 passed all tests. Will be changing it a 2nd time after the default 10 hr max ticket renewal lifetime (later this week). Thanks again!


Hi Joe, were you able to reset it the second time?

Did you have any VPN users affected in all the process?

I am also in the same situation that you were.

0 Votes 0 ·
0 Votes
AlexWong-1435 answered AlexWong-1435 published

@JoeAdmin-9326 Did you manage to change it a 2nd time successfully without any issues?
