Isolate a DC - Part 10: Reset KrbTGT password twice

This is Part 10 of a series on Active Directory Forest recovery: a new KrbTGT password for your domain.

Reset KrbTGT password twice

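And finally, just in case someone still has a ticket lying around waiting to be used on your restored domain, sort that right out and update your KrbTGT password. It has to be done twice because the domain keeps both the current and the previous KrbTGT password, so a ticket issued under the old key stays usable until both have been replaced.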

function Reset-KrbtgtPasswordTwice {
    [CmdletBinding(
        SupportsShouldProcess = $true,
        ConfirmImpact = 'High')]
    param()

    # Requires the ActiveDirectory module (RSAT) and rights to reset krbtgt.
    Import-Module ActiveDirectory -ErrorAction Stop

    # Throwaway random password; the same value is used for both resets.
    $targetPassword = (ConvertTo-SecureString "!7Dm$(Get-Random -Minimum 10000000000000000 -Maximum 1000000000000000000)$(Get-Random -Minimum 10000000000000000 -Maximum 1000000000000000000)#*&" -AsPlainText -Force)
    Write-Warning "Resetting the KRBTGT password twice without allowing replication of the update may result in Domain Controllers that cannot replicate if they have temporarily lost connectivity. Proceed with caution."

    # Look up krbtgt once and reuse its distinguished name.
    $krbtgtDN = (Get-ADUser krbtgt).DistinguishedName
    if ($PSCmdlet.ShouldProcess($krbtgtDN)) {
        # Two consecutive resets replace both the current and the previous krbtgt key.
        Set-ADAccountPassword -Identity $krbtgtDN -Reset -NewPassword $targetPassword
        Set-ADAccountPassword -Identity $krbtgtDN -Reset -NewPassword $targetPassword
    }
}

Reset-KrbtgtPasswordTwice
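To confirm that both resets actually registered, the check below compares the krbtgt key version before and after running Reset-KrbtgtPasswordTwice. It is an added example, not part of the original script: Get-KrbtgtKeyState and Test-KrbtgtResetTwice are hypothetical helper names, the sample objects at the end are constructed, and it relies on msDS-KeyVersionNumber increasing by one per password change.

```powershell
function Get-KrbtgtKeyState {
    # Snapshot of the krbtgt key version and last password change on one DC.
    # Needs the ActiveDirectory module; -Server defaults to the local machine.
    param([string]$Server = $env:COMPUTERNAME)
    $k = Get-ADUser -Identity krbtgt -Server $Server -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
    [pscustomobject]@{
        Server          = $Server
        KeyVersion      = [int]$k.'msDS-KeyVersionNumber'
        PasswordLastSet = $k.PasswordLastSet
    }
}

function Test-KrbtgtResetTwice {
    # True only if the key version advanced by at least two and the password
    # change time moved forward, i.e. current and previous keys are both new.
    param(
        [Parameter(Mandatory)]$Before,
        [Parameter(Mandatory)]$After
    )
    $delta = $After.KeyVersion - $Before.KeyVersion
    $moved = $After.PasswordLastSet -gt $Before.PasswordLastSet
    if ($delta -lt 2) { Write-Warning "Key version advanced by $delta on $($After.Server); expected 2 or more." }
    if (-not $moved)  { Write-Warning "PasswordLastSet did not move forward on $($After.Server)." }
    return ($delta -ge 2 -and $moved)
}

# On the isolated DC:
#   $before = Get-KrbtgtKeyState
#   Reset-KrbtgtPasswordTwice
#   $after  = Get-KrbtgtKeyState
#   Test-KrbtgtResetTwice -Before $before -After $after

# Constructed sample values, so the comparison logic can be tried without a DC.
$before = [pscustomobject]@{ Server = 'DC01'; KeyVersion = 7; PasswordLastSet = [datetime]'2024-01-10T09:00:00' }
$once   = [pscustomobject]@{ Server = 'DC01'; KeyVersion = 8; PasswordLastSet = [datetime]'2024-03-02T14:05:00' }
$twice  = [pscustomobject]@{ Server = 'DC01'; KeyVersion = 9; PasswordLastSet = [datetime]'2024-03-02T14:05:01' }
Test-KrbtgtResetTwice -Before $before -After $once    # only one reset registered
Test-KrbtgtResetTwice -Before $before -After $twice   # both resets registered
```

Take the "before" snapshot prior to running the reset; a failed check means at least one of the two Set-ADAccountPassword calls did not take effect on that DC.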

All the other parts of this series are available here