Isolate a DC - Part 10: Reset KrbTGT password twice
This is Part 10 of a series on Active Directory Forest recovery: a new KrbTGT password for your domain.
Reset KrbTGT password twice
And finally, just in case someone still has a ticket lying around waiting to be used on your restored domain, sort that right out and update your KrbTGT password.
```powershell
#Requires -Modules ActiveDirectory
function Reset-KrbtgtPasswordTwice {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    # Build a long random password; nobody ever types the KrbTGT password,
    # so all that matters is that the value changes on every reset.
    $targetPassword = ConvertTo-SecureString "!7Dm$(Get-Random -Minimum 10000000000000000 -Maximum 1000000000000000000)$(Get-Random -Minimum 10000000000000000 -Maximum 1000000000000000000)#*&" -AsPlainText -Force

    Write-Warning "Resetting the KRBTGT password twice without allowing replication of the update may result in Domain Controllers that cannot replicate if they have temporarily lost connectivity. Proceed with caution."

    # Look the account up once and reuse its DN for both resets
    $krbtgtDn = (Get-ADUser -Identity krbtgt).DistinguishedName
    if ($PSCmdlet.ShouldProcess($krbtgtDn)) {
        # DCs still honour tickets encrypted under the previous KrbTGT key, so a
        # second reset is what pushes the original key out of use.
        Set-ADAccountPassword -Identity $krbtgtDn -Reset -NewPassword $targetPassword
        Set-ADAccountPassword -Identity $krbtgtDn -Reset -NewPassword $targetPassword
    }
}

Reset-KrbtgtPasswordTwice
```
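As an added example (not code from the original post), here is a verification step to run around the reset: capture the krbtgt account's key version number (the real AD attribute msDS-KeyVersionNumber) and PasswordLastSet beforehand, then confirm afterwards that the version advanced by exactly two, which is what shows both resets actually landed on the DC you are restoring. The function names Get-KrbtgtKeyState and Test-KrbtgtDoubleReset and their parameters are this example's own.

```powershell
#Requires -Modules ActiveDirectory

function Get-KrbtgtKeyState {
    [CmdletBinding()]
    param(
        # Domain controller to query; omit to let the AD module pick one
        [string]$Server
    )
    $params = @{
        Identity   = 'krbtgt'
        Properties = 'msDS-KeyVersionNumber', 'PasswordLastSet'
    }
    if ($Server) { $params['Server'] = $Server }
    $krbtgt = Get-ADUser @params
    # Snapshot of the key version and timestamp, taken before or after the reset
    [pscustomobject]@{
        Kvno            = [int]$krbtgt.'msDS-KeyVersionNumber'
        PasswordLastSet = $krbtgt.PasswordLastSet
        Queried         = Get-Date
    }
}

function Test-KrbtgtDoubleReset {
    [CmdletBinding()]
    param(
        # Output of Get-KrbtgtKeyState captured before running the reset
        [Parameter(Mandatory)]$Before,
        [string]$Server
    )
    $after = Get-KrbtgtKeyState -Server $Server
    $delta = $after.Kvno - $Before.Kvno
    [pscustomobject]@{
        KvnoBefore      = $Before.Kvno
        KvnoAfter       = $after.Kvno
        KvnoDelta       = $delta
        PasswordLastSet = $after.PasswordLastSet
        # Each password reset bumps the key version by one, so two resets must
        # show a delta of exactly 2; anything else means a reset did not land
        # or the query hit a DC holding a stale copy of the account.
        TwiceReset      = ($delta -eq 2 -and $after.PasswordLastSet -gt $Before.PasswordLastSet)
    }
}

# Usage, wrapped around the post's own function:
# $before = Get-KrbtgtKeyState
# Reset-KrbtgtPasswordTwice
# Test-KrbtgtDoubleReset -Before $before
```

Run the check against the isolated DC itself (pass its name with -Server); in a forest recovery there is only one writable copy of the account at this point, so a delta other than 2 is a real problem rather than a replication lag.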
All the other parts of this series are available here
- Part 1: Configure the Network
- Part 2: Reset SYSVOL Sync State
- Part 3: Activate Administrator Account
- Part 4: Reset DSRM Password
- Part 5: Disable Global Catalog
- Part 6: Raise RID Pools
- Part 7: Seize all FSMO roles
- Part 8: Metadata cleanup all other DCs
- Part 9: Reset Intra-Forest trust passwords
- Part 10: Reset KrbTGT password twice