Isolate a DC - Part 9: Reset Intraforest trust passwords

This is Part 9 of a series on Active Directory Forest recovery; trust no-one, or at least no peer domains.

Reset Intraforest trust passwords

To avoid accidentally permitting cross-domain authentication with a Domain Controller in a peer domain that hasn't been restored yet, we reset the intra-forest trust passwords to a common value on both sides of every trust. A trust password is a shared secret held by the trusted domain object (TDO) in each of the two domains, and the inter-realm Kerberos key is derived from it, so the reset has to be run in each domain with the same value. Once that is done, the restored domains all share the same secret and can authenticate to each other, while a DC that still holds the old password cannot. Replace the example secret in the call below with something actually secret before running this command.

# Requires the ActiveDirectory RSAT module and Domain Admin rights in the local domain.
Import-Module ActiveDirectory

function Reset-IntraForestTrustPasswords{
    [CmdletBinding(
    SupportsShouldProcess = $true,
    ConfirmImpact = 'High')]
    param(
        # The new shared secret; the same value must be used on the other side of each trust.
        [parameter(Mandatory=$true)]
        [String]$trustSharedSecret)
    # Only the trusts to other domains in this forest (parent/child, tree-root, shortcut).
    $trusts = @(get-adtrust -filter {intraforest -eq $true})
    if ($trusts.Count -eq 0) { Write-Warning "No intra-forest trusts found in this domain"; return }
    $localdomain = [system.directoryservices.activedirectory.domain]::GetCurrentDomain()
    Write-Warning "Resetting the Intra-forest Trust passwords will break the Intraforest trusts, the same password must be used to reset the password on the other side to restore trust connectivity"
    $trusts.name | %{
        if ($pscmdlet.ShouldProcess($_)){
            # Updates only this domain's side of the trust (its TDO); run again in the partner domain.
            $localdomain.UpdateLocalSideOfTrustRelationship($_,$trustSharedSecret)
        }
    }
}

Reset-IntraForestTrustPasswords -trustSharedSecret "OhWhatASecretySecretThisIs!Somuchsecret"
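Two things the function above leaves to you are where the shared secret comes from and how you confirm the trusts are back once both sides have been reset. The following is an added example, not code from the original post: `New-TrustSharedSecret` draws the secret from the .NET CSPRNG (rather than a hard-coded string or `Get-Random`) so that one value can be generated and carried to the partner domain, and `Test-IntraForestTrusts` calls `Domain.VerifyOutboundTrustRelationship` for every intra-forest trust of the local domain and reports which ones still fail. Both function names are my own; the example assumes the ActiveDirectory RSAT module and Domain Admin rights in the domain it is run in.

```powershell
Import-Module ActiveDirectory

function New-TrustSharedSecret {
    # Generate the shared secret once, from a CSPRNG, so the same value can be
    # carried to the partner domain and entered there. Get-Random is not suitable here.
    param([int]$Bytes = 32)
    $buffer = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buffer)
    $rng.Dispose()
    # Base64 keeps the secret printable and safe to paste inside double quotes.
    return [Convert]::ToBase64String($buffer)
}

function Test-IntraForestTrusts {
    # Run this in each domain after BOTH sides of every trust have been reset.
    [CmdletBinding()]
    param()
    $localDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($trust in @(Get-ADTrust -Filter { IntraForest -eq $true })) {
        $status = [pscustomobject]@{
            LocalDomain  = $localDomain.Name
            TrustPartner = $trust.Name      # Get-ADTrust's Name is the partner domain
            Verified     = $false
            Error        = $null
        }
        try {
            # Throws when the outbound secure channel to the partner cannot be
            # established, which is what you see while the two sides still hold
            # different passwords. Intra-forest trusts are two-way, so running this
            # in every domain verifies both directions of every trust.
            $localDomain.VerifyOutboundTrustRelationship($trust.Name)
            $status.Verified = $true
        } catch {
            $status.Error = $_.Exception.Message
        }
        $status
    }
}

# Typical flow (interactive, one domain at a time):
#   1. In the first domain:      $secret = New-TrustSharedSecret ; $secret   (record it securely)
#   2. Reset-IntraForestTrustPasswords -trustSharedSecret $secret
#   3. In each partner domain:   repeat step 2 with the same $secret
#   4. Then in every domain:     Test-IntraForestTrusts | Format-Table -AutoSize
```

Expect `Verified` to be `$false` with a logon-failure style error on every trust until the partner domain has been reset with the same value; once both sides match, each row should come back `$true`. The secret has now been displayed on the console, so clear the PowerShell history (and any transcript) on each DC you typed it into.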

All the other parts of this series are available here