
new-krbtgtkeys.ps1's Introduction

Development of this project has come to an end. It was being maintained by a few dedicated engineers from Microsoft outside of their normal work assignments in their spare time. With changing roles and responsibilities, they have moved on to other projects and no longer are able to maintain this code.

The repo will be archived at some time in the future, date to be determined. The code at the time of archiving, while functional, did not handle retired DCs that were offline but had not been completely removed from Active Directory: the script generates an error because it cannot reach the offline DC. Newer versions of the script that are published elsewhere reportedly address this issue. The offline DC should be removed from AD using ntdsutil; see these articles for guidance:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup

https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

The good news is that other coders have picked up maintenance of this code. Some of the other resources you can check are:

https://gist.github.com/mubix/fd0c89ec021f70023695

https://github.com/zjorz/Public-AD-Scripts/blob/5666e5fcafd933c3288a47944cd6fb289dde54a1/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1

You can also check the Forks of this repo to see other versions.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

new-krbtgtkeys.ps1's People

Contributors

cchapin-ms, microsoftopensource


new-krbtgtkeys.ps1's Issues

Setting the new password for [CN=krbtgt,CN=Users,DC=<domain>,DC=local] FAILED on RWDC [DC.<domain>.local]!...

We are having issues resetting the krbtgt user with this script.

The error is:
Setting the new password for [CN=krbtgt,CN=Users,DC=,DC=local] FAILED on RWDC [DC..local]!...

DC is a Windows Server 2019
DC02 is a Windows Server 2012 R2
The domain was created in 'German' and is at the 2012 functional level.

We've rebooted both servers with no success.


------------------------------------------------------------------------------------------------------------------------------------------------------
[2021-03-11 08:33:39] : TESTING IF REQUIRED PERMISSIONS ARE AVAILABLE (DOMAIN/ENTERPRISE ADMINS OR ADMINISTRATORS CREDENTIALS)...
[2021-03-11 08:33:39] : 
[2021-03-11 08:33:39] : The user account '<domain>\administrator' is running with Domain Administrator equivalent permissions in the AD Domain '<domain>.local'!...
[2021-03-11 08:33:39] : The user account '<domain>\administrator' is a member of '<domain>\Domänen-Admins'!...
[2021-03-11 08:33:39] : 
[2021-03-11 08:33:39] : Continuing Script...
[2021-03-11 08:33:39] : 
[2021-03-11 08:33:39] : 
------------------------------------------------------------------------------------------------------------------------------------------------------
[2021-03-11 08:33:39] : GATHERING TARGETED AD DOMAIN INFORMATION...
[2021-03-11 08:33:39] : 
[2021-03-11 08:33:47] : Domain FQDN...........................: '<domain>.local'
[2021-03-11 08:33:47] : Domain Functional Mode................: 'Windows2012R2Domain'
[2021-03-11 08:33:47] : Domain Functional Mode Level..........: '6'
[2021-03-11 08:33:47] : FQDN RWDC With PDC FSMO...............: 'DC.<domain>.local'
[2021-03-11 08:33:47] : DSA RWDC With PDC FSMO................: 'CN=NTDS Settings,CN=DC,CN=Servers,CN=<SITE>,CN=Sites,CN=Configuration,DC=<domain>,DC=local'
[2021-03-11 08:33:47] : Max TGT Lifetime (Hours)..............: '10'
[2021-03-11 08:33:47] : Max Clock Skew (Minutes)..............: '5'
[2021-03-11 08:33:47] : TGT Lifetime/Clock Skew Sourced From..: 'Default Domain GPO'
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : Checking Domain Functional Mode of targeted AD domain '<domain>.local' is high enough...
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : The specified AD domain '<domain>.local' has a Domain Functional Mode of 'Windows2008Domain (3)' or higher!...
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : Continuing Script...
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : ------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------
[2021-03-11 08:33:47] : GATHERING DOMAIN CONTROLLER INFORMATION AND TESTING CONNECTIVITY...
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : List Of Domain Controllers In AD Domains '<domain>.local'...
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : 
Host Name                 PDC Site Name DS Type    Krb Tgt Pwd Last Set        Org RWDC                Org Time               Ver IP Address    OS Version                        Reachable Source RWDC FQDN      Source RWDC DSA              
---------                 --- --------- -------    ------- ------------        --------                --------               --- ----------    ----------                        --------- ----------------      ---------------              
DC.<domain>.local    True <SITE>  Read/Write krbtgt  2011-12-01 16:35:23 DC02.<domain>.local 2019-09-13 12:29:32 100003 <IP1> Windows Server 2019 Standard           True N.A.                  N.A.                         
DC02.<domain>.local False <SITE>  Read/Write krbtgt  2011-12-01 16:35:23 DC02.<domain>.local 2019-09-13 12:29:32 100003 <IP2> Windows Server 2012 R2 Datacenter      True DC.<domain>.local CN=NTDS Settings,CN=DC...
------------------------------------------------------------------------------------------------------------------------------------------------------
[2021-03-11 08:34:00] : REAL RESET MODE (MODE 4) - RESETTING PASSWORD OF SCOPED KRBTGT ACCOUNT(S) (1 - Scope of KrbTgt in use by all RWDCs in the AD Domain...)
[2021-03-11 08:34:00] : 
[2021-03-11 08:34:00] : Do you really want to continue and execute 'Mode 4'? [CONTINUE | STOP]: 
[2021-03-11 08:34:08] : 
[2021-03-11 08:34:08] :   --> Chosen: Continue
[2021-03-11 08:34:08] : 
[2021-03-11 08:34:08] : +++++
[2021-03-11 08:34:08] : +++ Processing KrbTgt Account....: 'krbtgt' | 'CN=krbtgt,CN=Users,DC=<domain>,DC=local' +++
[2021-03-11 08:34:08] : +++ Used By RWDC.................: 'All RWDCs' +++
[2021-03-11 08:34:08] : +++++
[2021-03-11 08:34:08] : 
[2021-03-11 08:34:08] :   --> RWDC To Reset Password On.............: 'DC.<domain>.local'
[2021-03-11 08:34:08] :   --> sAMAccountName Of KrbTgt Account......: 'krbtgt'
[2021-03-11 08:34:08] :   --> Distinguished Name Of KrbTgt Account..: 'CN=krbtgt,CN=Users,DC=<domain>,DC=local'
[2021-03-11 08:34:08] :   --> Number Of Chars For Pwd Generation....: '64'
[2021-03-11 08:36:08] : 
[2021-03-11 08:36:08] :   --> Setting the new password for [CN=krbtgt,CN=Users,DC=<domain>,DC=local] FAILED on RWDC [DC.<domain>.local]!...
[2021-03-11 08:36:08] : 
[2021-03-11 08:36:08] : 
[2021-03-11 08:36:09] :   --> Previous Password Set Date/Time.......: '2011-12-01 16:35:23'
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   --> Previous Originating RWDC.............: 'DC02.<domain>.local'
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   --> Previous Originating Time.............: '2019-09-13 12:29:32'
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   --> Previous Version Of Attribute Value...: '100003'
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   =================================================================== CHECK 1 ===================================================================
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   - Contacting DC in AD domain ...[DC.<domain>.local]...(SOURCE RWDC)
[2021-03-11 08:36:09] :      * DC is Reachable...
[2021-03-11 08:36:09] :      * The new password for Object [CN=krbtgt,CN=Users,DC=<domain>,DC=local] exists in the AD database
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   - Contacting DC in AD domain ...[DC02.<domain>.local]...
[2021-03-11 08:36:09] :      * DC is Reachable...
[2021-03-11 08:36:09] :      * The new password for Object [CN=krbtgt,CN=Users,DC=<domain>,DC=local] now does exist in the AD database
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   --> Start Time......: 2021-03-11 08:36:09
[2021-03-11 08:36:09] :   --> End Time........: 2021-03-11 08:36:09
[2021-03-11 08:36:09] :   --> Duration........: 0,33 Seconds
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] : List Of DCs In AD Domain '<domain>.local' And Their Timing...
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] : 
Host Name                 PDC Site Name DS Type    IP Address    Reachable Source RWDC FQDN      Time
---------                 --- --------- -------    ----------    --------- ----------------      ----
DC.<domain>.local    	  True <SITE>  Read/Write  <IP1>         True	 N.A.                    0
DC02.<domain>.local       False <SITE> Read/Write  <IP2>         True	 DC.<domain>.local 	 0,33

"Cannot Index Into a null array" new.krbtgtkeys.ps1:2277 char:5

I have multiple forests, one with multiple child domains. The script runs fine in all but one of the child domains in the multi-domain forest.

The error appears under "Gathering Domain Controller Information And Testing Connectivity", but before "List of Domain Controllers In AD Domains ''..."

Line 2277 is referenced, which is:
$metadataObjectAttribPwdLastSetOrgRWDCFQDN = $orgRWDCServerObjectObj.dnshostname[0]

The DFL is 'Windows2008Domain(3)'
All DCs are Windows 2016 Core (going to up the DFL soon)
The domain in question

  • has 6 DCs. 2 each @ 3 AD sites. We have the same spread of DCs (same OS) with 2 other domains.
  • a child domain without this issue. The child domain only has 2 DCs and both are at one of the same AD sites as its parent.
  • I transferred the PDCe to the neighbor of the original PDCe ... same outcome.
  • The list of DCs is complete under "List of DCs in AD Domain"

Here's the screenshot:

[screenshot: krbtgtPR-Error_CtxDomain]

Undoubtedly someone at some time has felt it wise to reconfigure (not the first time in this env) and/or there's some kind of corruption. During the previous round of KRBTGT password reset 5 months ago, we actually had MS on the phone on a different AD item and they briefly tried to assist but couldn't see what was wrong at that time.

I'm going to see if I can slap in some output to console leading up to the point of failure (on a good and bad) and determine where things go south, but I'm curious for feedback if someone has already encountered this.

Thanks in advance!
SJR

Automation / Scheduled Task

Is there a way to make this script something that could be run in an automated format without user interaction on a regular basis?

test for temporary canary object always evaluates to true when running in mode 2

When running the script in mode 2, the statement on line 785 will always evaluate to $true because both $objectOnTargetDCPwdLastSet and $objectOnSourceOrgRWDCPwdLastSet are uninitialized in this mode and are therefore both equal to $null.
https://github.com/microsoft/New-KrbtgtKeys.ps1/blob/aaa1b322f3dd4478f733a01b37dd221c8ff1f8c0/New-KrbtgtKeys.ps1#L785

The statement should evaluate to $false when $targetObjectToCheck is $null because it would mean that, for example, Get-ADObject on lines 755 or 758 failed for some reason.
https://github.com/microsoft/New-KrbtgtKeys.ps1/blob/aaa1b322f3dd4478f733a01b37dd221c8ff1f8c0/New-KrbtgtKeys.ps1#L755
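The null-comparison pitfall described in this issue, as an added example that is not code from the New-KrbtgtKeys.ps1 repository. Test-ObjectConverged and its parameter names are assumptions, and the sample objects are constructed stand-ins for Get-ADObject results; the point is that a convergence check must treat "object not read" as a failure instead of letting "$null -eq $null" pass.

```powershell
# Added example, not from the repository. Function and parameter names are assumptions.
function Test-ObjectConverged {
    param(
        $TargetObject,      # object as read from the DC being checked ($null if the lookup failed)
        $TargetPwdLastSet,  # pwdLastSet read on that DC (only populated in password-reset modes)
        $SourcePwdLastSet   # pwdLastSet read on the source RWDC (only populated in password-reset modes)
    )

    # The naive test: in a mode where neither pwdLastSet value is populated, both
    # sides are $null and "$null -eq $null" is $true, whatever actually happened.
    $naive = ($TargetPwdLastSet -eq $SourcePwdLastSet)

    # Hardened test: the object must have been read from the target DC at all.
    if ($null -eq $TargetObject) {
        $converged = $false
    }
    elseif ($null -eq $SourcePwdLastSet -and $null -eq $TargetPwdLastSet) {
        # Canary mode: existence of the object on the target DC is the criterion.
        $converged = $true
    }
    elseif ($null -eq $SourcePwdLastSet -or $null -eq $TargetPwdLastSet) {
        # One side could not be read: never report success on partial data.
        $converged = $false
    }
    else {
        # Password-reset modes: the target DC must hold the same pwdLastSet as the source.
        $converged = ([int64]$TargetPwdLastSet -eq [int64]$SourcePwdLastSet)
    }

    [pscustomobject]@{
        NaiveResult = $naive
        Converged   = $converged
    }
}

# Constructed inputs standing in for Get-ADObject results (placeholder DN).
$canaryDn       = 'CN=_adReplTempObject,CN=Users,DC=example,DC=test'
$canaryOnTarget = [pscustomobject]@{ DistinguishedName = $canaryDn }

# Canary mode, object replicated to the target DC: converged.
Test-ObjectConverged -TargetObject $canaryOnTarget

# Canary mode, Get-ADObject failed or the object has not arrived yet: the naive
# test still passes (both pwdLastSet values are $null), the hardened test fails.
Test-ObjectConverged -TargetObject $null

# Password-reset mode, target DC still holds the previous pwdLastSet: not converged.
Test-ObjectConverged -TargetObject $canaryOnTarget `
    -TargetPwdLastSet 133200000000000000 -SourcePwdLastSet 133200001000000000
```

The second call is the case this issue describes: NaiveResult is $true while Converged is $false, which is the answer a replication-convergence loop should act on (keep polling, or report the DC as not converged) rather than declaring success.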

Does not support single label domains

The DNS resolution check on Single Label Domains fails and the script does not continue. Adding the snippet below before the line [System.Net.Dns]::gethostentry($targetedADforestFQDN) | Out-Null and replacing targetedADforestFQDN with targettedDnsFqdn worked for me.

$targettedDnsFqdn = if ($targetedADforestFQDN -notmatch '\.') {
    # Single-label name: append a trailing dot so the resolver treats it as an
    # absolute name. The dot must be escaped in the regex; an unescaped "."
    # matches any character, so the branch would never be taken for a non-empty name.
    $targetedADforestFQDN + "."
} else {
    $targetedADforestFQDN
}

Console output states REAL RESET MODEL (Mode 3)

The script console output states 'REAL RESET MODE (MODE 3)' rather than 'SIMULATION RESET MODE (MODE 3)'

[2023-10-30 11:40:06] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2023-10-30 11:40:06] : SELECT THE SCOPE OF THE KRBTGT ACCOUNT(S) TO TARGET...
[2023-10-30 11:40:06] :
[2023-10-30 11:40:06] : Which KrbTgt account do you want to target?
[2023-10-30 11:40:06] :
[2023-10-30 11:40:06] : - 1 - Scope of KrbTgt in use by all RWDCs in the AD Domain
[2023-10-30 11:40:06] :
[2023-10-30 11:40:06] : - 2 - Scope of KrbTgt in use by specific RODC - Single RODC in the AD Domain
[2023-10-30 11:40:06] :
[2023-10-30 11:40:06] : - 3 - Scope of KrbTgt in use by specific RODC - Multiple RODCs in the AD Domain
[2023-10-30 11:40:06] :
[2023-10-30 11:40:06] : - 4 - Scope of KrbTgt in use by specific RODC - All RODCs in the AD Domain
[2023-10-30 11:40:06] :
[2023-10-30 11:40:06] :
[2023-10-30 11:40:06] : - 0 - Exit Script
[2023-10-30 11:40:06] :
[2023-10-30 11:40:06] : Please specify the scope of KrbTgt Account to target: 1
[2023-10-30 11:40:17] :
[2023-10-30 11:40:17] : --> Chosen Scope KrbTgt Account Target: 1 - Scope of KrbTgt in use by all RWDCs in the AD Domain...
[2023-10-30 11:40:17] :
[2023-10-30 11:40:17] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2023-10-30 11:40:17] : REAL RESET MODE (MODE 3) - RESETTING PASSWORD OF SCOPED KRBTGT ACCOUNT(S) (1 - Scope of KrbTgt in use by all RWDCs in the AD Domain...)
[2023-10-30 11:40:17] :

Cannot index Into a null array

Despite all I'm writing below, it seems other users have pointed out that the "upstream" maintainer/author of this script has made updates but MS hasn't pulled/merged them into this repo. For all I know this bug is fixed upstream. It'd be great if someone from MS can revive this repo and give it the TLC it needs. I for one am more comfortable using a script like this after Microsoft has vetted it.

I'm opening this issue, essentially duplicating #5

1F1D, 2016 DFL and FFL.

I run the New-KrbtgtKeys script a couple of times a year. Yesterday while running it in mode 1, I got a flood of red text as described in the previous issue, same line - 2277. Very different from what I'm used to. As mentioned by a commenter in that thread, the issue (for me) appears to present because of having recently removed/decommissioned/replaced the DC which is referenced in the LastOriginatingChangeDirectoryServerIdentity property. Instead of appearing as the expected/desired string, it showed up with a 0ADEL prefix. I don't have immediate access to the script's output to share that, but I don't think it matters too much.

Debugging manually, the error appears to be within the line...

$orgRWDCServerObjectObj = ([ADSI]"LDAP://$targetedADdomainRWDCWithPDCFSMOFQDN/$orgRWDCServerObjectDN")

...which shows up a few times throughout the script, so I imagine this isn't the only mode where it occurs. The script assumes the $orgRWDCServerObjectDN variable is going to have the expected data pattern in it, but because it doesn't, this issue then finally cascades through to line 2277.

Looking a bit further in the script, it looks like there was supposed to be handling for if an RWDC was demoted, but I guess the script in its current state does not handle a case like what happens here. This also goes beyond how far I wanted to take my investigation.
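A guard for the case this issue describes, as an added example that is not code from the New-KrbtgtKeys.ps1 repository: classify the DSA DN taken from the LastOriginatingChangeDirectoryServerIdentity metadata before anything binds to it with [ADSI], so a tombstoned NTDS Settings object of a demoted DC is reported as 'RWDC Demoted' (the wording the script's own remarks use) instead of being dereferenced. Get-OriginatingRWDCState is an assumed name and the sample DNs are constructed.

```powershell
# Added example, not from the repository. Function name and output shape are assumptions.
function Get-OriginatingRWDCState {
    param([AllowNull()][string]$OriginatingDsaDN)   # value of LastOriginatingChangeDirectoryServerIdentity

    if ([string]::IsNullOrWhiteSpace($OriginatingDsaDN)) {
        return [pscustomobject]@{ State = 'Unknown'; ServerName = $null; DsaDN = $OriginatingDsaDN }
    }

    # When a DC is demoted its NTDS Settings object is tombstoned: the RDN is
    # rewritten to "<name>\0ADEL:<objectGUID>" and the object moves under
    # CN=Deleted Objects. No live server object (and no dNSHostName) exists
    # behind such a DN, so dereferencing it is what produces the null-array error.
    if ($OriginatingDsaDN -match '0ADEL:' -or $OriginatingDsaDN -match 'CN=Deleted Objects') {
        return [pscustomobject]@{ State = 'RWDC Demoted'; ServerName = $null; DsaDN = $OriginatingDsaDN }
    }

    # Live DSA: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    # The server object is the parent of the NTDS Settings object.
    if ($OriginatingDsaDN -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,') {
        return [pscustomobject]@{ State = 'Live'; ServerName = $Matches[1]; DsaDN = $OriginatingDsaDN }
    }

    [pscustomobject]@{ State = 'Unknown'; ServerName = $null; DsaDN = $OriginatingDsaDN }
}

# Constructed sample DNs (placeholder domain and GUID).
$liveDsa    = 'CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=test'
$demotedDsa = 'CN=NTDS Settings\0ADEL:11111111-2222-3333-4444-555555555555,CN=Deleted Objects,CN=Configuration,DC=example,DC=test'

$liveDsa, $demotedDsa, '' | ForEach-Object { Get-OriginatingRWDCState -OriginatingDsaDN $_ } | Format-Table -AutoSize
```

Only the 'Live' result should go on to an LDAP lookup of the server object's dNSHostName; 'RWDC Demoted' and 'Unknown' are terminal values for the 'Org RWDC' column, which is exactly what keeps a stale metadata reference from aborting the whole run.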

Please update to 2.8

This appears to be a script originally maintained by MVP Jorge de Almeida Pinto.

This script is on v2.5, whereas Jorge's was updated to v2.8 almost a year ago. Please consider pulling it and integrating the changes.

List of changes since v2.5

v2.8, 2020-04-02, Jorge de Almeida Pinto [MVP-EMS]:

  • Fixed an issue when the RODC itself is not reachable/available, whereas in that case, the source should be the RWDC with the PDC FSMO
  • Checks to make sure both the RWDC with the PDC FSMO role and the nearest RWDC are available. If either one is not available, the script will abort

v2.7, 2020-04-02, Jorge de Almeida Pinto [MVP-EMS]:

  • Added DNS name resolution check to the portConnectionCheck function
  • To test membership of the administrators group in a remote AD forest the "title" attribute is now used instead of the "displayName" attribute to try to write to it
  • Removed usage of $remoteADforest variable and only use the $localADforest variable
  • Removed usage of $remoteCredsUsed variable and only use the $adminCrds variable (Was $adminCreds)
  • Added a warning if the special purpose krbtgt account 'Krbtgt_AzureAD' is discovered in the AD domain
  • If the number of RODCs in the AD domain is 0, then it will not present the options for RODCs
  • If the number of RODCs in the AD domain is 1 or more, and you choose to manually specify the FQDN of RODCs to process, it will present a list of RODCs to choose from
  • Operational modes have been changed (WARNING: pay attention to what you choose!). The following modes are the new modes
    • 1 - Informational Mode (No Changes At All)
    • 2 - Simulation Mode | Temporary Canary Object Created To Test Replication Convergence!
    • 3 - Simulation Mode | Use KrbTgt TEST/BOGUS Accounts - No Password Reset/WhatIf Mode!
    • 4 - Real Reset Mode | Use KrbTgt TEST/BOGUS Accounts - Password Will Be Reset Once!
    • 5 - Simulation Mode | Use KrbTgt PROD/REAL Accounts - No Password Reset/WhatIf Mode!
    • 6 - Real Reset Mode | Use KrbTgt PROD/REAL Accounts - Password Will Be Reset Once!
  • When choosing RODC Krb Tgt Account scope the following will now occur:
    • If the RODC is not reachable, the real source RWDC of the RODC cannot be determined. In that case, the RWDC with the PDC FSMO role is used as the source for the change and replication
    • If the RODC is reachable, but the real source RWDC of the RODC is not reachable it cannot be used as the source for the change and replication. In that case, the RWDC with the PDC FSMO role is used as the source for the change and replication
  • Sections with '#XXX' have been removed
  • Calls using the CMDlet 'Get-ADReplicationAttributeMetadata' (W2K12 and higher) have been replaced with .NET calls to support older OSes such as W2K8 and W2K8R2. A function has been created to retrieve metadata
  • Some parts were rewritten/optimized

v2.6, 2020-02-25, Jorge de Almeida Pinto [MVP-EMS]:

  • Removed code that was commented out
  • Logging where the script is being executed from
  • Updated the function 'createTestKrbTgtADAccount' to also include the FQDN of the RODC for which the Test KrbTgt account is created for better recognition
  • In addition to the port 135 (RPC Endpoint Mapper) and 389 (LDAP), the script will also check for port 9389 (AD Web Service) which is used by the ADDS PoSH CMDlets
  • Updated script to include more 'try/catch' and more (error) logging, incl. the line where it fails, when things go wrong to make troubleshooting easier

Exception calling "SetInfo" while doing a simulation (3) on a RODC

I'm having a problem while using the simulation mode on one of our RODCs.

The exception that comes up:

[2023-01-04 10:26:54] :   - Contacting DC in AD domain ...[RODC1.<domain>]...
[2023-01-04 10:26:54] :      * DC is Reachable...

Exception calling "SetInfo" with "0" argument(s): "An operations error occurred.
"
At C:\temp\new-krbtkeys.ps1:591 char:2
+     $rootDSE.SetInfo()
+     ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

[2023-01-04 10:26:56] :      * The new password for Object [CN=krbtgt_19109_TEST,CN=Users,DC=<domain>,DC=local] now does exist in the AD database

Even though the script informs that the password was replicated to the RODC, it, in fact, wasn't (confirmed by manually checking the passwordLastSet attribute).

There's no such problem with the other RODC that we have.

Basic info about the hosts that take part in the process:
DC3 - SiteHQ - the source for the replication - Win 2022
DC4 - SiteHQ - PDC - Win 2022
RODC1 - Site1 - the one that we have the problem with - Win 2016
RODC2 - Site2 - the one that the simulation works OK for - Win 2016

I'm wondering whether this is a no go for using the script on this RODC or, maybe, I can just force the replication manually after using the script and that'll be all.

A snippet from a transcript:

[2023-01-04 10:25:55] : LOADING REQUIRED POWERSHELL MODULES...
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] : PoSH Module 'ActiveDirectory' Already Loaded...
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] : PoSH Module 'GroupPolicy' Already Loaded...
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2023-01-04 10:25:55] : SELECT THE MODE OF OPERATION...
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] : Which mode of operation do you want to execute?
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] :  - 1 - Informational Mode (No Changes At All)
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] :  - 2 - Simulation Mode (Temporary Canary Object Created, No Password Reset!)
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] :  - 3 - Simulation Mode - Use KrbTgt TEST/BOGUS Accounts (Password Will Be Reset Once!)
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] :  - 4 - Real Reset Mode - Use KrbTgt PROD/REAL Accounts (Password Will Be Reset Once!)
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] :  - 8 - Create TEST KrbTgt Accounts
[2023-01-04 10:25:55] :  - 9 - Cleanup TEST KrbTgt Accounts
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] :  - 0 - Exit Script
[2023-01-04 10:25:55] : 
[2023-01-04 10:25:55] : Please specify the mode of operation: 
[2023-01-04 10:25:57] : 
[2023-01-04 10:25:57] :   --> Chosen Mode: Mode 3 - Simulation Mode - Use KrbTgt TEST/BOGUS Accounts (Password Will Be Reset Once!)...
[2023-01-04 10:25:57] : 
[2023-01-04 10:25:57] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2023-01-04 10:25:57] : SPECIFY THE TARGET AD FOREST...
[2023-01-04 10:25:57] : 
[2023-01-04 10:25:57] : For the AD forest to be targeted, please provide the FQDN or press [ENTER] for the current AD forest: 
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] :   --> Selected AD Forest: '<domain>'...
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : Checking Resolvability of the specified Local AD forest '<domain>' through DNS...
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : The specified Local AD forest '<domain>' is resolvable through DNS!
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : Continuing Script...
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : Checking Accessibility of the specified AD forest '<domain>' By Trying To Retrieve AD Forest Data...
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : The specified AD forest '<domain>' is accessible!
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : Continuing Script...
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2023-01-04 10:26:04] : SELECT THE TARGET AD DOMAIN...
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : Forest Mode/Level...: Windows2008R2Forest
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : List Of AD Domains In AD Forest '<domain>'...
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : 
Name       DomainSID                                IsRootDomain          DomainMode IsCurrentDomain IsAvailable PDCFsmoOwner   NearestRWDC   
----       ---------                                ------------          ---------- --------------- ----------- ------------   -----------   
<domain> S-1-5-21-839615072-2308167561-3032929121 TRUE         Windows2008R2Domain TRUE            TRUE        DC4.<domain> DC4.<domain>



[2023-01-04 10:26:04] :   --> Found [1] AD Domain(s) in the AD forest '<domain>'...
[2023-01-04 10:26:04] : 
[2023-01-04 10:26:04] : For the AD domain to be targeted, please provide the FQDN or press [ENTER] for the current AD domain: 
[2023-01-04 10:26:08] : 
[2023-01-04 10:26:08] :   --> Selected AD Domain: '<domain>'...
[2023-01-04 10:26:08] : 
[2023-01-04 10:26:08] : Checking existence of the specified AD domain '<domain>' in the AD forest '<domain>'...
[2023-01-04 10:26:08] : 
[2023-01-04 10:26:08] : The specified AD domain '<domain>' exists in the AD forest '<domain>'!
[2023-01-04 10:26:08] : 
[2023-01-04 10:26:08] : Continuing Script...
[2023-01-04 10:26:08] : 
[2023-01-04 10:26:08] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2023-01-04 10:26:08] : TESTING IF REQUIRED PERMISSIONS ARE AVAILABLE (DOMAIN/ENTERPRISE ADMINS OR ADMINISTRATORS CREDENTIALS)...
[2023-01-04 10:26:08] : 
[2023-01-04 10:26:08] : The user account '<username>' is running with Domain Administrator equivalent permissions in the AD Domain '<domain>'!...
[2023-01-04 10:26:08] : The user account '<username>' is a member of '<domain>\Domain Admins'!...
[2023-01-04 10:26:08] : 
[2023-01-04 10:26:08] : Continuing Script...
[2023-01-04 10:26:08] : 
[2023-01-04 10:26:08] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2023-01-04 10:26:08] : GATHERING TARGETED AD DOMAIN INFORMATION...
[2023-01-04 10:26:08] : 
[2023-01-04 10:26:15] : Domain FQDN...........................: '<domain>'
[2023-01-04 10:26:15] : Domain Functional Mode................: 'Windows2008R2Domain'
[2023-01-04 10:26:15] : Domain Functional Mode Level..........: '4'
[2023-01-04 10:26:15] : FQDN RWDC With PDC FSMO...............: 'DC4.<domain>'
[2023-01-04 10:26:15] : DSA RWDC With PDC FSMO................: 'CN=NTDS Settings,CN=DC4,CN=Servers,CN=SiteHQ,CN=Sites,CN=Configuration,DC=<domain>,DC=local'
[2023-01-04 10:26:15] : Max TGT Lifetime (Hours)..............: '10'
[2023-01-04 10:26:15] : Max Clock Skew (Minutes)..............: '5'
[2023-01-04 10:26:15] : TGT Lifetime/Clock Skew Sourced From..: 'Default Domain GPO'
[2023-01-04 10:26:15] : 
[2023-01-04 10:26:15] : Checking Domain Functional Mode of targeted AD domain '<domain>' is high enough...
[2023-01-04 10:26:15] : 
[2023-01-04 10:26:15] : The specified AD domain '<domain>' has a Domain Functional Mode of 'Windows2008Domain (3)' or higher!...
[2023-01-04 10:26:15] : 
[2023-01-04 10:26:15] : Continuing Script...
[2023-01-04 10:26:15] : 
[2023-01-04 10:26:15] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2023-01-04 10:26:15] : GATHERING DOMAIN CONTROLLER INFORMATION AND TESTING CONNECTIVITY...
[2023-01-04 10:26:15] : 
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] : List Of Domain Controllers In AD Domains '<domain>'...
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] : 
Host Name                PDC Site Name   DS Type    Krb Tgt           Pwd Last Set        Org RWDC       Org Time            Ver IP Address   OS Version                              Reachable Source RWDC FQDN Source RWDC DSA               
---------                --- ---------   -------    -------           ------------        --------       --------            --- ----------   ----------                              --------- ---------------- ---------------               
DC4.<domain>          True SiteHQ     Read/Write krbtgt_TEST       2023-01-02 12:12:13 DC4.<domain> 2023-01-02 12:12:13   3 10.10.14.154 Windows Server 2022 Datacenter               True N.A.             N.A.                          
DC3.<domain>         False SiteHQ     Read/Write krbtgt_TEST       2023-01-02 12:12:13 DC4.<domain> 2023-01-02 12:12:13   3 10.10.14.153 Windows Server 2022 Datacenter               True DC4.<domain>   CN=NTDS Settings,CN=DC4,CN=...
DC2.<domain>         False SiteHQ     Read/Write krbtgt_TEST       2023-01-02 12:12:13 DC4.<domain> 2023-01-02 12:12:13   3 10.0.90.32   Windows Server 2012 Standard                 True DC4.<domain>   CN=NTDS Settings,CN=DC4,CN=...
DC1.<domain>         False SiteHQ     Read/Write krbtgt_TEST       2023-01-02 12:12:13 DC4.<domain> 2023-01-02 12:12:13   3 10.0.90.31   Windows Server 2012 Standard                 True DC4.<domain>   CN=NTDS Settings,CN=DC4,CN=...
RODC1.<domain>  False <Site1>        Read-Only  krbtgt_19109_TEST 2023-01-03 16:48:05 DC3.<domain> 2023-01-03 16:48:05   4 172.17.18.10 Windows Server 2016 Standard Evaluation      True DC3.<domain>   CN=NTDS Settings,CN=DC3,CN=...
RODC2.<domain> False <Site2> Read-Only  krbtgt_33912_TEST 2023-01-03 16:58:57 DC3.<domain> 2023-01-03 16:58:57   4 10.102.14.20 Windows Server 2016 Standard                 True DC3.<domain>   CN=NTDS Settings,CN=DC3,CN=...



[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] : REMARKS:
[2023-01-04 10:26:16] :  - 'N.A.' in the columns 'Source RWDC FQDN' and 'Source RWDC DSA' means the RWDC is considered as the master for this script.
[2023-01-04 10:26:16] :  - 'RODC Unreachable' in the columns 'Source RWDC FQDN' and 'Source RWDC DSA' means the RODC cannot be reached to determine its replicating source
[2023-01-04 10:26:16] :      RWDC/DSA. The unavailability can be due to firewalls/networking or the RODC actually being down.
[2023-01-04 10:26:16] :  - 'Unknown' in various columns means that an RODC was found that may not be a true Windows Server RODC. It may be an appliance acting as an RODC.
[2023-01-04 10:26:16] :  - 'RWDC Demoted' in the column 'Org RWDC' means the RWDC existed once, but it does not exist anymore as it has been decommissioned in the past.
[2023-01-04 10:26:16] :      This is normal.
[2023-01-04 10:26:16] :  - 'No Such Object' in the columns 'Pwd Last Set', 'Org RWDC', 'Org Time' or 'Ver' means the targeted object was not found in the AD domain.
[2023-01-04 10:26:16] :      Although this is possible for any targeted object, this is most likely the case when targeting the KrbTgt TEST/BOGUS accounts and if those
[2023-01-04 10:26:16] :      do not exist yet. This may also occur for an appliance acting as an RODC as in that case no KrbTgt TEST/BOGUS account is created.
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] :   --> Found [6] Real DC(s) In AD Domain...
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] :   --> Found [4] RWDC(s) In AD Domain...
[2023-01-04 10:26:16] :   --> Found [4] Reachable RWDC(s) In AD Domain...
[2023-01-04 10:26:16] :   --> Found [0] UnReachable RWDC(s) In AD Domain...
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] :   --> Found [2] RODC(s) In AD Domain...
[2023-01-04 10:26:16] :   --> Found [2] Reachable RODC(s) In AD Domain...
[2023-01-04 10:26:16] :   --> Found [0] UnReachable RODC(s) In AD Domain...
[2023-01-04 10:26:16] :   --> Found [0] Undetermined RODC(s) In AD Domain...
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2023-01-04 10:26:16] : SELECT THE SCOPE OF THE KRBTGT ACCOUNT(S) TO TARGET...
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] : Which KrbTgt account do you want to target?
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] :  - 1 - Scope of KrbTgt in use by all RWDCs in the AD Domain
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] :  - 2 - Scope of KrbTgt in use by specific RODC - Single RODC in the AD Domain
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] :  - 3 - Scope of KrbTgt in use by specific RODC - Multiple RODCs in the AD Domain
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] :  - 4 - Scope of KrbTgt in use by specific RODC - All RODCs in the AD Domain
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] :  - 0 - Exit Script
[2023-01-04 10:26:16] : 
[2023-01-04 10:26:16] : Please specify the scope of KrbTgt Account to target: 
[2023-01-04 10:26:38] : 
[2023-01-04 10:26:38] :   --> Chosen Scope KrbTgt Account Target: 2 - Scope of KrbTgt in use by specific RODC - Single RODC in the AD Domain...
[2023-01-04 10:26:38] : 
[2023-01-04 10:26:38] : Specify the FQDN of single RODC for which the KrbTgt Account Password must be reset: 
[2023-01-04 10:26:46] : 
[2023-01-04 10:26:46] :   --> Specified RODC:
[2023-01-04 10:26:46] :        * RODC1.<domain>
[2023-01-04 10:26:46] : 
[2023-01-04 10:26:46] : ------------------------------------------------------------------------------------------------------------------------------------------------------
[2023-01-04 10:26:46] : REAL RESET MODE (MODE 3) - RESETTING PASSWORD OF SCOPED KRBTGT ACCOUNT(S) (2 - Scope of KrbTgt in use by specific RODC - Single RODC in the AD Domain...)
[2023-01-04 10:26:46] : 
[2023-01-04 10:26:46] : Do you really want to continue and execute 'Mode 3'? [CONTINUE | STOP]: 
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] :   --> Chosen: continue
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] : +++++
[2023-01-04 10:26:54] : +++ Processing KrbTgt Account....: 'krbtgt_19109_TEST' | 'CN=krbtgt_19109_TEST,CN=Users,DC=<domain>,DC=local' +++
[2023-01-04 10:26:54] : +++ Used By RODC.................: 'RODC1.<domain>' (Site: Site1) +++
[2023-01-04 10:26:54] : +++++
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] :   --> RWDC To Reset Password On.............: 'DC3.<domain>'
[2023-01-04 10:26:54] :   --> sAMAccountName Of KrbTgt Account......: 'krbtgt_19109_TEST'
[2023-01-04 10:26:54] :   --> Distinguished Name Of KrbTgt Account..: 'CN=krbtgt_19109_TEST,CN=Users,DC=<domain>,DC=local'
[2023-01-04 10:26:54] :   --> Number Of Chars For Pwd Generation....: '64'
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] :   --> Previous Password Set Date/Time.......: '2023-01-03 16:48:05'
[2023-01-04 10:26:54] :   --> New Password Set Date/Time............: '2023-01-04 10:26:54'
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] :   --> Previous Originating RWDC.............: 'DC3.<domain>'
[2023-01-04 10:26:54] :   --> New Originating RWDC..................: 'DC3.<domain>'
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] :   --> Previous Originating Time.............: '2023-01-03 16:48:05'
[2023-01-04 10:26:54] :   --> New Originating Time..................: '2023-01-04 10:26:54'
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] :   --> Previous Version Of Attribute Value...: '4'
[2023-01-04 10:26:54] :   --> New Version Of Attribute Value........: '5'
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] :   --> The new password for [CN=krbtgt_19109_TEST,CN=Users,DC=<domain>,DC=local] HAS BEEN SET on RWDC [DC3.<domain>]!...
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] :   =================================================================== CHECK 1 ===================================================================
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] :   - Contacting DC in AD domain ...[DC3.<domain>]...(SOURCE RWDC)
[2023-01-04 10:26:54] :      * DC is Reachable...
[2023-01-04 10:26:54] :      * The new password for Object [CN=krbtgt_19109_TEST,CN=Users,DC=<domain>,DC=local] exists in the AD database
[2023-01-04 10:26:54] : 
[2023-01-04 10:26:54] :   - Contacting DC in AD domain ...[RODC1.<domain>]...
[2023-01-04 10:26:54] :      * DC is Reachable...
[2023-01-04 10:26:56] :      * The new password for Object [CN=krbtgt_19109_TEST,CN=Users,DC=<domain>,DC=local] now does exist in the AD database
[2023-01-04 10:26:56] : 
[2023-01-04 10:26:56] : 
[2023-01-04 10:26:56] :   --> Start Time......: 2023-01-04 10:26:54
[2023-01-04 10:26:56] :   --> End Time........: 2023-01-04 10:26:56
[2023-01-04 10:26:56] :   --> Duration........: 2.34 Seconds
[2023-01-04 10:26:56] : 
[2023-01-04 10:26:56] : 
[2023-01-04 10:26:56] : List Of DCs In AD Domain '<domain>' And Their Timing...
[2023-01-04 10:26:56] : 
[2023-01-04 10:26:56] : 
Host Name               PDC Site Name DS Type    IP Address   Reachable Source RWDC FQDN Time
---------               --- --------- -------    ----------   --------- ---------------- ----
DC3.<domain>        False SiteHQ   Read/Write 10.10.14.153      True N.A.                0
RODC1.<domain> False Site1      Read-Only  172.17.18.10      True DC3.<domain>   2.34

Silent Operation and Command Line Parameters?

With modern advice around changing the KrbTgt Password every 40 days we need a more automated way to perform this action. It should be just as easy as resetting any user password. (Honestly, Windows should do this automatically based on a GPO setting)

I am working on a fork that will have parameters for every interactive question asked and a Silent operation mode. This way I can get it going in Interactive mode and then automate it once it's running successfully.

Are there any pitfalls I should be aware of?

If I have a headless task where I force continue through the script, are there any dangerous situations I could get into?

Will it fail gracefully and just log the errors?

When is it best to reset password again?

It would be helpful if the script provided information on when it would be considered safest to reset the krbtgt password a second time if we are looking to minimize impact on the domain. Do I understand this to be the datetime specified under "Date/Time N-1 Kerberos Tickets"? If so, it would be helpful to state this, and to provide additional guidance that if attempting to reset a second time within this timeframe there may be an impact. And if resetting past this timeframe, to clarify that sufficient time has passed and it is safe to perform a second reset with minimal impact.

I noticed this with the v2 script.

Thanks.

Issue in Get-GpoReport

Found an issue where, in a trusted domain, Get-GpoReport returns the Max TGT LifeTime and Max Clock Skew as empty/null. This causes the second iteration of the script to reset the krbtgt password, because the check on the difference between the last password set time and the current time succeeds and no "MAJOR Impact" warning is presented.

[2021-05-26 17:51:04] : Max TGT Lifetime (Hours)..............: ''
[2021-05-26 17:51:04] : Max Clock Skew (Minutes)..............: ''
[2021-05-26 17:51:04] : TGT Lifetime/Clock Skew Sourced From..: 'Default Domain GPO'

I was able to add an additional check to make sure the Max TGT LifeTime is not null, to ensure that this is not missed and the second iteration does not simply succeed.

    # Guard against an empty Get-GPOReport result: a $null lifetime would otherwise let the
    # "MAJOR impact" timing check pass silently. $null goes on the left so an array value cannot
    # turn the comparison into a filter. Logging is the script's own output function.
    If ($null -eq $targetedADdomainMaxTgtLifetimeHrs)
       {
       Logging "  --> Max TGT Lifetime (Hours)..............: 'This was determined to be null. Ensure to run the script from a computer joined to appropriate forest'" "WARNING"
       Logging "  --> EXITING SCRIPT  "
       Start-Sleep -Seconds 20
       Exit
       }

...................

Interestingly, during later debugging, I was also able to see this peculiar behaviour with Get-GpoReport, which seems to behave in a bad fashion.

The fix was to use

[xml]$gpoObjXML = Get-GPOReport -Domain $targetedADdomainFQDN -Guid '{31B2F340-016D-11D2-945F-00C04FB984F9}' -ReportType Xml -Server $targetedADdomainFQDN

If I use a domain controller FQDN for $targetedADdomainFQDN, it seems to come up empty for MaxTgtLifetime and the other values.

I also examined the XML and saw that it was coming back as "BLOCKED", which was weird. Just wanted to apprise you of this happening; I was able to add an additional roadblock if it reported as null.
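The two issues above (when a second reset is safe, and a null Max TGT Lifetime from Get-GPOReport slipping past the check) share one fix: parse the Kerberos policy values strictly and derive the N-1 ticket expiry from them. The following is an added example, not the project's code; $constructedReport is a constructed, namespace-free stand-in for the Get-GPOReport XML, and the expiry rule (pwdLastSet + MaxTicketAge + MaxClockSkew) is this example's assumption.

```powershell
# Added example (not the New-KrbtgtKeys.ps1 project's code). $constructedReport is a constructed,
# namespace-free stand-in for the XML returned by:
#   Get-GPOReport -Domain $domain -Guid '{31B2F340-016D-11D2-945F-00C04FB984F9}' -ReportType Xml -Server $domain
[xml]$constructedReport = @"
<GPO>
  <Computer><ExtensionData><Extension>
    <Account><Name>MaxTicketAge</Name><SettingNumber>10</SettingNumber><Type>Kerberos</Type></Account>
    <Account><Name>MaxClockSkew</Name><SettingNumber>5</SettingNumber><Type>Kerberos</Type></Account>
  </Extension></ExtensionData></Computer>
</GPO>
"@

function Get-KerberosPolicySetting {
    param([xml]$Report, [string]$Name)
    $accounts = @($Report.GPO.Computer.ExtensionData.Extension.Account | Where-Object { $_.Name -eq $Name })
    # The failure mode from the issue above: a blocked or empty report yields no value, not a number.
    # Treat that as fatal instead of letting a $null silently pass the "MAJOR impact" check.
    if ($accounts.Count -ne 1 -or [string]::IsNullOrWhiteSpace($accounts[0].SettingNumber)) {
        throw "Kerberos policy '$Name' not found in GPO report; run from a member of the target forest and pass the domain FQDN, not a DC FQDN"
    }
    return [int]$accounts[0].SettingNumber
}

function Get-EarliestSafeSecondReset {
    param([xml]$Report, [datetime]$PwdLastSet)
    $maxTgtHrs   = Get-KerberosPolicySetting -Report $Report -Name 'MaxTicketAge'
    $maxSkewMins = Get-KerberosPolicySetting -Report $Report -Name 'MaxClockSkew'
    # Assumed rule: TGTs issued under the previous (N-1) key stay valid for MaxTicketAge hours plus
    # MaxClockSkew minutes of tolerance, so a second reset before this instant invalidates live tickets.
    return $PwdLastSet.AddHours($maxTgtHrs).AddMinutes($maxSkewMins)
}

# PwdLastSet taken from the reset shown in the log above.
$safeAt = Get-EarliestSafeSecondReset -Report $constructedReport -PwdLastSet ([datetime]'2023-01-04 10:26:54')
if ((Get-Date) -lt $safeAt) {
    "Second reset now would have MAJOR impact; wait until $safeAt"
} else {
    "N-1 tickets expired at $safeAt; a second reset has minimal impact"
}
```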

Never store the password in clear text.

Currently, a custom password generation and verification method is used to generate the new password. It is passed around in clear text variables where it could be captured. It should remain a secure string at all times to mitigate this vulnerability.

I might use [System.Web.Security.Membership]::GeneratePassword(20,3) to generate the strong password but we can't verify it will pass complexity requirements without reading the plain text. We can meet length and special symbol requirements so that only leaves upper\lower case letters and maybe digits. It is possible that a password with letters of the same case could be generated and fail.

https://docs.microsoft.com/en-us/dotnet/api/system.web.security.membership.generatepassword?view=netframework-4.8
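One way around the verification problem raised above is to never build a String at all: append characters to a SecureString one at a time, and guarantee complexity by construction by reserving a random position for one character from each class. This is an added example, not the project's code; the function name, character classes and the Set-ADAccountPassword call shown in the trailing comment are this example's assumptions.

```powershell
# Added example (not the New-KrbtgtKeys.ps1 project's code): a generated password that only ever
# exists as a SecureString. Complexity is guaranteed by construction (one char from each class at
# random positions), so nothing needs to read the plaintext back to verify it.
function New-SecureKrbtgtPassword {
    param([int]$Length = 64)
    $classes = @(
        [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        [char[]]'abcdefghijklmnopqrstuvwxyz',
        [char[]]'0123456789',
        [char[]]'!@#$%^&*()-_=+[]{}:;,.?'
    )
    if ($Length -lt $classes.Count) { throw "Length must be at least $($classes.Count)" }
    $pool = [char[]](-join ($classes | ForEach-Object { -join $_ }))
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf  = New-Object byte[] 4
    # Uniform index in [0, Max) from the CSPRNG, with rejection sampling to avoid modulo bias.
    function Get-RandomIndex([int]$Max) {
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $Max)
        do { $rng.GetBytes($buf); $v = [BitConverter]::ToUInt32($buf, 0) } while ($v -ge $limit)
        return [int]($v % $Max)
    }
    # Pick distinct positions for the guaranteed per-class chars (Fisher-Yates on the index list).
    $positions = @(0..($Length - 1))
    for ($i = $Length - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $positions[$i]; $positions[$i] = $positions[$j]; $positions[$j] = $tmp
    }
    $classAt = @{}
    for ($k = 0; $k -lt $classes.Count; $k++) { $classAt[$positions[$k]] = $classes[$k] }
    $secure = New-Object System.Security.SecureString
    for ($i = 0; $i -lt $Length; $i++) {
        $src = if ($classAt.ContainsKey($i)) { $classAt[$i] } else { $pool }
        # Only one transient char at a time is ever held outside the SecureString.
        $secure.AppendChar($src[(Get-RandomIndex $src.Count)])
    }
    $rng.Dispose()
    $secure.MakeReadOnly()
    return $secure
}

$newPwd = New-SecureKrbtgtPassword -Length 64
# The SecureString can be handed straight to the reset without ever materialising a String, e.g.:
#   Set-ADAccountPassword -Identity $krbtgtDN -Reset -NewPassword $newPwd -Server $rwdcFqdn
"Generated SecureString of length $($newPwd.Length)"
```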

Mode 4 (Real Reset of krbtgt) Has Less Information Than Mode 3

Hello! I noticed that when running Mode 3 (Simulation Mode with krbtgt_TEST), it provides some useful information when compared to Mode 4 (Real Reset Mode). For instance, Mode 3 states:

  • "Resetting KrbTgt Accnt Password Means.: 'MAJOR DOMAIN WIDE IMPACT'"

  • Date/Time N-1 Kerberos Tickets........: ''

It would be helpful to include more warnings when resetting the real krbtgt account in Mode 4. If I have misunderstood something though, please let me know.

I am using the new version 2 committed on May 12.

Thanks!

Where is Version 2? Is this version 2 ?

Which version of the script takes care of RODCs as well? I know there is another script that does it... just checking to see if this script does it as well or not?
