I'm managing two Active Directory Domains: the ROOT Domain (Domain A) and the TREE Domain (Domain B). For security maintenance, I need to reset the krbtgt account's password in both domains—not because of a security breach, but just as a routine practice. I plan to reset the krbtgt password twice. What I need to know is whether I should reset the password in the forest root domain first or in the tree domain. Is there a specific order to follow? After each reset, how long should I wait? I heard the default is 10 hours. Additionally, I've noticed that the krbtgt account in the TREE Domain appears to be locked. Do I need to unlock it before resetting the password? Will the locked state prevent me from completing the reset? Also, can I perform both resets while it's locked?
4 Answers
If you're looking for some additional checks during this process, consider using this script I found. It's been updated by a former Microsoft employee. It checks that all domain controllers are online and validates your KRB ticket life to prevent the second reset from happening too soon. It also has a test mode that creates a dummy account for you to validate that the reset works properly.
For your reset process, you could script the first KRBTGT password reset in the forest root domain, wait the required 10 hours, then run the reset again. Then repeat the steps for the TREE domain. Regarding the locked KRBTGT account, leaving it locked is fine. It won’t block or affect your ability to reset the password. So yes, you can reset its password twice, even while it's locked.
It really doesn't matter what order you do it in, but if you're going for a double reset, consistency is key. Just stick to one method for both resets and complete the root domain first before moving to the child domain. The order isn't critical; starting from the root makes it easier to work downwards. As for the locked KRBTGT account, you actually shouldn't unlock it. It’s best to keep it in a disabled state since unlocking offers no real benefits.
The reason for the two resets is to take care of the cached password associated with the KRBTGT account. After the first reset, you wait 10 hours to ensure the backup password updates, hence the two-step process.
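The pre-flight checks the answers above describe (all DCs reachable, enough ticket lifetime elapsed since the last change, locked or disabled krbtgt does not matter), as an added PowerShell example; this is not the script mentioned in the first answer. It assumes RSAT's ActiveDirectory module, repadmin on the path, and a session with rights to read and reset the account; $Domain and $MinWaitHours are inputs you supply.

```powershell
# Added example (not the script the first answer refers to). Checks whether a
# domain is ready for a krbtgt reset, and optionally performs one reset.
param(
    [Parameter(Mandatory)] [string] $Domain,   # root or tree domain DNS name
    [int] $MinWaitHours = 10,                  # default Kerberos max ticket lifetime
    [switch] $DoReset                          # actually reset once checks pass
)
Import-Module ActiveDirectory

# 1. Every DC must be reachable, otherwise the new key cannot replicate everywhere.
$dcs = Get-ADDomainController -Filter * -Server $Domain
$offline = $dcs | Where-Object { -not (Test-Connection -ComputerName $_.HostName -Count 1 -Quiet) }
if ($offline) {
    Write-Warning ("Unreachable DCs: " + ($offline.HostName -join ', ') + ". Fix this before resetting.")
    return
}

# 2. Read krbtgt state. A locked or disabled krbtgt does not block a password reset.
$krbtgt = Get-ADUser -Identity krbtgt -Server $Domain -Properties PasswordLastSet, LockedOut, Enabled
$hoursSince = ((Get-Date) - $krbtgt.PasswordLastSet).TotalHours
Write-Host ("krbtgt in {0}: last set {1} ({2:N1} h ago), enabled={3}, lockedOut={4}" -f `
    $Domain, $krbtgt.PasswordLastSet, $hoursSince, $krbtgt.Enabled, $krbtgt.LockedOut)

# 3. The second reset must wait out the ticket lifetime: AD still honours tickets
#    issued under the previous key, but a second reset within that window drops it
#    and tickets still in use stop validating.
if ($hoursSince -lt $MinWaitHours) {
    Write-Warning ("Only {0:N1} h since the last change; wait {1:N1} h more." -f $hoursSince, ($MinWaitHours - $hoursSince))
    return
}

if (-not $DoReset) { Write-Host "Checks passed. Re-run with -DoReset to perform the reset."; return }

# 4. Reset with a long random value (AD generates the real krbtgt key material
#    itself, but -Reset still requires a password to be supplied).
$bytes = New-Object byte[] 64
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Server $Domain -Reset -NewPassword $newPw

# 5. Force replication so no DC keeps issuing tickets with the old key longer than needed.
& repadmin /syncall /AdeP $dcs[0].HostName | Out-Null
Write-Host "Reset done in $Domain. Wait at least $MinWaitHours h before running the second reset."
```

Run it once per domain (root first, then the tree, as the answers suggest), and run it again without -DoReset between the two resets to confirm the wait has elapsed.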