I'm preparing to change the Kerberos account (KRBTGT) password, but I want to ensure everything is functioning correctly before I do that. Is there a way to perform a health check to confirm replication and that the accounts are working properly across all domain controllers? It would really help to have some sort of validation in place before I go ahead and reset the password, allowing for a gap of a few days between the two resets. Any recommendations?
2 Answers
Microsoft actually has a script that performs a bunch of checks before you change the password. It's a good way to make sure everything's in order!
You might want to check out this resource from Microsoft: it offers some really useful scripts for resetting the KRBTGT password. Here's the link: https://www.microsoft.com/en-us/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/. There's also a GitHub repo with scripts that work great for this. It's been helpful for me in the past!
Thanks for the links! I've used that GitHub repo before, and it worked really well for me too!
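A read-only pre-check of the kind the question asks for, as an added example (it is not part of the thread and is not Microsoft's script): it queries each writable domain controller directly and compares its copy of the krbtgt account and its recorded replication failures. The function name `Test-KrbtgtResetReadiness` is hypothetical, the ActiveDirectory (RSAT) module is assumed, and RODCs are skipped because they use their own krbtgt accounts.

```powershell
# Added example: read-only checks, nothing is changed in the directory.
# Assumes the ActiveDirectory (RSAT) module; the function name is hypothetical.
Import-Module ActiveDirectory

function Test-KrbtgtResetReadiness {
    [CmdletBinding()]
    param(
        # Domain to check; defaults to the current user's domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    # Writable DCs only (RODCs are out of scope for this check).
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { -not $_.IsReadOnly }

    $results = foreach ($dc in $dcs) {
        $row = [ordered]@{
            DC = $dc.HostName; Checked = $false
            PasswordLastSet = $null; KeyVersion = $null; ReplFailures = $null
        }
        try {
            # Ask this DC for its own copy of krbtgt, not whichever DC answers first.
            $k = Get-ADUser -Identity krbtgt -Server $dc.HostName `
                -Properties PasswordLastSet, 'msDS-KeyVersionNumber' -ErrorAction Stop
            $row.PasswordLastSet = $k.PasswordLastSet
            $row.KeyVersion      = $k.'msDS-KeyVersionNumber'
            # Inbound replication failures currently recorded on this DC.
            $row.ReplFailures = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction Stop |
                Where-Object { $_.FailureCount -gt 0 }).Count
            $row.Checked = $true   # set only when both queries succeeded
        } catch {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }

    $results | Format-Table -AutoSize | Out-Host

    # Ready only if every DC answered, none has failures, and all copies agree.
    $bad      = @($results | Where-Object { -not $_.Checked -or $_.ReplFailures -gt 0 })
    $versions = @($results | Select-Object -ExpandProperty KeyVersion -Unique)
    $stamps   = @($results | Select-Object -ExpandProperty PasswordLastSet -Unique)
    return ($bad.Count -eq 0 -and $versions.Count -eq 1 -and $stamps.Count -eq 1)
}

if (Test-KrbtgtResetReadiness) { 'All writable DCs agree on krbtgt; no replication failures.' }
else { 'Do not reset yet: investigate the rows above.' }
```

Running the same function again after the first reset, and before the second, shows whether the new key version has reached every domain controller.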