This repository has been archived by the owner on Mar 8, 2024. It is now read-only.

Setting the new password for [CN=krbtgt,CN=Users,DC=<domain>,DC=local] FAILED on RWDC [DC.<domain>.local]!... #9

Open
corsch opened this issue Mar 12, 2021 · 2 comments

Comments

@corsch

corsch commented Mar 12, 2021

We are having issues resetting the krbtgt user with this script.

The error is:
Setting the new password for [CN=krbtgt,CN=Users,DC=<domain>,DC=local] FAILED on RWDC [DC.<domain>.local]!...

DC is a Windows Server 2019
DC02 is a Windows Server 2012 R2
The domain was created in 'German' and is at the 2012 functional level.

We've rebooted both servers with no success.


------------------------------------------------------------------------------------------------------------------------------------------------------
[2021-03-11 08:33:39] : TESTING IF REQUIRED PERMISSIONS ARE AVAILABLE (DOMAIN/ENTERPRISE ADMINS OR ADMINISTRATORS CREDENTIALS)...
[2021-03-11 08:33:39] : 
[2021-03-11 08:33:39] : The user account '<domain>\administrator' is running with Domain Administrator equivalent permissions in the AD Domain '<domain>.local'!...
[2021-03-11 08:33:39] : The user account '<domain>\administrator' is a member of '<domain>\Domänen-Admins'!...
[2021-03-11 08:33:39] : 
[2021-03-11 08:33:39] : Continuing Script...
[2021-03-11 08:33:39] : 
[2021-03-11 08:33:39] : 
------------------------------------------------------------------------------------------------------------------------------------------------------
[2021-03-11 08:33:39] : GATHERING TARGETED AD DOMAIN INFORMATION...
[2021-03-11 08:33:39] : 
[2021-03-11 08:33:47] : Domain FQDN...........................: '<domain>.local'
[2021-03-11 08:33:47] : Domain Functional Mode................: 'Windows2012R2Domain'
[2021-03-11 08:33:47] : Domain Functional Mode Level..........: '6'
[2021-03-11 08:33:47] : FQDN RWDC With PDC FSMO...............: 'DC.<domain>.local'
[2021-03-11 08:33:47] : DSA RWDC With PDC FSMO................: 'CN=NTDS Settings,CN=DC,CN=Servers,CN=<SITE>,CN=Sites,CN=Configuration,DC=<domain>,DC=local'
[2021-03-11 08:33:47] : Max TGT Lifetime (Hours)..............: '10'
[2021-03-11 08:33:47] : Max Clock Skew (Minutes)..............: '5'
[2021-03-11 08:33:47] : TGT Lifetime/Clock Skew Sourced From..: 'Default Domain GPO'
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : Checking Domain Functional Mode of targeted AD domain '<domain>.local' is high enough...
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : The specified AD domain '<domain>.local' has a Domain Functional Mode of 'Windows2008Domain (3)' or higher!...
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : Continuing Script...
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : ------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------
[2021-03-11 08:33:47] : GATHERING DOMAIN CONTROLLER INFORMATION AND TESTING CONNECTIVITY...
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : List Of Domain Controllers In AD Domains '<domain>.local'...
[2021-03-11 08:33:47] : 
[2021-03-11 08:33:47] : 
Host Name            PDC    Site Name  DS Type     Krb Tgt  Pwd Last Set         Org RWDC             Org Time             Ver     IP Address  OS Version                         Reachable  Source RWDC FQDN   Source RWDC DSA
---------            ---    ---------  -------     -------  ------------         --------             --------             ---     ----------  ----------                         ---------  ----------------   ---------------
DC.<domain>.local    True   <SITE>     Read/Write  krbtgt   2011-12-01 16:35:23  DC02.<domain>.local  2019-09-13 12:29:32  100003  <IP1>       Windows Server 2019 Standard       True       N.A.               N.A.
DC02.<domain>.local  False  <SITE>     Read/Write  krbtgt   2011-12-01 16:35:23  DC02.<domain>.local  2019-09-13 12:29:32  100003  <IP2>       Windows Server 2012 R2 Datacenter  True       DC.<domain>.local  CN=NTDS Settings,CN=DC...
------------------------------------------------------------------------------------------------------------------------------------------------------
[2021-03-11 08:34:00] : REAL RESET MODE (MODE 4) - RESETTING PASSWORD OF SCOPED KRBTGT ACCOUNT(S) (1 - Scope of KrbTgt in use by all RWDCs in the AD Domain...)
[2021-03-11 08:34:00] : 
[2021-03-11 08:34:00] : Do you really want to continue and execute 'Mode 4'? [CONTINUE | STOP]: 
[2021-03-11 08:34:08] : 
[2021-03-11 08:34:08] :   --> Chosen: Continue
[2021-03-11 08:34:08] : 
[2021-03-11 08:34:08] : +++++
[2021-03-11 08:34:08] : +++ Processing KrbTgt Account....: 'krbtgt' | 'CN=krbtgt,CN=Users,DC=<domain>,DC=local' +++
[2021-03-11 08:34:08] : +++ Used By RWDC.................: 'All RWDCs' +++
[2021-03-11 08:34:08] : +++++
[2021-03-11 08:34:08] : 
[2021-03-11 08:34:08] :   --> RWDC To Reset Password On.............: 'DC.<domain>.local'
[2021-03-11 08:34:08] :   --> sAMAccountName Of KrbTgt Account......: 'krbtgt'
[2021-03-11 08:34:08] :   --> Distinguished Name Of KrbTgt Account..: 'CN=krbtgt,CN=Users,DC=<domain>,DC=local'
[2021-03-11 08:34:08] :   --> Number Of Chars For Pwd Generation....: '64'
[2021-03-11 08:36:08] : 
[2021-03-11 08:36:08] :   --> Setting the new password for [CN=krbtgt,CN=Users,DC=<domain>,DC=local] FAILED on RWDC [DC.<domain>.local]!...
[2021-03-11 08:36:08] : 
[2021-03-11 08:36:08] : 
[2021-03-11 08:36:09] :   --> Previous Password Set Date/Time.......: '2011-12-01 16:35:23'
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   --> Previous Originating RWDC.............: 'DC02.<domain>.local'
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   --> Previous Originating Time.............: '2019-09-13 12:29:32'
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   --> Previous Version Of Attribute Value...: '100003'
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   =================================================================== CHECK 1 ===================================================================
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   - Contacting DC in AD domain ...[DC.<domain>.local]...(SOURCE RWDC)
[2021-03-11 08:36:09] :      * DC is Reachable...
[2021-03-11 08:36:09] :      * The new password for Object [CN=krbtgt,CN=Users,DC=<domain>,DC=local] exists in the AD database
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   - Contacting DC in AD domain ...[DC02.<domain>.local]...
[2021-03-11 08:36:09] :      * DC is Reachable...
[2021-03-11 08:36:09] :      * The new password for Object [CN=krbtgt,CN=Users,DC=<domain>,DC=local] now does exist in the AD database
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] :   --> Start Time......: 2021-03-11 08:36:09
[2021-03-11 08:36:09] :   --> End Time........: 2021-03-11 08:36:09
[2021-03-11 08:36:09] :   --> Duration........: 0,33 Seconds
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] : List Of DCs In AD Domain '<domain>.local' And Their Timing...
[2021-03-11 08:36:09] : 
[2021-03-11 08:36:09] : 
Host Name            PDC    Site Name  DS Type     IP Address  Reachable  Source RWDC FQDN   Time
---------            ---    ---------  -------     ----------  ---------  ----------------   ----
DC.<domain>.local    True   <SITE>     Read/Write  <IP1>       True       N.A.               0
DC02.<domain>.local  False  <SITE>     Read/Write  <IP2>       True       DC.<domain>.local  0,33
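The log above ends with CHECK 1 reporting that the new password "exists" on both RWDCs even though the write was reported as FAILED, so the first thing worth doing is reading the raw data behind that check yourself. The following is an added example, not code from the issue or from the reset script: it reads krbtgt's pwdLastSet and its replication metadata directly from every RWDC, which is the data behind the 'Krb Tgt Pwd Last Set', 'Org RWDC', 'Org Time' and 'Ver' columns in the table. It assumes the ActiveDirectory RSAT module, an account with Domain Admin rights, and LDAP reachability to each DC; the domain is taken from the current session rather than hard-coded.

```powershell
# Added example, not code from the issue or the reset script. Reads the krbtgt password state
# directly from every RWDC, which is the raw data behind the script's CHECK 1 and the
# 'Krb Tgt Pwd Last Set' / 'Org RWDC' / 'Org Time' / 'Ver' columns in its DC table.
# Assumptions: ActiveDirectory RSAT module present, Domain Admin rights, LDAP reachable to each DC.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$rwdcs  = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $domain

$state = foreach ($dc in $rwdcs) {
    # Bind to this specific DC; a default Get-ADUser call goes to whichever DC the client picked
    $krbtgt = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet

    # Replication metadata for pwdLastSet: which DC originated the last write, when, and the
    # attribute version. A write that never happened leaves all three unchanged on every DC;
    # a write that happened but has not replicated yet shows up on the originating DC only.
    $meta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
                                               -Server $dc.HostName -Properties pwdLastSet

    [pscustomobject]@{
        DC         = $dc.HostName
        PwdLastSet = [datetime]::FromFileTime($krbtgt.pwdLastSet)
        Version    = $meta.Version
        OrigRWDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
        OrigTime   = $meta.LastOriginatingChangeTime
    }
}

$state | Format-Table -AutoSize

# Consistency check: all RWDCs should agree once replication has converged
$versions = $state.Version | Sort-Object -Unique
if ($versions.Count -gt 1) {
    "pwdLastSet version differs across RWDCs ($($versions -join ', ')): change not yet replicated everywhere."
}
```

Compare the output with the table the script printed before the reset: if Version, OrigRWDC and OrigTime are unchanged on every RWDC, no password write was committed anywhere, regardless of what the post-reset check reports; if they changed on one DC only, the write happened and replication is still pending.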
@cchapin-ms (Contributor)

Check the Security log on dc.<domain>.local at 2021-03-11 08:36:09. There should be errors related to the failure explaining why the password could not be changed. Does the simulation mode work (run mode 8 to create a test account and then mode 3 to change the password on the test account)?

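Following up on the suggestion above, here is an added example (not code from the issue or from the reset script) of how to pull the relevant Security events from the RWDC for the window between the reset request (08:34:08) and the FAILED line (08:36:08) in the posted log. The DC name and timestamps are the placeholders and times from the issue and are assumptions to adjust. The account running it needs remote read access to the DC's Security log (Event Log Readers or local administrator on the DC) with the RPC-based remote event log service reachable. One caveat: a failed password reset only produces an Audit Failure 4724 if failure auditing is enabled for the 'User Account Management' subcategory; if it is not, the query below legitimately returns nothing and that setting has to be fixed before re-running the script.

```powershell
# Added example, not part of the issue or the reset script. Queries the Security log on the
# RWDC the script wrote to, for the window between the reset request and the FAILED line.
# Assumptions: placeholder DC name and timestamps from the issue; failure auditing enabled for
# 'Audit User Account Management' (otherwise failed 4724 events are never written at all).
$dc        = 'DC.<domain>.local'              # assumption: substitute the real RWDC FQDN
$requested = [datetime]'2021-03-11T08:34:08'  # '--> RWDC To Reset Password On' line in the log
$failed    = [datetime]'2021-03-11T08:36:08'  # 'FAILED on RWDC' line in the log
$pad       = New-TimeSpan -Seconds 30

# 4724 = an attempt was made to reset an account's password (Audit Success / Audit Failure)
# 4738 = a user account was changed (written when attributes such as pwdLastSet change)
# 4662 = an operation was performed on an AD object (directory service access)
$filter = @{
    LogName   = 'Security'
    Id        = 4724, 4738, 4662
    StartTime = $requested - $pad
    EndTime   = $failed + $pad
}

# Get-WinEvent raises a non-terminating error when nothing matches; handle the empty case ourselves
$events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'krbtgt' }

if (-not $events) {
    "No krbtgt-related 4724/4738/4662 events on $dc between $($filter.StartTime) and $($filter.EndTime)."
    'Check that failure auditing is enabled: auditpol /get /subcategory:"User Account Management"'
    return
}

$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Result';  Expression = { $_.KeywordsDisplayNames -join ',' } },
        @{ Name = 'Summary'; Expression = { ($_.Message -split '\r?\n')[0] } } |
    Format-Table -AutoSize -Wrap
```

The Result column distinguishes Audit Success from Audit Failure, so a 4724 Audit Failure against krbtgt in this window is the event to read in full; a 4724 Audit Success with no matching 4738 points at the write having gone through on the DC while the script's post-write verification is what reported the failure.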
@corsch (Author)

corsch commented Mar 15, 2021

Thank you for your reply. We'll test the simulation mode and check the security logs.
