Script to use to reset the KRBTGT:


The krbtgt password can be reset when you suspect an intrusion or when a writable (RW) DC is stolen. Use the script above to reset the password only ONCE.

For the second password reset, it is very important to wait a period of time: > [10 h (TGT lifetime) + TGS lifetime (600 minutes) + AD replication latency + time skew]

It is also recommended to force AD replication and to stop/start the KDC service on all RW DCs.

In short, you can wait 15 days between the FIRST RESET and the SECOND RESET.
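
The waiting rule above can be checked before the second reset. The following is an added example, not the reset script this page refers to: a read-only PowerShell check that computes the earliest time for the second reset from the krbtgt account's `PasswordLastSet` and confirms that every writable DC holds the same version of the first reset. The function name `Test-KrbtgtSecondResetReady`, the 60-minute replication latency and the 5-minute clock skew are assumptions to adjust for your domain.

```powershell
# Added example: read-only readiness check before the SECOND krbtgt reset.
# Requires the ActiveDirectory module (RSAT) and rights to read replication metadata.
Import-Module ActiveDirectory

function Test-KrbtgtSecondResetReady {
    param(
        [double]$TgtLifetimeHours      = 10,   # TGT lifetime, value from the text
        [double]$TgsLifetimeMinutes    = 600,  # TGS lifetime, value from the text
        [double]$ReplicationLatencyMin = 60,   # assumption: use your measured AD replication latency
        [double]$ClockSkewMinutes      = 5     # assumption: default Kerberos clock skew tolerance
    )

    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet

    # Minimum wait = TGT lifetime + TGS lifetime + replication latency + time skew
    $wait = [TimeSpan]::FromHours($TgtLifetimeHours) +
            [TimeSpan]::FromMinutes($TgsLifetimeMinutes + $ReplicationLatencyMin + $ClockSkewMinutes)
    $earliest = $krbtgt.PasswordLastSet + $wait

    # Read the pwdLastSet replication metadata held by each writable DC.
    # A DC that cannot be queried yields an empty Version, which counts as not converged.
    $perDc = foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
        $meta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
                    -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{
            DC      = $dc.HostName
            Version = $meta.Version
            Changed = $meta.LastOriginatingChangeTime
        }
    }
    $versions  = @($perDc | ForEach-Object { "$($_.Version)" } | Sort-Object -Unique)
    $converged = ($versions.Count -eq 1) -and ($versions[0] -ne '')
    $elapsed   = (Get-Date) -ge $earliest

    [pscustomobject]@{
        FirstReset           = $krbtgt.PasswordLastSet
        EarliestSecondReset  = $earliest
        WaitElapsed          = $elapsed
        ReplicationConverged = $converged
        Ready                = $elapsed -and $converged
        PerDc                = $perDc
    }
}

Test-KrbtgtSecondResetReady | Format-List
```

The function only reads directory data; forcing replication and restarting the KDC service remain separate operator steps.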