Script to use to reset the KRBTGT:
The krbtgt password can be reset when you suspect intrusion or when a RW DC is stolen. Use the script above to reset only ONCE the password.
For the second password reset it is very important to wait a period of time: > [10h (TGT lifetime) + TGS lifetime 600minutes + latence de replication AD + Time Skew ]
and it is also recommended to force the AD replication and to stop/start the KDC service on all RW DC.
In short, you can wait 15 days between the FIRST RESET and the SECOND RESET.