microsoftarchive / New-KrbtgtKeys.ps1

This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation.
MIT License

"Cannot Index Into a null array" new.krbtgtkeys.ps1:2277 char:5 #5

Closed redlimey closed 3 years ago

redlimey commented 3 years ago

I've multiple forests - 1 with multiple child domains. The script runs fine in all but 1 of the child domains in the multi-domain forest.

The error appears under "Gathering Domain Controller Information And Testing Connectivity", but before "List of Domain Controllers In AD Domains ''..."

Line 2277 is referenced, which is: $metadataObjectAttribPwdLastSetOrgRWDCFQDN = $orgRWDCServerObjectObj.dnshostname[0]

The DFL is 'Windows2008Domain(3)'. All DCs are Windows 2016 Core (going to up the DFL soon). The domain in question

Here's the screenshot:

krbtgtPR-Error_CtxDomain

Undoubtedly someone at some time has felt it wise to reconfigure (not the first time in this env) and/or there's some kind of corruption. During the previous round of KRBTGT password reset 5 months ago, we actually had MS on the phone on a different AD item and they briefly tried to assist but couldn't see what was wrong at that time.

I'm going to see if I can slap in some output to console leading up to the point of failure (on a good and bad) and determine where things go south, but I'm curious for feedback if someone has already encountered this.

Thanks in advance! SJR

cchapin2020 commented 3 years ago

Do you still have Windows 2008 (not 2008 R2) DCs in the environment, and is that why you are at Windows2008Domain(3)? If not, you should raise the DFL to whatever the oldest version you have in the environment. Also convert the replication to DFS-R if not already done - it will be required as part of upgrading to 2016. If you are running on 2008, it might be that the .Net call is not implemented on that version of the OS. In that case, you would need to use the manual reset process instead of this script. https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password

As for the error on line 2277, the array is created on line 2275 with this .Net call.

$orgRWDCServerObjectObj = New-Object System.DirectoryServices.DirectoryEntry(("LDAP://$targetedADdomainRWDCWithPDCFSMOFQDN/$orgRWDCServerObjectDN"),$adminUserAccountRemoteForest, $adminUserPasswordRemoteForest)

The variable $orgRWDCServerObjectObj is not getting set is my guess, so the array is null. That points to an issue with the LDAP query and not being able to connect to the PDC emulator in the remote domain. Try using LDP.exe to connect to it.

cchapin-ms commented 3 years ago

No response from user reporting issue. Error appears to be related to environmental issue.

Tigger42RG commented 3 years ago

For information, I had the same problem. It turned out that the password was last reset on a Domain Controller that has now been removed. Once the password had been updated, re-running option 1 produced no errors.

jamesaepp commented 7 months ago

I faced this same issue today when attempting to run the script as is routine. I believe @Tigger42RG is correct that this is behavior that happens when the previous DC that did the reset is removed/deleted/demoted. The script doesn't handle this gracefully. If my review of the script is correct, this is only an aesthetic thing and does not stop the script from running.

That said, I'll try to open a new issue tomorrow on this. The maintenance of this script looks a bit dead, which is unfortunate; I'll see if I can poke someone at MS to have this project/script/repo get the TLC it needs.
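The failure mode described in this thread (the DC that originated the last pwdLastSet write on krbtgt has since been demoted, so its server object is gone and indexing `dnshostname[0]` hits `$null`) can be handled defensively. The following is an added example written for this thread; it is not code from New-KrbtgtKeys.ps1 or from any of the commenters. It assumes the ActiveDirectory PowerShell module is available, reads the originating DSA from replication metadata the same way the script's diagnostics do, and falls back to a labelled placeholder instead of throwing when the server object no longer exists. The function name and the domain value in the usage line are made up for illustration.

```powershell
# Added example: resolve the DC that last set the krbtgt password, tolerating a DC
# that has since been removed. Not part of New-KrbtgtKeys.ps1.
# Assumes the ActiveDirectory module (Get-ADUser, Get-ADObject,
# Get-ADReplicationAttributeMetadata) is installed on the machine running this.
function Get-KrbtgtPwdLastSetOriginatingDC {
    [CmdletBinding()]
    param(
        # DNS name of the target AD domain (any DC in it will be used via -Server)
        [Parameter(Mandatory)] [string] $Domain,
        # Optional credential, for the remote-forest case the script also supports
        [pscredential] $Credential
    )

    # Splatted parameters shared by every AD cmdlet call below
    $adArgs = @{ Server = $Domain; ErrorAction = 'Stop' }
    if ($Credential) { $adArgs['Credential'] = $Credential }

    # pwdLastSet is not a default property, so request it explicitly
    $krbtgt = Get-ADUser -Identity 'krbtgt' -Properties pwdLastSet @adArgs

    # Replication metadata for pwdLastSet names the DSA (NTDS Settings object)
    # that originated the most recent write, i.e. the DC where the reset ran
    $meta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
                -Attribute 'pwdLastSet' @adArgs
    $dsaIdentity = [string]$meta.LastOriginatingChangeDirectoryServerIdentity

    $result = [ordered]@{
        Domain              = $Domain
        PwdLastSetUtc       = [DateTime]::FromFileTimeUtc([int64]$krbtgt.pwdLastSet)
        OriginatingDsa      = $dsaIdentity
        OriginatingDCFqdn   = $null
        OriginatingDCExists = $false
    }

    # The DSA identity is only usable as a DN when it still points at a live
    # "CN=NTDS Settings,CN=<server>,..." object. Its parent is the server object
    # carrying dNSHostName; that parent is what disappears after a demotion.
    if ($dsaIdentity -like 'CN=NTDS Settings,CN=*') {
        $serverDN = $dsaIdentity -replace '^CN=NTDS Settings,', ''
        try {
            $server = Get-ADObject -Identity $serverDN -Properties dNSHostName @adArgs
            if ($server.dNSHostName) {
                $result.OriginatingDCFqdn   = $server.dNSHostName
                $result.OriginatingDCExists = $true
            }
        }
        catch {
            # Typically ADIdentityNotFoundException: the server object is gone
            # because the DC was demoted/removed after it performed the reset.
            Write-Verbose "Server object '$serverDN' not found: $($_.Exception.Message)"
        }
    }

    if (-not $result.OriginatingDCExists) {
        # Placeholder instead of indexing into $null; the reset itself is unaffected
        $result.OriginatingDCFqdn = 'UNKNOWN (originating DC no longer exists in AD)'
    }

    [pscustomobject]$result
}

# Usage (domain name below is a constructed example):
# Get-KrbtgtPwdLastSetOriginatingDC -Domain 'child.corp.example' -Verbose | Format-List
```

When the originating DC still exists, `OriginatingDCFqdn` is its dNSHostName and `OriginatingDCExists` is `$true`; when it has been demoted, the function returns the placeholder and `$false` rather than the "Cannot index into a null array" error, which matches the thread's observation that the condition is cosmetic and should not block the reset.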