The KRBTGT Account - What is it?
As part of the Active Directory Forest Recovery process, the white paper talks about the KRBTGT account. I often get asked what this account is and why its password needs to be reset twice.
Well, here is the answer.
Key Distribution Center service account.
Windows 2000 Kerberos authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT), must be presented to the Kerberos service (the KDC) itself. The TGT is enciphered with a key derived from the password of the krbtgt account, which is known only to the Kerberos service.
Why do I have to reset it twice as part of the Disaster Recovery Process?
In a large forest recovery that is spread across multiple locations, it cannot necessarily be guaranteed that all domain controllers are shut down or, if they are, that they are not rebooted again before all the appropriate recovery steps have been completed. For this reason it is recommended to reset the krbtgt account password, to ensure that the newly restored domain controller does not replicate with a dangerous (stale or untrusted) domain controller. The reason you reset the krbtgt password twice is that the account's password history is two: the current and the previous password are both accepted, so a single reset still leaves the old password usable and only the second reset pushes it out of the history.
The password can be reset by using the Active Directory Users and Computers snap-in.
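The same two resets can be scripted so that each step is verifiable. The following is an added example, not code from the original post or from Microsoft's recovery white paper. It assumes the ActiveDirectory PowerShell module is installed, that it runs with Domain Admin rights on a domain controller or an administrative host, and that the account's msDS-KeyVersionNumber attribute increments by one on every password set, which is how the script checks that both resets actually took effect. The function and variable names are the example's own.

```powershell
# Added example (not from the original post): reset the krbtgt password twice
# and confirm each reset produced a new key version.
Import-Module ActiveDirectory

function Get-KrbtgtKeyState {
    # Read the key version number (kvno) and the password timestamp.
    $u = Get-ADUser -Identity krbtgt -Properties PasswordLastSet, 'msDS-KeyVersionNumber'
    [pscustomobject]@{
        Kvno            = [int]$u.'msDS-KeyVersionNumber'
        PasswordLastSet = $u.PasswordLastSet
    }
}

function New-RandomPassword {
    # 64 random bytes, base64-encoded. Nobody ever types this value; the KDC
    # derives its keys from whatever is stored, so it only needs to be unguessable.
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtPassword {
    # Reset once and fail loudly if the kvno did not advance by exactly one.
    $before = Get-KrbtgtKeyState
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)
    $after = Get-KrbtgtKeyState
    if ($after.Kvno -ne ($before.Kvno + 1)) {
        throw "krbtgt kvno was $($before.Kvno) and is now $($after.Kvno); expected $($before.Kvno + 1)"
    }
    $after
}

# Forest recovery case from the post: the restored DC is isolated, so the two
# resets can follow each other directly. After the second one, neither the
# pre-recovery password nor its predecessor remains in the two-entry history.
$start  = Get-KrbtgtKeyState
$first  = Reset-KrbtgtPassword
$second = Reset-KrbtgtPassword
"krbtgt kvno: $($start.Kvno) -> $($first.Kvno) -> $($second.Kvno) (password set $($second.PasswordLastSet))"
```

Outside of a forest recovery, on a domain that is still serving users, the two resets should not be run back to back: let the first reset replicate to every domain controller and let existing tickets age out before running the second, otherwise tickets issued under the older key stop being accepted before clients have had a chance to renew them.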
Comments
Anonymous
January 01, 2003
Hi Steven, it means that the two most recent passwords are stored in the password history. By resetting the password twice you effectively clear any old passwords from the history, so there is no way another domain controller will replicate with this one using an old password. Justin [MSFT]
Anonymous
January 01, 2003
Hi Jane, well, I had planned to ask exactly that question after reading through the white paper... thanks for providing a comprehensive explanation before I asked the question. Dave.
Anonymous
November 11, 2011
Was looking for this info... thank you!
Anonymous
February 11, 2013
I am going to be honest here. This helped me understand what krbtgt is, however that last sentence confused me. What does the writer here mean by saying, "the password history is two."? Is the password history contained in two locations, is it a variable of two, or is it literally two different files that are both actively used by the system, or is it something else entirely?
Anonymous
February 25, 2013
Okay thanks. I haven't checked in a few days because this is bookmarked in the school computer I use, but that makes sense now. :)
Anonymous
September 27, 2013
If there are no Windows 2000 servers in the domain, and none are planned until at least the year 2300, can the account be safely deleted?
Anonymous
March 20, 2014
Hello Rickee,
Are you 100% sure you won't be doing any Active Directory restores within the next 276 years?