

The KRBTGT Account - What is it ?

As part of the Active Directory Forest Recovery process the white paper talks about the KRBTGT Account. I often get asked what is this account and why do I need to reset its password twice ?

Well here is the answer

Key Distribution Center (KDC) service account.

Windows 2000 Kerberos authentication is achieved by the use of tickets encrypted with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, the Ticket Granting Ticket (TGT), must be presented to the Kerberos service itself. The TGT is encrypted with a key derived from the password of the krbtgt account, which is known only to the Kerberos service (the KDC, which runs on every domain controller); no user or application ever logs on with it.

Why do I have to reset it twice as part of the Disaster Recovery Process?

In a large forest recovery spread across multiple locations, it cannot be guaranteed that all domain controllers are shut down, or that those which are will not be rebooted before all the recovery steps have been completed. For this reason it is recommended to reset the krbtgt password, so that the newly restored domain controller does not accept tickets from, or replicate with, a domain controller that was not part of the recovery. The reason you reset the krbtgt password twice is that the password history for this account is two: the KDC keeps both the current and the previous krbtgt key and still accepts tickets encrypted with the previous one. After a single reset the pre-recovery key is therefore still valid; only the second reset pushes it out of the history.

The password can be reset by using the Active Directory Users and Computers snap-in (right-click the krbtgt account, Reset Password). The value you type is never needed again; the KDC derives its key from whatever is stored in the directory.
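As an added example that is not part of the original post, the same two resets scripted with the ActiveDirectory PowerShell module, together with the check a practitioner wants between them. It assumes the RSAT ActiveDirectory module is installed, the session runs with Domain Admin rights, and the function names (Reset-KrbtgtPassword, Test-KrbtgtReplicated) and the -ForestRecovery switch are this example's own. In a forest recovery the point is to reject domain controllers that did not take part, so the two resets follow each other immediately; in a live domain, the second reset must wait until every DC has replicated the first, and ideally until the maximum TGT lifetime (10 hours by default) has passed, or clients holding TGTs under the old key will be rejected.

```powershell
# Added example, not the original post's or Microsoft's code: reset the krbtgt
# password twice, with a replication check between the resets in a live domain.
Import-Module ActiveDirectory

function Reset-KrbtgtPassword {
    param([Parameter(Mandatory)] [string] $Server)   # writable DC to reset on
    # The new value is never typed again, so a long random string is sufficient.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure -Server $Server
    # Return the replicated pwdLastSet timestamp so the caller can confirm the change.
    (Get-ADUser -Identity krbtgt -Properties PasswordLastSet -Server $Server).PasswordLastSet
}

function Test-KrbtgtReplicated {
    param([Parameter(Mandatory)] [datetime] $ExpectedPasswordLastSet)
    # Every DC runs a KDC, so each one must hold the new key before the next reset.
    # Returns the DCs that still show an older timestamp or could not be contacted.
    $lagging = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $pls = (Get-ADUser -Identity krbtgt -Properties PasswordLastSet `
                        -Server $dc.HostName -ErrorAction Stop).PasswordLastSet
            if ($pls -lt $ExpectedPasswordLastSet) { $dc.HostName }
        } catch {
            "$($dc.HostName) (unreachable)"
        }
    }
    return @($lagging)
}

function Invoke-DoubleKrbtgtReset {
    param([switch] $ForestRecovery)   # hypothetical switch for this example
    $pdc = (Get-ADDomain).PDCEmulator

    # First reset: the pre-recovery key moves into the "previous" slot of the history.
    $first = Reset-KrbtgtPassword -Server $pdc

    if (-not $ForestRecovery) {
        # Live domain: wait until every DC has the new key before resetting again.
        # After the first reset, TGTs issued under the old key are still accepted
        # because the history depth is two; the second reset invalidates them.
        do {
            Start-Sleep -Seconds 60
            $stale = Test-KrbtgtReplicated -ExpectedPasswordLastSet $first
            if ($stale.Count -gt 0) { Write-Verbose "Waiting on: $($stale -join ', ')" }
        } while ($stale.Count -gt 0)
    }

    # Second reset: the pre-recovery key is now out of the two-entry history, so no
    # DC that missed the recovery holds a key this KDC will accept.
    $second = Reset-KrbtgtPassword -Server $pdc
    [pscustomobject]@{ FirstReset = $first; SecondReset = $second }
}

# Forest recovery: both resets immediately, on the restored DC.
# Invoke-DoubleKrbtgtReset -ForestRecovery
# Routine rotation in a live domain: wait for replication (and ideally 10 hours) in between.
# Invoke-DoubleKrbtgtReset -Verbose
```

Run it with -ForestRecovery only on the freshly restored domain controller during a recovery; for a routine rotation, drop the switch so the replication check runs, and check the output timestamps against `Get-ADUser krbtgt -Properties PasswordLastSet` on each DC afterwards.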


Comments

  • Anonymous
    January 01, 2003
    Hi Steven, it means that the two most recent passwords are stored in the password history. By resetting the password twice you effectively clear any old passwords from the history, so there is no way another domain controller will replicate with this one using an old password. Justin [MSFT]

  • Anonymous
    January 01, 2003
    Hi Jane, Well, I had planned to ask exactly that question after reading through the white paper... thanks for providing a comprehensive explanation before I asked the question. Dave.

  • Anonymous
    November 11, 2011
    was looking for this info..thank you!


  • Anonymous
    February 11, 2013
    I am going to be honest here. This helped me understand what krbtgt is, however that last sentence confused me. What does the writer here mean by saying, "the password history is two."? Is the password history contained in two locations, is it a variable of two, or is it literally two different files that are both actively used by the system, or is it something else entirely?

  • Anonymous
    February 25, 2013
    Okay thanks. I haven't checked in a few days because this is bookmarked on the school computer I use, but that makes sense now. :)

  • Anonymous
    September 27, 2013
    If there are no Windows 2000 servers in the domain, and none are planned until at least the year 2300, can the account be safely deleted?

  • Anonymous
    March 20, 2014
    Hello Rickee,

    Are you 100% sure you won't be doing any Active Directory restores within the next 276 years?

