Hey everyone, I'm looking to rotate the KRBTGT password in our Active Directory domain. I've discovered that the KRBTGT account has been disabled for about 12 years now, yet everything in our setup seems to be running fine (Kerberos authentication, logons, services, etc.). Before I go ahead and run the Microsoft script to reset the password, I want to make sure I'm not overlooking anything important. Specifically, do I need to enable the KRBTGT account first to reset its password, or can the script handle it while it's still disabled?
4 Answers
You can reset the KRBTGT password directly through Active Directory Users and Computers without needing a script. Just remember to perform the reset twice and wait at least 10 hours between the two changes to ensure a smooth process.
It’s actually okay that the KRBTGT account is disabled. It should remain that way. I recently reset ours after 10+ years without any problems at all, and this was part of the process to disable the RC4 encryption. Just make sure to do the reset twice for best results.
The KRBTGT account is typically disabled by default, and generally, it's a good idea to change its password every year or at least twice a year. Remember to run the reset twice with a day in between. That way, you minimize any potential issues.
I've heard that some environments have encountered issues when resetting the KRBTGT password after a long time. It's possibly linked to old RC4 settings if those were in place when the original password was set. Just something to watch out for if you do run into any problems.
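The procedure the answers above converge on (reset the password twice, wait at least one Kerberos ticket lifetime between the two resets, check replication, leave the account disabled) can be scripted as a guarded reset. The following PowerShell is an added example written for this page; it is not code from the thread and it is not the Microsoft reset script the question refers to. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and the default Kerberos maximum ticket lifetime of 10 hours (the `MinHoursBetweenResets` parameter name, the one-hour replication staleness threshold and the 64-byte random password are choices made for this example).

```powershell
# Added example (not from the original thread, not the Microsoft reset script).
# Guarded KRBTGT password reset following the advice in the answers above.
# Assumes: ActiveDirectory RSAT module, Domain Admin rights, and that the
# domain's Kerberos MaxTicketAge is the default 10 hours. Raise the value
# if the Default Domain Policy sets a longer ticket lifetime.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$MinHoursBetweenResets = 10,   # assumed default MaxTicketAge
    [switch]$Force                      # skip the wait-window check
)

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator           # always read and write on the PDC emulator

# 1. Inspect the account. Enabled is expected to be $false; a password reset
#    does not require enabling it, so this script never touches that flag.
$krbtgt = Get-ADUser -Identity krbtgt -Server $pdc `
            -Properties Enabled, PasswordLastSet, 'msDS-KeyVersionNumber'
$kvnoBefore = $krbtgt.'msDS-KeyVersionNumber'
$age = (Get-Date) - $krbtgt.PasswordLastSet
Write-Host ("krbtgt enabled={0} kvno={1} passwordLastSet={2} ({3:N0} days ago)" -f `
    $krbtgt.Enabled, $kvnoBefore, $krbtgt.PasswordLastSet, $age.TotalDays)

# 2. Enforce "reset twice, wait in between": refuse the second reset while
#    tickets issued under the previous key can still be valid.
if (-not $Force -and $age.TotalHours -lt $MinHoursBetweenResets) {
    throw ("Last reset was {0:N1} h ago; wait at least {1} h (ticket lifetime) " +
           "before resetting again.") -f $age.TotalHours, $MinHoursBetweenResets
}

# 3. Every DC must have replicated recently, otherwise a stale DC would keep
#    issuing tickets with the old key and clients would see KRB_AP_ERR_MODIFIED.
$stale = Get-ADReplicationPartnerMetadata -Target $domain.DNSRoot -Scope Domain |
         Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-1) }
if ($stale) {
    $stale | Select-Object Server, Partner, LastReplicationSuccess |
             Format-Table -AutoSize | Out-String | Write-Warning
    throw "Replication is not converged; fix that before resetting krbtgt."
}

# 4. Generate a random password. Its value is never needed again (the KDC only
#    uses the keys derived from it), so it is not written anywhere.
$bytes = New-Object byte[] 64
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) `
               -AsPlainText -Force

# 5. Reset on the PDC emulator and confirm the key version number went up.
if ($PSCmdlet.ShouldProcess("krbtgt on $pdc", "Reset password")) {
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $newPassword
    $kvnoAfter = (Get-ADUser -Identity krbtgt -Server $pdc `
                    -Properties 'msDS-KeyVersionNumber').'msDS-KeyVersionNumber'
    if ($kvnoAfter -le $kvnoBefore) {
        throw "KVNO did not increase ($kvnoBefore -> $kvnoAfter); the reset may have failed."
    }
    Write-Host ("krbtgt reset OK: KVNO {0} -> {1}. Run again after {2} h for the " +
                "second reset.") -f $kvnoBefore, $kvnoAfter, $MinHoursBetweenResets
}
```

Run it first with `-WhatIf` to see the current state and the checks without changing anything. For a first reset after many years the wait-window check passes trivially; it matters on the second run, where the script refuses to proceed until the configured ticket lifetime has elapsed since the first reset. Between the two runs, watch for Kerberos errors in the System log on domain controllers and on clients; a DC that had not replicated the new key is the usual cause.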