Hey everyone, I'm considering rotating the KRBTGT password in our Active Directory domain. I found out that the KRBTGT account has been disabled for around 12 years, yet everything seems to be running smoothly — Kerberos authentication, logins, services, you name it. Before I dive in and run the Microsoft script, I want to ensure I'm not overlooking anything. A couple of questions I have:
1. Should I enable the KRBTGT account before resetting its password, or can I run the script while it's still disabled?
4 Answers
I've heard about people running into problems when resetting the krbtgt password after a long time. It’s related to RC4 configurations, especially if the old password was set when RC4 was still used. Just be mindful of that.
It’s normal for the KRBTGT account to be disabled. I reset ours after about 10 years, and it worked just fine. Just remember to follow the recommendation of redoing it twice with some time in between.
Yeah, the KRBTGT account should definitely stay disabled. You won’t run into issues with it being disabled when you reset the password. Just make sure you do it twice within a 24-hour window to keep everything smooth.
You don’t even need to use a script. You can reset the KRBTGT password directly through Active Directory Users and Computers. Just remember to do it twice, waiting at least 10 hours between the changes. It helps avoid issues.
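A read-only check to run before the first reset and again before the second, added here as an example and not taken from any of the answers above: it reports whether krbtgt is disabled, how old its password is, and whether the last password change has reached every writable domain controller. It assumes the ActiveDirectory RSAT module and read access to each DC; `$MinGapHours` is an assumed variable set from the 10-hour figure in the last answer.

```powershell
# Read-only pre-reset check for krbtgt. Nothing in the directory is modified.
# Assumption: ActiveDirectory RSAT module installed, run as a user who can read every DC.
Import-Module ActiveDirectory

# Assumption: minimum gap between the two resets, from the 10-hour figure quoted above.
$MinGapHours = 10

$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet, Enabled, 'msDS-KeyVersionNumber'

# Hours since the krbtgt password was last changed (null if it was never recorded).
$ageHours = if ($krbtgt.PasswordLastSet) {
    ((Get-Date) - $krbtgt.PasswordLastSet).TotalHours
} else { $null }

# Ask each writable DC which version of pwdLastSet it holds for krbtgt.
# A DC that lags behind has not yet received the most recent reset.
$writableDcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
$perDc = foreach ($dc in $writableDcs) {
    try {
        $meta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
            -Server $dc.HostName -Properties pwdLastSet -ErrorAction Stop
        [pscustomobject]@{ DC = $dc.HostName; Reachable = $true
            Version = $meta.Version; Changed = $meta.LastOriginatingChangeTime }
    } catch {
        # An unreachable DC counts as "not confirmed", never as "in sync".
        [pscustomobject]@{ DC = $dc.HostName; Reachable = $false; Version = $null; Changed = $null }
    }
}

$versions    = @($perDc | Where-Object Reachable | Select-Object -ExpandProperty Version -Unique)
$unreachable = @($perDc | Where-Object { -not $_.Reachable })
$converged   = ($versions.Count -eq 1) -and ($unreachable.Count -eq 0)

[pscustomobject]@{
    AccountEnabled     = $krbtgt.Enabled              # False is the expected state
    PasswordLastSet    = $krbtgt.PasswordLastSet
    PasswordAgeHours   = if ($null -ne $ageHours) { [math]::Round($ageHours, 1) } else { $null }
    KeyVersionNumber   = $krbtgt.'msDS-KeyVersionNumber'
    ReplicatedToAllDCs = $converged
    GapElapsed         = ($null -ne $ageHours) -and ($ageHours -ge $MinGapHours)
} | Format-List

$perDc | Sort-Object DC | Format-Table -AutoSize
```

Before the second reset, `ReplicatedToAllDCs` and `GapElapsed` should both read `True`, and `KeyVersionNumber` should be one higher than it was before the first reset.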
