Jane Lewis's Weblog

Platforms, Active Directory,Administration, Management,Women in Technology, Random Thoughts

The KRBTGT Account - What is it ?

The KRBTGT Account - What is it ?

  • Comments 8
  • Likes

As part of the Active Directory Forest Recovery process the white paper talks about the KRBTGT Account. I often get asked what is this account and why do I need to reset its password twice ?

Well here is the answer

Key distribution service center account.

Windows 2000 Kerberos authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT) must be presented to the Kerberos service itself. The TGT is enciphered with a key derived from the password of the krbtgt account, which is known only by the Kerberos service.

Why do I have to reset it twice as part of the Disaster Recovery Process?

In a large forest recovery situation that is spread across multiple locations then it cannot be necessarily guaranteed that that all domain controllers are shut down or if they are, they are not re-booted again before all appropriate recovery steps have been undertaken. For this reason it is recommended to reset the krbtgt account to ensure that the newly restored domain controller does no replicate with dangerous domain controller . The reason you reset the krbgt password twice, is that the password history is two.

The password can be reset by using the Users and Computers Snap-In.

KRBGT

Comments
  • Hi Jane,

    Well, I was had planned to ask exactly that question after reading through the white paper... thanks for providing a comprehensive explanation before I asked the question.

    Dave.

  • was looking for this info..thank you!

  • and i thought the account was in some way related to a virus we hd received, thanks for the info.

    Big Hugs

  • I am going to be honest here. This helped me understand what krbttgt is, however that last sentence confused me. What does the writer here mean by saying, "the password history is two."? Is the password history, contained in two locations, is a variable of two, or is literally two different files that are both actively used by the system, or is it something else entirely?

  • Hi Steven, it means that the two most recent passwords are stored in the password history. By resetting the password twice you effectively clear any old passwords from the history, so there is no way another domain controller will replicate with this one using an old password.

    Justin [MSFT]

  • Okay thanks. I havent checked in a few days because this is bookmarked in the school computer I use, but that makes sense now. :)

  • If there are no Windows 2000 servers in the domain, and none are planned until until at least the year 2300, can the account be safely deleted?

  • Hello Rickee,

    Are you 100% sure you won't be doing any Active Directory restores within the next 276 years?


Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment