
Resetting krbtgt account password in a multi-Domain Forest

121AM 25 Reputation points
2024-09-21T00:13:52.1666667+00:00

Hi,

We have two Active Directory Domains, the parent Domain (Domain A) and the child Domain (Domain B). I want to reset the krbtgt account's password in both Domains for security maintenance (not due to a breach of that account).

In which Domain should I reset the krbtgt account's password first, in the parent Domain or in the child Domain?

Once password reset 1 and password reset 2 of the krbtgt account are done in the first Domain, how much time should I wait before proceeding with the krbtgt account's password reset in the second Domain?

Thank you in advance.


Answer accepted by question author

  1. Yanhong Liu 14,325 Reputation points Microsoft External Staff
    2024-09-23T03:06:02.3733333+00:00

    Hello,

    It is recommended to reset the krbtgt account password in the child domain first, which minimizes the risk of potential problems propagating upward to the parent domain. For each domain, you need to perform two consecutive password resets on the krbtgt account. The second reset ensures that any possible compromise with the old password is invalidated.

    After completing two password resets in the child domain, you should wait for replication to complete and the Kerberos ticket lifetime to expire. The default ticket lifetime is 10 hours, but it is recommended that you wait longer (such as 24 hours) to ensure that any cached tickets expire, and the changes propagate correctly.

    After ensuring the stability of the child domain after the reset, you can proceed to perform two consecutive password resets on the krbtgt account in the parent domain.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

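The answer above describes the per-domain procedure (two consecutive resets, then a wait for replication and ticket expiry) but gives no way to confirm that a reset has actually reached every domain controller before the next step. The following PowerShell script is an added example, not code from the answer or from Microsoft; it performs the two resets in a single domain and, between them, polls `msDS-KeyVersionNumber` on every writable DC until all of them report the incremented value. The domain name, the `ReplicationTimeoutMinutes` value and the decision to gate round 2 on key-version convergence are assumptions of this example. Run it once against the child domain, wait out the ticket lifetime as the answer recommends, then run it against the parent domain.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original answer): two consecutive krbtgt password
# resets in ONE domain, each verified to have replicated to every writable DC
# before the next step. The domain name and timeout below are placeholders.

param(
    [Parameter(Mandatory)][string]$DomainDnsName,   # placeholder, e.g. child.corp.example
    [int]$ReplicationTimeoutMinutes = 60            # assumption: how long to wait for convergence
)

Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain -Identity $DomainDnsName
$pdc    = $domain.PDCEmulator
# Only writable DCs hold the domain krbtgt secret; RODCs use their own krbtgt_<id> accounts.
$dcs    = Get-ADDomainController -Filter { IsReadOnly -eq $false } -Server $pdc |
          Select-Object -ExpandProperty HostName
$krbtgt = Get-ADUser -Identity krbtgt -Server $pdc

function New-RandomPassword {
    # The krbtgt password is never typed by anyone; any strong random value is fine.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Get-KrbtgtKvno {
    param([string]$Server)
    # msDS-KeyVersionNumber increments on every password change, so it is a
    # convenient marker for "has this reset replicated here yet?".
    (Get-ADUser -Identity krbtgt -Server $Server -Properties 'msDS-KeyVersionNumber').'msDS-KeyVersionNumber'
}

function Wait-KrbtgtKvno {
    param([int]$ExpectedKvno)
    $deadline = (Get-Date).AddMinutes($ReplicationTimeoutMinutes)
    do {
        $behind = foreach ($dc in $dcs) {
            if ((Get-KrbtgtKvno -Server $dc) -lt $ExpectedKvno) { $dc }
        }
        if (-not $behind) { return $true }
        Write-Host ("Waiting for KVNO {0} on: {1}" -f $ExpectedKvno, ($behind -join ', '))
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Invoke-KrbtgtReset {
    param([int]$Round)
    $expected = (Get-KrbtgtKvno -Server $pdc) + 1
    # Reset on the PDC emulator so there is a single authoritative origin for the change.
    Set-ADAccountPassword -Identity $krbtgt.DistinguishedName -Server $pdc -Reset -NewPassword (New-RandomPassword)
    # Push the object to every other writable DC instead of waiting for the replication schedule.
    foreach ($dc in ($dcs | Where-Object { $_ -ne $pdc })) {
        Sync-ADObject -Object $krbtgt.DistinguishedName -Source $pdc -Destination $dc
    }
    if (-not (Wait-KrbtgtKvno -ExpectedKvno $expected)) {
        throw "Round ${Round}: KVNO $expected did not reach every DC within $ReplicationTimeoutMinutes minutes; do not continue."
    }
    Write-Host "Round $Round complete: krbtgt KVNO $expected on all $($dcs.Count) writable DCs in $DomainDnsName"
}

Invoke-KrbtgtReset -Round 1
Invoke-KrbtgtReset -Round 2
```

Domain controllers validate tickets against the current and the previous krbtgt key only, so a second reset issued before the first has replicated everywhere can leave DCs unable to validate tickets issued in the meantime; that is why the script refuses to start round 2 until round 1 is visible on every writable DC. Between domains, the script deliberately does nothing: the wait for the Kerberos ticket lifetime that the answer recommends (10 hours by default, 24 hours suggested) is left to the operator.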

1 additional answer

  1. 121AM 25 Reputation points
    2024-09-26T16:10:01.55+00:00

    Hello Yanhong,

    Thank you for your answer.

    To make sure that the replication is complete, I'll wait 24 hours between two password resets in child and parent Domain.

    How long would you suggest to wait between the first and the second password reset in the same Domain?

    Kind regards,

    AM


