Resetting krbtgt account password in a multi-Domain Forest

121AM 25 Reputation points
2024-09-21T00:13:52.1666667+00:00

Hi,

We have two Active Directory Domains, the parent Domain (Domain A) and the child Domain (Domain B). I want to reset the krbtgt account's password in both Domains for security maintenance (not due to a breach of that account).

In which Domain should I reset the krbtgt account's password first, in the parent Domain or in child Domain?

Once password reset 1 and password reset 2 of krbtgt account is done in the first Domain, how much time should I wait before proceeding with krbtgt account's password reset in the second Domain?

Thank you in advance.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,524 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,834 questions
0 comments No comments
{count} votes

Accepted answer
  1. Yanhong Liu 9,530 Reputation points Microsoft Vendor
    2024-09-23T03:06:02.3733333+00:00

    Hello,

    It is recommended to reset the krbtgt account password in the child domain first, which minimizes the risk of potential problems propagating upward to the parent domain. For each domain, you need to perform two consecutive password resets on the krbtgt account. The second reset ensures that any possible compromise with the old password is invalidated.

    After completing two password resets in the child domain, you should wait for replication to complete and the Kerberos ticket lifetime to expire. The default ticket lifetime is 10 hours, but it is recommended that you wait longer (such as 24 hours) to ensure that any cached tickets expire, and the changes propagate correctly.

    After ensuring the stability of the child domain after the reset, you can proceed to perform two consecutive password resets on the krbtgt account in the parent domain.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. 121AM 25 Reputation points
    2024-09-26T16:10:01.55+00:00

    Hello Yanhong,

    Thank you for your answer.

    To make sure that the replication is complete, I'll wait 24 hours between two password resets in child and parent Domain.

    How long would you suggest to wait between the first and the second password reset in the same Domain?

    Kind regards,

    AM


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.