krbtgt Password changed after DFL increase from 2003 to 2012 R2

Shadab Basha 261 Reputation points
2021-10-09T16:36:01.943+00:00

I have raised the Forest functional level and Domain Functional Level from 2003 to 2012 R2.

I expected the KRBTGT password to be changed and it did however the value of MSDS-Keyversionnumber is set to below:

msds-keyversionnumber : 200003

Is it expected ? how is the msds-keyversionnumber calculated in this scenario ?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,188 questions
0 comments No comments
{count} votes

Accepted answer
  1. Gary Reynolds 9,406 Reputation points
    2021-10-10T10:31:58.11+00:00

    Hi @Shadab Basha

    KTPASS is normally used to export the shared secret, it's been a while since I've used it, but I don't think it can change the KVNO, but there might be another tool that can.

    Sorry my mistake, as the attribute is constructed, it will not be replicated to other DCs, so will not appear in the replication meta data, but you will be able to see the unicodepwd, the ver will reflect the number of times the password has been changed.

    Gary.


2 additional answers

Sort by: Most helpful
  1. Gary Reynolds 9,406 Reputation points
    2021-10-10T08:24:48.033+00:00

    Hi @Shadab Basha

    There is no native AD method get the previous values of an attribute after it has been changed, you need to have an external solution to capture i.e. backup, AD recovery tool, or Auditing.

    1 - repladmin /showobjmeta command will show you the time the change happened, the Ver column represents how many times the attribute has been changed. So if the Ver is 2 the password has been changed twice since the object was created.

    2 - The msDS-KeyVersionNumber is a constructed attribute so it is managed by the system, and as shown above, it is incremented each time the password associated to the account is changed. The attribute is the known as KVNO and is used by ktpass to create keypass table that allows non-Windows services that support Kerberos authentication using the AD KDC. I'm not sure if the ktpass command allow you to specify a new KVNO, if not, then the 200003 would suggest that's the number of times password of the krbtgt has been changed, the Ver number from the showobjmeta show reflect that. If not, then something has changed it to 200003.

    I've looked at a couple of my test domains (2008 upgraded to 2019, 2012 build, 2019 build, 2022 build), and none of them have a KVNO this high and it reflects the number of times the password has been changed. Admittedly none of them have been upgraded from 2003 to 2012R2 or used to support Kerberos for non-Windows systems.

    The tools in the screenshots is NetTools, the feature used was Object Compare, it lets you compare the differences between two objects or changed that have been made to a single object. The bottom picture is NetTools Meta Data dialog, which is of the same information you get from repladmin /showobjmeta.

    Gary.

    1 person found this answer helpful.

  2. Gary Reynolds 9,406 Reputation points
    2021-10-09T22:38:22.173+00:00

    Hi @Shadab Basha

    The msds-keyversionnumber is incremented when the password is changed, I did two password changes on my server and the screenshots show the msds-KeyVersionNumber being incremented with each change.

    139086-2021-10-10-09-40-57-ad-exchange-schema-versions-ne.png139171-2021-10-10-09-42-03-nettools.png

    If you want to confirm that the password has been changed, you can look at the meta data for the object to see when the unicodepwd attribute was last changed.

    139076-2021-10-10-09-37-12-meta-data-cnkrbtgtcnusersdcw2k.png