Scheduled password reset for KrBtGt.

Cobion 111 Reputation points
2022-03-14T10:10:27.177+00:00

Hello everybody!
There is a task of scheduled password reset for the KrBtGt account in the Active Directory domain. I have never had to do this procedure.
Please tell me if there are any conditions for this action, maybe there is an article when it is possible to do this, and when it is not recommended?

Thanks!


Accepted answer
  1. Thameur-BOURBITA 32,636 Reputation points
    2022-03-14T14:47:43.63+00:00

    Hi,

    The KRBTGT password should be reset twice.
    Before performing the first reset, you should check the replication health of all domain controllers in the domain.
    After the first reset, you should wait at least 10 hours to be sure that all Kerberos tickets already delivered before the first reset are expired and renewed. If you don't respect this delay, you can face authentication issues.

    You can use the script below to reset the krbtgt for RODC and RWDC. You should test it before deploying it in a production environment.

    To reset the KRBTGT password, you can use the following script mentioned at this link:

    New-KrbtgtKeys.ps1

    This link will help you to have more details about what the script can do:
    krbtgt-account-password-reset-scripts-now-available-for-customers

    Please don't forget to mark the helpful reply as the answer.
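
The pre-checks named in the accepted answer (replication health before the first reset, and the 10-hour wait before the second) can be scripted as a read-only check. This is an added example, not part of the original answer or of New-KrbtgtKeys.ps1; the function name `Test-KrbtgtResetReadiness` and its parameter are hypothetical, and it assumes the ActiveDirectory RSAT module and read access to every writable domain controller.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only readiness check; it changes nothing in the directory.
function Test-KrbtgtResetReadiness {                # hypothetical name
    param([int]$MinHoursBetweenResets = 10)         # wait time stated in the answer
    $domain = Get-ADDomain
    $issues = @()
    $latest = $null
    $hours  = $null

    # 1. Replication health: any failure currently recorded by a DC in the domain.
    $failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
        Where-Object { $_.FailureCount -gt 0 }
    foreach ($f in $failures) {
        $issues += "Replication failure: $($f.Server) <- $($f.Partner) (count $($f.FailureCount))"
    }

    # 2. Read krbtgt from every writable DC; an unreachable DC is itself a finding.
    $writable = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    $perDc = foreach ($dc in $writable) {
        try {
            $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet -ErrorAction Stop
            [pscustomobject]@{ DC = $dc.HostName; PwdLastSet = [datetime]::FromFileTimeUtc($k.pwdLastSet) }
        } catch {
            $issues += "Cannot read krbtgt from $($dc.HostName): $($_.Exception.Message)"
        }
    }

    if (-not $perDc) {
        $issues += 'krbtgt could not be read from any writable DC'
    } else {
        # 3. All DCs must agree on pwdLastSet, otherwise the last reset has not replicated.
        $stamps = @($perDc.PwdLastSet | Sort-Object -Unique)
        if ($stamps.Count -gt 1) { $issues += 'krbtgt pwdLastSet differs between DCs' }

        # 4. Enough time since the most recent reset seen on any DC?
        $latest = $stamps[-1]
        $hours  = [math]::Round(((Get-Date).ToUniversalTime() - $latest).TotalHours, 1)
        if ($hours -lt $MinHoursBetweenResets) {
            $issues += ('Only {0} h since the last krbtgt reset; minimum is {1} h' -f $hours, $MinHoursBetweenResets)
        }
    }

    [pscustomobject]@{
        Domain = $domain.DNSRoot; LastResetUtc = $latest; HoursSince = $hours
        PerDC  = $perDc;          Issues       = $issues; Ready      = ($issues.Count -eq 0)
    }
}

Test-KrbtgtResetReadiness | Format-List
```

`Ready` is `False` whenever `Issues` is non-empty; each entry there should be resolved before running either reset.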

