Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Use the following procedure to reset the krbtgt password for the domain. The following procedure applies to writeable DCs, but not read-only domain controllers (RODC).
Important
If you plan to recover RODC during the forest recovery, don't delete the krbtgt accounts for the RODC. The krbtgt account for an RODC is listed in the format krbtgt_number.
If you use a customized password filter (such as passfilt.dll) on a DC, then you might receive an error when you try to reset the krbtgt password. For more information, including a workaround, see Microsoft Knowledge Base article 2549833.
Reset the krbtgt password
- Select Start, point to Control Panel, point to Administrative Tools, and then select Active Directory Users and Computers.
- Select View, and then select Advanced Features.
- In the console tree, double-click the domain container, and then select Users.
- In the details pane, right-click the krbtgt user account, and then select Reset Password.
- In New password, type a new password, retype the password in Confirm password, and then select OK. The password that you specify isn't significant because the system generates a strong password automatically independent of the password that you specify.
Important
You should perform this operation twice. You must wait 10 hours between password resets. 10 hours are the default Maximum lifetime for user ticket and Maximum lifetime for service ticket policy settings, hence in a case where the Maximum lifetime period changes, the minimum waiting period between resets should be greater than the configured value.
Note
The password history value for the krbtgt account is 2, meaning it includes the two most recent passwords. By resetting the password twice you effectively clear any old passwords from the history, so there's no way another DC replicates with this DC by using an old password.
Next steps
- AD Forest Recovery - Prerequisites
- AD Forest Recovery - Devise a custom forest recovery plan
- AD Forest Recovery - Steps to restore the forest
- AD Forest Recovery - Identify the problem
- AD Forest Recovery - Determine how to recover
- AD Forest Recovery - Perform initial recovery
- AD Forest Recovery - Procedures
- AD Forest Recovery - Frequently Asked Questions (FAQ)
- AD Forest Recovery - Recover a single domain within a multidomain forest
- AD Forest Recovery - Redeploy remaining DCs
- AD Forest Recovery - Virtualization
- AD Forest Recovery - Cleanup