Change the ‘krbtgt’ password


Do not delete the krbtgt accounts for the RODCs. The krbtgt account for an RODC is listed in the format krbtgt_<number>.

If you use a customized password filter (such as passfilt.dll) on a DC, you might receive an error when you try to reset the krbtgt password. For more information, including a workaround, see Microsoft Knowledge Base article 2549833 (Changing krbtgt password may fail – Application Developer).

This operation should be performed twice when resetting the krbtgt password. A 10-hour waiting period is required between the two resets, because 10 hours is the Maximum lifetime for user ticket and Maximum lifetime for service ticket in the policy settings; tickets issued under the previous password must be allowed to expire before the second reset.

  1. Connect to a domain controller.
  2. Open Active Directory Users and Computers.
  3. Click View, and then click Advanced Features.
  4. In the console tree, double-click the domain container, and then click Users.
  5. In the details pane, right-click the krbtgt user account, and then click Reset Password.
  6. In New password, type a new password, retype the password in Confirm password, and then click OK. The password that you specify is not significant, because the system automatically generates a strong password that is independent of the password you type.

Please note that the krbtgt user is disabled and should not be enabled!

The password history value for the krbtgt account is 2, meaning it includes the 2 most recent passwords. By resetting the password twice you effectively clear any old passwords from the history, so there is no way another DC will replicate with this DC by using an old password.
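The same procedure can be driven from PowerShell, which also makes it easy to enforce the 10-hour gap and to confirm the new secret has replicated before the second reset. The following is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module, Domain Admin rights, and that the 10-hour default ticket lifetime (the `$MinHoursBetweenResets` parameter) matches your Kerberos policy. The `Reset-KrbtgtPassword` and `Test-KrbtgtReplicated` function names are this example's own.

```powershell
# Added example (not from the original article): reset the krbtgt password with a
# guard that enforces the waiting period between the two resets, and a check that
# every writable DC has replicated the new value. Assumes the ActiveDirectory
# module is installed. Only the writable-DC 'krbtgt' account is touched; the
# krbtgt_<number> accounts that belong to RODCs are never modified or deleted.
Import-Module ActiveDirectory

function Reset-KrbtgtPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Maximum user/service ticket lifetime from Kerberos policy (default 10 h).
        [int]$MinHoursBetweenResets = 10,
        # Writable DC to issue the reset against; the PDC emulator by default.
        [string]$Server = (Get-ADDomain).PDCEmulator
    )

    $krbtgt  = Get-ADUser -Identity 'krbtgt' -Server $Server -Properties pwdLastSet
    $lastSet = [DateTime]::FromFileTimeUtc($krbtgt.pwdLastSet)
    $elapsed = (Get-Date).ToUniversalTime() - $lastSet

    # Refuse the second reset until outstanding tickets from the first have expired.
    if ($elapsed.TotalHours -lt $MinHoursBetweenResets) {
        $msg = 'krbtgt was last reset {0:N1} hours ago on {1}; wait until {2} UTC before resetting again.' -f `
               $elapsed.TotalHours, $Server, $lastSet.AddHours($MinHoursBetweenResets)
        throw $msg
    }

    # The typed value is irrelevant (the DC generates its own secret), so a random
    # throw-away string is used instead of a human-chosen password.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $throwaway = ConvertTo-SecureString -AsPlainText -Force -String ([Convert]::ToBase64String($bytes))

    if ($PSCmdlet.ShouldProcess("krbtgt on $Server", 'Reset password')) {
        Set-ADAccountPassword -Identity $krbtgt -Server $Server -Reset -NewPassword $throwaway

        # krbtgt must stay disabled; verify nothing re-enabled it, then return the new pwdLastSet.
        $after = Get-ADUser -Identity 'krbtgt' -Server $Server -Properties pwdLastSet, Enabled
        if ($after.Enabled) { throw 'krbtgt is enabled after the reset; it must remain disabled.' }
        [DateTime]::FromFileTimeUtc($after.pwdLastSet)
    }
}

function Test-KrbtgtReplicated {
    # Returns $true when every writable DC reports the same pwdLastSet for krbtgt,
    # i.e. the first reset has replicated and no DC is still on the old password.
    $writableDCs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    $values = foreach ($dc in $writableDCs) {
        $u = Get-ADUser -Identity 'krbtgt' -Server $dc.HostName -Properties pwdLastSet
        [pscustomobject]@{
            DC         = $dc.HostName
            PwdLastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
        }
    }
    $values | Format-Table -AutoSize | Out-Host
    ($values.PwdLastSet | Select-Object -Unique).Count -eq 1
}

# Typical run: first reset, wait at least 10 hours, confirm replication, second reset.
# Reset-KrbtgtPassword -WhatIf        # dry run
# Reset-KrbtgtPassword                # first reset
# ... >= 10 hours later ...
# if (Test-KrbtgtReplicated) { Reset-KrbtgtPassword }
```

Because the guard reads `pwdLastSet` from the DC it targets, always point both resets at the same writable DC (the PDC emulator here) so the elapsed-time check and the replication check measure the same event.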