The KRBTGT Account - What is it?

As part of the Active Directory Forest Recovery process, the white paper talks about the KRBTGT account. I often get asked what this account is and why its password needs to be reset twice.

Well, here is the answer.

Key Distribution Center (KDC) service account.

Windows 2000 Kerberos authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT), must be presented to the Kerberos service itself. The TGT is enciphered with a key derived from the password of the krbtgt account, which is known only to the Kerberos service.

Why do I have to reset it twice as part of the Disaster Recovery Process?

In a large forest recovery that is spread across multiple locations, it cannot necessarily be guaranteed that all domain controllers are shut down or, if they are, that they are not rebooted again before all the appropriate recovery steps have been completed. For this reason it is recommended to reset the krbtgt account, to ensure that the newly restored domain controller does not replicate with a dangerous (unrecovered) domain controller. The reason you reset the krbtgt password twice is that the account's password history is two.

The password can be reset by using the Active Directory Users and Computers snap-in.
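As an added example that is not part of the original post, the same two resets scripted with the ActiveDirectory PowerShell module instead of the snap-in, checking after each reset that the account really changed. The function names, the `-Server` value and the assumption of Domain Admin rights on the restored domain controller are mine.

```powershell
# Added example (not the original post's procedure): reset the krbtgt password
# twice with the ActiveDirectory module, verifying each reset took effect.
# Assumes the ActiveDirectory module and Domain Admin rights in the recovered
# domain, run against the restored domain controller ($Server).
#Requires -Modules ActiveDirectory

function New-RandomKrbtgtPassword {
    # Long random value; nobody logs on as krbtgt, the KDC only ever uses the
    # keys derived from this password, so the value itself need not be kept.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtTwice {
    param(
        [Parameter(Mandatory)] [string] $Server,   # restored DC to write to
        # Pause between the two resets. In an isolated forest recovery a few
        # seconds is enough; in a live, replicating forest wait until the first
        # reset has replicated to every DC and at least one TGT lifetime
        # (10 hours by default) has passed, or clients holding tickets under
        # the old key will see Kerberos failures until they re-authenticate.
        [int] $SecondsBetween = 10
    )
    $krbtgt = Get-ADUser -Identity krbtgt -Server $Server -Properties PasswordLastSet
    $before = $krbtgt.PasswordLastSet
    Write-Host "krbtgt PasswordLastSet before reset: $before"

    # Two resets: krbtgt keeps a password history of two, so after a single
    # reset the KDC still accepts tickets enciphered under the previous key.
    # The second reset pushes the pre-recovery key out of the history.
    foreach ($pass in 1, 2) {
        Set-ADAccountPassword -Identity $krbtgt.DistinguishedName -Server $Server `
            -Reset -NewPassword (New-RandomKrbtgtPassword)
        $now = (Get-ADUser -Identity krbtgt -Server $Server -Properties PasswordLastSet).PasswordLastSet
        if ($now -le $before) { throw "Reset $pass did not update PasswordLastSet on $Server" }
        Write-Host "Reset $pass complete; PasswordLastSet is now $now"
        $before = $now
        if ($pass -eq 1) { Start-Sleep -Seconds $SecondsBetween }
    }
}

# Example call (hypothetical DC name):
# Reset-KrbtgtTwice -Server 'RESTORED-DC01'
```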
