This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 62%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
As the title says: is it possible to reset krbtgt password in an Azure AD DS managed domain?
Bonus question: is the krbtgt automatically rotated in an Azure AD DS managed domain?
Backstory:
Having noticed that krbtgt's password last set date changed without our intervention we decided to preventively reset it.
Running the New-KrbtgtKeys.ps1 script returns an error, indicating that the administrator user has insufficient permissions, which is also described in Microsoft documentation.
We opened a support ticket with Microsoft regarding krbtgt password rotation and got the following answer:
Our backend team has informed me that the krbtgt account password is rotated every 7 days.
This confirms that the krbtgt password is automatically rotated by Microsoft in Azure AD DS.
It would be nice if this information could be found in AADDS online documentation, but it's currently not the case.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Yes, this appears to be possible. There are scripts for this here:
https://github.com/zjorz/Public-AD-Scripts
https://github.com/zjorz/Public-AD-Scripts/blob/master/Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1
There is another thread related to this topic here.
The keys are not automatically rotated, but you can do so via Powershell:
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey
Let me know if this answers your question!
Thank you for your answer!
However, in this case we are not using an on-prem AD DS hybrid solution with Azure AD Connect. We have an Azure AD and configured Azure AD Domain Services, which provides the Kerberos service. Since this is a managed solution, Microsoft does not grant us domain/enterprise admin privileges, as it can be read in the FAQs
The script you proposed requires domain/enterprise admin privileges:
- To execute this script, the account running the script MUST be a member of the "Domain Admins" or Administrators group in the
targeted AD domain.
- If the account used is from another AD domain in the same AD forest, then the account running the script MUST be a member of the
"Enterprise Admins" group in the AD forest or Administrators group in the targeted AD domain. [...]
- If the account used is from another AD domain in another AD forest, then the account running the script MUST be a member of the
"Administrators" group in the targeted AD domain. [...]
The command you suggested uses the PoSh module AzureADKerberosServer, which is part of AD Connect for a hybrid Azure AD / On-prem AD DS scenario.
Thank you again for your kind answer, but I cannot accept it as the solution to my questions.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 71%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYG%3C/text%3E%3C/svg%3E)
SEM-6854,
Did you manage to get it working?
I am dealing with the same issue.....
I have Azure Active directory domain services enabled on the cloud....
i can not run the command... bleh
Hi YairGlikman-1596
With Azure Active Directory Domain Services the AD is provided as a service and we don't have complete administrative rights on it.
Hence, we do not have control over krbtgt's password.
The only viable solution I found is to wait the automatic krbtgt password rotation made by Azure.
This happens every 7 days, which should suffice for most security-related concerns.
In case you need an urgent reset you will have to open a ticket with Microsoft and maybe they can push a password rotation for your domain.
I hope this solves your problem.
Cheers!