AD 林恢复-正在重置 krbtgt 密码AD Forest Recovery - Resetting the krbtgt password

适用于: Windows Server 2019、Windows Server 2016、Windows Server 2012 和 2012 R2、Windows Server 2008 和 2008 R2Applies To: Windows Server 2019, Windows Server 2016, Windows Server 2012 and 2012 R2, Windows Server 2008 and 2008 R2

使用以下过程为域重置 krbtgt 密码。Use the following procedure to reset the krbtgt password for the domain. 下面的过程适用于只读域控制器 (Rodc) 。The following procedure applies writeable DCs, but not read-only domain controllers (RODCs).


如果计划在林恢复期间联机恢复 Rodc,请不要删除 Rodc 的 krbtgt 帐户。If you plan to recover RODCs online during the forest recovery, do not delete the krbtgt accounts for the RODCs. RODC 的 krbtgt 帐户以格式 krbtgt_ 列出。The krbtgt account for an RODC is listed in the format krbtgt_ number.

如果在 DC 上使用自定义的密码筛选器 (例如 passfilt.dll) ,则在尝试重置 krbtgt 密码时可能会收到错误。If you use a customized password filter (such as passfilt.dll) on a DC, then you might receive an error when you try to reset the krbtgt password. 有关详细信息,包括解决方法,请参阅 Microsoft 知识库 文章 2549833 ( 。For more information, including a workaround, see Microsoft Knowledge Base article 2549833 (

重置 krbtgt 密码To reset the krbtgt password

  1. 单击 " 开始",指向 "控制面板",指向 " 管理工具",然后单击 " Active Directory 用户和计算机"。Click Start, point to Control Panel, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. 单击“查看” ,然后单击“高级功能” 。Click View, and then click Advanced Features.

  3. 在控制台树中,双击域容器,然后单击 " 用户"。In the console tree, double-click the domain container, and then click Users.

  4. 在详细信息窗格中,右键单击 krbtgt 用户帐户,然后单击 " 重置密码"。In the details pane, right-click the krbtgt user account, and then click Reset Password.


  5. 在 " 新密码" 中,键入新密码,在 " 确认密码" 中再次键入密码,然后单击 "确定"In New password, type a new password, retype the password in Confirm password, and then click OK. 指定的密码不是很重要,因为系统将自动独立于指定的密码生成强密码。The password that you specify is not significant because the system will generate a strong password automatically independent of the password that you specify.


你应执行两次此操作。You should perform this operation twice. 重置密钥发行中心服务帐户密码两次时,重置之间需要10小时的等待期。When resetting the Key Distribution Center Service Account password twice, a 10 hour waiting period is required between resets. "用户票证的默认 最长生存期 " 和 " 服务票证的最长生存期 " 策略设置为10小时,因此,如果更改了最长生存期,则重置间隔的最小等待时间应大于配置的值。10 hours are the default Maximum lifetime for user ticket and Maximum lifetime for service ticket policy settings, hence in a case where the Maximum lifetime period has been altered, the minimum waiting period between resets should be greater than the configured value.


Krbtgt 帐户的密码历史记录值为2,这意味着它包含2个最新密码。The password history value for the krbtgt account is 2, meaning it includes the 2 most recent passwords. 通过重置密码两次,可以有效地清除历史记录中的任何旧密码,因此无法使用旧密码将其他 DC 与此 DC 进行复制。By resetting the password twice you effectively clear any old passwords from the history, so there is no way another DC will replicate with this DC by using an old password.

后续步骤Next Steps