Changing the "krbtgt" Account Password
What is it?
The krbtgt account is a default account created automatically when a Microsoft Active Directory domain is created. It is the Key Distribution Center (KDC) service account: its password-derived key is used to encrypt and sign the Kerberos Ticket Granting Tickets (TGTs) that AD users and computers present to obtain access to AD resources via Kerberos.
Why update?
Microsoft recommends updating this account's password regularly. We have chosen a 6-monthly cycle (182 days) to complete this.
To keep the update smooth, AD keeps both the current and the previous password valid. Machines can therefore still use tickets issued under the old password until they receive a ticket issued under the new one. Because of this, a single reset does not invalidate tickets issued under the original password; to fully retire it we must reset the password twice. So that all machines retain access, there should be a gap between the two resets long enough for full domain replication and for machines to request new tickets. Out of an abundance of caution we choose 24 hours.
Procedure
- Please log a basic RFC for this, mainly to let colleagues know
- Open the AD tool using a domain admin account
- Search/locate the account "krbtgt"
- Reset the password to a new strong password
- Update the password manager entry titled "krbtgt"
- Wait for 24 hours
- Open the AD tool using a domain admin account
- Search/locate the account "krbtgt"
- Reset the password to another new strong password
- Update the password manager entry titled "krbtgt"
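The two-step reset above as an added PowerShell example, not part of the original procedure. It assumes the RSAT ActiveDirectory module and a Domain Admin session; the 24-hour gap and the password manager entry titled "krbtgt" come from the procedure. Run it once, wait at least 24 hours, then run it again; the second run refuses to proceed until the gap has passed and the first reset has replicated to every writable DC.

```powershell
# Added example: one step of the two-step krbtgt reset (run twice, 24 h apart).
# Assumes the RSAT ActiveDirectory module and a Domain Admin session.
Import-Module ActiveDirectory

$MinimumGapHours = 24   # gap between the two resets, from the procedure

function New-RandomPassword {
    # 32 random bytes from the OS CSPRNG, Base64-encoded (44 characters)
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Test-KrbtgtReplicated {
    # True only when every writable DC reports the same PasswordLastSet for krbtgt,
    # i.e. the previous reset has replicated everywhere. An unreachable DC throws,
    # which stops the script rather than resetting prematurely.
    $stamps = Get-ADDomainController -Filter { IsReadOnly -eq $false } | ForEach-Object {
        (Get-ADUser krbtgt -Server $_.HostName -Properties PasswordLastSet).PasswordLastSet
    }
    return (($stamps | Sort-Object -Unique).Count -eq 1)
}

$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
$age    = (Get-Date) - $krbtgt.PasswordLastSet

if ($age.TotalHours -lt $MinimumGapHours) {
    throw "krbtgt was reset $([int]$age.TotalHours) h ago; wait until $MinimumGapHours h have passed."
}
if (-not (Test-KrbtgtReplicated)) {
    throw "The previous krbtgt reset has not replicated to all writable DCs yet; do not reset again."
}

$plain  = New-RandomPassword
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
Set-ADAccountPassword -Identity $krbtgt -Reset -NewPassword $secure

# Confirm the reset took effect on the DC we talked to
$after = Get-ADUser krbtgt -Properties PasswordLastSet
Write-Host "krbtgt PasswordLastSet is now $($after.PasswordLastSet)"

# Output the value for the password manager entry titled "krbtgt", then discard it
$plain
$plain = $null
```

Note that Active Directory generates its own random krbtgt password on reset regardless of the value supplied, so the stored value documents that the reset happened rather than being usable as a credential.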