Replication Version Number for your KrbTGT account password?
Posted by BPuhl on December 19, 2007
When we flipped our REDMOND domain to Server 2008 domain functional mode, we experienced an issue with some of our application servers suddenly failing to authenticate. We found that this was because Kerberos authentication was failing: the domain KrbTGT password was changed during the domain mode switch. In fact, if you look at our domain KrbTGT account, you see the following replication metadata:
C:\>repadmin /showobjmeta red-dc-11 "CN=krbtgt (Key Distribution Center Service Account),CN=Users,DC=redmond,DC=corp,DC=microsoft,DC=com"
Loc.USN   Originating DC        Org.USN    Org.Time/Date        Ver  Attribute
========  ====================  =========  ===================  ===  =========
65585069  NA-WA-RED\RED-DC-10   151889264  2007-11-01 16:06:02    4  pwdLastSet
The "version 4" indicates that our KrbTGT password has actually been changed a few times in the past 8 years.
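As an added example (not from the original post), the same check done with the ActiveDirectory PowerShell module: it reports the pwdLastSet version and originating DC that repadmin shows above, plus the domain functional mode, and flags a change newer than a chosen window so an authentication outage can be correlated with a rotation. The function name and the 24-hour window are assumptions of this example.

```powershell
# Added example: report when and how often the krbtgt password has changed.
# Assumes the ActiveDirectory module (RSAT / Windows Server 2012+) is installed
# and the caller can read the domain's krbtgt object.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordChangeInfo {
    param(
        # Query the PDC emulator by default so metadata comes from one known DC.
        [string]$Server = (Get-ADDomain).PDCEmulator,
        # Changes newer than this many hours are flagged as "recent" (assumed value).
        [int]$RecentHours = 24
    )

    $domain = Get-ADDomain -Server $Server
    $krbtgt = Get-ADUser -Identity 'krbtgt' -Server $Server -Properties pwdLastSet

    # Same data as repadmin /showobjmeta: originating DC, time and version of pwdLastSet.
    $meta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
                -Server $Server -Properties pwdLastSet

    # pwdLastSet is stored as a Windows FILETIME (100-ns intervals since 1601, UTC).
    $lastSetUtc = [DateTime]::FromFileTimeUtc($krbtgt.pwdLastSet)
    $age = (Get-Date).ToUniversalTime() - $lastSetUtc

    [pscustomobject]@{
        Domain          = $domain.DNSRoot
        DomainMode      = $domain.DomainMode
        PwdLastSetUtc   = $lastSetUtc
        Version         = $meta.Version                                   # "Ver" column
        OriginatingDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
        OriginatingTime = $meta.LastOriginatingChangeTime
        ChangedRecently = ($age.TotalHours -lt $RecentHours)
    }
}

# Run this right after a functional-level raise: a bumped Version and
# ChangedRecently = True confirm that the rotation happened on this DC.
Get-KrbtgtPasswordChangeInfo | Format-List
```

A krbtgt password change that nobody scheduled and that does not line up with a functional-level raise is worth investigating, since the account's key underpins every Kerberos ticket in the domain.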
Naturally, we all thought this was "bad" (outages usually are), and the devs weren't quite sure why the system didn't handle this much more gracefully. Although it's unlikely that anyone would actually change their KrbTGT password, the system is designed to handle it.
We suspected a bug, so we collected a bunch of data and tried to repro this in a lab. Unfortunately, we couldn't ever repro the outages, so we went to the next step and worked with the developers to get some instrumentation to use when we moved our next production domain. This time we chose an Exchange resource domain to move to 2008 DFM, and everything went smoothly.
Even though there aren’t any bugs to fix, the PG has agreed to include documentation indicating that the krbtgt password gets changed when you flip to domain functional mode.
Just another one of those random tidbits of information which is good to have in your back pocket.