Replication Version Number for your KrbTGT account password?
Posted by BPuhl on December 19, 2007
When we flipped our REDMOND domain to Server 2008 domain functional mode, we experienced an issue with some of our application servers suddenly failing to authenticate. We found that this was because Kerberos authentication was failing, as the domain KerbTGT password was changed during the domain mode switch. In fact, if you look at our domain KrbTGT account, you see it as the following replication metadata:
C:\>repadmin /showobjmeta red-dc-11 “CN=krbtgt (Key Distribution Center Service Account),CN=Users,DC=redmond,DC=corp,DC=microsoft,DC=com”
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
65585069 NA-WA-RED\RED-DC-10 151889264 2007-11-01 16:06:02 4 pwdLastSet
The “version 4” indicates that our KrbTGT password has actually been changed a few times in the past 8 years.
Naturally, we all thought this was “bad” (outages usually are), and the dev’s weren’t quite sure why the system didn’t handle this much more gracefully. Although it’s unlikely that anyone would actually change their KrbTGT password, the system is designed to handle it.
We suspected a bug, so collected a bunch of data, and tried to repro this in a lab. Unfortunately, we couldn’t ever repro the outages, so we went to the next step and worked with the developers to get some instrumentation to use when we did our next production domain. This time we chose an Exchange resource domain to move to 2008 DFM, and everything went smoothly.
Even though there aren’t any bugs to fix, the PG has agreed to include documentation indicating that the krbtgt password gets changed when you flip to domain functional mode.
Just another one of those random tidbits of information which is good to have in your back pocket.