Secure your Simple AD directory
This section describes considerations for securing your Simple AD environment.
How to reset a Simple AD krbtgt account password
The krbtgt account plays an important role in the Kerberos ticket exchanges. For more information, see the Samba documentation.
You can reset the krbtgt account password from one of the following Simple AD joined instances:
- Amazon EC2 Windows
- Amazon EC2 Linux
Note
Amazon Simple AD is powered by Samba-AD. Samba-AD doesn't store the N-1 (previous password) hash for the krbtgt account. Therefore, when the krbtgt account password is reset, Kerberos clients are required to negotiate a new Ticket Granting Ticket (TGT) during their next Service Ticket (ST) request. To minimize potential service disruptions, schedule krbtgt account password resets outside of business hours. This approach mitigates the impact on ongoing operations and keeps authentication continuous.
The following procedures show how to reset the krbtgt account password from either an EC2 Windows or an EC2 Linux instance.
Prerequisites
Before you can begin this procedure, complete the following:
- You have domain joined an EC2 instance to your Simple AD directory.
  - For more information on how to join an EC2 Windows instance to a Simple AD, see Seamlessly join an Amazon EC2 Windows instance to your Simple AD Active Directory.
  - For more information on how to join an EC2 Linux instance to a Simple AD, see Seamlessly join an Amazon EC2 Linux instance to your Simple AD Active Directory.
- You have the Simple AD directory administrator credentials. You will be signing in as the Simple AD directory administrator for this procedure.
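The note above recommends resetting krbtgt outside business hours because every client must obtain a fresh TGT afterwards. The following shell script is an added example, not the AWS documentation's own procedure and not Samba project code: it gates the reset behind a maintenance-window check and then runs the reset from a Simple AD joined Linux instance with samba-tool. Everything it assumes is an assumption, not taken from the page: the directory LDAP endpoint ldap://corp.example.com, the admin login name "Administrator", business hours of 08:00 to 17:59 local time, and that the samba-tool package is installed on the instance. The samba-tool options used (user setpassword, --random-password, -H, -U) are standard samba-tool options.

```shell
#!/bin/sh
# Added example (not AWS documentation or Samba project code): refuse to reset the
# krbtgt password during business hours, otherwise reset it with samba-tool from a
# Simple AD joined Linux instance and drop the local ticket cache afterwards.
#
# Assumptions (not from the page): LDAP endpoint, admin login, business hours and
# the presence of samba-tool are all placeholders you must adjust.

BUSINESS_START=${BUSINESS_START:-8}    # first hour of the business day (inclusive)
BUSINESS_END=${BUSINESS_END:-18}       # first hour after the business day (exclusive)
DIRECTORY_URL=${DIRECTORY_URL:-ldap://corp.example.com}   # assumed directory endpoint
ADMIN_USER=${ADMIN_USER:-Administrator}                   # assumed directory admin

# outside_business_hours HOUR -> returns 0 when HOUR (0-23) is outside the business
# window, 1 when inside it, 2 on bad input. Kept separate so the policy is testable.
outside_business_hours() {
    hour=$1
    case "$hour" in
        ''|*[!0-9]*) echo "invalid hour: $hour" >&2; return 2 ;;
    esac
    if [ "$hour" -ge "$BUSINESS_START" ] && [ "$hour" -lt "$BUSINESS_END" ]; then
        return 1
    fi
    return 0
}

# reset_krbtgt_password [HOUR] -> runs the reset, or only prints the command when
# KRBTGT_DRY_RUN=1. HOUR defaults to the current local hour.
reset_krbtgt_password() {
    hour=${1:-$(date +%H)}
    hour=${hour#0}          # "09" -> "9" so the numeric comparisons work
    if ! outside_business_hours "$hour"; then
        echo "refusing: hour $hour is inside business hours; clients would have to renegotiate TGTs mid-day" >&2
        return 1
    fi
    # --random-password lets the directory generate the secret: nothing to store or leak.
    set -- samba-tool user setpassword krbtgt --random-password \
        -H "$DIRECTORY_URL" -U "$ADMIN_USER"
    if [ "${KRBTGT_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
        return 0
    fi
    "$@" || return 1
    # Tickets in the local cache were issued under the old key; discard them so the
    # next service-ticket request fetches a new TGT instead of failing.
    kdestroy 2>/dev/null || true
}
```

Run it as `KRBTGT_DRY_RUN=1 ./reset-krbtgt.sh` first to see the exact command it would execute, and wire the real run into an after-hours cron entry rather than an interactive shell so the schedule the note asks for is enforced rather than remembered.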