References

http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf

https://social.technet.microsoft.com/Forums/windowsserver/en-US/53033b4d-766b-4588-95fc-aadd93d8a053/impact-of-resetting-the-password-of-the-krbtgt-account

https://multiplechoicesystemengineer.wordpress.com/2011/11/11/a-hercaclean-task-active-directory-kerberos-and-the-krbtgt-account/


Script to use to reset the KRBTGT:

http://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/


The krbtgt password should be reset when you suspect an intrusion or when a RW DC is stolen. Use the script above to reset the password only ONCE per pass.

Before the second password reset it is very important to wait at least: [10h (TGT lifetime) + TGS lifetime (600 minutes) + AD replication latency + time skew]

It is also recommended to force AD replication and to stop/start the KDC service on all RW DCs.

In short, you can wait 15 days between the FIRST RESET and the SECOND RESET.
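The pre-check below is an added example, not part of this note and not Microsoft's reset script. It computes the minimum wait from the formula above, verifies that enough time has passed since the first reset, confirms that every writable DC has replicated the first reset (forcing a sync where it has not), and optionally restarts the KDC service on all RW DCs. It assumes the ActiveDirectory RSAT module and repadmin.exe are available; the ReplicationLatencyMinutes value is an assumption to adjust to your topology, and TimeSkewMinutes uses the Kerberos policy default of 5 minutes.

```powershell
# Pre-check before the SECOND krbtgt reset (added example; not Microsoft's script).
# Assumes RSAT ActiveDirectory module, repadmin.exe, and rights to query/sync DCs.
param(
    [int]$TgtLifetimeHours          = 10,   # from the note: TGT lifetime
    [int]$TgsLifetimeMinutes        = 600,  # from the note: TGS lifetime
    [int]$ReplicationLatencyMinutes = 60,   # assumption: set to your forest's worst-case latency
    [int]$TimeSkewMinutes           = 5,    # Kerberos policy default max clock tolerance
    [switch]$RestartKdc                     # restart KDC on writable DCs only when requested
)

Import-Module ActiveDirectory -ErrorAction Stop

# Minimum wait between first and second reset, per the formula in the note
$minWait = [TimeSpan]::FromHours($TgtLifetimeHours) +
           [TimeSpan]::FromMinutes($TgsLifetimeMinutes + $ReplicationLatencyMinutes + $TimeSkewMinutes)

# PasswordLastSet on krbtgt records when the first reset happened
$krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$elapsed = (Get-Date) - $krbtgt.PasswordLastSet
"krbtgt PasswordLastSet : {0}" -f $krbtgt.PasswordLastSet
"Minimum wait required  : {0}" -f $minWait
"Elapsed since reset    : {0}" -f $elapsed

if ($elapsed -lt $minWait) {
    Write-Warning ("Too early for the second reset; wait at least {0} more." -f ($minWait - $elapsed))
    return
}

# Writable DCs only: RODCs use their own krbtgt_<id> accounts, not this one
$rwdcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }

# Confirm the first reset has converged: every RW DC must report the same PasswordLastSet
foreach ($dc in $rwdcs) {
    $u = Get-ADUser -Identity krbtgt -Properties PasswordLastSet -Server $dc.HostName
    "{0,-40} PasswordLastSet={1}" -f $dc.HostName, $u.PasswordLastSet
    if ($u.PasswordLastSet -ne $krbtgt.PasswordLastSet) {
        Write-Warning "$($dc.HostName) has not replicated the first reset; forcing replication"
        # /A all partitions, /e cross-site, /P push changes outward from this DC
        & repadmin.exe /syncall $dc.HostName /AeP | Out-Null
    }
}

# Stop/start the KDC on all RW DCs so cached tickets are re-issued against the new key
if ($RestartKdc) {
    foreach ($dc in $rwdcs) {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock { Restart-Service -Name kdc -Force }
    }
}

"Preconditions satisfied: the second reset can now be run with the Microsoft script."
```

Run it from a workstation with RSAT as a domain admin, for example `.\Check-KrbtgtReset.ps1 -ReplicationLatencyMinutes 120 -RestartKdc`. The note's practical guidance of a 15-day gap comfortably exceeds the computed minimum; the script only tells you when the second reset is no longer unsafe, not that you must do it immediately.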