Hi,
Currently a lot of effort and interest goes into the golden ticket scenario that mimikatz and metasploit are able to do using the krbtgt account.
I know you would have to own a DC or get a NDTS dump to get the hash of the krbtgt account, but for the sake of this question let's assume we want to change the krbtgt password because a domain admin left the company, and could potentially have taken the DB with him.
In a number of scenarios, part of the restore procedure or resolution to an issue is to reset the password of the krbtgt account (for example:http://technet.microsoft.com/en-us/library/cc733991(WS.10).aspx)
As part of a forest recovery procedure you have to change the password of the krbtgt account twice to make sure replication no longer occurs. Wouldn't this mean that existing replication breaks as well when you change the password, as the steer is in a lot of blogs, recommendations or technet articles?
In short, I'm wondering what would break when you change the password of the krbtgt account, and if anything does, for how long and will it automatically repair? It wouldn't be nice to have to tell a customer to do a forest recovery because they followed steer from security companies telling them to change their krbtgt password.
Thanks in advance for your responses!