
While there's a lot of information [1], [2], [3] about resetting the password for the regular krbtgt account, I haven't yet found a clear suggestion about RODC-specific krbtgt_xxxxx accounts.

Should those be rotated similarly to the regular krbtgt account?

plaes

1 Answer

On the very bottom of this article https://adsecurity.org/?p=3592

  1. If the RODC is configured to cache passwords, change the RODC’s krbtgt_###### account’s password on a regular basis (2x every year). Microsoft’s krbtgt change script is not geared for the RODC krbtgt account (the risk of changing the RODC krbtgt password is very low). In Active Directory Users and Computers, right-click on the krbtgt_###### and change the password (set it to pretty much anything, Windows should automatically set the password to a random value).

If you read the article, the krbtgt account on an RODC is similar to the one from the "real" domain (writable DC), just limited to several groups of users/computers, if it was set up correctly. So resetting RODC krbtgt accounts also makes sense.

(I wonder why something like this is not built into AD. A checkbox somewhere to enable auto-rotation of all those krbtgt accounts would be nice :) )

S.L. Barth
Robert R
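The manual ADUC step quoted in the answer scales poorly once a domain has several RODCs. The script below is an added example, not from the answer or the linked article: it enumerates every RODC, follows each RODC computer object's msDS-KrbTgtLink attribute to its own krbtgt_##### account, reports how long ago that account's password was last set, and only when run with -Reset rotates the accounts older than the chosen threshold. It assumes the ActiveDirectory PowerShell module, a session with rights to reset those accounts, and a 180-day threshold (the answer's "2x every year"); the threshold and switch names are this example's own choices.

```powershell
# Added example (not the answer's or the article's code): audit and optionally
# rotate the per-RODC krbtgt_##### accounts.
# Assumptions: ActiveDirectory module available, run as an account permitted to
# reset these passwords, and 180 days as the "twice a year" rotation interval.
param(
    [switch]$Reset,          # without this switch the script only reports
    [int]$MaxAgeDays = 180   # assumed threshold derived from "2x every year"
)

Import-Module ActiveDirectory

# A krbtgt_##### password only needs to be something; AD stores a random key
# regardless of what is supplied, so the value itself is throwaway.
function New-ThrowawayPassword {
    $chars = (33..126) | ForEach-Object { [char]$_ }
    $plain = -join (1..64 | ForEach-Object { $chars | Get-Random })
    return ConvertTo-SecureString -String $plain -AsPlainText -Force
}

$report = foreach ($rodc in (Get-ADDomainController -Filter { IsReadOnly -eq $true })) {
    # Each RODC computer object points at its dedicated krbtgt account.
    $computer = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties msDS-KrbTgtLink
    $link = $computer.'msDS-KrbTgtLink'
    if (-not $link) {
        Write-Warning "RODC $($rodc.HostName) has no msDS-KrbTgtLink; skipping."
        continue
    }

    $krb = Get-ADUser -Identity $link -Properties PasswordLastSet
    $ageDays = [int]((Get-Date) - $krb.PasswordLastSet).TotalDays
    $overdue = $ageDays -gt $MaxAgeDays
    $action  = 'report-only'

    if ($Reset -and $overdue) {
        # Reset only the overdue RODC accounts; the domain-wide krbtgt is
        # deliberately not touched here (it has its own, riskier procedure).
        Set-ADAccountPassword -Identity $krb -Reset -NewPassword (New-ThrowawayPassword)
        $action = 'reset'
    }

    [pscustomobject]@{
        RODC            = $rodc.HostName
        KrbtgtAccount   = $krb.SamAccountName
        PasswordLastSet = $krb.PasswordLastSet
        AgeDays         = $ageDays
        Overdue         = $overdue
        Action          = $action
    }
}

$report | Format-Table -AutoSize
```

Run it without -Reset first to see which RODC accounts are past the interval; the report column Overdue is the check worth putting on a schedule even if the reset itself stays a manual step. Note that the rotated key only reaches the RODC after replication, and that cached tickets issued under the old key keep working until they expire, which is why this is a low-risk change compared with the writable DC's krbtgt.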