upgrade the inter-realm trust key to AES
Giuseppe Mazza
g.mazza at imperial.ac.uk
Fri Apr 10 10:28:36 EDT 2015
Dear All,
I would like to upgrade my inter-realm trust key from DES to AES.
My current situation is
i] Domain IC.AC.UK (Windows Server 2012): I have no access to it. People
from College manage it.
Users in IC.AC.UK (Windows) can log in and use services in DOC.IC.AC.UK
(Linux).
ii] Realm DOC.IC.AC.UK (Ubuntu 14.04): I have full control of it.
I have got the keys below:
kadmin: get_principal krbtgt/DOC.IC.AC.UK@IC.AC.UK
Principal: krbtgt/DOC.IC.AC.UK@IC.AC.UK
...
Number of keys: 5
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-crc, Version 4
Key: vno 1, des-cbc-crc, AFS version 3
Key: vno 1, arcfour-hmac, no salt
MKey: vno 1
Attributes:
Policy: default
Here are my questions:
1] Do you know any utility - something like get_principal - on Windows?
2] My College counterpart, i.e. the Windows person from College, tells me
that it will be enough to enable (via GP) the AES enctype for the
inter-realm trust key on the Windows side.
However I am a bit concerned: our inter-realm trust is very old and was
created when no AES support existed in Windows.
They have upgraded through the different versions of Windows Server up to
the 2012 one, but the inter-realm trust has remained the same since it
was created.
My naive understanding is that the AES inter-realm trust key will work
only if
- the actual AES key exists
- the AES enctype is enabled
Is it plausible there is no AES key on their Windows DCs?
(In principle I could use the command below on the Linux side:
kadmin> change_password -e aes256-cts-hmac-sha1-96:normal -keepold krbtgt/DOC.IC.AC.UK@IC.AC.UK)
All the best,
Giuseppe
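The check the post is circling around (is there an AES key on the shared krbtgt/DOC.IC.AC.UK@IC.AC.UK principal at the current kvno, and is AES enabled on the Windows side of the trust?) can be done mechanically from two inputs: the MIT kadmin get_principal listing, and the msDS-SupportedEncryptionTypes value on the Windows trustedDomain object, which a DC admin can read with ksetup /getenctypeattr or by querying that attribute. The script below is an added example, not code from the post or from MIT Kerberos; it parses the listing quoted above, decodes the attribute using the bit flags documented in MS-KILE 2.2.7 (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256), and reports which AES enctypes both sides could use. The "after upgrade" listing and the Windows value 0x1C are constructed assumptions, not data from the post.

```python
import re

# Constructed sample 1: the kadmin get_principal listing quoted in the post
# (principal spelled with '@'; the list archive renders it as ' at ').
BEFORE_UPGRADE = """\
Principal: krbtgt/DOC.IC.AC.UK@IC.AC.UK
Number of keys: 5
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, des-cbc-crc, no salt
Key: vno 1, des-cbc-crc, Version 4
Key: vno 1, des-cbc-crc, AFS version 3
Key: vno 1, arcfour-hmac, no salt
MKey: vno 1
"""

# Constructed sample 2 (hypothetical): what the listing would look like if the
# change_password -e aes256-cts-hmac-sha1-96:normal -keepold command from the
# post were run: the vno 1 keys are kept and a vno 2 AES key is added.
AFTER_UPGRADE = BEFORE_UPGRADE.replace(
    "Number of keys: 5", "Number of keys: 6"
).replace(
    "MKey: vno 1", "Key: vno 2, aes256-cts-hmac-sha1-96, no salt\nMKey: vno 1"
)

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7), mapped to the
# MIT enctype names that kadmin prints.
MSDS_SUPPORTED_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
AES_ENCTYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

KEY_LINE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([\w-]+)(?:,\s*(.*))?$")


def parse_keys(kadmin_text):
    """Return (kvno, enctype, salt) tuples from get_principal output."""
    keys = []
    for line in kadmin_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return keys


def current_kvno(keys):
    """Highest kvno present; -keepold leaves older vnos next to the new one."""
    return max((vno for vno, _, _ in keys), default=0)


def enctypes_at_current_kvno(keys):
    """Only keys at the current kvno are used for new cross-realm tickets."""
    cur = current_kvno(keys)
    return {enc for vno, enc, _ in keys if vno == cur}


def decode_msds_enctypes(value):
    """Map an msDS-SupportedEncryptionTypes integer to MIT enctype names."""
    return {name for bit, name in MSDS_SUPPORTED_ENCTYPE_BITS.items() if value & bit}


def aes_trust_readiness(kadmin_text, windows_attr, linux_permitted=None):
    """Check the conditions for AES on the cross-realm principal: an AES key
    at the current kvno, AES enabled on the Windows trust object, and (if
    given) AES in the Linux KDC's permitted_enctypes."""
    keys = parse_keys(kadmin_text)
    linux_keys = enctypes_at_current_kvno(keys)
    windows = decode_msds_enctypes(windows_attr)
    usable = linux_keys & AES_ENCTYPES & windows
    if linux_permitted is not None:
        usable &= set(linux_permitted)
    return {
        "kvno": current_kvno(keys),
        "aes_key_present": bool(linux_keys & AES_ENCTYPES),
        "aes_enabled_on_windows": bool(windows & AES_ENCTYPES),
        "usable_aes_enctypes": sorted(usable),
        "non_aes_keys_at_current_kvno": sorted(linux_keys - AES_ENCTYPES),
    }


if __name__ == "__main__":
    # 0x1C = RC4 | AES128 | AES256 on the Windows side (constructed value)
    for label, text in (("before", BEFORE_UPGRADE), ("after", AFTER_UPGRADE)):
        print(label, aes_trust_readiness(text, 0x1C))
```

The script only reads listings; it does not keep the two realms in sync. A cross-realm principal's key has to be identical on both KDCs, so running the change_password from the post with a new password on the Linux side alone would break the trust until the Windows trust password is set to match.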