AD FFL and DFL 2003 to 2008 R2 and the KRBTGT account concern

I am doing the design, planning, prepping, etc. for a forest and domain level increase. I was reading the blog below and what caught my eye was this statement:

So when you raise the domain functional level to Windows Server 2008 or Windows Server 2008 R2 from Windows Server 2003 or gasp Windows 2000 the krbtgt password will be changed.

We do not have the original password documented for this; we have Cisco, IBM, NetApp, VMware, etc. that use AD authentication. My question is this:

If the password is changed, then how do I ensure that the products that are not Microsoft continue to work and not go down?

http://blogs.technet.com/b/askpfeplat/archive/2012/04/09/a-few-things-you-should-know-about-raising-the-dfl-and-or-ffl-to-windows-server-2008-r2.aspx

August 31st, 2015 5:38pm

The krbtgt account password is not known by any person, application, or service. A domain admin can change the password without knowing the old password. In fact, when you provide the new password, the system actually immediately changes it to a random string, per this blog post:

https://adsecurity.org/?p=1441

If a DC is compromised, it is recommended that the krbtgt password be changed twice, because password history is 2, but I believe the actual resulting password is an entirely different string of random bits.

August 31st, 2015 8:45pm

Richard is right that you can actually change the password without knowing the old password.
 
You might want to take a look at this PowerShell script, which basically provides the ability to change the KRBTGT password, force replication to update the KRBTGT account, and validate that it has replicated.
 
https://gallery.technet.microsoft.com/Reset-the-krbtgt-account-581a9e51
 

Regards,

Eth

August 31st, 2015 11:25pm
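The validation step Eth's linked script performs can also be done read-only, which is useful before and after a reset (and before the second reset Richard mentions). The snippet below is an added example, not code from this thread or from the TechNet gallery script; it assumes the RSAT ActiveDirectory module and a domain-joined admin session, asks every writable DC for its own copy of krbtgt's PasswordLastSet, and reports whether the value has converged. It also prints the current DFL/FFL for the planning work in the original question.

```powershell
# Added example (not from the thread or the gallery script): read-only check that a
# krbtgt password change has replicated to every writable DC, plus the functional levels.
# Assumes RSAT / the ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
Write-Host ("Domain functional level: {0}   Forest functional level: {1}" -f `
    $domain.DomainMode, $forest.ForestMode)

# RODCs hold their own krbtgt_<id> accounts, so only writable DCs are compared here.
$dcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

# Query each DC directly (-Server) instead of trusting one DC's view of the object.
$results = foreach ($dc in $dcs) {
    try {
        $k = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
        [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $k.PasswordLastSet; Error = $null }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Convergence check: every reachable DC must report the same PasswordLastSet timestamp.
$distinct = @($results | Where-Object { $_.PasswordLastSet } |
              Select-Object -ExpandProperty PasswordLastSet -Unique)
$failed   = @($results | Where-Object { $_.Error })

if ($distinct.Count -eq 1 -and $failed.Count -eq 0) {
    Write-Host "krbtgt PasswordLastSet is consistent on all writable DCs: $($distinct[0])"
} else {
    Write-Warning ("krbtgt PasswordLastSet differs across DCs or some DCs were unreachable; " +
                   "wait for replication (or run repadmin /syncall) and re-check before any further reset.")
}
```

Run it once before the reset to record the baseline timestamp and again afterwards; the warning branch means the change has not yet reached every DC.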
