robertro-sit - Thanks for sharing your testing and research. Many enterprises have pockets of legacy OSs (2003\XP) as well as old keytab files which were not created to support AES. If RC4 support was removed from the DCs those devices would be impacted which is why I recommended leveraging audit logs to uncover and resolve RC4 use rather than completely disabling it at the domain level. In environments without legacy dependencies you could certainly save considerable time by removing RC4 support from the DCs if the organization is willing to accept some risk of impact.
I was not aware that hashcat can support kerberoasting AES tickets. I will edit my phrasing. That bit of information highlights the importance of setting long and complex (non-guessable) passwords on service accounts in addition to enabling them for AES. Too often that is not the case because service accounts have been made exempt from password changes and as a result the current passwords were set when the organization had much more lax password standards. Personally I am a fan of leveraging fine-grained password policy to hold service accounts to a higher standard than the average user account. Of course the PSO would not be enforced until the service account passwords are cycled.
You're correct about Server 2019 addressing the issue with ticket downgrade attacks. That improvement alone is great justification to get domain controllers up to 2019 (or 2022) as soon as possible. If the DC upgrades cannot happen in the near term, Microsoft Defender for Identity is a good mitigation given it will alert you when such ticket encryption downgrades are occurring.
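As an added example of the audit-log approach discussed above (this is illustrative code, not something posted in the thread), the following PowerShell pulls Kerberos service-ticket requests (Security event ID 4769) from a domain controller and summarizes the ones that were still issued with RC4 or DES, so the affected services and accounts can be remediated before RC4 is removed from the DCs. The `TicketEncryptionType` values are the standard Kerberos etype codes logged by Windows; the seven-day window, the output path and the computer name are assumptions you would adjust.

```powershell
# Added example (not from the original thread): report Kerberos service tickets
# (Security event 4769) issued with RC4/DES so the dependencies can be fixed
# before RC4 support is disabled on the domain controllers.
# Run in an elevated PowerShell session on a DC, or point -ComputerName at one.
# The time window and CSV path below are assumptions, not values from the thread.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7,
    [string]$OutCsv = ".\rc4-tickets.csv"   # assumed output location
)

# Kerberos etype codes as they appear in the TicketEncryptionType field.
$EncTypes = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}

# 4769 = "A Kerberos service ticket was requested". Event 4768 (TGT requests)
# carries the same TicketEncryptionType field and can be added to Id if needed.
$filter = @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$rows = foreach ($evt in $events) {
    # Read the EventData fields from the event XML once per event.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only successfully issued tickets (Status 0x0) represent a real dependency.
    if ($data['Status'] -ne '0x0') { continue }

    [pscustomobject]@{
        TimeCreated    = $evt.TimeCreated
        RequestingUser = $data['TargetUserName']
        ClientAddress  = $data['IpAddress']
        ServiceName    = $data['ServiceName']
        EncTypeCode    = $data['TicketEncryptionType']
        EncType        = $EncTypes[$data['TicketEncryptionType']]
    }
}

# Anything that is not AES128/AES256 would break once RC4 is removed from the DCs.
$weak = $rows | Where-Object { $_.EncTypeCode -notin @('0x11', '0x12') }

# One line per (service, requesting account, etype) with the client addresses
# that produced the requests, most frequent first.
$weak |
    Group-Object ServiceName, RequestingUser, EncType |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n = 'ServiceName';    e = { $_.Group[0].ServiceName } },
        @{n = 'RequestingUser'; e = { $_.Group[0].RequestingUser } },
        @{n = 'EncType';        e = { $_.Group[0].EncType } },
        @{n = 'Clients';        e = { ($_.Group.ClientAddress | Sort-Object -Unique) -join ';' } } |
    Tee-Object -Variable summary |
    Format-Table -AutoSize

$summary | Export-Csv -NoTypeInformation -Path $OutCsv
```

Each service name in the output is a candidate for the fixes mentioned above: enable AES on the account (and regenerate any old keytab so it contains AES keys), cycle the password so a strong one and the AES keys take effect, and apply the fine-grained password policy once the rotation is done. The client addresses column is what points you at the legacy hosts that cannot negotiate AES at all. Event 4769 is logged only when the DC's audit policy covers "Kerberos Service Ticket Operations", so enable that subcategory first if the query returns nothing.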