Language:
DPAPI Domain Backup Keys are an essential part of the recovery of DPAPI secrets. Various attack tools focus on extracting these keys from Domain Controllers using LSA RPC calls. Microsoft recognizes that there is no supported method to rotate nor change these keys. Therefore, if the DPAPI backup keys for the domain are compromised, they recommend creating an entire new domain from scratch which is a costly and lengthy operation.
CQLabs - Extracting Roamed Private Keys from Active Directory