After join a ESXi in AD environment, operating system search continually host _kerberos-master._udp.domainname which by default does not exist in an Active Directory-integrated DNS zone.
This entry should refer to those KDCs, if any, that will immediately see password changes to the Kerberos database. This entry is used only in one case, when the user is logging in and the password appears to be incorrect; the master KDC is then contacted, and the same password used to try to decrypt the response, in case the user's password had recently been changed and the first KDC contacted hadn't been updated. Only if that fails is an "incorrect password" error given."
