[Samba] Server GC/name.dom/dom is not registered with our KDC: Miscellaneous failure (see text): Server (GC/name/dom@DOM) unknown

Today's episode of "why is AD break", brought to you by:

> [2017/09/05 10:17:06.015617,  3] ../source4/auth/gensec/gensec_gssapi.c:613(gensec_gssapi_update)
>   Server GC/graz-dc-1b.ad.tao.at/ad.tao.at is not registered with our KDC:  Miscellaneous failure (see text): Server (GC/graz-dc-1b.ad.tao.at/ad.tao.at@xxxxxxxxx) unknown
> [2017/09/05 10:17:06.015717,  0] ../source4/librpc/rpc/dcerpc_util.c:745(dcerpc_pipe_auth_recv)
>   Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:[1024,seal,krb5,target_hostname=bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at,target_principal=GC/graz-dc-1b.ad.tao.at/ad.tao.at,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=] NT_STATUS_INVALID_PARAMETER
> [2017/09/05 10:17:06.015869,  4] ../source4/dsdb/repl/drepl_notify.c:196(dreplsrv_notify_op_callback)
>   dreplsrv_notify: Failed to send DsReplicaSync to bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at for DC=ad,DC=tao,DC=at - NT_STATUS_INVALID_PARAMETER : WERR_INVALID_PARAM

The few google results for this seem to indicate DNS issues, but I'm not
sure where those should come from. The servers in question resolve
graz-dc-1b.ad.tao.at as well as
bcffbad8-1add-46b9-bf69-90e52c0f09ea._msdcs.ad.tao.at to the correct IP.
Same goes for _kerberos.* and the other SRV records in _msdcs. and the
AD domain itself.

Any ideas where else to look?

