I upgraded to 4.3.0 and I checked with System Diagnostic my DC Master server:
Critical: Check kerberos authenticated DNS update Errors occured while running `kinit` or `nsupdate`. `kinit` for principal dns-hostname with keytab /var/lib/samba/private/dns.keytab failed.
I ckecked with:
kinit --password-file=/etc/machine.secret $(hostname)\$ klist
and everything is OK
Do you think is false positive (like here Critical: Check kerberos authenticated DNS update) even if is on a Master DC role?