ok another step:
I exported the principal via samba-tools and then imported it with ktutil copy /tmp/samba_export.keytab /etc/krb5.keytab. restarted slapd it was working but still I think this shouldn’t happened at all after takeover…can somebody from univention comment on this please ? I’m happy to provide a bug report if it is really a bug…