Network and Storage Protocols
I have a test lab with the ONTAP simulator at version 9.13.1, and Microsoft published Windows Server 2025 last month, so I want to test ONTAP with the new OS.
1. Windows Server 2025 is installed and the Active Directory service is installed.
2. During the cifs create procedure, it shows an error: Machine account creation procedure failed.
3. From the Wireshark capture, it shows kpasswd replied with an error.
The user account in this KB used to add a computer account is using an incorrect password:
Machine Account Creation Procedure Failed - KRB5KDC_ERR_PREAUTH_FAILED - NetApp Knowledge Base
Or the user credentials are incorrect:
Machine account creation procedure failed with KRB5_REALM_UNKNOWN error - NetApp Knowledge Base
If you check Interoperability Matrix for CIFS, Windows 2025 Server is not yet listed, so the validation is not executed yet.
The error is pointing to a duplicate/reused account on Domain Controller for the SVM.
Please retry posting the full secd log for the cifs create call to understand the reason for the failure.
Thanks for your reply. I don't know how to collect the full secd log; below are the logs I collected.
ontap_913::*> event log show -node ontap_913-01 -event secd*
Time Node Severity Event
------------------- ---------------- ------------- ---------------------------
12/5/2024 01:34:17 ontap_913-01 ERROR secd.unexpectedFailure: Unexpected SecD failure in Vserver "svm_s3". Details: Error: Machine account creation procedure failed
[ 8142] Loaded the preliminary configuration.
[ 8216] Created a machine account in the domain
[ 8219] SID to name translations of Domain Users and Admins completed successfully
[ 8220] Successfully connected to ip 8.47.176.15, port 88 using TCP
[ 8223] Successfully connected to ip 8.47.176.15, port 464 using TCP
[ 8298] FAILURE: Kerberos password set for 'NETAPP2$@WIN2025AD.COM' failed with Message stream modified (KRB5KRB_AP_ERR_MODIFIED)
[ 8313] Deleted existing account 'CN=NETAPP2,CN=Computers,DC=win2025ad,DC=com'
[ 8313] Retry requested, but the retry window (7000 ms) has expired; giving up.
12/5/2024 01:34:08 ontap_913-01 NOTICE secd.conn.auth.failure: Vserver (svm_s3) could not make a connection over the network to server (ip 8.46.176.15, port 389). Error: Network is unreachable (Operation: AnonymousBind).
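An added example (not part of the thread and not NetApp tooling) that triages a secd join trace like the one posted above: it finds the first FAILURE step, extracts the Kerberos error code and principal, and attributes the failure to the service most recently connected to. The function name, the service labels and the summary fields are this example's own assumptions; the sample lines are copied from the post.

```python
import re

# Trace lines as posted in the event log output above (bracketed numbers are ms offsets).
SAMPLE_TRACE = """\
[ 8142] Loaded the preliminary configuration.
[ 8216] Created a machine account in the domain
[ 8219] SID to name translations of Domain Users and Admins completed successfully
[ 8220] Successfully connected to ip 8.47.176.15, port 88 using TCP
[ 8223] Successfully connected to ip 8.47.176.15, port 464 using TCP
[ 8298] FAILURE: Kerberos password set for 'NETAPP2$@WIN2025AD.COM' failed with Message stream modified (KRB5KRB_AP_ERR_MODIFIED)
[ 8313] Deleted existing account 'CN=NETAPP2,CN=Computers,DC=win2025ad,DC=com'
[ 8313] Retry requested, but the retry window (7000 ms) has expired; giving up.
"""

STEP = re.compile(r"^\[\s*(\d+)\]\s+(.*)$")
CONNECT = re.compile(r"connected to ip ([\d.]+), port (\d+) using (\w+)")
KRB_CODE = re.compile(r"\((KRB5\w+)\)")
PRINCIPAL = re.compile(r"for '([^']+)'")
# Well-known ports an AD join touches; the labels are this example's own.
SERVICES = {88: "kerberos-kdc", 389: "ldap", 445: "smb", 464: "kpasswd"}

def triage(trace):
    """Return a summary of the first FAILURE step in a secd trace, or None."""
    last_conn, summary = None, None
    state = {"account_created": False, "account_deleted": False, "retry_exhausted": False}
    for raw in trace.splitlines():
        m = STEP.match(raw.strip().lstrip("*"))  # tolerate forum bold markers
        if not m:
            continue
        offset_ms, msg = int(m.group(1)), m.group(2)
        conn = CONNECT.search(msg)
        if conn and summary is None:
            last_conn = (conn.group(1), int(conn.group(2)))  # connection preceding the failure
        elif msg.startswith("Created a machine account"):
            state["account_created"] = True
        elif msg.startswith("Deleted existing account"):
            state["account_deleted"] = True  # secd rolled back the half-created account
        elif "retry window" in msg and "expired" in msg:
            state["retry_exhausted"] = True
        elif msg.startswith("FAILURE:") and summary is None:
            code, princ = KRB_CODE.search(msg), PRINCIPAL.search(msg)
            server, port = last_conn or (None, None)
            summary = {"offset_ms": offset_ms, "error": code.group(1) if code else None,
                       "principal": princ.group(1) if princ else None, "server": server,
                       "service": SERVICES.get(port, "unknown")}
    return {**summary, **state} if summary else None

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

For the posted trace the summary points at the kpasswd exchange on port 464, after the machine account was already created and before secd deleted it again.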
It seems there is a problem on the Microsoft side with kpasswd (Kerberos password change service), and it is being investigated by Microsoft at the moment.
Any updates on this problem? The suggested workaround of selecting a different preferred DC only works for already domain-joined SVMs.
Unfortunately we have to wait for Microsoft to provide a fix
Preferred DC and discovery modes can be set even before cifs server creation (like the security settings)
There are people reporting that in the WS2025 September update this kpasswd bug might be resolved (see https://gitlab.freedesktop.org/realmd/adcli/-/issues/40).
Could that mean that this problem (also described in https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-Issues/CONTAP-347583) has been finally resolved?