It seems that, when setting up a Kerberos realm in CDOT, in the case where the KDC is really Active Directory, I cannot include a second(ary) Domain Controller into the realm as a potential failover. Am I mistaken or is this not really a concern?
Configuring a Kerberos Realm

A Kerberos realm is needed so that the cluster knows how to format Kerberos ticket requests. Doing so is similar to configuring /etc/krb5.conf on NFS clients. To create a Kerberos realm, use the following example as a guide for the command to run on the SVM hosting the NFS server:
Note: The IP addresses specified in the Kerberos-realm commands are used only during creation of the machine account object or SPN; these IP addresses are not used for actual Kerberized NFS traffic. Therefore, there is no need to worry about failover or DNS aliases for these commands. KDC failover for Kerberized traffic is handled using DNS SRV records. For more information, see the section “Domain Controller Redundancy and Replication.”
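The note above says KDC failover for Kerberized traffic relies on DNS SRV records. As an added example (not part of the original post or of the quoted documentation), the script below checks `dig +short SRV _kerberos._tcp.<realm>` output to confirm that more than one KDC is published; the sample lines, the realm `example.com` and the host names are constructed placeholders.

```python
# Added example. SAMPLE_SRV is constructed output in the shape produced by
# `dig +short SRV _kerberos._tcp.example.com`; host names are placeholders.
# Fields per RFC 2782: priority weight port target.
SAMPLE_SRV = """\
0 100 88 dc1.example.com.
0 100 88 dc2.example.com.
10 100 88 dc3.example.com.
"""

def parse_srv(text):
    """Parse `dig +short SRV` lines into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue
        prio, weight, port = (int(p) for p in parts[:3])
        records.append({"priority": prio, "weight": weight,
                        "port": port, "target": parts[3].rstrip(".").lower()})
    return records

def failover_tiers(records):
    """Group targets by priority; lower priority values are tried first."""
    tiers = {}
    for r in records:
        tiers.setdefault(r["priority"], []).append(r["target"])
    return [sorted(set(tiers[p])) for p in sorted(tiers)]

def check_redundancy(records, port=88):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    targets = {r["target"] for r in records}
    if not targets:
        findings.append("no SRV records: clients cannot locate a KDC via DNS")
    elif len(targets) == 1:
        findings.append("single KDC published: no failover target")
    for r in records:
        if r["port"] != port:
            findings.append(
                f"{r['target']} advertises port {r['port']}, expected {port}")
    return findings

if __name__ == "__main__":
    recs = parse_srv(SAMPLE_SRV)
    print(failover_tiers(recs))
    print(check_redundancy(recs) or "redundant KDC set published")
```
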
Uhh, thanks, Mjizzini, but I already have a working Kerberos config. I'm asking about the possibility of configuring in a "secondary" KDC server in an Active Directory environment (since they would effectively be the same trust "zone").