Since upgrading my OD master and replicas from 10.3.9 to 10.4.2, the Password Service pegs both processors on the OD master for 8-10 minutes whenever a password is changed. Doesn't matter whether the password is changed from WGM, terminal, or managed client. No crashes occur, nothing written to System log, all else seems normal. The following consistent System log entries are also new since the update.
Upon Startup:
Jul 15 14:04:27 msusserver mDNSResponder: Update _kerberos._udp.MSUSSERVER.COLLEGIATE-VA.ORG. failed with rcode 4
Jul 15 14:04:27 msusserver mDNSResponder: Registration of record _kerberos._udp.MSUSSERVER.COLLEGIATE-VA.ORG. type 33 failed with error -65537
Jul 15 14:04:51 msusserver mDNSResponder: Update _kerberos._tcp.MSUSSERVER.COLLEGIATE-VA.ORG. failed with rcode 4
Jul 15 14:04:51 msusserver mDNSResponder: Registration of record _kerberos._tcp.MSUSSERVER.COLLEGIATE-VA.ORG. type 33 failed with error -65537
5-10 times per minute, all the time:
Jul 13 12:05:19 msusserver DirectoryService[39]: GSSAPI Error: Miscellaneous failure (Server not found in Kerberos database)
Other details:
-use "Standard" authentication, not Kerberos, no services Kerberized since upgrade
-all OD processes running as usual
-no dns or name changes made in the upgrade
-forward and reverse lookups come back normal
-appropriate server records exist when requesting "listprincs" from kadmin.local
-edu.mit.Kerberos file and kdc.conf look normal