Roy Eastwood
2018-Feb-26 21:18 UTC
[Samba] DNS update errors after a second DC is added to domain
Hi,

I have a test system consisting of two Samba 4.7.5 DCs and a member server based on Gentoo 4.9.76-gentoo-r1. Both servers are using SAMBA_INTERNAL DNS.

When I added the second DC to the domain, the join went OK with no errors reported, but the log shows errors relating to DNS updates, and the SRV records etc. for the new DC have not been created. Running samba_dnsupdate on the new DC results in "Failed update of 26 entries", all with NOTAUTH(BADSIG) errors (also TSIG errors, but I understand that's to be expected as the internal DNS server doesn't support TSIG).

The log on the original DC shows these errors:

[2018/02/26 21:08:10.634806, 1] ../auth/kerberos/gssapi_helper.c:388(gssapi_check_packet)
  GSS VerifyMic failed: A token had an invalid MIC: unknown mech-code 2529638943 for mech 1 2 840 113554 1 2 2
[2018/02/26 21:08:10.634820, 0] ../source4/auth/gensec/gensec_gssapi.c:1344(gensec_gssapi_check_packet)
  gssapi_check_packet(hdr_signing=0,sig_size=28,data=171,pdu=171) failed: NT_STATUS_ACCESS_DENIED

Any help trying to resolve this will be appreciated,

Roy