I'm quite aware that it's possible to authenticate local users against
the Kerberos services of Active Directory, but seek a way to detect
what the actual local KDC is in an environment that does not seem to
publish the relevant SRV records for its Active Directory servers.
Does anyone know a graceful way to deduce this, without running a
full-blown nmap across the local network or trying to bother the
Active Directory admins to reveal their secrets?