The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server

Hi Experts,

Periodically our PDC issues EventID 4 "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server **** The target name used was ldap/****.***.com.au/***.com.au@***.COM.AU. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (***.COM.AU) is different from the client domain (***.COM.AU), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server."

We can then see this error replicated on the other domain controllers and more importantly to our Exchange Servers. At that point we can no longer authenitcate Outlook clients and email essentially stops working. From what I've read this is related to the machine password being updated and not replicating properly. I've done some digging as to why that would be and checked all DNS settings which seem to be fine. No issues reported with AD replication either. I think restarting the KCC service resolves the issue but we'd like to understand the root cause.