Looking for kpasswd_server is a bad idea because of AD. In practice it doubles the number of account lockout attempts when you give a bad password. We had a fairly long design discussion that led to the current logic. However, I thought we did look for master KDCs with admin_server.