I have recently run into a number of situations where a domain controller develops an issue with issuing Kerberos keys, resulting in Event ID 4 from Security-Kerberos with the text "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ..."
The solution for me was found in this article:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/r…
The steps followed are:
On the broken DC, run the following:
net stop KDC
On a working DC run the following:
Repadmin /replicate brokenDC workingDC dc=domain,dc=domsuffix
e.g., if DC2.contoso.local is broken and DC1.contoso.local is good, you would run: Repadmin /replicate DC2 DC1 dc=contoso,dc=local
On the broken DC, run the following:
net start KDC
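
The three steps above wrapped with a before-and-after check, as an added example that is not part of the original post or the linked article. It assumes an elevated PowerShell session on the broken DC, and that Event ID 4 is written there to the System log under the provider name Microsoft-Windows-Security-Kerberos. The function name Get-KerberosModifiedEvent and the 10-minute wait are made up for illustration.

```powershell
# Added example. Assumptions: elevated session on the broken DC; Event ID 4 is
# written to the System log by provider Microsoft-Windows-Security-Kerberos.
function Get-KerberosModifiedEvent {   # hypothetical helper name
    param([Parameter(Mandatory)][datetime]$Since)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 4
        StartTime    = $Since
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "none".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

# Baseline: how often has the error been logged in the last 24 hours?
$before = @(Get-KerberosModifiedEvent -Since (Get-Date).AddDays(-1))
Write-Host "Security-Kerberos Event ID 4 entries in the last 24 hours: $($before.Count)"

# Step 1 from the post: stop the KDC on the broken DC.
net stop KDC
if ($LASTEXITCODE -ne 0) { Write-Warning "net stop KDC exited with code $LASTEXITCODE" }

# Step 2 is run on the working DC; pause here until it has completed.
Read-Host 'Run the Repadmin /replicate step on the working DC, then press Enter'

# Show inbound replication status so a failed sync is seen before the KDC returns.
repadmin /showrepl

# Step 3 from the post: start the KDC again and note the time of the fix.
$fixTime = Get-Date
net start KDC
if ($LASTEXITCODE -ne 0) { throw "net start KDC exited with code $LASTEXITCODE" }

# Re-check once clients have had time to request new tickets (constructed wait).
Start-Sleep -Seconds 600
$after = @(Get-KerberosModifiedEvent -Since $fixTime)
if ($after.Count -gt 0) {
    Write-Warning "$($after.Count) new Event ID 4 entries since $fixTime"
    $after | Select-Object TimeCreated, MachineName, Message | Format-List
} else {
    Write-Host "No new Security-Kerberos Event ID 4 entries since $fixTime"
}
```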