We have a Samba 4.1.16 (Sernet packages) DC running under Ubuntu 14.04 and tested sssd's AD authentication on a Linux client (Ubuntu 14.04).
We made a mistake configuring sssd and set the DC's hostname under the ad_hostname setting (which should be the clients hostname). After that the DC was no longer working properly (no shares, kerberos, ...) because the registration of the client with the DC's hostname changed the DNS A record the DC itself.
IMO this should not be possible and samba should protect it's own DNS record against manipulation by client machines.
Is this any different in Windows? It would be good to work out the mechanism.
BTW, you can seriously damage a Samba or Windows AD DC by changing it's own password from a client joining with the same name (using the admin credentials).