I joined my FreeNAS box to the AD server the other day, but the join page was a bit confusing and had a field under the server fields, but above the password fields, called 'netbios name', which to me meant the NetBIOS name of the server. Well, the join appeared to work fine until I noticed certain things not working on my main DC. When I asked about this in IRC, I found out that that field should actually contain the NetBIOS name I wanted to join with. So I had completely broken the trust of my main DC to the rest of my system by joining FreeNAS as the name of my main DC. It took a bit of work (and a great deal of help from Andrew Bartlett), but finally I rejoined the DC to the network and got my 2 DCs back in sync. Andrew asked me to file a bug on this stating that dbcheck should make sure that the DC is correct with its own NTDS settings, server and account objects and that it is in sync with secrets.ldb.
We should perhaps also simply refuse to have our own DC account broken by a client connecting to us. This would be a divergence from Windows, but helpful I think.
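As an added illustration (not code from this report or from Samba itself), the following Python models the two checks discussed above over constructed sample records: refusing a join whose NetBIOS name lands on an existing DC's own machine account, and a dbcheck-style verification that our account, server object and NTDS Settings agree with secrets.ldb. The record layouts, DNs and SIDs are made up for the example; only the userAccountControl bit values are real AD constants.

```python
SERVER_TRUST_ACCOUNT = 0x2000       # real AD userAccountControl bit set on a DC's machine account
WORKSTATION_TRUST_ACCOUNT = 0x1000  # real AD bit set on an ordinary member's machine account

def is_dc_account(entry):
    return bool(entry["userAccountControl"] & SERVER_TRUST_ACCOUNT)

def check_join_request(sam, netbios_name):
    """Refuse a join whose NetBIOS name maps onto an existing DC's own machine account."""
    acct = netbios_name.upper() + "$"
    entry = sam.get(acct)
    if entry is None:
        return True, "creating new machine account " + acct
    if is_dc_account(entry):
        return False, acct + " is a domain controller account; refusing to overwrite it"
    return True, "re-joining existing workstation account " + acct

def dbcheck_dc_consistency(sam, servers, secrets):
    """dbcheck-style check: our own account, server object and NTDS Settings
    must exist and agree with what secrets.ldb records about this DC."""
    acct = secrets["sAMAccountName"]
    entry = sam.get(acct)
    if entry is None:
        return ["own machine account %s missing from sam.ldb" % acct]
    problems = []
    if entry["objectSid"] != secrets["objectSid"]:
        problems.append("objectSid of %s differs from secrets.ldb" % acct)
    if not is_dc_account(entry):
        problems.append("%s lacks SERVER_TRUST_ACCOUNT (overwritten by a client join?)" % acct)
    server = servers.get(entry.get("serverReference"))
    if server is None:
        problems.append("%s has no serverReference to a server object" % acct)
    elif not server.get("ntds_settings"):
        problems.append("server object for %s has no NTDS Settings child" % acct)
    return problems

# Constructed sample records (not real directory data).
DC1_SERVER_DN = "CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
SERVERS = {DC1_SERVER_DN: {"ntds_settings": True}}
SECRETS = {"sAMAccountName": "DC1$", "objectSid": "S-1-5-21-1-2-3-1000"}
SAM_HEALTHY = {"DC1$": {"userAccountControl": SERVER_TRUST_ACCOUNT,
                        "objectSid": "S-1-5-21-1-2-3-1000", "serverReference": DC1_SERVER_DN}}
# The failure the report describes: a client joined using the DC's own NetBIOS name and clobbered DC1$.
SAM_BROKEN = {"DC1$": {"userAccountControl": WORKSTATION_TRUST_ACCOUNT,
                       "objectSid": "S-1-5-21-1-2-3-1000", "serverReference": None}}

if __name__ == "__main__":
    print(check_join_request(SAM_HEALTHY, "dc1"))
    print(check_join_request(SAM_HEALTHY, "freenas"))
    print(dbcheck_dc_consistency(SAM_BROKEN, SERVERS, SECRETS))
```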