In my example case, there are two ways in which we should alter /etc/resolv.conf. First, the AD server should be the nameserver, in case the regular DNS server is lagging behind w.r.t. the Kerberos DNS records:

nameserver 192.168.85.2
nameserver 192.168.85.3
      

And second, all the servers are not only in the Kerberos realm WSPACE.MYDOMAIN.NL, but also in the domain wspace.mydomain.com. This enables Windows to call them by their short names (i.e. their plain hostnames instead of their FQDNs), and it frequently does. To get rid of the trouble that causes, we add to /etc/resolv.conf:

search wspace.mydomain.com
      

If your resolv.conf is generated by resolvconf, here's how to fix it.