Some relevant attributes on a dMSA account are msDS-DelegatedMSAState, which indicates whether the migration process is unknown, in progress, or completed; msDS-ManagedAccountPrecededByLink, which indicates the superseded account; and msDS-GroupMSAMembership, which indicates which principals (users, groups, and computers) can authenticate as the account.
Once migration to a dMSA account is complete, any machine that authenticates as the superseded service account will receive from Domain Controller an error indicating that the old account was disabled, along with a KERB-SUPERSEDED-BY-USER field to indicate the dMSA that replaced it. The machine will then retry authentication as the dMSA to obtain an authenticated session ticket that allows them to perform the action.
This is where the Key Distribution Center (KDC) comes into play. In the Kerberos protocol, which AD uses, the KDC ensures secure access to network resources by verifying user identities, granting them access based on their permissions.
