New users are not authenticated (and are not knows to univention server)

Hi everyone.
I have a UCS server with 2 microsoft domain controller (Windows 2012R2)
all user are replicated on UCS but new users are not.
If I had a new user he/she can not log in UCS server application like nexcloud onlyoffice or whatever. I can not see it in “user” menu.
however the user is availlable with AD and external app, like NAS or email service.
just not in univention.

system diagnostics report a critical problem with kerberos:
CRITICAL: Check kerberos authenticated DNS updates
errors occured while running ‘kinit’ or nsupdate

root@ucs-srv-ad:~# lsb_release -a
No LSB modules are available.
Distributor ID: Univention
Description: Univention Corporate Server 4.4-3 errata443 (Blumenthal)
Release: 4.4-3 errata443
Codename: Blumenthal

root@ucs-srv-ad:~# ucr get server/role

If I do a “getent passwd” with an old user I get his profile, but with a new user I got no response.

don’t know what to do by now, hope to ear from you,