Okay, great 
That looks as expected.
Now, how should we proceed … I think it’s necessary to determine if this is a problem of UCS itself or maybe caused by a networking/firewall issue.
- I recommend to update the UCS system to the latest Errata-Level (26). That won’t solve your problem, but Errata 18 contains a critical security fix for Samba.
- Is the pfSense “between” the Windows client and the UCS? If so, please double check your firewall config. I’ve seen UDP packets denied but TCP packets allowed for DNS (port 53), leading to similiar strange responses.
- Please check if you have any S4-Connector-Rejects:
univention-s4connector-list-rejected - Please try to update the relevant DNS entries via this samba command on the UCS:
samba_dnsupdate
Does this change anything? - Try to check the DNS records directly on the UCS. I’ll attach a patched version of a script that will do this (the version delivered with UCS 4.2 has a little flaw causing it to fail, unfortunately. Fix is on the way).
→ copy the attachedcheck_essential_samba4_dns_records.txtto your UCS (usingscpor something like WinSCP or downloading it via the direct link with a commandline tool likewgetorcurl)
→ rename it:mv check_essential_samba4_dns_records.txt check_essential_samba4_dns_records.sh
→ make it executable:chmod +x check_essential_samba4_dns_records.sh
→ execute it:./check_essential_samba4_dns_records.sh
→ copy&paste the output