Yes Brian, that is the issue. Thanks for the link and for the help!
I've tried the first recommendation to fix it (Point the SEPM server to the FQDN of a specific domain controller or LDAP server...) without success.
Disabling security connection fixed the problem, but now I want to try the second solution, "disable Endpoint Identification for directory server connections". In the first line of this workaround, "Disable tamper protection on the client" is listed. Disable tamper protection on which client?