[Samba] Client update of DNS records denied

[Roy Eastwood]

AD domain with 2 samba DCs and a number of samba member fileservers.    Windows 10 member workstations in the domain fail to update
their DNS records and regularly produce error messages in the log on one of the DCs:

client @0x7f5ccc11d960 192.168.2.61#51132: update 'microlynx.org/IN' denied
client @0x7f5ccc11d960 192.168.2.61#50486: update '2.168.192.in-addr.arpa/IN' denied

Thinking that the client cannot update the records because it didn't own them, I deleted the DNS entry for the workstation in DNS
and issued the command 'ipconfig /registerdns' on one of the Windows 10 machines.   This failed and the logs above were repeated.

The dns backend is Bind9_DLZ.   named.conf.options on the DC is as follows:
options {
	directory "/var/cache/bind";

	auth-nxdomain yes;
	notify no;
	empty-zones-enable no;

	allow-query { 127.0.0.1; 192.168.2.0/24; };
	allow-update { 127.0.0.1; 192.168.2.0/24; };
	allow-recursion { 127.0.0.1; 192.168.2.0/24; };
	allow-transfer { none; };

	listen-on port 53 { any; };
	listen-on-v6 port 53 { none; };

	forwarders {
		192.168.2.1;	// asus router
	};

	dnssec-enable no;
	dnssec-validation no;

	// for updates to AD zone
# self-compiled version:	tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
	tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
	minimal-responses yes;
};

The smb.conf on the DC is as follows:
[global]
	netbios name = TIGER-DB
	realm = MICROLYNX.ORG
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = MICROLYNX
# prevent CUPS errors in syslog
	printcap name = /dev/null
	load printers = no

# disable smb1
# these are now defaults in version 4.11.x
#	client min protocol = smb2_02
#       server min protocol = smb2_02

# add the following two lines for testing - remove for production
#	winbind enum users = yes
#	winbind enum groups = yes
	
#	following added to see if it prevents smbd from starting (as it does on pi4b)
#	yes it does!
#	bind interfaces only = yes
#	interfaces = lo br0

# allow clients to update their DNS records - not working!
	allow dns updates = nonsecure

# allow AD users to log on
	template shell = /bin/bash
	template homedir = /home/%D/%U
	
	winbind refresh tickets = yes

	log file = /var/log/samba/log.samba
	log level = 1

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/microlynx.org/scripts
	read only = No

OS is Debian Buster, samba is version 4.12.3 (Louis' repo).

Any suggestions on how to get this working?

TIA,

Roy