Ryan Bolger

Adventures In Tech

Over the course of my career, I’ve worked with several Active Directory environments that ran the domain’s DNS zones on third-party DNS products like Infoblox or BIND instead of directly on the domain controllers. GSS-TSIG and secure dynamic updates work great with these non-Windows DNS servers when configured properly. But sometimes, getting the settings right can be tricky for the DNS admins, and having a way to trigger a DC’s record registration process while troubleshooting is super helpful.

Introducing Netlogon

Netlogon service in services.msc

The Netlogon service on a DC is ultimately responsible for registering the AD-related DNS records. It will attempt to register the records when it first starts and then repeatedly on a schedule, about once an hour in a default configuration. Thus, restarting the service (or rebooting the OS) is the most common way to force the DC to re-register its records.

Until recently, I thought it was the only way. And that can be an annoying limitation when you’re trying to migrate a production AD environment and don’t want to break authentication on that DC even for a few seconds while the service restarts. But it turns out there’s another way that requires zero downtime for Netlogon.

Nltest has the Answer

I had been fruitlessly searching the web on and off for years for a way to do this before I decided to finally post a Server Fault question asking the wider sysadmin community if they knew. Massimo had the answer for me about 30 min later, nltest /dsregdns.

nltest.exe partial help output

The nltest.exe utility is a diagnostic Swiss Army knife with a veritable smorgasbord of useful functionality that has been around since at least Windows Server 2003. It has so much packed into it that I’m not even surprised I never realized it could help me with this problem. It’s right there in the default help output, plain as day, and I never noticed. Go figure.

/DSREGDNS - Force registration of all DC-specific DNS records
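
When troubleshooting dynamic updates against a non-Windows DNS server, it helps to confirm which records actually landed after the forced registration. The script below is an added example, not code from the original post: it runs nltest /dsregdns on the DC, then compares each record Netlogon lists in its netlogon.dns file against what the DNS server answers. The server address and the wait time are assumptions to replace with your own values.

```powershell
# Added example: run in an elevated session on the domain controller.
param(
    # Assumption: address of the third-party DNS server hosting the AD zones.
    [string]$DnsServer = '192.0.2.53'
)

# Ask Netlogon to re-register its DNS records without restarting the service.
nltest.exe /dsregdns
if ($LASTEXITCODE -ne 0) { throw "nltest /dsregdns exited with code $LASTEXITCODE" }

# Netlogon keeps the records it tries to register in this file, one per line,
# in zone-file form: <name> <ttl> IN <type> <data...>
$recordFile = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'

# Assumption: a short pause is enough for the dynamic updates to be sent.
Start-Sleep -Seconds 15

$results = foreach ($line in Get-Content -Path $recordFile) {
    $fields = $line.Trim() -split '\s+'
    if ($fields.Count -lt 5 -or $fields[2] -ne 'IN') { continue }

    $name     = $fields[0].TrimEnd('.')
    $type     = $fields[3]
    # The last field is the target host (SRV/CNAME) or the address (A/AAAA).
    $expected = $fields[-1].TrimEnd('.')

    # Query the DNS server directly so local caches and other resolvers are bypassed.
    $answers = Resolve-DnsName -Name $name -Type $type -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $type }

    $found = switch ($type) {
        'SRV'   { $answers.NameTarget }
        'CNAME' { $answers.NameHost }
        default { $answers.IPAddress }
    }

    [pscustomobject]@{
        Name       = $name
        Type       = $type
        Expected   = $expected
        Registered = [bool]($found -contains $expected)
    }
}

# Missing records sort first so failures are visible at the top.
$results | Sort-Object Registered, Name | Format-Table -AutoSize
```

Rows with Registered set to False are the records the DNS server did not accept or does not yet serve, which narrows down where the update permissions need attention.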

Wrapping Up

Many thanks to Joel Spolsky and Jeff Atwood for creating Stack Overflow, Server Fault, and the rest of the Q&A sites in the Stack Exchange Network. And even more thanks to the current teams that keep everything running and continually improve the platform. It is a fantastic resource for free knowledge on the web.

I was embarrassingly excited to finally have this answer and kicking myself for not having posted the question years ago. It reminded me that we’re all constantly learning, and you should never be afraid to reach out and ask questions. Even if you don’t get the answer you’re looking for, conversations about the problem almost always lead to better understanding about the subject.
