How to Force Re-registration of AD DNS Records Without Netlogon Service Restart



When working with Active Directory environments that use third-party DNS servers, administrators often encounter situations where critical SRV records (_ldap._tcp.dc._msdcs, _kerberos._tcp, etc.) fail to properly register or update. The standard ipconfig /registerdns command only handles the host's A/PTR records, leaving the essential AD-specific records untouched.

The Netlogon service handles automatic registration of these records during:

  • Service startup
  • Every 60 minutes by default
  • When detecting network changes

The registry key controlling this interval is found at:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DnsRefreshInterval
(default value 0x36EE80 = 3,600,000 ms = 1 hour)

Instead of restarting Netlogon or rebooting, use this PowerShell approach:

# Method 1: Trigger Netlogon DNS registration through the Netlogon control API
# (the same call nltest /dsregdns makes; run in an elevated session on the DC)
$signature = @'
[DllImport("netapi32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
public static extern uint I_NetLogonControl2(
    string serverName,
    uint functionCode,
    uint queryLevel,
    IntPtr data,
    out IntPtr buffer);

[DllImport("netapi32.dll")]
public static extern uint NetApiBufferFree(IntPtr buffer);
'@
$Netapi32 = Add-Type -MemberDefinition $signature -Name "Netapi32" -Namespace "Win32" -PassThru
$SERVER_NAME = $null                   # null = local machine
$NETLOGON_CONTROL_FORCE_DNS_REG = 11   # function code 0xB (MS-NRPC): re-register this DC's DNS records
$NETLOGON_INFO_LEVEL_1 = 1             # query level 1: the call returns a NETLOGON_INFO_1 buffer
$buffer = [IntPtr]::Zero
$result = $Netapi32::I_NetLogonControl2($SERVER_NAME, $NETLOGON_CONTROL_FORCE_DNS_REG, $NETLOGON_INFO_LEVEL_1, [IntPtr]::Zero, [ref]$buffer)
if ($result -ne 0) {
    Write-Warning "Failed to trigger DNS registration (Error: $result)"
}
if ($buffer -ne [IntPtr]::Zero) {
    $null = $Netapi32::NetApiBufferFree($buffer)   # release the NETLOGON_INFO_1 buffer
}

For cases where PowerShell isn't available, consider these approaches:

# Method 2: Using nltest.exe
nltest /dsregdns

# Method 3: Manual registration via dnscmd (manages Microsoft DNS Server only; replace dc1 with the DC's host name)
dnscmd /recordadd %USERDNSDOMAIN% _ldap._tcp SRV 0 0 389 dc1.%USERDNSDOMAIN%.
dnscmd /recordadd %USERDNSDOMAIN% _kerberos._tcp SRV 0 0 88 dc1.%USERDNSDOMAIN%.

After triggering registration, verify with:

# Check DNS registration
nslookup -type=SRV _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%

# Verify Netlogon operational status
dcdiag /test:dns /v /e /s:%COMPUTERNAME%

If records still don't appear:

  • Ensure the DNS zone allows dynamic updates
  • Enable Netlogon debug logging (written to %SystemRoot%\debug\netlogon.log) with:
    nltest /dbflag:0x2080FFFF
  • Verify network connectivity to DNS servers
  • Confirm proper service principal names (SPNs) are set

When working with Active Directory (AD) environments, proper DNS registration is critical for domain controller (DC) functionality. The Netlogon service handles automatic registration of AD-specific records like SRV, A, and CNAME records in DNS. While ipconfig /registerdns works for basic host records, it doesn't cover the full spectrum of AD DNS records.

While restarting the Netlogon service (or rebooting the DC) forces a full DNS registration pass, this approach has drawbacks:

  • Service interruption during production hours
  • Temporary authentication service disruption
  • Potential impact on replication

You can force DNS record registration without service restart using these methods:

Method 1: Using nltest Utility

The most reliable approach is using the built-in nltest utility:

nltest /dsregdns

This command triggers the same registration process that Netlogon performs during its periodic updates.

Method 2: PowerShell Alternative

For environments where you prefer PowerShell:

# Force DNS registration on every DC via PowerShell
Import-Module ActiveDirectory
# -Filter * returns all DCs; without it only the locator-discovered DC is returned
Get-ADDomainController -Filter * | ForEach-Object {
    # $(...) is required so the property value, not the literal text ".HostName", reaches nltest
    nltest /server:$($_.HostName) /dsregdns
}

After triggering registration, verify the records with:

dcdiag /test:dns /v

Or for specific record checks:

nslookup -type=SRV _ldap._tcp.dc._msdcs.yourdomain.com

For proactive monitoring, consider this PowerShell script that checks and repairs DNS registration:

# DNS Registration Health Check Script
# Checks each DC's A record and its presence in the domain-wide _ldap._tcp.dc._msdcs SRV
# record on every authoritative name server, and re-registers when anything is missing.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$dnsServers = Resolve-DnsName -Name $domain.DNSRoot -Type NS |
    Where-Object { $_.Type -eq 'NS' } |
    Select-Object -ExpandProperty NameHost
$srvName = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"

foreach ($dc in (Get-ADDomainController -Filter *)) {
    $missingRecords = @()

    foreach ($dnsServer in $dnsServers) {
        # Check the host (A) record
        try {
            $null = Resolve-DnsName -Name $dc.HostName -Type A -Server $dnsServer -DnsOnly -ErrorAction Stop
        } catch {
            $missingRecords += "A record missing on $dnsServer"
        }
        # Check that this DC is advertised in the SRV record set
        try {
            $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $dnsServer -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
            $targets = @($srv.NameTarget | ForEach-Object { "$_".TrimEnd('.') })
            if ($targets -notcontains $dc.HostName.TrimEnd('.')) {
                $missingRecords += "SRV $srvName does not list this DC on $dnsServer"
            }
        } catch {
            $missingRecords += "SRV $srvName missing on $dnsServer"
        }
    }

    if ($missingRecords) {
        Write-Warning "DNS issues detected for $($dc.HostName):`n$($missingRecords -join "`n")"
        nltest /server:$($dc.HostName) /dsregdns
    }
}

If records still don't appear after manual registration:

  1. Check DNS server permissions - DCs need write access
  2. Verify secure dynamic updates are enabled in DNS zones
  3. Check for replication delays between DNS servers
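
The verification steps in both walkthroughs above query one or two records by hand. The following script is an added example, not code from the original article: it reads the full list of records that Netlogon intends to register on a DC (Netlogon writes them to %SystemRoot%\System32\config\netlogon.dns in zone-file presentation format) and checks every one of them against every authoritative name server of the domain, which surfaces both failed updates and replication lag between DNS servers (step 3 above). It assumes it runs on the DC itself, that the domain name is available in $env:USERDNSDOMAIN, and that netlogon.dns lines have the shape `<owner> <ttl> IN <type> <rdata...>`; the helper name Get-RecordValues is the example's own.

```powershell
# Added example: compare the records Netlogon intends to register (netlogon.dns)
# with what each authoritative name server of the domain actually answers.
# Assumed netlogon.dns line format (constructed sample):
#   _ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
$netlogonDns = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'
$domainRoot  = $env:USERDNSDOMAIN
$nameServers = Resolve-DnsName -Name $domainRoot -Type NS -ErrorAction Stop |
    Where-Object { $_.Type -eq 'NS' } |
    Select-Object -ExpandProperty NameHost

# Parse netlogon.dns into (Name, Type, Data) triples. For SRV and CNAME the
# last field is the target host; for A/AAAA it is the address.
$expected = Get-Content -Path $netlogonDns | ForEach-Object {
    $parts = @($_.Trim() -split '\s+')
    if ($parts.Count -lt 5 -or $parts[2] -ne 'IN') { return }   # skip blank/odd lines
    [pscustomobject]@{
        Name = $parts[0].TrimEnd('.')
        Type = $parts[3]
        Data = $parts[-1].TrimEnd('.')
    }
}

function Get-RecordValues {
    # Hypothetical helper: normalise Resolve-DnsName answers of one record type
    # to the same string form as the Data field parsed above.
    param($Answers, [string]$Type)
    $raw = switch ($Type) {
        'SRV'   { $Answers.NameTarget }
        'CNAME' { $Answers.NameHost }
        default { $Answers.IPAddress }   # A and AAAA
    }
    return @($raw | Where-Object { $_ } | ForEach-Object { "$_".TrimEnd('.') })
}

# Query each expected record on each name server directly (no cache, no forwarding)
$missing = foreach ($rec in $expected) {
    foreach ($ns in $nameServers) {
        try {
            $answers = Resolve-DnsName -Name $rec.Name -Type $rec.Type -Server $ns -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq $rec.Type }
        } catch {
            $answers = @()   # NXDOMAIN, timeout or unreachable server all count as missing
        }
        if ((Get-RecordValues -Answers $answers -Type $rec.Type) -notcontains $rec.Data) {
            [pscustomobject]@{ NameServer = $ns; Name = $rec.Name; Type = $rec.Type; Expected = $rec.Data }
        }
    }
}

if ($missing) {
    $missing | Format-Table -AutoSize
} else {
    "All netlogon.dns records are present on every name server."
}
```

A record that is missing on one name server but present on the others points at replication or zone-transfer delay rather than a registration failure; a record missing everywhere is the case for nltest /dsregdns. In a child domain, the _msdcs records belong to the forest-root zone, so the name servers to query for those entries are the forest root's, not the ones returned by the NS lookup above.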