Force Domain Controller to Re-register AD DNS Records Without Restarting Netlogon
When a Domain Controller fails to register or maintain its AD-specific DNS records (the SRV, CNAME and A records under _msdcs, _sites, _tcp and _udp in the domain and forest zones), clients lose the ability to locate domain controllers. Running 'ipconfig /registerdns' is insufficient: it only re-registers the host's own A and PTR records. The correct fix is 'nltest /DSREGDNS' (optionally with '/SERVER:<name>' to target a remote DC), which makes the netlogon service re-register all of its DNS records immediately, without a service restart. If nltest does not resolve the issue, restarting the netlogon service is the definitive fallback, at the cost of a brief interruption to authentication handled by that DC.
Indicators
- AD-specific DNS SRV, A, or CNAME records are missing or stale on the DNS server
- Domain Controllers not appearing correctly in DNS zones for _msdcs, _tcp, _udp, or _sites
- ipconfig /registerdns runs successfully but AD service records remain absent
- Clients unable to locate domain controllers via DNS lookups
- dcdiag /test:dns reports missing or incorrect DC DNS registrations
- 3rd-party DNS server shows no DC SRV records despite the DC being online
- The DC's System event log shows Netlogon Event ID 5774 (dynamic registration of a DNS record failed)
Likely causes
- Records were removed (for example by DNS scavenging) and the netlogon service has not yet reached its periodic re-registration, which runs approximately hourly (the DnsRefreshInterval netlogon parameter, default 3600 seconds)
- Dynamic DNS registration failed silently during DC startup
- 3rd-party DNS server compatibility issues preventing AD dynamic registration
- Network interruption during a scheduled DNS registration cycle
- DNS zone configuration or permissions preventing dynamic updates from the DC machine account
Diagnostic steps
- Run 'dcdiag /test:dns' on the affected DC to confirm which AD DNS records are missing or incorrectly registered. The complete list of records the DC expects to own is written by netlogon to %SystemRoot%\System32\config\netlogon.dns on that DC; on a 3rd-party DNS server that file is also the reference for any records that have to be created by hand.
- Run 'ipconfig /registerdns' and note that this only re-registers the host's A and PTR records; it does NOT register the AD SRV or CNAME service records, which are owned by netlogon.
- Run 'nltest /DSREGDNS' from an elevated prompt directly on the DC to trigger immediate re-registration of all netlogon-managed DNS records. 'The command completed successfully' confirms that netlogon accepted the request, not that the records landed on the DNS server, so always verify afterwards.
- If executing from another DC or from an admin workstation with the RSAT tools installed, run 'nltest /DSREGDNS /SERVER:<servername>' specifying the target DC by hostname. The account needs administrative rights on the target DC.
- Verify successful registration by inspecting the _msdcs, _tcp, _udp and _sites SRV records associated with the DC on the DNS server, for example with 'nslookup -type=SRV _ldap._tcp.dc._msdcs.<domainname> <dnsserver>'. Allow 60–90 seconds for the update and any replication or zone transfer before checking.
- If nltest /DSREGDNS does not resolve the issue, restart the netlogon service as a definitive fallback: 'net stop netlogon && net start netlogon'. Netlogon re-registers its records on start. The restart briefly interrupts authentication and secure-channel traffic handled by that DC, so confirm other DCs are available or schedule a maintenance window.
- If records still fail to register after a netlogon restart, inspect the DNS zone configuration to confirm secure dynamic updates are permitted from the DC's machine account, check the DC's System log for Netlogon Event ID 5774, and review DNS server logs for rejected update attempts.
Resolution path
- Run 'dcdiag /test:dns' to confirm that AD-specific DNS records (SRV, CNAME, A) are missing or stale on the DNS server.
- Do not rely on 'ipconfig /registerdns' for this problem; it handles only the host's A and PTR records, not the AD service records owned by netlogon.
- Run 'nltest /DSREGDNS' on the affected DC, or 'nltest /DSREGDNS /SERVER:<servername>' from a remote machine, to trigger immediate re-registration of all AD DNS records via netlogon.
- Wait 60–90 seconds then verify the expected SRV and CNAME records appear in the _msdcs, _tcp, _udp, and _sites DNS zones.
- If records are still absent, restart the netlogon service ('net stop netlogon && net start netlogon') as the definitive fallback.
- If the problem recurs, investigate DNS zone dynamic update permissions and 3rd-party DNS server compatibility with AD dynamic registration.
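The diagnostic steps and the resolution path above, as an added PowerShell example that is not part of the original runbook: it reads the record list netlogon itself keeps in netlogon.dns on the DC, checks each record against the DNS server, and only then runs 'nltest /DSREGDNS' and, if records are still missing, the netlogon restart. The hostnames are placeholders; administrative rights on the DC, the DnsClient module (Windows PowerShell 5.1 or later) and WinRM access to the DC for the restart are assumptions.

```powershell
# Added example (not from the original runbook): verify a DC's netlogon DNS records on a DNS server
# and walk the resolution path only if something is missing.
# Assumptions: DnsClient module (Resolve-DnsName), nltest.exe locally, admin rights on the DC,
# WinRM to the DC for the Netlogon restart. All hostnames below are placeholders.

function Read-NetlogonDns {
    # Parse %SystemRoot%\System32\config\netlogon.dns, the records netlogon wants registered.
    # Lines look like: "_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc01.corp.example.com."
    param([Parameter(Mandatory)][string]$Path)
    foreach ($line in Get-Content -Path $Path) {
        if ($line -notmatch '^(\S+)\.\s+\d+\s+IN\s+(A|AAAA|SRV|CNAME)\s+(.+)$') { continue }
        $name, $type = $Matches[1], $Matches[2]
        $fields = $Matches[3].Trim() -split '\s+'
        switch ($type) {
            'SRV'   { $target = $fields[3].TrimEnd('.'); $port = [int]$fields[2] }  # priority weight port target
            'CNAME' { $target = $fields[0].TrimEnd('.'); $port = 0 }
            default { $target = $fields[0];              $port = 0 }               # A/AAAA: the address
        }
        [pscustomobject]@{ Name = $name; Type = $type; Target = $target; Port = $port }
    }
}

function Test-DcDnsRecord {
    # True when $DnsServer answers with the expected record; -DnsOnly/-NoHostsFile bypass the local cache.
    param([Parameter(Mandatory)]$Record, [Parameter(Mandatory)][string]$DnsServer)
    $answers = @(Resolve-DnsName -Name $Record.Name -Type $Record.Type -Server $DnsServer `
                    -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq $Record.Type })   # drop the additional A records an SRV query returns
    switch ($Record.Type) {
        'SRV'   { $hit = $answers | Where-Object { $_.NameTarget -eq $Record.Target -and $_.Port -eq $Record.Port } }
        'CNAME' { $hit = $answers | Where-Object { $_.NameHost -eq $Record.Target } }
        default { $hit = $answers | Where-Object { $_.IPAddress -eq $Record.Target } }
    }
    return [bool]$hit
}

function Repair-DcDnsRegistration {
    param(
        [Parameter(Mandatory)][string]$DomainController,  # FQDN of the DC (placeholder, e.g. dc01.corp.example.com)
        [string]$DnsServer = $DomainController,            # server to check; point at the 3rd-party DNS if that is the issue
        [switch]$CheckOnly,                                # report only, for a scheduled check
        [int]$SettleSeconds = 90                           # time to allow for the update to land
    )
    # netlogon.dns is read over the admin share; it is the authoritative list of what should exist.
    $expected = @(Read-NetlogonDns -Path "\\$DomainController\admin`$\System32\config\netlogon.dns")
    $missing  = @($expected | Where-Object { -not (Test-DcDnsRecord -Record $_ -DnsServer $DnsServer) })
    $missing | ForEach-Object { Write-Warning "Missing on ${DnsServer}: $($_.Name) $($_.Type) -> $($_.Target)" }
    if ($missing.Count -eq 0 -or $CheckOnly) { return $missing }

    # Step 1: have netlogon re-register everything, no service restart. Success output only means
    # the request was accepted, so re-check on the DNS server.
    & nltest.exe /DSREGDNS "/SERVER:$DomainController" | Out-Null
    Start-Sleep -Seconds $SettleSeconds
    $missing = @($missing | Where-Object { -not (Test-DcDnsRecord -Record $_ -DnsServer $DnsServer) })
    if ($missing.Count -eq 0) { Write-Host 'nltest /DSREGDNS restored the missing records'; return $missing }

    # Step 2: fallback. Netlogon re-registers on start; this briefly interrupts auth handled by this DC.
    Invoke-Command -ComputerName $DomainController -ScriptBlock { Restart-Service -Name Netlogon -Force }
    Start-Sleep -Seconds $SettleSeconds
    $missing = @($missing | Where-Object { -not (Test-DcDnsRecord -Record $_ -DnsServer $DnsServer) })
    if ($missing.Count -gt 0) {
        Write-Warning 'Still missing after a Netlogon restart: check secure dynamic update permissions and the DNS server log for rejected updates'
    }
    return $missing
}

# Usage (placeholder names): Repair-DcDnsRegistration -DomainController dc01.corp.example.com -DnsServer dns1.corp.example.com
```

Run it with -CheckOnly against every DC from a scheduled task to get the alerting the Prevention section asks for without touching netlogon; the returned objects are the missing records, so an empty result means the DC is healthy on that DNS server.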
Prevention
- Schedule automated 'dcdiag /test:dns' checks across all DCs and alert on any missing or incorrect AD DNS record registrations.
- Ensure DNS zones used by AD are configured to allow secure dynamic updates from DC machine accounts.
- When using 3rd-party DNS servers, validate compatibility with AD dynamic DNS registration and document any manual record management requirements.
- Monitor the netlogon service health on all DCs via service monitoring tooling and alert on unexpected stops or failures.
- Monitor the System log on every DC for Netlogon Event ID 5774 (dynamic registration failed) and enable DNS server debug logging or event log monitoring to capture and alert on rejected dynamic update attempts from domain controllers.
Tools
- nltest /DSREGDNS
- nltest /DSREGDNS /SERVER:<servername>
- ipconfig /registerdns
- dcdiag /test:dns
- net stop netlogon && net start netlogon