Dynamic DNS updates
For our NT 4.0 domain, I have our primary DNS server on Windows 2003. I recently added a pristine AD domain, but trusted with the PDC, and it's set up to use the 2003 DNS server, the PDC WINS server. When I was preparing it, I temporarily enabled dynamic updates to allow the AD wizard to add its "AD" records to the zone file. Then I turned it off.
It was all good but now I see events logs at the AD machine that it can't do dynamic update.
Is there a way to "whitelist" the AD machine, which is on the same subnet, for dynamic updates? The steps described in the KB are just beyond my basic "AD" knowledge at this point, and it wants new setups of a DHCP server and/or another DNS server, which seems a bit much for this.
Are my choices just filtering it (update requests on port 53) at the Ethernet firewall, or having some DNSCMD script take the %systemroot%\system32\config\NETLOGON.DNS generated for the new update recorded in the auto-update event failure description?
TIA
Hector Santos, http://www.santronics.com
Via Wildcat! Live Exchange NNTP Gateway http://opensite.winserver.com
February 20th, 2011 11:40pm
Hi,
Thanks for the post.
Please understand that when a Windows Server 2003 or later based domain controller starts up, the Net Logon service uses dynamic updates to register SRV and A resource records in the DNS database. You can use a text editor, such as Microsoft Notepad, to view %systemroot%\system32\config\NETLOGON.DNS.
In this case, you could make a VBScript to query the desired records from this file.
For more information about DNS and Active Directory, please refer to the following articles:
http://support.microsoft.com/kb/816587
http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx
Hope this helps.
Miles
February 22nd, 2011 12:14pm
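The script idea in the reply above (and the "DNSCMD script" option in the question), worked out as an added example that is not code from the thread: it parses the NETLOGON.DNS file that Net Logon writes and turns every record into a `dnscmd /RecordAdd` command, so the DC's records can be added by hand to a zone that keeps dynamic updates disabled. The server name `dns1.example.com`, the zone list, and the sample file content are assumptions constructed for illustration; the sample is only used when the real file is absent on the machine running the script.

```powershell
# Added example, not code from the thread. Reads the records that Net Logon
# writes to %systemroot%\system32\config\netlogon.dns and emits one
# "dnscmd /RecordAdd" command per record, for a DNS server whose zone keeps
# dynamic updates disabled. Assumed for illustration: the server name, the
# zone list and the constructed sample below (used only if the file is missing).
param(
    [string]   $DnsServer = 'dns1.example.com',
    [string[]] $Zones     = @('ad.example.com', '_msdcs.ad.example.com'),
    [string]   $Path      = "$env:SystemRoot\system32\config\netlogon.dns",
    [switch]   $Execute   # without this switch the commands are only printed
)

# Constructed sample in netlogon.dns format: owner TTL IN type rdata
$sample = @'
ad.example.com. 600 IN A 192.0.2.10
_ldap._tcp.ad.example.com. 600 IN SRV 0 100 389 dc1.ad.example.com.
_kerberos._tcp.ad.example.com. 600 IN SRV 0 100 88 dc1.ad.example.com.
_ldap._tcp.dc._msdcs.ad.example.com. 600 IN SRV 0 100 389 dc1.ad.example.com.
gc._msdcs.ad.example.com. 600 IN A 192.0.2.10
8f3a1c2e-0000-4000-8000-0123456789ab._msdcs.ad.example.com. 600 IN CNAME dc1.ad.example.com.
'@

function Split-Owner {
    # Map an owner name onto the longest zone that is a suffix of it and return
    # the zone plus the node name relative to it ('@' for the apex), or $null.
    param([string]$Owner, [string[]]$ZoneList)
    $o = $Owner.TrimEnd('.')
    foreach ($z in ($ZoneList | Sort-Object Length -Descending)) {
        if ($o -eq $z) { return @($z, '@') }
        if ($o.EndsWith(".$z")) { return @($z, $o.Substring(0, $o.Length - $z.Length - 1)) }
    }
    return $null
}

$lines = if (Test-Path $Path) { Get-Content $Path } else { $sample -split "`r?`n" }

foreach ($line in $lines) {
    $f = $line.Trim() -split '\s+'
    # Skip blank lines and anything that is not "owner TTL IN type rdata".
    if ($f.Count -lt 5 -or $f[2] -ne 'IN') { continue }
    $hit = Split-Owner -Owner $f[0] -ZoneList $Zones
    if (-not $hit) { Write-Warning "No zone for $($f[0]) on $DnsServer; skipped"; continue }
    $zone, $node = $hit
    $ttl   = $f[1]
    $type  = $f[3]                   # A, SRV or CNAME in practice
    $rdata = $f[4..($f.Count - 1)]   # A: address; SRV: priority weight port target; CNAME: target
    # dnscmd takes the node relative to the zone, then TTL, type and rdata fields.
    $cmdArgs = @($DnsServer, '/RecordAdd', $zone, $node, $ttl, $type) + $rdata
    if ($Execute) { & dnscmd @cmdArgs } else { "dnscmd $($cmdArgs -join ' ')" }
}
```

Run it without `-Execute` first and review the printed commands. Records added this way are static: they are not refreshed or scavenged, they must be regenerated whenever the DC's address or its `_msdcs` GUID changes, and Net Logon will keep logging its update failure because it still attempts the dynamic update on every start. The other option raised in the question, filtering port 53 at the firewall, is not a substitute: dynamic updates and ordinary queries share that port, so a filter would block the DC's lookups as well.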
Hi Miles,
The solution for us was
1) Add an internal DNS on the AD machine for it to do its updates and have this DNS forward any external request to our public DNS server, which is locked down to disallow updates.
I should note adding the DNS role to the AD machine was automated with its setup and IP changes to the machine. Make sure you select the first wizard option of creating a forwarding+roots zone. It did everything, including changing the machine's DNS client IP to point to itself. It also set the DNS forwarding IP and set secure updates only for this private-side DNS server.
2) Then at the public DNS server machine, we added a delegated zone to the AD domain.
Issue resolved (for us).
Many thanks to Ace Fekay.
Hector Santos, http://www.santronics.com
Via Wildcat! Live Exchange NNTP Gateway http://opensite.winserver.com
February 27th, 2011 8:58am
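The two steps in the resolution above, written out as dnscmd commands; this is an added example, not the thread's own commands or the wizard's output. Every name and address is an assumption for illustration: AD domain `ad.example.com` on DC `dc1` at 192.0.2.10 with an adapter named "Local Area Connection", public zone `example.com` on `dns1.example.com` at 192.0.2.1. dnscmd and nltest come with the Windows Server 2003 Support Tools and are built into later releases; run as a DNS administrator.

```powershell
# Added example, not from the thread: steps 1 and 2 of the resolution as dnscmd
# commands. All names and addresses are assumed for illustration.
$AdZone    = 'ad.example.com'
$DcName    = 'dc1.ad.example.com'
$DcIp      = '192.0.2.10'
$Nic       = 'Local Area Connection'   # the DC's adapter name
$PubZone   = 'example.com'
$PubDns    = 'dns1.example.com'
$ForwardTo = '192.0.2.1'               # address of the public DNS server

# --- Step 1: private DNS on the DC (run on the DC itself) ---
# AD-integrated zones for the domain and for _msdcs (kept separate, as the
# promotion wizard does), accepting secure dynamic updates only.
# /AllowUpdate values: 0 = none, 1 = nonsecure and secure, 2 = secure only.
dnscmd $DcName /ZoneAdd $AdZone /DsPrimary
dnscmd $DcName /ZoneAdd "_msdcs.$AdZone" /DsPrimary
dnscmd $DcName /Config $AdZone /AllowUpdate 2
dnscmd $DcName /Config "_msdcs.$AdZone" /AllowUpdate 2
# Forward everything this server is not authoritative for to the public server.
# /Slave: do not fall back to root hints when the forwarder does not answer.
dnscmd $DcName /ResetForwarders $ForwardTo /Slave
# Point the DC's own DNS client at itself, then re-register its locator records.
netsh interface ip set dns "name=$Nic" source=static "addr=$DcIp"
nltest /dsregdns

# --- Step 2: public DNS server ---
# The public zone stays closed to updates; delegate the AD subzone to the DC
# with an NS record and a glue A record for the name server.
dnscmd $PubDns /Config $PubZone /AllowUpdate 0
dnscmd $PubDns /RecordAdd $PubZone ad NS $DcName
dnscmd $PubDns /RecordAdd $PubZone dc1.ad A $DcIp

# --- Checks ---
# The private zone should show "update = 2"; the DC locator SRV record should
# resolve from the DC itself, which is what Net Logon registered.
dnscmd $DcName /ZoneInfo $AdZone | findstr /i "update integrated"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$AdZone" $DcIp
```

One thing to weigh before step 2: a delegation on a server that answers Internet queries publishes the DC's name and address to anyone who asks, so if the public server is truly public, an internal-only resolver (or a conditional forwarder on the internal side) may be the better place for it. On Windows Server 2012 and later the same configuration is available through the DnsServer module (`Add-DnsServerPrimaryZone -DynamicUpdate Secure`, `Add-DnsServerForwarder`, `Add-DnsServerZoneDelegation`).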
I'm glad to have help! :-)
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
February 27th, 2011 8:58pm