When dynamically re-registering DNS, the DNS client attempts to send a secure dynamic update only when a non-secure dynamic update has been refused.

Using REG.EXE, built into Windows XP and Windows Server 2003, or from the Windows 2000 Support Tools, I have scripted CFGSNSDNS.bat to configure a DNS client to send secure updates only, non-secure updates only, or the default, described above.

The syntax for using CFGSNSDNS.bat is:

CFGSNSDNS X

Where X is:

D - The default, send a secure dynamic update only when a non-secure dynamic update has been refused.                              S - Send secure updates only.                              N - Send non-secure updates only.
NOTE: You must shutdown and restart your client for this entry to become effective.

NOTE: See Your Windows Server 2003 domain controller System event log records event ID 5774?

CFGSNSDNS.bat contains:

@echo off                              setlocal                              if \{%1\}==\{\} goto err                              set type=%1                              if /i "%type%" EQU "D" set X=0&goto setit                              if /i "%type%" EQU "N" set X=16&goto setit                              if /i "%type%" EQU "S" set X=256&goto setit                              goto err                              :setit                              call :quiet>nul 2>&1                              endlocal                              goto :EOF                              :quiet                              REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V UpdateSecurityLevel /T REG_DWORD /F /D %X%                              goto :EOF                              :err                              @echo Syntax: CFGSNSDNS Type                              endlocal