When dynamically re-registering DNS, the DNS client attempts to send a secure dynamic update only when a non-secure dynamic update has been refused.

Using REG.EXE, built into Windows XP and Windows Server 2003, or from the Windows 2000 Support Tools, I have scripted CFGSNSDNS.bat to configure a DNS client to send secure updates only, non-secure updates only, or the default, described above.

The syntax for using CFGSNSDNS.bat is:

CFGSNSDNS X

Where X is:

<b>D -</b> The default, send a secure dynamic update only when a non-secure dynamic update has been refused.

<b>S -</b> Send secure updates only.

<b>N - </b>Send non-secure updates only.
NOTE: You must shutdown and restart your client for this entry to become effective.

NOTE: See Your Windows Server 2003 domain controller System event log records event ID 5774?

CFGSNSDNS.bat contains:

@echo off
setlocal
if \{%1\}==\{\} goto err
set type=%1
if /i "%type%" EQU "D" set X=0&goto setit
if /i "%type%" EQU "N" set X=16&goto setit
if /i "%type%" EQU "S" set X=256&goto setit
goto err
:setit
call :quiet>nul 2>&1
endlocal
goto :EOF
:quiet
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V UpdateSecurityLevel /T REG_DWORD /F /D %X%
goto :EOF
:err
@echo Syntax: CFGSNSDNS Type
endlocal