Monday, October 3, 2011

Updating Dynamic DNS registration after security group membership change

Updating a dynamic DNS record after a computer is added to a group that grants the necessary permission usually requires a restart, because the group membership is carried inside the Kerberos tickets the Network Service account already holds.  An alternative is to purge the Network Service Kerberos ticket cache and restart the DNS Client service, so the next registration is made with a freshly issued ticket.  This procedure was tested on Windows Server 2008 R2:
1. Clear the current list of tickets for the Network Service account (logon ID 0x3e4):
   klist -lh 0 -li 0x3e4 purge
2. Restart the DNS Client service:
   sc stop dnscache
   sc start dnscache

How to refresh Windows 2008 R2 computer group membership without reboot using klist

There are many cases where it is useful to force a server to refresh its group membership without restarting it.  This is a simple task using the klist.exe utility on Windows 2008 R2.  In an elevated command prompt:
1. Retrieve the current list of tickets for the computer account (the Local System logon session, ID 0x3e7):
   klist -lh 0 -li 0x3e7
2. Clear the current list of tickets for the computer account:
   klist -lh 0 -li 0x3e7 purge
Note that the syntax of this command differs from what is reported in many posts on the internet written before the release of Windows 2008 R2.  In Windows 2008 R2 the lh parameter is now required; if it is not specified, klist prints only its usage text.
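Both posts above come down to the same two steps: purge the ticket cache of a service logon session and restart the DNS Client.  The script below is an added example, not code from the original posts; it wraps the purge for both the Network Service (0x3e4) and Local System / computer account (0x3e7) sessions, restarts the service, and counts cached tickets before and after so the result can be checked.  The "Cached Tickets: (N)" line it parses from klist output is an assumption about that tool's output format.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original posts). Assumes klist.exe from Windows
# 2008 R2 or later (where -lh is required) and that klist prints a line of the
# form "Cached Tickets: (N)" for the requested logon session.

function Get-CachedTicketCount {
    param([Parameter(Mandatory)][string]$LogonId)
    # Without "-lh 0" klist on 2008 R2 only prints its usage text
    $out = & klist.exe -lh 0 -li $LogonId 2>&1 | Out-String
    if ($out -match 'Cached Tickets:\s*\((\d+)\)') { return [int]$Matches[1] }
    throw "Unexpected klist output for logon id ${LogonId}:`n$out"
}

function Reset-ServiceKerberosTickets {
    param(
        # 0x3e4 = Network Service, 0x3e7 = Local System (computer account)
        [string[]]$LogonIds = @('0x3e4', '0x3e7'),
        [string]$ServiceName = 'Dnscache'
    )
    foreach ($id in $LogonIds) {
        $before = Get-CachedTicketCount -LogonId $id
        # Purge forces the next Kerberos request to fetch a new TGT whose PAC
        # reflects the current group membership of the account.
        & klist.exe -lh 0 -li $id purge | Out-Null
        $after = Get-CachedTicketCount -LogonId $id
        Write-Host ("Logon {0}: {1} ticket(s) before purge, {2} after" -f $id, $before, $after)
        if ($after -ne 0) { Write-Warning "Purge of logon $id left $after ticket(s)" }
    }
    # Restarting the DNS Client triggers a new secure dynamic update, which
    # requests a fresh service ticket under the Network Service session.
    Restart-Service -Name $ServiceName -Force
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    Start-Sleep -Seconds 5
    # Verification: the Network Service session should hold new tickets again
    $renewed = Get-CachedTicketCount -LogonId '0x3e4'
    Write-Host "Network Service now holds $renewed cached ticket(s)"
    return $renewed
}

Reset-ServiceKerberosTickets
```

If the final count stays at zero, the DNS Client did not attempt a registration (for example, no interface is set to register its address), so the ticket refresh has not yet been exercised.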