I try to set up GSS-TSIG but cannot get the DC in my lab to even send signed updates. I restart the "Net Logon" service (for SRV RRs) or run ipconfig /registerdns (A & PTR) to test this.

I can verify with Wireshark that the DC sends plain dynamic updates and if I allow them on the DNS server side (using an IP-based ACL) the DDNS updates do succeed.

As soon as I only allow GSS-TSIG signed updates on the DNS server side the DC again sends plain dynamic updates but when being refused it just does not attempt to use Secure Dynamic Updates (GSS-TSIG) at all. The default behaviour should be to attempt Secure Dynamic Updates when "Unsecure" Dynamic Updates are refused.

If I enforce Dynamic Updates to be "Secure only" (either via Registry Key or GPO) on the DC side it does not send any Dynamic Updates at all when restarting the Net Logon service.

I don't find any Kerberos-related errors when enabling debugging for the Net Logon Service. Also it it possible to use "klist get DNS/ibdns.fqdn" from a command shell to get a ticket into the Kerberos Ticket Cache which can be displayed with "klist" on the DC, so the Principal Name for the DNS Service has been correctly set for the corresponding user when running ktpass.

I ran out of ideas what might prevent the DC from even attempting to use GSS-TSIG updates. And yesI did

• delete and re-add the AD users for the DNS service
• export the keytab with different crypto settings (AES256-SHA1 and RC4-HMAC-NT)
• reboot the DC multiple times
• a fresh installation of the DC
• installed the latest updates from Microsoft

This is on Windows 2022 with 2016 functional level.Any ideas what to check are welcome.