Commit 7b4c7e8

authored
Updates from editor
1 parent fad48c5 commit 7b4c7e8

1 file changed

+23
-23
lines changed


support/windows-server/active-directory/problems-with-dc-ad-integrated-dns-zones.md

Lines changed: 23 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: Problems occur with DCs in AD integrated DNS zones
33
description: Describes problems that can occur with many Domain Controllers in Active Directory integrated DNS zones.
4-
ms.date: 04/11/2025
4+
ms.date: 04/14/2025
55
manager: dcscontentpm
66
audience: itpro
77
ms.topic: troubleshooting
@@ -19,7 +19,7 @@ _Applies to:_   Supported versions of Windows Server
1919

2020
Domain Name System (DNS) registrations of SRV and domain controller (DC) locator A records (registered by Netlogon) and NS records (added by the authoritative DNS servers) in an Active Directory-integrated DNS zone for some DCs might not work in a domain that contains a large number of DCs.
2121

22-
For Windows Server 2022 and earlier versions, you can have about 1200 DCs and DNS servers register all DNS records relevant to operate the DNS zones and domains. For Windows Server 2025, you can enable an optional feature that allows about 3200 DCs to register their DNS records. See the [References](#references) section for details.
22+
For Windows Server 2022 and earlier versions, you can have about 1,200 DCs and DNS servers register all DNS records relevant to operating the DNS zones and domains. For Windows Server 2025, you can enable an optional feature that allows about 3,200 DCs to register their DNS records. See the [References](#references) section for details.
2323

2424
One or more of the following error messages might be logged in the Event log:
2525

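Review bot: line 22 still reads as though 1,200 and 3,200 were counts of DCs, while the Cause section attributes the limit to the number of values that can be stored on a single AD object; consider tying the two together, for example "about 1,200 DCs and DNS servers (the per-object value limit described under Cause)". The thousands separators now match the figures in the Cause paragraph, but the Windows Server 2025 "optional feature" is still unnamed here, so the reader must reach the References section to learn how it is enabled.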
@@ -66,21 +66,21 @@ Description: The directory replication agent (DRA) was able to successfully appl
6666

6767
## Cause
6868

69-
In an Active Directory-integrated DNS zone, DNS names are represented by dnsNode objects, and DNS records are stored as values in the multi-valued dnsRecord attribute on dnsNode objects, causing the error messages listed earlier in this article to occur.
69+
In an Active Directory (AD)-integrated DNS zone, DNS names are represented by dnsNode objects, and DNS records are stored as values in the multi-valued dnsRecord attribute on dnsNode objects, causing the error messages listed earlier in this article to occur.
7070

7171
This problem occurs because Active Directory has a limitation of approximately 1,200 values that can be associated with a single object in Windows Server 2022 and earlier versions. For Windows Server 2025, this limit can be lifted to about 3,200 values.
7272

7373
## Resolution
7474

7575
You can use the following methods to resolve this issue.
7676

77-
## Experiencing the problem for the NS records of a zone
77+
## Experiencing the problem with the NS records of a zone
7878

7979
### Method 1
8080

81-
If your DCs are also DNS servers, they all host the AD-integrated zones and all would add themselves to the NS record for the zone by default. If you exceed the limit for nonlinked attributes, updates to the DNS record AD object will fail.
81+
If your DCs are also DNS servers, they all host the AD-integrated zones, and all would add themselves to the NS record for the zone by default. If you exceed the limit for non-linked attributes, updates to the DNS record AD object will fail.
8282

83-
If you want to reduce the list of DNS servers that can add NS records corresponding to themselves to a specified zone, choose a subset of DNS servers and then run **Dnscmd.exe** with the `/AllowNSRecordsAutoCreation` switch. Consider having DCs in the list that are well-connected in the network and well-monitored. It could be a set of DCs running in your central datacenters.
83+
If you want to reduce the list of DNS servers that can add NS records corresponding to themselves to a specified zone, choose a subset of DNS servers and then run **Dnscmd.exe** with the `/AllowNSRecordsAutoCreation` switch. Consider having DCs in the list that are well-connected to the network and well-monitored. This can be a set of DCs running in your central datacenters.
8484

8585
- To set a list of TCP/IP addresses of DNS servers that have permission to automatically create NS records for a zone, use the `/AllowNSRecordsAutoCreation IPList` command. For example:
8686

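Review bot: line 69 still attributes the errors to how records are stored ("... on dnsNode objects, causing the error messages ... to occur"), but the actual cause is the per-object value limit stated in the next paragraph; suggest ending the sentence at "dnsNode objects." and letting line 71 carry the causality. A heading-level point as well: "## Experiencing the problem with the NS records of a zone" (line 77) sits at the same level as "## Resolution" although it is one of Resolution's scenarios; nesting it as "###" with the methods as "####" keeps the outline consistent. The "non-linked" hyphenation at line 81 now matches "non-linked attribute value limit" later in the file, which is good.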
@@ -110,16 +110,16 @@ In an environment in which the majority of the DNS DCs for a domain are located
110110
> [!IMPORTANT]
111111
> This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information, see [How to back up and restore the registry in Windows](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692).
112112

113-
Similar to method 1, pick a number of DCs you want to have present with an NS record for the zones they host. For the DNS servers you don't want to add NS records corresponding to themselves to any Active Directory-integrated DNS zone, use Registry Editor (Regedt32.exe) to configure the following registry value on each affected DNS server:
113+
Similar to method 1, pick a number of DCs you want to have present with an NS record for the zones they host. For the DNS servers you don't want to add NS records corresponding to themselves to any AD-integrated DNS zone, use Registry Editor (Regedt32.exe) to configure the following registry value on each affected DNS server:
114114

115115
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters`
116116

117-
Registry value: DisableNSRecordsAutoCreation
117+
Registry value: `DisableNSRecordsAutoCreation`
118118
Data type: REG_DWORD
119119
Data range: 0x0 | 0x1
120120
Default value: 0x0
121121

122-
This value affects all Active Directory-integrated DNS zones. The values have the following meanings:
122+
This value affects all AD-integrated DNS zones. The values have the following meanings:
123123

124124
|Value |Meaning |
125125
|---------|---------|
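Review bot: lines 117 to 120 ("Registry value: ...", "Data type: REG_DWORD", "Data range: 0x0 | 0x1", "Default value: 0x0") have no blank line or trailing line break between them, so Markdown renders them as one run-on paragraph; since this hunk already touches line 117, consider making the four lines a bulleted list or ending each with `<br>` as the file does at lines 185 and 187. Putting only the value name in code formatting while `REG_DWORD` and the `0x0 | 0x1` range stay plain is also inconsistent.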
@@ -129,16 +129,16 @@ This value affects all Active Directory-integrated DNS zones. The values have th
129129
> [!NOTE]
130130
> To apply the changes to this value, you must restart the DNS Server service.
131131

132-
## Experiencing the problem for the SRV and A records of a zone owned by DCs
132+
## Experiencing the problem with the SRV and A records of a zone owned by DCs
133133

134134
> [!IMPORTANT]
135135
> This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information, see [How to back up and restore the registry in Windows](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692).
136136

137-
Netlogon is managing the registration of a DCs DNS record. To prevent a DC from attempting dynamic updates of certain DNS records that by default are dynamically updated by Netlogon, use Regedt32.exe to configure the following registry value:
137+
Netlogon manages the registration of a DC's DNS record. To prevent a DC from attempting dynamic updates of certain DNS records that by default are dynamically updated by Netlogon, use Regedt32.exe to configure the following registry value:
138138

139139
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`
140140

141-
Registry value: DnsAvoidRegisterRecords
141+
Registry value: `DnsAvoidRegisterRecords`
142142
Data type: REG_MULTI_SZ
143143

144144
In this value, specify the list of mnemonics corresponding to the DNS records that shouldn't be registered by this DC.
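Review bot: "a DC's DNS record" (line 137) is singular, but Netlogon registers a set of records (the SRV and A records this section is about); suggest "a DC's DNS records". Same rendering point as the previous hunk: lines 141 and 142 ("Registry value: ..." and "Data type: REG_MULTI_SZ") will merge into one paragraph without a line break.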
@@ -172,20 +172,20 @@ The list of mnemonics includes:
172172
|Rfc1510UdpKpwd |SRV |_kpasswd._udp.\<DnsDomainName> |
173173

174174
> [!NOTE]
175-
> It isn't necessary to restart the Netlogon service. If the DnsAvoidRegisterRecords registry value is created or modified while the Netlogon service is stopped or within the first 15 minutes after Netlogon is started, appropriate DNS updates take place with a short delay (however, the delay is no later than 15 minutes after Netlogon starts).
175+
> It isn't necessary to restart the Netlogon service. If the `DnsAvoidRegisterRecords` registry value is created or modified while the Netlogon service is stopped or within the first 15 minutes after Netlogon is started, appropriate DNS updates take place with a short delay (however, the delay is no later than 15 minutes after Netlogon starts).
176176

177177
You can also set the list of DNS records to suppress using a Group Policy:
178178

179-
GPS: Specify DC Locator DNS records not registered by the DCs
179+
**GPS: Specify DC Locator DNS records not registered by the DCs**
180180

181-
DNS registrations of A records performed by Netlogon can be also be modified by using the RegisterDnsARecords registry value. For more information, see [How to enable or disable DNS updates in Windows](../networking/enable-disable-dns-dynamic-registration.md).
181+
DNS registrations of A records performed by Netlogon can be also be modified by using the `RegisterDnsARecords` registry value. For more information, see [How to enable or disable DNS updates in Windows](../networking/enable-disable-dns-dynamic-registration.md).
182182

183-
Be aware that both the DnsAvoidRegisterRecords and the RegisterDnsARecords registry values need to allow registering the host (A) record:
183+
Be aware that both the DnsAvoidRegisterRecords and the `RegisterDnsARecords` registry values need to allow registering the host (A) record:
184184

185185
- RegisterDnsARecords = 0x1<br>
186-
If you list LdapIpAddress and GcIpAddress in the DnsAvoidRegisterRecords registry value settings, A records aren't registered.
186+
If you list LdapIpAddress and GcIpAddress in the `DnsAvoidRegisterRecords` registry value settings, A records aren't registered.
187187
- RegisterDnsARecords = 0x0<br>
188-
No matter whether you list LdapIpAddress and GcIpAddress in the DnsAvoidRegisterRecords registry value settings, A records aren't registered.
188+
No matter whether you list LdapIpAddress and GcIpAddress in the `DnsAvoidRegisterRecords` registry value settings, A records aren't registered.
189189

190190
To prevent the problem described earlier in this article from occurring in an environment in which a set of DCs and/or global catalog (GC) servers are located in a central location and a large number of the DCs and/or GC servers are located in branch offices, the administrator can disable registration of some of the DNS records by Netlogon on the DCs/GCs in the branch offices. In this situation, the list of mnemonics that should not be registered includes:
191191

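Review bot: line 181 still contains the duplicated verb "can be also be modified"; it should read "can also be modified". Line 183 now formats `RegisterDnsARecords` as code but leaves DnsAvoidRegisterRecords plain in the same sentence, and lines 185 and 187 ("RegisterDnsARecords = 0x1", "RegisterDnsARecords = 0x0") are plain too; apply code formatting consistently. "GPS:" at line 179 is unexplained; if it stands for "Group Policy setting", spell it out, since the bold formatting added here does not clarify the abbreviation.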
@@ -214,19 +214,19 @@ GC-specific records:
214214
> [!NOTE]
215215
> These lists do not include the site-specific records. Therefore, DCs and GC servers in branch offices are located by site-specific records that are usually used by a DC locator. If a program searches for a DC/GC by using generic (non-site-specific) records such as any of the records in the lists that are listed earlier in this article, it finds a DC/GC in the central location.
216216
>
217-
> Read-Only DCs default to registering DNS records specific to their site.
217+
> Read-only DCs default to registering DNS records specific to their site.
218218

219-
An administrator might also choose to limit the number of the DC locator records such as SRV and A records registered by Netlogon for the same generic DNS name (_ldap._tcp.dc._msdcs.\<DomainName>), even in a scenario with fewer DCs than the non-linked attribute value limit in the same domain, to reduce the size of DNS responses to queries for such records.
219+
An administrator might also choose to limit the number of the DC locator records, such as SRV and A records registered by Netlogon for the same generic DNS name (_ldap._tcp.dc._msdcs.\<DomainName>), even in a scenario with fewer DCs than the non-linked attribute value limit in the same domain, to reduce the size of DNS responses to queries for such records.
220220

221-
You can create this setting in a Group Policy linked to the Domain Controllers OU, put all branch DCs into an "AD Branch DCs" group and set the Group Policy to apply only to members of the "AD Branch DCs" group.
221+
You can create this setting in a Group Policy linked to the DCs OU, put all branch DCs into an "AD Branch DCs" group, and set the Group Policy to apply only to members of the "AD Branch DCs" group.
222222

223223
## Status
224224

225225
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
226226

227-
## More Information
227+
## More information
228228

229-
Every DNS server that is authoritative for an Active Directory-integrated DNS zone adds an NS record. By default, every DC in a domain registers an SRV record for a set of non-site-specific names such as "_ldap._tcp.\<domain_name>" and A record(s) that map(s) the Active Directory DNS domain name to the TCP/IP address(es) of the DC. When a DNS server tries to write a record with many values for the same shared name, Local Security Authority Subsystem Service (LSASS) runs at 100 percent CPU usage for approximately 10 seconds and the registration doesn't succeed. Netlogon retries this registration every hour; the 100 percent CPU usage spike reappears at least once an hour and the attempted registrations don't succeed.
229+
Every DNS server that is authoritative for an Active Directory-integrated DNS zone adds an NS record. By default, every DC in a domain registers an SRV record for a set of non-site-specific names such as "_ldap._tcp.\<domain_name>" and A record(s) that map(s) the Active Directory DNS domain name to the TCP/IP address(es) of the DC. When a DNS server tries to write a record with many values for the same shared name, Local Security Authority Subsystem Service (LSASS) runs at 100% CPU usage for approximately 10 seconds and the registration doesn't succeed. Netlogon retries this registration every hour; the 100% CPU usage spike reappears at least once an hour and the attempted registrations don't succeed.
230230

231231
## References
232232

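Review bot: "Domain Controllers OU" (line 221) is the literal name of the default organizational unit, so shortening it to "DCs OU" changes a proper name; keep "Domain Controllers OU" (optionally with the abbreviation in parentheses). The unquoted name _ldap._tcp.dc._msdcs.\<DomainName> at line 219 relies on the escaped angle bracket and the underscores rendering literally; wrapping it in backticks would be safer. The "100%" change at line 229 is purely stylistic and reads fine.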