If you're trying to grant update rights to a specific machine (rather than every machine in the realm), something like: grant dc$@REALM. subdomain dnsname.; might work better, where "dc$@REALM" is (eg) the Kerberos principle corresponding to your DC and "dnsname" is the tree to which you want to grant rights. The "$" is a Microsoft-ism.