We've now shown that Windows does indeed want the extra question sections in the DNS reply to the initial unsigned update. See here for a patch to bind9 that allows it to work with win7 and w2k8r2 clients:

http://marc.info/?l=bind-workers&m=126622485032749&w=2

Could we get this documented in the MS-GSSA doc?

Cheers, Tridge