I've got a Mac in an AD environment with DHCP. All the Windows machines end up with the right DNS in the domain. Mine doesn't, so my command prompt always has someone else's PTR. The AD admins set me up so the DC will honor my DNS updates without auth. (Thanks guys!) In this example, my machine is tron.sub.domain.com at 192.168.0.42. Here's how I use nsupdate interactively, one command at a time, in a terminal, to restore reality:
> update delete tron.sub.domain.com A
> update delete 184.108.40.206.in-addr.arpa PTR
> update add tron.sub.domain.com 86400 IN A 192.168.0.42
> update add 220.127.116.11.in-addr.arpa. 86400 IN PTR tron.sub.domain.com.
nsupdate will take commands from a file or stdin, so one-liners and scripts are easy. If you need to use auth, look at the -y or -k flag. If your domain's SOA isn't quite aiming your client at the right server, the "server" command lets you specify where to send updates. If your AD admins aren't as accommodating as mine, try buying them a beer.