JSI Tip 7919. Your Windows Server 2003 domain controller System event log records event ID 5774?

When you inspect the System event log on your Windows Server 2003 domain controller, it contains one event per day, similar to:

Type: Error
Date: MM/DD/YYYY
Time: HH:MM:SS
Event ID: 5774
Source: NETLOGON
User: N/A
Computer: <Computer Name>
Details: The dynamic registration of the DNS record recordName failed on the following DNS server:
DNS server IP address: ServerIPAddress
Returned Response Code (RCODE): 0
Returned Status Code: 9505
For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION: Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD. Or, you can manually add this record to DNS, but it is not recommended.

When a DNS server that accepts non-secure dynamic updates processes the registration sent by a DNS client that permits only secure dynamic updates, the server accepts the update but answers with an unsecured response. The domain controller's Net Logon service, which required a secure exchange, treats that response as a failure and logs it with status 9505 (DNS_ERROR_UNSECURE_PACKET).

NOTE: The record was registered; the update simply was NOT secure. Because the zone is accepting non-secure updates, the records this domain controller depends on can also be changed by non-secure updates from other hosts.

To resolve this issue, ensure that both the _msdcs.domain.suffix and domain.suffix zones are set to accept only secure dynamic updates (this option is available only for Active Directory-integrated zones), or change the Group Policy for the DNS Client service so that it does not require secure dynamic updates (see tip 4968).

You can use the DNS Client Group Policy setting Update Security Level (Computer Configuration\Administrative Templates\Network\DNS Client) to force the type of dynamic update you want. It writes the UpdateSecurityLevel registry value used in the procedure below: 0 sends an unsecure update and falls back to a secure one (the default), 0x10 (16) allows unsecure updates only, and 0x100 (256) allows secure updates only.

To force a client computer to use only secure dynamic updates without using Group Policy:

1. Copy and paste the following into a file named UpdateSecurityLevel.reg:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"UpdateSecurityLevel"=dword:00000100

2. Merge the UpdateSecurityLevel.reg file into the client's registry (double-click it), or run regedit /s UpdateSecurityLevel.reg.

3. Restart the client computer.
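The following PowerShell script is an added example written for this tip; it is not part of the original tip or of any Microsoft tool. It audits the two settings whose mismatch produces event 5774 with status 9505 (the domain controller's UpdateSecurityLevel and the AllowUpdate mode of the _msdcs.domain.suffix and domain.suffix zones, read through the root\MicrosoftDNS WMI namespace). With the -Fix switch it applies the secure direction of the fix: zones to secure-only updates via dnscmd, the client to secure-only in the registry (the same value the .reg file above sets), then nltest /dsregdns to re-register. It assumes the domain controller hosts its own zones and has PowerShell, dnscmd.exe and nltest.exe installed; the -Fix switch and the derivation of the zone names from the computer's domain are this script's own conventions.

```powershell
# Added example (not from the JSI tip): audit and optionally remediate the
# event 5774 / status 9505 condition on a Windows Server 2003 domain controller
# that hosts its own DNS zones. Run from an administrative PowerShell prompt
# on the DC. Assumptions: zone names follow the computer's AD domain name and
# the -Fix switch is this script's own convention.
param(
    [string]$DnsSuffix = (Get-WmiObject -Class Win32_ComputerSystem).Domain,
    [switch]$Fix
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# DNS Client policy "Update Security Level" values (UpdateSecurityLevel DWORD)
$LevelNames = @{ 0 = 'unsecure, then secure (default)'; 16 = 'unsecure only'; 256 = 'secure only' }

# MicrosoftDNS_Zone.AllowUpdate values in the root\MicrosoftDNS WMI namespace
$AllowUpdateNames = @{ 0 = 'no dynamic updates'; 1 = 'nonsecure and secure'; 2 = 'secure only' }

function Get-ClientUpdateSecurityLevel {
    $p = Get-ItemProperty -Path $PolicyKey -Name UpdateSecurityLevel -ErrorAction SilentlyContinue
    if ($p -eq $null) { return 0 }          # value absent: client uses the default behaviour
    return [int]$p.UpdateSecurityLevel
}

function Get-Zone([string]$ZoneName) {
    Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        Where-Object { $_.Name -eq $ZoneName }
}

# 1. What the client side (this DC's Net Logon / DNS Client) demands
$level = Get-ClientUpdateSecurityLevel
Write-Host ("Client UpdateSecurityLevel = {0} ({1})" -f $level, $LevelNames[$level])

# 2. What the zones accept. Client secure-only plus zone AllowUpdate = 1 is the
#    combination that produces event 5774 with status 9505.
$zoneNames = @("_msdcs.$DnsSuffix", $DnsSuffix)
foreach ($name in $zoneNames) {
    $zone = Get-Zone $name
    if ($zone -eq $null) { Write-Host "Zone $name is not hosted on this server"; continue }
    $mode = [int]$zone.AllowUpdate
    Write-Host ("Zone {0}: AllowUpdate = {1} ({2}), AD-integrated = {3}" -f `
        $name, $mode, $AllowUpdateNames[$mode], $zone.DsIntegrated)

    if ($mode -eq 1 -and $Fix) {
        if (-not $zone.DsIntegrated) {
            Write-Warning "$name is not AD-integrated; secure-only updates need an AD-integrated zone"
            continue
        }
        # dnscmd /Config <zone> /AllowUpdate 2 switches the zone to secure dynamic updates only
        & dnscmd.exe /Config $name /AllowUpdate 2
    }
}

# 3. Pin the client to secure-only updates (same effect as the .reg file in the tip)
if ($Fix -and $level -ne 256) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name UpdateSecurityLevel -Value 256 -Type DWord
}

# 4. Re-register the DC's records and list any 5774 events still being logged
if ($Fix) {
    & nltest.exe /dsregdns
    Start-Sleep -Seconds 5
    Get-EventLog -LogName System -Newest 100 |
        Where-Object { $_.Source -eq 'NETLOGON' -and $_.EventID -eq 5774 } |
        Format-Table TimeGenerated, EventID, Message -AutoSize
}
```

Run it once without -Fix to see both sides of the mismatch; a zone showing AllowUpdate = 1 next to a client level of 256 is the condition the tip describes. The script deliberately implements only the secure-only direction of the fix; relaxing the client to unsecure updates (the tip's alternative) removes the event but leaves the zone open to non-secure updates.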
