Microsoft KB Archive/839505

= An error with event ID 5774 is reported in the system log on a Windows Server 2003-based domain controller =

Article ID: 839505

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition






Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
On a Windows Server 2003-based domain controller, an error message that is similar to the following may be logged in the system log one time each day:

Type: Error

Date: 12/10/03

Time: 7:08:12 AM

Event ID: 5774

Source: NETLOGON

User: N/A

Computer:

Details: The dynamic registration of the DNS record  failed on the following DNS server: DNS server IP address:   Returned Response Code (RCODE): 0 Returned Status Code: 9505 For computers and users to locate this domain controller, this record must be registered in DNS.

USER ACTION: Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD. Or, you can manually add this record to DNS, but it is not recommended.



CAUSE
This problem occurs when a Domain Name System (DNS) server that accepts nonsecure dynamic updates registers the IP address of a DNS client, and the DNS client only permits secure dynamic updates. The Net Logon service then reports an error with the 9505 status code on the DNS server. The 9505 status code refers to a nonsecure DNS packet error. When this error occurs, the client successfully updates the client IP address on the DNS server, but the dynamic update is not secure.
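The following Python triage is an added example, not part of the original article or any Microsoft tool. It parses exported NETLOGON event text and separates the case described above (event 5774, RCODE 0, status 9505) from other registration failures, including events where the DNS server address field is empty. The function names, the sample events, the example addresses and the RCODE 5 / status 9005 pair are constructed for illustration.

```python
import re
from collections import Counter

NONSECURE_PACKET = 9505  # status code this article ties to a nonsecure DNS packet

FIELDS = {
    "event_id": re.compile(r"Event ID:\s*(\d+)"),
    "source": re.compile(r"Source:\s*(\S+)"),
    # Only accept address characters, so an empty field does not swallow "Returned".
    "server": re.compile(r"DNS server IP address:\s*([0-9A-Fa-f.:]+)"),
    "rcode": re.compile(r"\(RCODE\):\s*(\d+)"),
    "status": re.compile(r"Returned Status Code:\s*(\d+)"),
}

def parse_event(text):
    """Return the fields found in one event's text; missing fields are None."""
    found = {name: rx.search(text) for name, rx in FIELDS.items()}
    return {name: (m.group(1) if m else None) for name, m in found.items()}

def classify(ev):
    """Label one parsed event (hypothetical labels used only in this example)."""
    if ev["event_id"] != "5774" or (ev["source"] or "").upper() != "NETLOGON":
        return "not-5774"
    if ev["rcode"] is None or ev["status"] is None:
        return "incomplete"
    if ev["rcode"] == "0" and int(ev["status"]) == NONSECURE_PACKET:
        # Record was written, but the update was not secure (see CAUSE).
        return "nonsecure-update-mismatch"
    return "other-registration-failure"

def triage(events):
    """Count (DNS server, label) pairs so recurring daily errors stand out."""
    return dict(Counter((ev["server"], classify(ev))
                        for ev in map(parse_event, events)))

def _sample(server, rcode, status):
    # Constructed event text in the layout shown under SYMPTOMS.
    return ("Event ID: 5774\nSource: NETLOGON\nDetails: The dynamic registration "
            "of the DNS record '_ldap._tcp.example.com.' failed on the following "
            f"DNS server: DNS server IP address: {server} Returned Response Code "
            f"(RCODE): {rcode} Returned Status Code: {status}")

SAMPLE_EVENTS = [_sample("192.0.2.10", 0, 9505),   # the case in this article
                 _sample("192.0.2.10", 5, 9005),   # a different failure
                 _sample("", 0, 9505)]             # server field left empty

if __name__ == "__main__":
    for key, count in triage(SAMPLE_EVENTS).items():
        print(key, count)
```

A server that shows only the `nonsecure-update-mismatch` label is a candidate for the zone and client settings covered under RESOLUTION.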



RESOLUTION
Make sure that both the _msdcs. zone and the  zone are set to only accept secure dynamic updates. Alternatively, change the Group Policy setting for the DNS client service so that the client does not have to update by using secure updates.

For additional information about dynamic updating in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

246804 How to enable or disable dynamic DNS registrations in Windows 2000 and in Windows Server 2003



MORE INFORMATION
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can configure a Group Policy object for the DNS client service that forces the client to use a particular type of dynamic update. To force secure dynamic updates without using Group Policy, you can modify the following registry subkey on the client computer:

To modify the  registry subkey, follow these steps.

Note If a Group Policy object is already active in your domain for this setting, the object overrides any local registry changes.

 1. Click Start, click Run, type regedit in the Open box, and then click OK.
 2. Locate the following registry subkey:
 3. Right-click DNSClient, point to New, and then click DWORD Value.
 4. Name the new value UpdateSecurityLevel.
 5. Double-click UpdateSecurityLevel.
 6. In the Edit DWORD Value dialog box, select Hexadecimal under Base, and then type 100 in the Value data box.
 7. Click OK.
 8. Quit Registry Editor.

<div class="references_section">