An error with event ID 5774 is reported in the system log on a Windows Server 2003-based domain controller (839505)

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

On a Windows Server 2003-based domain controller, an error message that is similar to the following may be logged in the system log one time each day: Type: Error
Date: 12/10/03
Time: 7:08:12 AM
Event ID: 5774
Source: NETLOGON
User: N/A
Computer: ComputerName

Details: The dynamic registration of the DNS record recordName failed on the following DNS server: DNS server IP address: ServerIPAddress Returned Response Code (RCODE): 0 Returned Status Code: 9505 For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION: Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD. Or, you can manually add this record to DNS, but it is not recommended.

CAUSE

This problem occurs when a Domain Name System (DNS) server that accepts nonsecure dynamic updates registers the IP address of a DNS client, and the DNS client only permits secure dynamic updates. The Net Logon service then reports an error with the 9505 status code on the DNS server. The 9505 status code refers to a nonsecure DNS packet error. When this error occurs, the client successfully updates the client IP address on the DNS server, but the dynamic update is not secure.

RESOLUTION

Make sure that both the _msdcs.domain.suffix zone and the domain.suffix zone are set to only accept secure dynamic updates. Alternatively, change the Group Policy setting for the DNS client service so that the client does not have to update by using secure updates.

For additional information about dynamic updating in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

246804 How to enable or disable dynamic DNS registrations in Windows 2000 and in Windows Server 2003

MORE INFORMATION

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can configure a Group Policy object for the DNS client service that forces the client to use a particular type of dynamic update. To force secure dynamic updates without using Group Policy, you can modify the following registry subkey on the client computer:

HKEY_Local_Machine\Software\Policies\Microsoft\Windows NT\DNSClient

To modify the DNSClient registry subkey, follow these steps.

Note If a Group Policy object is already active in your domain for this setting, the object overrides any local registry changes.