Article ID: 2002490
After deploying Windows Server 2008 R2 domain controllers in an environment that uses BIND DNS servers, the symptoms described below are observed. They are known to occur with BIND 9.2.2.
RFC 2136 (section 3.8) allows a dynamic update response to be formed in one of two ways: the server either copies the ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT fields and the associated sections from the request (method 1), or it places zeros in all four count fields and includes no part of the original update (method 2). Windows Server 2008 R2 DNS servers use method 1.
The problem lies in the way that Windows Server 2008 R2 computers interpret the packet received from a DNS server after attempting to dynamically register SRV records. Windows Server 2008 R2 DC Locator treats a method 2 response as a bad packet, causing the NETLOGON error Event 5774 with status code 9502 (DNS_ERROR_BAD_PACKET) to be logged.
Despite the large number of events, the DNS SRV records are registered successfully in this condition; the cost is the administrative overhead caused by false-positive errors in diagnostic and monitoring tools.
A code fix prevents the error from being logged when a response packet's opcode is Update and all four count values are 0, that is, when the DNS server responds using RFC 2136 method 2.
Modifying the "Update Security Level" setting under Administrative Templates -> Network -> DNS Client in Group Policy does not resolve or work around the symptoms described earlier in this article.
From RFC 2136, section 3.8:
"A response message is generated by copying the ID and Opcode fields from the request, and either copying the ZOCOUNT, PRCOUNT, UPCOUNT, and ADCOUNT fields and associated sections, or placing zeros (0) in these "count" fields and not including any part of the original update. The QR bit will be set to one (1), and the response will be sent to the requestor."
DC Locator logs Event NELOG_NetlogonDynamicDnsRegisterFailure (5774) when the DnsModifyRecordsInSet_UTF8 / DnsReplaceRecordSetUTF8 API returns an error code. Based on the results, the DNS records are registered even though the API returns an error code.
Specifically, DC Locator calls DnsModifyRecordsInSet_UTF8 / DnsReplaceRecordSetUTF8 with the option DNS_UPDATE_SECURITY_USE_DEFAULT. In the error case, DNS_EXTRA_INFO.ResultsV1.Status is 9502 (DNS_ERROR_BAD_PACKET) while DnsUpdateExtraInfo.ResultsV1.Rcode is 0. The DC sends every DNS update 3 times, as if it disregarded the positive answer from the BIND DNS server. The DC sends only non-secure updates.
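The exchange described in this article, as an added example that is not part of the article and not Microsoft or ISC code: it builds an RFC 2136 UPDATE request for one SRV record, forms the response both ways (method 1 as Windows DNS does, method 2 as BIND 9.2.2 does), and runs a simplified model of the client-side response check before and after the fix, returning the Status/Rcode pair and the number of sends described above. The zone, record names, message ID and the internal structure of the check are assumptions made for illustration; the real DC Locator / DnsModifyRecordsInSet_UTF8 code is not reproduced here.

```python
"""Model of an RFC 2136 UPDATE exchange and of the response check behind
DNS_ERROR_BAD_PACKET (9502). Added example: the validator is an illustrative
model of the behaviour the article describes, not Windows code."""
import struct
from dataclasses import dataclass

OPCODE_UPDATE = 5
TYPE_SOA, TYPE_SRV, CLASS_IN = 6, 33, 1

# Windows status codes from winerror.h; the DNS_ERROR_RCODE_* block is 9000 + RCODE.
ERROR_SUCCESS = 0
DNS_ERROR_RCODE_BASE = 9000
DNS_ERROR_BAD_PACKET = 9502


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_header(msg_id: int, qr: int, opcode: int, rcode: int, counts) -> bytes:
    """DNS header: ID, flags, then ZOCOUNT/PRCOUNT/UPCOUNT/ADCOUNT."""
    flags = (qr << 15) | (opcode << 11) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, *counts)


def build_srv_update(msg_id, zone, srv_name, target, port, ttl=600) -> bytes:
    """UPDATE request adding one SRV record: Zone 1, Prerequisite 0, Update 1, Additional 0."""
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = struct.pack("!HHH", 0, 100, port) + encode_name(target)  # priority, weight, port, target
    update_section = (encode_name(srv_name)
                      + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, ttl, len(rdata)) + rdata)
    return build_header(msg_id, 0, OPCODE_UPDATE, 0, (1, 0, 1, 0)) + zone_section + update_section


def parse_header(msg: bytes) -> dict:
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "counts": (zo, pr, up, ad), "body": msg[12:]}


def respond_method1(request: bytes, rcode: int = 0) -> bytes:
    """RFC 2136 3.8, first form: copy counts and sections, set QR and RCODE (Windows DNS)."""
    h = parse_header(request)
    return build_header(h["id"], 1, h["opcode"], rcode, h["counts"]) + h["body"]


def respond_method2(request: bytes, rcode: int = 0) -> bytes:
    """RFC 2136 3.8, second form: zero all counts, include no part of the update (BIND 9.2.2)."""
    h = parse_header(request)
    return build_header(h["id"], 1, h["opcode"], rcode, (0, 0, 0, 0))


@dataclass
class UpdateResult:
    status: int   # models DNS_EXTRA_INFO.ResultsV1.Status
    rcode: int    # models DnsUpdateExtraInfo.ResultsV1.Rcode


def check_response(request: bytes, response: bytes, fixed: bool) -> UpdateResult:
    """Simplified model (assumption) of the client-side check.
    fixed=False: a response with all sections empty is treated as malformed even
    though RCODE is 0.  fixed=True: opcode Update with all counts zero is a valid
    method 2 response, so only RCODE decides the outcome."""
    if len(response) < 12:
        return UpdateResult(DNS_ERROR_BAD_PACKET, 0)
    req, rsp = parse_header(request), parse_header(response)
    if rsp["qr"] != 1 or rsp["id"] != req["id"] or rsp["opcode"] != OPCODE_UPDATE:
        return UpdateResult(DNS_ERROR_BAD_PACKET, rsp["rcode"])
    all_zero = rsp["counts"] == (0, 0, 0, 0)
    if all_zero and not fixed:
        return UpdateResult(DNS_ERROR_BAD_PACKET, rsp["rcode"])   # Status 9502, Rcode 0
    if not all_zero and rsp["counts"] != req["counts"]:
        return UpdateResult(DNS_ERROR_BAD_PACKET, rsp["rcode"])
    status = ERROR_SUCCESS if rsp["rcode"] == 0 else DNS_ERROR_RCODE_BASE + rsp["rcode"]
    return UpdateResult(status, rsp["rcode"])


def register_srv(fixed: bool, bind_style: bool, max_tries: int = 3) -> tuple:
    """Run the exchange; return (final UpdateResult, sends). Names are constructed
    sample data. Rejecting the positive answer yields the 3 sends seen on the wire."""
    request = build_srv_update(0x1234, "example.com.", "_ldap._tcp.dc._msdcs.example.com.",
                               "dc1.example.com.", 389)
    respond = respond_method2 if bind_style else respond_method1
    result, sends = None, 0
    for _ in range(max_tries):
        sends += 1
        result = check_response(request, respond(request), fixed)
        if result.status != DNS_ERROR_BAD_PACKET:
            break
    return result, sends


if __name__ == "__main__":
    for fixed in (False, True):
        for bind_style in (False, True):
            r, n = register_srv(fixed, bind_style)
            print(f"fixed={fixed} bind={bind_style}: status={r.status} rcode={r.rcode} sends={n}")
```

Running the block prints the four combinations; the pre-fix check against a method 2 responder ends with status 9502 and rcode 0 after three sends, which is exactly the Status/Rcode pair and the retry count described above, while the fixed check accepts the same packet on the first send. Against a method 1 responder both checks succeed, which is why the symptom only appears with BIND-style responses.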
See http://go.microsoft.com/fwlink/?LinkId=151500 for other considerations.