Windows Server 2008 R2 Dynamic DNS updates to BIND DNS log NETLOGON error event 5774 with status 9502

Article ID: 2002490 - View products that this article applies to.

Symptoms

See the following article in the Microsoft Knowledge Base for more information:

977158 DNS updates may be incorrectly reported as failed when you use a third-party DNS server application for DNS registration on a computer that is running Windows Server 2008 R2 or Windows 7

After deploying Windows Server 2008 R2 domain controllers in an environment using BIND DNS Servers, the following symptoms are observed:

  1. Windows Server 2008 R2 domain controllers successfully register DNS SRV records but log NETLOGON error Event 5774 with status code 9502 in the System log each time DNS SRV records are dynamically registered. Active Directory domain controllers dynamically register approximately 15 to 30 SRV records every hour and log this event for each registration attempt.

    Log Name: System
    Source: NETLOGON
    Event ID: 5774
    Level: Error

    Description:

    The dynamic registration of the DNS record '._tcp.dc._msdcs.. 600 IN SRV 0 100 88 xxx.yyy.zzz' failed on the following DNS server:

    DNS server IP address:
    Returned Response Code (RCODE): 0
    Returned Status Code: 9502

    For computers and users to locate this domain controller, this record must be registered in DNS.

    USER ACTION
    Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Or, you can manually add this record to DNS, but it is not recommended.

    ADDITIONAL DATA
    Error Value: Bad DNS packet


    The error status code 9502 decimal (0x251 hex) indicates symbolic error DNS_ERROR_BAD_PACKET with friendly error "Bad DNS packet."

  2. The %SystemRoot%\Debug\NETLOGON.LOG file on the domain controller logging the Event 5774 contains:

    YY/MM HH:MM:SS [MISC] Eventlog: 5774 (1) "<record>.<DNS zone>.<AD DNS domain>. 600 IN A <DNS IP>" 9502 "<IP Address>" "0" "9502" <snip>

  3. If you run the DCDIAG tool, the output will contain:

     An error event occurred.  EventID: 0x0000168E
                Time Generated: <date>   <time>
                Event String:
                The dynamic registration of the DNS record '<record>.<DNS zone>. 600 IN A <DNS Server IP>' failed on the following DNS server:

  4. DC Locator code will assume that the DNS record registration failed and hence will not deregister the DNS records if needed (during demotion). This will cause stale DNS records to exist until DNS expires (scavenges) the records.

  5. Monitoring systems will raise the alert for error Event 5774 (NELOG_NetlogonDynamicDnsRegisterFailure) which can result in unnecessary administrative overhead as administrators investigate those false positive alerts.

The symptoms above are known to occur when using BIND 9.2.2.

Cause

RFC 2136 allows dynamic update responses to be formed in two ways.

  1. Respond with the ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT fields copied.

  2. Respond with the ZOCOUNT, PRCOUNT, UPCOUNT and ADCOUNT fields set to 0.

The problem lies in the way that Windows Server 2008 R2 computers interpret the packet received from a DNS server after attempting to dynamically register SRV records.

Windows Server 2008 R2 DNS servers use method 1.
BIND and other third-party DNS servers use method 2 and cannot be configured to use method 1.

Windows Server 2008 R2 DC Locator treats response #2 as a bad packet, causing the NETLOGON error Event 5774 with status code 9502 (DNS_ERROR_BAD_PACKET) to be logged.

Resolution

Despite the excessive number of events, DNS SRV records are successfully registered in this condition, so the difficulty lies in the administrative overhead that results from the false positive errors in diagnostic and monitoring tools.

A code fix prevents errors from being logged in the case where a packet's opcode is Update and all of the count values are 0 (that is, no errors are generated when DNS servers respond with RFC 2136 method 2).

Install the following post-Windows Server 2008 R2 RTM hotfix:

977158 DNS updates may be incorrectly reported as failed when you use a third-party DNS server application for DNS registration on a computer that is running Windows Server 2008 R2 or Windows 7

Modifying the "Update Security Level" setting in the Administrative Templates -> Network -> DNS Client section of policy does resolve or work around the symptoms described earlier in this article.

More Information

From RFC 2136:

Dynamic Updates in the Domain Name System (DNS UPDATE)

3.8 - Response

At the end of UPDATE processing, a response code will be known.  A response message is generated by copying the ID and Opcode fields from the request, and either copying the ZOCOUNT, PRCOUNT, UPCOUNT, and ADCOUNT fields and associated sections, or placing zeros (0) in these "count" fields and not including any part of the original update. The QR bit is set to one (1), and the response is sent back to the requestor. If the requestor used UDP, then the response will be sent to the requestor's source UDP port. If the requestor used TCP, then the response will be sent back on the requestor's open TCP connection.

DC Locator logs Event NELOG_NetlogonDynamicDnsRegisterFailure (5774) when the API DnsModifyRecordsInSet_UTF8 / DnsReplaceRecordSetUTF8 returns an error code. Note that, based on the results, the DNS records do get registered even though the API returns an error code.

Specifically, DC Locator calls the API DnsModifyRecordsInSet_UTF8 / DnsReplaceRecordSetUTF8 with the option DNS_UPDATE_SECURITY_USE_DEFAULT. In the error case, DNS_EXTRA_INFO.ResultsV1.Status is 9502 (DNS_ERROR_BAD_PACKET) while DnsUpdateExtraInfo.ResultsV1.Rcode is 0. The DC sends every DNS update 3 times, as if it disregarded the positive answer of the BIND DNS server. The DC sends only non-secure updates.
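The two RFC 2136 section 3.8 response forms described in the Cause section and quoted above, as an added illustration that is not part of this article and not Microsoft's or BIND's code: the script builds the header of a DC Locator UPDATE request, derives a method 1 (counts copied) and a method 2 (counts zeroed) response from it, and contrasts a model of the pre-hotfix interpretation (all-zero counts on an Update response reported as DNS_ERROR_BAD_PACKET) with the behaviour the hotfix describes (only the RCODE decides). The header layout and opcode value come from the RFCs; the request ID and counts are constructed sample values, and both status functions are assumptions that model the article's description, not Windows internals.

```python
import struct

# DNS message header (RFC 1035), with the UPDATE names from RFC 2136:
# ID, FLAGS, ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
HEADER = struct.Struct("!HHHHHH")
OPCODE_UPDATE = 5
QR = 0x8000
DNS_ERROR_BAD_PACKET = 9502   # status 0x251 carried in Event 5774
ERROR_SUCCESS = 0


def update_response(req_header, rcode, copy_counts):
    """Build a 12-byte UPDATE response header per RFC 2136 section 3.8.
    copy_counts=True is method 1 (Windows DNS style); False is method 2
    (BIND style), where the counts are zero and no sections follow."""
    msg_id, flags, zo, pr, up, ad = HEADER.unpack(req_header[:12])
    opcode = (flags >> 11) & 0xF
    resp_flags = QR | (opcode << 11) | (rcode & 0xF)   # ID and Opcode copied, QR set
    if copy_counts:
        return HEADER.pack(msg_id, resp_flags, zo, pr, up, ad)
    return HEADER.pack(msg_id, resp_flags, 0, 0, 0, 0)


def parse_header(pkt):
    msg_id, flags, zo, pr, up, ad = HEADER.unpack(pkt[:12])
    return {"id": msg_id, "qr": bool(flags & QR), "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "counts": (zo, pr, up, ad)}


def status_before_hotfix(pkt):
    """Assumed model of the behaviour the article describes: an Update
    response whose four count fields are all zero is reported as a bad packet
    even though the RCODE is 0."""
    h = parse_header(pkt)
    if h["opcode"] == OPCODE_UPDATE and h["counts"] == (0, 0, 0, 0):
        return DNS_ERROR_BAD_PACKET
    return h["rcode"]


def status_after_hotfix(pkt):
    """Accept both RFC 2136 response forms; only the RCODE decides success."""
    h = parse_header(pkt)
    if not h["qr"] or h["opcode"] != OPCODE_UPDATE:
        return DNS_ERROR_BAD_PACKET
    return h["rcode"]


# Constructed sample: header of a DC Locator UPDATE request adding one SRV
# record (one zone entry, no prerequisites, one update, nothing additional).
SAMPLE_REQUEST = HEADER.pack(0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0)
WINDOWS_STYLE = update_response(SAMPLE_REQUEST, ERROR_SUCCESS, copy_counts=True)
BIND_STYLE = update_response(SAMPLE_REQUEST, ERROR_SUCCESS, copy_counts=False)
```

Running status_before_hotfix on BIND_STYLE yields 9502 with RCODE 0, which is exactly the Status/Rcode pair quoted in the paragraph above; status_after_hotfix returns 0 for both forms.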

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2002490 - Last Review: June 15, 2010 - Revision: 15.0
APPLIES TO
  • Windows Server 2008 R2 Standard
Keywords: KB2002490
