An error with event ID 5774 is reported in the system log on a Windows Server 2003-based domain controller

Important: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry


On a Windows Server 2003-based domain controller, an error message that is similar to the following may be logged in the system log one time each day:


This problem occurs when a Domain Name System (DNS) server that accepts nonsecure dynamic updates registers the IP address of a DNS client, and the DNS client only permits secure dynamic updates. The Net Logon service then reports an error with the 9505 status code on the DNS server. The 9505 status code refers to a nonsecure DNS packet error. When this error occurs, the client successfully updates the client IP address on the DNS server, but the dynamic update is not secure.


Make sure that both the _msdcs.domain.suffix zone and the domain.suffix zone are set to only accept secure dynamic updates. Alternatively, change the Group Policy setting for the DNS client service so that the client does not have to update by using secure updates.

For additional information about dynamic updating in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

246804 How to enable or disable dynamic DNS registrations in Windows 2000 and in Windows Server 2003

More Information

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can configure a Group Policy object for the DNS client service that forces the client to use a particular type of dynamic update. To force secure dynamic updates without using Group Policy, you can modify the following registry subkey on the client computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
To modify the DNSClient registry subkey, follow these steps.

Note: If a Group Policy object is already active in your domain for this setting, the object overrides any local registry changes.
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
  3. Right-click DNSClient, point to New, and then click DWORD Value.
  4. Name the new value UpdateSecurityLevel.
  5. Double-click UpdateSecurityLevel.
  6. In the Edit DWORD Value dialog box, select Hexadecimal under Base, and then type 100 in the Value data box.
  7. Click OK.
  8. Quit Registry Editor.
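
The registry steps above can also be scripted. The following is an added example, not part of the original article: it reads the current UpdateSecurityLevel value, reports which update mode it selects, and sets it to hexadecimal 100 on request. The function names are hypothetical, Windows PowerShell 2.0 or later is assumed on the client, and the meanings of the values 0 and 0x10 are taken from Microsoft's "Update Security Level" policy documentation rather than from this article.

```powershell
# Added example: audit and set the DNS client UpdateSecurityLevel policy value.
# Function names are hypothetical. Run from an elevated prompt to write to HKLM.
$DnsClientKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-DnsUpdateSecurityLevel {
    param([string]$Path = $DnsClientKey)
    # Value meanings per Microsoft's "Update Security Level" policy documentation.
    $modes = @{
        0   = 'Nonsecure first, secure only if refused'
        16  = 'Only nonsecure updates'
        256 = 'Only secure updates'
    }
    $item = Get-ItemProperty -Path $Path -Name UpdateSecurityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: no local policy value is configured.
        return New-Object PSObject -Property @{
            Configured = $false; Value = $null; Mode = 'Not configured'
        }
    }
    $v = [int]$item.UpdateSecurityLevel
    $mode = if ($modes.ContainsKey($v)) { $modes[$v] } else { 'Unrecognized value' }
    New-Object PSObject -Property @{
        Configured = $true; Value = ('0x{0:X}' -f $v); Mode = $mode
    }
}

function Set-DnsUpdateSecureOnly {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $DnsClientKey)
    # Create the DNSClient key if it does not exist yet.
    if (-not (Test-Path -Path $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }
    # Steps 3-7 of the article: DWORD UpdateSecurityLevel = 0x100 (secure only).
    if ($PSCmdlet.ShouldProcess("$Path\UpdateSecurityLevel", 'Set DWORD to 0x100')) {
        New-ItemProperty -Path $Path -Name UpdateSecurityLevel `
            -PropertyType DWord -Value 0x100 -Force | Out-Null
    }
}

# Report the state, preview the change, apply it, then confirm the result.
Get-DnsUpdateSecurityLevel
Set-DnsUpdateSecureOnly -WhatIf
Set-DnsUpdateSecureOnly
Get-DnsUpdateSecurityLevel
```

If a Group Policy object already defines this setting, the value written here is overwritten at the next policy refresh, so rerun the read function after a refresh to see the effective value.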


For additional information about Group Policy and DNS in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

294785 New Group Policies for DNS in Windows Server 2003


Article ID: 839505 - Last Review: Jan 4, 2008 - Revision: 1