Posted on

Event ID 5774

 

 

In general, these events indicates that the machine is unable to register its records with the DNS serverSleeping half-moon it’s configured.

Possible causes:

  • An ISP’s DNS server, or the router’s IP address, is set to be used as a DNS server in NIC properties.
  • The AD zone is configured to not allow dynamic updates.
  • If the 1st DNS entry is in another site, a firewall may be blocking necessary traffic.
  • Altered default security settings on the zone.
  • Altered default security settings in AD.
  • Altered default security settings on C: drive or C:\Windows folder.
  • Antivirus not configured to allow domain communications and services exceptions. See the antivirus vendor documentation on how to configure DCs for exclusions.
  • If the zone is set to Secure Only, possible Kerberos authentication errors will prevent registration. Causes of Kerberos errors can be numerous including misconfigured time service and antivirus exclusion, using an ISP’s DNS, third party installed firewalls or AV, and more.

Note on Firewalls

Active Directory communications require over 29 ports to be allowed, plus the ephemeral ports, and differ among operating system versions:

  • Windows 2003, Windows XP and older: UDP 1024 – 5000
  • Windows 2008, Windows Vista, & newer: UDP 49152 – 65536

DNS updates require TCP 53 & UDP 53, not just TCP 53.
It can be extremely challenging to configure a firewall for AD communications/ General rule of thumb is to just allow all traffic between locations.

Here’s a good list of the ports:

Active Directory Firewall Ports – Let’s Try To Make This Simple (RODC, too)
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

If you need to control the ports AD uses across a firewall:

Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx

Paul Bergson’s Blog on AD Replication and Firewall Ports
http://www.pbbergs.com/windows/articles/FirewallReplication.html
http://www.pbbergs.com/windows/articles.htm

Restricting Active Directory replication traffic and client RPC …Restricting Active Directory replication traffic and client RPC traffic to a … unique port, and you restart the Netlogon service on the domain controller. …
http://support.microsoft.com/kb/224196

How to restrict FRS replication traffic to a specific static port – How to restrict FRS replication traffic to a specific static port … Windows 2000-based domain controllers and servers use FRS to replicate system policy …
http://support.microsoft.com/kb/319553

 

You can run the following tests on AD to ensure there are no errors:

  • DCDIAG /V /C /D /E /s:yourDCName > c:\dcdiag.log
  • Netdiag.exe /v > c:\netdiag.log (Run only on each Windows 2003 or older DCs, not 2008 or 2008 R2)
  • repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
  • ntfrsutl ds domain.com > c:\sysvol.log

Possible solutions:

  1. On the machine logging the above event, in their TCP/IP configuration, make sure they’re not configured for the same DNS server for both Primary and Secondary.
  2. The following registry value is incorrect: “SiteCoverage” under:    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
        This value typically should equal the domain name.
  3. You can try to flip the zone types to reset default settings.
    1. Change the zone type from Active Directory integrated to “Standard Primary”, then stop & start DNS.
    2. Then stop & start the netlogon service on the child DC & verify that the records are registered.
    3. If verified, then change the zone type back to Active Directory integrated and verify that the DC no longer records the Event log errors when the netlogon service is stopped & started.
  4. Make sure the machine logging the above event is pointing to a DNS server that support Dynamic updates and is hosting a zone for the domain (i.e. make sure it’s not pointing to the ISPs DNS server).
  5. Verify if there is no manually created CNAME, A or other record) for the same hostname. If there is, it will prevent the DCs from dynamically registering its host and you need to remove the manually created record.
  6. In a Parent – Child delegated scenario, and Event ID 5774 was logged on the domain controllers in the child domain:
        Setup:
        On the parent DNS servers, there is a delegation for the child DNS servers. The child DNS servers have forwarders up to the parent DNS servers.
        Cause and Fix:
        On the Security tab in the delegations, check if  “Authenticated Users” is missing.
        Added “Authenticated Users” and enabled Full Control.

References:

Domain Controller Generates a Netlogon Error Event ID 5774
http://support.microsoft.com/?id=284963

A DNS Update is recorded as failed: Event ID 5774, 1196, or 1578
This problem occurs when you use a third-party server application for DNS resolution. This includes SCCM causing false alarms, and cluster resources not initiating using a third party DNS server.
Hotfix available for Windows Server 2008 R2 or Windows 7.
http://support.microsoft.com/kb/977158

Event ID: 5774 Source: NETLOGON
http://eventid.net/display.asp?eventid=5774&eventno=353&source=NETLOGON&phase=1

Other References:

Technet thread: “Event 5774, NETLOGON” Friday, November 20, 2009
http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/0507f7cc-c426-439b-a0c6-d36cda2dfee8

Technet thread: “Netlogon event 5774” Tuesday, February 01, 2011
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/cf5c1e9e-dccb-45e2-9f14-144f8ba1f838/

================================================

Summary

I hope this helps with figuring out and fixing an Event ID 5774. 

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Posted on

Configuring the Windows Time Service in an Active Directory Forest – A step by step with a Contingency Plan

Published 4/2014

Original blog post reference:
Configuring the Windows Time Service in an Active Directory Forest – A step by step with a Contingency Plan
https://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/

As many of you that follow my blog know that I have blogged about the Time Service in the past. The original blog can be found here. However, the blog has so much information in it, you may have got lost trying to figure out exactly what to do. In this blog, I’ve condensed it and made it much easier to read by offering the steps as a pseudo flowchart. I hope you find it useful.

Windows Server Time Sync Configuration

The following steps can be used to configure DCs the default Windows time service hierarchy in an AD forest.  The procedure will also remove any errors in the Event Viewer, if any existed.

Do not use if you are using a third party stratum service and refer to the vendor’s documentation for further instructions

Check and Document the Current Time Configuration on the PDC Emulator

  1. First check and document the current configuration:
    1. All Windows Server domain operating systems – run the following on the forest root domain PDC Emulator.
      1. Note: In some cases you must wait a little time for the service to instantiate.
      2. If you do not see expected results immediately, wait 10 min and re-run the following steps
  2. W32tm /query /configuration   
    1. This command confirms the PDC Emulator shows the current source in the [TimeProviders] section, Look for “Type:” You will see one of the following:
      1. Type: NT5DS (Local)   -This means that it’s not synced externally.
      2. Type: NTP (Local)  –This command it is syncing externally.
                 NtpServer: time.windows.com [65.55.56.206] (Local)
    2. For all other DCs, use the command, w32tm /monitor (step 4 below)
  3. w32tm /query /source
    1. On the PDC Emulator, this shows the actual source. One of two possibilities:
      1. CMOS clock                    -Signifies not synced to an external source                                                  (Not what you want to see)
      2. time.windows.com  –The NTP source IPaddress/FQDN  This is correct.
  4. w32tm /monitor or w32tm /monitor /computers:DCNAME
    1. On the PDC Emulator, this command shows the outside time source.
      1. Good example:
        dc01.contoso.com *** PDC ***[10.10.10.200:123]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from dc02.contoso.com
        RefID: time.windows.com [65.55.56.206]
        Stratum: 4
    2. On all other DCs, this command shows the current time source DC for this DC.
      1. You will see an “offset for the PDC from its configured NTP source.
      2. Good example result showing the DC02 is syncing with dc01.contoso.com:
        dc02.contoso.com 10.10.10.210]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from dc01.contoso.com
        RefID: dc01.contoso.com [10.10.10.200]
        Stratum: 4
  5. w32tm /tz
    1. This shows the current time zone to make sure it’s correct.
  6. w32tm /stripchart /computer: target /samples: n /dataonly
    1. This command will show you the time difference between the local computer and a target computer and is helpful in determining if there is an offset. The “n” value is the number of time samples that will be returned from the target to test basic NTP communications.
  7. w32tm /dumpreg
    1. This command dumps the current registry settings found in:
      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
      You can see the current time service configuration entries, such as:
      Type:  NTP

      NTPServer:

*

Configure time sync to a reliable source on the forest rood domain PDC Emulator ONLY.

Do not perform on any other DC in any domain in the forest. PDC in the forest root only.

  1. Windows 2003 and all newer:
    1. Open an Administrator Command Prompt.
      1. Note that the examples below use either time.windows.com or the pool.ntp.org servers. You can get a full list of reliable time services at:
        A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet: http://support.microsoft.com/kb/262680
    2. w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
      OR – if you want to use the pool.ntp.org time source servers:
    3. W32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,0x1 /syncfromflags:manual /reliable:yes /update
    4. w32tm /resync /rediscover
    5. net stop w32time && net start w32time
    6. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below.
  2. Windows 2000:
    Generally speaking, the w32tm command is similar to Windows 2003 and newer operating systems.  However, Windows 2000 uses the net time /setsntp method, which was removed in later versions.  There are also some differences between Windows 2000 RTM and various service packs. Therefore, if any issues arise from the commands not setting, it’s recommended to follow the instructions using the registry to configure the time service in Windows 2000:
    How to configure an authoritative time server in Windows 2000:
    http://support.microsoft.com/kb/216734
    1. Open an Administrator Command Prompt.
    2. net time /setsntp:174.140.19.7    – Windows 2000 uses this command to configure an outside source.
    3. net stop w32time
    4. w32tm -once      W32tm performs numerous commands. Their results are displayed on the screen.
    5. net start w32time
    6. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
  3. Use the procedure in Step #1 to check and document the new configuration.
  4. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Configure all other DCs to sync using the forest time hierarchy

This includes all other DCs in the forest root domain that are not holding the PDC Emulator role, and any DC in any other domains and trees, including the PDC in those domains.

Do NOT run the following on the PDC Emulator in the forest root domain.

  1. First check and document the current configuration: See Section #3 above.
  2. Windows Server 2003 and all newer server operating systems: 
    1. Open an Administrator Command Prompt
    2. w32tm /config /syncfromflags:domhier /update /reliable:no
    3. w32tm /resync /rediscover
    4. net stop w32time && net start w32time
    5. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
  3. Windows 2000:
    For reference with Windows 2000, see the following link for more info:
    How to configure an authoritative time server in Windows 2000
    http://support.microsoft.com/kb/216734
    1. Open an Administrator Command Prompt.
    2. w32tm –s
    3. Net stop w32time && net start w32time
    4. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
  4. Use the procedure in Step #1 to check and DOCUMENT the new configuration.
  5. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Time configuration on FSMO transferred or seized DCs

  1. On the new forest root domain PDC Emulator, run the following:
    1. Open an Administrator command prompt:
    2. W32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org /syncfromflags:manual /reliable:yes /update
      1. Note: time.windows.com is a working time source, however you choose any reliable time services in your locale.
    3. W32tm /resync /rediscover
    4. net stop w32time && net start w32time
    5. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
  2. On the server formerly holding the PDC Emulator role, run the following:
    1. Open an Administrator command prompt.
    2. w32tm /config /syncfromflags:domhier /update
    3. w32tm /resync /rediscover
    4. net stop w32time && net start w32time
    5. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
  3. Follow the procedure in Step #1 to check and DOCUMENT the new configuration.
  4. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Corrupted Time Service Resolution Section (Contingency)

If any of the procedures did not work or event log errors indicate any issues, you can reset the time service registry entries back to default. The procedure should be done on the DC that you are experiencing issues with and not necessarily on each DC.  Note: This procedure can also be used as a contingency to return a DC (PDC and non-PDCs) back to local CMOS time sync.

  1. On the DC that you’re experiencing issues with, run the following:
    1. Open an Administrator command prompt.
    2. net stop w32time
    3. w32tm /unregister
    4. w32tm /register
    5. net start w32time
    6. Configure the DC according to the configuration sections above depending on if it’s a PDC Emulator or non-PDC Emulator.
  2. The next command is ONLY for Windows 2000 to 2008 DCs. It does not apply to 2008 R2 or newer and will be ignored if you try it.
    1. “net time /setsntp: ”      – Do not use the quotes. Note that there’s a blank space prior to the closing quote.
      This command tells the client (whether a DC or workstation) to delete the current registry settings for time and use default settings.
    2. net stop w32time && net start w32time
    3. Configure the DC according to the configuration sections above depending on if it’s a PDC Emulator or non-PDC Emulator.

*

W32Time Service Accuracy

Please bear in mind that the Windows W32Time service is not a full featured, accurate service for time sensitive application requirements, nor will Microsoft support it as such. You must use a third party time service that will support this requirement.

For more information, please visit the following link:

Support boundary to configure the Windows Time service for high-accuracy environments
http://support.microsoft.com/kb/939322

==================================================================

References

How the Windows Time Service Works
http://technet.microsoft.com/en-us/library/71e76587-28f4-4272-a3d7-7f44ca50c018

Windows Time Service Technical Reference
http://technet.microsoft.com/en-us/library/a0fcd250-e5f7-41b3-b0e8-240f8236e210

Windows Time Service Tools and Settings
Includes specific w32tm command switches and registry entries.
http://technet.microsoft.com/en-us/library/cc773263

=================================================================

Summary

I hope this helped you to easily configure your time service and what to do if it didn’t work.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image002[6] clip_image004[6] clip_image006[6] clip_image008[6] clip_image010[6] clip_image012[6] clip_image014[6]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.