Posted on

Event ID 5774

 

 

In general, these events indicates that the machine is unable to register its records with the DNS serverSleeping half-moon it’s configured.

Possible causes:

  • An ISP’s DNS server, or the router’s IP address, is set to be used as a DNS server in NIC properties.
  • The AD zone is configured to not allow dynamic updates.
  • If the 1st DNS entry is in another site, a firewall may be blocking necessary traffic.
  • Altered default security settings on the zone.
  • Altered default security settings in AD.
  • Altered default security settings on C: drive or C:\Windows folder.
  • Antivirus not configured to allow domain communications and services exceptions. See the antivirus vendor documentation on how to configure DCs for exclusions.
  • If the zone is set to Secure Only, possible Kerberos authentication errors will prevent registration. Causes of Kerberos errors can be numerous including misconfigured time service and antivirus exclusion, using an ISP’s DNS, third party installed firewalls or AV, and more.

Note on Firewalls

Active Directory communications require over 29 ports to be allowed, plus the ephemeral ports, and differ among operating system versions:

  • Windows 2003, Windows XP and older: UDP 1024 – 5000
  • Windows 2008, Windows Vista, & newer: UDP 49152 – 65536

DNS updates require TCP 53 & UDP 53, not just TCP 53.
It can be extremely challenging to configure a firewall for AD communications/ General rule of thumb is to just allow all traffic between locations.

Here’s a good list of the ports:

Active Directory Firewall Ports – Let’s Try To Make This Simple (RODC, too)
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

If you need to control the ports AD uses across a firewall:

Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx

Paul Bergson’s Blog on AD Replication and Firewall Ports
http://www.pbbergs.com/windows/articles/FirewallReplication.html
http://www.pbbergs.com/windows/articles.htm

Restricting Active Directory replication traffic and client RPC …Restricting Active Directory replication traffic and client RPC traffic to a … unique port, and you restart the Netlogon service on the domain controller. …
http://support.microsoft.com/kb/224196

How to restrict FRS replication traffic to a specific static port – How to restrict FRS replication traffic to a specific static port … Windows 2000-based domain controllers and servers use FRS to replicate system policy …
http://support.microsoft.com/kb/319553

 

You can run the following tests on AD to ensure there are no errors:

  • DCDIAG /V /C /D /E /s:yourDCName > c:\dcdiag.log
  • Netdiag.exe /v > c:\netdiag.log (Run only on each Windows 2003 or older DCs, not 2008 or 2008 R2)
  • repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
  • ntfrsutl ds domain.com > c:\sysvol.log

Possible solutions:

  1. On the machine logging the above event, in their TCP/IP configuration, make sure they’re not configured for the same DNS server for both Primary and Secondary.
  2. The following registry value is incorrect: “SiteCoverage” under:    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
        This value typically should equal the domain name.
  3. You can try to flip the zone types to reset default settings.
    1. Change the zone type from Active Directory integrated to “Standard Primary”, then stop & start DNS.
    2. Then stop & start the netlogon service on the child DC & verify that the records are registered.
    3. If verified, then change the zone type back to Active Directory integrated and verify that the DC no longer records the Event log errors when the netlogon service is stopped & started.
  4. Make sure the machine logging the above event is pointing to a DNS server that support Dynamic updates and is hosting a zone for the domain (i.e. make sure it’s not pointing to the ISPs DNS server).
  5. Verify if there is no manually created CNAME, A or other record) for the same hostname. If there is, it will prevent the DCs from dynamically registering its host and you need to remove the manually created record.
  6. In a Parent – Child delegated scenario, and Event ID 5774 was logged on the domain controllers in the child domain:
        Setup:
        On the parent DNS servers, there is a delegation for the child DNS servers. The child DNS servers have forwarders up to the parent DNS servers.
        Cause and Fix:
        On the Security tab in the delegations, check if  “Authenticated Users” is missing.
        Added “Authenticated Users” and enabled Full Control.

References:

Domain Controller Generates a Netlogon Error Event ID 5774
http://support.microsoft.com/?id=284963

A DNS Update is recorded as failed: Event ID 5774, 1196, or 1578
This problem occurs when you use a third-party server application for DNS resolution. This includes SCCM causing false alarms, and cluster resources not initiating using a third party DNS server.
Hotfix available for Windows Server 2008 R2 or Windows 7.
http://support.microsoft.com/kb/977158

Event ID: 5774 Source: NETLOGON
http://eventid.net/display.asp?eventid=5774&eventno=353&source=NETLOGON&phase=1

Other References:

Technet thread: “Event 5774, NETLOGON” Friday, November 20, 2009
http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/0507f7cc-c426-439b-a0c6-d36cda2dfee8

Technet thread: “Netlogon event 5774” Tuesday, February 01, 2011
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/cf5c1e9e-dccb-45e2-9f14-144f8ba1f838/

================================================

Summary

I hope this helps with figuring out and fixing an Event ID 5774. 

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Posted on

DNS Client side Resolver Service and DNS Forwarders Query Algorithm

As many of you that follow my blogs, I had originally blogged about the client side resolver a few years ago. That can be found here:

http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

I think that many readers may have missed this portion because of the size of the blog, since after all it’s buried in one of the sections. Therefore, I thought to just specifically blog about it and get right to the point.

Background:

An internal DNS infrastructure is usually designed to support internal host name resolution fir internal hosts only. This is the goal whether it’s for any AD infrastructure or non-AD infrastructure, otherwise, why bother with DNS internally?

This is of course, especially true with AD. AD uses DNS. DNS stores AD’s resource and service locations in the form of SRV records, hence how everything that is part of the domain will find resources in the domain.

If the ISP’s DNS is configured in the any of the internal AD member machines’ IP properties, (including all client machines and DCs), the machines will be asking the ISP’s DNS ‘where is the domain controller for my domain?” whenever it needs to perform a function, such as for a logon request, DC to DC replication communications requests, querying and applying GPOs, and more. Unfortunately, the ISP’s DNS does not have that info and they reply with an, “I dunno know” response, and things just fail.

Using an ISP’s DNS, or the router as a DNS address, is analogous to asking the first passerby on the street, “Hey, where’s that case of beer that was in my refrigerator last night?” He’ll either not have an answer, or he’ll tell you his friends took it, which is the wrong answer anyway.

The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:

If you mix the internal DNS and an external DNS, such as the DC as the first DNS entry, and the ISP’s DNS, or even using your router’s IP address as the second entry, will do the same thing. This because of the way the client side resolver service works on all machines (DCs and clients). The following should help better understand the client side service algorithm when attempting to resolve DNS names.

To summarize:

If a DNS query has already occurred and the client had already received a response, then the response is cached in the local resolver cache for the TTL of the DNS host record.  You can run “ipconfig /displaydns” to show what’s in cache and the remaining TTL of the host record. YOu can repeatedly repeat the command to see the TTL count down to 0, at which point it will disappear from the cache.

If there was no prior query and it’s not cached or the TTL has expired, and if there are multiple DNS entries on a machine’s NIC (whether a DC, member server or client), it will ask the first entry first.

  • If it receives a response, but say if the DNS server does not have the zone data (such as if you were to use your ISP’s DNS or your router as a DNS address, and expect that to work with AD), then it will be an NXDOMAIN or NACK response, meaning it got a response, even though it was wrong, and it will not go to the next DNS entry in the NIC’s list.
  • If it doesn’t respond, which is evident of a NULL response (no response, such as if the DNS server is down), it will go to the second entry after a time out period, which can last 15 seconds or more as it keeps trying the first one, at which then it REMOVES the first entry from the eligible resolvers list, and won’t go back to it for another 15 minutes (or forcing it by restarting the DNS Client service). This can also happen when a DC/DNS is down, or taken offline purposely for some reason, such as performing DC maintenance during production hours, it may cause issues within AD when accessing a resource such as a printer, folder, getting GPOs to function, etc. You can also reset the eligible resolvers list by:
  • If using Windows 2008/Vista and newer, restart the DNS Client Service
  • If using Windows 2000, 2003 or XP, restart the DHCP Client Service
  • Configure a registry entry to force the TTL to reset the list after each query.
  • Run an ipconfig /flushdns
  • Restart the machine.

If the ISP’s is the first one in the list in the NIC’s properties, obviously it will be knocked out when a client is trying to login.

This will be be noticed by a significantly long logon time period the client will experience before it goes to the second one, your internal DNS. So now the first one is knocked out for 15 minutes. Then say the client decides to go to an internet site. It will be querying the internal DNS at this point. As long as the internal DNS is configured with forwarders to an outside DNS, or use it’s Roots, it will resolve it.

Specifics on the resolver process:

Understanding the DNS Client Service and how Name Resolution works
http://networkadminkb.com/KB/a118/understanding-dns-client-service-how-name-resolution-works.aspx

Don’t Use your ISP’s DNS or your Router as a DNS Address on any Machine

So why even bother with an ISP in the client? This is another good reason to ONLY use the internal DNS server in the VPN’s DHCP service for VPN clients. Keep in mind, the client will probably be configured with an ISP’s anyway if outside the network. Fine, otherwise it can’t find the VPN server on the internet anyway. But once the VPN authenticates and is connected, the VPN interface will be the first on the binding order, which now you WANT to only have the internal DNS servers in that interface.

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP (applies to Vista and newer, too)
http://support.microsoft.com/kb/320760

Therefore, the ISP’s DNS, some other external DNS server, or using the router as a DNS address, should not be used in any internal AD client or any other machine that is part of the AD infrastructure that must find a domain controller in order to function.

Ipconfig examples:

  • BAD EXAMPLE

In this BAD example, there are mixture of internal and external DNS servers. On top of that, there are just way too many DNS servers, which the client side resolver time out will never see beyond the third one, if lucky.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Computer1
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
   Physical Address. . . . . . . . . : 64-80-98-11-5C-24
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::81ba:f421:cced:8826%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.100.58(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 10:07:18 AM
   Lease Expires . . . . . . . . . . : Saturday, April 05, 2014 10:45:58 PM
   Default Gateway . . . . . . . . . : 10.10.100.1
   DHCP Server . . . . . . . . . . . : 10.10.100.20
   DHCPv6 IAID . . . . . . . . . . . : 308576409
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-E1-F4-6D-04-11-22-67-01-15-21
  DNS Servers . . . . . . . . . . . : 10.10.100.20
                                               208.67.222.222
                                              208.248.240.23
                                             4.2.2.2
                                             4.3.4.4
                                             10.10.100.30
   NetBIOS over Tcpip. . . . . . . . : Enabled

  • GOOD EXAMPLE – You can see only the internal DNS servers are specified.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Computer1
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
   Physical Address. . . . . . . . . : 64-80-98-11-5C-24
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::81ba:f421:cced:8826%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.100.58(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 10:07:18 AM
   Lease Expires . . . . . . . . . . : Saturday, April 05, 2014 10:45:58 PM
   Default Gateway . . . . . . . . . : 10.10.100.1
   DHCP Server . . . . . . . . . . . : 10.10.100.20
   DHCPv6 IAID . . . . . . . . . . . : 308576409
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-E1-F4-6D-04-11-22-67-01-15-21
  DNS Servers . . . . . . . . . . . : 10.10.100.20
                                               10.10.100.30
   NetBIOS over Tcpip. . . . . . . . : Enabled

Configure a Forwarder Using your ISP’s DNS

That’s your best bet. It’s easy.

  • Open the DNS console
  • Right-click the DNS server name
  • Choose Properties
  • Click the Forwarder tab.
  • Enter the ISP’s DNS address in the Forwarders list.

And also, keep in mind, that if you have more than two or three Forwarders, the third one will probably never get checked because of the time-out of the client side resolver service *waiting* for a response to a query.

Router’s IP as a DNS Service

Don’t do it! Your router is NOT a DNS server. If you do, what the router will do is it will proxy the query request to its outside interface, which it will more than likely be using the ISP’s DNS. So that won’t work. Remove it from any machines as a DNS address.

Summary

I hope that helps understand why not to use an ISP’s DNS in your internal network.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

FaceBookTwitterLinkedIn