Event ID 5774

 

 

In general, these events indicates that the machine is unable to register its records with the DNS serverSleeping half-moon it’s configured.

Possible causes:

  • An ISP’s DNS server, or the router’s IP address, is set to be used as a DNS server in NIC properties.
  • The AD zone is configured to not allow dynamic updates.
  • If the 1st DNS entry is in another site, a firewall may be blocking necessary traffic.
  • Altered default security settings on the zone.
  • Altered default security settings in AD.
  • Altered default security settings on C: drive or C:\Windows folder.
  • Antivirus not configured to allow domain communications and services exceptions. See the antivirus vendor documentation on how to configure DCs for exclusions.
  • If the zone is set to Secure Only, possible Kerberos authentication errors will prevent registration. Causes of Kerberos errors can be numerous including misconfigured time service and antivirus exclusion, using an ISP’s DNS, third party installed firewalls or AV, and more.

Note on Firewalls

Active Directory communications require over 29 ports to be allowed, plus the ephemeral ports, and differ among operating system versions:

  • Windows 2003, Windows XP and older: UDP 1024 – 5000
  • Windows 2008, Windows Vista, & newer: UDP 49152 – 65536

DNS updates require TCP 53 & UDP 53, not just TCP 53.
It can be extremely challenging to configure a firewall for AD communications/ General rule of thumb is to just allow all traffic between locations.

Here’s a good list of the ports:

Active Directory Firewall Ports – Let’s Try To Make This Simple (RODC, too)
http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

If you need to control the ports AD uses across a firewall:

Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx

Paul Bergson’s Blog on AD Replication and Firewall Ports
http://www.pbbergs.com/windows/articles/FirewallReplication.html
http://www.pbbergs.com/windows/articles.htm

Restricting Active Directory replication traffic and client RPC …Restricting Active Directory replication traffic and client RPC traffic to a … unique port, and you restart the Netlogon service on the domain controller. …
http://support.microsoft.com/kb/224196

How to restrict FRS replication traffic to a specific static port – How to restrict FRS replication traffic to a specific static port … Windows 2000-based domain controllers and servers use FRS to replicate system policy …
http://support.microsoft.com/kb/319553

 

You can run the following tests on AD to ensure there are no errors:

  • DCDIAG /V /C /D /E /s:yourDCName > c:\dcdiag.log
  • Netdiag.exe /v > c:\netdiag.log (Run only on each Windows 2003 or older DCs, not 2008 or 2008 R2)
  • repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
  • ntfrsutl ds domain.com > c:\sysvol.log

Possible solutions:

  1. On the machine logging the above event, in their TCP/IP configuration, make sure they’re not configured for the same DNS server for both Primary and Secondary.
  2. The following registry value is incorrect: “SiteCoverage” under:    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
        This value typically should equal the domain name.
  3. You can try to flip the zone types to reset default settings.
    1. Change the zone type from Active Directory integrated to “Standard Primary”, then stop & start DNS.
    2. Then stop & start the netlogon service on the child DC & verify that the records are registered.
    3. If verified, then change the zone type back to Active Directory integrated and verify that the DC no longer records the Event log errors when the netlogon service is stopped & started.
  4. Make sure the machine logging the above event is pointing to a DNS server that support Dynamic updates and is hosting a zone for the domain (i.e. make sure it’s not pointing to the ISPs DNS server).
  5. Verify if there is no manually created CNAME, A or other record) for the same hostname. If there is, it will prevent the DCs from dynamically registering its host and you need to remove the manually created record.
  6. In a Parent – Child delegated scenario, and Event ID 5774 was logged on the domain controllers in the child domain:
        Setup:
        On the parent DNS servers, there is a delegation for the child DNS servers. The child DNS servers have forwarders up to the parent DNS servers.
        Cause and Fix:
        On the Security tab in the delegations, check if  “Authenticated Users” is missing.
        Added “Authenticated Users” and enabled Full Control.

References:

Domain Controller Generates a Netlogon Error Event ID 5774
http://support.microsoft.com/?id=284963

A DNS Update is recorded as failed: Event ID 5774, 1196, or 1578
This problem occurs when you use a third-party server application for DNS resolution. This includes SCCM causing false alarms, and cluster resources not initiating using a third party DNS server.
Hotfix available for Windows Server 2008 R2 or Windows 7.
http://support.microsoft.com/kb/977158

Event ID: 5774 Source: NETLOGON
http://eventid.net/display.asp?eventid=5774&eventno=353&source=NETLOGON&phase=1

Other References:

Technet thread: “Event 5774, NETLOGON” Friday, November 20, 2009
http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/0507f7cc-c426-439b-a0c6-d36cda2dfee8

Technet thread: “Netlogon event 5774” Tuesday, February 01, 2011
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/cf5c1e9e-dccb-45e2-9f14-144f8ba1f838/

================================================

Summary

I hope this helps with figuring out and fixing an Event ID 5774. 

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

DNS Dynamic Updates in a Workgroup

==================================================================
==================================================================
Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
   Microsoft Certified Trainer
   Microsoft MVP: Directory Services
   Active Directory, Exchange and Windows Infrastructure Engineer and Janitor

www.delcocomputerconsulting.com

Prelude

So the machines and devices you want to register into DNS are not in an Active Directory. Therefore, that means none of your Windows computers have been configured with a Primary DNS Suffix. When you join a computer to a domain, one of the many things that occur on the computer is that the Primary DNS Suffix is automatically configured, which matches the name of the AD DNS domain name, which should also be identical to the DNS zone name.

And further, as we already know, that’s what a computer needs to register into a zone with the same name. If you weren’t aware of this basic requirement, you can catch up on how Dynamic DNS registration works by reading my other blog:

AD & Dynamic DNS Updates Registration Rules of engagement
https://blogs.msmvps.com/acefekay/2012/11/19/ad-dynamic-dns-updates-registration-rules-of-engagement

Primary DNS Suffix

However, workgroup computers normally do not have a Primary DNS Suffix, unless you’ve already manually configured all of them. Neither do other devices, such as mobile phones, tablets and other non-Microsoft products.

No fret. We can make this work without a Primary DNS Suffix. After all, non-Windows devices, such as phones and tables, do not have such a setting to configure.

There are actually a number of ways to get this to work. One way is to force the Primary DNS Suffix on your Windows workgroup computers by using a registry script (outlined later below). However, that will only be good for your Windows computers. What about those non-Windows devices?

To register your Windows computers and non-Windows devices, an easier way to go about it is to use Windows Server DHCP to register all leases into the DNS zone. We can do this by using the DHCP service on a non-AD joined Windows Server configured with DHCP credentials, DHCP Option 015, and configured to force all leases to register into the zone whether the device has the ability to register on its own or not.

The credentials allows DHCP to own the record, so in case the device leaves and returns at a later date and gets a new IP, the DHCP service can update the old host record in DNS with the new IP. Without credentials, the device will update, but it may not be able to update its old record, which then you may wind up with duplicate host entries in the zone. Of course, we wouldn’t want that.

Use Windows DHCP to Force Register All Leases

The first thing we need is a Windows Server with the DHCP and DNS services installed and running. To provide a 30,000’ view of what’s involved, we start by creating a regular, non-Administrator, local user account on the server that will be used to configure the DHCP scope to use as credentials for registration. And to stress what I just said, it does NOT have to, nor should it be, an Administrator account. It should just be a plain-Jane user account, but give it a really strong password. In an AD domain environment, the credentials would be a plain-old AD Domain User account. But in this case, it’s a local User account. Then configure DHCP to force update all records, whether the entity can register or not.

Zone’s NS & SOA Entries

For the DNS service to properly work, the DNS server itself must have its own host (A) record reregistered into the zone, as well as registered its record as an NS record in the zone’s properties. This means that the Windows server DNS is installed on, must be configured with a Primary DNS Suffix matching one of the zones that DNS will be authoritative for (meaning that DNS is hosting the zone). We usually pick the main zone for the company environment. Once configured, then this part will automatically occur. If it doesn’t have a Primary DNS Suffix, then this automatic part will not happen.

You can easily tell if any Windows computer has a Primary DNS Suffix by a simple ipconfig /all, however I’m sure you already know if your server has one configured one or not, since this must be manually done on a workgroup computer. As stated, an AD joined computer (server or workstations) will automatically configure itself with a Primary DNS Suffix that matches the AD DNS domain name,

Detailed Steps:

  1. First, assuming you haven’t already installed DNS and created a zone in DNS, let’s go ahead and install and create your zone.
  1. You can install the DNS service Role (yes, it’s a Role, not a Feature), using Server Manager in Windows Server 2008, 2008 R2, 2012, and newer.
    Install a DNS Server
    http://technet.microsoft.com/en-us/library/cc725925.aspx
  2. Once installed, create your zone, such as adatum.com. Also in the zone properties, make sure you allow Updates. And note, with DNS on a non-DC, the only option you have is either “None,” or “Nonsecure and secure.” You have no choice other than “Nonsecure and secure.”
    (Click image to see a larger version of the image in a new window)
  • Obviously it’s important that the DNS & DHCP server is set to a static IP configuration. Pick an IP, and stick to it. Then make sure that the server itself is ONLY using its own IP for DNS entry in its NIC. No others must be in here, otherwise you’ll get unexpected and possibly undesired results.
    (Click image to see a larger version of the image in a new window)
    1. I need to stress that this is extremely important.
    2. If you have any computers in the environment that have a static IP address configured (not getting an IP from DHCP), you must also make sure they are configured with only your own Windows DNS server’s IP.
    3. If you’ve configured it with your ISP’s DNS, because you thought that’s what you need for internet resolution, then that’s wrong, and more importantly, that computer will not register nor be able to resolve internal hosts. 
    4. Same thing using your router (either ISP provided, or something you bought from a retail store such as a Linksys, Dlink, etc). Do not use your router as a DNS address. They are not DNS servers, and they only proxy to an external DNS, which is useless if you are running DNS internally.
    5. And no, you CAN’T mix internal and external DNS entries. It doesn’t work that way. It’s not a DNS server thing, rather it’s based on a DNS client, specifically it’s based on how the client side resolver algorithm works. For a technical explanation for the technically curious, please read my blog explaining it:
    6. http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

    7. The DNS server can use Root Hints to resolve internet names. Or you can configure a Forwarder:
    8. Configure a DNS Server to Use Forwarders – Windows 2008 and 2008 R2 (Includes info on how to create a forwarder)
      http://technet.microsoft.com/en-us/library/cc754941.aspx
      (Click image to see a larger version of the image in a new window)

  • Configure a Primary DNS Suffix on your Windows Servers that’s hosting DNS. To do that:
    Go to Start
    Right-click Computer, properties
    In the computer name tab click change settings
    Then click change
    Then click More
    Type your domain name here.
    Click Ok a few of times, and restart the server.
    (Click image to see a larger version of the image in a new window)

  • After the restart, make sure it registered into the your zone, for example, contoso.com. You can simple check by running an ipconfig /all. Look for the Primary DNS Suffix name.
    (Click image to see a larger version of the image in a new window)

    For more information on all the info that an ipconfig /all provides, please read the following:
  • Why do we ask for an ipconfig /all, when we try to help diagnose AD issues and other issues?
    https://blogs.msmvps.com/acefekay/2013/03/02/why-do-we-ask-for-an-ipconfig-all-when-we-try-to-help-diagnose-ad-issues/

  • In the contoso.com zone properties, Nameserver tab. Make sure it registered itself. If not, manually add it by clicking Add, then type in the server’s FQDN, and click Resolve. If all things are configured correctly, then it should resolve it. Click OK.
    (Click image to see a larger version of the image in a new window)
  • On the “Start of Authority (SOA)” tab click “Browse…” next to the Primary server field and browse for the server’s A record in the contoso.com zone. Click OK.
    (Click image to see a larger version of the image in a new window)
  • Repeat step 4 for the reverse zone, and any other zones you’ve created in DNS.
  • DHCP Options
    1. DHCP Option 015 must be set to your zone, such as adatum.com. This provides a way to work for the interface to use that zone for registration, as well as for the DHCP server to use it to register into the zone.
    2. DHCP Option 006 must be set to only your internal DNS servers. Do not use your router as a DNS address (it’s really not a DNS server anyway), or your ISP’s DNS servers.
      (Click image to see a larger version of the image in a new window)
  • Configure scavenging. The scavenging NoRefresh and Refresh values combined should add up to or greater than the lease length. For example, if the DHCP lease length is 8 days, then the NoRefresh value should be 4, and the Refresh value should be 4.
    More info:
  • Good article by Sean Ivey, MSFT:
    How DNS Scavenging and the DHCP Lease Duration Relate
    (Make the NoRefresh and Refresh each half the lease, so combined, they are equal or greater than the lease).
    http://blogs.technet.com/b/askpfe/archive/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate.aspx

  • In DHCP properties, DNS tab (note -this tab is actually DHCP Option 081, even though it doesn’t say it), choose to force DHCP to update all records whether a DHCP client asks or not. And configure it to register records for machines that can’t.
    (Click image to see a larger version of the image in a new window)
  • Configure a user account to be used for DHCP Credentials (as I said above), then go into DHCP, IPv4, properties, Advanced, Credentials, and enter the credentials.
    (Click image to see a larger version of the image in a new window)
  • Restart the DHCP service.
  • It should now work.
  •  

    Example of what you should see after it’s configured and working:

    (Click image to see a larger version of the image in a new window)

    Other notes and references:

    There are a number of ways to get this to work. Read the following discussion for more info:

    Technet thread: “Server 2008 R2: DNS records not dynamically registering in workgroup situation” 12/31/2010
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2380872f-2e71-49eb-8fbb-87f980920fc7/

    Registry summarized:

    Not that this will work for your non-Windows devices, but I’m providing this information if you want to only configure your Windows computers.

    You can create and remotely run a registry script for the interface on the workgroup machines using a tool called PSEXEC (free download from Microsoft). Of course you must have the local admin account credentials on all your computers to run this remotely, and the remote Registry service started, and possibly antivirus software and Windows firewall configured to allow this.

    You’ll want to target and populate the following two registry entries with your zone name, such as adatum.com:

    • HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\domain
    • HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\NV domain

    Using the above two keys, try this VB script:
    SET WSHShell = CreateObject(“WScript.Shell”)
    WSHShell.RegWrite “HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\NV domain”, “adatum.com“, “REG_SZ”
    WSHShell.RegWrite “HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\domain”, “adatum.com“, “REG_SZ”

    If you are in an AD Environment

    Oh, and if you’re curious how DHCP should be configured in an AD environment to force updates, etc, read my blog on it, please:

    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a “pen” icon, and more…
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM  3758  2 
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx  

    Good summary:
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27

    Summary

    I hope you’ve found this helpful. Any suggestions, errors, comments, etc., are all welcomed!

    Ace Fekay

    Why do we ask for an ipconfig /all, when we try to help diagnose AD issues?

    Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP: Directory Services
    Active Directory, Exchange and Windows Infrastructure Engineer
    www.delcocomputerconsulting.com

    Ace here again. Yea, I had to post a blog about this because many people ask, why do you want that? Just for the IP address??

    Nope. Not just for the IP.

    Good question.

    There is quite a bit of information that an ipconfig /all provides us configuration data as a precursor for a diagnosis. Sometimes the ipconfig /all results will help us fix it, but not always.

    Many admins are reluctant to provide this sort of information citing security reasons.

    In some cases, I sympathize and agree, but in many cases, security really isn’t much of a concern, because for one, your internal IP range is a private range, and two, you can substitute your actual internal domain name with something more generic, such as substituting “microsoft.local” with “mydomain.local. You should also substitute your DC names using something generic, such as dc-01. dc-02, etc. But definitely keep track of the substituted DC names if we have additional questions regarding them.

    Let’s take a look at each value in an ipconfig /all

    Believe it or not, the results of an ipconfig /all has numerous information that helps us get an inside view of a DC’s basic network configuration, as well as basic service configuration.

    Let’s break it down:

    C:\>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : company-dc-01  

    • Name is under 15 characters – good for NetBIOS compatibility. Not a huge concern for many compani
    • Possibly indicates more than one DC based on the –01 portion of the name

    Primary Dns Suffix  . . . . . . . : company.com 

    • The AD DNS Domain name is not a single label name.
    • In some cases, we’ll also ask for the name in ADUC. If the name in ADUC does no match this name, then it’s a Disjointed Namespace condition).
    • Node Type . . . . . . . . . . . . : Hybrid   

      • If Hybrid is set, it tells me that WINS is in use.
      • Hybrid mode, specifically 0x8 (as you would set a WINS server Hybrid mode in DHCP Option 046), tells the client side resolver to use WINS first when attempting to resolve a single name query, and if it can’t resolve it, to then try a broadcast to resolve it. Of course, this is only after DNS resolution fails, since DNS is used first anyway, where the client side resolver will suffix the Search Suffix when attempting to resolve it as a DNS hostname query.
      • If the Node Type is set to “Unknown,” then no big deal. It just means that WINS is not being used, and the resolver service will use broadcast for a  single name resolution.
      • IP Routing Enabled. . . . . . . . : No

        • Means RRAS is not installed
        • If set to Yes, it means RRAS is installed, and it will interfere with AD communications on this DC. 
           

        WINS Proxy Enabled. . . . . . . . : No  

        • On a DC, “No” is what we want to see.
        • If set to Yes, then it means “Enable broadcast name resolution” is checked under General tab in RRAS properties.
          • If this is set to Yes, and there is only one NIC. it could mean either:
          • RRAS is installed only for VPN use
          • RRAS was disabled, but the setting stuck
        • Either way, if it is set to Yes, it will cause problems with AD communications.

        DNS Suffix Search List. . . . . . : company.com

        • This is what the client side resolver will use when attempting to resolve a single name query. For example, if I run nslookup against a single name such as computer1, the resolver will suffix company.com to it, resulting in a query of computer1.company.com.
        • If there are multiple domains in the forest, such as a parent and child domain, or multiple child domains, then each domain must be configured with a search suffix for all other domains in order to be able to resolve everything in the forest. This is also true for additional Trees in the forest.
        • The company.com in this example, was devolved from the Primary DNS Suffix.
          • If the Primary DNS suffix has multiple levels, such as Chicago.ad.company.com, then the resolver will devolve it to show search suffixes of chicago.ad.company.com, ad.company.com, and company.com.
          • However, if ad.company.com is the parent root domain, if using Windows 2008 or newer, it will only devolve to ad.company.com. Windows 2000 and 2003 devolved all levels, which led to some confusion.

        Ethernet adapter Team 1:

        • Obviously this interface is a team.

        Connection-specific DNS Suffix  . :

        • If this is a DHCP client, and DHCP Option 015 is configured with a domain suffix, then it will populate this value. It’s used for a specific interface that gets this configuration, such as if it is a wireless, then that value will populate the wireless connection, but not the wired connection, and will be used as suffix for identification and DNS registration only for that interface, but it is not used as a search suffix.

        Description . . . . . . . . . . . : BASP Virtual Adapter

        • This is the vendor brand name of the adapter

        Physical Address. . . . . . . . . : 00-18-8B-47-F0-D1

        • This is the MAC address of this adapter or Team.

        DHCP Enabled. . . . . . . . . . . : No

        • This means the NIC has a static configuration.

        IP address, mask and subnet

           IP Address. . . . . . . . . . . . : 192.168.80.10
           Subnet Mask . . . . . . . . . . . : 255.255.255.0
           Default Gateway . . . . . . . . . : 192.168.80.1

        • In the above three values, we make sure the IP address and mask are on the same subnet as an ipconfig /all of another machine, if one was provided. You would be surprised how many times we’ve seen subnets mis-configured with an incorrect subnet mask. 

        DNS Servers . . . . . . . . . . . : 192.168.80.5
                                                        192.168.80.10

        • What we look for with DNS address, is only to specify the internal DNS servers hosting the AD zone. If an external DNS addresses are specified, or your router’s DNS address is specified (for example, 192.168.80.1), then you should expect to see numerous problems. This is because your machine is sending the external DNS servers or your router a query whenever it tries to login, authenticate, find domain resources, etc. The external DNS servers or your router, does not have an answer when queried for internal resources. It’s the same as me asking the first person I see walking by out front of my house, “Where’s that beer that was in my refrigerator last night?” Besides the person not having an answer, he’ll probably give me a funny or dirty look. Your DNS server and DC won’t give you a funny look, but you’ll probably get some sort of error and your machine will fail to find your AD domain.
        • The addresses you see listed in this example are showing that it is pointing to a partner DC as the first entry, and itself as the second entry.
          • You may also find in some configuration the loopback as the second entry. This is ok, too. DCPROMO puts in the loopback. Matter of fact, if you were to run the AD BPA, one of the things it looks for is the loopback as the second entry. You can leave it there if you like, or you can change it to the IP of itself, but if you do, just ignore the BPA’s warnings, if you were to run it again.

        Primary WINS Server . . . . . . . : 192.168.80.10

        • This tells me the server is running WINS. Why? Because it is pointing to itself, as it should be for a WINS server.
        • If a WINS server is pointing to any other WINS servers, it will cause numerous problems with WINS record ownership.

        NetBIOS over Tcpip. . . . . . . . : Enabled

        • Of course this one is obvious. But here’s one for you. If you have NetBIOS disabled, but you are using WINS, what’s the point??

        AD & Dynamic DNS Updates Registration Rules of engagement

        Keep in mind, for the most part it automatically works "out of the box" without much administrative overhead.

        Original Compilation: 11/19/2012

        ===

        Summary

        1. The machine’s DNS entries in the NIC, must be ONLY configured to use the internal DNS servers that host the zone. No others.
            a. DHCP Option 006 MUST only be the internal DNS server(s) you want to use, otherwise if using an ISP’s DNS or your router, expect undesired results.

        2. The Primary DNS Suffix on the machine MUST match the zone name in DNS.
            a. For joined machines, this is default.
            b. For non-joined machines, it must be manually configured or scripted.

        3. If using DHCP Option 015 (Connection Specific Suffix), it must match the zone name and have "Use This Connection’s DNS Suffix in DNS Registration" along with "Register This Connection’s Addresses in DNS" checked in the NIC’s IPv4, Advanced, DNS tab.

        4. The Zone must be configured to allow updates.

        5. For AD Integrated Zones and Secure Only Updates:
           a. If the machine’s DNS is statically configured:
              – It must only point to the internal DNS
              – It must be joined to the domain in order to authenticate using Kerberos to update.
           b. If statically configured and not joined to the domain, the client can’t update if the zone is set to Secure Only.
           c. For non-joined domain DHCP clients, you can configure DHCP to update in lieu of the client updating into a Secure Only zone.

        6. For any non-Windows statically configured machine, it must support the DNS Dynamic Updates feature and the zone configured to allow Secure and Unsecure updates.

        7. If the DNS server is multihomed and not configured properly to work with multihoming, it may cause problems with Dynamic Updates.

        8. If the zone is single label name, such as ‘domain’ instead of the proper minimal format of ‘domain.com,’ ‘domain.net,’ etc., it will NOT update.

        9. The client will "look" for the SOA of the zone when it attempts registration. If the SOA is not available or resolvable, it won’t register. Keep in mind with AD integrated zones the SOA rotates among the DCs because of the multimaster feature. This is default and expected behavior, but if there are any DCs that have any problems, and the client resolved the SOA to that DC, it may not accept the update.

        10. The zone in DNS must NOT be a single lable name, such as "DOMAIN" instead of the required minimum of two hierarchal levels such as domain.com, domain.local, domain.me, domain.you, etc. Single label name zones are problematic, do not conform to the DNS RFC, and causes excessive internet traffic to the Root Servers when DNS tries to resolve a single label name query, such as querying for computername.domain – in such a query, the domain name is actually treated as a TLD. ISC has made a note of the excessive traffic generated by Microsoft DNS servers configured with a single label name in 2004 with Microsoft, which in turn disabled the ability for Microsoft DNS in Windows 2000 SP4 and newer to resolve single label names without a registry band aid. More info on this:

        Active Directory DNS Domain Name Single Label Names – Problematic
        Published by Ace Fekay, MCT, MVP DS on Nov 12, 2009 at 6:25 PM  641  0
        http://msmvps.com/blogs/acefekay/archive/2009/11/12/active-directory-dns-domain-name-single-label-names.aspx

        11. For Windows 2008 and all newer operating systems, IPv6 must not be disabled. If disabled, it will cause other problems:
        The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.
        Quoted by Joseph Davies, MSFT:
        "IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. "Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be."
        http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

        Arguments against disabling IPv6
        Demoire, [MSFT], 24 Nov 2010 12:37 AM
        http://blogs.technet.com/b/netro/archive/2010/11/24/arguments-against-disabling-ipv6.aspx

        Full explanation:

        1. Active Directory’s DNS Domain Name is NOT a single label name ("DOMAIN" vs. the minimal requirement of "domain.com." "domain.local," etc).

        2. The Primary DNS Suffix MUST matches the zone name that is allowing updates. Otherwise the client doesn’t know what zone name to register in. You can also have a different Connection Specific Suffix in addition to the Primary DNS Suffix to register into that zone as well.

        3. AD/DNS zone MUST be configured to allow dynamic updates, whether Secure or Secure and Non-Secure. For client machines, if a client is not joined to the domain, and the zone is set to Secure, it will not register either.

        4. You must ONLY use the DNS servers that host a copy of the AD zone name or have a reference to get to them. Do not use your ISP’s, an external DNS address, your router as a DNS address, or any other DNS that does not have a copy of the AD zone. Internet resolution for your machines will be accomplished by the Root servers (Root Hints), however it’s recommended to configure a forwarder for efficient Internet resolution. .

        5. The domain controller is multihomed (which means it has more than one unteamed, active NIC, more than one IP address, and/or RRAS is installed on the DC).

        6. The DNS addresses configured in the client’s IP properties must ONLY reference the DNS server(s) hosting the AD zone you want to update in.

        This means that you must NOT use an external DNS in any machine’s IP property in an AD environment. You can’t mix them either. That’s because of the way the DNS Client side resolver service works. Even if you mix up internal DNS and ISP’s DNS addresses, the resolver algorithm can still have trouble asking the correct DNS server. It will ask the first one first. If it doesn’t get a response, it removes the first one from the eligible resolvers list and goes to the next in the list. It will not go back to the first one unless you restart the machine, restart the DNS Client service, or set a registry entry to cut the query TTL to 0. The rule is to ONLY use your internal DNS server(s) and configure a forwarder to your ISP’s DNS for efficient Internet resolution.

        This is the reg entry to cut the query to 0 TTL (normally this is not necessary, but I’m posting it as a reference).

        The DNS Client service does not revert to using the first server …The Windows 2000 Domain Name System (DNS) Client service (Dnscache) follows a certain algorithm when it decides the order in which to use the DNS servers …
        http://support.microsoft.com/kb/286834

        The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP (applies to all Operating Systems, too)
         http://support.microsoft.com/kb/320760

        For more info, please read the following on the client side resolver service:

        DNS, WINS NetBIOS & the Client Side Resolver, Browser Service, Disabling NetBIOS, Direct Hosted SMB (DirectSMB), If One DC is Down Does a Client logon to Another DC, and DNS Forwarders Algorithm if you have multiple forwarders.
        http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

        7. For DHCP clients, DHCP Option 006 for the clients are set to the same DNS server.

        8. If using DHCP, DHCP server must only be referencing the same exact DNS
        server(s) in it’s own IP properties in order for it to ‘force’ (if you set
        that setting) registration into DNS. Otherwise, how would it know which DNS
        to send the reg data to?

        9. If the AD DNS Domain name is a single label name, such as "EXAMPLE", and not the proper format of "example.com" and/or any child of that format, such as "child1.example.com", then we have a real big problem. DNS will not allow registration into a single label domain name.
        This is for two reasons:
               1. It’s not the proper hierarchal format. DNS is
                   hierarchal, but a single label name has no hierarchy.
                   It’s just a single name.
               2. Registration attempts causes major Internet queries
                   to the Root servers. Why? Because it thinks the
                   single label name, such as "EXAMPLE", is a TLD
                  (Top Level Domain), such as "com", "net", etc. It
                  will now try to find what Root name server out there
                  handles that TLD. In the end it comes back to itself
                 and then attempts to register. Unfortunately it doe NOT
                 ask itself first for the mere reason it thinks it’s a TLD.

        (Quoted from Alan Woods, Microsoft, 2004):
        "Due to this excessive Root query traffic, which ISC found from a study that discovered Microsoft DNS servers are causing excessive traffic because of single label names, Microsoft, being an internet friendly neighbor and wanting to stop this problem for their neighbors, stopped the ability to register into DNS with Windows 2000 SP4, XP SP1, (especially XP,which cause lookup problems too), and Windows 2003. After all, DNS is hierarchal, so therefore why even allow single label DNS domain names?"

        The above also *especially* applies to Windows Vista, Windows 7, &, 2008, 2008 R2, Windows 2012, and newer.

        10. ‘Register this connection’s address" on the client is not enabled under the NIC’s IP properties, DNS tab.

        11. Maybe there’s a GPO set to force Secure updates and the machine isn’t a joined member of the domain.

        12. With Windows 2000, 2003 and XP, the "DHCP client" Service is not running.  In Windows 2008, Windows Vista and all newer operating systems, it’s now the DNS Client Service. This is a requirement for DNS registration and DNS resolution even if the client is not actually using DHCP.

        Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (2000/2003/XP only)
        http://support.microsoft.com/?id=264539

        13. You can also configure DHCP to force register clients for you, as well as keep the DNS zone clean of old or duplicate entries. The following has more information on how to do that:

        DHCP, Dynamic DNS Updates, Scavenging, static entries & timestamps, and the DnsProxyUpdate Group (How to remove and prevent future duplicate DNS host records)
        Published by acefekay on Aug 20, 2009 at 10:36 AM  3758  2 
        http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx

         

        What will stop AD SRV registration:

        1) External DNS servers are configured under TCP/IP properties.  Only use internal DNS servers when part of an Active Directory domain.  AD Domain machines must ever be pointed at an external (ISP) DNS server or even use an ISP DNS server as an "Alternate DNS server".

        2. Are any services disabled such as the DHCP Client service? (it’s required).

        No DNS registration functions if DHCP Client Service Is Not Running (2000/2003/XP only)
        http://support.microsoft.com/?id=268674

        Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops (2000/2003/XP only)
        http://support.microsoft.com/?id=264539

        For all Windows 2008, Windows Vista and all newer operating systems, it’s the DNS Client Service.

        3. The AD/DNS zone not configured to allow dynamic updates.

        4. Make sure ‘Register this connection’s address" in DNS is enabled under TCP/IP properties.

        5. Missing or incorrect "Primary DNS suffix" or "Connection-specific DNS suffix" of the domain to which the machine belongs.  With a missing/incorrect DNS suffix a machine cannot find the correct zone to register in. If missing or incorrect, it is called a Disjoined Domain Name.

        6. Is the firewall service enabled? (disable it).

        7. Were the default C: drive permissions altered and was a hotfix installed a recently?

        "Systems that have changed the default Access Control List permissions on the
        %windir%\registration directory may experience various problems after you
        install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC"
        http://support.microsoft.com/kb/909444

        For more info about this issue, see:
        http://blogs.technet.com/steriley/archive/2005/11/08/414002.aspx

        8. If using Secure Updates: Not authenticated to the domain (which can be due to DNS misconfiguration or DNS server problem)

        9. Is the File and Print services enabled?

        10. Microsoft Client Services enabled?

        11. Is DNS listening on the private LAN interface?

        12. More than one NIC?

        13. Updates allowed on the zone?

        14. Primary DNS suffix matches the zone name in DNS and the AD domain name?

        15. Was Zone Alarm ever installed on these machines?

        16. Any Event log errors?

        17. Was a Registry entry configured to stop registration?
        246804 – How to Enable-Disable Windows 2000 Dynamic DNS Registrations (per NIC too):
        http://support.microsoft.com/?id=246804

        18. Spyware or something else such as DotNetDns installed on it?

        19. Single Label Domain Name?

        20. Netlogon and DFS services are started.

        21. Malware or virus altering network services preventing it from registering.

        22. Some sort of firewall in place, whether the Windows firewall disabling File and Print Services, or a 3rd party firewall, which many AV programs now have built in and must be adjusted to allow this sort of traffic and exclude the NTDS and SYSVOL folders. If Windows Firewall, run the following to see what settings are enabled:
        netsh firewall show config

        23. Is IPv6 disabled? That will stop registration. Enable it.

         

        Suggestions, Comments, Corrections are welcomed.

        Ace Fekay, MCT, MVP Directory Services