Netlogon event 5774

  • Question

  • I've got three Server 2008R2 DCs and one Server 2003 DC. On one of my 2008R2 DCs, I've seen the following error once (it has been a DC since late November 2010):
    Log Name: System
    Source: NETLOGON
    Date: 1/31/2011 8:20:03 PM
    Event ID: 5774
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: serverName.dnsDomainName.com
    Description:
    The dynamic registration of the DNS record '_ldap._tcp.ForestDnsZones.dnsDomainName.com. 600 IN SRV 0 100 389 serverName.dnsDomainName.com.' failed on the following DNS server:

    DNS server IP address: preferredDNSServerIP
    Returned Response Code (RCODE): 5
    Returned Status Code: 9005

    For computers and users to locate this domain controller, this record must be registered in DNS.
    USER ACTION
    Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
    Or, you can manually add this record to DNS, but it is not recommended.

    ADDITIONAL DATA
    Error Value: DNS operation refused

    What does "Return Status Code: 9005" mean? This DC is set up so that its preferred DNS servers are the other two 2008R2 DCs (which are in a different AD site) and 127.0.0.1. We are set up for dynamic updates. I logged in and ran dcdiag (without switches) with domain admin credentials. These were my failed results:
    Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=dnsDomainName,DC=com
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=dnsDomainName,DC=com
    ......................... serverName failed test NCSecDesc
    Starting test: NetLogons
    [serverName] User credentials does not have permission to perform this
    operation.
    The account used for this test must have network logon privileges
    for this machine's domain.
    ......................... serverName failed test NetLogons
    Starting test: Replications
    [Replications Check,serverName] DsReplicaGetInfo(PENDING_OPS, NULL)
    failed, error 0x2105 "Replication access was denied."
    ......................... serverName failed test Replications
    Starting test: Services
    Could not open NTDS Service on serverName, error 0x5
    "Access is denied."
    ......................... serverName failed test Services
    Finally, running "nltest.exe /dsregdns" results in:
    I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED
    What gives? Thanks.
    Tuesday, February 1, 2011 7:45 PM
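Added example (not from the thread or from any of its posters): the event says the locator SRV record "must be registered in DNS", so the first thing to establish is whether each DNS server configured on the DC's NICs actually answers with this DC for the records Netlogon registers. The script below queries every configured DNS server for the main locator records and reports, per server and record, whether this DC's FQDN is among the SRV targets. It assumes Resolve-DnsName and Get-DnsClientServerAddress (Windows Server 2012 R2 / PowerShell 4 or later); on the 2008 R2 DCs in the question, nslookup would have to stand in for Resolve-DnsName. The host and domain names are derived from the machine it runs on; the record list follows the names seen in the event text.

```powershell
# Added example: check that this DC's locator SRV records are present on every
# DNS server configured on its NICs (the servers Netlogon will try to register with).
# Requires the DnsClient module (Windows Server 2012 R2 / PowerShell 4+).

$dcFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. serverName.dnsDomainName.com
$dnsDomain = $dcFqdn.Substring($dcFqdn.IndexOf('.') + 1)

# Records Netlogon registers; the one that failed in the event was the ForestDnsZones record.
$srvNames = @(
    "_ldap._tcp.$dnsDomain",
    "_kerberos._tcp.$dnsDomain",
    "_ldap._tcp.dc._msdcs.$dnsDomain",
    "_ldap._tcp.DomainDnsZones.$dnsDomain",
    "_ldap._tcp.ForestDnsZones.$dnsDomain"
)

# Every DNS server listed on any IPv4 interface (127.0.0.1 included, if configured as in the question).
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique

foreach ($server in $dnsServers) {
    foreach ($name in $srvNames) {
        try {
            # -DnsOnly bypasses the local cache so the answer reflects that server's zone data.
            $records = Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly -ErrorAction Stop
            # The answer carries A/AAAA glue as well; keep only the SRV entries and their targets.
            $targets = $records | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }
            $state = if ($targets -contains $dcFqdn) { 'OK' } else { 'MISSING' }
        } catch {
            $state = "QUERY FAILED ($($_.Exception.Message))"
        }
        [pscustomobject]@{ DnsServer = $server; Record = $name; ThisDC = $state }
    }
}
```

A record that is MISSING on one server but OK on the others points at that server (permissions on the zone, or the path to it) rather than at Netlogon; a record missing everywhere means the registration never succeeded and nltest /dsregdns or a Netlogon restart, run with an account that has the rights the question's output shows were lacking, is the next step.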

Answers

  • Generally speaking, a 5774 usually indicates one of the following:

    • An ISP's DNS server, or the router's IP address, is set to be used as a DNS server in NIC properties
    • The zone called DomainName.com (in your example) does not allow dynamic updates
    • If the 1st DNS entry is in another site, a firewall may be blocking necessary traffic. There are over 29 ports, plus the ephemeral ports (Win2003 and older: UDP 1024 - 5000, and 2008 & newer: UDP 49152 - 65536) that AD communications require. DNS updates require UDP 53, not only TCP 53. Trying to finite this becomes difficult and generally the rule of thumb is to just allow all traffic between locations.

    The Return Status Code: 9005 is usually an access denied message. I assume you're logged on as an account that can perform this operation, such as the default administrator or a user account that is a domain admin or Enterprise admin.

    You can run the following tests on AD to make sure things are working OK and upload the info to SkyDrive, if you would like us to assist with the output.

    • DCDIAG /V /C /D /E /s:yourDCName > c:\dcdiag.log
    • netdiag.exe /v > c:\netdiag.log (Run only on each Windows 2003 or older DC, not 2008 or 2008 R2)
    • repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
    • ntfrsutl ds domain.com > c:\sysvol.log

    Summary

    Without knowing info about your infrastructure (firewall types, what's being blocked, etc.), it will be difficult to diagnose. My feeling is it's a firewall block. I would suggest setting itself as the first DNS entry (not the loopback but the actual IP), then running an ipconfig /registerdns and restarting the netlogon service, and seeing if that takes care of the 5774.

    The replication blocks are also indicative of a firewall blocking necessary AD ports. If you are not sure if there is a block, you can use PortQRY to scan and test each and every port that AD requires.

    The following are my notes on AD firewall ports, portqry, etc. I hope you find it helpful.

    ==================================================================
    ==================================================================
    Active Directory Firewall ports

    Active Directory Replication over Firewalls, Jan 31, 2006. Active Directory relies on remote procedure call (RPC)
    http://technet.microsoft.com/en-us/library/bb727063.aspx

    How to configure a firewall for domains and trusts
    http://support.microsoft.com/?id=179442

    Configuring an Intranet Firewall, Apr 14, 2006. Protocol ports required for the intranet firewall.
    Ports required for Active Directory and Kerberos communications
    http://technet.microsoft.com/en-us/library/bb125069.aspx

    Active Directory and Firewall Ports - I found it hard to find a definitive list on the internet for what ports needed opening for Active Directory to replication between Firewalls. ...
    http://geekswithblogs.net/TSCustomiser/archive/2007/05/09/112357.aspx


    ======
    Download PortQry:

    Download details: PortQry Command Line Port Scanner Version 2.0  Download PortQryV2.exe, a command-line utility that you can use to help troubleshoot TCP/IP connectivity issues. Portqry.exe runs on Windows ...
    http://www.microsoft.com/downloads/en/details.aspx?familyid=89811747-c74b-4638-a2d5-ac828bdc6983&displaylang=en


    Understanding portqry and the command's output:

    New features and functionality in PortQry version 2.0
    http://support.microsoft.com/kb/832919

    Portqry Remarks
    http://technet.microsoft.com/en-us/library/cc759580(WS.10).aspx
    ======

    Windows 2008, 2008 R2, Vista and Windows 7 use different ephemeral ports (the range has changed):

    Default ephemeral (Random service ports) are UDP 1024 - 65535 (See KB179442 below), but for Vista and Windows 2008 it's different. Their default start port range is UDP 49152 to UDP 65535 (see KB929851 below).

    Quoted from KB929851 (link posted below): "To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Microsoft Windows that used a default port range of 1025 through 5000."

    Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports)
    The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
    http://support.microsoft.com/?kbid=929851
    ======

    Here are some related links to restricting AD replication ports.

    Active Directory Replication over Firewalls
    http://technet.microsoft.com/en-us/library/bb727063.aspx

    Paul Bergson's Blog on AD Replication and Firewall Ports
    http://www.pbbergs.com/windows/articles/FirewallReplication.html
    http://www.pbbergs.com/windows/articles.htm

    Restricting Active Directory replication traffic and client RPC ...Restricting Active Directory replication traffic and client RPC traffic to a ... unique port, and you restart the Netlogon service on the domain controller. ...
    http://support.microsoft.com/kb/224196

    How to restrict FRS replication traffic to a specific static port - How to restrict FRS replication traffic to a specific static port ... Windows 2000-based domain controllers and servers use FRS to replicate system policy ...
    http://support.microsoft.com/kb/319553

    Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
    This KB indicates Checkpoint firewalls having an issue with AD communications.
    http://support.microsoft.com/?kbid=899148
    ======

    Checkpoint Firewall and AD, DNS and RPC Communications and Replication traffic

    Checkpoint firewalls have a known issue if you are running version R55 or older. You will need to make a registry entry to allow traffic to flow between the 2 sites via the VPN. The preferred solution is to upgrade the Checkpoint firewall.

    More info:
    Some firewalls may reject network traffic that originates from Windows Server 2003 Service Pack 1-based or Windows Vista-based computers
    (This link relates to and helps resolve the Checkpoint issue)
    http://support.microsoft.com/?kbid=899148

    Note from one poster on the internet with a Checkpoint firewall:
    For Windows 2003 R2 and non-R2 remote domain controller we added the Server2003NegotiateDisable entry in
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
    ==================================================================
    ==================================================================

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Edited by Ace Fekay [MCT] Tuesday, February 1, 2011 8:13 PM added info about dcdiag and other AD diagnostics
    • Marked as answer by Joson ZhouModerator Friday, February 11, 2011 5:15 AM
    Tuesday, February 1, 2011 8:05 PM
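Added example (not from the thread or from Ace's notes): a read-only connectivity check for the firewall-block hypothesis in the answer above. From the DC that logs the 5774, it tests the well-known TCP listeners a DC needs on the partner DC that is its first DNS entry, does a UDP 53 query (dynamic updates and most locator lookups are UDP, so a TCP-53-only rule still fails), and reads this host's dynamic port range from netsh so it can be compared with what the firewall actually permits (KB929851's 49152-65535 on 2008 and later versus 1025-5000 on 2003). It assumes Windows Server 2012 R2 or later for Test-NetConnection and Resolve-DnsName, English netsh output for the regex, and `$partner` is a placeholder host name to replace. RPC over 135 negotiates a second, dynamic port, which is why the range matters and why a single-port test can pass while replication still fails.

```powershell
# Added example: test AD/DNS reachability from this DC to a partner DC and report
# the local ephemeral (dynamic) TCP port range. Read-only; nothing is changed.
# Requires Windows Server 2012 R2+ (NetTCPIP and DnsClient modules).

$partner = 'dc2.dnsDomainName.com'   # placeholder: the DC that is the first DNS entry in NIC properties

# Well-known TCP listeners a DC must reach on a partner DC. 135 is only the endpoint
# mapper; the actual RPC call then uses a port from the partner's dynamic range.
$tcpPorts = [ordered]@{
    53   = 'DNS (TCP: zone transfer, large responses)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, Netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

$results = foreach ($port in $tcpPorts.Keys) {
    $t = Test-NetConnection -ComputerName $partner -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = "$port/tcp"; Service = $tcpPorts[$port]; Open = $t.TcpTestSucceeded }
}

# UDP 53: Resolve-DnsName uses UDP unless -TcpOnly is given, so a successful answer
# from $partner proves the UDP path that dynamic registration (event 5774) depends on.
$udp53 = $true
try {
    Resolve-DnsName -Name $partner -Type A -Server $partner -DnsOnly -ErrorAction Stop | Out-Null
} catch { $udp53 = $false }
$results += [pscustomobject]@{ Port = '53/udp'; Service = 'DNS (dynamic update, locator lookups)'; Open = $udp53 }

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Open } |
    ForEach-Object { Write-Warning "Blocked or not listening: $($_.Port) $($_.Service)" }

# Local dynamic port range, to compare with the firewall rule set (KB929851 / KB179442).
$dyn = netsh int ipv4 show dynamicport tcp
$m   = $dyn | Select-String 'Start Port\s*:\s*(\d+)'
$n   = $dyn | Select-String 'Number of Ports\s*:\s*(\d+)'
if ($m -and $n) {
    $start = [int]$m.Matches[0].Groups[1].Value
    $count = [int]$n.Matches[0].Groups[1].Value
    "Dynamic TCP port range on this host: $start-$($start + $count - 1)"
} else {
    'Could not parse netsh output (non-English locale?); run "netsh int ipv4 show dynamicport tcp" by hand.'
}
```

Run it in both directions (from each site's DC towards the other) before concluding the firewall is clean: replication and DNS registration are initiated from both ends, and a rule set that allows one direction only produces exactly the mixed picture of failed tests in the question.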

All replies

  • Hi Mhashemi

    Please check out the following thread which has a similar problem to yours as well as a solution.

    http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/0507f7cc-c426-439b-a0c6-d36cda2dfee8

    If the problem persists or is rectified, please post.



    tech-nique
    Tuesday, February 1, 2011 8:36 PM
  • Hello,

    Ace already answered, if I read correctly, most but not all of your open problems:

    Starting test: NCSecDesc
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=DomainDnsZones,DC=dnsDomainName,DC=com
    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
    Replicating Directory Changes In Filtered Set
    access rights for the naming context:
    DC=ForestDnsZones,DC=dnsDomainName,DC=com
    ......................... serverName failed test NCSecDesc

    This should be removed after running adprep /rodcprep. If not, please use the following option:

    Click Start, type "adsiedit.msc", find and right-click "DC=domain,DC=com", choose Properties, Security tab, click Advanced. On permissions tab, click ADD if Enterprise Read-only Domain Controllers are not listed. Type Enterprise Read-only Domain Controllers and click OK.

    Then allow the following permissions:
    - Replicating Directory Changes
    - Replication Synchronization
    - Manage Replication Topology

    After replication, run dcdiag again.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, February 1, 2011 8:40 PM
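Added example (not from the thread or from Meinolf's post): before granting anything in ADSI Edit, it is worth reading back what the NCSecDesc test actually checks. The script below resolves the rights Meinolf lists, plus the "Replicating Directory Changes In Filtered Set" right dcdiag named in the question, to their control-access-right GUIDs by looking up the displayName in the Extended-Rights container (so no GUIDs are hard-coded), then reads the DACL of the DomainDnsZones and ForestDnsZones partitions and reports whether each right is allowed to ENTERPRISE DOMAIN CONTROLLERS and to Enterprise Read-only Domain Controllers. It uses System.DirectoryServices only, so it runs on 2008 R2 without the ActiveDirectory module, and it is read-only; the naming contexts are taken from RootDSE of the domain it is run in.

```powershell
# Added example: read-only check of the replication control access rights on the
# DNS application partitions that dcdiag's NCSecDesc test evaluates.
# Runs with plain System.DirectoryServices (no AD module needed); domain-joined host assumed.

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$domainNc = $rootDse.defaultNamingContext.Value          # e.g. DC=dnsDomainName,DC=com

# Rights from the post, plus the one dcdiag complained about in the question.
$rightNames = @(
    'Replicating Directory Changes',
    'Replicating Directory Changes In Filtered Set',
    'Replication Synchronization',
    'Manage Replication Topology'
)

# Map rightsGuid -> displayName by searching CN=Extended-Rights in the Configuration NC.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Extended-Rights,$configNc",
    '(objectClass=controlAccessRight)',
    @('displayName', 'rightsGuid'))
$searcher.PageSize = 1000
$guidToName = @{}
foreach ($r in $searcher.FindAll()) {
    $name = [string]$r.Properties['displayname'][0]
    if ($rightNames -contains $name) {
        $guidToName[[guid]$r.Properties['rightsguid'][0]] = $name
    }
}

# Principals are matched on the part after the backslash, so the domain prefix does not matter.
$principals   = @('ENTERPRISE DOMAIN CONTROLLERS', 'Enterprise Read-only Domain Controllers')
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($nc in @("DC=DomainDnsZones,$domainNc", "DC=ForestDnsZones,$domainNc")) {
    $entry = [ADSI]"LDAP://$nc"
    # Explicit and inherited ACEs, identities rendered as DOMAIN\name.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rightName in $rightNames) {
        foreach ($p in $principals) {
            $granted = $rules | Where-Object {
                ($_.AccessControlType -eq 'Allow') -and
                (($_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
                # An empty ObjectType means "all extended rights"; otherwise it must be this right's GUID.
                (($_.ObjectType -eq [guid]::Empty) -or ($guidToName[$_.ObjectType] -eq $rightName)) -and
                ($_.IdentityReference.Value.Split('\')[-1] -eq $p)
            }
            [pscustomobject]@{
                NamingContext = $nc
                Right         = $rightName
                Principal     = $p
                Granted       = [bool]$granted
            }
        }
    }
}
```

Compare the Granted column with the dcdiag output: the rows it reports as missing are the ones adprep /rodcprep (or the ADSI Edit steps above) should turn to True, and re-running the script after replication confirms the change landed on the DC being tested rather than only on the DC where it was made.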
  • Hi there,

    Based on my experience, on a Domain Controller that has Domain Name System (DNS) installed and integrated with Active Directory to allow secure dynamic updates, you may find that Event Viewer records the Netlogon error Event ID 5774 approximately every 70 seconds. This is related to DNS.

    Please refer to the KB to troubleshoot the issue:

    Troubleshooting Netlogon Event 5774, 5775, and 5781
    http://support.microsoft.com/kb/259277

    Domain Controller Generates a Netlogon Error Event ID 5774
    http://support.microsoft.com/kb/284963

    Hope it helps.

    Scorprio


    TechNet Software Assurance Managed Newsgroup MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin | System Architect
    Wednesday, February 2, 2011 3:40 AM
  • Hi mhashemi,

    Any update on the issue? If you need further information, please feel free to respond back.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, February 9, 2011 4:34 AM
    Moderator
  • For me the solution was to locate and delete old SRV entries under the root and child _msdcs zones. There were entries with the same name but an old, broken computer SID from a redeploy.

    http://www.mycertprofile.com/Profile/2194019177

    Wednesday, March 14, 2018 8:59 PM
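Added example (not from the thread or from the poster above): a way to find the kind of leftover the last reply describes without deleting anything by hand. It lists every SRV record in the given zones whose target is not a domain controller the forest currently knows about, with the record's aging timestamp, which is empty for static records and stale for a registrant that no longer exists. It assumes the DnsServer module (Windows Server 2012 or later, or the DNS RSAT) for Get-DnsServerResourceRecord, a domain-joined host for the forest lookup, and the server and zone names are placeholders to replace. It reports only; removing a record that still belongs to a live DC is worse than the original symptom, so the list is meant to be reviewed before anything is deleted.

```powershell
# Added example: audit SRV records in the root zone and its _msdcs zone for targets
# that are not current domain controllers. Read-only; nothing is deleted.
# Requires the DnsServer module (Windows Server 2012+ / DNS RSAT).

$dnsServer = 'dc1.dnsDomainName.com'                                # placeholder: a DNS server hosting the zones
$zones     = @('dnsDomainName.com', '_msdcs.dnsDomainName.com')     # placeholder: root zone and its _msdcs zone

# Current DCs of every domain in the forest, since _msdcs of the forest root also holds
# GC records registered by DCs of child domains. No AD module needed.
$liveDcs = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
    ForEach-Object { $_.DomainControllers } |
    ForEach-Object { $_.Name.TrimEnd('.').ToLowerInvariant() } |
    Select-Object -Unique

$findings = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone -RRType Srv -ErrorAction Stop |
        ForEach-Object {
            # For SRV records RecordData carries DomainName (target), Port, Priority and Weight.
            $target = $_.RecordData.DomainName.TrimEnd('.').ToLowerInvariant()
            if ($liveDcs -notcontains $target) {
                [pscustomobject]@{
                    Zone      = $zone
                    Record    = $_.HostName          # relative name, e.g. _ldap._tcp.dc
                    Target    = $target
                    Port      = $_.RecordData.Port
                    Timestamp = $_.Timestamp         # $null for static records; an old date means a dead registrant
                }
            }
        }
}

if ($findings) {
    $findings | Sort-Object Zone, Record, Target | Format-Table -AutoSize
} else {
    'Every SRV target in the audited zones is a current domain controller.'
}
```

A target that appears here with a recent timestamp may simply be a DC the script could not enumerate (an unreachable domain, for instance), so treat the output as a candidate list to check against the DC inventory, not as a deletion list; once the stale entries are gone, nltest /dsregdns on the affected DC re-registers its own records.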