An error with event ID 5774 is reported in the system log on a Windows Server 2003-based domain controller

On a Windows Server 2003-based domain controller, an error message that is similar to the following may be logged in the system log one time each day:

Type: Error
Date: 12/10/03
Time: 7:08:12 AM
Event ID: 5774
Source: NETLOGON
User: N/A
Computer: ComputerName

Details: The dynamic registration of the DNS record recordName failed on the following DNS server: DNS server IP address: ServerIPAddress Returned Response Code (RCODE): 0 Returned Status Code: 9505 For computers and users to locate this domain controller, this record must be registered in DNS.
USER ACTION: Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. You can find this program on the Windows Server 2003 installation CD in Support\Tools\support.cab. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service. Nltest.exe is available in the Microsoft Windows Server Resource Kit CD. Or, you can manually add this record to DNS, but it is not recommended.

This problem occurs when a Domain Name System (DNS) server that accepts nonsecure dynamic updates registers the IP address of a DNS client, and the DNS client only permits secure dynamic updates. The Net Logon service then reports an error with the 9505 status code on the DNS server. The 9505 status code refers to a nonsecure DNS packet error. When this error occurs, the client successfully updates the client IP address on the DNS server, but the dynamic update is not secure.

Make sure that both the _msdcs.domain.suffix zone and the domain.suffix zone are set to only accept secure dynamic updates. Alternatively, change the Group Policy setting for the DNS client service so that the client does not have to update by using secure updates.

For additional information about dynamic updating in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can configure a Group Policy object for the DNS client service that forces the client to use a particular type of dynamic update. To force secure dynamic updates without using Group Policy, you can modify the following registry subkey on the client computer:To modify the registry subkey, follow these steps.

Note If a Group Policy object is already active in your domain for this setting, the object overrides any local registry changes.

1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate the following registry subkey:
   HKEY_Local_Machine\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
3. Right-click DNSClient, point to New, and then click DWORD Value.
4. Name the new value UpdateSecurityLevel.
5. Double-click UpdateSecurityLevel.
6. In the Edit DWORD Value dialog box, select Hexadecimal under Base, and then type 100 in the Value data box.
7. Click OK.
8. Quit Registry Editor.

For additional information about Group Policy and DNS in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base: