Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 5774 Source: NETLOGON

Registration of the DNS record '<dns record>'. 600 IN SRV 0 100 3268 <domain name>.' failed with the following error: <error description>.
From a newsgroup post: "There could be many reasons for this event. I got this error because our HQ uses a BIND DNS. Some people fixed this by deleting the problem record by hand and restart the NETLOGON service."

Error: "DNS server unable to interpret format." - This error message may be generated in several circumstances. See ME259277 for a general approach on troubleshooting this. In some cases this may be caused by the security setting on the parent.local server being set to only use secure updates. Changing this to allow "dynamic updates" (instead of only secure) might eliminate the problem.

Another newsgroup discussion thread suggested that the event was caused by the fact that the Active Directory Domain Controller running the DNS server did NOT point to itself as a DNS server (instead it used the ISP DNS servers). Changing the DNS server settings to point to itseld fixed the problem.

Error: "A socket operation was attempted to an unreachable host." - Apparently, the DNS server is not reachable. This could be due to network problems (cables, hubs, etc...) or the server may be down (or the IP address changed). Verify that there is connectivity between the computer reporting the problem and the DNS servers where is trying to register.

Error: "DNS RR set that ought not exist, does exist.".
- As per Microsoft, when the Netlogon service tries to register the GUID record in the _msdcs.forestrootzone, the GUID record may not be registered if there is an MX record that is wildcard character (*). The Netlogon service does a DNS query of type ALL for the guid._msdcs.forestrootzone. If a wildcard record exists, the DNS server responds to the query with the MX server information and the dynamic update does not succeed. See ME325208.
- From a newsgroup post: "If you have a CName (or other record) for the same hostname that was manually entered and is preventing a dynamic host registration then you need to remove the manual record.
1. Rename Netlogon.dnb and Netlogon.dns on the machine that registers the 5774 event
2. Delete Netlogon.dnb and Netlogon.dns on the same machine
3. Reboot Computer
4. Check system log for the error"
In our case, we had one 2003R2 DC reporting this error. We fixed this by resetting the ipsock and winsock using the following commands:
- netsh winsock reset
- netsh int ip reset resetlog.txt
After a reboot, we reconfigured the TCP/IP settings and rebooted one more time. The event went away.
In my case, I was getting this error with "2330" in the data field. Unchecking "BIND Secondaries" in the DNS Server Properties, Advanced tab fixed it.
We had this issue after moving a Domain Controller. We demoted a root level DC, disjoined it from the domain, renamed it and re-promoted it as a child domain controller. At the same time, we saw 40960 errors from source LsaSrv with the description: “The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)".

We fixed the problem by performing the following:
1. Stop the Kerberos Key Distribution service.
2. Set the KDC service to “Disabled”.
3. Restart the server (this forces the DC to get a Kerberos ticket from one of the other DCs).
4. Using the procedure in ME325850 reset the machine account password.
5. Set the KDC service to “Automatic”.
6. Start the KDC service.
7. Restart the domain controller one final time (this may not have been required but seemed like a good idea at the time).
This error occurred when separating a subsidiary company behind a Watchguard Core X750e Firewall. Even though we had given full access between the AD server at their end and the two AD servers at our end, it did not work.

Internet = Port 0
Subsidary = Port 1
DMZ = Port 2
Head Office = Port 3
Everything was connected directly with Ethernet and no routing.

This firewall comes with DNS Proxy installed as default. We deleted that service from the firewall and then everything started to work again.

According to “The Linux BIND+AD HowTo”, if the value is "Error Value: DNS bad key", Returned Response Code (RCODE): 5, Returned Status Code: 9017, and you are in a mixed environment (Bind and Active Directory), adding "check-names ignore" to the Bind's configuration, restarting the bind daemon and the netlogon service, solves the problem. The "check-names ignore" option is required to permit underscores in the DNS names.
- Error: "DNS RR set that ought to exist, does not exist" - In my case, I got this error because of an invalid NS record in DNS reverse lookup zone.
See ME828333 for a hotfix applicable to Microsoft Windows Server 2003.

As per Microsoft: "The DNS record could not be dynamically registered on the DNS server. Computers and users cannot locate this domain controller (DC) unless this record is registered in DNS". See MSW2KDB for more details.

- Error: "DNS server unable to interpret format" - See ME266054.

As per Microsoft: "This problem occurs when a Domain Name System (DNS) server that accepts nonsecure dynamic updates registers the IP address of a DNS client, and the DNS client only permits secure dynamic updates. The Net Logon service then reports an error with the 9505 status code on the DNS server. The 9505 status code refers to a nonsecure DNS packet error. When this error occurs, the client successfully updates the client IP address on the DNS server, but the dynamic update is not secure". See ME839505 to fix this problem. This article applies to Win2k3.

See ME300202 for information on how to configure DNS for Internet access in Windows 2000.
I found that a bad external DNS server that was set on my mail server caused this problem. I had 2 DNS servers configured, one internal and one external. I have no idea how the external one came about. I found out which DNS was the problem by using the Netdiag tool. Run “NETDIAG /TEST:DNS” and see the error in better detail. Netdiag is part of the resource kit for W2K.
- Error: "DNS RR set that ought to exist, does not exist" – This error appeared after a dcpromo. In fact, the record existed in the DNS root of the forest but not replicated in the forward lookup zone of the tree. In DNS in my tree, I “transfer the zone from the master” and the record was replicated.
I was getting this error on a client’s server because the DHCP Client service was set to DISABLED (and not running). I enabled the service and ran the “ipconfig /registerdns” command. Info taken from ME266319: “The DHCP Client service is responsible for performing the dynamic update for the host record. If the computer has a static IP address, the DHCP Client service also updates the pointer (or reverse lookup) record. This service must be running on all computers that perform dynamic updates, regardless of whether they are configured as DHCP clients”.
Error: "DNS RR set that ought to exist, does not". I was able to cure this event error on my server by adding a GUID to the _gc folder of the dns server under _msdcs on the forward lookup zone in my domain. I.e. with the same GUID of the error message - "cc0df87a-871d-4710-b941-188bcdbcf29d" as the alias name for a new record of type cname with the fully qualified name of the server as the data "".
- Error: "DNS RR set that ought to exist, does not exist" - I had a power surge and one of the NICs went bad on my server. The server had another NIC (which was not in use at the time) and I gave it the same IP address. After I assigned the IP address, the following error showed up every two hours: Registration of the DNS record " 600 IN CNAME" failed with the following error: DNS RR set that ought to exist, does not exist. To resolve the issue I went to the DNS and under _mcds -> gc and then I added an alias. I named it 15cd77e3-7324-4715-8d6a-36c753f7877a, and then in the next box I put in This resolved the issue I have not seen it since.
I had this issue and needed to change the DNS address to the local DNS address on a 2nd NIC to resolve it.

A 5774 error will occur every minute or so if the DNS server that is authoritive for the AD domain is not in the DNS servers list in your TCP/IP settings.
I fixed this problem by deleting the specified key in Event Viewer and restarting DNS Server.
See the link below to Registry Tweaks for a description of the problem.
I found that delaying startup of Netlogon service until DNS was started solved this problem. Just add DNS to the DependOnService entry in HKLM-System-CurrentControlSet-Services-Netlogon. This is described among other things in ME193888.
This event can occur when the IP address of the server is changed.
This Error occurs when DNS Server has its database in Active Directory Integrated mode, and is also a Domain Controller and network adapters have been changed in the system. Fix: Delete affected zones and recreate the zones. This will allow the NETLOGON service to successfully re-register the records that were being reported in the 5774 event.
I had my DNS server setup as a root server, which it is not. Go to the computer Management Console DNS snap-in and drill down to the Forward Lookup Zones. If there is a DOT zone listed "." then your server is setup as a root server. Deleting the Root zone got rid of the error message.
Error: "DNS RR set that ought not exist, does exist." - This can be caused by someone manually creating an alias for that namespace (in this case If none of the published fixes addresses your problem, try this instead. Open the DNS console from the MMC and expand the primary dns server. Select Forward Lookup Zones and select the target zone ( There you should see an A (alias) or CNAME record. Delete it, then stop and start the netlogon service.
Error: "DNS operation refused." - The problem was the time it took logging on to the W2K server, the clients were not able to find the server and waited up to 30 min. before logging on. This was solved by configuring the internal DC as DNS servers instead of the ISP DNS.

I fixed this problem by giving the Domain computers full control the Forward Lookup Zone (the only one I had.
Error: "DNS server unable to interpret formula". I got this error using Cisco Network Registrar version 5 for my DNS server which is authoritative for the primary zone where my Active Directory structure lives. On the domain controller that controls the domain of the same name as the primary zone in DNS, I get the event ID 5774 every two hours. Cisco sent me a hack that will make CNR fool a domain contoller into believing it has successfully updated the record when in reality, it hasn't and it cannot. Here's the hack:

nrcmd>session set visibility=3
nrcmd>dns enable simulate-zone-top-dynupdate

I've tested this in my lab and it works (but only on CNR as of version 5.0.1 - earlier versions don't recognize the command).
I received this event because the DNS service on my Windows 2000 server was bound to a second IP address configured on that server.
Error: "DNS operation refused." Resolution of this situation can be found in ME284963.
I had this problem on a proxy server, running DNS, with internal and external NICs. I had originally configured the external NIC with the DNS of my ISP. To fix the error, I pointed the DNS on both NICs to my internal IP address. Then, in the DNS MMC, I right-clicked my server and selected properties. I selected the "Forwarders" tab, enabled forwarders, and added my external (ISPs) DNS addresses.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.