Netlogon 5775 Errors

Barry Pain

I wonder if anyone can help. We have 2 DCs running W2K and one DNS
zone (company.internal.co.uk). The zone is AD integrated and updates
are allowed. I keep getting 5775 errors on the "second" DC with this
message:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5775
Date: 14/07/2003
Time: 12:08:24
User: N/A
Computer: GANDALF
Description:
Deregistration of the DNS record
'_kerberos._tcp.Default-First-Site-Name._sites.service-line.co.uk. 600
IN SRV 0 100 88 GANDALF.service-line.co.uk.' failed with the following
error:
DNS operation refused.

I have noticed that using the DNS snap-in on each machine for the
forward look-up zone states that DC1 says it is the primary and DC2
(gandalf) says it is the primary, could that be a problem? I have
checked and the 1st DC points at itself for name resolution and the
2nd points to both the first and itself as per MS recommendations. I
changed the settings for this on Friday in an attempt to fix the
problem as previously the 1st DC was pointing outside the AD for its
secondary name resolution. These errors occur every two hours on this
DC.
 
Kevin D. Goodknecht Sr. [MVP]

In Barry Pain <[email protected]>
posted their concerns,
Then Kevin D4Dad added his reply at the bottom.
I wonder if anyone can help. We have 2 DCs running W2K and one DNS
zone (company.internal.co.uk). The zone is AD integrated and updates
are allowed. I keep getting 5775 errors on the "second" DC with this
message:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5775
Date: 14/07/2003
Time: 12:08:24
User: N/A
Computer: GANDALF
Description:
Deregistration of the DNS record
'_kerberos._tcp.Default-First-Site-Name._sites.service-line.co.uk. 600
IN SRV 0 100 88 GANDALF.service-line.co.uk.' failed with the following
error:
DNS operation refused.

I have noticed that using the DNS snap-in on each machine for the
forward look-up zone states that DC1 says it is the primary and DC2
(gandalf) says it is the primary, could that be a problem? I have
checked and the 1st DC points at itself for name resolution and the
2nd points to both the first and itself as per MS recommendations. I
changed the settings for this on Friday in an attempt to fix the
problem as previously the 1st DC was pointing outside the AD for its
secondary name resolution. These errors occur every two hours on this
DC.

These errors are being caused when netlogon tries to register the addresses
of the DC in DNS.

I have found two causes for this:
1. You are using your ISP's DNS in TCP/IP properties; remove that
and/or
2. You have "Allow dynamic updates" set to "Secure updates only"

A workaround for this is to change the AD FLZ Allow dynamic updates to "Yes"
Or point the DCs only to their own IP address.

I've never really been able to find the reason why secure updates are not
allowed from one DC to the other but if someone can clue me in I would
appreciate it, too.
 
Barry Pain

Just to clarify:

The first DC points at itself, the second (the one the error messages
appear on) points at the first DC, then itself, as do all DHCP
clients. Allow updates is set to yes on both machines.
 
Kevin D. Goodknecht Sr. [MVP]

In Barry Pain <[email protected]>
posted their concerns,
Then Kevin D4Dad added his reply at the bottom.
Just to clarify:

The first DC points at itself, the second (the one the error messages
appear on) points at the first DC, then itself, as do all DHCP
clients. Allow updates is set to yes on both machines.

Does the error go away if you point the second DC only to itself?

Try this on the second before you try the above, netdiag /v /test:dns

and DCDIAG /e /v
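
A triage helper for the event discussed in this thread, added here as an example and not posted by either participant: it parses the SRV record and DNS error out of a NETLOGON 5775 description and checks whether the record's owner name falls inside a zone the DCs host. The function names and the hosted-zone lists are assumptions for illustration; the event text is the one quoted in the thread.

```python
import re

# Event text as quoted in the thread; hosted-zone lists below are constructed inputs.
EVENT = """Deregistration of the DNS record
'_kerberos._tcp.Default-First-Site-Name._sites.service-line.co.uk. 600
IN SRV 0 100 88 GANDALF.service-line.co.uk.' failed with the following
error:
DNS operation refused."""

SRV_RE = re.compile(
    r"(?P<action>\w*registration) of the DNS record\s+'"
    r"(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>[^'\s]+)'"
    r".*?error:\s*(?P<error>[^\r\n]+)",
    re.IGNORECASE | re.DOTALL,
)

def parse_event(description):
    """Return the SRV record fields and DNS error from a 5775-style description."""
    m = SRV_RE.search(description)
    if m is None:
        raise ValueError("no SRV record found in event description")
    rec = m.groupdict()
    for key in ("ttl", "priority", "weight", "port"):
        rec[key] = int(rec[key])
    rec["action"] = rec["action"].lower()
    rec["error"] = rec["error"].strip()
    return rec

def enclosing_zone(name, hosted_zones):
    """Longest hosted zone containing name, matched on whole labels only."""
    labels = name.rstrip(".").lower().split(".")
    zones = {z.rstrip(".").lower() for z in hosted_zones}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def triage(description, hosted_zones):
    """Report whether the failing record belongs to a zone the DCs host."""
    rec = parse_event(description)
    zone = enclosing_zone(rec["owner"], hosted_zones)
    inside = f"inside hosted zone {zone}: check that zone's dynamic update setting"
    outside = "outside every hosted zone: no listed DNS server is authoritative for it"
    return {**rec, "zone": zone, "finding": inside if zone else outside}

if __name__ == "__main__":
    print(triage(EVENT, ["company.internal.co.uk"]))
```
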
 
