DNS bad key in NETLOGON 5774. Help!

Archived from groups: microsoft.public.win2000.dns

Hi all

Currently, I have 2 DCs in a subdomain, both Global Catalog and DNS server,
containing a forward lookup zone (AD integrated) subdomain.domain.corp
delegated from the parent domain and allowing dynamic updates. Both DNS clients
point to themselves. No replication problems, automatic and forced. Now the
problem: when I run dcpromo on a new server (NEWDC) everything goes ok, but
then, when I reboot NEWDC, error events appear, NETLOGON 5774, and
replications fail, automatic and forced; KCC warning id 1265 and error 1311
appear in both domain controllers. Running dcdiag on NEWDC fails the
connectivity test. Reports below. Any suggestions?
Thanks in advance.



Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 16/07/2004
Time: 12:17:36
User: N/A
Computer: NEWDC
Description:
Registration of the DNS record 'd02956dd-e532-46b8-a174-
5b5f50759a48._msdcs.dominio.corp. 600 IN CNAME
newdc.subdominio.dominio.corp.' failed with the following
error:
DNS bad key.
Data:
0000: 39 23 00 00 9#..

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date: 16/07/2004
Time: 12:17:36
User: N/A
Computer: NEWDC
Description:
Registration of the DNS record '_ldap._tcp.54668727-5f5d-
4ba7-8484-fe86a2659159.domains._msdcs.dominio.corp. 600
IN SRV 0 100 389 newdc.subdominio.dominio.corp.' failed
with the following error:
DNS bad key.
Data:
0000: 39 23 00 00 9#..


Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\dcdiag /test:connectivity /s:newdc


Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Site-SITIO\NEWDC
Starting test: Connectivity
d02956dd-e532-46b8-a174-
5b5f50759a48._msdcs.dominio.corp's server GUI
D DNS name could not be resolved to an
IP address. Check the DNS server, DHCP, server
name, etc
Although the Guid DNS name
(d02956dd-e532-46b8-a174-
5b5f50759a48._msdcs.dominio.corp) couldn't
be resolved, the server name
(newdc.subdominio.dominio.corp) resolved to
the IP address (x.x.x.253) and was pingable.
Check that the IP
address is registered correctly with the DNS
server.
......................... NEWDC failed test
Connectivity

Doing primary tests

Testing server: Site-SITIO\NEWDC

Running enterprise tests on : dominio.corp

..
 
In news:ON6wC1KcEHA.644@tk2msftngp13.phx.gbl,
Fer <sarednabNOSPAM@terra.es> posted a question
Then Kevin replied below:
> Hi all
>
> Currently, I have 2 DCs in a subdomain, both Global
> Catalog and DNS server, containing a forward lookup zone
> (AD integrated) subdomain.domain.corp delegated from the
> parent domain and allowing dynamic updates. Both DNS
> clients point to themselves. No replication problems,
> automatic and forced. Now the problem: when I run dcpromo
> on a new server (NEWDC) everything goes ok, but then,
> when I reboot NEWDC, error events appear, NETLOGON 5774,
> and replications fail, automatic and forced; KCC warning id
> 1265 and error 1311 appear in both domain controllers.
> Running dcdiag on NEWDC fails the connectivity test.
> Reports below. Any suggestions?
> Thanks in advance.

Is the newdc pointing to the first DC as the preferred DNS then itself as
alternate?


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your
issue. To respond directly to me remove the nospam. from my
email. ==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a backup of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
 
"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in
news:ueHTzSNcEHA.2468@TK2MSFTNGP09.phx.gbl:

> In news:ON6wC1KcEHA.644@tk2msftngp13.phx.gbl,
> Fer <sarednabNOSPAM@terra.es> posted a question
> Then Kevin replied below:
>> Hi all
>>
>> Currently, I have 2 DCs in a subdomain, both Global
>> Catalog and DNS server, containing a forward lookup zone
>> (AD integrated) subdomain.domain.corp delegated from the
>> parent domain and allowing dynamic updates. Both DNS
>> clients point to themselves. No replication problems,
>> automatic and forced. Now the problem: when I run dcpromo
>> on a new server (NEWDC) everything goes ok, but then,
>> when I reboot NEWDC, error events appear, NETLOGON 5774,
>> and replications fail, automatic and forced; KCC warning id
>> 1265 and error 1311 appear in both domain controllers.
>> Running dcdiag on NEWDC fails the connectivity test.
>> Reports below. Any suggestions?
>> Thanks in advance.
>
> Is the newdc pointing to the first DC as the preferred DNS then itself
> as alternate?
>
>

Kevin

Yes, it points to the PDC. There is no DNS server service running on
NEWDC. The alternate points to the other DC.

Thanks for reply.
 
In news:%23h2VqEPcEHA.308@TK2MSFTNGP12.phx.gbl,
Fer <sarednabNOSPAM@terra.es> posted a question
Then Kevin replied below:

> Yes, it points to the PDC. There is no DNS server service
> running in NEWDC. As alternate points to the other DC.

Ok so this is a third DC in the child domain?

Did you run netdiag /fix?
Can you post the results from netdiag /test:dns /v
and ipconfig /all?


 
"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in
news:eQHRENPcEHA.3096@tk2msftngp13.phx.gbl:

> Ok so this is a third DC in the child domain?
>
> Did you run netdiag /fix?
> Can you post the results from netdiag /test:dns /v
> and ipconfig /all?
>
>

Yes, this is the third DC in the site; there are two more DCs in other
sites in the same subdomain with the same problem, all of them
promoted to DC later than the two conflicting DCs, the only ones that
work ok.

netdiag /fix was run in all DCs but did not fix the problem.

Now I cannot post any test because I won't have access to DCs until
Monday, but netdiag /test:dns failed too.

As soon as I have the results, they will be posted. I have used
static IP configuration.

Thanks.
 
In news:Xns9530ADB2CCEC6sarednabNOSPAMterrae@207.46.248.16,
Fer <sarednabNOSPAM@terra.es> posted a question
Then Kevin replied below:
> Yes, this is the third DC in the site; there are two more
> DCs in other sites in the same subdomain with the same
> problem, all of them promoted to DC later than the two
> conflicting DCs, the only ones that work ok.
>
> netdiag /fix was run in all DCs but did not fix the
> problem.
>
> Now I cannot post any test because I won't have access
> to DCs until Monday, but netdiag /test:dns failed too.
>
> As soon as I have the results, they will be posted. I
> have used static IP configuration.

I have spent quite a bit of time researching this, and have come to the
conclusion that I'm missing something somewhere. I think the key to
resolving this is to find the "Bad key" noted in the error.
I'm not sure what this "Bad key" is, but is this the entire event? Are there
any other events listed in the log?
Is the DHCP client service running?
Is the zone using "Secure updates only"?
If so, if you set dynamic updates to "Yes" and restart the netlogon service,
is it able to register the records?

 
In news:e5Pu7rbcEHA.2520@TK2MSFTNGP12.phx.gbl,
Kevin D. Goodknecht Sr. [MVP] <admin@nospam.WFTX.US> asked for help and I
offered my suggestions below:
> I have spent quite a bit of time researching this, and have come to
> the conclusion that I'm missing something somewhere. I think the key
> to resolving this is to find the "Bad key" noted in the error.
> I'm not sure what this "Bad key" is, but is this the entire event? Are
> there any other events listed in the log?
> Is the DHCP client service running?
> Is the zone using "Secure updates only"?
> If so if you set dynamic updates to "Yes" and restart the netlogon
> service is it able to register the records?
>

I've seen this come up after upgrading service packs. I've fixed it by
saving a copy of the zone, reinstalling DNS and re-creating the zone and
using my original zone files. Not sure why it occurs, and I don't see it
occurring all the time, but just once in a while.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
 
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
news:O#TDDsrcEHA.2816@TK2MSFTNGP11.phx.gbl:

> In news:e5Pu7rbcEHA.2520@TK2MSFTNGP12.phx.gbl,
> Kevin D. Goodknecht Sr. [MVP] <admin@nospam.WFTX.US> asked for help
> and I offered my suggestions below:
> I've seen this come up after upgrading service packs. I've fixed it by
> saving a copy of the zone, reinstalling DNS and re-creating the zone
> and using my original zone files. Not sure why it occurs, and I don't
> see it occurring all the time, but just once in a while.
>

Thanks for reply.

Servers were installed with a copy of the W2000 CD with SP4 integrated, but if
it looks like a similar failure, the same process should be successful.
Please, could you tell me in more detail how you fixed it? What tools did
you use? I am working with delegated subzones
(subdomain.domain.corp); must the root domain admin delegate it again? Which
DC must I choose to do it on? And, most important, is it a safe
procedure?

Could it be a Kerberos Authentication Protocol or KDC failure?
 
"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in
news:e5Pu7rbcEHA.2520@TK2MSFTNGP12.phx.gbl:

> I have spent quite a bit of time researching this, and have come to
> the conclusion that I'm missing something somewhere. I think the key
> to resolving this is to find the "Bad key" noted in the error.
> I;m not sure what this "Bad key" is but is this the entire event? Are
> there any other events listed in the log?

Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1134
Date: 21/07/2004
Time: 14:32:31
User: N/A
Computer: NEWDC
Description:
The ntdsConnection object CN="dc001
CNF:22978f36-0632-4f26-9a17-5605feb7f215",CN=NTDS
Settings,CN=NEWDC,CN=Servers,CN=Site-
SITE,CN=Sites,CN=Configuration,DC=domain,DC=corp is configured for the
same source server as CN=dc001,CN=NTDS
Settings,CN=NEWDC,CN=Servers,CN=Site-
SITE,CN=Sites,CN=Configuration,DC=domain,DC=corp and will be ignored.
Please use the Active Directory Sites and Services tool to modify or
delete one of these objects.

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13562
Date: 27/07/2004
Time: 16:01:12
User: N/A
Computer: NEWDC
Description:
Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller
NEWDC.subdomain.domain.corp for FRS replica set configuration
information.

The nTDSConnection object cn=dc001,cn=ntds
settings,cn=NEWDC,cn=servers,cn=site-
SITE,cn=sites,cn=configuration,dc=domain,dc=corp is conflicting with cn=
244c63b9-9043-4318-94ae-20d27ce6267d,cn=ntds
settings,cn=NEWDC,cn=servers,cn=site-
SITE,cn=sites,cn=configuration,dc=domain,dc=corp. Using cn=dc001,cn=ntds
settings,cn=NEWDC,cn=servers,cn=site-
SITE,cn=sites,cn=configuration,dc=domain,dc=corp



Event Type: Warning
Event Source: w32time
Event Category: None
Event ID: 11
Date: 26/07/2004
Time: 18:49:02
User: N/A
Computer: NEWDC
Description:
The NTP server \\dc002.subdomain.domain.corp didn't respond
Data:
0000: 46 27 00 00 F'..


> Is the DHCP client service running?
No

> Is the zone using "Secure updates only"?

No, dynamic updates

> If so if you set dynamic updates to "Yes" and restart the netlogon
> service is it able to register the records?

Even restarting the server, no
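An added example, not from the thread: a small Python parser for the NETLOGON 5774 description (Event Viewer wraps it mid-token, as the two events in the opening post show) plus a decoder for the Data bytes, which carry the Win32 error code as a little-endian DWORD: 39 23 00 00 is 0x2339 = 9017, DNS_ERROR_RCODE_BADKEY, the BADKEY response code (RCODE 17, defined for TSIG/TKEY) a DNS server returns when it rejects the key of a signed dynamic update, and the w32time event's 46 27 00 00 is 10054, WSAECONNRESET. The sample event texts are the ones quoted in this thread; the line-rejoin heuristic and the small error-code table are my own additions.

```python
import re
from collections import namedtuple

# Constructed samples: the two NETLOGON 5774 events quoted in this thread, kept
# with Event Viewer's hard line wraps. Both wraps split a GUID right after a
# hyphen, which is what defeats a naive line-by-line parse.
EVENT_CNAME = """Description:
Registration of the DNS record 'd02956dd-e532-46b8-a174-
5b5f50759a48._msdcs.dominio.corp. 600 IN CNAME
newdc.subdominio.dominio.corp.' failed with the following
error:
DNS bad key.
Data:
0000: 39 23 00 00 9#..
"""
EVENT_SRV = """Description:
Registration of the DNS record '_ldap._tcp.54668727-5f5d-
4ba7-8484-fe86a2659159.domains._msdcs.dominio.corp. 600
IN SRV 0 100 389 newdc.subdominio.dominio.corp.' failed
with the following error:
DNS bad key.
Data:
0000: 39 23 00 00 9#..
"""

# Win32 codes relevant here. The DNS range is 9000 + RCODE, so 9017 is RCODE
# 17, BADKEY: the secure (GSS-TSIG) dynamic update was refused at key level.
WIN32_ERRORS = {9005: "DNS_ERROR_RCODE_REFUSED", 9016: "DNS_ERROR_RCODE_BADSIG",
                9017: "DNS_ERROR_RCODE_BADKEY", 9018: "DNS_ERROR_RCODE_BADTIME",
                10054: "WSAECONNRESET"}

DnsRecord = namedtuple("DnsRecord", "name ttl rrclass rtype rdata")


def unwrap(text: str) -> str:
    """Rejoin wrapped lines. Assumption: a line ending in '-' was broken inside
    a token (a GUID here) and is glued to the next; other breaks become spaces."""
    out = ""
    for line in (l.strip() for l in text.splitlines()):
        if line:
            out += line if not out or out.endswith("-") else " " + line
    return out


def event_data_code(text: str) -> int:
    """The 'Data:' dump carries the Win32 error as a little-endian DWORD."""
    m = re.search(r"Data: 0000: ((?:[0-9a-fA-F]{2} ){4})", unwrap(text))
    if not m:
        raise ValueError("no Data dump in event")
    return int.from_bytes(bytes.fromhex(m.group(1)), "little")


def parse_5774(text: str) -> tuple:
    """Return (record Netlogon tried to register, error text)."""
    m = re.search(r"record '(.+?)' failed with the following error: (.+?) Data:",
                  unwrap(text))
    if not m:
        raise ValueError("not a NETLOGON 5774 description")
    name, ttl, rrclass, rtype, rdata = m.group(1).split(None, 4)
    return DnsRecord(name, int(ttl), rrclass, rtype, rdata), m.group(2)


def msdcs_forest(rec: DnsRecord) -> str:
    """Forest root whose _msdcs subtree owns the record ('' if none). These
    records live in the forest root's zone, not the child's delegated zone."""
    n = rec.name.lower().rstrip(".")
    return n.split("._msdcs.", 1)[1] if "._msdcs." in n else ""
```

Both failing records resolve to the forest root's _msdcs subtree (dominio.corp), so the update that was rejected went to the parent zone, not to the child's delegated zone that the DC itself lives in.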
 
The DHCP Client service MUST BE RUNNING. There is no way around this,
otherwise DNS resolution and registration will not work. Enable it and see
what happens. This service is tied into the DNS APIs for functionality
whether the machine is set with a static IP or DHCP. Required service.
Please enable it and test it.

Ace

 
"Ace Fekay [MVP]" <firstnamelastname@hotmail.com> wrote in
news:uPYNyqLdEHA.2908@TK2MSFTNGP10.phx.gbl:

> The DHCP Client service MUST BE RUNNING. There is no way around this,
> otherwise DNS resolution and registration will not work. Enable it and see
> what happens. This service is tied into the DNS APIs for functionality
> whether the machine is set with a static IP or DHCP. Required service.
> Please enable it and test it.
>
> Ace
>
>

Sorry, I was trying to say that there was no DHCP server running, that all
IP addresses were static. But I have never tested if it was enabled; I think
it must be enabled by default. I'll check it.

Thanks.
 
In news:ewDbf7LdEHA.4004@TK2MSFTNGP10.phx.gbl,
Fer <sarednabNOSPAM@terra.es> asked for help and I offered my suggestions
below:
> Sorry, I was trying to say that there was no DHCP server running,
> that all IP addresses were static. But I have never tested if it was
> enabled; I think it must be enabled by default. I'll check it.
>
> Thanks.

Ok, no prob. Just go into the Services console and see if it's started, then
test to see if replication will work and if the errors disappear.

 
In news:OKG7cwKdEHA.1764@TK2MSFTNGP10.phx.gbl,
Fer <sarednabNOSPAM@terra.es> asked for help and I offered my suggestions
below:
> "Ace Fekay [MVP]"
> <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
> news:O#TDDsrcEHA.2816@TK2MSFTNGP11.phx.gbl:
>
>> In news:e5Pu7rbcEHA.2520@TK2MSFTNGP12.phx.gbl,
>> Kevin D. Goodknecht Sr. [MVP] <admin@nospam.WFTX.US> asked for help
>> and I offered my suggestions below:
>> I've seen this come up after upgrading service packs. I've fixed it
>> by saving a copy of the zone, reinstalling DNS and re-creating the
>> zone and using my original zone files. Not sure why it occurs, and I
>> don't see it occurring all the time, but just once in a while.
>>
>
> Thanks for reply.
>
> Servers were installed with a copy of the W2000 CD with SP4 integrated,
> but if it looks like a similar failure, the same process should be
> successful. Please, could you tell me in more detail how you fixed it?
> What tools did you use? I am working with delegated subzones
> (subdomain.domain.corp); must the root domain admin delegate it again?
> Which DC must I choose to do it on? And, most important, is it a
> safe procedure?
>
> Could it be a Kerberos Authentication Protocol or KDC failure?

Well, what I did was change the zone on one of the DC/DNS servers to a
Primary zone.
Then I saved a copy of the domainname.dns file from the system32\dns folder.
Then I removed DNS off this machine from Add/Remove - Windows components.
Then I went to the other machine and deleted the zone.
Then went back to the first machine and reinstalled DNS.
Then I recreated the zone, and made it AD Integrated.
Then I went back to the other machine and created the zone and made it AD
Integrated.
Errors were gone.

 
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
news:ObEp#lQdEHA.3864@TK2MSFTNGP10.phx.gbl:


> Ok, no prob? Just go into the Services console and see if its started,
> then test to see if replication will work and if the errors disappear.
>


The DHCP client service is started, as I supposed. I must try another
solution.

Thanks.
 
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
news:#3ea7oQdEHA.1656@TK2MSFTNGP09.phx.gbl:

> Well, what I did was changed the zone on one of the DC/DNS servers to
> a Primary zone.
> Then I saved a copy of the domainname.dns file from the system32\dns
> folder. Then I removed DNS off this machine from Add/Remove - Windows
> components. Then I went to the other machine and deleted the zone.
> Then went back to the first machine and reinstalled DNS.
> Then I recreated the zone, and made it AD Integrated.
> Then I went back to the other machine and created the zone and made it
> AD Integrated.
> Errors were gone.
>

Ok, I'll try this procedure, but I have doubts about deleting a subzone
whose management is delegated from the root domain zone. What do you
think about it? Must the enterprise administrator delegate it again?

Thanks.
 
In news:%23ryyPqidEHA.1152@TK2MSFTNGP09.phx.gbl,
Fer <sarednabNOSPAM@terra.es> asked for help and I offered my suggestions
below:
> Ok, I'll try this procedure, but I have doubts about deleting a
> subzone whose management is delegated from the root domain zone.
> What do you think about it? Must the enterprise administrator delegate
> it again?
>
> Thanks.

It's really no harm since you're recreating the zone. If you had a
delegation, yes, it needs to be recreated, but it's only a couple of steps. Let
us know how you make out.


