Fix: Active Directory Domain Controller Could Not Be Contacted

In this article, we’ll take a look at why it’s not possible to join a new computer to the Active Directory domain with an error Active Directory Domain Controller could not be contacted.

Active Directory Domain Controller Could Not Be Contacted Error: What Does It Look Like?

A user or an administrator tries to join a new Windows workstation or server to the domain. To do this, open the System Properties on the workstation, and press Change settings > Change. Enter a new computer name, and select that this computer should be a member of a specified domain. Enter your AD domain FQDN name. After clicking on the OK button, you may receive an error:

An Active Directory Domain Controller (AD DC) for the domain “theitbros.com” could not be contacted.

Ensure that the domain name is typed correctly.

If the name is correct, click Details for troubleshooting information.

How to Fix the AD Domain Controller Could Not Be Contacted Error?

Here are some basic steps that should help you fix the domain controller connection error:

  1. Check your IP address and DNS settings;
  2. Check the Active Directory domain controller connectivity;
  3. Check DC Health (SRV DNS records, Netlogon, and Sysvol folders).

Let’s look at each of these steps in more detail.

Check the IP Settings and DNS Settings on Your Computer

Most often, this problem is related to the wrong IP or DNS settings on your computer.

Check IP Address

First, check if your computer has the correct IP address on the primary network interface. The IP address can be obtained from a DHCP server, or manually specified in the network adapter settings. You can view the current network settings of the computer using the command:

ipconfig /all

Make sure your computer’s IP address matches the network it is on. Try setting a static IP address manually, or, conversely, obtain the correct address from the DHCP server (select Obtain an IP address automatically in the properties of your network adapter).

Check DNS Client Settings

Make sure your network adapter’s IP settings are set to your internal DNS servers. You can display the current DNS servers for your adapter using PowerShell:

Get-DnsClientServerAddress

If the DNS server address is incorrect, change it manually or get settings from DHCP.

Make sure the DNS Client service is running using Get-Service cmdlet:

Get-Service dnscache

Open the hosts file (C:\Windows\System32\Drivers\etc\hosts) on the computer using notepad.exe or another text editor, and make sure there are no entries for your domain or domain controller names. If such entries exist, delete them.

You can display the contents of the hosts file with the command:

get-content C:\Windows\System32\Drivers\etc\hosts

Then clear the DNS cache, and restart the service from the elevated command prompt:

ipconfig /flushdns

net stop dnscache && net start dnscache

Check if your computer can resolve the domain name to the correct IP address of the domain controller. Use the Resolve-DNSName cmdlet with the FQDN of your domain to which you are trying to join your workstation:

Resolve-DNSName theitbros.com

The command should return one or more A records containing the IP addresses of your domain controllers (which usually also act as the DNS servers for the domain).
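The following script is an added example and is not code from the original article. It runs the client-side checks from this section in one pass on the workstation that fails to join: the IPv4 address on the default-route interface, the configured DNS servers (flagging public resolvers such as 8.8.8.8), the DNS Client service state, hosts-file overrides for the domain, and a resolution of the domain name. The values of $Domain and $ExpectedDnsServers are assumptions; replace them with your own.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session
# on the workstation. $Domain and $ExpectedDnsServers are assumed values; replace them.
$Domain             = 'theitbros.com'                       # AD domain FQDN used in the article
$ExpectedDnsServers = @('192.168.1.11', '192.168.1.15')      # assumed internal DNS servers (your DCs)
$publicResolvers    = '8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1'   # public DNS cannot serve the AD zone

$problems = [System.Collections.Generic.List[string]]::new()

# 1. Find the interface carrying the default route and inspect its IPv4 address
$route  = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
          Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
$ipInfo = Get-NetIPAddress -InterfaceIndex $route.InterfaceIndex -AddressFamily IPv4
foreach ($ip in $ipInfo) {
    "Interface $($route.InterfaceAlias): $($ip.IPAddress)/$($ip.PrefixLength) (origin: $($ip.PrefixOrigin))"
    if ($ip.IPAddress -like '169.254.*') {
        $problems.Add('APIPA (169.254.x.x) address assigned: no DHCP lease was obtained')
    }
}

# 2. DNS servers on that interface must be the internal ones, never public resolvers
$dns = (Get-DnsClientServerAddress -InterfaceIndex $route.InterfaceIndex -AddressFamily IPv4).ServerAddresses
"DNS servers: $($dns -join ', ')"
if (-not $dns) { $problems.Add('No DNS servers configured (DNS_ERROR_NO_DNS_SERVER)') }
foreach ($s in $dns) {
    if ($s -in $publicResolvers) {
        $problems.Add("Public resolver $s configured; it cannot resolve the AD zone")
    } elseif ($s -notin $ExpectedDnsServers) {
        $problems.Add("Unexpected DNS server $s; expected one of: $($ExpectedDnsServers -join ', ')")
    }
}

# 3. The DNS Client service (dnscache) must be running
$svc = Get-Service -Name dnscache
if ($svc.Status -ne 'Running') { $problems.Add("DNS Client service is $($svc.Status)") }

# 4. No hosts-file entries may override DNS for the domain or its DCs
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match [regex]::Escape($Domain) } |
    ForEach-Object { $problems.Add("hosts file entry overrides DNS: $_") }

# 5. The domain name must resolve through the configured servers (no cache)
try {
    $a = Resolve-DnsName -Name $Domain -Type A -DnsOnly -ErrorAction Stop | Where-Object Type -eq 'A'
    "$Domain resolves to: $($a.IPAddress -join ', ')"
} catch {
    $problems.Add("Cannot resolve ${Domain}: $($_.Exception.Message)")
}

if ($problems.Count -eq 0) { 'No client-side IP/DNS problems found' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Each failed check maps to one of the manual steps above: an APIPA address points at DHCP, a public resolver or a missing server at the adapter's DNS settings, a stopped dnscache at the service, and a hosts-file hit at the entry to delete.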

Verify the Domain Controller Connectivity

Next, check if the domain controller is accessible from the client. Open a command prompt, and run the following commands:

ping your_domain_name.com

And:

tracert your_domain_name.com

Make sure your domain controller is responding and reachable.

Note. In addition, it’s recommended to check the availability of the domain controller from other workstations on the same IP network.

If the DC is reachable, try to add the received IP address as a DNS server in the Advanced TCP/IP settings of your network connection.

  1. Open Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings;
  2. Select a network adapter that is connected to your corporate network, right-click on it, and select Properties;
  3. Select Internet Protocol Version 4 (TCP/IPv4), and click Properties;
  4. Press the Advanced button, and go to the DNS tab;
  5. On the DNS tab press Add, and enter the IP address of your DNS server (domain controller). Don’t use public DNS IPs such as 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare) in the preferred and alternate fields;
  6. Click OK (if several IP addresses are listed in the DNS server list, move the IP address of your DC to the top of the list);
  7. Save the changes and restart the workstation;
  8. Try to join your workstation to the AD domain.

Check If the Domain Controller Connections Aren’t Blocked By the Firewall

Verify that access to the DNS service on the domain controller is not blocked by a firewall. The easiest way to check whether port 53 on a DC is reachable is to use PowerShell:

Test-NetConnection 192.168.1.11 -Port 53

In our example, TcpTestSucceeded: True means that the DNS service on the DC is accessible.

Also, make sure the computer can contact the DNS server that hosts the DNS zone or can resolve DNS names in that domain. Make sure the correct DNS server is configured on this client as preferred and the client is connected to this server. Confirm you can find a domain and access the domain controller from the computer using the command:

nltest /dsgetdc:theitbros.com

If your computer successfully discovered the domain and domain controller, the command should return information about the domain, AD site, and services running on the DC:

DC: \\DC01.theitbros.com

Address: \\192.168.1.15

Dom Guid: 4216f343-2949-21c3-8caa-6d7cbcdb1690

Dom Name: theitbros.com

Forest Name: theitbros.com

Dc Site Name: NY

Our Site Name: NY

Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS

The command completed successfully.

Hint. Another helpful guide that can help you troubleshoot DC connectivity over RPC is “The RPC Server is Unavailable”.

Also, try temporarily disabling the built-in Windows Firewall and any third-party antivirus/firewall products (Symantec, McAfee, Windows Defender, etc.) that can block the network ports used to reach the domain controller. After disabling the firewalls, try to join the computer to the domain.

Here is the minimum list of network protocols, ports, and services that must not be blocked in firewalls between a client and a domain controller to successfully join a device to the Active Directory domain:

  • UDP 53 — DNS traffic;
  • TCP and UDP 88 — Kerberos authentication;
  • UDP 123 — Windows Time Sync with DC;
  • TCP 135 — Remote Procedure Call RPC Locator;
  • TCP and UDP 139 — NetBIOS Session Service;
  • TCP and UDP 389 (LDAP, DC Locator, Net Logon) or TCP 636 (LDAP over SSL);
  • TCP 445 (SMB/CIFS, Net Logon);
  • TCP 49152-65535 — RPC ports, randomly allocated high TCP ports.
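The script below is an added example, not code from the original article. It probes the TCP ports from the list above against a domain controller with Test-NetConnection and reports the ones that are blocked. Because Test-NetConnection only performs TCP connects, the UDP services are exercised with real protocol requests instead: a DNS query sent directly to the DC (UDP 53), an NTP sample via w32tm (UDP 123), and the DC locator via nltest, which also uses the LDAP UDP ping on 389 and the dynamic RPC range. $DC and $Domain are assumed values; replace them.

```powershell
# Added example, not from the original article. Run on the client that cannot join.
$DC     = '192.168.1.11'     # assumed address of the domain controller
$Domain = 'theitbros.com'    # domain FQDN used in the article

# TCP ports from the article's list. Test-NetConnection does TCP connects only.
$tcpPorts = [ordered]@{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    139 = 'NetBIOS session'
    389 = 'LDAP'
    636 = 'LDAP over SSL'
    445 = 'SMB / Net Logon'
}
$results = foreach ($port in $tcpPorts.Keys) {
    $t = Test-NetConnection -ComputerName $DC -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Service = $tcpPorts[$port]; TcpOpen = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) { Write-Warning "Blocked TCP ports on $DC : $($blocked.Port -join ', ')" }

# UDP 53: an actual DNS query straight to the DC (resolvers try UDP first)
try {
    $null = Resolve-DnsName -Name $Domain -Server $DC -DnsOnly -ErrorAction Stop
    "DNS query to $DC : OK"
} catch {
    Write-Warning "DNS query to $DC failed: $($_.Exception.Message)"
}

# UDP 123: one NTP sample from the DC proves the time-sync path
w32tm /stripchart "/computer:$DC" /samples:1 /dataonly

# DC locator end to end: LDAP UDP ping on 389, then RPC via the endpoint mapper (135)
# and a port from the dynamic range (49152-65535)
nltest "/dsgetdc:$Domain"
```

A port that shows TcpOpen = False while the DC is otherwise reachable (ping works) is the signature of a host or network firewall rule; a DNS query that fails while TCP 53 is open points at a UDP-only block.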

Check the DNS SRV Records on the Domain Controller

Check DNS Records on your DC

If the above method didn’t help, check whether the DNS zone of your domain contains the SRV record that points to the location of the DC.

Open an elevated Command prompt, and run the following commands:

nslookup

set type=all

_ldap._tcp.dc._msdcs.your_domain_name.com

Verify if the specified DNS server has an SRV record in the following form:

_ldap._tcp.dc._msdcs.your_domain_name.com SRV service location:

If the specified SRV record is missing, it means your computer is configured to use a DNS server that does not have a correct SRV record with the location of the domain controller.

Update/Re-Register DNS SRV Records on DC

If you can’t change the DNS settings on your computer, you can manually add two records (SRV and A) to your existing DNS server that allow the client to resolve the domain controller’s IP address:

  • _ldap._tcp.dc._msdcs.your_domain_name.com — an SRV resource record that points to the domain controller hosting the AD DS role;
  • An A resource record that gives the IP address of the DC listed in the _ldap._tcp.dc._msdcs.your_domain_name.com SRV record.

Restart the Netlogon service on the domain controller with the command:

net stop netlogon && net start netlogon

(or simply try to reboot the DC)

On startup, it will try to register the necessary SRV records on the DNS server.

Also, you can re-register domain controller DNS records using the command:

ipconfig /registerdns

Wait for a while for the records to appear in DNS and replicate across the domain.

Also, make sure the dynamic updates are allowed in your Windows DNS zone settings.
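As an added example (not code from the original article), the script below is the PowerShell equivalent of the nslookup session above and of the check you would repeat after re-registering the DC records: it queries a specific DNS server for the DC locator SRV records and then verifies that every SRV target also resolves to an A record on that same server, since a client that learns the DC’s name but not its address still cannot join. $Domain and $DnsServer are assumed values; replace them.

```powershell
# Added example, not from the original article. Run from the client that fails to join.
$Domain    = 'theitbros.com'   # domain FQDN used in the article
$DnsServer = '192.168.1.11'    # assumed DNS server the client is configured to use

# Records Netlogon registers for every DC; _ldap._tcp.dc._msdcs is the one the join queries.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)

$report = foreach ($name in $srvNames) {
    try {
        # -DnsOnly bypasses the local cache and hosts file, so only the server's answer counts
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop |
               Where-Object Type -eq 'SRV'
    } catch {
        # "DNS name does not exist" here is the RCODE_NAME_ERROR the join wizard reports
        Write-Warning "$name on $DnsServer : $($_.Exception.Message)"
        continue
    }
    foreach ($r in $srv) {
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'A'
        [pscustomobject]@{
            Record   = $name
            Target   = $r.NameTarget
            Port     = $r.Port
            Priority = $r.Priority
            Address  = if ($a) { $a.IPAddress -join ', ' } else { 'NO A RECORD' }
        }
    }
}

$report | Format-Table -AutoSize
$missingA = $report | Where-Object Address -eq 'NO A RECORD'
if ($missingA) { Write-Warning "SRV targets without an A record: $($missingA.Target -join ', ')" }
```

If the SRV query fails but the zone is hosted elsewhere, rerun with $DnsServer set to the DC itself; a record that exists on the DC but not on the server the client uses means the client is pointed at the wrong resolver, which is the situation the article describes. After restarting Netlogon (or running nltest /dsregdns on the DC, which forces Netlogon to re-register its records), rerun the script until the rows appear.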

Check the Domain Controller Health

Perform a health check on your domain controllers and replication according to the following guides:

It is also recommended to verify if the SYSVOL and NETLOGON network shared folders are created and accessible on the domain controller (run the net share command on the closest DC).

If the SYSVOL and NETLOGON directories are missing in the shares list:

  1. Check the IP and DNS settings on your DC (the domain controller shouldn’t receive an IP address from a DHCP server, use only a static IP address);
  2. Verify if the C:\Windows\SYSVOL domain directory contains Policies and Scripts folders;
  3. If you have not migrated SYSVOL replication from FRS to DFS-R, force SYSVOL replication from the PDC to all DCs in the domain: stop the File Replication Service (net stop NtFrs), then open Regedit and go to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup. Set the BurFlags DWORD value to D4 (hex) on the PDC and to D2 (hex) on all other domain controllers. After that, start the service again:
    net start NtFrs

Then check that the \\DCName\SYSVOL share appears and is accessible on the problem DC.
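The following script is an added example, not code from the original article. Run on a domain controller, it performs the read-only checks from the list above: whether any connected interface still takes its address from DHCP, whether the SYSVOL and NETLOGON shares exist (the Get-SmbShare equivalent of net share), whether the Policies and Scripts folders are present under C:\Windows\SYSVOL\domain, and whether the SYSVOL share is reachable over UNC. The value of $Domain is an assumption; replace it.

```powershell
# Added example, not from the original article. Run in an elevated session on the DC.
$Domain = 'theitbros.com'   # domain FQDN used in the article

$problems = [System.Collections.Generic.List[string]]::new()

# 1. A domain controller must use a static address, never a DHCP lease
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.Dhcp -eq 'Enabled' } |
    ForEach-Object { $problems.Add("Interface '$($_.InterfaceAlias)' obtains its address from DHCP") }

# 2. SYSVOL and NETLOGON must be shared (what 'net share' would list)
$shareNames = (Get-SmbShare).Name
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shareNames -contains $s) { "Share $s : present" }
    else { $problems.Add("Share $s is missing") }
}

# 3. The domain folder under SYSVOL must contain Policies and Scripts
$sysvolDomain = Join-Path $env:SystemRoot 'SYSVOL\domain'
foreach ($d in 'Policies', 'Scripts') {
    $p = Join-Path $sysvolDomain $d
    if (Test-Path $p) { "$p : present" }
    else { $problems.Add("$p is missing") }
}

# 4. The share must be reachable over UNC, the way clients and other DCs access it
$unc = "\\$env:COMPUTERNAME\SYSVOL\$Domain\Policies"
if (Test-Path $unc) { "$unc : reachable" }
else { $problems.Add("$unc is not reachable") }

if ($problems.Count -eq 0) { 'SYSVOL/NETLOGON checks passed' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

A missing share together with present folders usually means Netlogon has not finished its initial sync (the shares are created only once SYSVOL is considered ready), whereas missing folders point at the replication problem the BurFlags step above addresses.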

Troubleshooting Error “an Active Directory Domain Controller Could not be Contacted”

If none of the above methods helped you to fix the problem, you need to move to more advanced troubleshooting. Note that the Details button is available in the error message.

Click the Details button for more information about the error. In most cases, you will see the error “DNS name does not exist” or one of the following error codes: 0x0000232B RCODE_NAME_ERROR, 0x0000267C DNS_ERROR_NO_DNS_SERVER, or 0x00002746 WSAECONNRESET.

For example:

The domain name “DOMAIN_NAME” might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain “DOMAIN_NAME”:

The error was: “DNS name does not exist.”

(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.DOMAIN_NAME

Common causes of this error include the following:

– The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

xx.xx.xx.xx

xx.xx.xx.xx

– One or more of the following zones do not include delegation to its child zone:

Domain_name
local
.. (the root zone)

Open the text file C:\windows\debug\dcdiag.txt on the user’s computer. Carefully study the latest errors in this file. Perhaps they will point you in the right direction.

Most often, you can face such errors in the dcdiag.txt file:

  • 0x0000232B — RCODE_NAME_ERROR (“DNS name does not exist”) – your computer cannot find the SRV record on the DNS server. Make sure your computer’s DNS settings are set to the IP address of your domain controller. Check SRV records on DC;
  • 0x0000267C — DNS_ERROR_NO_DNS_SERVER (“No DNS Servers configured for local system”). In this case, it is recommended to check your IP and DNS settings, and network connectivity;
  • 0x00002746 — WSAECONNRESET (“An existing connection was forcibly closed by the remote host”) — check the network connectivity and firewall rules. Try to restart the DNS service on the DC, or reboot the host completely.

Sometimes, the Netsetup.log file contains useful information about errors that occur when joining a computer to an Active Directory domain: Windows clients record the details of the domain join operation in this file, which is located at %windir%\debug\Netsetup.log. Carefully examine the errors in Netsetup.log; they may help you find out why the computer cannot connect to the Active Directory domain.

The most typical errors are:

  • An attempt to resolve the DNS name of a DC in the domain being joined has failed. Please verify this client is configured to reach a DNS server that can resolve DNS names in the target domain;
  • An operation was attempted on a nonexistent network connection — restart the computer, make sure that you type the DNS name and not the NetBIOS name;
  • Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again — reboot your device;
  • Network name cannot be found — make sure your computer can access the DNS server hosting the domain’s DNS zone;
  • No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept — remove all mapped drives and reboot the computer.
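As an added example (not code from the original article), the script below scans dcdiag.txt and Netsetup.log for the error codes and messages listed in this section and prints the article’s hint next to each match, so the most recent join attempt can be triaged without reading the whole file. The sample lines are constructed for illustration and only approximate the real log format; the file paths are the ones the article gives.

```powershell
# Added example, not from the original article. Maps the error codes/messages the article
# explains to their hints and scans the join logs for them.
$hints = [ordered]@{
    '0x0000232B'                         = 'RCODE_NAME_ERROR: SRV record not found; point the client DNS at the DC and check SRV records on the DC'
    '0x0000267C'                         = 'DNS_ERROR_NO_DNS_SERVER: no DNS servers configured; check IP/DNS settings and connectivity'
    '0x00002746'                         = 'WSAECONNRESET: connection reset; check connectivity and firewall rules, restart DNS on the DC'
    'An attempt to resolve the DNS name' = 'Client cannot reach a DNS server that resolves names in the target domain'
    'nonexistent network connection'     = 'Restart the computer; use the DNS name, not the NetBIOS name'
    'Multiple connections to a server'   = 'Reboot the device to drop the previous connections'
    'Network name cannot be found'       = 'Check access to the DNS server hosting the domain zone'
    'No more connections can be made'    = 'Remove all mapped drives and reboot the computer'
}

function Find-JoinErrors {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($key in $hints.Keys) {
            # literal match: the keys contain no regex metacharacters we want interpreted
            if ($line -match [regex]::Escape($key)) {
                [pscustomobject]@{ Match = $key; Hint = $hints[$key]; Line = $line.Trim() }
            }
        }
    }
}

# Constructed sample lines (not real log output) so the function can be tried offline
$sample = @(
    '01/02/2024 09:15:01 NetpDsGetDcName: trying to find DC in domain theitbros.com',
    '01/02/2024 09:15:03 NetpDsGetDcName: failed: 0x0000232B',
    'The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)',
    'Network name cannot be found.'
)
'== constructed sample =='
Find-JoinErrors -Lines $sample | Format-Table -AutoSize

# The real files, at the paths given in the article; only the tail holds the latest attempt
$logPaths = "$env:windir\debug\dcdiag.txt", "$env:windir\debug\Netsetup.log"
foreach ($path in $logPaths) {
    if (Test-Path $path) {
        "== $path (last 200 lines) =="
        Find-JoinErrors -Lines (Get-Content $path -Tail 200) | Format-Table -AutoSize
    }
}
```

The sample produces three rows: two for 0x0000232B (the same RCODE_NAME_ERROR reported by the locator and repeated in the details text) and one for the network-name message. On a real client the first code to appear in the tail is normally the root cause; later entries are follow-on failures of the same attempt.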

7 comments

  1. You are missing some _ underscores in commands above I think
    _ldap._tcp.dc._msdcs.your_domain_name.com

    This stumped me for a while!!

    1. I thought this too. My server only had the records WITH underscores which did not work. I added the records WITHOUT underscores and it started working again. A Windows 10 update on the clients caused it to stop working, but I never figured out which one. So I now have the records both ways.

  2. Most of the issues connecting to AD were caused by a Windows 10 update.
    After more than a month of looking for a solution, finally! Issue fixed! Thank you very much!
    **Only with the Windows 10 update was this feature disabled by default.
    It works!
    “To enable SMBv1 support in Windows 10, go to Control Panel > Programs > Turn Windows features on or off. Expand the node SMB 1.0/CIFS File Sharing Support, enable the SMB 1.0/CIFS Client option and save the changes.”

  3. With Windows 10 and previous, you only had to type in the domain name and it assumed .com.
    I’m finding with Windows 11 that it wants the .com, as in, domainname.com when adding a computer to the domain.

    Likely because you can now have .net, etc
