Fix: Active Directory Domain Controller Could Not Be Contacted

1.8K

In this article, we’ll have a look at why you can’t join a new computer to the Active Directory domain with an error message Active Directory Domain Controller could not be contacted. The cause of this error can be either incorrect IP/DNS settings on client workstations, problems with the operation of domain controllers, or misconfigured zone DNS settings in AD. Let’s try to figure out how to troubleshoot the error, find the source of the problem, and fix the settings.

The problem can occur when a user or administrator tries to join a new Windows workstation/server to a domain. Typically, the following steps are taken to join a domain:

1. Open the System Properties on the workstation;
2. Press Change settings > Change;
3. Set a new computer name and select that this computer should be a member of a specified domain;
4. Enter your AD domain FQDN (Fully Qualified Domain Name)
5. Click OK

In some cases, you may receive an error message:

An Active Directory Domain Controller (AD DC) for the domain “theitbros.com” could not be contacted.
Ensure that the domain name is typed correctly.

If the local Active Directory domain name is correct, click Details for troubleshooting information.

How to Fix AD Domain Controller Could Not Be Connected Error?

Here are some basic steps that should help you fix the domain controller connection error:

1. Check the IP address and DNS settings of the client workstation;
2. Check the Active Directory domain controller connectivity;
3. Check DC Health (SRV DNS records, Netlogon, and Sysvol folders).

Let’s look at each of these steps in more detail.

Check the Network Settings on the Client Computer

Step 1. Check IP Address

The first thing to check is if your computer has the correct IP address on the primary network interface. The IP address can be obtained from a DHCP server, or manually specified in the network adapter settings. You can display IP address information by using the following command:

ipconfig /all

It will display the current IPv4 address of your computer.

Make sure your computer’s IP address matches the network it’s on. Try to manually set a static IP address (ask your system administrator for this information), or vice versa, get the correct address from the DHCP server (select Obtain IP address automatically in the properties of your network adapter).

You can also run an ipconfig /release and then an ipconfig /renew to attempt to pull a new IP address from the DHCP server.

Step 2. Check DNS Settings

An invalid (non-existent or public) DNS server setting assigned to the computer is a common problem when connecting to AD domain controllers.

Make sure that your computer is able to resolve the DNS name of your domain:

Test-NetConnection -TraceRoute theitbros.loc

In this case, the computer can’t resolve the specified domain name.

Make sure your internal DNS servers are set in the IP settings of your network adapter. You can display the current DNS servers for your adapter using PowerShell:

DnsClientServerAddress

You can set a new DNS configuration by changing it manually, or get the settings from DHCP in your network connection settings:

1. Open Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings;
2. Select a network adapter that is connected to your corporate network, right-click on it, and select Properties;
   
3. Select Internet Protocol Version 4 (TCP/IPv4), and click Properties;
4. Press the Advanced button, and go to the DNS tab;
5. On the DNS tab press Add, and enter the IP address of your DNS server (domain controller). Don’t use Public DNS IPs in preferred and alternative fields, like 8.8.8.8 (google) or 1.1.1.1 (cloudflare);
   
6. Click OK (if several IP addresses are listed in the DNS server list, move the IP address of your DC to the top of the list);
   
7. Save the changes and restart the workstation;
8. Try to join your workstation to the AD domain.

Then make sure the DNS Client service is running using Get-Service cmdlet:

Get-Service dnscache

Open the hosts file (C:\Windows\System32\Drivers\etc\hosts) using notepad.exe or another text editor, and make sure there are no entries for your domain or domain controller names. If such entries exist, delete them.

You can display the contents of the hosts file with the command:

get-content C:\Windows\System32\Drivers\etc\hosts

Then clear the DNS cache, and restart the service from the elevated command prompt:

ipconfig /flushdns

net stop dnscache && net start dnscache

Check if your computer can resolve the domain name to the correct IP address of the domain controller or domain. Use the Test-NetConnection cmdlet or the Resolve-DNSName cmdlet:

Resolve-DNSName theitbros.com

The command should return one or more records of DNS servers.

Step 3. Check the Domain Controller Connectivity

Next, check if the domain controller is accessible from the client. Open a command prompt, and run the following commands:

ping your_domain_name.com

Make sure your domain controller is responding and reachable.

Make sure that the client machine can locate the domain controller in the specified domain:

nltest /dsgetdc:theitbros.com

If your computer successfully discovered the domain and domain controller, the command should return information about the domain, Active Directory sites and services running on the DC:

DC: \\DC01.theitbros.com

Address: \\192.168.1.15

Dom Guid: 4216f343-2949-21c3-8caa-6d7cbcdb1690

Dom Name: theitbros.com

Forest Name: theitbros.com

Dc Site Name: NY

Our Site Name: NY Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS

The command completed successfully.

Hint. Another helpful guide that can help you troubleshoot DC connectivity over RPC is “1722 The RPC server is unavailable”.

Step 4. Check that access to the domain controller isn’t blocked by the firewall

The easiest way to check the availability of port 53 on a DC is to use PowerShell:

Test-Netconnection 192.168.1.11 -port 53

In our example, TcpTestSucceeded: True means that the DNS service on the DC is accessible.

Also, try to temporarily disable the built-in Microsoft Defender Firewall, and all third-party applications with antivirus/firewalls modules (Symantec, MacAfee, Windows Defender, etc.), that can block network ports to access the domain controller. After disabling the firewalls, try to join the computer to the domain.

Here is the minimum list of network protocols, ports, and services that must not be blocked in firewalls between a client and a domain controller for a device to successfully join the Active Directory domain:

• UDP 53 — DNS traffic;
• TCP and UDP 88 — Kerberos authentication;
• UDP 123 — Windows Sync time with Domain Controller;
• TCP 135 — Remote Procedure Call RPC Locator;
• TCP and UDP 139 — NetBIOS Session Service;
• TCP and UDP 389 (LDAP, DC Locator, Net Logon) or TCP 636 (LDAP over SSL);
• TCP 445 (SMB/CIFS, Net Logon);
• TCP 49152-65535 — RPC ports, randomly allocated high TCP ports.

Check the DNS Settings on the Domain Controller

If all the previous checks have failed to resolve the connection error to the domain controller, and you are experiencing similar problems on other devices, you need to check the DNS zone configuration in Active Directory.

Step 1. Check the DNS SRV Records on Active Directly

Check that there is an SRV record (DNS server record) for the location of the DC in your AD DNS zone.

Run the following commands:

nslookup

set type=all

_ldap._tcp.dc.msdcs.your_domain_name.com

Verify if the specified DNS server has an SRV record in the following form:

_ldap._tcp.dc._msdcs.your_domain_name.com SRV service location:

If the specified SRV record is missing, this means that your DNS server does not have a correct SRV record with the location of the domain controller.

Step 2. Update/Re-Register DNS SRV Records on DC

You can manually add two records (SRV and A) to your existing DNS server which help you to resolve the domain controller’s IP address:

• ldap.tcp.dc.msdcs.your_domain_name.com — is an SRV resource record that points to the domain controller that hosts the ADDS role;
• Resource A record that identifies the IP address for the DC listed in the ldap.tcp.dc.msdcs.your_domain_name.com SRV resource record.

Restart the Netlogon service on the DC with the command:

net stop netlogon && net start netlogon

(or simply try to reboot the DC)

DC will attempt to register the necessary SRV records in DNS on startup.

Also, you can re-register domain controller DNS records using the command:

ipconfig /registerdns

Wait for a while for the records to appear in the DNS and replicate across the domain.

Also, make sure the dynamic updates are allowed in your Windows DNS zone settings.

Step 3. Check the Domain Controller Health

Perform a health check on your domain controllers and replication according to the following guides:

• How to check the Active Directory health?
• Check the AD Replication using the Repadmin command. With an AD Integrated DNS server configuration, DNS is replicated with AD DS replication.

It is also recommended to verify if the SYSVOL and NETLOGON network shared folders are created and accessible on the domain controller (run the net share command on the closest DC).

Troubleshooting Error “Active Directory Domain Controller Could not be Contacted”

If none of the above methods helped you to fix the problem, you need to move to more advanced troubleshooting. Note that the Details button is available in the error message.

Click the Details button for more information about the error. In most cases, there you will see an error “DNS name does not exist” or one of the following error codes 0x0000232B RCODE_NAME_ERROR, 0x0000267C DNS_ERROR_NO_DNS_SERVER, and 0x00002746 WSAECONNRESET).

Open the text file C:\Windows\debug\dcdiag.txt on the user’s computer. Carefully study the latest errors in this file. Perhaps they will point you in the right direction.

Most often, you can face such errors in the dcdiag.txt file:

• 0x0000232B — RCODE_NAME_ERROR (“DNS name does not exist”) – your computer cannot find the SRV record on the DNS server. Make sure your computer’s DNS settings are set to the IP address of your domain controller. Check the SRV records on the DC;
• 0x0000267C — DNS_ERROR_NO_DNS_SERVER (“No DNS Servers configured for local system”). In this case, it is recommended to check your IP and DNS settings, and network connectivity;
• 0x00002746 — WSAECONNRESET (“An existing connection was forcibly closed by the remote host”) — check the network connectivity and firewall rules. Try to restart the DNS service on the DC, or reboot the host completely.

Also check the error details of the domain join operation in the windir%\debug\Netsetup.log file.

The most typical errors are:

• An attempt to resolve the DNS name of a DC in the domain being joined has failed. Please verify this client is configured to reach a DNS server that can resolve DNS names in the target domain;
• An operation was attempted on a nonexistent network connection — restart the computer, make sure that you type the DNS name and not the NetBIOS name;
• Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again — reboot your device;
• The network name cannot be found — make sure your computer can access the DNS server hosting the domain’s DNS zone;
• No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept — remove all mapped drives and reboot the computer.

There are many reasons for the Active Directory Domain controller could not be contacted error message. As we have discussed, it generally comes down to general TCP/IP connectivity issues or DNS issues on the client side, resulting in problems connecting to and joining the local Active Directory domain.