In this article, we’ll take a look at why it’s not possible to join a new computer to the Active Directory domain with an error Active Directory Domain Controller could not Be contacted.
Active Directory Domain Controller Could Not Be Contacted Error: What Does It Looks Like and How to Fix It?
A user or an administrator tries to join a new Windows workstation to the domain. To do this, open the System Properties on the workstation, press Change settings > Change. Enter a new computer name, and select that this computer should be a member of a specified domain. Enter your AD domain FQDN name. After clicking on the OK button, you may receive an error:
An Active Directory Domain Controller (AD DC) for the domain “theitbros.com” could not be contacted.
Ensure that the domain name is typed correctly.
If the name is correct, click Details for troubleshooting information.
Click the Details button for more information about the error. In most cases, there you will see an error “DNS name does not exist” (error codes 0x0000232B RCODE_NAME_ERROR and 0x0000267C DNS_ERROR_NO_DNS_SERVER).
Check if the IP Settings on Your Computer Are Correct
Most often, this problem is related to wrong IP or DNS settings on your computer, DNS misconfiguration on the domain controller side, or with firewall ports blocking.
First of all, check if your computer has the correct IP address on the primary network interface. The IP address can be obtained from a DHCP server, or manually specified in the network adapter settings. The current network settings of the computer can be obtained using the command:
Open the hosts file (C:\Windows\System32\Drivers\etc\hosts) on the computer using notepad.exe or another text editor, and make sure there are no entries for your domain or domain controller name. If such entries exist, delete them.
You can display the contents of the hosts file with the command:
Then clear the DNS cache, and restart the service from the elevated command prompt:
ipconfig /flushdns net stop dnscache && net start dnscache
Next, check if the domain controller is accessible from the client. Open a command prompt, and run the following commands:
Make sure your domain controller is responding and reachable.
Note. In addition, it’s desirable to check the availability of the domain controller from other workstations on the same IP network.
If the DC is reachable, try to add the received IP address as a DNS server in the Advanced TCP/IP settings of your network connection.
- Open Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings;
- Select network adapter that is connected to your corporate network, right-click on it, and select Properties;
- Select Internet Protocol Version 4 (TCP/IPv4), and click Properties;
- Press the Advanced button, and go to the DNS tab;
- On the DNS tab press Add, and enter the IP address of your DNS server (domain controller);
- Click OK (if several IP addresses are listed in the DNS server list, move the IP address of your DC to the top of the list);
- Save the changes and restart the workstation;
- Try to join your workstation to the AD domain.
Verify that the access to the DNS service on the domain controller is not blocked by firewalls. The easiest way to check the availability of port 53 on a DC is to use PowerShell:
test-netconnection 192.168.1.11 -port 53
In our example, TcpTestSucceeded: True means that the DNS service on the DC is accessible.
Also, check if your computer can resolve the domain name to the correct IP address of the domain controller. Use the Resolve-DNSName cmdlet with the FQDN of your domain to which you are trying to join your workstation:
The command should return one or more records for DNS servers.
Also make sure the computer can contact the DNS server that hosts the DNS zone or can resolve DNS names in that domain. Make sure the correct DNS server is configured on this client as preferred and the client is connected to this server. Confirm you can find a domain and access the domain controller from the computer using the command:
If your computer successfully discovered the domain and domain controller, the command should return information about the domain, AD site, and services running on the DC:
Dom Guid: 4216f343-2949-21c3-8caa-6d7cbcdb1690
Dom Name: theitbros.com
Forest Name: theitbros.com
Dc Site Name: NY
Our Site Name: NY
Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS
The command completed successfully
Hint. Another helpful guide that can help you troubleshooting DC connectivity over RPC is “The RPC Server is Unavailable”
Sometimes, you can find useful information about errors in joining a computer to an Active Directory domain in the Netsetup.log file. This log can be found here %windir%\debug\Netsetup.log. Carefully examine the errors in the Netsetup.log file, they may help you in finding the problem of not being able to connect to the Active Directory domain.
Also, try to temporarily disable the built-in Windows Firewall, and all third-party applications with antivirus/firewalls modules (Symantec, MacAfee, Windows Defender, etc.), that can block network ports to access the domain controller. After disabling the firewalls, try to join the computer to the domain.
Check the Replication and DNS SRV Records on the Domain Controller
If the above method didn’t help, check if in the DNS zone of your domain controller there is an SRV record of the location of the DC.
Open an elevated Command prompt, and run the following commands:
nslookup set type=all _ldap._tcp.dc.msdcs.your_domain_name.com
Verify that the specified DNS server has an SRV record in the following form:
_ldap._tcp.dc._msdcs.your_domain_name.com SRV service location:
If the specified SRV record is missing, it means your computer is configured to use a DNS server that does not have a correct SRV record with the location of the domain controller.
Verify that the domain controller is configured to use the same DNS server, or check if the replication on the DNS server that the client uses is successful (use the repadmin tool to check replication status). Also, make sure the DNS server allows dynamic updates.
Restart the Netlogon service on the domain controller with the command “net stop netlogon && net start netlogon” (or simply try to reboot the DC). On startup, it will try to register the necessary SRV records on the DNS server.
Also, you can re-register domain controller DNS records using the command:
Wait for a while for the records to appear in DNS and replicate across the domain.
It is also recommended to verify that the SYSVOL and NETLOGON network shared folder is created and accessible on the domain controller (run the net share command on the closest DC).
If the SYSVOL and NETLOGON directories are missing in the shares list:
- Check the IP and DNS settings on your DC (the domain controller shouldn’t receive an IP address from a DHCP server, use only a static IP address);
- Verify that the C:\Windows\SYSVOL domain directory contains Policies and Scripts folders;
- If you did not migrate Sysvol replication from FRS to DFS, to replicate Sysvol from PDC to all DCs in the domain, you need to stop the File Replication Service (net stop NtFrs). Then run the regedit and go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/RestoreProcess at Startup, here change the value of BurFlags DWORD parameter to D4 (hex) on PDC, and to D2 (hex) on all additional domain controllers. After that, start the service: net start NtFrs. And check if the directory DCName SYSVOL appears and accessible on the problem DC.
Accessing Legacy Domain Controllers Using the SMB v1 Protocol
If you use domain controllers with Windows Server 2008 (or older), and you are trying to join Windows 10 1803 (or newer) to the domain or Windows Server 2019, you must enable SMBv1 protocol support on the client-side (this protocol is disabled by default in the newer Windows OS). The client SMB1Protocol-Client allows your computer to access legacy servers.
To enable SMBv1 support in Windows 10, go to Control Panel > Programs > Turn Windows features on or off. Expand the node SMB 1.0/CIFS File Sharing Support, enable the SMB 1.0/CIFS Client option, and save the changes.
You can check SMB 1.0/CIFS Client protocol status on your Windows 10 computer using the PowerShell command:
Get-WindowsOptionalFeature -Online -FeatureName "SMB1Protocol-Client"
If the SMB1Client protocol status is Disabled, you can enable it using:
Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client
On Windows 7/Vista clients you can detect the SMBv1 protocol state using the command:
sc.exe qc lanmanworkstation
If you need to enable SMB v1 Client on Windows 7/Windows Server 2008 R2, run:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi sc.exe config mrxsmb10 start= auto
- How to Fix PFN_LIST_CORRUPT Blue Screen of Death in Windows 10? - June 20, 2021
- How to Prevent/Allow Log on Locally via GPO? - June 19, 2021
- Deploying Local Administrator Password Solution (LAPS) in Active Directory - June 19, 2021