
Fix: Active Directory Domain Controller Could Not Be Contacted


In this article, we’ll look at why joining a new computer to an Active Directory domain can fail with the error “An Active Directory Domain Controller could not be contacted”, and how to fix it.

What Does the Active Directory Domain Controller Could Not Be Contacted Error Look Like?

A user or an administrator tries to join a new Windows workstation to the domain. To do this, open the System Properties on the workstation and press Change settings > Change. Enter a new computer name and select that this computer should be a member of a specified domain. Enter the FQDN of your AD domain. After clicking the OK button, you may receive an error:

An Active Directory Domain Controller (AD DC) for the domain “theitbros.com” could not be contacted.
Ensure that the domain name is typed correctly.

If the name is correct, click Details for troubleshooting information.


Click the Details button for more information about the error. In most cases, there you will see an error “DNS name does not exist” (error code 0x0000232B RCODE_NAME_ERROR).

Most often, this problem is caused by wrong IP or DNS settings on your computer, a DNS misconfiguration on the domain controller side, or a firewall blocking the required ports.

First of all, check if your computer has the correct IP address of the network interface. The IP address can be obtained from a DHCP server or manually specified in the network adapter settings. The current network settings of the computer can be obtained using the command:

ipconfig /all


Open the hosts file (C:\Windows\System32\Drivers\etc\hosts) on the computer using notepad.exe or another text editor and make sure that there are no entries for your domain or domain controller name. If such entries exist, delete them.

You can display the contents of the hosts file with the command:

get-content C:\Windows\System32\Drivers\etc\hosts


Then clear the DNS resolver cache and restart the DNS Client service:

ipconfig /flushdns

net stop dnscache && net start dnscache

Next, check if the domain controller is accessible from the client. Open a command prompt and run the following commands:

ping your_domain_name.com

and

tracert your_domain_name.com

Make sure that your domain controller is responding and reachable.


Note. It is also worth checking whether the domain controller is reachable from other workstations on the same IP subnet.

If the DC is reachable, add its IP address (the one returned by ping) as a DNS server in the Advanced TCP/IP settings of your network connection:

  1. Open Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings;
  2. Select the network adapter that is connected to your corporate network, right-click it and select Properties;
  3. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties;
  4. Press Advanced button and go to the DNS tab;
  5. On the DNS tab press Add and enter the IP address of your DNS server (domain controller);
  6. Click OK (if several IP addresses are listed in the DNS server list, move the IP address of your DC to the top of the list);
  7. Save the changes and restart the workstation;
  8. Try to join your workstation to the AD domain.

Verify that access to the DNS service on the domain controller is not blocked by firewalls. The easiest way to check the availability of port 53 on a DC is to use PowerShell:

Test-NetConnection 192.168.1.11 -Port 53

In our example, TcpTestSucceeded: True means that the DNS service on the DC is accessible.


Also, check if your computer can resolve the domain name to the correct IP address of the domain controller. Use the Resolve-DNSName cmdlet with the FQDN of your domain to which you are trying to join your workstation:

Resolve-DNSName theitbros.com


The command should return one or more A records with the IP addresses of your domain controllers.

Check If the DNS Zone of Domain Controller Has SRV Record

If the above method didn’t help, check whether the DNS zone of your domain contains the SRV record that clients use to locate the DC.

Open an elevated Command prompt and run the following commands:

nslookup

set type=all

_ldap._tcp.dc._msdcs.your_domain_name.com

Verify that the specified DNS server has an SRV record in the following form:

_ldap._tcp.dc._msdcs.your_domain_name.com SRV service location:


If the specified SRV record is missing, it means that your computer is configured to use a DNS server that does not have an SRV record with the location of the domain controller.
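The checks from this and the previous section (hosts file, port 53, name resolution, SRV record) can be run in one go from the client. The following PowerShell script is an added example and is not from the original article; it assumes the domain theitbros.com and the DC address 192.168.1.11 used above, and additionally tests the LDAP and Kerberos ports on every DC the SRV record returns.

```powershell
# Added example (not from the original article): client-side checks for the
# "AD DC could not be contacted" error. Replace the two values below with your own.
$Domain = 'theitbros.com'     # assumed: the domain you are trying to join
$DnsIp  = '192.168.1.11'      # assumed: the DC / DNS server from the article

# 1. the hosts file must not override the domain or DC name
$hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue
$bad   = $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_ -match [regex]::Escape($Domain) }
if ($bad) { Write-Warning "hosts file overrides the domain name:`n$($bad -join "`n")" }

# 2. which DNS servers the client is actually configured with
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses | Select-Object InterfaceAlias, ServerAddresses

# 3. TCP/53 on the DC must be reachable (TcpTestSucceeded should be True)
$t = Test-NetConnection -ComputerName $DnsIp -Port 53
if (-not $t.TcpTestSucceeded) { Write-Warning "TCP 53 to $DnsIp is blocked or the DNS service is down" }

# 4. the domain name itself must resolve to one or more DC addresses
$a = Resolve-DnsName -Name $Domain -Type A -Server $DnsIp -ErrorAction SilentlyContinue
if (-not $a) { Write-Warning "$Domain does not resolve via $DnsIp (this is the RCODE_NAME_ERROR case)" }

# 5. the DC locator SRV record must exist on the DNS server the client uses
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsIp -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV record on $DnsIp; Netlogon on the DC has not registered it"
} else {
    foreach ($r in $srv) {
        # each SRV record names a DC; LDAP (389) and Kerberos (88) must be open to it for the join
        foreach ($port in 389, 88) {
            $ok = (Test-NetConnection -ComputerName $r.NameTarget -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            '{0,-40} TCP/{1,-3} {2}' -f $r.NameTarget, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
        }
    }
}
```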

Verify that the domain controller is configured to use the same DNS server, or check that replication to the DNS server the client is using succeeds (use the repadmin tool to check replication status). Also, make sure that the DNS zone allows dynamic updates.

Restart the Netlogon service on the domain controller with the command “net stop netlogon && net start netlogon” (or simply reboot the DC); this re-registers the necessary SRV records on the DNS server.

It is also recommended to verify that the domain controller has the SYSVOL and NETLOGON network shares (run the net share command on the closest DC).


If the SYSVOL and NETLOGON directories are missing in the shares list:

  1. Check the IP and DNS settings on your DC (the domain controller shouldn’t receive an IP address from a DHCP server, use only a static IP address);
  2. Verify that the C:\Windows\SYSVOL\ domain directory contains Policies and Scripts folders;


  3. If you did not migrate SYSVOL replication from FRS to DFS-R, to replicate SYSVOL from the PDC to all DCs in the domain you need to stop the File Replication Service (net stop NtFrs). Then run regedit, go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup and change the value of the BurFlags DWORD parameter to D4 (hex) on the PDC and to D2 (hex) on all additional domain controllers. After that, start the service: net start NtFrs. Then check that the directory \\DCName\SYSVOL appears and is accessible on the problem DC.
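As an added example that is not part of the original article, the following PowerShell script, run on the DC, reads the state the steps above ask you to verify: DHCP versus static addressing, the SYSVOL and NETLOGON shares, the Policies and Scripts folders, which replication service is installed and the current BurFlags value. It assumes the default SYSVOL location under %SystemRoot% and changes nothing.

```powershell
# Added example (not from the original article): run on the domain controller to
# check the SYSVOL/NETLOGON prerequisites listed above. It only reads state;
# the BurFlags change itself stays a manual step as described in the article.
$sysvolDomain = Join-Path $env:SystemRoot 'SYSVOL\domain'   # assumed default SYSVOL location

# 1. a DC should use a static IPv4 address, not a DHCP lease
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' -and $_.Dhcp -eq 'Enabled' } |
    ForEach-Object { Write-Warning "$($_.InterfaceAlias) gets its address from DHCP; a DC needs a static IP" }

# 2. SYSVOL and NETLOGON must be shared (same information as 'net share')
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if ($share) { "$name share -> $($share.Path)" } else { Write-Warning "$name share is missing" }
}

# 3. the SYSVOL domain folder must contain Policies and Scripts
foreach ($sub in 'Policies', 'Scripts') {
    $path = Join-Path $sysvolDomain $sub
    if (Test-Path $path) { "$path exists" } else { Write-Warning "$path is missing" }
}

# 4. which SYSVOL replication engine is installed, and the FRS BurFlags value
foreach ($svc in 'NtFrs', 'DFSR') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    '{0,-6} {1}' -f $svc, $(if ($s) { $s.Status } else { 'not installed' })
}
# the key name contains a '/', which the HKLM: provider would treat as a separator,
# so open it through .NET where only '\' separates key names
$burKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup')
if ($burKey) {
    $bur = [int]$burKey.GetValue('BurFlags', 0)
    # D4 = authoritative restore (expected on the PDC), D2 = non-authoritative (other DCs)
    $meaning = switch ($bur) { 0xD4 { 'D4, authoritative' } 0xD2 { 'D2, non-authoritative' } default { 'no restore pending' } }
    'BurFlags = 0x{0:X} ({1})' -f $bur, $meaning
    $burKey.Close()
}

# 5. after fixing DNS/SYSVOL, re-register the DC's SRV records (same effect as the
#    net stop/start netlogon from the article); uncomment to run:
# Restart-Service -Name Netlogon
```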

If you use domain controllers running Windows Server 2008 (or older), and you are trying to join Windows 10 1803 (or newer) or Windows Server 2019 to the domain, you must enable SMBv1 protocol support on the client side (this protocol is disabled by default in these OS versions).

To enable SMBv1 support in Windows 10, go to Control Panel > Programs > Turn Windows features on or off. Expand the SMB 1.0/CIFS File Sharing Support node, enable the SMB 1.0/CIFS Client option and save the changes.


Also, try to temporarily disable the built-in Windows Firewall and any third-party applications with antivirus/firewall modules (Symantec, McAfee, etc.) that can block the network ports used to reach the domain controller. After disabling the firewalls, try to join the computer to the domain, then re-enable them once you have identified the blocked port.
