You may receive an “Active Directory Domain Controller could not be contacted” error when you try to join a Windows computer to an AD domain. This issue might occur if the IP/DNS settings on your device are incorrect, if there are problems with your domain controllers, or if the DNS zone in Active Directory is not configured properly. Let’s find and fix the issue causing the Active Directory connection error.
An Active Directory Domain Controller (AD DC) for the domain “theitbros.com” could not be contacted.
Ensure that the domain name is typed correctly. If the name is correct, click Details for troubleshooting information.
How to Fix “AD Domain Controller Could Not Be Connected” Error
Here are some basic steps that should help you:
- Check that the IP address and DNS settings on the client computer are correct;
- Verify that your computer can locate and connect to the Active Directory domain controller over the network;
- Examine the health of the domain controller by verifying SRV DNS records, Netlogon, and Sysvol folders.
Let’s look at each of these steps in more detail.
Check the Network Settings on the Client Windows Computer
Step 1. Check the Client Machine IP Address
Ensure that your computer has the correct IP address configured on the network adapter. Your computer can get the IP address from a DHCP server, or you can set it manually in the network adapter settings. You can find out your current IP address using the command:
ipconfig /all
Attempt to set a static IP address manually (consult your system administrator for the required information), or alternatively, obtain the correct address from the DHCP server (select Obtain IP address automatically in the properties of your network adapter).
Run the ipconfig /release and then ipconfig /renew commands to get a new IP address from the DHCP server.
Step 2. Set the Domain Controller IP in the Client DNS Settings
A common issue affecting Active Directory connectivity is configuring an invalid (non-existent or public) primary DNS server IP address on the computer.
To check that your computer can resolve the DNS name of your AD domain, use the following PowerShell command
Resolve-DnsName theitbros.loc
Resolve-DnsName : theitbros.loc : DNS name does not exist
In this case, the computer can’t resolve the specified domain name.
Ensure that the IP addresses of your internal DNS servers are specified in the DNS settings in the network adapter settings on the client machine.
netsh interface ipv4 show dnsservers
In the network configuration of the client machine, either manually set the IP address of your domain controller as the preferred DNS server or allow it to be obtained automatically from your DHCP server (if available).
- Open the Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings;
- Open the properties of the network adapter connected to your corporate network;
- Select Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced button, and go to the DNS tab;
- On the DNS tab press Add, and enter the IP address of your DC. Don’t use public DNS IPs in your preferred and alternate servers (such as 8.8.8.8 or 1.1.1.1);
- If there are multiple IP addresses in the DNS server list, prioritize your DC’s IP address by moving it to the top;
- Save the changes and restart the workstation;
- Try to join your workstation to the AD domain.
Then make sure the DNS Client service is running:
Get-Service dnscache
Ensure that there are no manually entered (static) entries in the hosts file for your domain or domain controller names.
get-content C:\Windows\System32\Drivers\etc\hosts
If there are any such entries, delete them.
Then clear the DNS cache on your computer:
ipconfig /flushdns
net stop dnscache && net start dnscache
Check that your computer can correctly resolve the domain name to the accurate IP address of the domain controller or domain:
Resolve-DnsName your_domain_name.com
The command should return one or more A records pointing to the IP addresses of your domain controllers.
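The client-side checks from Steps 1 and 2 (DNS server addresses, the DNS Client service, stray hosts entries, and resolution of the domain name) gathered into one PowerShell script. This is an added example, not from the original article; it assumes the domain is theitbros.com and that the listed public resolver addresses are the ones to flag.

```powershell
# Added example (not from the original article): client-side DNS sanity check
# run on the workstation before retrying the domain join. Assumes the AD DNS
# name is theitbros.com (the article's example); adjust $Domain as needed.
$Domain = 'theitbros.com'
$PublicResolvers = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1', '9.9.9.9')

# 1. IPv4 DNS servers on every adapter that has any configured.
$dnsConfig = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($cfg in $dnsConfig) {
    '{0}: {1}' -f $cfg.InterfaceAlias, ($cfg.ServerAddresses -join ', ')
    foreach ($srv in $cfg.ServerAddresses) {
        if ($PublicResolvers -contains $srv) {
            Write-Warning "Public resolver $srv on '$($cfg.InterfaceAlias)' cannot answer AD queries; replace it with a DC IP."
        }
    }
}

# 2. The DNS Client service must be running for name resolution and DC location.
if ((Get-Service dnscache).Status -ne 'Running') {
    Write-Warning 'DNS Client (dnscache) service is not running.'
}

# 3. Static hosts-file entries for the domain override DNS and are a common cause.
$hostsPath = "$env:windir\System32\drivers\etc\hosts"
$hostsHits = Select-String -Path $hostsPath -Pattern ([regex]::Escape($Domain)) |
    Where-Object { $_.Line -notmatch '^\s*#' }
if ($hostsHits) {
    Write-Warning "hosts file contains static entries for ${Domain}:"
    $hostsHits | ForEach-Object { "  line $($_.LineNumber): $($_.Line)" }
}

# 4. Resolve the domain itself using the DNS protocol only (no LLMNR/NetBIOS);
#    a healthy answer is one A record per domain controller.
try {
    $a = Resolve-DnsName -Name $Domain -Type A -DnsOnly -ErrorAction Stop |
        Where-Object Type -eq 'A'
    "A records for ${Domain}: " + ($a.IPAddress -join ', ')
} catch {
    Write-Warning "Cannot resolve ${Domain}: $($_.Exception.Message)"
}
```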
Step 3. Check the Connectivity Between Client and Domain Controller
Next, check that the client workstation can access the domain controller. Run the command:
ping your_domain_name.com
Afterward, confirm that the client machine can locate the domain controller in the target domain:
nltest /dsgetdc:theitbros.com
If your computer successfully discovered the domain and domain controller, the command should return information about the domain, Active Directory sites and services running on the DC.
Hint. Another helpful guide that can help you troubleshoot DC connectivity over RPC is “1722 The RPC server is unavailable”.
Step 4. Firewall Ports Required Between Clients and Domain Controller
Verify that firewalls are not blocking the necessary ports essential for communication between the client computer and the AD domain controller.
Firstly, check that the DNS service (53 port) is accessible on the DC
Test-NetConnection 192.168.1.11 -Port 53
TcpTestSucceeded : True
Also, try temporarily disabling the built-in Microsoft Defender Firewall and any third-party applications with antivirus/firewall modules (Symantec, McAfee, Windows Defender, etc.) that can block the network ports used to access the domain controller. After disabling the firewalls, try to join the computer to the domain.
Here is the minimum list of network protocols and ports that must be opened in firewalls between a client and a domain controller for a device to successfully join the Active Directory domain:
- UDP 53 — DNS traffic;
- TCP and UDP 88 — Kerberos authentication;
- UDP 123 — Windows Time (NTP) synchronization with the domain controller;
- TCP 135 — Remote Procedure Call (RPC) Endpoint Mapper/Locator;
- TCP and UDP 139 — NetBIOS Session Service;
- TCP and UDP 389 (LDAP, DC Locator, Net Logon) or TCP 636 (LDAP over SSL);
- TCP 445 — SMB/CIFS, Net Logon;
- TCP 49152-65535 — RPC ports, randomly allocated high TCP ports.
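To test the port list above from the workstation in one pass, here is an added PowerShell example (not from the original article). It assumes the DC is 192.168.1.11, the address used in the Test-NetConnection sample above, and that the domain is theitbros.com; Test-NetConnection cannot probe UDP, so UDP 53 is exercised with a real DNS query sent to the DC instead.

```powershell
# Added example (not from the original article): probe the TCP ports a domain
# join needs, from the client. Assumes DC = 192.168.1.11 and domain theitbros.com.
$DC     = '192.168.1.11'
$Domain = 'theitbros.com'

$TcpPorts = @(
    @{ Port = 53;  Service = 'DNS (TCP)' },
    @{ Port = 88;  Service = 'Kerberos' },
    @{ Port = 135; Service = 'RPC Endpoint Mapper' },
    @{ Port = 139; Service = 'NetBIOS Session Service' },
    @{ Port = 389; Service = 'LDAP / DC Locator' },
    @{ Port = 445; Service = 'SMB / Net Logon (SYSVOL, NETLOGON shares)' },
    @{ Port = 636; Service = 'LDAP over SSL' }
)

$results = foreach ($p in $TcpPorts) {
    $t = Test-NetConnection -ComputerName $DC -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p.Port; Service = $p.Service; Open = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize

# UDP 53: a DNS query sent directly to the DC rather than to the configured resolver.
try {
    $null = Resolve-DnsName -Name $Domain -Server $DC -DnsOnly -ErrorAction Stop
    "UDP 53 to ${DC}: OK (DNS on the DC answered for $Domain)"
} catch {
    Write-Warning "UDP 53 to ${DC}: no answer ($($_.Exception.Message))"
}

$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning ("Blocked TCP ports to ${DC}: " + ($blocked.Port -join ', ') +
        '. Review host and perimeter firewall rules before retrying the join.')
}

# The RPC dynamic range (TCP 49152-65535) cannot be enumerated from the client:
# the endpoint mapper on 135 must be reachable and the firewall must allow the
# high port the DC hands back.
```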
Check the DNS Settings on the Domain Controller
If the earlier checks have not resolved the connection error to the domain controller, and similar issues persist on other devices, it’s crucial to inspect the DNS configuration in Active Directory.
Step 1. Check the DNS SRV Records on Active Directory
Verify the presence of an SRV (Service) record for your domain controller in the Active Directory DNS zone.
Run the commands:
nslookup
set type=all
_ldap._tcp.dc._msdcs.your_domain_name.com
Check that the specified DNS server has an SRV record of the following form:
_ldap._tcp.dc._msdcs.your_domain_name.com SRV service location:
If the specified SRV record is missing, this means that your DNS server does not have a correct SRV record with the location of the domain controller.
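The same SRV lookup done with Resolve-DnsName, extended to the other DC locator records a client relies on and to the A record behind each SRV target. This is an added example, not from the original article; it assumes the domain is your_domain_name.com and that $DnsServer, if set, is the DNS server to query directly.

```powershell
# Added example (not from the original article): check the DC locator SRV
# records in the AD DNS zone. Assumes the domain placeholder below; set
# $DnsServer (e.g. the DC's IP) to query one DNS server instead of the client's.
$Domain    = 'your_domain_name.com'
$DnsServer = $null

$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # the record nslookup was used for above
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)

foreach ($name in $srvNames) {
    $params = @{ Name = $name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($DnsServer) { $params['Server'] = $DnsServer }
    try {
        $recs = Resolve-DnsName @params | Where-Object Type -eq 'SRV'
        foreach ($r in $recs) {
            '{0,-45} -> {1}:{2} (priority {3}, weight {4})' -f $name,
                $r.NameTarget, $r.Port, $r.Priority, $r.Weight
            # Each SRV target must itself resolve, or clients still cannot reach the DC.
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -DnsOnly -ErrorAction SilentlyContinue
            if (-not $a) { Write-Warning "SRV target $($r.NameTarget) has no A record" }
        }
    } catch {
        Write-Warning "Missing: $name ($($_.Exception.Message)). Restart Netlogon on the DC to re-register it."
    }
}
```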
Step 2. Update DNS SRV Records in Active Directory
You can manually add two records (SRV and A) to your existing DNS server which help clients to resolve the domain controller’s IP address:
- _ldap._tcp.dc._msdcs.your_domain_name.com — an SRV resource record that points to the domain controller;
- A resource record (A) that identifies the IP address of the DC listed in the _ldap._tcp.dc._msdcs.your_domain_name.com SRV resource record.
Restart the Netlogon service on the DC with the command (or simply try to reboot the DC):
net stop netlogon && net start netlogon
The DC will then attempt to register the necessary SRV records in DNS.
Also, you can re-register domain controller DNS records using the command:
ipconfig /registerdns
Allow some time for the records to appear in DNS and replicate across the domain.
Step 3. Check the Domain Controller Health
Perform a health check on your domain controllers and replication according to the following guides:
- How to check the Active Directory health?
- Check the AD Replication using the Repadmin command.
Confirm that the SYSVOL and NETLOGON network shared folders are both created and accessible on the domain controller. You can use the “net share” command on the nearest domain controller to check this.
Troubleshooting “Active Directory Domain Controller Could not be Contacted” Error
If none of the previous methods have resolved the issue, it’s time to proceed with more advanced troubleshooting steps. Note that the error message includes a Details button. Click on it to access additional information about the error.
The most common error codes you can face here are:
- 0x0000232B — RCODE_NAME_ERROR (“DNS name does not exist”) – If your computer is unable to locate the SRV record on the DNS server, ensure that the IP address of your domain controller is correctly set in your computer’s DNS settings. Additionally, inspect the SRV records on the domain controller.
- 0x0000267C — DNS_ERROR_NO_DNS_SERVER (“No DNS Servers configured for local system”). Check the client’s IP and DNS settings and network connectivity;
- 0x00002746 — WSAECONNRESET (“An existing connection was forcibly closed by the remote host”) — Examine the network connectivity and firewall rules. Attempt to restart the DNS service on the domain controller, or consider rebooting the server.
Open the text file C:\Windows\debug\dcdiag.txt on the user’s computer. Thoroughly review the most recent errors in this file, as they may provide valuable insights and guide you in the right direction.
Also check the error details of the domain join operation in the %windir%\debug\Netsetup.log file. Common errors you may encounter here include:
- An attempt to resolve the DNS name of a DC in the domain being joined has failed. Confirm that the client can successfully resolve the DNS name of the target AD domain;
- An operation was attempted on a nonexistent network connection — restart the computer, make sure that you type the DNS name and not the NetBIOS name;
- Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again — reboot client workstation;
- The network name cannot be found — make sure your computer can access the DNS server hosting the domain’s DNS zone;
- No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept — remove all mapped network drives and then restart the computer.
Indeed, there are various reasons why the “Active Directory domain controller could not be contacted” error message may occur. It could be due to issues with DNS settings, network connectivity problems, firewall configurations, or domain controller misconfigurations. Thoroughly investigating each aspect and addressing the specific issue encountered is key to resolving this error.
2 comments
Thanks, it worked for me
With Windows 10 and previous, you only had to type in the domain name and it assumed .com.
I’m finding with Windows 11 that it wants the .com, as in, domainname.com when adding a computer to the domain.
Likely because you can now have .net, etc