How to Fix "An Active Directory Domain Controller (AD DC) for the Domain Could Not Be Contacted"
Every IT admin managing machines in an Active Directory environment has been there. You try to add a computer to an Active Directory (AD) domain and get the dreaded “An Active Directory Domain Controller Could not be Contacted” error. In this article, learn the steps to diagnose (and solve) this problem for good.
An Active Directory Domain Controller Could not be Contacted

This error is DNS-related. The main problem is that the computer has failed to find an appropriate SRV DNS record it needs to join the AD domain. I’ve put together a few steps for you to follow to fix this error and get your computer joined to your domain.
Ensure You’re Using the Right DNS Servers

Before you get too far down a rabbit hole, first ensure you’re using the right DNS servers. Active Directory and DNS have a special relationship. Domain controllers register specific records in DNS servers they know about. These live in the _ldap._tcp.dc._msdcs. To resolve this issue, you need to be using either:
To check that the DNS server you are using is one of the above, run the following command in a PowerShell session on an existing domain joined computer:
The responses you get under the ServerAddresses column are the DNS servers being used by that computer. If you don’t have another domain client to check, you will need to contact your network team for this information. You can either use PowerShell’s

Once in the Network Connections window, right-click on the network card, choose Properties, choose Internet Protocol Version 4 (TCP/IPv4) and then click on Properties.

(Figure: IPv4 properties dialog)

If the network uses Dynamic Host Configuration Protocol (DHCP), ensure the Obtain an IP address automatically and Obtain DNS server address automatically options are selected. If your network doesn’t use DHCP, update the Preferred DNS server and Alternative DNS server values to the correct ones you obtained earlier.

Find the True Error

If you’ve confirmed your computer has the correct DNS servers, it’s time to dig a little further. When you attempt to join a computer to a domain, the error “An Active Directory Domain Controller Could not be Contacted” comes up, but it’s not the “true” error message. You need to dive a little deeper. You’ll notice a Details >> button in the error dialog. Click that. This returns more granular information, allowing you to troubleshoot the error better.

(Figure: Expanded details view of the error dialog)

You can select the contents of the text box to copy and paste into a text viewer, or you can find the same information in the C:\windows\debug\dcdiag.txt file on that machine. This file is created by Windows when the error occurs. The error text contains some key pieces of information. I’ve numbered and bolded each of these in the example below:
0x0000267C DNS_ERROR_NO_DNS_SERVER

This error indicates that the DNS server could not be found to even attempt the query. It didn’t even get a chance. This is typically due to no network connectivity to the DNS server.
Troubleshoot Your Network Connection

If you see this error message, you’ll need to start doing some network troubleshooting.
You can check for an IP address and DNS servers by running

If you have an IP address and can reach other network resources, you’ll need to test your connection between the computer and the DNS server. To do so, you can use

Check DNS connectivity

If you’ve confirmed your network connection is working, you’ll next need to ensure your computer can connect via TCP/53 to the DNS server. Try using the
If you get an error, then it is worth checking that there’s nothing blocking IP traffic on port 53 (the port used for DNS traffic) between your machine and the DNS servers. You can do a simple check for connectivity on port 53 using the
You will get a response of True if the connection succeeds, or False if it fails. A failure could be due to a network or host-based firewall on the DNS server.

0x0000232B RCODE_NAME_ERROR

This error means the computer was able to find the DNS server but the SRV record wasn’t found. This error requires a little more troubleshooting.

Ensure You’re Using the Domain FQDN

It seems simple, but verify that the name you typed matches the fully qualified domain name (FQDN) of the domain you are trying to join. This should only be a domain name, not a server name. For example, use carisbrookelabs.local and not WIN-3467RQTHJH5.carisbrookelabs.local. If there’s any doubt, check the domain name of an existing domain client. You can find the appropriate domain name by running this PowerShell command on an existing domain client.
If you attempt to use the NetBIOS name (contoso) vs. the FQDN (contoso.local), the computer might find the domain but Windows will treat the name as an FQDN anyway. If you type a NetBIOS name and don’t have a WINS infrastructure in place, you will get the error we’re trying to fix. Always use an FQDN rather than a NetBIOS name.

(Figure: Typing an FQDN in the Computer/Domain Changes dialog)

Check DNS records

For this step you are going to use

Your command should look something like this:
If you get DNS name does not exist as the response to this command, then your issue is with DNS.
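
The checks described above (configured DNS servers, TCP/53 reachability, and the domain controller SRV record), collected into one PowerShell function. This is an added example, not the article's own commands; the function name `Test-DomainJoinDns` is hypothetical and `carisbrookelabs.local` is the sample domain used earlier in the article.

```powershell
# Added example: runs the article's DNS checks in order against every
# DNS server this client is configured to use and reports one row per server.
function Test-DomainJoinDns {
    param(
        [Parameter(Mandatory)] [string] $DomainFqdn   # domain FQDN, not a server name
    )

    # 1. Which IPv4 DNS servers is this client actually using?
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Select-Object -ExpandProperty ServerAddresses -Unique
    if (-not $dnsServers) {
        return [pscustomobject]@{
            Server = $null; Stage = 'Client config'
            Result = 'No DNS servers configured (compare 0x0000267C DNS_ERROR_NO_DNS_SERVER)'
        }
    }

    # SRV record a client looks up to locate a domain controller
    $srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"

    foreach ($server in $dnsServers) {
        # 2. Is the DNS server reachable on TCP/53?
        $tcp = Test-NetConnection -ComputerName $server -Port 53 -WarningAction SilentlyContinue
        if (-not $tcp.TcpTestSucceeded) {
            [pscustomobject]@{
                Server = $server; Stage = 'TCP/53'
                Result = 'Unreachable: check routing and network or host firewalls'
            }
            continue
        }

        # 3. Does this server return the SRV record for the domain?
        try {
            $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Section -eq 'Answer' }
            [pscustomobject]@{
                Server = $server; Stage = 'SRV lookup'
                Result = 'Found: ' + (($srv.NameTarget | Sort-Object -Unique) -join ', ')
            }
        } catch {
            [pscustomobject]@{
                Server = $server; Stage = 'SRV lookup'
                Result = "Not found (compare 0x0000232B RCODE_NAME_ERROR): $($_.Exception.Message)"
            }
        }
    }
}

# Example call on the machine that fails to join the domain:
# Test-DomainJoinDns -DomainFqdn 'carisbrookelabs.local' | Format-Table -AutoSize -Wrap
```

A server that passes the TCP/53 check but fails the SRV lookup is reachable yet is not one the domain controllers registered their records with, which points back to the first step: the client is using the wrong DNS servers.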
If you get a positive response to

Re-register your domain controller’s DNS records using the command

Once you can confirm the presence of the required DNS record(s) using

Summary

In this article, you’ve learned some steps to try when troubleshooting the error “An Active Directory Domain Controller Could not be Contacted”. It’s impossible to cover every single scenario in an article like this, but I hope the process works for you and gets you on the right path!

Further Reading
What is Active Directory domain controller AD DC?

A server running the Active Directory Domain Service (AD DS) role is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers, and installing or updating software.
What means DC in Active Directory?

A domain controller is a type of server that processes requests for authentication from users within a computer domain. Domain controllers are most commonly used in Windows Active Directory (AD) domains but are also used with other types of identity management systems.