Fix: Active Directory Domain Controller Could Not Be Contacted
This guide explains how to troubleshoot and fix this domain controller connectivity issue.
What does “An Active Directory Domain Controller could not be contacted” mean?
When trying to join a Windows computer to an AD domain, you may receive the error “An Active Directory Domain Controller could not be contacted”. The client may be unable to connect to the domain controller due to incorrect network settings (IP, DNS or firewall) or a domain controller failure.
Troubleshooting AD Domain Controller Connectivity
When a computer joins an Active Directory domain, it must discover and connect to a domain controller (DC). The error occurs if the client is unable to connect to the DC:
An Active Directory Domain Controller (AD DC) for the domain “theitbros.com” could not be contacted. Ensure that the domain name is typed correctly.

Click the Details button to view the detailed error description. The most common errors are:
- 0x0000232B — RCODE_NAME_ERROR (“DNS name does not exist”).
- 0x0000267C — DNS_ERROR_NO_DNS_SERVER (“No DNS Servers configured for local system”).
- 0x00002746 — WSAECONNRESET (“An existing connection was forcibly closed by the remote host”).
- 0x000005B4 — ERROR_TIMEOUT (“This operation returned because the timeout period expired”). The DNS servers used by this computer for name resolution are not responding.
Here are the basic checks you should perform to troubleshoot the issue:
- Make sure you haven’t mistyped the Active Directory domain name;
- Check the client IP and DNS settings;
- Verify the network connectivity to the DC;
- Check the DC health.
Check the Network Connectivity to the AD Domain Controller from Client
A Windows client can connect to Active Directory only if it has a properly configured IP address and preferred DNS server. Open the PowerShell console to perform basic network connection troubleshooting.
Try to resolve the Active Directory domain name to an IP address:
Resolve-DnsName theitbros.loc
If the “DNS name does not exist” error occurs, check the DNS server IP addresses set on the computer. List the client DNS configuration using the command:
Get-DnsClientServerAddress
The IP address of one of the AD domain controllers must be specified as the DNS server in this list on the client computer. If a public DNS server (such as 8.8.8.8 or 1.1.1.1) or a non-existent DNS server IP is specified here, change the preferred DNS server in the network adapter properties (ncpa.cpl > Network Adapter Properties > IPv4 Properties > manually set your DC’s IP address as the preferred DNS server).

Ensure that there are no manually entered (static) entries in the hosts file for your domain or domain controller names. If there are any such entries, delete them.
get-content C:\Windows\System32\Drivers\etc\hosts
Then clear the DNS resolver cache on the computer:
ipconfig /flushdns
Check that you can ping the DC by its IP address:
ping 192.168.158.100
If the destination IP is unreachable, check that the computer’s IP address belongs to your AD network:
- If the computer obtains network configuration from a DHCP server, try to renew the IP settings with the commands ipconfig /release and ipconfig /renew;
- If you have a static IP address, contact your network administrator to check your current configuration.
After configuring the client’s network settings correctly, make sure you are able to resolve the AD name.
Resolve-DnsName theitbros.loc
Ping the domain:
ping theitbros.loc
And discover the AD services in the domain (according to the Active Directory Sites and Services configuration):
nltest /dsgetdc:theitbros.loc
In some cases, firewalls can block the communication ports between the client computer and the DC. To successfully join the Active Directory domain, the following network ports must be opened in the firewall.
- UDP 53 — DNS traffic;
- TCP and UDP 88 — Kerberos authentication;
- UDP 123 — Windows time synchronization with the domain controller;
- TCP 135 — Remote Procedure Call RPC Locator;
- TCP and UDP 139 — NetBIOS Session Service;
- TCP and UDP 389 (LDAP, DC Locator, Net Logon) or TCP 636 (LDAP over SSL);
- TCP 445 — SMB/CIFS, Net Logon;
- TCP 49152-65535 — RPC ports, randomly allocated high TCP ports.
You can use PowerShell to check for open ports. For example, check whether DNS service port 53 is open:
Test-Netconnection 192.168.1.11 -port 53
TcpTestSucceeded: True
Hint. Another helpful guide that can help you troubleshoot DC connectivity over RPC is “1722 The RPC server is unavailable”.
Check for Service DNS Records in Active Directory
If the previous checks haven’t resolved the connection error to the domain controller, and similar issues persist on other devices, it’s crucial to inspect the DNS configuration in Active Directory.
Clients discover the AD controllers using the special SRV records in the Active Directory DNS zone. If such SRV records are missing, the client will not be able to contact the DC.
Run the following commands to query the LDAP SRV record:
nslookup
set type=all
_ldap._tcp.dc._msdcs.your_domain_name.com
Check that the specified DNS server has an SRV record of the following form:
_ldap._tcp.dc._msdcs.your_domain_name.com SRV service location:
Clients use the following two DNS records (SRV and A) to discover the domain controller’s IP address:
- _ldap._tcp.dc._msdcs.your_domain_name.com — an SRV resource record that points to the domain controller;
- An A resource record that identifies the IP address of the DC listed in the _ldap._tcp.dc._msdcs.your_domain_name.com SRV resource record.
You can recreate the DNS records manually using the DNS manager snap-in (dnsmgmt.msc) or run the following commands on the DC to recreate the SRV and A records automatically:
net stop netlogon && net start netlogon
ipconfig /registerdns
Wait a while for the records to appear in DNS and replicate across the domain.
Then check the AD health using the dcdiag command:
dcdiag /a /q
Resolve any AD errors you’ve found. After that, you can try to join the Windows workstation to the domain.
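The client-side checks described above (hosts file, DNS servers, the _ldap._tcp.dc._msdcs SRV lookup and the firewall ports) can be combined into one pre-join check. This is an added example, not part of the original article; the function name Test-DomainJoinReadiness and its default TCP port list are assumptions chosen for illustration, and because Test-NetConnection probes TCP only, the UDP ports from the list are not tested.

```powershell
# Added example, not from the article. Run on the client before joining.
function Test-DomainJoinReadiness {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # TCP ports taken from the article's list. Test-NetConnection probes
        # TCP only, so UDP 53/88/123/389 are not covered here.
        [int[]] $TcpPorts = @(53, 88, 135, 389, 445, 636)
    )

    # 1. Static hosts entries for the domain would override DNS answers.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hostsPath |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match [regex]::Escape($Domain) } |
        ForEach-Object { Write-Warning "hosts file entry overrides DNS: $_" }

    # 2. Look up the DC locator SRV record through the configured DNS servers.
    $query = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $answer = Resolve-DnsName -Name $query -Type SRV -ErrorAction Stop
    } catch {
        $dns = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses
        Write-Warning "SRV lookup for $query failed: $($_.Exception.Message)"
        Write-Warning "DNS servers in use: $($dns -join ', ')"
        return
    }

    # 3. For every DC named in an SRV record, confirm its A record and ports.
    foreach ($srv in $answer | Where-Object { $_.Type -eq 'SRV' }) {
        $dc = $srv.NameTarget
        $a  = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' }
        foreach ($port in $TcpPorts) {
            $probe = Test-NetConnection -ComputerName $dc -Port $port `
                     -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC      = $dc
                Address = $a.IPAddress -join ','
                Port    = $port
                TcpOpen = $probe.TcpTestSucceeded
            }
        }
    }
}

# theitbros.loc is the article's sample domain; substitute your own.
Test-DomainJoinReadiness -Domain 'theitbros.loc' | Format-Table -AutoSize
```

An empty Address column means the SRV record points to a DC name that has no A record, which is the second of the two records the client needs.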
What does the error “An Active Directory Domain Controller could not be contacted” mean?
This error indicates that a Windows computer cannot connect to the domain controller (DC). It usually happens due to incorrect DNS or IP settings, firewall restrictions, or domain controller failures.
What are the most common error codes when joining a domain?
Common errors include:
- 0x0000232B — DNS name does not exist
- 0x0000267C — No DNS server configured
- 0x00002746 — Connection reset by remote host
- 0x000005B4 — DNS servers not responding (timeout)
What DNS settings are required to join a domain?
The client must use the domain controller’s IP address as its preferred DNS server. Public DNS servers like 8.8.8.8 should not be used for domain resolution.
How do I check if ports are open to the DC?
Use PowerShell, for example:
Test-NetConnection <DC_IP> -Port 53
What if DNS SRV records are missing for the domain?
Active Directory clients use SRV records to locate DCs. If they’re missing, recreate them by running these commands on the DC:
net stop netlogon && net start netlogon
ipconfig /registerdns