Error Description
When trying to join a new Windows workstation or server to an Active Directory (AD) domain, sometimes the following error occurs: “An Active Directory Domain Controller (AD DC) for the domain ‘domainname’ could not be contacted.”
This can happen for several reasons, ranging from a simple incorrect DNS server IP address to a much more complex issue. In this guide, we will look at the steps needed to troubleshoot this problem, from the simplest to the most complex.
When the Error Occurs
The error can be displayed when you attempt to join a workstation or server to a domain. Here are the steps that lead up to the error:
- Right-click on the Start button and select System:
- On the next screen, choose System Info and then click Change settings:
- In the System Properties window, click the Change button
- Enter the name of the new computer and specify which domain you want to join it to, being sure to enter the FQDN (fully qualified domain name) of the domain.
- Click OK. This is when the error might be displayed:
Initial Troubleshooting Steps
- The first thing to check is that the domain name has been typed correctly
- If that’s not the problem, click Details to get information about the error
The following sections explain the steps needed to take to get to the root of the problem. In most cases, the issue is related to one of the following: incorrect DNS settings or a wrong IP address on your system, DNS misconfiguration on the domain controller (DC) side, or ports that are blocked on the firewall.
If you do not know the root of the problem, then proceed through these troubleshooting options in order. However, if you have an idea of what the problem might be then, proceed directly to the step that you think is likely to solve the problem.
Verify that the IP Settings are Correct
Make sure that the network interface of your computer has the right IP address. The IP address can be explicitly defined in the network adapter settings or can be obtained from a DHCP server. To get the computer’s current network settings, use the command:
ipconfig /all
Make sure the DNS Client Service is Running
Next, check whether the DNS client service is up and running using the command:
Get-Service dnscache
Check the Host File for Domain Entries
- Make sure that there are no entries for your domain or domain controller names in the hosts file located at C:\Windows\System32\Drivers\etc\hosts on the PC. Open the file with Notepad or any other text editor. If there are any entries for your domain or DC names, delete them.
- To view the contents of the hosts file on the PC, use this command:
get-content C:\Windows\System32\Drivers\etc\hosts
Restart the DNS Cache Service
- Open an elevated command prompt and clear the DNS cache using this command:
ipconfig /flushdns
- Then stop and restart the dnscache service using this command:
net stop dnscache && net start dnscache - Alternatively, you can use the Service.msc console. Right-click on DNS Client to open its properties dialog:
- Click use the Stop and Start buttons to stop and restart the service
Check whether the DC is Reachable from the Client
- To determine whether the domain controller is reachable from the client, first run the following commands from a command prompt:
ping your_domain_name.com
- Then run this command:
tracert your_domain_name.com
- You should also check the availability of the DC from another workstation on the same network. If your client cannot access the DC but other clients can, there could be a problem with your client’s cable or hardware, or with a device in the middle. To narrow down the problem, try a different network jack or go wireless.
Check the DC’s Accessibility using PowerShell
Alternatively, you can use the following PowerShell cmdlets to check the connectivity to the DC.
- To display the IP address:
Get-NetIPConfiguration –All
- To ping the DC:
Test-NetConnection domainname
- To trace the routes to the DC:
Test-NetConnection –TraceRoute domainname
Add the DNS server to the TCP/IP settings of your Network Adapter
If the domain controller can be reached, try adding the IP address of your DNS server to your network adapter’s Advanced TCP/IP settings.
- Open Control Panel, click Network and Sharing Center, and then click Change adapter settings:
- Right-click on the network adapter and select Properties.
- Right-click on Internet Protocol Version 4 (TCP/IPv4) and choose Properties.
- Click the Advanced button and go to the DNS tab.
- On the DNS tab, click the Add button, provide the IP address of your DNS server and click OK. (Note that the DNS server might be a DC, especially if it’s a small organization.)
- If multiple IP addresses are listed, use the arrow buttons to move your preferred one to the top of the list. Then click OK.
- Click OK again to save your changes.
- Restart the workstation or server so the changes will take effect, and try again to join the workstation or server to the Active Directory domain.
Check whether you’re using the Right DNS Servers
Before you go any further, double-check that you are using the correct DNS servers. Specifically, the DNS servers that DCs are aware of are used to register records that help AD-connected devices locate resources like DCs. DNS servers that are not AD-integrated do not have these records.
Also, make sure you are using one of the following:
- A DNS server with Active Directory integration
- A DNS server that replicates records from another DNS server that is aware of Active Directory
- A DNS server configured to query either an AD-integrated DNS server or a DNS server with duplicated records via forwarding
To check that your DNS server is one of these, use the PowerShell cmdlet shown below in a PowerShell session on a domain-joined PC.
Note: if you don’t have another domain client to use, you will need to contact your network staff
Get-DnsClientServerAddress
The DNS servers used by the computer running the cmdlet are listed in the ServerAddesses column.
Option 1: Update the Computer’s DNS Client Settings
If you need to update the computer’s DNS client settings, you can use the following cmdlet:
Set-DnsClientServerAddress
Alternatively, you can use the IPv4 Properties dialog box for the computer’s network card:
Go to Control Panel, Network, Internet, Network Connections. Then right-click on the network card, select Properties and then Internet Protocol Version 4 (TCP/IPv4), and then Properties. Review the settings:
If the network supports Dynamic Host Configuration Protocol (DHCP), ensure that both the Obtain an IP address automatically and Obtain DNS server address automatically boxes are checked.
If your network does not use DHCP, change the values for Preferred DNS server and Alternative DNS server to the ones you found previously (when you ran the Set-DnsClientServerAddress cmdlet).
Option 2: Connect to the Domain through Windows Settings
Another option is to connect to the domain through Windows Settings:
- Press the Windows + I keys on your keyboard to open the Window Settings window
- Click Accounts
- In the left menu, click Access work or school. Then click Connect
- At the bottom of the Microsoft account window, click Join this device to a local Active Directory domain
- Provide a valid, contactable domain name and click Next
- Then, provide a domain account to use for joining this workstation to a domain. This account must have the permissions to join a workstation to a domain. Click OK
- If you do not get an error, your workstation is now joined with the domain. On the next screen, provide a user account for this PC and then click Next
- Click Restart so your changes will take effect
Check whether a Firewall is blocking port 53 on the DC
- Check whether the DNS service on the DC is being blocked by a firewall. To see whether port 53 is available on the DC, use this cmdlet:
test-netconnection 172.168.5.160 -port 53 - Check the value of “TcpTestSucceeded”. A value of “True” as shown below indicates that the DNS service on the DC is operational.
Check whether your Computer can resolve the Domain Name of the DC
- Next, check whether the workstation can accurately resolve the domain name to the DC’s IP address. Use the fully qualified domain name of the domain to which you are trying to join your workstation with the Resolve-DNSName cmdlet, as shown here:
Resolve-DNSName fabrikam.local
This command should return one or more DNS server records.
Check whether the Workstation can Contact the DNS server that hosts the DNS zone
Next, check whether:
- The computer can communicate with the DNS server that hosts the DNS zone or resolves DNS names for the domain.
- The DNS server for the client is configured correctly and that it is connected to it.
- You can find a domain and connect to the DC from your computer.
- To get the domain and DC information, along with the IP address, use the following cmdlet:
nltest /dsgetdc:fabrikam.local
If the command completes successfully, it will return information similar to the following:
DC: \\FRGC1.fabrikam.local
Address: \\10.20.6.41
Dom Guid: c64586c9-2c18-4fc4-9fe1-18f2a262d90d
Dom Name: fabrikam.local
Forest Name: fabrikam.local
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10
The command completed successfully
Restart the Netlogon Service on the Domain Controller
- Restart the Netlogon service on the DC using this command:
net stop netlogon && net start netlogon - Alternatively, simply reboot the DC.
- When the server restarts, it will try to register the necessary SRV records on the DNS server.
Re-register the DC’s DNS records
- Re-register the DC’s DNS records by running this command:
ipconfig /registerdns - Wait for the records to arrive in the DNS and for them to propagate across the domain.
How Lepide can help with Active Directory Auditing
Active Directory auditing tool from Lepide enables you to easily audit, monitor and set alerts for everything that is happening to your Active Directory, all from a single platform. It provides all the critical information you need in a way that’s readable, understandable, and actionable.