Table Of Contents
- General Error description
- Basic steps to investigate the issue
- Verify that the IP Settings are Correct
- Make sure the DNS Client Service is Running
- Check the Host File for Domain Entries
- Restart DNS Cache Service
- Verify that the DC is Reachable from the Client
- Verify the Domain Controller’s Accessibility using PowerShell
- Append the IP Address as DNS Servers in the TCP/IP Settings
- Make Sure you are using the Right DNS Servers
- Connect to the Domain through Settings
- Check If Firewall Is Not Blocking Port 53 on the DC
- Verify if your Computer can Resolve the Domain Name of the DC
- Verify Workstation can Contact the DNS Server that hosts the DNS Zone
- Restart the Netlogon Service on the Domain Controller
- Re-Register Domain Controller DNS Records
General Error description
Several times, when trying to join a new Windows workstation or server to a domain, I have run into the error “An Active Directory Domain Controller (AD DC) for the domain “example.com” could not be contacted.” The cause ranges from something as simple as a wrong DNS server IP address on the client to DNS or firewall problems on the domain controller side that take more digging. This post walks through the troubleshooting steps from basic to advanced.
To join a workstation or server to a domain, follow the steps below.
- Open System Properties: right-click the Start button, choose System, then open the advanced system settings.
- On the System Properties window, click Change settings > Change.
- Enter a new computer name if required, select Domain under “Member of”, and type the FQDN (fully qualified domain name) of your AD (Active Directory) domain. After pressing OK you may see the error “An Active Directory Domain Controller (AD DC) for the domain could not be contacted”, followed by two hints:
- “Ensure that the domain name is typed correctly.”
- “Click Details for troubleshooting information.”
Click the Details button for more information about the error. In most cases the detail will be “DNS name does not exist”, which points straight at name resolution.
Verify that the IP Settings are Correct
In most cases this problem comes down to one of three things: wrong IP or DNS settings on the client, DNS misconfiguration on the domain controller side, or a firewall blocking the ports the client needs to reach on the DC.
Start by making sure that the network interface of your computer has the right IP address. The address can be set explicitly in the network adapter settings or obtained from a DHCP server. The following command shows the computer’s current network settings, including the DNS servers in use:
ipconfig /all
Make sure the DNS Client Service is Running
Using the Get-Service cmdlet, verify that the DNS Client service (service name Dnscache) is running; without it the computer cannot resolve names at all:
Get-Service dnscache
Check the Host File for Domain Entries
Make sure there are no entries for your domain or domain controller names in the hosts file at C:\Windows\System32\Drivers\etc\hosts. An entry there overrides DNS, so a stale or wrong address for the domain name or a DC will break the join even when DNS is correct. Open the file in Notepad or another text editor and delete any such entries.
The following command shows the contents of the hosts file:
get-content C:\Windows\System32\Drivers\etc\hosts
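The three client-side checks above (IP settings, DNS Client service, hosts file) in one script, as an added example that is not part of the original post. The domain name fabrikam.local is a placeholder; the hosts file parser returns only lines whose host names fall under that domain, ignoring comments and blank lines.

```powershell
# Added example (not from the original post): client-side pre-checks before a domain join.
# The domain name is a placeholder; change it to the domain you are joining.
$Domain = 'fabrikam.local'

# 1. IP settings of every adapter that is up: address, whether it came from DHCP
#    or was set by hand, gateway and IPv4 DNS servers (AddressFamily 2 = IPv4)
Get-NetIPConfiguration |
    Where-Object { $_.NetAdapter.Status -eq 'Up' } |
    ForEach-Object {
        [pscustomobject]@{
            Adapter    = $_.InterfaceAlias
            IPv4       = ($_.IPv4Address.IPAddress -join ', ')
            Origin     = ($_.IPv4Address.PrefixOrigin -join ', ')   # Dhcp or Manual
            Gateway    = $_.IPv4DefaultGateway.NextHop
            DnsServers = (($_.DNSServer | Where-Object AddressFamily -eq 2).ServerAddresses -join ', ')
        }
    } | Format-Table -AutoSize

# 2. The DNS Client service must be running; start it if it is not
$svc = Get-Service -Name Dnscache
if ($svc.Status -ne 'Running') {
    Write-Warning "DNS Client service is $($svc.Status); starting it"
    Start-Service -Name Dnscache
}

# 3. hosts file entries that would override DNS for the domain or its DCs
function Get-HostsOverride {
    param([string]$Domain,
          [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'))
    # matches the domain itself and any host name ending in .<domain>
    $suffix = '(^|\.)' + [regex]::Escape($Domain) + '$'
    Get-Content -Path $Path | ForEach-Object {
        $entry = ($_ -split '#', 2)[0].Trim()        # strip trailing comments
        if (-not $entry) { return }                   # blank or comment-only line
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { return }           # malformed line with no host names
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name -match $suffix) {
                [pscustomobject]@{ Address = $fields[0]; Name = $name; Line = $_ }
            }
        }
    }
}

$overrides = Get-HostsOverride -Domain $Domain
if ($overrides) {
    Write-Warning "The hosts file pins names in $Domain; remove these lines before retrying the join:"
    $overrides | Format-Table -AutoSize
} else {
    "No hosts file entries for $Domain"
}
```

Run it in an elevated PowerShell session so that Start-Service is allowed; the hosts file itself is readable without elevation.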
Restart DNS Cache Service
Open an elevated command prompt and run the following command to clear the DNS resolver cache, which removes any cached negative answer for the domain name:
ipconfig /flushdns
The following command stops and restarts the DNS Client service on the client computer:
net stop dnscache && net start dnscache
Note that on recent Windows 10 and Windows 11 builds the DNS Client service cannot be stopped, so this command may fail; in that case ipconfig /flushdns or a reboot is the way to clear the cache.
You can also open the Services.msc console, locate the “DNS Client” service, right-click it and open its properties, then stop and restart the service from the properties dialog where the system allows it.
Verify that the DC is Reachable from the Client
Next, determine whether the domain controller is reachable from the client. Run the following commands from a command prompt:
ping your_domain_name.com
And:
tracert your_domain_name.com
Make sure your domain controller responds and is reachable. Keep in mind that both commands rely on ICMP, which firewalls often drop; a failed ping does not by itself prove the DC is down, but a successful one does prove the route works.
You should also verify the availability of the domain controller from another workstation on the same network.
If this client cannot reach the DC while other clients have no problem, the cause is likely the client’s cable or hardware, or a device in the path. To narrow it down, try a different network jack or switch to wireless.
Verify the Domain Controller’s Accessibility using PowerShell
PowerShell can also be used to verify connectivity to the domain controller with the following cmdlets.
To display the IP configuration:
Get-NetIPConfiguration -All
To ping the DC:
Test-NetConnection domainname
To trace the route to the DC:
Test-NetConnection -TraceRoute domainname
Append the IP Address as DNS Servers in the TCP/IP Settings
If the domain controller can be reached, try adding its IP address to your network connection’s Advanced TCP/IP settings as a DNS server.
- Open Control Panel, click Network and Sharing Center, then click Change adapter settings.
- Right-click the network adapter and select Properties.
- Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
- Click the “Advanced” button and open the DNS tab.
- On the DNS tab, click Add and enter the IP address of your DNS server. In most small organizations the DNS role is installed on the domain controllers, so this is usually a DC address.
- Click OK. If more than one IP address is listed, move your preferred DNS server to the top of the list.
- Click OK on the Internet Protocol Version 4 dialog and again on the adapter properties to save the changes, then restart the workstation or server for the changes to take effect.
- Now try again to join the workstation or server to the Active Directory domain.
Make Sure you are using the Right DNS Servers
Before you go too deep down the rabbit hole, double-check that you are using the correct DNS servers.
DNS and Active Directory have a close relationship. Each domain controller registers service (SRV) records on the DNS server it is configured to use. These records live under _ldap._tcp.dc._msdcs.<domainname> (and related names) and are what AD clients use to locate domain controllers. A DNS server that does not host that zone, or does not replicate it or forward to a server that does (a public resolver or an ISP’s DNS server, for example), will not return these SRV records, and the join fails with exactly this error.
To overcome this problem, you should use either:
- A DNS server with Active Directory integration
- A DNS server which replicates records from another DNS server that is aware of Active Directory.
- A DNS server configured to query an AD-integrated DNS server or a DNS server with duplicated records via forwarding.
Run the following cmdlet in a PowerShell session on an existing domain-joined PC to find out which DNS servers it uses, so you can verify that the server you are using is one of the above.
Get-DnsClientServerAddress
The DNS servers used by that computer are listed in the ServerAddresses column of the output. If you do not have another domain client to check, ask your network staff.
To update the computer’s DNS client settings, use the Set-DnsClientServerAddress cmdlet or the IPv4 Properties dialog of the computer’s network card. To reach it, go to Control Panel > Network and Internet > Network Connections.
Right-click the network card in the Network Connections window, select Properties, select Internet Protocol Version 4 (TCP/IPv4), and click Properties.
If the network uses Dynamic Host Configuration Protocol (DHCP), make sure Obtain an IP address automatically and Obtain DNS server address automatically are selected, and check that the DHCP scope hands out the domain’s DNS servers.
If your network does not use DHCP, set Preferred DNS server and Alternate DNS server to the addresses you found previously.
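The check described in this section and the previous one, as an added example that is not part of the original post: query every DNS server the client is configured with for the DC locator SRV record, report which ones are AD-aware, and only then repoint the adapter with Set-DnsClientServerAddress. The domain fabrikam.local, the interface alias Ethernet and the addresses 10.20.6.41 and 10.20.6.42 are placeholders.

```powershell
# Added example (not from the original post). Placeholders: the domain name, the
# interface alias and the DNS server addresses used as the fix.
$Domain           = 'fabrikam.local'
$Interface        = 'Ethernet'
$DomainDnsServers = @('10.20.6.41', '10.20.6.42')   # the DCs / AD-integrated DNS servers
$Locator          = "_ldap._tcp.dc._msdcs.$Domain"  # record every AD client looks up to find a DC

function Test-AdDnsServer {
    # Asks one DNS server directly for the DC locator SRV record, bypassing the local cache.
    param([string]$Server, [string]$SrvName)
    try {
        $srv = Resolve-DnsName -Name $SrvName -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }   # drop the A records returned in the additional section
        [pscustomobject]@{
            Server  = $Server
            AdAware = [bool]$srv
            DCs     = (($srv.NameTarget | Sort-Object -Unique) -join ', ')
            Error   = $null
        }
    } catch {
        # NXDOMAIN, SERVFAIL or a timeout all mean this server cannot find the domain
        [pscustomobject]@{ Server = $Server; AdAware = $false; DCs = ''; Error = $_.Exception.Message }
    }
}

# Unique IPv4 DNS servers configured across all interfaces
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
           ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique

$results = foreach ($s in $servers) { Test-AdDnsServer -Server $s -SrvName $Locator }
$results | Format-Table -AutoSize

if (-not ($results | Where-Object { $_.AdAware })) {
    Write-Warning "None of the configured DNS servers ($($servers -join ', ')) knows about $Domain."
    # Statically point the adapter at the domain's DNS servers and re-test the first one.
    # On a DHCP network fix the scope instead and run:
    #   Set-DnsClientServerAddress -InterfaceAlias $Interface -ResetServerAddresses
    Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $DomainDnsServers
    Test-AdDnsServer -Server $DomainDnsServers[0] -SrvName $Locator | Format-List
}
```

A server that answers with an error such as “DNS name does not exist” is reachable but not AD-aware; a timeout means the server is unreachable, which points at the firewall checks further down.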
Connect to the Domain through Settings
Connecting to the domain through Windows Settings is another option for resolving the issue.
- Press the Windows and I keys together to open the Settings window.
- In the Settings window, click “Accounts” to open the account settings.
- When the Accounts settings page appears, select “Access work or school” on the left side.
- Click “Connect” to start joining the workstation to the domain.
- At the bottom of the account setup window, click “Join this device to a local Active Directory domain”.
- Provide a valid contactable domain name, as shown below, and click Next.
- Next, provide a domain account to use for joining this workstation to a domain. This account must have the permissions to join a workstation to a domain. Click OK.
- If you do not get any error and proceed to the next screen, it means that your workstation is joined with the domain. Provide the info of a domain account for this PC. Click Next.
- You will be presented with the Restart option. It also gives you the option to restart later, but you should restart the workstation for the changes to take effect.
Check If Firewall Is Not Blocking Port 53 on the DC
Check whether a firewall is blocking the DNS service on the domain controller. PowerShell is the quickest way to test whether port 53 on the DC accepts connections:
test-netconnection 172.168.5.160 -port 53
TcpTestSucceeded: True in our example indicates that the DNS service on the DC is listening. Note that Test-NetConnection only tests TCP; most DNS queries travel over UDP port 53, so a firewall rule must allow both, and a real query against the DC (for example with Resolve-DnsName -Server) is the only way to confirm the UDP path.
Verify if your Computer can Resolve the Domain Name of the DC
Also check that the workstation can resolve the domain name to the correct IP address of a domain controller. Use the fully qualified domain name of the domain you are trying to join with the Resolve-DnsName cmdlet:
Resolve-DNSName fabrikam.local
This should return one or more A records, one per domain controller, because in Active Directory the domain name itself resolves to the addresses of the DCs.
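The connectivity checks from the PowerShell, firewall and name resolution sections combined, as an added example that is not part of the original post. It resolves the domain to its DC addresses and then tests every TCP port a domain join needs rather than only port 53, plus a real UDP DNS query against each DC; the domain name fabrikam.local is a placeholder and the port list is my own, taken from the services a join uses (DNS, Kerberos, RPC, LDAP, SMB, LDAPS, Global Catalog).

```powershell
# Added example (not from the original post). The domain name is a placeholder.
$Domain = 'fabrikam.local'

# TCP ports a client must reach on a DC to join. RPC also needs the dynamic
# range (49152-65535 by default), which this script does not probe.
$JoinPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL/Netlogon)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

function Test-DcPorts {
    # One result object per port for a single DC address
    param([string]$Address)
    foreach ($port in ($JoinPorts.Keys | Sort-Object)) {
        $tcp = Test-NetConnection -ComputerName $Address -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $Address; Port = "$port/tcp"; Service = $JoinPorts[$port]; Open = $tcp.TcpTestSucceeded }
    }
    # Test-NetConnection only speaks TCP; DNS normally answers over UDP, so send a real query too
    $udp = try { [bool](Resolve-DnsName -Name $Domain -Type A -Server $Address -DnsOnly -ErrorAction Stop) }
           catch { $false }
    [pscustomobject]@{ DC = $Address; Port = '53/udp'; Service = 'DNS query'; Open = $udp }
}

# The domain name itself resolves to the A records of the DCs (one per DC)
$dcAddresses = Resolve-DnsName -Name $Domain -Type A -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
if (-not $dcAddresses) { throw "$Domain does not resolve to any DC address; fix DNS first." }

$report = foreach ($ip in $dcAddresses) { Test-DcPorts -Address $ip }
$report | Format-Table -AutoSize

$blocked = $report | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning "Blocked: $(($blocked | ForEach-Object { "$($_.DC):$($_.Port)" }) -join ', ')"
} else {
    "All join ports reachable on $($dcAddresses -join ', ')"
}
```

If every TCP port shows Open = False for one DC while another DC is fine, the problem is on the path to that DC (or its host firewall); if only 53/udp fails, the firewall allows TCP 53 but drops UDP, which is the case the Test-NetConnection check alone cannot see.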
Verify Workstation can Contact the DNS Server that hosts the DNS Zone
Make sure the computer can communicate with the DNS server that hosts the DNS zone for the domain, or that can resolve names in it. Check that the DNS server configured on this client is correct and reachable, then confirm that the DC locator can find the domain and a domain controller from your computer.
For example, use the following command to get the domain and domain controller information along with the DC’s IP address:
nltest /dsgetdc:fabrikam.local
If your workstation can locate the domain and a domain controller, the command returns information about the domain, the Active Directory site, and the services running on the domain controller:
DC: \\FRGC1.fabrikam.local
Address: \\10.20.6.41
Dom Guid: c64586c9-2c18-4fc4-9fe1-18f2a262d90d
Dom Name: fabrikam.local
Forest Name: fabrikam.local
Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10
The command completed successfully
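A small parser for the nltest /dsgetdc output shown above, as an added example that is not part of the original post. It turns the “Key: value” lines into an object, checks the Flags field for the capabilities a join needs (LDAP, KDC, WRITABLE), and then performs the join from PowerShell with Add-Computer instead of the dialogs. The domain name and the OU path are placeholders; the sample text fed to the parser is the output quoted above.

```powershell
# Added example (not from the original post). Placeholders: the domain name and the OU path.
$Domain = 'fabrikam.local'

function ConvertFrom-NltestDc {
    # Turns the "Key: value" lines printed by nltest /dsgetdc into one object.
    # Lines without a colon (e.g. "The command completed successfully") are ignored.
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin   { $h = [ordered]@{} }
    process {
        if ($Line -match '^\s*([^:]+?):\s*(.*)$') { $h[$matches[1].Trim()] = $matches[2].Trim() }
    }
    end {
        if ($h.Contains('Flags'))   { $h['Flags']   = @($h['Flags'] -split '\s+') }   # list of capabilities
        if ($h.Contains('DC'))      { $h['DC']      = $h['DC'].TrimStart('\') }       # \\FRGC1.fabrikam.local -> FRGC1.fabrikam.local
        if ($h.Contains('Address')) { $h['Address'] = $h['Address'].TrimStart('\') }
        [pscustomobject]$h
    }
}

# Constructed check: parse the output quoted in the post above
$sample = @'
           DC: \\FRGC1.fabrikam.local
      Address: \\10.20.6.41
     Dom Name: fabrikam.local
 Dc Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9 DS_10
The command completed successfully
'@
$sample -split '\r?\n' | ConvertFrom-NltestDc | Format-List

# Live run against the real domain
$out = & nltest "/dsgetdc:$Domain"
if ($LASTEXITCODE -ne 0) { throw "DC locator failed for ${Domain}: $($out -join ' ')" }
$dc = $out | ConvertFrom-NltestDc

# A join needs an LDAP server that is also a KDC, and the DC must be writable
$required = 'LDAP', 'KDC', 'WRITABLE'
$missing  = $required | Where-Object { $dc.Flags -notcontains $_ }
if ($missing) { throw "DC $($dc.DC) is missing required flags: $($missing -join ', ')" }
"Located $($dc.DC) ($($dc.Address)) in site $($dc.'Dc Site Name')"

# Join from PowerShell with an account allowed to add computers; -OUPath is optional
$cred = Get-Credential -Message "Account permitted to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -OUPath 'OU=Workstations,DC=fabrikam,DC=local' -Restart
```

If nltest reports status 1355 (ERROR_NO_SUCH_DOMAIN) the locator could not find any DC through DNS, which sends you back to the DNS server and SRV record checks above; if a DC is found but lacks WRITABLE you are being pointed at a read-only DC, which cannot create the computer account.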
Restart the Netlogon Service on the Domain Controller
Restart the Netlogon service on the domain controller with the following command:
net stop netlogon && net start netlogon
(or simply reboot the domain controller)
On startup, Netlogon re-registers the domain controller’s SRV records on the DNS server it is configured to use, which recreates the records clients need if they were missing or stale.
Re-Register Domain Controller DNS Records
You can also re-register the domain controller’s host records with the following command on the DC:
ipconfig /registerdns
This refreshes the DC’s A (and PTR) records; the SRV records are owned by Netlogon and are re-registered when that service restarts, as in the previous step. Wait for the records to appear in DNS and to replicate to the other DNS servers in the domain before retrying the join.
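The last two steps carried through on the domain controller, as an added example that is not part of the original post: re-register the host and SRV records, restart Netlogon, and then poll DNS until the records that clients use to locate this DC actually name it, since dynamic updates and replication are not instant. The domain name and site name are placeholders taken from the nltest output above; nltest /dsregdns is the built-in switch that asks Netlogon to re-register its records without a restart.

```powershell
# Added example (not from the original post). Run in an elevated session ON THE DC.
# Placeholders: the domain name and the AD site name.
$Domain = 'fabrikam.local'
$Site   = 'Default-First-Site-Name'
$DcFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName).ToLower()

# ipconfig /registerdns refreshes the host (A/PTR) records; the SRV records belong to
# Netlogon, so ask it to re-register them directly, then restart it for good measure.
ipconfig /registerdns | Out-Null
nltest /dsregdns | Out-Null
Restart-Service -Name Netlogon

# SRV names a client walks to find this DC for LDAP and Kerberos
$SrvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain"
    "_kerberos._tcp.dc._msdcs.$Domain"
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    "_kerberos._tcp.$Domain"
    "_ldap._tcp.$Domain"
)

function Get-UnregisteredSrv {
    # Returns the SRV names that do not (yet) contain a record pointing at this DC
    param([string[]]$Names, [string]$Target)
    foreach ($n in $Names) {
        $targets = Resolve-DnsName -Name $n -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' } |
                   ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
        if ($targets -notcontains $Target) { $n }
    }
}

# Poll for up to five minutes; clear the local cache each round so a cached
# negative answer from before the re-registration does not mask success
$deadline = (Get-Date).AddMinutes(5)
do {
    Clear-DnsClientCache
    $missing = @(Get-UnregisteredSrv -Names $SrvNames -Target $DcFqdn)
    if ($missing) { Start-Sleep -Seconds 15 }
} while ($missing -and (Get-Date) -lt $deadline)

if ($missing) { Write-Warning "Still not registered for ${DcFqdn}: $($missing -join ', ')" }
else { "All SRV records for $DcFqdn are present" }
```

If the generic records appear but the site-specific one never does, check that the DC is actually in the site you expect (the Dc Site Name line from nltest) and that the zone allows secure dynamic updates from the DC’s computer account.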
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.