Every IT admin managing machines in an Active Directory environment has been there. You try to add a computer to an Active Directory (AD) domain and get the dreaded “An Active Directory Domain Controller Could not be Contacted” error. In this article, learn the steps to diagnose (and solve) this problem for good.
This error is DNS-related. The main problem is that the computer has failed to find an appropriate SRV DNS record it needs to join the AD domain.
I’ve put together a few steps for you to follow to fix this error and get your computer joined to your domain.
Ensure You’re Using the Right DNS Servers
Before you get too far down a rabbit hole, first ensure you’re using the right DNS servers in the first place.
Active Directory and DNS have a special relationship. Domain controllers register specific records in the DNS servers they know about. These live under the _msdcs.<domainname> zone (for example _ldap._tcp.dc._msdcs.<domainname>) and help AD-joined devices find resources such as domain controllers. These SRV records won’t exist in DNS servers that aren’t AD-integrated.
To resolve this issue, you need to be using either:
- An AD-integrated DNS server
- A DNS server that replicates records from an AD aware DNS server
- A DNS server that has forwarding set up to query either an AD-integrated DNS server or a DNS server with replicated records
To check that the DNS server you are using is one of the above, run the following command in a PowerShell session on an existing domain-joined computer:
```powershell
PS C:\> Get-DnsClientServerAddress

InterfaceAlias              Interface Address ServerAddresses
                            Index     Family
--------------              --------- ------- ---------------
Ethernet                            9 IPv4    {10.0.0.101}
Ethernet                            9 IPv6    {}
Loopback Pseudo-Interface 1         1 IPv4    {}
Loopback Pseudo-Interface 1         1 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}
```
The values in the ServerAddresses column are the DNS servers being used by that computer. If you don’t have another domain client to check, you will need to contact your network team for this information.
You can change the computer’s DNS client settings either with PowerShell’s Set-DnsClientServerAddress cmdlet or via the IPv4 Properties dialog box for the computer’s network card. The dialog box is reached by going to Control Panel -> Network and Internet -> Network Connections.
Once in the Network Connections window, right-click on the network card, choose Properties, choose Internet Protocol Version 4 (TCP/IPv4) and then click on Properties.
If the network uses Dynamic Host Configuration Protocol (DHCP), ensure the Obtain an IP address automatically and Obtain DNS server address automatically options are selected.
If your network doesn’t use DHCP then update the Preferred DNS server and Alternative DNS server values to the correct ones you obtained earlier.
Find the True Error
If you’ve confirmed your computer has the correct DNS servers then it’s time to jump in a little further.
When you attempt to join a computer to a domain, the error “An Active Directory Domain Controller Could not be Contacted” comes up but it’s not the “true” error message. You need to dive a little deeper.
You’ll notice in the error dialog a Details >> button. Click that. This will return more granular information allowing you to troubleshoot this error better.
You can select the contents of the text box to copy and paste into a text viewer, or you can find the same information in the C:\windows\debug\dcdiag.txt file on that machine. Windows creates this file when the error occurs.
The error text contains some key pieces of information. I’ve numbered each of them in the example below:
- The domain name the machine thinks you’ve asked it to join (1)
- The error code (2)
- The DNS query that was made (3)
- The DNS server(s) the machine queried (if any) (4)
```text
Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you have received this information, which has been recorded in the file C:\windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "carisbrookelabs.local" (1):

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR) (2)

The query was for the SRV record for _ldap._tcp.dc._msdcs.carisbrookelabs.local (3)

Common causes of this error include the following:

The DNS SRV records required to locate an AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when an AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

8.8.4.4
8.8.8.8 (4)

One or more of the following zones do not include delegation to its child zone:

carisbrookelabs.local
local
. (the root zone)
```
0x0000267C DNS_ERROR_NO_DNS_SERVER
This error indicates that no DNS server could be found to even attempt the query; it never got a chance. This is typically due to no network connectivity to the DNS server.
Note that you can join a computer without a network connection known as an offline domain join, but that is outside of the scope of this article.
Troubleshoot Your Network Connection
If you see this error message, you’ll need to start doing some network troubleshooting.
- Check that your network adapter is enabled and you can connect to other network resources.
- Check that you have an IP address and DNS servers configured.
You can check for an IP address and DNS servers by running ipconfig /all.
If you have an IP address and can reach other network resources, you’ll need to test your connection between the computer and the DNS server.
To do so, you can use ping and PowerShell’s Test-Connection cmdlet. Test connectivity to the DNS server(s) using either of these two utilities. If Internet Control Message Protocol (ICMP) traffic is allowed on the network, you should get a response. If there’s an error or time-out, you most likely have some sort of networking issue, such as routing. Talk to your networking team to resolve the issue, then try the join again.
Check DNS connectivity
If you’ve confirmed your network connection is working, you’ll next need to ensure your computer can connect via TCP/53 to the DNS server.
Try using the Resolve-DNSName PowerShell cmdlet with the FQDN of the domain you are trying to join. This should return one or more DNS server records:

```powershell
PS C:\> Resolve-DNSName carisbrookelabs.local

Name                    Type TTL  Section IPAddress
----                    ---- ---  ------- ---------
carisbrookelabs.local   A    600  Answer  10.0.0.103
carisbrookelabs.local   A    600  Answer  10.0.0.102
carisbrookelabs.local   A    600  Answer  10.0.0.101
```
If you get an error, then it is worth checking that there’s nothing blocking IP traffic on port 53 (the port used for DNS traffic) between your machine and the DNS servers.
You can do a simple check for connectivity on port 53 using the Test-NetConnection cmdlet (not to be confused with the Test-Connection cmdlet). The -InformationLevel Quiet switch makes it return a plain True or False instead of a result object:

```powershell
PS C:\> Test-NetConnection -Port 53 -ComputerName <DNSSERVERHERE> -InformationLevel Quiet
True
```
You will get a response of True if the connection succeeds, or False if it fails. A failure could be due to a network or host-based firewall on the DNS server.
0x0000232B RCODE_NAME_ERROR
This error means the computer reached a DNS server, but that server answered that the SRV record’s name does not exist. This error requires a little more troubleshooting.
Ensure You’re Using the Domain FQDN
It seems simple, but verify that the name you typed matches the fully qualified domain name (FQDN) of the domain you are trying to join. This should only be a domain name, not a server name. For example, use carisbrookelabs.local and not WIN-3467RQTHJH5.carisbrookelabs.local.
If there’s any doubt, check the domain name of an existing domain client. You can find the appropriate domain name by running this PowerShell command on an existing domain client.
```powershell
PS51> (Get-CimInstance Win32_ComputerSystem).Domain
carisbrookelabs.local
```
If you enter the NetBIOS name (contoso) instead of the FQDN (contoso.local), the computer might still find the domain, but Windows treats whatever you typed as an FQDN anyway.
If you type a NetBIOS name and don’t have a WINS infrastructure in place, you will get the error we’re trying to fix. Always use an FQDN rather than a NetBIOS name.
Check DNS records
For this step you are going to use Resolve-DNSName again, this time with the exact DNS record that was not retrieved when you tried to join your machine to the domain. Copy and paste it from the dcdiag.txt file mentioned in the introduction, or from the copy of the error text you took earlier. This will avoid any typos with underscores and dashes.
Your command should look something like this. Pass -Type SRV: without it, Resolve-DNSName asks for A and AAAA records, which an SRV name never has, so the answer would tell you nothing about the SRV record.

```powershell
PS C:\> Resolve-DNSName -Type SRV _ldap._tcp.dc._msdcs.carisbrookelabs.local

Name                         Type TTL  Section   PrimaryServer                         NameAdministrator                SerialNumber
----                         ---- ---  -------   -------------                         -----------------                ------------
_msdcs.carisbrookelabs.local SOA  3600 Authority WIN-3467RQTHJH5.carisbrookelabs.local hostmaster.carisbrookelabs.local 419
```
If the response to this command is DNS name does not exist, or only the zone’s SOA record in the Authority section with no SRV record in the Answer section (a negative answer, as in the output above), then your issue is with DNS.
- Ensure you’re using the correct DNS server
- Ensure the relevant records have not been deleted
If you get a positive response to Resolve-DNSName _msdcs.<domainname> but DNS name does not exist from Resolve-DNSName -Type SRV _ldap._tcp.dc._msdcs.<domainname>, then the records are missing.
Re-register your domain controller’s DNS records by running ipconfig /registerdns on each DC. It may take a few minutes for the records to appear.
Once you can confirm the presence of the required DNS record(s) using Resolve-DNSName, you should be good to go.
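To tie the steps above together, here is an added PowerShell script (not from the original article) that runs the same checks in order for one domain: the DNS servers the client actually uses, TCP/53 reachability to each of them, and the DC locator SRV record, mapping each failure to the error code the dcdiag.txt text would report. It assumes an elevated session on the machine that fails to join; the domain name corp.example.com is a placeholder.

```powershell
# Added example, not from the original article: runs the article's checks in
# order for one domain and says which of the two error codes to expect.
# Assumes an elevated PowerShell session on the machine that fails to join;
# $DomainName is a placeholder, replace it with the FQDN you intend to join.
$DomainName = 'corp.example.com'
$srvName    = "_ldap._tcp.dc._msdcs.$DomainName"

# 1. DNS servers the client is really using (IPv4 interfaces only)
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
if (-not $dnsServers) {
    Write-Warning 'No DNS servers configured: expect 0x0000267C DNS_ERROR_NO_DNS_SERVER.'
    return
}
"DNS servers in use: $($dnsServers -join ', ')"

# 2. TCP/53 reachability (ICMP may be filtered, so do not rely on ping alone)
$reachable = @()
foreach ($s in $dnsServers) {
    if (Test-NetConnection -ComputerName $s -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue) {
        $reachable += $s
    } else {
        Write-Warning "$s is not reachable on TCP/53 (routing or firewall problem)."
    }
}
if (-not $reachable) {
    Write-Warning 'No DNS server reachable: expect 0x0000267C DNS_ERROR_NO_DNS_SERVER.'
    return
}

# 3. Ask each reachable server for the DC locator SRV record.
#    -Type SRV matters: without it Resolve-DnsName asks for A/AAAA records,
#    which an SRV name never has, so the answer would tell you nothing.
foreach ($s in $reachable) {
    try {
        $dc = Resolve-DnsName -Name $srvName -Type SRV -Server $s -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
        if ($dc) {
            "$s returned $(@($dc).Count) DC record(s): $(@($dc).NameTarget -join ', ')"
        } else {
            # Name exists but carries no SRV data: records deleted or never registered
            Write-Warning "$s answered for $srvName but returned no SRV records."
        }
    } catch {
        # 'DNS name does not exist' is 0x0000232B RCODE_NAME_ERROR: this server is
        # not AD-integrated, does not forward to one, or the records are missing.
        Write-Warning "${s}: $($_.Exception.Message)"
    }
}
```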
Summary
In this article, you’ve learned some steps to try when troubleshooting the error “An Active Directory Domain Controller Could not be Contacted”. It’s impossible to cover every single scenario in an article like this, but I hope the process works for you and gets you on the right path!