Domain status error detected domain cannot be contacted

I have established a 2-way forest trust between the existing forest containing the View servers and everything, and a second forest which holds some of the users. However, it seems not to be working. In the logs I see the following error: [ws_winauth] OpenObject could not bind to ...

That's great, bro. OK, now we can look at the other problem (i.e. securing the cross-domain environment), but please mark this query as answered.

Usually, we require a user that must have cross-domain access, and in this case the only thing we may have is membership in a security group that holds the scope of Enterprise Admins or Enterprise Domain Admins (global level). For security purposes, we can encrypt its cross-forest communication by enabling AES authentication and using a complex password. But "Delegation of Authority" would be difficult and may result in a partial two-way trust once again.

Let me re-check it on my side and then I'll be able to answer it more confidently. But it is for sure that you have to compromise on the above settings; still, we can look for the more secure way mentioned earlier in the case of password complexity and AES encryption (the default behaviour; you can find it to enable in the user's property pages).

Hope this would be helpful for you further.


Posted by paulwalters2 2021-07-07T10:42:57Z

Good Morning All,

I am currently trying to set up a lab using Horizon 8.2.0, but I have an issue. On the Dashboard under System Health, in the Domains section, I am seeing the following:

Error  Domain status error detected. Domain cannot be contacted.

The server (Server 2016) is on the domain and can ping it. I've done a quick Google search but to no avail. Would really appreciate some guidance.

Thanks

Paul

8 Replies

  • How many DCs do you have? Are the DCs' DNS server IPs round-robin?

    Then, did you use a DHCP server for the VDIs? Are the DNS server IPs set in it? Else check the vCenter (VCSA) and Composer server DNS as well.



  • Author Paul Walters

    I have 1 DC. It is my DNS server. No round robin.

    No VDIs installed yet. 

    Not sure what 'DNS Servers IPs set in' means exactly, but if you're asking if they're static then yes.

    From the connection server I can ping the IP of the VCSA but not the name.

    No composer server.

    Hope that helps.



  • Author Rod McGarrigle


    Please share the error via a screenshot.

    Ensure all of your clients and servers use the DC as their DNS and NOTHING else, certainly no Google DNS.



  • Author Paul Walters

    All servers are on the same domain using the same DNS server; I only have 1x DNS server.



  • Author Rod McGarrigle


    Just to confirm, your server is using the DC for its DNS?

    You’ve used domain.com instead of the NetBIOS name?

    If you remove the domain and re-add it, do you get any further warnings?



  • Author Rod McGarrigle


    The username and password you're using to link the domain: has it expired, is it no longer valid, is it disabled, etc.?



  • Author spicehead-bk3ov

    Hi,

    Did you resolve it? Getting the same error.



  • Author spicehead-cuqh8

    The AD DNS IP must be set to your current IP address.



In this article, we'll take a look at why it is sometimes not possible to join a new computer to an Active Directory domain, and you get the error "Active Directory Domain Controller could not be contacted".

Active Directory Domain Controller Could Not Be Contacted Error: What Does It Look Like?

A user or an administrator tries to join a new Windows workstation/server to a domain. To do this, open System Properties on the workstation, and press Change settings > Change. Enter a new computer name, and select that this computer should be a member of the specified domain. Enter your AD domain FQDN. After clicking OK, you may receive an error:

An Active Directory Domain Controller (AD DC) for the domain “theitbros.com” could not be contacted.

Ensure that the domain name is typed correctly.

If the name is correct, click Details for troubleshooting information.

How to Fix the AD Domain Controller Could Not Be Contacted Error?

Here are some basic steps that should help you fix the domain controller connection error:

  1. Check your IP address and DNS settings;
  2. Check the Active Directory domain controller connectivity;
  3. Check DC Health (SRV DNS records, Netlogon, and Sysvol folders).

Let’s look at each of these steps in more detail.

Check the IP Settings and DNS Settings on Your Computer

Most often, this problem is related to the wrong IP or DNS settings on your computer.

Check IP Address

First, check if your computer has the correct IP address on the primary network interface. The IP address can be obtained from a DHCP server, or manually specified in the network adapter settings. You can view the current network settings of the computer using the command:

ipconfig /all


Make sure your computer’s IP address matches the network it’s on. Try to manually set a static IP address, or vice versa, get the correct address from the DHCP server (select Obtain IP address automatically in the properties of your network adapter).


Check DNS Client Settings

Make sure your network adapter's DNS settings point to your internal DNS servers. You can display the current DNS servers for your adapters using PowerShell:

Get-DnsClientServerAddress

If the DNS server address is incorrect, change it manually or get settings from DHCP.

Make sure the DNS Client service is running using Get-Service cmdlet:

Get-Service dnscache

Open the hosts file (C:\Windows\System32\drivers\etc\hosts) on the computer using notepad.exe or another text editor, and make sure there are no entries for your domain or domain controller names. If such entries exist, delete them.

You can display the contents of the hosts file with the command:

Get-Content C:\Windows\System32\drivers\etc\hosts

Then clear the DNS cache, and restart the service from the elevated command prompt:

ipconfig /flushdns

net stop dnscache && net start dnscache

Check if your computer can resolve the domain name to the correct IP address of the domain controller. Use the Resolve-DNSName cmdlet with the FQDN of your domain to which you are trying to join your workstation:

Resolve-DNSName theitbros.com

The command should return one or more DNS records (the addresses of your domain controllers).

Verify the Domain Controller Connectivity

Next, check if the domain controller is accessible from the client. Open a command prompt, and run the following commands:

ping your_domain_name.com

And:

tracert your_domain_name.com

Make sure your domain controller is responding and reachable.


Note. In addition, it’s recommended to check the availability of the domain controller from other workstations on the same IP network.

If the DC is reachable, try adding its IP address as a DNS server in the Advanced TCP/IP settings of your network connection:

  1. Open Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings;
  2. Select the network adapter that is connected to your corporate network, right-click it, and select Properties;
  3. Select Internet Protocol Version 4 (TCP/IPv4), and click Properties;
  4. Press the Advanced button, and go to the DNS tab;
  5. On the DNS tab press Add, and enter the IP address of your DNS server (domain controller). Don't use public DNS IPs in the preferred and alternative fields, like 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare);
  6. Click OK (if several IP addresses are listed in the DNS server list, move the IP address of your DC to the top of the list);
  7. Save the changes and restart the workstation;
  8. Try to join your workstation to the AD domain.

Check That Domain Controller Connections Aren't Blocked by the Firewall

Verify that access to the DNS service on the domain controller is not blocked by a firewall. The easiest way to check the availability of port 53 on a DC is to use PowerShell:

Test-NetConnection 192.168.1.11 -Port 53

In our example, TcpTestSucceeded: True means that the DNS service on the DC is accessible.

Also, make sure the computer can contact the DNS server that hosts the domain's DNS zone, or can otherwise resolve DNS names in that domain. Make sure the correct DNS server is configured on this client as the preferred server and that the client can reach it. Confirm that you can find the domain and access a domain controller from the computer using the command:

nltest /dsgetdc:theitbros.com


If your computer successfully discovered the domain and domain controller, the command should return information about the domain, Active Directory sites and services running on the DC:

DC: \\DC01.theitbros.com

Address: \\192.168.1.15

Dom Guid: 4216f343-2949-21c3-8caa-6d7cbcdb1690

Dom Name: theitbros.com

Forest Name: theitbros.com

Dc Site Name: NY

Our Site Name: NY

Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS

The command completed successfully.

Hint. Another helpful guide that can help you troubleshoot DC connectivity over RPC is “1722 The RPC server is unavailable”.

Also, try to temporarily disable the built-in Windows Firewall and all third-party applications with antivirus/firewall modules (Symantec, McAfee, Windows Defender, etc.) that can block the network ports used to access the domain controller. After disabling the firewalls, try to join the computer to the domain.

Here is the minimum list of network protocols, ports, and services that must not be blocked in firewalls between a client and a domain controller to successfully join a device to the Active Directory domain:

  • UDP 53 — DNS traffic;
  • TCP and UDP 88 — Kerberos authentication;
  • UDP 123 — Windows Sync time with Domain Controller;
  • TCP 135 — Remote Procedure Call RPC Locator;
  • TCP and UDP 139 — NetBIOS Session Service;
  • TCP and UDP 389 (LDAP, DC Locator, Net Logon) or TCP 636 (LDAP over SSL);
  • TCP 445 (SMB/CIFS, Net Logon);
  • TCP 49152-65535 — RPC ports, randomly allocated high TCP ports.
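An added example (not code from the article) that probes the ports listed above from the client that fails to join. Test-NetConnection only tests TCP, so UDP 53 is exercised with a real DNS query against the DC, and the UDP 389 LDAP-ping path is exercised through nltest; $DomainController and $DomainFqdn are assumed values you replace with your own.

```powershell
function Test-DcJoinPorts {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # IP or name of a DC
        [Parameter(Mandatory)][string]$DomainFqdn          # e.g. theitbros.com
    )

    # TCP ports the article lists as required for a domain join.
    $tcpPorts = @(
        @{ Port = 53;  Service = 'DNS' },
        @{ Port = 88;  Service = 'Kerberos' },
        @{ Port = 135; Service = 'RPC endpoint mapper' },
        @{ Port = 139; Service = 'NetBIOS session' },
        @{ Port = 389; Service = 'LDAP' },
        @{ Port = 636; Service = 'LDAP over SSL' },
        @{ Port = 445; Service = 'SMB / Net Logon' }
    )

    $results = @()
    foreach ($p in $tcpPorts) {
        $ok = (Test-NetConnection -ComputerName $DomainController -Port $p.Port `
                  -WarningAction SilentlyContinue).TcpTestSucceeded
        $results += [pscustomobject]@{ Check = "TCP $($p.Port) ($($p.Service))"; Open = $ok }
    }

    # UDP 53: ask the DC directly (bypassing cache and hosts file) for the SRV
    # record the join needs; a blocked UDP 53 shows up here as a failed query.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV `
                   -Server $DomainController -DnsOnly -ErrorAction Stop
        $udpDns = @($srv | Where-Object Type -eq 'SRV').Count -gt 0
    } catch { $udpDns = $false }
    $results += [pscustomobject]@{ Check = 'UDP 53 (DNS SRV query to DC)'; Open = $udpDns }

    # DC locator (UDP 389 LDAP ping): nltest /dsgetdc uses the same locator
    # path the join wizard uses, so a zero exit code means a DC was found.
    $null = & nltest.exe /dsgetdc:$DomainFqdn 2>&1
    $results += [pscustomobject]@{ Check = 'DC locator (nltest /dsgetdc)'; Open = ($LASTEXITCODE -eq 0) }

    $results
}

# Assumed values: replace with your DC address and domain FQDN.
Test-DcJoinPorts -DomainController '192.168.1.15' -DomainFqdn 'theitbros.com' | Format-Table -AutoSize
```

The dynamic RPC range (49152-65535) cannot be probed port by port; if TCP 135 is open but the join still fails with an RPC error, check the firewall for that range.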

Check the DNS SRV Records on the Domain Controller

Check DNS Records on your DC

If the above methods didn't help, check whether the DNS zone of your domain controller contains the SRV record for the location of the DC.

Open an elevated Command prompt, and run the following commands:

nslookup

set type=all

_ldap._tcp.dc._msdcs.your_domain_name.com

Verify if the specified DNS server has an SRV record in the following form:

_ldap._tcp.dc._msdcs.your_domain_name.com SRV service location:


If the specified SRV record is missing, it means your computer is configured to use a DNS server that does not have a correct SRV record with the location of the domain controller.

Update/Re-Register DNS SRV Records on DC

If you can't change the DNS settings on your computer, you can manually add two records (SRV and A) to your existing DNS server that allow it to resolve the domain controller's IP address:

  • _ldap._tcp.dc._msdcs.your_domain_name.com is an SRV resource record that points to the domain controller that hosts the AD DS role;
  • An A resource record that gives the IP address of the DC listed in the _ldap._tcp.dc._msdcs.your_domain_name.com SRV resource record.

Restart the Netlogon service on the domain controller with the command:

net stop netlogon && net start netlogon

(or simply try to reboot the DC)

On startup, it will try to register the necessary SRV records on the DNS server.

Also, you can re-register domain controller DNS records using the command:

ipconfig /registerdns

Wait for a while for the records to appear in DNS and replicate across the domain.

Also, make sure the dynamic updates are allowed in your Windows DNS zone settings.

Check the Domain Controller Health

Perform a health check on your domain controllers and replication according to the following guides:

  • How to check Active Directory health?
  • Check AD Replication using the Repadmin command.

It is also recommended to verify that the SYSVOL and NETLOGON network shares are created and accessible on the domain controller (run the net share command on the closest DC).

If the SYSVOL and NETLOGON directories are missing from the share list:

  1. Check the IP and DNS settings on your DC (the domain controller shouldn't receive an IP address from a DHCP server; use only a static IP address);
  2. Verify that the C:\Windows\SYSVOL\domain directory contains the Policies and Scripts folders;
  3. If you did not migrate SYSVOL replication from FRS to DFS-R, then to replicate SYSVOL from the PDC to all DCs in the domain you need to stop the File Replication Service (net stop NtFrs). Then run Regedit, go to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup, and change the BurFlags DWORD value to D4 (hex) on the PDC and to D2 (hex) on all additional domain controllers. After that, start the service:
    net start NtFrs

Then check whether the \\DCName\SYSVOL share appears and is accessible on the problem DC.

Troubleshooting Error “an Active Directory Domain Controller Could not be Contacted”

If none of the above methods helped you to fix the problem, you need to move to more advanced troubleshooting. Note that the Details button is available in the error message.

Click the Details button for more information about the error. In most cases, there you will see the error "DNS name does not exist" or one of the following error codes: 0x0000232B RCODE_NAME_ERROR, 0x0000267C DNS_ERROR_NO_DNS_SERVER, or 0x00002746 WSAECONNRESET.

For example:

The domain name “DOMAIN_NAME” might be a NetBIOS domain name. If this is the case, verify that the domain name is properly registered with WINS.

If you are certain that the name is not a NetBIOS domain name, then the following information can help you troubleshoot your DNS configuration.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain “DOMAIN_NAME”:

The error was: “DNS name does not exist.”

(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.DOMAIN_NAME

Common causes of this error include the following:

– The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

xx.xx.xx.xx

xx.xx.xx.xx

– One or more of the following zones do not include delegation to its child
zone:

Domain_name
local
.. (the root zone)

Open the text file C:\Windows\debug\dcdiag.txt on the user's computer. Carefully study the latest errors in this file; they will often point you in the right direction.

Most often, you will find these errors in the dcdiag.txt file:

  • 0x0000232B — RCODE_NAME_ERROR (“DNS name does not exist”) – your computer cannot find the SRV record on the DNS server. Make sure your computer’s DNS settings are set to the IP address of your domain controller. Check SRV records on DC;
  • 0x0000267C — DNS_ERROR_NO_DNS_SERVER (“No DNS Servers configured for local system”). In this case, it is recommended to check your IP and DNS settings, and network connectivity;
  • 0x00002746 — WSAECONNRESET (“An existing connection was forcibly closed by the remote host”) — check the network connectivity and firewall rules. Try to restart the DNS service on the DC, or reboot the host completely.

Sometimes the Netsetup.log file contains useful information about errors when joining a computer to an Active Directory domain: Windows clients log the details of the domain join operation there. The log is located at %windir%\debug\Netsetup.log. Carefully examine the errors in Netsetup.log; they may help you find the reason the computer cannot connect to the Active Directory domain.

The most typical errors are:

  • An attempt to resolve the DNS name of a DC in the domain being joined has failed. Please verify this client is configured to reach a DNS server that can resolve DNS names in the target domain;
  • An operation was attempted on a nonexistent network connection — restart the computer, make sure that you type the DNS name and not the NetBIOS name;
  • Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again — reboot your device;
  • Network name cannot be found — make sure your computer can access the DNS server hosting the domain’s DNS zone;
  • No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept — remove all mapped drives and reboot the computer.
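An added example (not from the article) that scans dcdiag.txt and Netsetup.log for the error codes and messages listed in the two sections above and reports the next step each one points to. The sample lines are constructed, not real log output; for a real machine pass the contents of %windir%\debug\dcdiag.txt or %windir%\debug\Netsetup.log.

```powershell
# Patterns taken from the error codes and Netsetup.log messages discussed above,
# each paired with the remediation the article gives for it.
$knownErrors = @(
    @{ Pattern = '0x0000232B|RCODE_NAME_ERROR|DNS name does not exist'
       Advice  = 'SRV record not found: point the client at the DC as its DNS server and check _ldap._tcp.dc._msdcs.<domain> on the DC' },
    @{ Pattern = '0x0000267C|DNS_ERROR_NO_DNS_SERVER'
       Advice  = 'No DNS server configured/reachable: check IP and DNS settings and network connectivity' },
    @{ Pattern = '0x00002746|WSAECONNRESET'
       Advice  = 'Connection reset: check connectivity and firewall rules; restart the DNS service on the DC or reboot it' },
    @{ Pattern = 'An attempt to resolve the DNS name of a DC'
       Advice  = 'Client cannot resolve the DC name: verify it uses a DNS server that can resolve names in the target domain' },
    @{ Pattern = 'nonexistent network connection'
       Advice  = 'Restart the computer and join using the DNS name, not the NetBIOS name' },
    @{ Pattern = 'Multiple connections to a server or shared resource'
       Advice  = 'Disconnect all previous connections to the server or share and reboot the device' },
    @{ Pattern = 'Network name cannot be found'
       Advice  = 'Make sure the client can access the DNS server hosting the domain DNS zone' },
    @{ Pattern = 'No more connections can be made to this remote computer'
       Advice  = 'Remove all mapped drives and reboot the computer' }
)

function Find-JoinErrors {
    param([string[]]$Lines)   # lines of dcdiag.txt or Netsetup.log
    foreach ($line in $Lines) {
        foreach ($e in $knownErrors) {
            if ($line -match $e.Pattern) {
                [pscustomobject]@{ Line = $line.Trim(); Advice = $e.Advice }
                break   # report one matching advice per line
            }
        }
    }
}

# Constructed sample of the kind of lines the two log files can contain.
$sample = @'
The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc._msdcs.DOMAIN_NAME
NetpJoinDomain: An operation was attempted on a nonexistent network connection.
NetpDsGetDcName: Network name cannot be found
'@ -split "`r?`n"

Find-JoinErrors -Lines $sample | Format-Table -Wrap

# On an affected client, scan the real files instead of the sample:
# Find-JoinErrors -Lines (Get-Content "$env:windir\debug\dcdiag.txt")
# Find-JoinErrors -Lines (Get-Content "$env:windir\debug\Netsetup.log")
```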



  • Hi,

    I built a server 2019 domain controller. I successfully promoted the server to domain controller. I also built a windows 10 computer to use as a workstation. 

    When I try to join the windows 10 computer to the domain I get error :

    «An Active Directory Domain controller (AD DC) for the domain «domain» could not be contacted.»

    DNS was successfully queried for service location (SRV) resource record used to locate a domain controller for domain «domain»:

    The query was for SRV record _ldap._tcp.dc._msdcs.domain.com

    The following domain controllers were identified by the query:

    (no Active Directory Domain Controllers found)

    However no domain controllers could be contacted.

    Please advise. I am trying to build a lab on my laptop and I am using public wifi for connection.

    Thanks,

    Senait

Answers

  • Domain controller and problem member must have the static ip address of DC listed for DNS and no others such as router or public DNS


    Regards, Dave Patrick ….
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided «AS IS» with no warranties or guarantees, and confers no rights.

    • Marked as answer by

      Thursday, March 19, 2020 7:03 PM

  • Hello Senait,

    Thank you for posting in our TechNet forum.

    As Dave and Marcin mentioned, we had better set a static IP address for the DC and we had better add DNS role in the DC, so the DC is also a DNS server.

    For example, in my lab,

    1. Here is the IP address of my DC and the DC is also a DNS server (domain name is b.local).

    2. Here is a member server in b.local domain.
    We should set the IP of the DNS server (that is, the domain controller's IP address) as the Preferred DNS server of this server.

    3. Then we can try to join the client to the domain again.

    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact
    tnmff@microsoft.com.

    • Edited by
      Daisy Zhou, Microsoft contingent staff
      Monday, March 16, 2020 2:47 AM
    • Marked as answer by
      senizkibret
      Thursday, March 19, 2020 7:02 PM

  • You have to use a DNS server which is hosting the zone corresponding to the namespace used internally by your AD. Typically, this is the DNS server installed directly on the domain controller which relies on AD-integrated zones.

    As Dave has pointed out:

    1) assign static IP address to your DC

    2) point the computer you are trying to join to the DC as its primary and only DNS server

    hth
    Marcin

    • Marked as answer by
      senizkibret
      Thursday, March 19, 2020 7:03 PM

  • That isn’t possible to do. Member must be able to contact internal DNS server on your domain.


    Regards, Dave Patrick ….
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided «AS IS» with no warranties or guarantees, and confers no rights.

    • Marked as answer by
      senizkibret
      Thursday, March 19, 2020 7:03 PM

Every IT admin managing machines in an Active Directory environment has been there. You try to add a computer to an Active Directory (AD) domain and get the dreaded “An Active Directory Domain Controller Could not be Contacted” error. In this article, learn the steps to diagnose (and solve) this problem for good.


An Active Directory Domain Controller Could not be Contacted

This error is DNS-related. The main problem is that the computer has failed to find an appropriate SRV DNS record it needs to join the AD domain.

I’ve put together a few steps for you to follow to fix this error and get your computer joined to your domain.

Ensure You’re Using the Right DNS Servers

Before you get too far down a rabbit hole, first ensure you’re using the right DNS servers in the first place.

Active Directory and DNS have a special relationship. Domain controllers register specific records in the DNS servers they know about. These live in the _ldap._tcp.dc._msdcs.<domainname> zone and help AD-joined devices find resources such as domain controllers. These SRV records won't exist in DNS servers that aren't AD-integrated.

To resolve this issue, you need to be using either:

  • An AD-integrated DNS server
  • A DNS server that replicates records from an AD aware DNS server
  • A DNS server that has forwarding set up to query either an AD-integrated DNS server or a DNS server with replicated records

To check that the DNS server you are using is one of the above, run the following command in a PowerShell session on an existing domain joined computer:

PS C:\> Get-DnsClientServerAddress

InterfaceAlias               Interface Address ServerAddresses
                             Index     Family
--------------               --------- ------- ---------------
Ethernet                             9 IPv4    {10.0.0.101}
Ethernet                             9 IPv6    {}
Loopback Pseudo-Interface 1          1 IPv4    {}
Loopback Pseudo-Interface 1          1 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}

The values under the ServerAddresses column are the DNS servers being used by that computer. If you don't have another domain client to check, you will need to contact your network team for this information.

You can change the computer's DNS client settings either with PowerShell's Set-DnsClientServerAddress cmdlet or via the IPv4 Properties dialog box for the computer's network card. This is reached by going to Control Panel > Network and Internet > Network Connections.

Once in the Network Connections window, right-click on the network card, choose Properties, choose Internet Protocol Version 4 (TCP/IPv4) and then click on Properties.

IPv4 properties dialog

If the network uses Dynamic Host Configuration Protocol (DHCP), ensure the Obtain an IP address automatically and Obtain DNS server address automatically options are selected.

If your network doesn’t use DHCP then update the Preferred DNS server and Alternative DNS server values to the correct ones you obtained earlier.

Find the True Error

If you’ve confirmed your computer has the correct DNS servers then it’s time to jump in a little further.

When you attempt to join a computer to a domain, the error “An Active Directory Domain Controller Could not be Contacted” comes up but it’s not the “true” error message. You need to dive a little deeper.

You’ll notice in the error dialog a Details >> button. Click that. This will return more granular information allowing you to troubleshoot this error better.

Expanded details view of the error dialog

You can select the contents of the text box to copy and paste into a text viewer, or you can find the same information in the C:\Windows\debug\dcdiag.txt file on that machine. This file is created by Windows when the error occurs.

The error text contains some key pieces of information. I've numbered and bolded each of these in the example below:

  • The domain name the machine thinks you’ve asked it to join (1)
  • The error code (2)
  • The DNS query that was made (3)
  • The DNS server(s) the machine queried (if any) (4)

Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you have received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain “carisbrookelabs.local”(1):

The error was: “DNS name does not exist.”
(error code 0x0000232B RCODE_NAME_ERROR) (2)

The query was for the SRV record for _ldap._tcp.dc._msdcs.carisbrookelabs.local (3)

Common causes of this error include the following:

The DNS SRV records required to locate an AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when an AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

8.8.4.4
8.8.8.8 (4)

One or more of the following zones do not include delegation to its child zone: carisbrookelabs.local

local
. (the root zone)

0x0000267C DNS_ERROR_NO_DNS_SERVER

This error indicates that the DNS server could not be found to even attempt the query. It didn’t even get a chance. This is typically due to no network connectivity to the DNS server.

Note that you can join a computer without a network connection using what is known as an offline domain join, but that is outside the scope of this article.

Troubleshoot Your Network Connection

If you see this error message, you’ll need to start doing some network troubleshooting.

  1. Check that your network adapter is enabled and you can connect to other network resources.
  2. Check that you have an IP address and DNS servers configured.

You can check for an IP address and DNS servers by running ipconfig /all.

If you have an IP address and can reach other network resources, you’ll need to test your connection between the computer and the DNS server.

To do so, you can use ping and PowerShell’s Test-Connection cmdlet. Test connectivity to the DNS server(s) using either of these two utilities. If Internet Control Message Protocol (ICMP) traffic is allowed on the network, you should get a response. If there’s an error or time-out, you most likely have some sort of networking issue, such as routing. Talk to your networking team to resolve the issue, then try the join again.

Check DNS connectivity

If you’ve confirmed your network connection is working, you’ll next need to ensure your computer can connect via TCP/53 to the DNS server.

Try using the Resolve-DNSName PowerShell cmdlet with the FQDN of the domain you are trying to join. This should return one or more DNS server records:

PS C:\> Resolve-DNSName carisbrookelabs.local

Name                    Type   TTL   Section   IPAddress
----                    ----   ---   -------   ---------
carisbrookelabs.local   A      600   Answer    10.0.0.103
carisbrookelabs.local   A      600   Answer    10.0.0.102
carisbrookelabs.local   A      600   Answer    10.0.0.101

If you get an error, then it is worth checking that there’s nothing blocking IP traffic on port 53 (the port used for DNS traffic) between your machine and the DNS servers.

You can do a simple check for connectivity on port 53 using the Test-NetConnection cmdlet (not to be confused with the Test-Connection cmdlet):

PS C:\> Test-NetConnection -Port 53 -ComputerName <DNSSERVERHERE>
True

You will get a response of True if the connection succeeds, or False if it fails. A failure could be due to a network or host-based firewall on the DNS server.

0x0000232B RCODE_NAME_ERROR

This error means it was able to find the DNS server but the SRV record wasn’t found. This error requires a little more troubleshooting.

Ensure You’re Using the Domain FQDN

It seems simple, but verify that the name you typed matches the fully qualified domain name (FQDN) of the domain you are trying to join. This should only be a domain name, not a server name. For example, use carisbrookelabs.local and not WIN-3467RQTHJH5.carisbrookelabs.local.

If there’s any doubt, check the domain name of an existing domain client. You can find the appropriate domain name by running this PowerShell command on an existing domain client.

PS51> (Get-CimInstance Win32_ComputerSystem).Domain
carisbrookelabs.local

If you attempt to use the NETBIOS name (contoso) vs. the FQDN (contoso.local), the computer might find the domain but Windows will treat the name as an FQDN anyway.

If you type a NETBIOS name and don’t have a WINS infrastructure in place you will get the error we’re trying to fix. Always use a FQDN rather than a NETBIOS name.

Typing an FQDN in the Computer/Domain Changes dialog

Check DNS records

For this step you are going to use Resolve-DNSName again. This time using the exact DNS record that was not retrieved when you tried to join your machine to the domain. Copy and paste it from the dcdiag.txt file mentioned in the introduction, or the copy of the error text you took earlier. This will avoid any typos with underscores and dashes.

Your command should look something like this:

PS C:\> Resolve-DNSName _ldap._tcp.dc._msdcs.carisbrookelabs.local

Name                          Type  TTL   Section    PrimaryServer                          NameAdministrator                  SerialNumber
----                          ----  ---   -------    -------------                          -----------------                  ------------
_msdcs.carisbrookelabs.local  SOA   3600  Authority  WIN-3467RQTHJH5.carisbrookelabs.local  hostmaster.carisbrookelabs.local   419


If you get DNS name does not exist as the response to this command, then your issue is with DNS.

  • Ensure you’re using the correct DNS server
  • Ensure the relevant records have not been deleted

If you get a positive response to Resolve-DNSName _msdcs.<domainname> but get a DNS name does not exist from Resolve-DNSName _ldap._tcp.dc._msdcs.<domainname>, then the records are missing.

Re-register your domain controller’s DNS records using the command ipconfig /registerdns on each DC. It may take a few minutes for the records to appear.

Once you can confirm the presence of the required DNS record(s) using Resolve-DNSName then you should be good to go.
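The checks above (FQDN rather than NetBIOS name, TCP/53 reachability, the _ldap._tcp.dc._msdcs SRV record) can be run in one pass. The script below is an added example written for this page, not code from the original article; the domain name is a placeholder, the DNS servers are read from the client's own adapters, and the SRV query is made explicitly with -Type SRV so that a missing record surfaces as the "DNS name does not exist" failure rather than a bare SOA answer.

```powershell
# Added example (not from the original article): pre-join DNS diagnostics in the
# order the article describes. The default domain name is a placeholder; run as
#   .\Test-DomainJoinDns.ps1 -DomainFqdn yourdomain.local
param(
    [string]$DomainFqdn = 'contoso.local'   # placeholder, replace with your domain FQDN
)

# 1. A NetBIOS name (no dots) is the classic cause of the error; insist on the FQDN.
if ($DomainFqdn -notmatch '\.') {
    throw "'$DomainFqdn' looks like a NetBIOS name. Use the domain FQDN, e.g. contoso.local."
}

# 2. Which DNS servers is this client actually using? Read from the adapters, not guessed.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
if (-not $dnsServers) { throw 'No IPv4 DNS servers are configured on any adapter.' }

# 3. TCP/53 reachability to each configured DNS server (the firewall check from the article).
foreach ($server in $dnsServers) {
    $ok = Test-NetConnection -ComputerName $server -Port 53 -InformationLevel Quiet `
                             -WarningAction SilentlyContinue
    '{0,-18} TCP/53 reachable: {1}' -f $server, $ok
}

# 4. The DC locator record the join process needs. Query it explicitly as SRV:
#    without -Type SRV, Resolve-DnsName asks for A/AAAA and only shows the zone SOA.
$srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
} catch {
    # This is the 0x0000232B / RCODE_NAME_ERROR case: DNS answered, but has no such record.
    Write-Warning "Could not resolve ${srvName}: $($_.Exception.Message)"
    Write-Warning "Check the DNS server list above; if it is correct, run 'ipconfig /registerdns' on each DC."
    return
}

# 5. The SRV targets are the domain controllers; confirm LDAP (389) and Kerberos (88) answer,
#    since a resolvable record pointing at an unreachable DC fails the join just the same.
foreach ($record in $srv) {
    foreach ($port in 389, 88) {
        $ok = Test-NetConnection -ComputerName $record.NameTarget -Port $port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-40} TCP/{1,-3} reachable: {2}' -f $record.NameTarget, $port, $ok
    }
}
```

Run it from the machine you are trying to join, since the point is to see the DNS servers and network path that machine actually uses; a False on TCP/53 sends you back to the firewall check, while a warning from step 4 with a reachable server means the records themselves are missing.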

Summary

In this article, you’ve learned some steps to try when troubleshooting the error “An Active Directory Domain Controller Could not be Contacted”. It’s impossible to cover every single scenario in an article like this, but I hope the process works for you and gets you on the right path!

Further Reading

  • DNS and AD DS on Microsoft Docs
  • Test-Connection: Ping Remote Hosts the PowerShell Way
  • Resolve-DNSName cmdlet on Microsoft Docs
  • Using The PowerShell Test-NetConnection Cmdlet on Windows

Fix Active Directory Domain Controller Could Not Be Contacted Error

Did you encounter the 'An Active Directory Domain Controller for the domain could not be contacted' error? Most users run into it when adding another Windows workstation to a domain. Looking at its causes, there are two major reasons behind this error: DNS misconfiguration and a malfunctioning DNS service. Can it be solved? Yes, there are ways to fix this error and add further Windows workstations to the domain.

Fix Active Directory Domain Controller Could Not Be Contacted Error

To add another Windows workstation to a domain you follow these steps, and this is where the error appears:

1. Right-click This PC and select Properties to open System Properties.

2. In the System Properties window, click Change settings on the right, under Computer name, domain, and workgroup settings.

3. A second System Properties window opens. Click the Change button.

4. Select the Domain option, enter the domain name to connect to and click OK. Once you click OK, you see this error:

"An Active Directory Domain Controller (AD DC) for the domain "123xyz.com" could not be contacted".

The two causes of this error in more detail:

  • DNS misconfiguration: The primary cause of this error is a DNS misconfiguration on the workstation. The good news is that the DNS settings can easily be reconfigured to fix it.
  • DNS service: Another major cause is a malfunctioning DNS Client service. The fix for that is simply to restart the service.

How to fix this error?

Now that you know what this error means and how it occurs, the following methods and their steps show how to fix it.

Method 1: Add New DNS Configuration

Since the major factor behind this error is the DNS configuration, pointing the workstation at the right DNS server may solve the problem. Log on to the system that you want to add to the domain, then follow these steps:

1. In the Start menu search box, type control panel and open Control Panel from the results.

2. Go to Network & Internet, then open Network and Sharing Center.

3. Click the connection you are using (Wi-Fi or Ethernet).

4. In the Status window that pops up, click Properties.

5. Select Internet Protocol Version 4 (TCP/IPv4) from the list and click Properties.

6. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click the Advanced button.

7. Switch to the DNS tab and type the IP address of your domain controller in the DNS server addresses box. Click Add, then click OK.

8. Close all the windows and restart your system.

Now try joining the domain again; it may work.


Method 2: Restart DNS Service

If the above method did not fix the error, the cause may not be a DNS misconfiguration but a malfunctioning DNS Client service; some users hit this error because that service is not working properly on their system. The solution is to restart it. Follow these steps:

1. Press Windows Key + R to open Run, type services.msc and press Enter.

2. In the Services window, locate the DNS Client service. Right-click DNS Client and select Restart.

Note: If there is no Restart option and you cannot restart the service from the Services window, there is no need to worry. Open an elevated Command Prompt instead and continue with the next steps.

3. Type the following command and press Enter:

net stop dnscache

4. To start it again, type:

net start dnscache

This restarts the DNS Client service. Once you are done with these steps, try joining the domain again.


Method 3: Connect Using Windows Settings

If you are still unable to join the domain, you can connect to it and add your workstation through the Windows Settings app instead. Users usually join a workstation to a domain through System Properties, but the following steps do the same thing from Settings:

1. Press Windows Key + I to open Settings, then click Accounts.

2. Click the Access work or school tab in the left pane, then click Connect.

3. In the setup window, click the Join this device to a local Active Directory domain link at the bottom.

4. Type the domain name including its .local suffix (xxx.local) and save the setting.

5. Enter the administrator credentials when prompted, then reboot the system.


Hopefully, the above-mentioned methods will help you fix Active Directory Domain Controller Could Not Be Contacted error. But if you still have queries regarding this tutorial then feel free to ask them in the comment section.

The error 'An Active Directory Domain Controller for the domain could not be contacted' usually occurs because of a DNS misconfiguration, which you will have to correct. Users report that when they try to add another Windows workstation to a domain, they are presented with the following error message.

An Active Directory Domain Controller for the Domain Could Not be Contacted

Clicking the Details button shows that the DNS name does not exist, along with an error code. If you have come across this error on Windows 10, this article will help you resolve it: follow the workarounds provided below.

What causes the ‘An Active Directory Domain Controller for the domain could not be contacted’ Error on Windows 10?

After looking into the matter, we have found that the issue is usually due to one of the following factors:

  • DNS misconfiguration: As we mentioned above, the primary cause of the error is your DNS misconfiguration. The DNS setting can be easily re-configured to fix the issue.
  • DNS services: In some cases, the error can also generate due to a malfunctioning DNS service. Restarting the service seems to fix the issue.

To fix the issue, follow the solutions below. As always, we recommend trying them in the order given.

Solution 1: Add New DNS Configuration

Since the primary cause of the issue is the DNS configuration, adding a DNS server entry that matches your domain should fix it. First, log on to the system that you are trying to add. Then follow the instructions below:

  1. Open the Network and Sharing Center by going to the Control Panel and searching for Network and Sharing Center.
  2. Next to the network you are using, click 'Ethernet'.
  3. Once the new window pops up, click Properties.
  4. From the list, highlight Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
  5. Click Advanced and then switch to the DNS tab.
  6. Under 'DNS server addresses', click Add and then type in the IP address of your domain controller.
  7. Click OK in all the windows you have opened, then reboot your system.
  8. Try joining the domain again.

Solution 2: Restarting DNS Service

In certain scenarios, the error message pops up because the DNS Client service is not working properly. This can be resolved by simply restarting the service. Here is how to do it:

  1. Press Windows Key + R to open Run.
  2. Type in 'services.msc' and then press Enter.
  3. From the list of services, locate the DNS Client service.
  4. Right-click it and select Restart.
  5. If you are unable to restart the service, open an elevated Command Prompt by pressing Windows Key + X and selecting Command Prompt (Admin) from the list.
  6. Type in the following command and press Enter:
    net stop dnscache
  7. To start it again, type in:
    net start dnscache
  8. Once done, try joining the domain.

Solution 3: Connecting using the Settings Window

Finally, you can also resolve the issue by joining the domain through a different dialog. Generally, users join a system to a domain using System Properties, but the Settings app offers the same function:

  1. In the Cortana search bar, type in Sign-in options and open it.
  2. Switch to the 'Access work or school' tab.
  3. Click Connect.
  4. In the window that pops up, click 'Join this device to a local Active Directory Domain'.
  5. Type in the domain name. Make sure you include the .local suffix (xxxxx.local).
  6. You will then be asked for the administrator username and password.
  7. Enter the credentials and then restart your system.
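Method 1/Solution 1 (point the client at the domain controller for DNS), Method 2/Solution 2 (restart the DNS Client service) and Method 3/Solution 3 (join the domain) are all click-through procedures above; the script below is an added example, not code from either article, that performs the same three fixes from PowerShell so they can be repeated on several workstations. The interface alias, the domain controller address (a TEST-NET-1 placeholder) and the domain name are assumptions to be replaced with your own values.

```powershell
# Added example (not from the original articles): PowerShell equivalent of
# Solution 1 (DNS server), Solution 2 (DNS Client restart) and Solution 3 (domain join).
# All three defaults are placeholders for illustration.
#Requires -RunAsAdministrator
param(
    [string]$InterfaceAlias     = 'Ethernet',
    [string]$DomainControllerIP = '192.0.2.10',    # placeholder (TEST-NET-1), not a real DC
    [string]$DomainFqdn         = 'contoso.local'  # placeholder domain FQDN
)

# Solution 1: make the domain controller the client's first DNS server.
# Existing servers are kept after it so resolution of other names keeps working.
$current = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
$new = @($DomainControllerIP) + @($current | Where-Object { $_ -ne $DomainControllerIP })
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $new
"DNS servers on ${InterfaceAlias}: $($new -join ', ')"

# Solution 2: flush the resolver cache and restart the DNS Client service.
# Where the Services console offers no Restart (the case the article's note covers),
# Restart-Service usually fails too, so fall back to the net.exe commands the article uses.
Clear-DnsClientCache
try {
    Restart-Service -Name Dnscache -ErrorAction Stop
} catch {
    Write-Warning "Restart-Service failed ($($_.Exception.Message)); trying net stop/start."
    net stop dnscache
    net start dnscache
}

# Verify the fix before attempting the join: the DC locator SRV record must now resolve
# through the server just configured. -ErrorAction Stop aborts here on "DNS name does not exist".
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -Server $DomainControllerIP -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }
"Domain controllers advertised for ${DomainFqdn}: $(($srv.NameTarget | Sort-Object -Unique) -join ', ')"

# Solution 3: join the domain. Add-Computer is the same operation the System Properties and
# Settings dialogs perform; prompting for the credential keeps the password out of the script.
$cred = Get-Credential -Message "Account permitted to join computers to $DomainFqdn"
Add-Computer -DomainName $DomainFqdn -Credential $cred -Restart -Force
```

The join is only attempted after the SRV lookup succeeds against the newly configured server, so a leftover DNS problem stops the script at the Resolve-DnsName line rather than producing the same "could not be contacted" dialog again. In a managed network the DNS server list normally comes from DHCP; setting it statically as both articles do is a lab-style fix, and the first line of output shows what the adapter ended up with.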


Kevin Arrows


March 20, 2019 / VMware Horizon

Horizon 7.8 Authentication can not proceed (Domain Name is invalid)
*DefaultDomain*

After upgrading my VMware Horizon environment from 7.7 to 7.8, the following error message appears when trying to log in with the Horizon Client:
Authentication can not proceed (Domain Name is invalid)

Horizon 7.8 introduces several security improvements regarding the domain list and the "Log on as current user" feature.
Starting with version 7.8, domains are no longer listed when users access the environment from the Horizon Client. As a result, users cannot log in without entering the company domain or sub-domain themselves.

To solve this problem, there are three options:

1. The user provides a UPN (Testuser@domain.nl).
2. Enable the option "Hide domain list in client user interface" (the user enters Testuser@domain.nl or domain\testuser).
3. Enable the option "Send domain list" (the domains are listed and the user can select one).

The third option is a new setting in the administrator console. Before Horizon 7.8 sending the list was the default; the administrator now decides whether the domains are listed.

How to change?

In the administrator console:

  • Expand "View Configuration"
  • Select "Global Settings"
  • Under General, select Edit

Enable "Send domain list".

After enabling "Send domain list", users can select the correct domain in the Horizon Client.

Note: after upgrading the Horizon Client to version 5.0.0 build-12606690, the user is able to log in with both domain\username and username@domain.com.

Optionally you can hide specific domains with the vdmadmin -N command; for the full list of options see https://docs.vmware.com/en/VMware-Horizon-7/7.8/horizon-administration/GUID-3E9924EC-1554-43E5-A812-84F9711909A5.html
