Domain status error detected domain cannot be contacted

That’s Great bro . Ok now we can look at the other problem (i.e. to secure cross domain env.). but please, mark this query as answered

usually, we require a user that must have cross domain access and in this case the only thing we may have is the membership to a security group that holds the scope of Enterprise Admins or Enterprise Domain Admins (Global Level). for security purpose, we can encrypt its cross forest communication by enable AES Auth and with complex password. but «Delegation of Authority» would be difficult and may result in partial Two-way Trust once again.

let me re-check it on my side and then i’ll be able to answer it more confidently. but this is for sure that you have to compromise on above settings, still we can look for more secure way mentioned earlier in-case of password complexity and AES encryption (default behave you can find it to enable in user’s property pages).

Hope this would be helpful for your further.

Every IT admin managing machines in an Active Directory environment has been there. You try to add a computer to an Active Directory (AD) domain and get the dreaded “An Active Directory Domain Controller Could not be Contacted” error. In this article, learn the steps to diagnose (and solve) this problem for good.

Discover, report and prevent insecure Active Directory account passwords in your environment with Specops’ completely free Password Auditor Pro. Download it today!

This error is DNS-related. The main problem is that the computer has failed to find an appropriate SRV DNS record it needs to join the AD domain.

I’ve put together a few steps for you to follow to fix this error and get your computer joined to your domain.

Ensure You’re Using the Right DNS Servers

Before you get too far down a rabbit hole, first ensure you’re using the right DNS servers in the first place.

Active Directory and DNS have a special relationship. Domain controllers register specific records in DNS servers they know about. These live in the _ldap._tcp.dc.msdcs.<domainname> zone and help AD-joined devices find resources such as domain controllers. SRV records won’t exist in DNS servers that aren’t AD-integrated.

To resolve this issue, you need to be using either:

• An AD-integrated DNS server
• A DNS server that replicates records from an AD aware DNS server
• A DNS server that has forwarding set up to query either an AD-integrated DNS server or a DNS server with replicated records

To check that the DNS server you are using is one of the above, run the following command in a PowerShell session on an existing domain joined computer:

PS C:> Get-DnsClientServerAddress

InterfaceAlias               Interface Address ServerAddresses
                             Index     Family
--------------               --------- ------- ---------------
Ethernet                             9 IPv4    {10.0.0.101}
Ethernet                             9 IPv6    {}
Loopback Pseudo-Interface 1          1 IPv4    {}
Loopback Pseudo-Interface 1          1 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}

The responses you get under the ServerAddesses column are the DNS servers being used by that computer. If you don’t have another domain client to check, you will need to contact your network team for this information.

You can either use PowerShell’s Set-DnsClientServerAddress cmdlet to change the computer’s DNS client settings or via the IPv4 Properties dialog box for the network card of the computer. This is reached by going to Control Panel –> Network –> Internet –> Network Connections.

Once in the Network Connections window, right-click on the network card, choose Properties, choose Internet Protocol Version 4 (TCP/IPv4) and then click on Properties.

If the network uses Dynamic Host Configuration Protocol (DHCP), ensure the Obtain an IP address automatically and Obtain DNS server address automatically options are selected.

If your network doesn’t use DHCP then update the Preferred DNS server and Alternative DNS server values to the correct ones you obtained earlier.

Find the True Error

If you’ve confirmed your computer has the correct DNS servers then it’s time to jump in a little further.

When you attempt to join a computer to a domain, the error “An Active Directory Domain Controller Could not be Contacted” comes up but it’s not the “true” error message. You need to dive a little deeper.

You’ll notice in the error dialog a Details >> button. Click that. This will return more granular information allowing you to troubleshoot this error better.

You can select the contents of the text box to copy and paste into a text viewer, or you can find the same information in the C:windowsdebugdcdiag.txt file on that machine. This file is created by the Windows when the error occurs.

The error text contains some key pieces of information. I’ve marked numbered and bolded each of these in the example below:

• The domain name the machine thinks you’ve asked it to join (1)
• The error code (2)
• The DNS query that was made (3)
• The DNS server(s) the machine queried (if any) (4)

Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you have received this information, which has been recorded in the file C:windowsdebugdcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain “carisbrookelabs.local”(1):

The error was: “DNS name does not exist.”
(error code 0x0000232B RCODE_NAME_ERROR) (2)

The query was for the SRV record for _ldap._tcp.dc._msdcs.carisbrookelabs.local (3)

Common causes of this error include the following:

The DNS SRV records required to locate an AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when an AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

8.8.4.4
8.8.8.8 (4)

One or more of the following zones do not include delegation to its child zone: carisbrookelabs.local

local
. (the root zone)

0x0000267C DNS_ERROR_NO_DNS_SERVER

This error indicates that the DNS server could not be found to even attempt the query. It didn’t even get a chance. This is typically due to no network connectivity to the DNS server.

Note that you can join a computer without a network connection known as an  offline domain join, but that is outside of the scope of this article.

Troubleshoot Your Network Connection

If you see this error message, you’ll need to start doing some network troubleshooting.

1. Check that your network adapter is enabled and you can connect to other network resources.
2. Check that you have an IP address and DNS servers configured.

You can check for an IP address and DNS servers by running ipconfig /all.

If you have an IP address and can reach other network resources, you’ll need to test your connection between the computer and the DNS server.

To do so, you can use ping and PowerShell’s Test-Connection cmdlet. Test connectivity to the DNS server(s) using either of these two utilities. If Internet Control Message Protocol (ICMP) traffic is allowed on the network, you should get a response. If there’s an error or time-out, you most likely have some sort of networking issue, such as routing. Talk to your networking team to resolve the issue, then try the join again.

Check DNS connectivity

If you’ve confirmed your network connection is working, you’ll next need to ensure your computer can connect via TCP/53 to the DNS server.

Try using the Resolve-DNSName PowerShell cmdlet with the FQDN of the domain you are trying to join. This should return one or more DNS server records:

PS C:> Resolve-DNSName carisbrookelabs.local


Name                                           Type   TTL   Section	IPAddress
----                                       	----   ---   -------	---------
carisbrookelabs.local                      	A  	600   Answer 	10.0.0.103
carisbrookelabs.local                      	A  	600   Answer 	10.0.0.102
carisbrookelabs.local                      	A  	600   Answer 	10.0.0.101

If you get an error, then it is worth checking that there’s nothing blocking IP traffic on port 53 (the port used for DNS traffic) between your machine and the DNS servers.

You can do a simple check for connectivity on port 53 using the Test-NetConnection cmdlet (not to be confused with the Test-Connection cmdlet):

PS C:> Test-NetConnection -Port 53 -ComputerName <DNSSERVERHERE>
True

You will get a response of True if the connection succeeds, or False if it fails. A failure could be due to a network or host-based firewall on the DNS server.

0x0000232B RCODE_NAME_ERROR

This error means it was able to find the DNS server but the SRV record wasn’t found. This error requires a little more troubleshooting.

Ensure You’re Using the Domain FQDN

It seems simple, but verify that the name you typed matches the fully qualified domain name (FQDN) of the domain you are trying to join. This should only be a domain name, not a server name. For example, use carisbrookelabs.local and not WIN-3467RQTHJH5.carisbrookelabs.local.

If there’s any doubt, check the domain name of an existing domain client. You can find the appropriate domain name by running this PowerShell command on an existing domain client.

PS51> (Get-CimInstance Win32_ComputerSystem).Domain
carisbrookelabs.local

If you attempt to use the NETBIOS name (contoso) vs. the FQDN (contoso.local), the computer might find the domain but Windows will treat the name as an FQDN anyway.

If you type a NETBIOS name and don’t have a WINS infrastructure in place you will get the error we’re trying to fix. Always use a FQDN rather than a NETBIOS name.

Check DNS records

For this step you are going to use Resolve-DNSName again. This time using the exact DNS record that was not retrieved when you tried to join your machine to the domain. Copy and paste it from the dcdiag.txt file mentioned in the introduction, or the copy of the error text you took earlier. This will avoid any typos with underscores and dashes.

Your command should look something like this:

PS C:> Resolve-DNSName _ldap._tcp.dc._msdcs.carisbrookelabs.local


Name                    	Type TTL   Section	PrimaryServer           	NameAdministrator       	SerialNumber
----                    	---- ---   -------	-------------           	-----------------       	------------
_msdcs.carisbrookelabs.loca SOA  3600  Authority  WIN-3467RQTHJH5.carisbrooke hostmaster.carisbrookelabs. 419
l                                             	labs.local              	local

Want to quickly check your Active Directory for leaked passwords? Specops has a tool that does so for free and generates a nice report as well.

If you get DNS name does not exist as the response to this command, then your issue is with DNS.

• Ensure you’re using the correct DNS server
• Ensure the relevant records have not been deleted

If you get a positive response to Resolve-DNSName _msdcs.<domainname> but get a DNS name does not exist from Resolve-DNSName _ldap._tcp.dc._msdcs.<domainname>, then the records are missing.

Re-register your domain controller’s DNS records using the command ipconfig /registerdns on each DC. It may take a few minutes for the records to appear.

Once you can confirm the presence of the required DNS record(s) using Resolve-DNSName then you should be good to go.

Summary

In this article, you’ve learned some steps to try when troubleshooting the error “An Active Directory Domain Controller Could not be Contacted”. It’s impossible to cover every single scenario in an article like this, but I hope the process works for you and gets you on the right path!

Further Reading

• DNS and AD DS on Microsoft Docs
• Test-Connection: Ping Remote Hosts the PowerShell Way
• Resolve-DNSName cmdlet on Microsoft Docs
• Using The PowerShell Test-NetConnection Cmdlet on Windows

Did you encounter the ‘An Active Directory Domain Controller for the domain could not be contacted’ error? Most of the users experience this problem while they want to add another Windows Workstation to a particular domain. This problem basically occurs when you want to add another Windows workstation to a domain. If we analyze its causes, we can conclude that there are two major reasons behind this error- DNS misconfiguration and DNS malfunctioning. Can we get this problem solved? Yes, there are ways to get this error fixed and add another Windows workstations to a domain.

To add another Windows Workstations, you need to follow the below-mentioned steps:

1. Right-click on This PC and select Properties to open System Properties. 

2. A system properties window will open up. Click on Change Settings in the right corner under computer name, domain and workgroup settings.

3. New system properties will pop up. Click on Change button as shown below:

4. Click on the domain option then Add the domain name to connect and click OK. Once you will click OK, you will see this error:

“An Active Directory Domain Controller (AD DC) for the domain “123xyz.com” could not be contacted”.

Here in this section, we will discuss the factors of this error in detail:

• DNS misconfiguration: The primary cause of this error is DNS misconfiguration. However, the good news is that it can be easily re-configured so that you can get this error fixed.
• DNS services: Another major cause of this error could be malfunctioned DNS services. There is a solution to this problem, just restart the services.

How to fix this error?

Now we will discuss various methods and associated steps to fix this error. We got to know what this error means and how it occurs. Now we will get to know how to fix this error.

Method 1: Add New DNS Configuration

As we noticed the major factor of this error is DNS configuration, therefore if we add new DNS, this might solve our problem. To do this, you need to first log on to your system through which you want to add another workstation. Thereafter, you need to follow the below-mentioned steps accordingly:

1. In the Start Menu Search bar type and search for control panel then click on Control Panel from the search result.

2. Navigate to the Network & Internet then click on Network and Sharing Center to open.

3.  Click on the Network you are using “WiFi or Ethernet”.

4. A Status Properties will pop-up, Click on the Properties option.

5. Choose Internet Protocol Version 4 (TCP/IPv4) from the list and click on Properties.

6. In the Internet Protocol Version 4 (TCP/IPv4) Properties window click on the Advanced button.

7. Switch to the DNS tab and type in the IP address of your domain controller in the server address box as shown below. Click on Add then tap on the OK button.

8. Close all the windows and restart your system.

Now again try to add another Windows Workstation, it may work.

Also Read: Fix DLL Not Found or Missing on your Windows Computer

Method 2: Restart DNS Service

If the above method didn’t work in order to resolve the Active Directory Domain Controller Could Not Be Contacted error, then it could

If the above method did not fix the error, it could be possible that the cause of the error was not DNS misconfiguration. Another problem could be the malfunctioning of DNS service. It has been noted that some users experience this error due to DNS service not functioning properly on your system. Again, we have the solution to this problem as well. Follow the given steps systematically to fix the error by restarting DNS service:

1. Press Windows Key + R to open Run then type ‘services.msc’ and press Enter.

2. A Services Window will open, locate DNS Client service. Right-click on DNS Client and select Restart.

Note: If you find no restart option and unable to restart it from this method, you do not need to worry. You just need to open an elevated Command Prompt on your system.

3. Type the following command and press Enter:

net stop dnscache

5. To start it again, type:

net start dnscache

This way you can restart your DNS service. Once you are done with the steps, try joining the domain again.

Also Read: WiFi doesn’t have a valid IP configuration error? 10 Ways to Fix it!

Method 3: Connect Using Windows Settings

If you are still struggling to connect the domain then don’t worry as we can connect the domain you want and add your workstation using Windows Settings app. Usually, users connect their workstations to a domain using System properties. Nevertheless, you can connect to the domain by following the below-mentioned steps:

1. Press Windows Key + I to open Settings, then click on Accounts option.

2. Click on the ‘Access work or school’ tab in the left panel. Tap on the Connect option.

3. A Setup window will open, click on ‘Join this device to a local Active Directory Domain’ link at the bottom.

4. Type the domain name with the .local name (xxx.local) and save this setting.

5. Enter the admin password when prompt then reboot the system.

Recommended:

• Fix the Trust Relationship Between This Workstation and the Primary Domain Failed
• How to set up a VPN on Windows 10
• Fix MoUSO Core Worker Process in Windows 10

Hopefully, the above-mentioned methods will help you fix Active Directory Domain Controller Could Not Be Contacted error. But if you still have queries regarding this tutorial then feel free to ask them in the comment section.

/ March 20, 2019/ VMware Horizon

Horizon 7.8 Authentication can not proceed (Domain Name is invalid)
*DefaultDomain*

After upgrading my VMware Horizon environment from 7.7 to 7.8. The following error message appears while trying to logged in with the Horizon Client:
Authentication can not proceed (Domain Name is invalid)

Within Horizon version 7.8 there are several new security improvements regarding the domain list and the feature “Logon as current user“
By default started at version 7.8 Domains will not be listed while accessing the environment from the Horizon client. This result that users cannot logged-in without manually giving the company domain or sub-domain.

To solve this problem, there are three options;

1 The user will need to provide a UPN (Testuser@domain.nl)
2 Enable option “Hide domain list in client user interface” (Testuser@domain.nl or domaintestuser)
3 Enable option “Send domain list” ( domains are listed, user can select the domain)

The third option is a new property within the administrator console. Before Horizon 7.8, this was a default setting. The administrator was in the lead to choose if the domains must be listed.

How to change?

Within the administrator console

• unfold “View Configuration”
• Select “Global Settings”
• Under General, select Edit

Enable “send domain list”

After enabling the “send domain list” users can select the correct domain within the horizon client.

#Note after upgrading the horizon client to version 5.0.0 build-12606690. the user is able to logged in with the UPN domainusername and username@domain.com

Optional you can hide specific domains with the command vdadmin -n. for the full list i refer to https://docs.vmware.com/en/VMware-Horizon-7/7.8/horizon-administration/GUID-3E9924EC-1554-43E5-A812-84F9711909A5.html