Every IT admin managing machines in an Active Directory environment has been there. You try to add a computer to an Active Directory (AD) domain and get the dreaded "An Active Directory Domain Controller Could not be Contacted" error. In this article, learn the steps to diagnose (and solve) this problem for good.

[Image: An Active Directory Domain Controller Could not be Contacted]

This error is DNS-related. The main problem is that the computer has failed to find an appropriate SRV DNS record it needs to join the AD domain.

I've put together a few steps for you to follow to fix this error and get your computer joined to your domain.

Ensure You're Using the Right DNS Servers

Before you get too far down a rabbit hole, first ensure you're using the right DNS servers in the first place.

Active Directory and DNS have a special relationship. Domain controllers register specific records in the DNS servers they know about. These live under _ldap._tcp.dc._msdcs.<domainname> and help AD-joined devices find resources such as domain controllers. These SRV records won't exist on DNS servers that aren't AD-integrated.

To resolve this issue, you need to be using either:

  • An AD-integrated DNS server
  • A DNS server that replicates records from an AD-aware DNS server
  • A DNS server that has forwarding set up to query either an AD-integrated DNS server or a DNS server with replicated records

To check that the DNS server you are using is one of the above, run the following command in a PowerShell session on an existing domain-joined computer:

PS C:\> Get-DnsClientServerAddress

InterfaceAlias               Interface Address ServerAddresses
                             Index     Family
--------------               --------- ------- ---------------
Ethernet                             9 IPv4    {10.0.0.101}
Ethernet                             9 IPv6    {}
Loopback Pseudo-Interface 1          1 IPv4    {}
Loopback Pseudo-Interface 1          1 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}

The values in the ServerAddresses column are the DNS servers being used by that computer. If you don't have another domain client to check, you will need to contact your network team for this information.

You can change the computer's DNS client settings either with PowerShell's Set-DnsClientServerAddress cmdlet or through the IPv4 Properties dialog box for the computer's network card. The dialog is reached by going to Control Panel --> Network and Internet --> Network Connections.

Once in the Network Connections window, right-click on the network card, choose Properties, choose Internet Protocol Version 4 (TCP/IPv4) and then click on Properties.

[Image: IPv4 properties dialog]

If the network uses Dynamic Host Configuration Protocol (DHCP), ensure the Obtain an IP address automatically and Obtain DNS server address automatically options are selected.

If your network doesn’t use DHCP then update the Preferred DNS server and Alternative DNS server values to the correct ones you obtained earlier.
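As an added example (not code from the original article), the script below does the check and the fix from this section in one place: it compares the DNS servers on each active adapter with a known-good list copied from an existing domain client, then points an adapter at those servers or back at DHCP. The server addresses and both function names are assumptions for illustration.

```powershell
# Added example, not from the original article: compare the DNS servers this computer
# uses with a known-good list taken from an existing domain client, and correct them.
# The server addresses and the function names are assumptions for illustration.
$ExpectedDnsServers = @('10.0.0.101', '10.0.0.102')   # assumed AD-integrated DNS servers

function Test-DnsClientConfiguration {
    param([string[]]$Expected = $ExpectedDnsServers)

    # Only physical adapters that are up matter here; loopback and tunnel adapters are noise.
    foreach ($adapter in (Get-NetAdapter -Physical | Where-Object Status -eq 'Up')) {
        $configured = @((Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses)
        $unexpected = @($configured | Where-Object { $_ -notin $Expected })
        [pscustomobject]@{
            InterfaceAlias = $adapter.Name
            Configured     = $configured -join ', '
            Unexpected     = $unexpected -join ', '
            # Public resolvers such as 8.8.8.8 will never hold the AD zone, so anything
            # outside the expected list is a problem even if it resolves Internet names.
            Ok             = ($configured.Count -gt 0 -and $unexpected.Count -eq 0)
        }
    }
}

function Set-DnsClientToExpected {
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        [string[]]$Servers = $ExpectedDnsServers,
        [switch]$UseDhcp
    )
    if ($UseDhcp) {
        # Return the adapter to DHCP-assigned DNS servers (the "obtain automatically" option).
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
    } else {
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Servers
    }
    # Drop cached negative answers from the old servers before retrying the join.
    Clear-DnsClientCache
}

# Usage: report first, then fix the adapter that is wrong (requires an elevated session).
Test-DnsClientConfiguration | Format-Table -AutoSize
# Set-DnsClientToExpected -InterfaceAlias 'Ethernet'
```

Run the report before changing anything; an adapter whose Unexpected column lists a public resolver is the usual cause of the error this article is about, and on a DHCP network the fix is -UseDhcp rather than hard-coding addresses.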

Find the True Error

If you've confirmed your computer has the correct DNS servers then it's time to jump in a little further.

When you attempt to join a computer to a domain, the error "An Active Directory Domain Controller Could not be Contacted" comes up but it's not the "true" error message. You need to dive a little deeper.

You'll notice in the error dialog a Details >> button. Click that. This will return more granular information allowing you to troubleshoot this error better.

[Image: Expanded details view of the error dialog]

You can select the contents of the text box to copy and paste into a text viewer, or you can find the same information in the C:\windows\debug\dcdiag.txt file on that machine. Windows creates this file when the error occurs.

The error text contains some key pieces of information. I've numbered each of these in the example below:

  • The domain name the machine thinks you've asked it to join (1)
  • The error code (2)
  • The DNS query that was made (3)
  • The DNS server(s) the machine queried (if any) (4)

Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you have received this information, which has been recorded in the file C:\windows\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "carisbrookelabs.local"(1):

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR) (2)

The query was for the SRV record for _ldap._tcp.dc._msdcs.carisbrookelabs.local (3)

Common causes of this error include the following:

The DNS SRV records required to locate an AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when an AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

8.8.4.4
8.8.8.8 (4)

One or more of the following zones do not include delegation to its child zone: carisbrookelabs.local

local
. (the root zone)
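The four numbered items can be pulled out of dcdiag.txt automatically. The function below is an added example, not part of the original article; it reads the file at the path the article gives (or text you pass in) and extracts the domain, error code, query and DNS server list with regular expressions. The sample text is constructed from the wording shown above, and the function name is an assumption.

```powershell
# Added example, not from the original article: parse the dcdiag.txt error text into
# the four pieces of information the article numbers (domain, error code, query, servers).
function Get-DcDiagErrorInfo {
    param(
        [string]$Path = 'C:\windows\debug\dcdiag.txt',   # path given in the article
        [string]$Text                                    # or pass the pasted error text directly
    )
    if (-not $Text) { $Text = Get-Content -Path $Path -Raw }

    # (1) domain name, (2) error code and symbolic name, (3) the SRV name that was queried
    $domain = if ($Text -match 'for domain "([^"]+)"')                        { $Matches[1] }
    $code   = if ($Text -match '\(error code (0x[0-9A-Fa-f]+) ([A-Z0-9_]+)\)') { "$($Matches[1]) $($Matches[2])" }
    $query  = if ($Text -match 'SRV record for (\S+)')                         { $Matches[1] }

    # (4) the DNS servers are listed one per line after "following IP addresses:" up to a blank line
    $servers = @()
    if ($Text -match '(?s)following IP addresses:\s*(.+?)(?:\r?\n\s*\r?\n|$)') {
        $servers = @($Matches[1] -split '\r?\n' | ForEach-Object { $_.Trim() } |
                     Where-Object { $_ -match '^[0-9a-fA-F:.]+$' })
    }

    [pscustomobject]@{
        Domain     = $domain
        ErrorCode  = $code
        Query      = $query
        DnsServers = $servers
    }
}

# Constructed sample, based on the error text shown in the article (not a captured file).
$sample = @'
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "carisbrookelabs.local":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.carisbrookelabs.local

Common causes of this error include the following:

The DNS SRV records required to locate an AD DC for the domain are not registered in DNS. This computer is configured to use DNS servers with the following IP addresses:

8.8.4.4
8.8.8.8

One or more of the following zones do not include delegation to its child zone: carisbrookelabs.local
'@

$info = Get-DcDiagErrorInfo -Text $sample
$info | Format-List

# The example text shows the classic misconfiguration: public resolvers that can never
# hold the AD zone. Flag it so the next step is obvious.
if ($info.DnsServers | Where-Object { $_ -in '8.8.8.8', '8.8.4.4', '1.1.1.1' }) {
    Write-Warning "Public DNS servers configured; point the client at an AD-integrated DNS server first."
}
```

On a real machine, call Get-DcDiagErrorInfo with no arguments to read the file Windows wrote; the ErrorCode value tells you which of the two sub-sections below applies.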

0x0000267C DNS_ERROR_NO_DNS_SERVER

This error indicates that no DNS server could be reached, so the query was never even attempted. This is typically due to no network connectivity to the DNS server.

Note that you can join a computer without a network connection (known as an offline domain join), but that is outside the scope of this article.

Troubleshoot Your Network Connection

If you see this error message, you'll need to start doing some network troubleshooting.

  1. Check that your network adapter is enabled and you can connect to other network resources.
  2. Check that you have an IP address and DNS servers configured.

You can check for an IP address and DNS servers by running ipconfig /all.

If you have an IP address and can reach other network resources, you'll need to test your connection between the computer and the DNS server.

To do so, you can use ping and PowerShell's Test-Connection cmdlet. Test connectivity to the DNS server(s) using either of these two utilities. If Internet Control Message Protocol (ICMP) traffic is allowed on the network, you should get a response. If there's an error or time-out, you most likely have some sort of networking issue, such as routing. Talk to your networking team to resolve the issue, then try the join again.

Check DNS connectivity

If you've confirmed your network connection is working, you'll next need to ensure your computer can connect via TCP/53 to the DNS server.

Try using the Resolve-DNSName PowerShell cmdlet with the FQDN of the domain you are trying to join. This should return one or more A records (the domain's domain controllers register these):

PS C:\> Resolve-DNSName carisbrookelabs.local

Name                   Type TTL Section IPAddress
----                   ---- --- ------- ---------
carisbrookelabs.local  A    600 Answer  10.0.0.103
carisbrookelabs.local  A    600 Answer  10.0.0.102
carisbrookelabs.local  A    600 Answer  10.0.0.101

If you get an error, then it is worth checking that there's nothing blocking IP traffic on port 53 (the port used for DNS traffic) between your machine and the DNS servers.

You can do a simple check for connectivity on port 53 using the Test-NetConnection cmdlet (not to be confused with the Test-Connection cmdlet):

PS C:\> Test-NetConnection -Port 53 -ComputerName <DNSSERVERHERE> -InformationLevel Quiet
True

You will get a response of True if the connection succeeds, or False if it fails. A failure could be due to a network or host-based firewall on the DNS server.

0x0000232B RCODE_NAME_ERROR

This error means it was able to find the DNS server but the SRV record wasn't found. This error requires a little more troubleshooting.

Ensure You're Using the Domain FQDN

It seems simple, but verify that the name you typed matches the fully qualified domain name (FQDN) of the domain you are trying to join. This should only be a domain name, not a server name. For example, use carisbrookelabs.local and not WIN-3467RQTHJH5.carisbrookelabs.local.

If there’s any doubt, check the domain name of an existing domain client. You can find the appropriate domain name by running this PowerShell command on an existing domain client.

PS C:\> (Get-CimInstance Win32_ComputerSystem).Domain
carisbrookelabs.local

If you type the NetBIOS name (contoso) instead of the FQDN (contoso.local), the computer might still find the domain, but Windows treats whatever you typed as an FQDN anyway.

If you type a NetBIOS name and don't have a WINS infrastructure in place, you will get the error we're trying to fix. Always use an FQDN rather than a NetBIOS name.

[Image: Typing an FQDN in the Computer/Domain Changes dialog]

Check DNS records

For this step you are going to use Resolve-DNSName again, this time with the exact DNS record that could not be retrieved when you tried to join your machine to the domain. Copy and paste it from the dcdiag.txt file mentioned earlier, or from the copy of the error text you took. This will avoid any typos with underscores and dashes.

Your command should look something like this:

PS C:\> Resolve-DNSName _ldap._tcp.dc._msdcs.carisbrookelabs.local

Name                         Type TTL  Section   PrimaryServer                         NameAdministrator                SerialNumber
----                         ---- ---  -------   -------------                         -----------------                ------------
_msdcs.carisbrookelabs.local SOA  3600 Authority WIN-3467RQTHJH5.carisbrookelabs.local hostmaster.carisbrookelabs.local 419

If you get DNS name does not exist as the response to this command, then your issue is with DNS.

  • Ensure you're using the correct DNS server
  • Ensure the relevant records have not been deleted

If you get a positive response to Resolve-DNSName _msdcs.<domainname> but get a DNS name does not exist from Resolve-DNSName _ldap._tcp.dc._msdcs.<domainname>, then the records are missing.

Re-register your domain controller's DNS records using the command ipconfig /registerdns on each DC. It may take a few minutes for the records to appear.

Once you can confirm the presence of the required DNS record(s) using Resolve-DNSName then you should be good to go.
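The checks from the connectivity section (ping, TCP/53) and from this section (domain A records, the _msdcs zone, the _ldap._tcp.dc._msdcs SRV record) form one ordered chain, so here they are as a single added example that is not code from the original article. The function name is an assumption, the domain in the usage line is the article's example, and by default it tests every IPv4 DNS server the client is configured with.

```powershell
# Added example, not from the original article: run the article's connectivity and
# DNS-record checks in order against each configured DNS server and report the first
# step that fails. The function name and the default server list are assumptions.
function Test-DomainJoinDns {
    param(
        [Parameter(Mandatory)][string]$DomainFqdn,   # e.g. carisbrookelabs.local, never a host name
        [string[]]$DnsServer = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                                Where-Object { $_.ServerAddresses } |
                                Select-Object -ExpandProperty ServerAddresses -Unique)
    )
    $srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"

    foreach ($server in $DnsServer) {
        $r = [ordered]@{ DnsServer = $server; Icmp = $false; Tcp53 = $false
                         DomainA = $false; MsdcsZone = $false; DcSrv = $false; Verdict = '' }

        # ICMP is often filtered, so a failed ping is a hint rather than proof of a network fault.
        $r.Icmp = Test-Connection -ComputerName $server -Count 1 -Quiet

        # Test-NetConnection only exercises TCP; True here does not prove UDP/53 is reachable,
        # but False means the server cannot be contacted at all (the 0x0000267C case).
        $r.Tcp53 = Test-NetConnection -ComputerName $server -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue

        try { $r.DomainA   = [bool](Resolve-DnsName -Name $DomainFqdn -Type A -Server $server -ErrorAction Stop) } catch {}
        try { $r.MsdcsZone = [bool](Resolve-DnsName -Name "_msdcs.$DomainFqdn" -Type SOA -Server $server -ErrorAction Stop) } catch {}
        # Ask for the SRV record explicitly. Without -Type SRV the cmdlet looks up A/AAAA, and
        # the SOA it returns only proves the name exists, not that the SRV record does.
        try {
            $r.DcSrv = [bool](Resolve-DnsName -Name $srvName -Type SRV -Server $server -ErrorAction Stop |
                              Where-Object Type -eq 'SRV')
        } catch {}

        $r.Verdict = switch ($true) {
            (-not $r.Tcp53)     { 'Cannot reach port 53: network or firewall problem (0x0000267C DNS_ERROR_NO_DNS_SERVER)'; break }
            (-not $r.DomainA)   { 'Domain name does not resolve: wrong DNS server or wrong FQDN'; break }
            (-not $r.MsdcsZone) { '_msdcs zone missing: this DNS server is not AD-integrated and does not replicate or forward the zone'; break }
            (-not $r.DcSrv)     { 'SRV record missing: run ipconfig /registerdns on each DC and wait a few minutes (0x0000232B RCODE_NAME_ERROR)'; break }
            default             { 'OK: the domain join should succeed using this DNS server' }
        }
        [pscustomobject]$r
    }
}

# Usage (the domain is the article's example):
Test-DomainJoinDns -DomainFqdn 'carisbrookelabs.local' | Format-List
```

Read the Verdict column top to bottom: each check assumes the earlier ones passed, so the first failing step is the one to fix, and a server that reaches DcSrv = True is one the join will work against.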

Summary

In this article, you've learned some steps to try when troubleshooting the error "An Active Directory Domain Controller Could not be Contacted". It's impossible to cover every single scenario in an article like this, but I hope the process works for you and gets you on the right path!

Further Reading