When your users report that they see “an active directory domain controller for the domain could not be contacted” there could be a few different causes for this issue. Most likely, there aren’t any shenanigans happening, which makes this blog different from my usual writing. Users that can’t contact the Domain Controller are most likely having network or hardware issues. A good hacker wouldn’t want to call that kind of attention to their activity – unless they want to try to steal an administrator login ticket… anyway, this is most likely an easy fix.
In this blog, we will go through the troubleshooting steps and fixes to resolve the “DC can’t be contacted” issue in Windows.
Check If Your Computer Has the Correct IP Address
Step one to troubleshoot the “unreachable DC” issue is to verify that the client has a valid IP address for the network.
The Windows command to print the current IP address and other relevant information is “ipconfig /all.” The output lists each network adapter with its IP address, default gateway and DNS servers.
First, verify the IP address: does it look correct? If not, reboot the client to get a new IP address and refresh the network stack. If that doesn’t work you might have to go down the hardware rabbit hole, because not being able to get a DHCP address could be a cable issue or a network card issue.
Once you have the IP address issues squared away, check that the client can ping the DC. From the command prompt enter “ping domain.com” where the domain is the domain you are trying to check.
You can also use the “tracert domain.com” command to see all the hops between the client and the DC – it should be very quick.
If the DC isn’t reachable from the client, and other clients don’t have the same problem, there could be a bad cable or hardware issue on the client or some device in between. Try a different network jack or use wireless to narrow down the problem.
You can use PowerShell to get the same results with different commands.
Display IP address: Get-NetIPConfiguration -All
Ping the DC: Test-NetConnection domainname
Trace the route to the DC: Test-NetConnection -TraceRoute domainname
If none of those things work, it could be a configuration issue on the network (DC, DNS) that you need to check – keep reading.
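The whole client-side sequence above (IP configuration, ping, traceroute) as one script, added here as an example; this is not code from the original post. It also tests the LDAP port (TCP 389) directly, because many networks filter ICMP and a failed ping by itself does not prove the DC is unreachable. $Domain defaults to the domain the client is joined to ($env:USERDNSDOMAIN); pass another name to check a different domain.

```powershell
# Added example; not code from the original post. Runs the checks described
# above, in order, on the client that shows the error. $Domain defaults to
# the joined domain ($env:USERDNSDOMAIN). Hostnames in comments are constructed.
function Test-DcReachability {
    param([string]$Domain = $env:USERDNSDOMAIN)

    if (-not $Domain) {
        Write-Warning 'No domain given and USERDNSDOMAIN is empty; is this client domain-joined?'
        return
    }

    # Step 1: IP configuration of every adapter that is up (same data as ipconfig /all).
    # An address in 169.254.0.0/16 (APIPA) means no DHCP lease was obtained, which
    # points at a cable, NIC or DHCP problem rather than at the DC.
    foreach ($cfg in (Get-NetIPConfiguration | Where-Object { $_.NetAdapter.Status -eq 'Up' })) {
        $ip  = @($cfg.IPv4Address.IPAddress) -join ', '
        $gw  = $cfg.IPv4DefaultGateway.NextHop
        $dns = @($cfg.DNSServer | Where-Object { $_.AddressFamily -eq 2 } |
                ForEach-Object { $_.ServerAddresses }) -join ', '
        '{0}: IPv4={1} Gateway={2} DNS={3}' -f $cfg.InterfaceAlias, $ip, $gw, $dns
        if ($ip -like '169.254.*') {
            Write-Warning "$($cfg.InterfaceAlias) has an APIPA address; DHCP did not hand out a lease."
        }
        if (-not $dns) {
            Write-Warning "$($cfg.InterfaceAlias) has no DNS server; a DC cannot be located without one."
        }
    }

    # Step 2: ping the domain name. Resolving the domain name returns the address
    # of a DC, so a failed name resolution here is a DNS problem, not a cabling one.
    $ping = Test-NetConnection -ComputerName $Domain -WarningAction SilentlyContinue
    if (-not $ping.NameResolutionSucceeded) {
        Write-Warning "$Domain did not resolve; check the client's DNS servers and the zone on the DC."
        return
    }
    $pingState = if ($ping.PingSucceeded) { 'OK' } else { 'FAILED' }
    '{0}: resolved to {1}, ping {2}' -f $Domain, $ping.RemoteAddress, $pingState

    # Step 3: trace the route. A trace that stops short identifies the last
    # device that answered, which narrows the problem to the client side of it.
    $trace = Test-NetConnection -ComputerName $Domain -TraceRoute -WarningAction SilentlyContinue
    'Route to {0} ({1} hops):' -f $Domain, @($trace.TraceRoute).Count
    $trace.TraceRoute | ForEach-Object { "  $_" }

    # Step 4: ICMP is often filtered, so also test the LDAP port the client
    # actually uses to talk to the DC. Open here with a failed ping means the
    # DC is reachable and ping alone was misleading.
    $ldap = Test-NetConnection -ComputerName $Domain -Port 389 -WarningAction SilentlyContinue
    $ldapState = if ($ldap.TcpTestSucceeded) { 'open' } else { 'closed or filtered' }
    'TCP 389 to {0}: {1}' -f $Domain, $ldapState
}

Test-DcReachability
```

Run it in an elevated or normal PowerShell session on the affected client; Get-NetIPConfiguration and Test-NetConnection ship with Windows 8.1 / Server 2012 R2 and later.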
Check If the DNS Zone of the Domain Controller Has an SRV Record
If you made it this far down in the troubleshooting of the “unreachable DC” issue, then you might need to fix your DNS configuration.
In DNS, there is a record type called an SRV record that defines where a specific service lives. The SRV record we need is the pointer to the DC, which lives in the Forward Lookup Zone -> domain -> _tcp folder. The entry is named _ldap. Here are a few commands you can run to retrieve this SRV record if you prefer that to the DNS configuration GUI.
From the cmd prompt on the DC:
You should see the name of your DC in the output.
If you get a name that isn’t a proper DC, that explains why you are getting the “unreachable DC” error. The system is looking for the DC on the wrong computer. Update this SRV record to point to the correct computer.
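A scripted version of this SRV check, added here as an example and not code from the original post. It queries the _ldap._tcp record described above (and the dc._msdcs copy that the DC Locator itself uses), prints the targets, and compares them with the DC that the Locator (nltest /dsgetdc) picks, so a record pointing at a machine that is not a DC shows up as a mismatch. Run it on the client that reports the error so the lookup goes through the DNS server that client actually uses. $Domain defaults to $env:USERDNSDOMAIN; the hostname in the comment is constructed.

```powershell
# Added example; not code from the original post. Resolves the _ldap SRV
# records for $Domain and cross-checks them against the DC Locator's answer.
function Test-DcSrvRecord {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $targets = @()
    foreach ($name in "_ldap._tcp.$Domain", "_ldap._tcp.dc._msdcs.$Domain") {
        try {
            # Resolve-DnsName also returns glue A records; keep only the SRV rows.
            $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
        } catch {
            Write-Warning "$name : $($_.Exception.Message)"
            continue
        }
        foreach ($r in $records) {
            '{0} -> {1}:{2} (priority {3}, weight {4})' -f $name, $r.NameTarget, $r.Port, $r.Priority, $r.Weight
            $targets += $r.NameTarget
        }
    }
    if (-not $targets) {
        Write-Warning "No _ldap SRV records for $Domain; clients cannot locate a DC without them."
        return
    }

    # Ask the DC Locator which DC it chooses. Its output contains a line like
    #   DC: \\DC01.corp.example.com     (constructed hostname)
    $locatorDc = $null
    foreach ($line in (nltest /dsgetdc:$Domain 2>&1)) {
        if ("$line" -match '^\s*DC:\s+\\\\(\S+)') { $locatorDc = $Matches[1] }
    }
    if (-not $locatorDc) {
        Write-Warning "nltest could not locate a DC for $Domain; this client is in the 'cannot be contacted' state."
    } elseif ($targets -notcontains $locatorDc) {
        # The Locator and DNS disagree: one of them points at the wrong machine.
        Write-Warning "Locator returned $locatorDc, which is not among the SRV targets: $($targets -join ', ')."
    } else {
        "Locator DC $locatorDc matches the SRV records."
    }
    $targets | Sort-Object -Unique
}

Test-DcSrvRecord
```

Every hostname the script prints should be a domain controller; any other name is the stale or mistyped record to correct in the zone.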
Hopefully, one of these solutions helps you resolve the “unreachable DC” issue without having to replace any hardware. Usually, these issues are client-side network issues and easily diagnosed.
For more troubleshooting tips and tricks, check out Adam Bertram’s PowerShell and Active Directory Essentials course. It’s free, on-demand, and worth 3 CPE credits!
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.