Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Active Directory Domain Controller (AD DC) Could Not Be Contacted [SOLVED]

Sometimes clients report an error “An Active Directory Domain Controller (AD DC) for the domain could not be contacted.” Read on to learn how to troubleshoot and resolve this issue.
Michael Buckbee
2 min read
Published March 29, 2020
Last updated February 24, 2022

When your users report that they see “an active directory domain controller for the domain could not be contacted” there could be a few different causes for this issue. Most likely, there aren’t any shenanigans happening, which makes this blog different from my usual writing. Users that can’t contact the Domain Controller are most likely having network or hardware issues. A good hacker wouldn’t want to call that kind of attention to their activity –  unless they want to try to steal an administrator login ticket… anyway, this is most likely an easy fix.

active directory controller not contacted 1

Get the Free Pentesting Active
Directory Environments e-book

In this blog, we will go through the troubleshooting steps and fixes to resolve the “DC can’t be contacted” issue in Windows.

Check If Your Computer Has the Correct IP Address

Step one to troubleshoot the “unreachable DC” issue is to verify that the client has a valid IP address for the network.

The Windows command to print the current IP address and other relevant information is “ipconfig –all.” The output will look like this:

active directory controller could not be contacted 2

First, verify the IP address, does it look correct? If not, reboot the client to get a new IP address and refresh the network stack. If that doesn’t work you might have to go down the hardware rabbit hole, cause not being able to get a DHCP address could be a cable issue or a network card issue.

Once you have the IP address issues squared away, check that the client can ping the DC. From the command prompt enter “ping domain.com” where the domain is the domain you are trying to check.

ping domain

You can also use the “tracert domain.com” command to see all the hops between the client and the DC – it should be very quick.

tracert domain active directory controller

If the DC isn’t reachable from the client, and other clients don’t have the same problem, there could be a bad cable or hardware issue on the client or some device in between. Try a different network jack or use wireless to narrow down the problem.

You can use PowerShell to get the same results with different commands.

Display IP address: Get-NetIPConfiguration –All

display IP

Ping the DC: Test-NetConnection domainname

ping domain controller

Trace the routes to the DC: Test-NetConnection –TraceRoute domainname

trace routes DC

If none of those things work, it could be a configuration issue on the network (DC, DNS) that you need to check – keep reading.

Check If the DNS Zone of the Domain Controller Has an SRV Record

If you made it this far down in the troubleshooting of the “unreachable DC” issue, then you might need to fix your DNS configuration.

In DNS, there is a thing called an SRV record that defines specific services. The SRV record we need is the pointer to the DC, which lives in the Forward Lookup Zone -> domain -> _tcp folder. The entry is named _ldap.Here are a few commands you can run to retrieve this SRV record if you prefer that to the DNS Configuration GUI.

From the cmd prompt on the DC:

nslookup

set type=all

ldap._tcp.dc.msdcs.your_domain_name.com

You should see the name of your DC in the output.

You can also run the following PowerShell to see the same output from any machine on the network here.

check for SRV

If you get a name that isn’t a proper DC, that explains why you are getting the “unreachable DC” error. The system is looking for the DC on the wrong computer. Update this SRV record to point to the correct computer.

active directory controller could not be contacted cheat sheet

Hopefully, one of these solutions helps you resolve the “unreachable DC” issue without having to replace any hardware.  Usually, these issues are client-side network issues and easily diagnosed.

For more troubleshooting tips and tricks, check out Adam Bertram’s PowerShell and Active Directory Essentials course. It’s free, on-demand, and worth 3 CPE credits!

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

what-is-a-domain-controller,-when-is-it-needed-+-set-up
What is a Domain Controller, When is it Needed + Set Up
Domain controllers are common targets of attackers. Learn how to protect and secure your domain controllers to prevent data breaches.
exchange-vulnerability:-how-to-detect-domain-admin-privilege-escalation
Exchange Vulnerability: How to Detect Domain Admin Privilege Escalation
Researchers recently uncovered a vulnerability in Exchange that allows any domain user to obtain Domain admin privileges that allow them to compromise AD and connected hosts. Here’s how the attack...
risks-of-renaming-your-domain-in-active-directory
Risks of Renaming Your Domain in Active Directory
As a sysadmin, there might be moments where you’ll find the need to change, merge, or rename your domain. Hopefully you name your domain well the first time, but there…
5-fsmo-roles-in-active-directory
5 FSMO Roles in Active Directory
FSMO roles give you confidence that your domain will be able to perform the primary functions of authenticating users and permissions. Learn more today.