
Active Directory Domain Controller (AD DC) Could Not Be Contacted [SOLVED]



    When your users report that they see “an active directory domain controller for the domain could not be contacted,” there could be a few different causes for this issue. Most likely, there aren’t any shenanigans happening, which makes this blog different from my usual writing. Users who can’t contact the Domain Controller are most likely having network or hardware issues. A good hacker wouldn’t want to call that kind of attention to their activity – unless they want to try to steal an administrator login ticket… anyway, this is most likely an easy fix.


    In this blog, we will go through the troubleshooting steps and fixes to resolve the “DC can’t be contacted” issue in Windows.

    Check If Your Computer Has the Correct IP Address

    Step one to troubleshoot the “unreachable DC” issue is to verify that the client has a valid IP address for the network.

    The Windows command to print the current IP address and other relevant information is “ipconfig /all”.

    First, verify the IP address. Does it look correct? If not, reboot the client to get a new IP address and refresh the network stack. If that doesn’t work, you might have to go down the hardware rabbit hole, because not being able to get a DHCP address could be a cable issue or a network card issue.

    Once you have the IP address issues squared away, check that the client can ping the DC. From the command prompt, enter “ping” followed by the domain you are trying to check:

    ping domain

    You can also use the “tracert” command to see all the hops between the client and the DC – it should be very quick.

    tracert domain

    If the DC isn’t reachable from the client, and other clients don’t have the same problem, there could be a bad cable or hardware issue on the client or some device in between. Try a different network jack or use wireless to narrow down the problem.

    You can use PowerShell to get the same results with different commands.

    Display IP address: Get-NetIPConfiguration -All


    Ping the DC: Test-NetConnection domainname


    Trace the routes to the DC: Test-NetConnection -TraceRoute domainname


    If none of those things work, it could be a configuration issue on the network (DC, DNS) that you need to check – keep reading.

    Check If the DNS Zone of the Domain Controller Has an SRV Record

    If you made it this far down in the troubleshooting of the “unreachable DC” issue, then you might need to fix your DNS configuration.

    DNS uses SRV records to define the location of specific services. The SRV record we need is the pointer to the DC, which lives in the Forward Lookup Zone -> domain -> _tcp folder. The entry is named _ldap. Here are a few commands you can run to retrieve this SRV record if you prefer that to the DNS Configuration GUI.

    From the cmd prompt on the DC, start nslookup and set the query type to all before looking up the _ldap record:

    nslookup
    set type=all

    You should see the name of your DC in the output.

    You can also use PowerShell to see the same output from any machine on the network.


    If you get a name that isn’t a proper DC, that explains why you are getting the “unreachable DC” error. The system is looking for the DC on the wrong computer. Update this SRV record to point to the correct computer.
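
    One way to run the SRV check above from PowerShell, as an added example that is not part of the original post: it looks up the _ldap record, then reports whether each target resolves, answers on the advertised port, and is one of the DCs you expect. The function name Test-DcSrvRecord, the domain corp.example.com and the DC name dc01.corp.example.com are assumptions.

```powershell
# Added example, not from the original post. Domain and DC names are placeholders.
function Test-DcSrvRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]   $Domain,
        [Parameter(Mandatory)][string[]] $ExpectedDc   # FQDNs of the real DCs
    )

    # The _ldap entry in the domain's _tcp folder, written as a DNS name.
    $srvName = "_ldap._tcp.$Domain"
    try {
        $answer = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop
    } catch {
        Write-Warning "No SRV answer for ${srvName}: $($_.Exception.Message)"
        return
    }

    # The answer can also carry A/AAAA records; keep only the SRV entries.
    $srvRecords = $answer | Where-Object { $_.Type -eq 'SRV' }

    foreach ($srv in $srvRecords) {
        $target = $srv.NameTarget.TrimEnd('.')

        # Does the host the record points at resolve to an address?
        $ip = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } |
              Select-Object -ExpandProperty IPAddress

        # Does it answer on the port the record advertises (389 for LDAP)?
        $open = $false
        if ($ip) {
            $open = Test-NetConnection -ComputerName $target -Port $srv.Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
        }

        [pscustomobject]@{
            SrvRecord  = $srvName
            Target     = $target
            Port       = $srv.Port
            Address    = $ip -join ', '
            IsExpected = $ExpectedDc -contains $target   # case-insensitive match
            Reachable  = $open
        }
    }
}

# Constructed values; replace with your own domain and DC names.
Test-DcSrvRecord -Domain 'corp.example.com' -ExpectedDc 'dc01.corp.example.com' |
    Format-Table -AutoSize
```

    A row with IsExpected set to False is an SRV record pointing at a computer that is not one of your DCs; a row with Reachable set to False points at the right name but the host is not answering on the LDAP port.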


    Hopefully, one of these solutions helps you resolve the “unreachable DC” issue without having to replace any hardware. Usually, these issues are client-side network issues and easily diagnosed.

    For more troubleshooting tips and tricks, check out Adam Bertram’s PowerShell and Active Directory Essentials course. It’s free, on-demand, and worth 3 CPE credits!
