How do I troubleshoot the domain controller location process?

A computer that cannot locate a domain controller for its domain cannot log on to the domain itself and cannot process user logons. Troubleshooting the domain controller location process is therefore a key part of solving many logon problems.

Symptoms

Symptoms of a client's inability to locate a domain controller include an inability to log on to the domain and an inability to process user logons. You might also see System and Security event log messages indicating that a domain controller for the appropriate domain could not be found.

Verification

To determine the cause of the problem, follow these steps:

  1. Verify that the computer has the correct IP configuration for its subnet, including IP address, DNS server, and default gateway. To do so, open a command-line window and run
    ipconfig /all
    to display the configured information. If the configuration is wrong, correct it.
  2. Use the Ping utility to verify network connectivity to the configured default gateway, DNS server, and at least one domain controller in the local site. If you cannot verify connectivity, troubleshoot and correct the problem.
  3. Run
    netdiag /v
    to report on any problems with Windows' networking components. Correct any error conditions that are reported by using Netdiag /fix or by manually correcting the problem.
  4. Run
    nltest /dsgetdc:domainname
    replacing domainname with the name of the domain that you are trying to log on to. This command verifies that a domain controller can be located. Nltest is included in Support Tools.
  5. Use the Nslookup tool to verify that DNS contains the records needed to locate a domain controller. If either of the following tests fails to return records with the proper host names and IP addresses, restart your domain controllers to force them to register with DNS (also ensure that DNS is configured to accept dynamic updates and can accept service (SRV) resource records):
    nslookup fully-qualified-server-name
    where fully-qualified-server-name is the complete DNS name of a known domain controller, such as dc1.mydomain.com
    nslookup guid._msdcs.rootdomain
    where rootdomain is the complete DNS name of the root domain, such as mydomain.com
  6. On your domain controllers, run
    dcdiag /v
    to check for many common domain controller problems. Correct any error conditions that are reported.
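The client-side checks in steps 1, 2, 4 and 5, together with the event-log symptom check described above, can be run as one script. The following PowerShell script is an added example and is not part of the original article. It assumes a current domain-joined Windows client (PowerShell 5.1 or later with the NetTCPIP and DnsClient modules, so Get-NetIPConfiguration, Test-Connection and Resolve-DnsName are available) and that nltest.exe is present. Step 3 (netdiag) is not run because netdiag is no longer shipped with current Windows versions, and step 6 (dcdiag) belongs on the domain controller itself. The parameter names, the domain and GUID values, and the Test-Record helper are this script's own; in addition to the article's two nslookup tests it also queries the _ldap and _kerberos SRV records under _msdcs, which are the records the locator actually asks DNS for first.

```powershell
<#
  Added example: client-side DC locator checks (not from the original article).
  Assumes Windows 8 / Server 2012 or later with the NetTCPIP and DnsClient
  modules and nltest.exe. Parameter names and sample values are this script's own.
#>
param(
    [Parameter(Mandatory)] [string] $Domain,   # DNS name of the logon domain, e.g. mydomain.com
    [string] $ForestRoot,                       # forest root DNS name; defaults to $Domain
    [string] $KnownDc,                          # optional: FQDN of a known DC for the A-record test
    [string] $DsaGuid                           # optional: GUID for the guid._msdcs.<root> CNAME test
)
if (-not $ForestRoot) { $ForestRoot = $Domain }

$results = [ordered]@{}

# Step 1: IP configuration of the adapter(s) that carry a default gateway.
$ipcfg      = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway }
$gateway    = @($ipcfg.IPv4DefaultGateway.NextHop)
$dnsServers = @($ipcfg.DNSServer.ServerAddresses)
$results['IPv4 address']    = (@($ipcfg.IPv4Address.IPAddress) -join ', ')
$results['Default gateway'] = ($gateway -join ', ')
$results['DNS servers']     = ($dnsServers -join ', ')

# Step 4: ask the DC locator directly. nltest prints "The command completed
# successfully" when a DC is found; the "DC: \\name" line names it.
$locator = & nltest.exe "/dsgetdc:$Domain" 2>&1
$locatorOk = [bool]($locator -match 'The command completed successfully')
$results['nltest /dsgetdc'] = if ($locatorOk) { 'OK' } else { 'FAILED: ' + ($locator -join ' ') }
$dcName = $KnownDc
if (-not $dcName) {
    $dcName = ($locator | ForEach-Object {
        if ($_ -match 'DC:\s*\\\\(\S+)') { $Matches[1] } }) | Select-Object -First 1
}

# Step 2: connectivity to the gateway, every configured DNS server, and the DC (if known).
foreach ($target in (($gateway + $dnsServers + @($dcName)) | Where-Object { $_ })) {
    $results["Ping $target"] = Test-Connection -ComputerName $target -Count 2 -Quiet
}

# Step 5: DNS records. -DnsOnly bypasses the hosts file and the local resolver cache,
# so the answer reflects what the configured DNS server really holds.
function Test-Record([string] $Name, [string] $Type) {
    try {
        $r = Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq $Type }
        if (-not $r) { return 'NO RECORD' }
        $targets = $r | ForEach-Object {
            switch ($Type) { 'A' { $_.IPAddress } 'SRV' { $_.NameTarget } default { $_.NameHost } }
        }
        return 'OK: ' + ($targets -join ', ')
    } catch { return 'FAILED: ' + $_.Exception.Message }
}
if ($dcName)  { $results["A $dcName"] = Test-Record $dcName 'A' }                     # article test 1
if ($DsaGuid) { $results["CNAME $DsaGuid._msdcs.$ForestRoot"] =
                    Test-Record "$DsaGuid._msdcs.$ForestRoot" 'CNAME' }                  # article test 2
foreach ($svc in '_ldap', '_kerberos') {                                                  # locator SRV records
    $srv = "$svc._tcp.dc._msdcs.$Domain"
    $results["SRV $srv"] = Test-Record $srv 'SRV'
}

# Symptoms: most recent NETLOGON entries in the System log (none is a valid answer).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON' } `
            -MaxEvents 3 -ErrorAction SilentlyContinue
$results['Recent NETLOGON events'] =
    if ($events) { ($events | ForEach-Object { "$($_.TimeCreated) id=$($_.Id)" }) -join '; ' } else { 'none' }

[pscustomobject] $results | Format-List
```

Run it as `.\Locator-Check.ps1 -Domain mydomain.com -KnownDc dc1.mydomain.com` from the affected client. A failed ping with a correct IP configuration points at the network; a good ping with "NO RECORD" on the SRV or A lines points at DNS registration, which is exactly the split the Corrective Action section below relies on.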

Corrective Action

Assuming that your client computer has a proper network configuration and is otherwise able to connect to a domain controller (using ping, for example), the problem is most likely in your DNS resource records, or your domain controller is not functioning properly.

If DNS does not contain the proper records, restart a domain controller. Doing so should reregister the domain controller in DNS; if it fails to do so, then either DNS is at fault or that particular domain controller has failed. Verify that other domain controllers can register with DNS. If they cannot, replace your DNS server. If they can, the original domain controller has failed and might need to be removed from the network.

If DNS contains the proper records but a domain controller still does not respond to client requests, restart the domain controller. If that fails to correct the problem, you will most likely need to demote the domain controller to a member server and then reinstall Active Directory by re-promoting the server.

Note that, apart from basic network misconfiguration, very few client-side conditions prevent a client from locating a domain controller. Most of the problems are in the DNS server or in a domain controller that fails to respond to a client's initial requests.