When you log in to a Windows 11/10 domain-joined machine and try to connect to an already mapped drive, or when several client workstations are unable to authenticate to the server and fail with the error message The system cannot contact a domain controller to service the authentication request, this post is intended to help you with solutions to the problem.
The system cannot contact a domain controller to service the authentication request. Please try again later.
This error message usually means the client machines can't reach a domain controller for authentication, and it almost always points to incorrect DNS settings (DHCP not configured correctly or statically set incorrectly, i.e., mixing DC and non-DC DNS addresses) or routing issues. This can usually be due to the following:
- The domain controller is offline due to maintenance or a power outage.
- Network issues, if the client device isn't correctly configured to establish communication with a domain controller, or if there are issues in the network.
- Host server issues, if a domain controller is a virtual machine.
The system cannot contact a domain controller to service the authentication request
If you get the message The system cannot contact a domain controller to service the authentication request in the Enter network credentials dialog when you try to join or authenticate a client machine to a Windows server machine, then the solutions presented below can help you resolve the network authentication issue.
- Flush DNS
- Unjoin and rejoin the client machine to the domain
- Additional troubleshooting
Let's see how these listed solutions apply to resolving the issue at hand.
1] Flush DNS
If The system cannot contact a domain controller to service the authentication request error occurs, you can first flush the DNS on the server and client machines, then restart the DNS Server service. Afterward, you can check the Event Logs and make sure no events have been logged.
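The flush, restart and event-log check described above, written out as an added PowerShell example (not from the original article). The 60-second wait is an arbitrary assumption, and the DNS Server steps apply only on a machine where that service is installed.

```powershell
# Added example. Run in an elevated Windows PowerShell session.
$since = Get-Date   # only events logged after this point count

# On each affected client and on the DNS server: clear the local resolver cache.
Clear-DnsClientCache          # same effect as: ipconfig /flushdns

# On the DNS server only: restart the DNS Server service (service name "DNS").
if (Get-Service -Name DNS -ErrorAction SilentlyContinue) {
    Restart-Service -Name DNS
}

# Assumed wait so clients can retry, then look for new errors and warnings.
Start-Sleep -Seconds 60
$filters = @(
    @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2, 3; StartTime = $since }
    @{ LogName = 'DNS Server'; Level = 2, 3; StartTime = $since }   # exists on DNS servers only
)
foreach ($f in $filters) {
    # Get-WinEvent raises an error when nothing matches, so an empty result is the good case.
    $events = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    if ($events) { $events | Select-Object TimeCreated, Id, ProviderName, Message }
    else { "No new errors or warnings in '$($f.LogName)' since $since" }
}
```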
2] Unjoin and rejoin the client machine to the domain
There could be several reasons why some machines may not be able to authenticate. It could be related to AD token expiration during the time the machine was not able to authenticate. This solution simply requires that you unjoin and then rejoin the affected client machines to the domain. This entails placing the client machines in a workgroup and rebooting, then removing the computers in AD and re-enrolling them in the domain. As reported, after removing the machine from the domain, resetting the computer account in AD, and trying to rejoin the machine, you may get the following error message:
An Active Directory Domain Controller (AD DC) for the domain couldn’t be contacted.
In this case, if you can successfully ping the domain controller but cannot join the computer, you can refer to the solutions provided in this guide to resolve the issue.
3] Additional troubleshooting
- If you're experiencing this issue after resuming from hibernation, check the network connection state by pointing the cursor at the Network icon in the system tray. If the tooltip that appears doesn't contain your domain name, that's the reason for the error. In this case, you can disable and re-enable the network adapter in Device Manager, or unplug the network cable and then plug it back in (in 10 seconds).
- For one reason or another, Windows may have changed the Network Discovery or Sharing profile. In this case, you may have to go to the Network settings and change to DOMAIN from Public and allow visibility for machines, and so on.
- Try pinging the server by computer name and see if the result returns with IPv6. If so, then it's likely that IPv4 is getting suppressed, and that could cause the issue. In this case, you can try disabling IPv6 and continuing with IPv4 to see if that helps.
- Temporarily disable security software such as antivirus or firewall (especially from third-party vendors) on your system. Also, if you have VPN software installed and running, see if disabling or disconnecting from the service helps you in this case.
- Check to make sure that DNS on your domain controller has the _msdcs.domain.com forward lookup zone and that it is populated with the various SRV records. Run the dcdiag /e /i /c command on one of your domain controllers and review the output for any DNS issues that may be reported. The tests executed by dcdiag include sanity checks to make sure that _msdcs contains exactly the right settings for the domain to work. If not, it will tell you what's missing so you can take the necessary actions.
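One way to run the DNS, IPv4 and network-profile checks from this list on an affected client, as an added example that is not part of the original article. The domain name corp.example.com is a placeholder, and the DNS-server comparison assumes your domain controllers also host DNS.

```powershell
# Added example: client-side checks for the DNS and profile causes listed above.
# $Domain is a placeholder; replace it with your AD DNS domain name.
param([string]$Domain = 'corp.example.com')

# 1. Locate domain controllers the way a client does: SRV records under _msdcs.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No SRV records for $srvName. Check client DNS settings and the _msdcs zone."
    return
}

# 2. Resolve each DC to IPv4 and test the Kerberos (88) and LDAP (389) ports.
$dcAddresses = @()
foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    $a = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) { Write-Warning "$dc has no IPv4 (A) record"; continue }
    $dcAddresses += $a.IPAddress
    $ip = @($a)[0].IPAddress
    foreach ($port in 88, 389) {
        $ok = Test-NetConnection -ComputerName $ip -Port $port `
              -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-30} tcp/{1,-4} reachable: {2}' -f $dc, $port, $ok
    }
}

# 3. Flag DNS servers on this client that are not domain controllers
#    (assumption: AD-integrated DNS hosted on the DCs).
Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object {
    foreach ($s in $_.ServerAddresses) {
        if ($s -notin $dcAddresses) {
            Write-Warning "$($_.InterfaceAlias): DNS server $s is not a DC for $Domain"
        }
    }
}

# 4. The active profile should be DomainAuthenticated, not Public or Private.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 5. Ask the DC locator for a domain controller, then verify the secure channel (elevated).
nltest "/dsgetdc:$Domain"
nltest "/sc_verify:$Domain"
```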
I hope this helps!
How do I troubleshoot AD authentication issues?
If you are having AD authentication issues, as part of the process of troubleshooting Active Directory you can do the following:
- Run diagnostics on domain controllers.
- Test DNS for signs of trouble.
- Run checks on Kerberos.
- Examine the domain controllers.
Active Directory uses Kerberos to authenticate communication on the domain. Therefore, your AD server must accept this authentication type as well. If Kerberos stops working, then the authentication process breaks down.
How do I force Domain Controller authentication?
To force a client to validate its logon against a specific domain controller, do the following:
- Open Registry Editor.
- Navigate to the path below:
- Create a New > DWORD value with the name NodeType and press ENTER.
- Double-click the new value and set it to 4 (this sets the network to M-node/mixed, which means it will perform a broadcast before querying name servers for resolution). By default, a system is 1 if no WINS servers are configured (B-node/broadcast) or 8 if at least one WINS server is configured (H-node/queries name resolution first, then broadcasts).
- Next, create (if it doesn't exist) a New > DWORD value with the name EnableLMHOSTS and set its value to 1.
- Close the registry editor.
- Reboot the machine.