No Domain Controller Authenticating Users — Total AD Authentication Outage
When no Domain Controller in the environment can authenticate or authorize users, all domain-joined logins fail with 'No logon servers available' errors, and AD-dependent applications cease to function. Root causes span DC unavailability, DNS resolution failure, Netlogon service outage, Kerberos time skew, or firewall port blockage. Resolution requires systematically restoring DC reachability, DNS SRV record resolution, Netlogon service health, time synchronization, and firewall access to AD ports.
Indicators
- Users unable to log in to any domain-joined machine — 'There are currently no logon servers available to service the logon request'
- Applications relying on Active Directory authentication fail domain-wide
- Event ID 5719 (Netlogon: No DC available) logged on client machines
- Event ID 6702 or 5722 in System log on DCs indicating Netlogon failures
- Group Policy fails to apply at login for all users
- Domain-joined computers report as disconnected from the domain
- nltest /dsgetdc:<domain> returns 'ERROR_NO_SUCH_DOMAIN' or 'ERROR_NO_LOGON_SERVERS'
- Slow or completely failed LDAP/Kerberos service responses
- Kerberos Event ID 4771 (pre-authentication failed) or 4776 (NTLM auth failure) in Security log
Likely causes
- All Domain Controllers are offline, crashed, or otherwise unreachable
- DNS misconfiguration or DNS server failure preventing clients from locating DC SRV records (_ldap._tcp, _kerberos._tcp)
- Netlogon service stopped or crashed on all Domain Controllers simultaneously
- Network connectivity failure between client subnet(s) and DC subnet(s)
- Kerberos time skew exceeding 5 minutes between clients, DCs, and the PDC Emulator
- Active Directory database (ntds.dit) corruption rendering all DCs unable to service requests
- Firewall rule change blocking AD-required ports (TCP/UDP 88, 135, 389, 445, 464, 636, 3268, 49152–65535)
- PDC Emulator FSMO role holder down or unreachable, causing cascading authentication failures
Diagnostic steps
- From a client machine, run 'nltest /dsgetdc:<domain_name>' to determine whether any DC can be located. Note the specific error code returned (e.g., ERROR_NO_LOGON_SERVERS).
- Run 'ping <DC_hostname>' and 'ping <DC_IP>' for each known DC to confirm basic ICMP reachability. If all fail, escalate to network infrastructure checks immediately.
- Verify DNS SRV record resolution from a client: 'nslookup -type=SRV _ldap._tcp.<domain_name>' and 'nslookup -type=SRV _kerberos._tcp.<domain_name>'. Missing or incorrect records confirm a DNS root cause.
- Check the Netlogon service status on each DC: 'sc query netlogon'. If stopped, restart with 'net start netlogon' and review the Netlogon.log at %SystemRoot%\debug\netlogon.log for errors.
- On any accessible DC, run 'dcdiag /test:netlogons /test:services /test:replications /v' to assess DC health, replication state, and service availability.
- Check time synchronization on all DCs and clients: 'w32tm /query /status'. Ensure no machine deviates more than 5 minutes from the PDC Emulator. Run 'w32tm /resync /force' on drifted machines.
- Review Event Viewer on each DC under Windows Logs > System and Security. Focus on Event IDs 5719, 5722, 6702 (Netlogon) and 4771, 4776 (Kerberos/NTLM auth failures).
- Test AD port reachability from a client to a DC using 'portqry -n <DC_IP> -e 88' (Kerberos), 'portqry -n <DC_IP> -e 389' (LDAP), and 'portqry -n <DC_IP> -e 445' (SMB/Netlogon). Blocked ports indicate a firewall change.
- Run 'repadmin /showrepl' and 'repadmin /replsummary' on any accessible DC to identify AD replication failures that may have left DCs in an inconsistent state.
- Identify the PDC Emulator FSMO role holder with 'netdom query fsmo'. Confirm it is online and reachable. If not, prepare to seize the role to an available DC.
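The diagnostic steps above collected into one first-pass triage script, added here as an example and not part of the original runbook. It assumes Windows PowerShell 5.1 on a domain-joined client or management host with RSAT; $Domain and the $Dcs list are placeholders to replace with your own values.

```powershell
# Added example: first-pass triage for a total AD authentication outage.
# Placeholders: replace $Domain and $Dcs with your domain and DC FQDNs.
$Domain  = 'corp.example'
$Dcs     = @('dc01.corp.example', 'dc02.corp.example')
$AdPorts = @(88, 135, 389, 445, 464, 636, 3268)   # TCP ports from the runbook's port list

# Step 1: can any DC be located? Keep the nltest result text for the incident ticket.
$locator = & nltest /dsgetdc:$Domain 2>&1
'DC locator: ' + (($locator | Select-String 'DC:|ERROR_' | Select-Object -First 1) -join '')

# Step 3: SRV records for LDAP and Kerberos; no records confirms a DNS root cause.
foreach ($svc in '_ldap._tcp', '_kerberos._tcp') {
    $srv = Resolve-DnsName -Name "$svc.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    "SRV $svc.$Domain -> " + $(if ($srv) { $srv.NameTarget -join ', ' } else { 'NONE (DNS problem)' })
}

foreach ($dc in $Dcs) {
    # Steps 2 and 8: ICMP reachability and AD port reachability (blocked ports point to a firewall change).
    $icmp    = Test-Connection -ComputerName $dc -Count 1 -Quiet
    $blocked = $AdPorts | Where-Object {
        -not (Test-NetConnection -ComputerName $dc -Port $_ -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    "$dc ping=$icmp blockedPorts=" + $(if ($blocked) { $blocked -join ',' } else { 'none' })

    # Step 4: Netlogon and KDC service state (remote service query; needs admin rights on the DC).
    try {
        $svcs = Get-Service -ComputerName $dc -Name Netlogon, Kdc -ErrorAction Stop
        "$dc services: " + (($svcs | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ' ')
    } catch { "$dc services: query failed ($($_.Exception.Message))" }

    # Step 6: offset between this host and the DC; Kerberos rejects tickets beyond 5 minutes (300 s).
    $skew = & w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>&1 |
            Select-String -Pattern ',\s*([+-]?\d+\.\d+)s' |
            ForEach-Object { [double]$_.Matches[0].Groups[1].Value }
    if ($null -ne $skew -and [math]::Abs($skew) -gt 300) { "$dc time skew ${skew}s EXCEEDS 5-minute Kerberos limit" }
    else { "$dc time skew: $skew s" }
}

# Step 7 (client-side view): recent Netlogon 5719 events show how long the client has lacked a DC.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5719; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Select-Object -First 5 TimeCreated, Id, Message
```

Run it before touching any service so the baseline (which DCs answer, which ports are blocked, which skew is out of range) is recorded in the ticket; the per-DC checks that fail first usually point at the layer (network, DNS, service, time) to fix.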
Resolution path
- Confirm at least one DC is online and reachable on the network; power on or restore any offline DCs immediately.
- Restart the Netlogon service on all DCs ('net start netlogon') and confirm it reaches Running state.
- Repair DNS so that DC SRV records (_ldap._tcp, _kerberos._tcp) resolve correctly from client machines; restart the DNS Server service on DC-hosted DNS if required.
- Correct time synchronization on all DCs and clients so that no machine exceeds a 5-minute skew from the PDC Emulator ('w32tm /resync /force').
- Open or restore required firewall rules for AD ports: TCP/UDP 88 (Kerberos), TCP 135 (RPC endpoint mapper), TCP/UDP 389 (LDAP), TCP 445 (SMB), TCP/UDP 464 (Kpasswd), TCP 636 (LDAPS), TCP 3268 (GC), TCP 49152–65535 (RPC dynamic range).
- Resolve any AD replication errors identified by repadmin; force synchronization with 'repadmin /syncall /AdeP' once DCs are reachable.
- If the PDC Emulator FSMO role holder remains unavailable, seize the role to a healthy DC using 'ntdsutil' (follow fsmo-role-seizure KB procedure).
- Restart the Kerberos Key Distribution Center (KDC) service on each DC ('Restart-Service kdc') if Kerberos-specific authentication failures persist after other fixes.
- Validate resolution by running 'nltest /dsgetdc:<domain_name>' from a client and confirming a DC is returned, then test a domain user login.
Prevention
- Deploy a minimum of two Domain Controllers per physical site to eliminate single points of failure for authentication.
- Host DNS on Domain Controllers and configure clients with multiple DNS server addresses pointing to separate DCs.
- Configure a correct NTP hierarchy: PDC Emulator syncs to an external reliable time source; all other DCs and clients sync to the PDC Emulator.
- Monitor DC health continuously using SCOM, Nagios, or a dedicated AD monitoring tool with alerting on critical Event IDs (5719, 5722, 6702, 4771).
- Implement change control for firewall rules that could affect AD port availability; test AD authentication after any firewall change.
- Schedule weekly automated replication health checks with repadmin and alert on any failures.
- Test FSMO role failover procedures periodically and document the role-seizure runbook so it is available during a P1 outage.
- Maintain up-to-date AD backups (System State) on each DC and verify restore procedures at least quarterly.
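One way to implement the scheduled replication and event-ID check described under Prevention, added here as an example rather than taken from the runbook. It assumes it runs on a DC (or an RSAT host) under a scheduled task that treats a non-zero exit code as an alert; $CriticalIds mirrors the IDs the runbook lists.

```powershell
# Added example: weekly AD replication and critical-event health check for a scheduled task.
# Exit code 1 signals the task scheduler / monitoring wrapper that something needs attention.
$CriticalIds = 5719, 5722, 6702, 4771      # event IDs the runbook says to alert on
$alerts      = @()

# repadmin /showrepl with /csv emits one row per replication link; any failures count is an alert.
$links = & repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($link in $links) {
    if ([int]$link.'Number of Failures' -gt 0) {
        $alerts += 'Replication {0} <- {1} ({2}): {3} failures, last status {4}' -f
            $link.'Destination DSA', $link.'Source DSA', $link.'Naming Context',
            $link.'Number of Failures', $link.'Last Failure Status'
    }
}

# Critical Netlogon / Kerberos events on this host since the last weekly run.
$since = (Get-Date).AddDays(-7)
foreach ($log in 'System', 'Security') {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $CriticalIds; StartTime = $since } -ErrorAction SilentlyContinue
    if ($events) {
        $ids = ($events.Id | Sort-Object -Unique) -join ','
        $alerts += "$log log: $($events.Count) critical AD events in the last 7 days (IDs $ids)"
    }
}

if ($alerts) {
    $alerts | ForEach-Object { Write-Warning $_ }   # swap for your alerting hook (SCOM, Nagios, mail)
    exit 1
}
'AD replication and event health check OK'
exit 0
```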
Tools
- nltest.exe
- dcdiag.exe
- repadmin.exe
- nslookup
- w32tm.exe
- portqry.exe
- netdom.exe
- Event Viewer (eventvwr.msc)
- Active Directory Users and Computers (ADUC)
- Services.msc
- netstat