T The Triage ManualTechnical Guides for IT Emergencies
P1 · Active Directory

No Domain Controller Authenticating Users — Total AD Authentication Outage

When no Domain Controller in the environment can authenticate or authorize users, all domain-joined logins fail with 'No logon servers available' errors, and AD-dependent applications cease to function. Root causes span DC unavailability, DNS resolution failure, Netlogon service outage, Kerberos time skew, firewall port blockage, broken secure channels, account lockouts, SYSVOL unavailability, and trust relationship failures. Resolution requires systematically restoring DC reachability, DNS SRV record resolution, Netlogon service health, time synchronization, firewall access to AD ports, and validating secure channel and account state.

Indicators

Likely causes

Diagnostic steps

  1. From a client machine, run 'nltest /dsgetdc:<domain_name>' to determine whether any DC can be located. Note the specific error code returned (e.g., ERROR_NO_LOGON_SERVERS).
    Establishes whether any DC is locatable and surfaces the error class for subsequent targeted diagnosis.
  2. Run 'ping <DC_hostname>' and 'ping <DC_IP>' for each known DC to confirm basic ICMP reachability. If all fail, escalate to network infrastructure checks immediately.
    Confirms basic network-layer reachability to DCs and distinguishes name resolution failures from full network outages.
  3. Verify DNS SRV record resolution from a client: 'nslookup -type=SRV _ldap._tcp.<domain_name>' and 'nslookup -type=SRV _kerberos._tcp.<domain_name>'. Missing or incorrect records confirm a DNS root cause.
    Validates that DC locator SRV records are published and resolvable; their absence points to DNS as the primary failure.
  4. Check the Netlogon service status on each DC: 'sc query netlogon'. If stopped, restart with 'net start netlogon' and review the Netlogon.log at %SystemRoot%\debug\netlogon.log for errors.
    Confirms Netlogon is running on each DC; a stopped service prevents DC locator and authentication from functioning.
  5. On any accessible DC, run 'dcdiag /test:netlogons /test:services /test:replications /v' to assess DC health, replication state, and service availability.
    Provides targeted DC health assessment across the most authentication-critical test categories.
  6. Check time synchronization on all DCs and clients: 'w32tm /query /status'. Ensure no machine deviates more than 5 minutes from the PDC Emulator. Run 'w32tm /resync /force' on drifted machines.
    Identifies Kerberos-breaking time skew, which silently blocks all Kerberos authentication when it exceeds 5 minutes.
  7. Review Event Viewer on each DC under Windows Logs > System and Security. Focus on Event IDs 5719, 5722, 6702 (Netlogon) and 4771, 4776 (Kerberos/NTLM auth failures).
    Surfaces specific error event IDs that narrow root cause to Netlogon, Kerberos, or NTLM failure categories.
  8. Test AD port reachability from a client to a DC using 'portqry -n <DC_IP> -e 88' (Kerberos), 'portqry -n <DC_IP> -e 389' (LDAP), and 'portqry -n <DC_IP> -e 445' (SMB/Netlogon). Blocked ports indicate a firewall change.
    Isolates firewall-based port blockage as a cause when DC is reachable by ICMP but AD protocols are filtered.
  9. Run 'repadmin /showrepl' and 'repadmin /replsummary' on any accessible DC to identify AD replication failures that may have left DCs in an inconsistent state.
    Identifies replication errors that cause authentication data inconsistency across DCs.
  10. Identify the PDC Emulator FSMO role holder with 'netdom query fsmo'. Confirm it is online and reachable. If not, prepare to seize the role to an available DC.
    PDC Emulator is authoritative for time sync and password changes; its unavailability cascades into authentication failures.
  11. Verify the secure channel between the affected workstation and the domain: 'nltest /sc_verify:<domain_name>'. A failure here confirms a broken machine account secure channel as the root cause.
    Isolates secure channel breakage as distinct from DC-wide or DNS/Kerberos failures.
  12. Run 'klist purge' on an affected client to flush cached Kerberos tickets, then attempt authentication again. If authentication succeeds after purge, corrupted or expired tickets were the cause.
    Rules out stale/corrupted Kerberos ticket cache as the authentication failure source.
  13. Check whether the NETLOGON and SYSVOL shares are accessible on each DC: 'net view \\<DC_hostname>'. Confirm both shares are present. If missing, check DFSR health with 'dfsrdiag SyncNow'.
    Confirms SYSVOL/NETLOGON availability, which is required for Group Policy and domain authentication support.
  14. Check for locked or disabled user and computer accounts in ADUC or via PowerShell: 'Search-ADAccount -LockedOut' and 'Search-ADAccount -AccountDisabled'. Correlate with affected users/machines.
    Identifies account-level causes that appear as authentication failures but do not indicate DC or infrastructure issues.

Resolution path

Prevention

Tools

References

Active DirectoryDomain ControllerAuthenticationNetlogonKerberosLDAPDNSFSMOAD ReplicationTime SynchronizationWindows ServerP1OutageSecure ChannelSYSVOLDFSRAccount LockoutTrust RelationshipAD DS