No Domain Controller Authenticating Users — Total AD Authentication Outage
When no Domain Controller in the environment can authenticate or authorize users, all domain-joined logins fail with 'No logon servers available' errors, and AD-dependent applications cease to function. Root causes span DC unavailability, DNS resolution failure, Netlogon service outage, Kerberos time skew, firewall port blockage, broken secure channels, account lockouts, SYSVOL unavailability, and trust relationship failures. Resolution requires systematically restoring DC reachability, DNS SRV record resolution, Netlogon service health, time synchronization, firewall access to AD ports, and validating secure channel and account state.
Indicators
- Users unable to log in to any domain-joined machine — 'There are currently no logon servers available to service the logon request'
- Applications relying on Active Directory authentication fail domain-wide
- Event ID 5719 (Netlogon: No DC available) logged on client machines
- Event ID 6702 or 5722 in System log on DCs indicating Netlogon failures
- Group Policy fails to apply at login for all users
- Domain-joined computers report as disconnected from the domain
- nltest /dsgetdc:<domain> returns 'ERROR_NO_SUCH_DOMAIN' or 'ERROR_NO_LOGON_SERVERS'
- Slow or completely failed LDAP/Kerberos service responses
- Kerberos Event ID 4771 (pre-authentication failed) or 4776 (NTLM auth failure) in Security log
- Trust relationship errors: 'The trust relationship between this workstation and the primary domain failed'
- SYSVOL or NETLOGON share unavailable on DC
- Replication failures between domain controllers surfaced in Event Viewer Directory Service log
Likely causes
- All Domain Controllers are offline, crashed, or otherwise unreachable
- DNS misconfiguration or DNS server failure preventing clients from locating DC SRV records (_ldap._tcp, _kerberos._tcp)
- Netlogon service stopped or crashed on all Domain Controllers simultaneously
- Network connectivity failure between client subnet(s) and DC subnet(s)
- Kerberos time skew exceeding 5 minutes between clients, DCs, and the PDC Emulator
- Active Directory database (ntds.dit) corruption rendering all DCs unable to service requests
- Firewall rule change blocking AD-required ports (TCP/UDP 88, 135, 389, 445, 464, 636, 3268, 49152–65535)
- PDC Emulator FSMO role holder down or unreachable, causing cascading authentication failures
- Broken or expired secure channel between workstation/member server and DC (computer account password mismatch)
- Locked or disabled computer or user accounts in Active Directory
- Expired or corrupted Kerberos tickets on client
- Domain trust relationship failure between domains or forests
- SYSVOL or NETLOGON share unavailable on DC
Diagnostic steps
-
From a client machine, run 'nltest /dsgetdc:<domain_name>' to determine whether any DC can be located. Note the specific error code returned (e.g., ERROR_NO_LOGON_SERVERS).Establishes whether any DC is locatable and surfaces the error class for subsequent targeted diagnosis.
-
Run 'ping <DC_hostname>' and 'ping <DC_IP>' for each known DC to confirm basic ICMP reachability. If all fail, escalate to network infrastructure checks immediately.Confirms basic network-layer reachability to DCs and distinguishes name resolution failures from full network outages.
-
Verify DNS SRV record resolution from a client: 'nslookup -type=SRV _ldap._tcp.<domain_name>' and 'nslookup -type=SRV _kerberos._tcp.<domain_name>'. Missing or incorrect records confirm a DNS root cause.Validates that DC locator SRV records are published and resolvable; their absence points to DNS as the primary failure.
-
Check the Netlogon service status on each DC: 'sc query netlogon'. If stopped, restart with 'net start netlogon' and review the Netlogon.log at %SystemRoot%\debug\netlogon.log for errors.Confirms Netlogon is running on each DC; a stopped service prevents DC locator and authentication from functioning.
-
On any accessible DC, run 'dcdiag /test:netlogons /test:services /test:replications /v' to assess DC health, replication state, and service availability.Provides targeted DC health assessment across the most authentication-critical test categories.
-
Check time synchronization on all DCs and clients: 'w32tm /query /status'. Ensure no machine deviates more than 5 minutes from the PDC Emulator. Run 'w32tm /resync /force' on drifted machines.Identifies Kerberos-breaking time skew, which silently blocks all Kerberos authentication when it exceeds 5 minutes.
-
Review Event Viewer on each DC under Windows Logs > System and Security. Focus on Event IDs 5719, 5722, 6702 (Netlogon) and 4771, 4776 (Kerberos/NTLM auth failures).Surfaces specific error event IDs that narrow root cause to Netlogon, Kerberos, or NTLM failure categories.
-
Test AD port reachability from a client to a DC using 'portqry -n <DC_IP> -e 88' (Kerberos), 'portqry -n <DC_IP> -e 389' (LDAP), and 'portqry -n <DC_IP> -e 445' (SMB/Netlogon). Blocked ports indicate a firewall change.Isolates firewall-based port blockage as a cause when DC is reachable by ICMP but AD protocols are filtered.
-
Run 'repadmin /showrepl' and 'repadmin /replsummary' on any accessible DC to identify AD replication failures that may have left DCs in an inconsistent state.Identifies replication errors that cause authentication data inconsistency across DCs.
-
Identify the PDC Emulator FSMO role holder with 'netdom query fsmo'. Confirm it is online and reachable. If not, prepare to seize the role to an available DC.PDC Emulator is authoritative for time sync and password changes; its unavailability cascades into authentication failures.
-
Verify the secure channel between the affected workstation and the domain: 'nltest /sc_verify:<domain_name>'. A failure here confirms a broken machine account secure channel as the root cause.Isolates secure channel breakage as distinct from DC-wide or DNS/Kerberos failures.
-
Run 'klist purge' on an affected client to flush cached Kerberos tickets, then attempt authentication again. If authentication succeeds after purge, corrupted or expired tickets were the cause.Rules out stale/corrupted Kerberos ticket cache as the authentication failure source.
-
Check whether the NETLOGON and SYSVOL shares are accessible on each DC: 'net view \\<DC_hostname>'. Confirm both shares are present. If missing, check DFSR health with 'dfsrdiag SyncNow'.Confirms SYSVOL/NETLOGON availability, which is required for Group Policy and domain authentication support.
-
Check for locked or disabled user and computer accounts in ADUC or via PowerShell: 'Search-ADAccount -LockedOut' and 'Search-ADAccount -AccountDisabled'. Correlate with affected users/machines.Identifies account-level causes that appear as authentication failures but do not indicate DC or infrastructure issues.
Resolution path
- Confirm at least one DC is online and reachable on the network; power on or restore any offline DCs immediately.
- Restart the Netlogon service on all DCs ('net start netlogon') and confirm it reaches Running state.
- Repair DNS so that DC SRV records (_ldap._tcp, _kerberos._tcp) resolve correctly from client machines; restart the DNS Server service on DC-hosted DNS if required.
- Correct time synchronization on all DCs and clients so that no machine exceeds a 5-minute skew from the PDC Emulator ('w32tm /resync /force').
- Open or restore required firewall rules for AD ports: TCP/UDP 88 (Kerberos), TCP 135 (RPC endpoint mapper), TCP/UDP 389 (LDAP), TCP 445 (SMB), TCP/UDP 464 (Kpasswd), TCP 636 (LDAPS), TCP 3268 (GC), TCP 49152–65535 (RPC dynamic range).
- Resolve any AD replication errors identified by repadmin; force synchronization with 'repadmin /syncall /AdeP' once DCs are reachable.
- If the PDC Emulator FSMO role holder remains unavailable, seize the role to a healthy DC using 'ntdsutil' (follow fsmo-role-seizure KB procedure).
- Restart the Kerberos Key Distribution Center (KDC) service on each DC ('Restart-Service kdc') if Kerberos-specific authentication failures persist after other fixes.
- If the secure channel is broken, reset it using 'netdom resetpwd /server:<DC_name> /userd:<domain\admin> /passwordd:*' or via PowerShell: 'Test-ComputerSecureChannel -Repair -Credential (Get-Credential)'. If the machine cannot rejoin, unjoin and rejoin the domain.
- If NETLOGON or SYSVOL shares are missing on a DC, restart the Netlogon service ('net stop netlogon && net start netlogon') and verify DFSR/SYSVOL replication health using 'dfsrdiag SyncNow'.
- If user or computer accounts are locked or disabled, unlock via ADUC or PowerShell: 'Unlock-ADAccount -Identity <username>' or 'Enable-ADAccount -Identity <computername$>'.
- Flush stale or corrupted Kerberos tickets on affected clients with 'klist purge' before retesting authentication.
- Validate resolution by running 'nltest /dsgetdc:<domain_name>' from a client and confirming a DC is returned, 'nltest /sc_verify:<domain_name>' returns 'Secure channel to <DC> is good', 'dcdiag /test:all' passes, and a domain user can log in successfully.
Prevention
- Deploy a minimum of two Domain Controllers per physical site to eliminate single points of failure for authentication.
- Host DNS on Domain Controllers and configure clients with multiple DNS server addresses pointing to separate DCs.
- Configure a correct NTP hierarchy: PDC Emulator syncs to an external reliable time source; all other DCs and clients sync to the PDC Emulator.
- Monitor DC health continuously using SCOM, Nagios, or a dedicated AD monitoring tool with alerting on critical Event IDs (5719, 5722, 6702, 4771).
- Implement change control for firewall rules that could affect AD port availability; test AD authentication after any firewall change.
- Schedule weekly automated replication health checks with repadmin and alert on any failures.
- Test FSMO role failover procedures periodically and document the role-seizure runbook so it is available during a P1 outage.
- Maintain up-to-date AD backups (System State) on each DC and verify restore procedures at least quarterly.
- Implement account lockout monitoring and alerting to detect brute-force attacks or misconfigurations causing mass lockouts that trigger authentication failures.
- Monitor SYSVOL replication health (DFSR) continuously and alert on DFSR backlog or share unavailability on any DC.
Tools
- nltest.exe
- dcdiag.exe
- repadmin.exe
- nslookup
- w32tm.exe
- portqry.exe
- netdom.exe
- Event Viewer (eventvwr.msc)
- Active Directory Users and Computers (ADUC)
- Services.msc
- netstat
- klist.exe
- dfsrdiag.exe
- PowerShell AD module (Test-ComputerSecureChannel, Unlock-ADAccount, Get-ADDomainController, Search-ADAccount)