Troubleshooting ‘Domain Controller Not Reachable’ Issues: Scenarios and Solutions

This article provides a detailed analysis of the various scenarios that cause the ‘domain controller not reachable’ issue and provides potential solutions for rectifying the issue.

The following scenarios illustrate some common possibilities of the domain controller not being accessible:

  • Primary domain controller is down
  • Port 389 is not accessible
  • Domain controller’s IP is changed
  • SSL-mode is activated
  • Domain controller certificate not uploaded to Securden
  • Domain controller certificate has expired
  • Issues with secondary domain controller details
  • Domain controller is moved to a separate machine

Primary domain controller is down

In this case, the Securden application cannot connect to the Domain Controller, or the Domain Controller is currently unavailable. First, verify the status of the Domain Controller to ensure it is functioning properly.

Alternatively, you can log in to Securden as a local user, navigate to Admin >> Active Directory Domains, and add a Secondary Domain Controller. This will allow users to authenticate until the Primary Domain Controller becomes accessible again.

Port 389 is not accessible

To import the AD domain into Securden, you need to establish a connection to the domain controller. If the connection mode is non-SSL, ensure that port 389 is open to the PAM solution. To verify if the port is open, run the following command from the Securden server.

Steps to Use the Test-NetConnection (TNC) Command

1. Open Command Prompt or PowerShell as Administrator:

Right-click on either Command Prompt or PowerShell and select Run as administrator.

2. Run the TNC Command:

Execute the following command to test connectivity to the remote machine through port 389:

Test-NetConnection -ComputerName <RemoteMachineIP> -Port 389

For example:

Test-NetConnection -ComputerName 192.168.1.10 -Port 389

3. Analyze the TNC Command Output:

Review the output to determine if port 389 is reachable. If the port is not reachable, verify firewall settings and network configurations to ensure that port 389 is open and accessible.
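The check above can be run in one pass against the primary and all secondary domain controllers, on port 389 or 636 depending on the connection mode selected in Securden. This is an added example, not part of the Securden article; the addresses are constructed placeholders.

```powershell
# Added example (not from the Securden article): checks LDAP/LDAPS port reachability
# from the Securden server to the primary and secondary domain controllers.
# The addresses below are constructed placeholders; replace them with your own.
$PrimaryDc    = '192.168.1.10'
$SecondaryDcs = '192.168.1.11,192.168.1.12'   # same comma-separated format Securden expects
$UseSsl       = $false                         # $true when SSL mode is selected in Securden

$Port    = if ($UseSsl) { 636 } else { 389 }
$Targets = @($PrimaryDc) + ($SecondaryDcs -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

$Results = foreach ($Dc in $Targets) {
    # Suppress the built-in "TCP connect failed" warning; failures are summarised below
    $Tnc = Test-NetConnection -ComputerName $Dc -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $Dc
        Port             = $Port
        ResolvedAddress  = $Tnc.RemoteAddress
        PingSucceeded    = $Tnc.PingSucceeded      # may be False when ICMP is filtered; TCP result is what matters
        TcpTestSucceeded = $Tnc.TcpTestSucceeded
    }
}

$Results | Format-Table -AutoSize

$Failed = $Results | Where-Object { -not $_.TcpTestSucceeded }
if ($Failed) {
    Write-Warning ("Port {0} is not reachable on: {1}. Check the DC status, the host firewall and any network ACLs between the Securden server and the DC." -f $Port, ($Failed.DomainController -join ', '))
}
```

Run it from the Securden server so the test follows the same network path the application uses.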

Domain controller’s IP is changed

If the IP address of a domain controller changes and the new IP is not updated, users may encounter authentication failures if their cached credentials do not correspond with the new IP address. This can prevent users from logging in to their devices. In this case, log in to Securden as a local user and update the IP address to resolve the issue. Performing a DNS lookup, reviewing event logs, checking local IP configurations, and using Active Directory Sites and Services are effective methods for verifying whether the domain controller's IP address has changed.

How to perform a DNS Lookup

To check if a domain controller's IP has changed, you can perform a DNS lookup on the domain controller's hostname.

Here's how to do it:

1. Find the Domain Controller's Hostname

  • Typically, the hostname is available in your organization's documentation or can be found by typing ‘hostname’ in a command prompt from inside the domain controller.

2. Use nslookup to Check the Current IP Address

  • Open Command Prompt (Windows), Terminal (Linux/macOS), or PowerShell.
  • Run the following command: nslookup <domain-controller-hostname>
  • Replace <domain-controller-hostname> with the actual hostname.
  • This command will return the IP address associated with the domain controller. Take note of the IP.

3. Verify Against Previous IP

  • Compare this IP with the domain controller's previously documented or known IP address to check if it has changed.

SSL-mode is activated

Verify the connection mode used by Securden to communicate with the domain controller. If SSL mode is selected, ensure that connectivity from the Securden server to the domain controller is running through port 636.

Domain controller certificate not uploaded to Securden

If the connectivity from the Securden server to the domain controller is operating over SSL on port 636 and the issue continues, ensure that the CA-signed certificate for the domain controller has been uploaded to Securden.

Domain controller certificate has expired

The issue of the domain controller being unreachable will continue if the Domain Controller’s certificate has expired. You can check the expiry of a Domain Controller's certificate using Windows Microsoft Management Console (MMC), the command line, or PowerShell.
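The PowerShell route can be done from the Securden server without logging on to the DC: connect to port 636, read the certificate the DC presents, report its validity period and save it in a form that can be uploaded to Securden. This is an added example covering the three SSL sections above, not part of the Securden article; the hostname is a constructed placeholder.

```powershell
# Added example (not from the Securden article): retrieves the certificate a DC presents
# on the LDAPS port, reports its expiry and exports it for upload to Securden.
# The hostname is a constructed placeholder; replace it with your own.
$DcHostname = 'dc01.corp.example.com'
$Port       = 636
$OutFile    = "$env:TEMP\$DcHostname.cer"

# The callback accepts any certificate: this script only inspects it, it does not
# establish trust. Chain validation happens in Securden against the uploaded CA cert.
$Callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

$Client = New-Object System.Net.Sockets.TcpClient
$Client.Connect($DcHostname, $Port)
$Ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false, $Callback)
try {
    $Ssl.AuthenticateAsClient($DcHostname)
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
} catch {
    # A handshake failure here usually means LDAPS is not configured on the DC (no server certificate)
    Write-Warning "TLS handshake with ${DcHostname}:$Port failed: $($_.Exception.Message)"
    return
} finally {
    $Ssl.Dispose(); $Client.Dispose()
}

$DaysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays
[pscustomobject]@{
    Subject    = $Cert.Subject
    Issuer     = $Cert.Issuer
    NotBefore  = $Cert.NotBefore
    NotAfter   = $Cert.NotAfter
    DaysLeft   = $DaysLeft
    Thumbprint = $Cert.Thumbprint
} | Format-List

if ($DaysLeft -le 0) {
    Write-Warning "Certificate for $DcHostname expired on $($Cert.NotAfter). Renew it on the DC, then upload the new certificate to Securden."
} elseif ($DaysLeft -le 30) {
    Write-Warning "Certificate for $DcHostname expires in $DaysLeft days."
}

# Export the DER-encoded certificate so it can be uploaded to Securden
[IO.File]::WriteAllBytes($OutFile, $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
Write-Host "Certificate saved to $OutFile"
```

Compare the Thumbprint in the output with the certificate already uploaded to Securden; a mismatch after a renewal is the usual cause of the "not uploaded" scenario.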

Issues with secondary domain controller details

It is also essential to verify that the IP addresses of the secondary domain controllers are listed correctly in a proper comma-separated format. The port number on which each secondary server is running and the CA-signed certificate of each secondary server must also be verified. This ensures that the system can correctly identify and communicate with the secondary domain controllers when the primary one is unavailable.

Domain controller is moved to a separate machine

This issue may also occur if the domain controller has been migrated to a different machine, that is, the entire instance of Active Directory Domain Services (AD DS) running on one physical or virtual server has been transferred to another server. In this case, you will also need to verify the port number and CA-signed certificate for the domain controller that was relocated. To verify whether the domain controller has been moved, you can check the server’s hostname, review the properties of the domain controller in the Active Directory Sites and Services console, perform DNS queries, and more.
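The DNS lookup from the "Domain controller’s IP is changed" section and the DNS query suggested here can be combined: resolve the configured hostname and compare it with the IP stored in Securden, then ask DNS which hosts currently advertise the DC role for the domain, which reveals a DC that has been moved to another machine. This is an added example, not part of the Securden article; the domain, hostname and IP are constructed placeholders.

```powershell
# Added example (not from the Securden article): detects a DC whose IP has drifted from
# what is configured in Securden, or a DC that is no longer advertised for the domain.
# The values below are constructed placeholders; replace them with your own.
$Domain       = 'corp.example.com'
$DcHostname   = 'dc01.corp.example.com'
$ConfiguredIp = '192.168.1.10'    # IP currently stored under Admin >> Active Directory Domains

# 1. Resolve the DC hostname and compare with the configured IP (same check as nslookup)
$Current = Resolve-DnsName -Name $DcHostname -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
if ($Current -contains $ConfiguredIp) {
    Write-Host "OK: $DcHostname still resolves to $ConfiguredIp"
} else {
    Write-Warning "$DcHostname now resolves to $($Current -join ', ') but Securden has $ConfiguredIp. Update the IP under Admin >> Active Directory Domains."
}

# 2. Ask DNS which hosts currently hold the DC role for the domain (SRV records).
#    A DC moved to another machine shows up here under its new name.
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$Srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

if ($Srv.NameTarget -notcontains $DcHostname) {
    Write-Warning "$DcHostname is not advertised as a domain controller for $Domain. It may have been moved or demoted; point Securden at one of the hosts listed above."
}
```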
