When a user logs on to a Windows computer that is joined to an Active Directory domain, they may see the following error message:
There are currently no logon servers available to service the logon request.
This message says that none of the AD domain controllers (LogonServer) is available from this computer to authenticate the user. The problem can be related either to the client device itself or to a global problem with the health of domain controllers or Active Directory.
Let’s take a look at the common causes of this error and ways to fix it.
- Make sure that your computer is connected to your LAN. Unplug the network cable and plug it back in (if you are using Ethernet) or reboot your Wi-Fi hotspot;
- Try to log on to the computer with a local administrator account. You may use either the built-in administrator account or an additional administrator account (created manually or using Microsoft LAPS). If you don’t know the local administrator password, you can reset it. You can also try to log on to the computer with a domain user account that has logged on to this computer before. By default, Windows stores the credentials of the last 10 user accounts in the local cache (cached domain credentials). This is configured using the Group Policy option Interactive logon: Number of previous logons to cache (in case domain controller is not available) under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. You can get the number of users whose credentials are cached on the computer from the registry using PowerShell:
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon").CachedLogonsCount
If the value of this parameter is equal to 0, it means that a domain user will not be able to log on to the computer if there are no available domain controllers or the computer is not connected to the corporate network.
- Make sure that Windows sees the network adapters;
- Check that your computer has received the correct IP address from your DHCP server using
ipconfig /all
or PowerShell:
Get-NetIPConfiguration
Reset the network settings using the commands below:
netsh winsock reset
netsh int ip reset
- If your DHCP server is not available, the computer will get an IP address from the 169.254.x.x range. Renew the IP address:
ipconfig /release & ipconfig /renew
If the computer doesn’t get an IP address, you may try to specify the IP address and DNS servers manually;
- Verify that the DNS client, DHCP client, and NetLogon services are running on the computer. Restart the services using PowerShell:
Get-Service Dhcp, Dnscache, Netlogon | Restart-Service
- Check if the DNS servers specified in the settings of your network adapters are available:
nslookup -> your_domain_name
Check that you get a response from the correct DNS server. If the DNS servers are not available, make sure that access to them is not blocked by your firewall (UDP Port 53). You can check UDP port connectivity using the portquery tool:
PortQry.exe -n your_dns_server -p both -e 53
Check if there are static DNS entries in the hosts file:
Get-Content $env:SystemRoot\System32\Drivers\etc\hosts
Remove the records you do not need from the file.
- Trace the route to your DNS server:
- Try to find the domain controller in DNS:
nltest /dnsgetdc:woshub.com
Make sure that the client can find the domain controller using search:
- Try to switch to another AD domain controller (logon server) in Windows:
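The client-side checks from the list above (cached logons, a 169.254.x.x address, the three services, and domain controller discovery through DNS) can be run in one pass. The script below is an added example, not part of the original article; it only reads state and changes nothing, and it assumes a domain-joined client where you are logged on with a local or cached account.

```powershell
# Added example: read-only client triage for "no logon servers available".
# Assumption: the computer is domain-joined; nothing here modifies the system.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) { throw "This computer is not joined to a domain." }
$domain = $cs.Domain

# 1. Cached logons policy: 0 means domain users cannot log on without a DC
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty $winlogon).CachedLogonsCount
"CachedLogonsCount: $cached"

# 2. IPv4 addresses: 169.254.x.x means no DHCP server answered
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    ForEach-Object {
        $state = if ($_.IPAddress -like '169.254.*') { 'no DHCP lease' } else { 'ok' }
        "{0,-25} {1,-16} {2}" -f $_.InterfaceAlias, $_.IPAddress, $state
    }

# 3. Services the domain logon depends on
Get-Service Dhcp, Dnscache, Netlogon |
    ForEach-Object { "{0,-10} {1}" -f $_.Name, $_.Status }

# 4. Find DCs through the SRV records clients use, then test the advertised port
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
        -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    "No DC SRV records resolved for $domain; check the DNS servers on the adapter"
} else {
    foreach ($dc in $srv) {
        $ok = Test-NetConnection -ComputerName $dc.NameTarget -Port $dc.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        "{0,-40} TCP/{1} reachable: {2}" -f $dc.NameTarget, $dc.Port, $ok
    }
}
```

If step 4 resolves no records while steps 2 and 3 look healthy, the problem is most likely on the DNS or domain controller side.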
If a lot of users are impacted by the DC connectivity issue, you need to check the domain controllers and AD status.
- Check the domain controller and AD replication health;
- Check the W32Time (NTP) service and the time on your DCs and clients. The time must not differ by more than 5 minutes;
- Verify that Windows Defender Firewall policy rules on the domain controllers are not blocking inbound traffic from your clients;
- Make sure that the Netlogon service is running on the DC. Check if SYSVOL and NETLOGON administrative shares are available:
net share
(you may have problems with the SYSVOL and NETLOGON shares after restoring Active Directory from a backup);
- If you have recently decommissioned a domain controller, make sure that it was removed correctly;
- Check for SRV records for AD domain controllers in DNS (https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created). If the DC records have been removed, clients will have trouble finding the domain controller and establishing a secure channel (trust relationship).
In this article, I have tried to describe typical troubleshooting steps to understand why Windows logon servers might not be available from the client’s computer.