Fix ERROR_NO_WRITABLE_DC_FOUND (0X000021AD) on Windows
This error means your PC can't find a writable domain controller. It happens when DNS points only to a read-only DC, or when network issues block traffic to a writeable one. Here's how to fix it.
When This Error Shows Up
You're logging in, or trying to join a domain, and Windows throws up ERROR_NO_WRITABLE_DC_FOUND with code 0X000021AD. It usually happens after a site relocation, a VPN connection, or when someone set up a read-only domain controller (RODC) in a remote office without a writeable one. I had a client last month whose remote branch had only an RODC—everyone's laptops couldn't authenticate after a network blip. Same error.
Root Cause in Plain English
Windows needs to talk to a domain controller that accepts writes—like password changes or group policy updates. If your DNS returns only read-only DCs, or if network routes block traffic to writeable ones, you get this error. The Domain Controller Locator (DCLocator) service uses SRV records in DNS to find DCs. If those records point to RODCs only, or if the writeable DC is unreachable, you're stuck.
The Fix: Step-by-Step
Step 1: Verify DNS Points to a Writeable DC
First, check what DNS your machine is using. Open Command Prompt as admin and run:
ipconfig /all | findstr "DNS"
If it shows an RODC's IP (often in remote branches), you need to add or change DNS to a writeable DC. For example, if your writeable DC is at 192.168.1.10, set that as primary DNS.
Step 2: Force DC Discovery
Run nslookup to see which DCs Windows sees:
nslookup -type=SRV _ldap._tcp.dc._msdcs.yourdomain.com
Replace yourdomain.com with your actual domain. If only RODCs show up, your DNS isn't advertising writeable DCs. You'll need to add SRV records for writeable DCs. Use a tool like dnscmd or the DNS console.
Step 3: Check Network Connectivity
Ping the writeable DC's IP. If it fails, there's a firewall or routing issue. Make sure ports 389 (LDAP) and 445 (SMB) are open between client and DC. Try (substituting your writeable DC's IP for 192.168.1.10):
Test-NetConnection -ComputerName 192.168.1.10 -Port 389
If blocked, check Windows Firewall or your edge firewall.
Step 4: Use NetDiag or DCDiag
These tools can pinpoint DC locator problems. Run:
nltest /dsgetdc:yourdomain.com /writable
The /writable flag makes the locator require a writeable DC instead of accepting any DC. If it returns "ERROR_NO_WRITABLE_DC_FOUND", you'll see which DCs were tried. Also run dcdiag /test:Advertising /s:yourwriteableDC from a server to check that the DC is advertising itself as having a writeable directory.
Step 5: Force Registration of DC Locator Records
On the writeable DC, restart the Netlogon service to re-register SRV records:
net stop netlogon && net start netlogon
Wait a few minutes for DNS propagation.
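The following PowerShell script pulls steps 1 through 4 into one diagnostic run from the affected client. It is an added example, not from the original article; it assumes the RSAT Active Directory module is installed on the client, that yourdomain.com is a placeholder you replace, and it adds port 88 (Kerberos) to the page's 389/445 list.

```powershell
# Added diagnostic (not from the original article). Assumes RSAT AD module on the client.
param(
    [string]$Domain = "yourdomain.com",      # placeholder: your AD DNS domain
    [int[]]$Ports   = @(88, 389, 445)        # 88 Kerberos (added), 389 LDAP, 445 SMB
)

# 1. What the DC locator sees: the SRV records DNS returns for DCs in this domain.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
       Where-Object { $_.QueryType -eq 'SRV' }
Write-Host "SRV targets from DNS: $($srv.NameTarget -join ', ')"

# 2. SRV records alone do not say whether a DC is read-only; ask AD for that.
$dcs = Get-ADDomainController -Filter * -Server $Domain |
       Select-Object HostName, IPv4Address, Site, IsReadOnly
$dcs | Format-Table -AutoSize

# 3. Check reachability of every writeable DC on the ports the locator and Kerberos need.
foreach ($dc in ($dcs | Where-Object { -not $_.IsReadOnly })) {
    foreach ($p in $Ports) {
        $ok = (Test-NetConnection -ComputerName $dc.HostName -Port $p `
                  -WarningAction SilentlyContinue).TcpTestSucceeded
        $state = if ($ok) { 'open' } else { 'BLOCKED' }
        Write-Host ("{0,-30} port {1,-4} {2}" -f $dc.HostName, $p, $state)
    }
}

# 4. Ask the locator explicitly for a writeable DC; /force bypasses the cached result.
nltest /dsgetdc:$Domain /writable /force
```

If step 2 lists only IsReadOnly DCs reachable from the client's site, or step 3 shows BLOCKED on a writeable DC, that is where the fix belongs before touching Netlogon.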
What to Check If It Still Fails
- Time sync: Kerberos requires time within 5 minutes. Check both client and DC time.
- Site configuration: In Active Directory Sites and Services, make sure the subnet for the client's IP is assigned to a site that has a writeable DC.
- RODC password replication: If you have an RODC, ensure password replication policy allows the user account that's failing—especially for cached passwords.
- VPN split tunneling: If remote, make sure the entire corporate network is routed through the VPN, not just specific subnets.
That last one bit a client of mine—only traffic to the file server was routed, but DC discovery packets were going over the internet. Misconfigured VPN client. Fixed with a routing change.