STATUS_DOMAIN_CTRLR_CONFIG_ERROR (0xC000015E) Fix
Domain controller has bad config. Usually a DNS issue or stale AD metadata. Start with DNS check, then move to metadata cleanup.
The 30-Second Fix: DNS Check
This error almost always starts with DNS. Don't waste time on anything else until you verify the domain controller can find itself and other DCs.
- Open a command prompt as Administrator.
- Run
nslookup %computername%— replace %computername% with the actual DC hostname. - Run
nslookup— example:nslookup contoso.com. - Check that both return the correct IP address of the DC. If they don't, your DNS is broken.
If nslookup fails, go to the network adapter settings and set the preferred DNS server to point to another DC or itself. For a single DC environment, set it to 127.0.0.1 (loopback). Then flush DNS: ipconfig /flushdns and ipconfig /registerdns. Reboot the Netlogon service: net stop netlogon && net start netlogon.
Still seeing the error? Move to the next step.
The 5-Minute Fix: Check AD Replication and Time Sync
If DNS is clean, the culprit is often a replication failure or clock skew. Run these diagnostics:
repadmin /replsummary
w32tm /query /status
repadmin /replsummary will show any replication errors. If you see failures, note the source and destination DCs. Common causes: a DC that's been offline too long, or a lingering tombstoned object.
For time sync: the error 0xC000015E can pop up when the DC's clock is off by more than 5 minutes from the PDC emulator. Run w32tm /query /status and check the source. If it's not syncing, reconfigure manually:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /update
net stop w32time && net start w32time
w32tm /resync
If replication shows errors like ERROR_DS_DRA_BAD_DN or ERROR_DS_DRA_INTERNAL_ERROR, you've got a deeper metadata issue. That's the next level.
The 15+ Minute Fix: Metadata Cleanup and NTDS Reset
When DNS and replication are fine but the error persists, the DC has a stale or corrupted configuration object in Active Directory. This happens when a DC is demoted improperly or an old server object lingers.
Step 1: Force Remove the DC from AD
On a working DC (or the PDC emulator), open Active Directory Users and Computers. Navigate to Domain Controllers OU. Find the problem DC, right-click, select Delete. Check This Domain Controller is permanently offline and cannot be demoted.
Step 2: Clean Up Metadata via Command Line
Open an elevated command prompt on a working DC. Run ntdsutil:
ntdsutil
metadata cleanup
connections
connect to server
quit
select operation target
list domains
select domain 0
list sites
select site 0
list servers in site
select server
quit
remove selected server
Confirm the removal. Then type quit twice to exit.
Step 3: Delete the NTDS Settings Object
If the above fails, you can manually delete the NTDS Settings object via ADSI Edit. This is risky — don't do it unless you're sure.
- Open ADSI Edit (install via Server Manager if missing).
- Connect to Configuration partition.
- Navigate to
CN=Configuration, CN=Services, CN=Windows NT, CN=Directory Service, CN=., CN=Servers, CN= - Delete the CN=NTDS Settings object.
Warning: Deleting the wrong object can break AD. Double-check you're on the right DC. Backup first if you can.
Step 4: Reboot and Recheck
After cleanup, reboot the problem DC. Run dcdiag /v and look for any lingering errors. The 0xC000015E should be gone.
When None of This Works
If you're still stuck, check for a corrupted System State backup restore. Sometimes a restore from a bad backup brings back a stale DC object. In that case, you'll need to do a non-authoritative restore of the AD database — that's a full forest recovery scenario. But that's rare. 9 times out of 10, it's DNS or a stale DC metadata.
One more thing: check the NETLOGON and SYSTEM event logs for event IDs 5774, 5805, or 1925. Those will point you to the exact source of the misconfiguration.
Was this solution helpful?