STATUS_DS_UNAVAILABLE 0XC00002A6: Domain Controller Fix
Your app or service can't reach a domain controller. The fix is usually a DNS misconfiguration or a stale DC entry. Here's what to do.
You're staring at 0XC00002A6 and your server just told you it can't find a domain controller. Annoying as hell, especially when everything was working yesterday. Let's fix it.
The Real Fix: Check DNS First
What's actually happening here is that your machine is trying to locate a domain controller (DC) using DNS SRV records, and it's coming up empty. The directory service isn't unavailable — your machine just can't find it. The fix is almost always on the DNS side.
- Verify the DNS server your machine is using
On the affected server, run ipconfig /all and check the DNS server IP. It must point to a DNS server that hosts the Active Directory zone for your domain. If it's pointing to itself and it's not a DC, or to 8.8.8.8, that's your problem.
- Test SRV record resolution
Run this command from an elevated prompt:
nslookup -type=SRV _ldap._tcp.dc._msdcs.yourdomain.com
Replace yourdomain.com with your actual domain. If you get "server failed" or "non-existent domain", your DNS setup is broken. You should see at least one DC listed with its hostname and port 389.
- If no SRV records show up
This means the DC hasn't registered itself, or the zone is corrupted. Log into a working DC (if you have one) and run:
net stop netlogon && net start netlogon
This forces the DC to re-register its SRV records.
- Still failing? Check the DC itself
On the DC, run dcdiag /test:dns. Look for errors under "DNS test" or "Locator check". If you see "Warning: No DNS servers configured for this DC", add the DC's own IP as its primary DNS (yes, loopback is fine) and restart netlogon.
The reason step 3 works is that the Netlogon service is what publishes SRV records into DNS. When a DC starts, Netlogon registers these records. If the service crashed or the registration failed, restarting it forces a fresh registration. You'll see the records appear within seconds after the service restarts.
Why This Error Happens
STATUS_DS_UNAVAILABLE (0XC00002A6) is the error code your application sees when it can't establish an LDAP connection to a domain controller. The root causes are narrow:
- DNS misconfiguration — the machine can't resolve the DC's hostname or find SRV records
- Network connectivity — firewalls blocking LDAP (port 389) or Kerberos (port 88)
- Stale DC entries — a DC was decommissioned but its records linger in DNS
- The machine itself is a DC and its own netlogon service is not running
I've seen this most often when someone demotes a DC without cleaning up DNS. The SRV records point to a server that no longer exists. Your machine tries to connect, gets nothing back, and throws 0XC00002A6.
Less Common Variations of the Same Issue
Variant 1: Multiple NICs or Wrong DNS Suffix
If your server has two network cards, DNS might be registering on the wrong adapter. Check ipconfig /all and make sure the DNS suffix is set correctly. If you see Connection-specific DNS Suffix as blank, run:
netsh interface ip set dns "Ethernet" static 192.168.1.10
Replace with your DC's IP and the correct adapter name.
Variant 2: Stale Kerberos Tickets
On a long-running service like SQL Server or Exchange, cached Kerberos tickets can go stale. The service tries to use an old ticket against a DC that's no longer reachable. You'll see 0XC00002A6 in the application log. Fix: restart the service or clear Kerberos tickets with klist purge.
Variant 3: Time Skew
Active Directory requires time sync within 5 minutes. If the affected server's clock is off by more than that, Kerberos authentication fails and you get this error. Sync with w32tm /resync. If that fails, reconfigure the time source:
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
Variant 4: Service Running Under Wrong Credentials
A service like IIS or a custom .NET app might be configured to run as a domain account, but that account is locked or expired. The service can't authenticate to the DC. Check the service's Log On tab in Services.msc and verify the account is active.
Prevention
Two things will stop this from happening again:
- Always clean up DNS when demoting a DC. Use ntdsutil to remove metadata, then manually delete stale A records and SRV records from the DNS zone. Don't assume the demotion tool does this.
- Monitor DC availability with a simple script. Run this every 10 minutes on critical servers:
nltest /dsgetdc:yourdomain.com
If it returns anything other than "The command completed successfully", you'll know before a user reports it.
- Set your servers to use at least two DNS servers. Primary should be the nearest DC, secondary another DC. Don't put external DNS as secondary for domain-joined machines; it causes weird fallback behavior.
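The monitoring check above, extended to the root causes listed under "Why This Error Happens" (an added example, not code from the original article): it resolves the DC locator SRV record, confirms each target still has an A record, tests TCP 389 and 88, then runs the article's nltest check. Test-DcLocator and the status labels are names made up for this example; yourdomain.com is the article's placeholder.

```powershell
# Added example, not from the article. 'yourdomain.com' is the article's placeholder.
param([string]$Domain = 'yourdomain.com')

function Test-DcLocator {
    param([Parameter(Mandatory)][string]$Domain)

    $srvName = "_ldap._tcp.dc._msdcs.$Domain"
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })
    if ($srv.Count -eq 0) {
        # Nothing to locate: wrong DNS server on this machine, or no DC has registered.
        return [pscustomobject]@{ DC = $srvName; Status = 'NO_SRV_RECORDS'; Detail = 'SRV lookup returned no records' }
    }

    foreach ($rec in $srv) {
        $dc = $rec.NameTarget
        # An SRV target with no A record is what a demoted DC leaves behind.
        $addr = @(Resolve-DnsName -Name $dc -Type A -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' })
        if ($addr.Count -eq 0) {
            [pscustomobject]@{ DC = $dc; Status = 'STALE_NO_ADDRESS'; Detail = 'SRV target does not resolve' }
            continue
        }
        # LDAP (389) and Kerberos (88) are the two ports the article names.
        $closed = @(foreach ($port in 389, 88) {
            $open = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
            if (-not $open) { $port }
        })
        if ($closed.Count -gt 0) {
            [pscustomobject]@{ DC = $dc; Status = 'UNREACHABLE'; Detail = "no TCP connection on port(s) $($closed -join ', ')" }
        } else {
            [pscustomobject]@{ DC = $dc; Status = 'OK'; Detail = ($addr.IPAddress -join ', ') }
        }
    }
}

$results = @(Test-DcLocator -Domain $Domain)
$results | Format-Table -AutoSize

# The article's own monitor: nltest must report success.
$nltest = nltest "/dsgetdc:$Domain" 2>&1
$locatorOk = [bool]($nltest -match 'The command completed successfully')
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if (-not $locatorOk -or $bad.Count -gt 0) {
    Write-Warning "DC locator check failed for $Domain (nltest ok: $locatorOk, bad entries: $($bad.Count))"
    exit 1
}
```

A STALE_NO_ADDRESS or UNREACHABLE row names the SRV target to review in the DNS zone, and the non-zero exit code lets a scheduled task raise the alert.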
That's it. Fix the DNS, restart netlogon, and 0XC00002A6 goes away. Most people waste hours checking permissions and firewall rules when the real problem is a missing underscore in an SRV record.