ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows server monitoring dashboard displaying NETLOGON and Active Directory status in a professional data center environment
Event ID 5719ErrorNETLOGONWindows

Windows Event ID 5719 – NETLOGON: No Domain Controller Available

Event ID 5719 indicates that a domain-joined computer cannot contact any domain controller for authentication or directory services, causing authentication failures and domain connectivity issues.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 5719NETLOGON 5 methods 12 min
Event Reference

What This Event Means

Event ID 5719 represents one of the most critical domain connectivity errors in Windows environments. When this event occurs, the NETLOGON service has exhausted all attempts to locate and communicate with domain controllers in the computer's configured domain. The service performs domain controller discovery using DNS SRV records, site topology information, and cached domain controller lists before generating this error.

The NETLOGON service maintains a secure channel with domain controllers for authentication, Group Policy processing, and directory queries. When this secure channel fails and cannot be reestablished, Event ID 5719 fires to alert administrators of the connectivity breakdown. This error cascades through multiple Windows subsystems, affecting user authentication, computer account validation, and domain-based services.

In Windows Server 2025 and Windows 11 24H2 environments, Microsoft has enhanced the domain controller discovery process with improved DNS caching, better site awareness, and more granular error reporting. However, the fundamental causes of Event ID 5719 remain consistent: network connectivity issues, DNS resolution failures, domain controller unavailability, or authentication protocol problems. The event message typically includes the domain name and may reference specific error codes that help pinpoint the root cause.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • DNS resolution failure preventing domain controller discovery via SRV records
  • Network connectivity issues blocking communication to domain controllers on required ports (88, 135, 389, 445, 464, 636, 3268, 3269)
  • All domain controllers in the site or domain are offline or unreachable
  • Firewall rules blocking Active Directory traffic between client and domain controllers
  • Time synchronization issues causing Kerberos authentication failures
  • Computer account password mismatch or corruption in Active Directory
  • Incorrect DNS server configuration pointing to non-authoritative DNS servers
  • Site topology misconfiguration preventing proper domain controller discovery
  • Domain controller overload or resource exhaustion preventing new connections
  • Network adapter or driver issues causing intermittent connectivity problems
Resolution Methods

Troubleshooting Steps

01

Verify DNS Configuration and Domain Controller Discovery

Start by verifying DNS configuration and testing domain controller discovery, as DNS issues cause the majority of Event ID 5719 occurrences.

  1. Open Command Prompt as administrator and test DNS resolution for domain controllers:
    nslookup -type=SRV _ldap._tcp.dc._msdcs.yourdomain.com
nslookup -type=A dc1.yourdomain.com
  2. Verify the computer can resolve domain controller names and SRV records. If DNS fails, check DNS server configuration:
    Get-DnsClientServerAddress -AddressFamily IPv4
Get-DnsClientCache | Where-Object {$_.Name -like "*yourdomain*"}
  3. Test network connectivity to domain controllers on required ports:
    Test-NetConnection -ComputerName dc1.yourdomain.com -Port 389
Test-NetConnection -ComputerName dc1.yourdomain.com -Port 88
Test-NetConnection -ComputerName dc1.yourdomain.com -Port 445
  4. If DNS resolution fails, configure correct DNS servers pointing to domain controllers or DNS servers hosting Active Directory zones.
  5. Flush DNS cache and restart the NETLOGON service:
    ipconfig /flushdns
net stop netlogon
net start netlogon
Pro tip: Use dcdiag /test:dns on domain controllers to verify DNS health and SRV record registration.
02

Check Network Connectivity and Firewall Rules

Investigate network connectivity issues and firewall configurations that may block Active Directory communication.

  1. Test comprehensive network connectivity to domain controllers using PowerShell:
    $DCs = @('dc1.yourdomain.com', 'dc2.yourdomain.com')
$Ports = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)
foreach ($DC in $DCs) {
    foreach ($Port in $Ports) {
        $Result = Test-NetConnection -ComputerName $DC -Port $Port -WarningAction SilentlyContinue
        Write-Output "$DC`:$Port - $($Result.TcpTestSucceeded)"
    }
}
  2. Check Windows Firewall rules that might block Active Directory traffic:
    Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*Active Directory*" -or $_.DisplayName -like "*Kerberos*"} | Select-Object DisplayName, Enabled, Direction
  3. Verify network adapter configuration and disable any VPN connections that might interfere:
    Get-NetAdapter | Where-Object {$_.Status -eq "Up"}
Get-VpnConnection
  4. Check routing table for conflicting routes:
    route print
  5. If using Windows Firewall, temporarily disable it for testing (re-enable after testing):
    Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Warning: Only disable Windows Firewall temporarily for testing. Re-enable it immediately after troubleshooting.
03

Validate Time Synchronization and Kerberos Authentication

Time synchronization issues frequently cause Event ID 5719 as Kerberos authentication requires synchronized clocks within 5 minutes by default.

  1. Check current time synchronization status and compare with domain controllers:
    w32tm /query /status
w32tm /query /peers
  2. Test time difference with domain controllers:
    $DCs = @('dc1.yourdomain.com', 'dc2.yourdomain.com')
foreach ($DC in $DCs) {
    $DCTime = (Get-Date ([System.Net.NetworkInformation.Ping]::new().Send($DC).RoundtripTime))
    $LocalTime = Get-Date
    $TimeDiff = ($DCTime - $LocalTime).TotalSeconds
    Write-Output "$DC time difference: $TimeDiff seconds"
}
  3. Force time synchronization with domain hierarchy:
    w32tm /resync /force
  4. Check Kerberos ticket cache and clear if corrupted:
    klist
klist purge
  5. Test Kerberos authentication to domain controllers:
    Test-ComputerSecureChannel -Server dc1.yourdomain.com -Verbose
  6. If time sync fails, manually configure NTP servers in registry:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" -Name "NtpServer" -Value "dc1.yourdomain.com,0x1"
04

Reset Computer Account and Secure Channel

Computer account issues or secure channel corruption can cause persistent Event ID 5719 errors requiring account reset.

  1. Test the current secure channel relationship:
    Test-ComputerSecureChannel -Verbose
  2. Check computer account status in Event Viewer:Event ViewerWindows LogsSystem, filter for Event ID 5722, 5723, and 5805
  3. Attempt to repair the secure channel:
    Test-ComputerSecureChannel -Repair -Verbose
  4. If repair fails, reset the computer account password using PowerShell:
    Reset-ComputerMachinePassword -Server dc1.yourdomain.com -Credential (Get-Credential)
  5. Alternative method using NETDOM command:
    netdom resetpwd /server:dc1.yourdomain.com /userd:domain\administrator /passwordd:*
  6. Restart the computer after successful password reset to establish new secure channel
  7. Verify the secure channel is working:
    Test-ComputerSecureChannel -Verbose
nltest /sc_query:yourdomain.com
Pro tip: Use nltest /sc_reset:yourdomain.com as an alternative method to reset the secure channel without rebooting.
05

Advanced Troubleshooting with NETLOGON Logging

Enable detailed NETLOGON logging to capture comprehensive diagnostic information for complex Event ID 5719 scenarios.

  1. Enable NETLOGON debug logging in the registry:
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "DBFlag" -Value 0x2080FFFF -PropertyType DWord -Force
  2. Restart the NETLOGON service to activate logging:
    net stop netlogon
net start netlogon
  3. Monitor the NETLOGON debug log file:
    Get-Content C:\Windows\debug\netlogon.log -Tail 50 -Wait
  4. Reproduce the issue and analyze log entries for domain controller discovery failures, authentication errors, or DNS resolution problems
  5. Use NLTEST to perform comprehensive domain controller diagnostics:
    nltest /dsgetdc:yourdomain.com /force
nltest /dclist:yourdomain.com
nltest /trusted_domains
  6. Check site configuration and domain controller location:
    nltest /dsgetsite
nltest /dnsgetdc:yourdomain.com
  7. After troubleshooting, disable debug logging to prevent log file growth:
    Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name "DBFlag"
  8. Restart NETLOGON service to apply changes:
    net stop netlogon
net start netlogon
Warning: NETLOGON debug logging generates large files quickly. Disable it after troubleshooting to prevent disk space issues.

Overview

Event ID 5719 from the NETLOGON service fires when a domain-joined Windows computer cannot establish communication with any available domain controller in its configured domain. This critical error prevents users from authenticating against Active Directory, accessing domain resources, and performing Group Policy updates. The event typically appears in the System log during startup, user logon attempts, or when existing Kerberos tickets expire and require renewal.

This event commonly occurs in environments with network connectivity issues, DNS resolution problems, or domain controller availability issues. When 5719 fires, users experience authentication failures, cannot access network shares requiring domain credentials, and Group Policy processing fails. The computer essentially operates in a disconnected state from the domain infrastructure.

Modern Windows versions in 2026 include enhanced domain controller discovery mechanisms and improved error reporting, but Event ID 5719 remains a critical indicator of domain connectivity failures that require immediate investigation. The event often correlates with DNS issues, firewall blocking, or actual domain controller outages affecting business operations.

Frequently Asked Questions

What does Event ID 5719 mean and why is it critical?+
Event ID 5719 indicates that the NETLOGON service cannot contact any domain controller in the configured domain. This is critical because it prevents user authentication, Group Policy processing, and access to domain resources. When this event occurs, the computer essentially operates in a disconnected state from Active Directory, causing authentication failures and preventing users from accessing network resources that require domain credentials.
How do I quickly identify if DNS is causing Event ID 5719?+
Test DNS resolution for domain controller SRV records using 'nslookup -type=SRV _ldap._tcp.dc._msdcs.yourdomain.com'. If this fails or returns no results, DNS is likely the cause. Also verify that your computer's DNS servers point to domain controllers or DNS servers hosting Active Directory zones. Use 'Get-DnsClientServerAddress' to check current DNS configuration and ensure it includes domain controller IP addresses.
Can time synchronization issues cause Event ID 5719?+
Yes, time synchronization problems frequently cause Event ID 5719. Kerberos authentication requires computer clocks to be synchronized within 5 minutes (default). If the time difference exceeds this threshold, authentication fails and the computer cannot establish secure channels with domain controllers. Use 'w32tm /query /status' to check time sync and 'w32tm /resync /force' to force synchronization with the domain time hierarchy.
What network ports must be open for domain controller communication?+
Domain controllers require multiple ports for different services: DNS (53), Kerberos (88), RPC Endpoint Mapper (135), LDAP (389), SMB (445), Kerberos Password Change (464), LDAPS (636), Global Catalog (3268), and Global Catalog SSL (3269). Use 'Test-NetConnection' to verify connectivity on these ports. Firewalls blocking any of these ports can cause Event ID 5719, especially ports 88 (Kerberos) and 389 (LDAP) which are essential for authentication.
How do I reset a corrupted computer account causing Event ID 5719?+
First test the secure channel with 'Test-ComputerSecureChannel -Verbose'. If it fails, attempt repair with 'Test-ComputerSecureChannel -Repair'. For persistent issues, reset the computer account password using 'Reset-ComputerMachinePassword -Server dc1.yourdomain.com -Credential (Get-Credential)' or 'netdom resetpwd'. After successful reset, restart the computer to establish a new secure channel and verify with 'Test-ComputerSecureChannel' again.
Documentation

References (1)

1
Microsoft Learn - Troubleshoot NETLOGON Event ID 5719Official Microsoft troubleshooting guide for NETLOGON Event ID 5719 with detailed resolution steps and diagnostic procedures.https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/troubleshoot-netlogon-event-id-5719
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-5719#netlogon#domain-controller

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...