Error 5061 - Could not contact Domain Controller

Document ID : KB000044708
Last Modified Date : 14/02/2018
Show Technical Document Details


Error 5061 is produced by the Windows Agent target connector and has the corresponding error message "Could not contact domain controller." Internally this error is known as ERROR_COULD_NOT_RETRIEVE_DC. This particular error arises during either of the following two operations: (1) verifying credentials; (2) updating credentials (which may also incur a verify as part of the update).



The connector must identify and contact a Domain Controller to accomplish either operation. Depending on the connector's configuration the Domain Controller may be identified by (1) the Target Server; (2) a DNS query; (3) a list of "specified servers," i.e. Domain Controller addresses. The error only ever arises in the cases of (2) and (3). In the case of (1) the code assumes connectivity. In the case of (2) and (3) the connector determines connectivity by performing a "ping" operation on each Domain Controller that was identified. The connector chooses the first Domain Controller that it's able to successfully ping.

To accomplish the ping the connector first attempts a simple anonymous bind to the LDAP Directory Service Agent (DSA) on default port 389. If that attempt fails the connector then attempts a simple anonymous bind on default SSL port 636. If either attempt succeeds then the connectivity is confirmed; otherwise, Error 5061 (ERROR_COULD_NOT_RETRIEVE_DC) results. It is often the case that this ping operation is failing in the customer's environment. Debug logging from the connector could help confirm.

The customer should confirm the ability to perform simple anonymous binds from their Password Authority Server to their Domain Controller's default LDAP DSA ports 389 and 636. If the customer has configured "specified servers" then they should confirm network connectivity to said servers; likewise, if they've opted for a DNS query then they should confirm the ability to query said DNS server and that the list of Domain Controllers returned by their DNS is valid. The connector has debugging available to assist with troubleshooting the DNS query.

The Windows Agent connector uses legacy-style debug logging which means setting the log level in is insufficient. To activate logging create the subdirectory $CSPM_SERVER_HOME/cspmserver/config/targetapplications and then create a file at that location called "". Edit the file to include a single line of text as follows: "debug=true". Restart Password Authority (Tomcat) and then observe debug messages emitted into the Tomcat (catalina.out) log file.