The connector must identify and contact a Domain Controller to accomplish either operation. Depending on the connector's configuration the Domain Controller may be identified by (1) the Target Server; (2) a DNS query; (3) a list of "specified servers," i.e. Domain Controller addresses. The error only ever arises in the cases of (2) and (3). In the case of (1) the code assumes connectivity. In the case of (2) and (3) the connector determines connectivity by performing a "ping" operation on each Domain Controller that was identified. The connector chooses the first Domain Controller that it's able to successfully ping.
To accomplish the ping the connector first attempts a simple anonymous bind to the LDAP Directory Service Agent (DSA) on default port 389. If that attempt fails the connector then attempts a simple anonymous bind on default SSL port 636. If either attempt succeeds then the connectivity is confirmed; otherwise, Error 5061 (ERROR_COULD_NOT_RETRIEVE_DC) results.
The Windows Proxy connector uses legacy-style debug logging. To activate logging create the subdirectory $CSPM_SERVER_HOME/cspmserver/config/targetapplications and then create a file at that location called "windows.properties". Edit the file to include a single line of text as follows: "debug=true". Also set the tomcat loglevel to INFO in $CSPM_SERVER_HOME/cspmserver/config/systemConfiguration.properties. Restart Password Authority (Tomcat) and then observe debug messages emitted into the Tomcat (catalina.out) log file on UNIX, or stdout on Windows.