Hi Domic, thank you very much for your response. I will pick a time to do so and test out tomorrow. I will keep you posted :)
Thank you again, and have a good rest of the day!
Takami Chiro
Remove obsolete domain controller _ldap records in DNS because current version of Windows 11 PC cannot join domain
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 89%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETC%3C/text%3E%3C/svg%3E)
Takami Chiro
291
Reputation points
Hello everyone,
Good afternoon! Hope you can help.
There are 2 Windows 2022 DCs running in my domain. It is running in 2016 Forest and Domain function level.
Now we tried to add a new PC with a most current version of Windows 11. But get the following error (older version of Windows 11 are fine to join the domain though) :
#############################
The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomainname
The following domain controllers were identified by the query:
OLD_DC1a.JUVNTAPPS
OLD_DC2a.juvntapps
juv-dc02.juvntapps
juv-dc01.juvntapps
However no domain controllers could be contacted.
Common causes of this error include:
- Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.
#############################
The PC failed to join the domain because of the OLD_DC1a and OLD_DC2a _ldap record according to the error. The two servers are no long in the network (note: I demoted one of them gracefully without any error while the other one could be done or left over by the old admin.)
When I do the nslookup, set type=all, and _ldap._tcp.dc._msdcs.juvntapps, on my working machine, I did see the obsolete records too. So I am not sure why the newer version of Windows would stop joining to the domain by looking into the wrong _ldap records while older version ran without any issue.
So I would like to remove the two old _ldap records from msdcs dc _tcp folder. Do you think it is safe to do so? Do you think if I need to do a clean up on other places? If I have problem with the records, I can just "remake" it.
Hope you can help! I appreciate it.
Takami Chiro
Windows for business | Windows Server | Directory services | Active Directory
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 33%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDV%3C/text%3E%3C/svg%3E)
Domic Vo 22,440 Reputation points Independent Advisor2025-08-26T20:46:14.91+00:00 Dear Mr. Chiro,
Based on your findings, it appears that the presence of obsolete SRV records for OLD_DC1a and OLD_DC2a in the
_ldap._tcp.dc._msdcs.juvntappszone is causing the domain join process to fail. While older versions of Windows may tolerate unreachable domain controllers during join operations, newer builds of Windows 11 enforce stricter validation, which can result in failure if invalid records are encountered.It is safe to remove the stale SRV records from DNS, especially if the associated domain controllers have been decommissioned. We recommend using DNS Manager to manually delete these entries and then running
ipconfig /flushdnson affected clients to clear cached results. Additionally, you may want to verify that corresponding Host (A) records and metadata in Active Directory Sites and Services have also been cleaned up to prevent replication or discovery issues.After cleanup, allow time for DNS replication across your environment and retry the domain join. If needed, you can recreate SRV records manually or trigger registration using
netlogonservice restarts on active domain controllers.I hope this helps. Just kindly tick Accept Answer that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
Best regards,
Domic Vo
-
Takami Chiro 291 Reputation points
2025-08-27T19:25:45.07+00:00 Hi Domic,
I have removed the two obsolete _ldap records as well as the _Keyberos. However, I still cannot join the domain. The Win11 version is 24H2...and I saw some other people also having the same issue.. I tried all those "potential solutions" but no luck.
Do you have any suggestions?
Thank you!
Takami Chiro
Sign in to comment -