
Azure domain controller lost connection with local domain controller

James Ogar Admin 0 Reputation points
2026-05-14T18:04:34.98+00:00


Our Azure domain controller lost connection with only 1 site's domain controller; 3 other sites connect fine.

Azure Virtual Machines

An Azure service that is used to provision Windows and Linux virtual machines.


1 answer

  1. AI answer

    2026-05-14T18:04:50.6133333+00:00

    Use standard domain controller connectivity and DC locator troubleshooting on both the Azure DC and the affected site DC.

    1. Verify basic network connectivity
      1. From the Azure DC, run ipconfig /all and confirm:
        • Correct IP, subnet, default gateway.
        • DNS servers point only to internal AD DNS servers, not public DNS.
      2. From the Azure DC, ping the affected site DC by:
        • IP address.
        • Hostname.
        • FQDN.
      3. From the affected site DC, do the same tests back to the Azure DC.
      4. If ping fails in either direction, check site-to-site VPN, NSGs, firewalls, and routing between Azure and that specific site.
    2. Check ports and firewalls
      1. Use PortQry (from a management machine or the Azure DC) against the affected site DC's FQDN and query the "Domains and Trusts" service set, focusing on UDP/389 (LDAP) and UDP/53 (DNS).
      2. Ensure all required AD ports (especially LDAP 389/636, Kerberos 88, DNS 53, RPC 135, and dynamic RPC range) are allowed between the Azure DC and that site DC.
      3. If any port is blocked only for that site, fix firewall/NSG rules.
    3. Validate DNS and DC locator
      1. On the Azure DC, run:
              nslookup <SiteDC_FQDN>
              nslookup guid._msdcs.<forest_root_domain>
        
        Confirm both resolve to the correct IPs.
      2. If nslookup fails for the site DC or GUID records, on the affected DC:
        • Run ipconfig /registerdns.
        • Restart the Netlogon service to re-register SRV records.
      3. On the Azure DC, run:
              nltest /dsgetdc:<DomainName> /force /kdc
        
        Confirm the affected site DC appears as an available DC or at least that a DC is discoverable.
    4. Run health checks on both DCs
      1. On both the Azure DC and the affected site DC, run:
              dcdiag /v > dcdiag.txt
        
        Review for DNS, Netlogon, replication, or locator errors.
      2. If the affected DC is suspected to have issues, enable Netlogon debug logging on it:
              nltest /dbflag:0x2000ffff
        
        Then review %windir%\Debug\Netlogon.log for locator and authentication errors.
    5. Check replication and quarantine state
      1. In Active Directory Sites and Services, verify:
        • The Azure DC and the affected site DC are in correct sites and subnets.
        • Replication connections exist between the site and the Azure DC (directly or via hub DCs).
      2. If the affected DC is quarantined (not replicating with others):
        • On that DC, run:
                  repadmin /options <ServerName> -DISABLE_INBOUND_REPL
                  repadmin /options <ServerName> -DISABLE_OUTBOUND_REPL
          
        • If needed, create a new replication connection to another DC in the same site.
    6. Use LDP/LDAP to verify connectivity
      1. From a management machine or the Azure DC, use Ldp.exe to connect and bind to the affected site DC.
      2. If LDAP bind fails, focus on network/firewall and DNS between Azure and that site.
    7. If still unresolved
      1. Capture traffic with a network monitor (for example, Wireshark) between the Azure DC and the affected site DC to see where packets are dropped.
      2. Check system, Directory Service, DNS, and NETLOGON event logs on both DCs for errors related to DC locator, Kerberos, or replication.

    These steps will isolate whether the issue is network/firewall, DNS/DC locator, or a health/replication problem specific to that site DC.


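As an added example that is not part of the answer above, the following PowerShell script runs the port, DNS/DC-locator and replication checks from steps 2, 3 and 5 in one pass from the Azure DC against the one site DC that stopped connecting. The DC name and forest root are placeholders; it uses only the built-in Test-NetConnection, Resolve-DnsName and repadmin tools.

```powershell
# Added example, not code from the original answer. Run in an elevated PowerShell
# session on the Azure DC. Replace the two placeholders with your own names.
param(
    [string]$SiteDc     = 'DC-SITE1.corp.example.com',   # assumption: affected site DC FQDN
    [string]$ForestRoot = 'corp.example.com'             # assumption: forest root domain
)

# Static TCP ports AD DS needs between DCs. The dynamic RPC range (49152-65535 by
# default) is not enumerated: if 135 answers but replication still fails, check that range.
$ports = [ordered]@{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP';
                     445='SMB'; 636='LDAPS'; 3268='Global Catalog' }

Write-Host "== TCP port reachability to $SiteDc =="
$portResults = foreach ($p in $ports.Keys) {
    $t = Test-NetConnection -ComputerName $SiteDc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Service = $ports[$p]
                       Reachable = $t.TcpTestSucceeded; RemoteIp = $t.RemoteAddress }
}
$portResults | Format-Table -AutoSize
$blocked = $portResults | Where-Object { -not $_.Reachable }
if ($blocked) { Write-Warning "Blocked for this site only? Check NSG/firewall/VPN: $($blocked.Port -join ', ')" }

Write-Host "== DC locator SRV records under _msdcs.$ForestRoot =="
# Every healthy DC registers itself here; if the site DC is missing, run
# ipconfig /registerdns and restart Netlogon on that DC (step 3.2 above).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestRoot" -Type SRV -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
if ($srv.NameTarget -notcontains $SiteDc) {
    Write-Warning "$SiteDc has no SRV record; DC locator cannot find it from Azure."
}

Write-Host "== Inbound replication status reported by $SiteDc =="
# repadmin /showrepl /csv emits one row per naming context and source partner;
# a non-zero 'Number of Failures' with a recent 'Last Failure Time' means the DC is
# effectively quarantined and step 5.2 applies.
try {
    $rows = repadmin /showrepl $SiteDc /csv | ConvertFrom-Csv
    $rows | Select-Object 'Naming Context', 'Source DSA', 'Number of Failures',
                          'Last Success Time', 'Last Failure Status' | Format-Table -AutoSize
    $failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
    if ($failing) { Write-Warning "Replication failures on $SiteDc; review dcdiag /v and repadmin /options." }
} catch {
    Write-Warning "repadmin could not reach $SiteDc over RPC: $($_.Exception.Message)"
}
```

The blocked-port and missing-SRV warnings correspond to the network/firewall and DNS/DC-locator branches of the answer; a clean pass on both with replication failures points at a health problem on that site DC.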
