Test Connectivity to an Active Directory Domain Controller from a PC

To test connectivity to an Active Directory domain controller (DC) from a Windows PC you can use several methods, which this article will outline.

In most cases, domain-joined computers have established connections to at least one Active Directory DC, and if there are no errors in that computer’s event log, then you may safely assume that AD connectivity functions correctly.

However, in some cases, the testing computers are not members of the tested Active Directory domain, because they are either part of a stand-alone network or located in a DMZ that prohibits connectivity to the DCs. In other scenarios, the testing computers may already be members of one AD domain, but the test has to be run against a different AD domain, just for testing purposes.
Note: The purpose of this article is not to provide troubleshooting steps for AD-related issues, or for AD-joined computers that fail to contact their DCs or have lost the secure channel with their DCs. The purpose of this article is to give you tips on how to verify that you can successfully connect to a DC from a specific computer, even if it is not domain joined.

Tools to Test Connectivity from a Windows PC to a DC

There are several tools and methods you can use to test connectivity to an Active Directory DC. Here are a few tools you should consider using:

Active Directory (AD) Explorer

This is a tool created by Sysinternals, which is now a part of Microsoft. It’s a stand-alone tool that’s useful for querying AD and performing various tasks. The official Microsoft description states:
“Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that you can save and re-execute.”
In the context of this article, AD Explorer is also useful for AD connectivity tests.
Download AD Explorer
Once you’ve downloaded the Microsoft Sysinternals AD Explorer tool, simply run the ADExplorer.exe file.
Type in the name of the DC you want to connect to and the credentials you want to bind with.
Note: If you provide credentials for a user that has Domain Admin or Enterprise Admin rights, then you will be able to perform actions on the AD tree. This means that one wrong move may render your AD useless. Be careful, and preferably use a user account that has read-only permissions to the AD tree.

Sysinternals Active Directory (AD) Explorer. (Image: Daniel Petri)

You can also use several built-in tools that are a part of the Windows OS. However, these tools require that you have the AD-DS Role administration tools. More on that in a moment.

LDP.EXE

LDP.EXE is a GUI tool that acts as a Lightweight Directory Access Protocol (LDAP) client, which lets you perform connect, bind, search, modify, add or delete operations against AD. LDP is used to view objects stored in AD along with their metadata and attributes. [LDP.EXE is available in Windows Server 2012–2025 and can be installed via RSAT on Windows 10/11.]
After you run LDP, connect to the DC:

Using LDP.EXE to test connectivity to an Active Directory DC. (Image: Daniel Petri)

Next, you need to bind as a user. If you’ve already logged on to the machine with the proper credentials, then you can use “Bind as currently logged on user.”

Using LDP.EXE to test connectivity to an Active Directory DC – Bind as User. (Image: Daniel Petri)
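
The connect and bind steps shown in LDP can also be scripted. The following is an added example, not part of the original article: it binds to a DC and reads rootDSE, and it separates "DC unreachable" from "credentials rejected". The function name Test-LdapBind is hypothetical, and Windows PowerShell 5.1 or later is assumed.

```powershell
# Added example (not from the original article): connect, bind and read rootDSE,
# the same sequence performed manually in LDP. Function name is illustrative.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,  # DC name or IP
        [int] $Port = 389,
        [pscredential] $Credential                # omit to bind as the logged-on user
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    # Negotiate (Kerberos/NTLM) keeps the password off the wire on plain TCP 389.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Timeout  = [TimeSpan]::FromSeconds(10)
    $out = [ordered]@{ Server = $Server; Port = $Port; Status = 'OK'; Detail = '' }
    try {
        if ($Credential) { $conn.Bind($Credential.GetNetworkCredential()) }
        else             { $conn.Bind() }
        # rootDSE: empty base DN, base scope. A read-only query, nothing is modified.
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            '', '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('dnsHostName', 'defaultNamingContext'))
        $entry = $conn.SendRequest($req).Entries[0]
        $out.Detail = '{0} ({1})' -f $entry.Attributes['dnsHostName'][0],
                                     $entry.Attributes['defaultNamingContext'][0]
    } catch {
        # .NET exceptions arrive wrapped; walk the chain to the LdapException.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.DirectoryServices.Protocols.LdapException]) {
            $ex = $ex.InnerException
        }
        if ($ex) {
            $out.Status = switch ($ex.ErrorCode) {
                81      { 'UNREACHABLE' }        # LDAP_SERVER_DOWN
                49      { 'BAD_CREDENTIALS' }    # LDAP_INVALID_CREDENTIALS
                default { "LDAP_ERROR_$($ex.ErrorCode)" }
            }
            $out.Detail = $ex.Message
        } else {
            $out.Status = 'ERROR'; $out.Detail = $_.Exception.Message
        }
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$out
}
```

Call it as `Test-LdapBind -Server <DC_name>`, adding `-Credential (Get-Credential)` when testing from a machine that is not joined to the target domain.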

How do we get these tools? The answer depends on the version of your operating system. If you’re using Windows Server 2012/R2, then they are already included in the OS image, and all you need to do is to activate them by enabling the AD-DS management tools.

Warning: Be careful when trying to enable the AD-DS management tools. Some users may not notice the difference, but if you add the AD-DS Role you will actually configure this server to be a domain controller (well, part of the way, there is an additional step you need to do, but even so, you don’t want this to happen by mistake). You must add the AD-DS management tools that are part of the Remote Server Administration Tools (RSAT) feature, and not the role!
To install the tools on Windows Server 2012/R2:
Use Server Manager > Manage > Add Roles and Features

Installing the RSAT tools on Windows Server 2012 R2. (Image: Daniel Petri)

On desktop OSs such as Windows 7/8/8.1 you need to download the RSAT package from Microsoft and install it on the machine. [Note: On Windows 10 version 1809 and later, and Windows 11, RSAT is included as an optional feature and can be installed via “Settings > Apps > Optional Features” or with PowerShell.]
To install tools on Windows 7:
Download Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) from Official Microsoft Download Center.
To install tools on Windows 8:
Download Remote Server Administration Tools for Windows 8 from Official Microsoft Download Center.
To install tools on Windows 8.1:
Download Remote Server Administration Tools for Windows 8.1 from Official Microsoft Download Center.

PortQry

The PortQry utility is a command line utility that you can use to help troubleshoot TCP/IP connectivity issues. It was originally located in the Windows Server 2003 Support Tools, but you can download a new version of the PortQry Command Line Port Scanner from the Official Microsoft Download Center.
You can also download the GUI version of PortQry from the Official Microsoft Download Center.
First, remember that there are several ports that are required when you connect to an Active Directory Domain Controller:
TCP 88 (Kerberos)
TCP 135 (RPC)
TCP 389 (LDAP)
TCP 445 (CIFS)
TCP 3268 (Global Catalog)
And others.
We can use PortQry to test any of these ports. For example, to test LDAP on TCP 389:

portqry -n <DC_name> -e 389 -p tcp

This is an example output for the above command:

Output from the PORTQRY.EXE command. (Image: Daniel Petri)


And here is the same example when using the GUI version:

Output from the GUI variant of PORTQRY.EXE. (Image: Daniel Petri)
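
Where PortQry is not installed, the ports listed above can be checked in one pass from PowerShell. This is an added example, not part of the original article: the function name Test-DcPort and the DC name in the usage comment are placeholders, and the states follow PortQry's LISTENING / NOT LISTENING / FILTERED convention.

```powershell
# Added example (not from the original article): TCP reachability check for the
# AD ports listed above. Function name and DC name are illustrative assumptions.
$AdPorts = @(
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 135;  Service = 'RPC' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'CIFS' }
    @{ Port = 3268; Service = 'Global Catalog' }
)

function Test-DcPort {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $TimeoutMs = 3000
    )
    foreach ($p in $AdPorts) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state  = 'FILTERED'          # default: no answer before the timeout
        $detail = "no response within $TimeoutMs ms"
        try {
            if ($client.ConnectAsync($Server, $p.Port).Wait($TimeoutMs)) {
                $state = 'LISTENING'; $detail = 'TCP handshake completed'
            }
        } catch {
            # Unwrap to the innermost exception, normally a SocketException.
            $ex = $_.Exception.GetBaseException()
            $detail = $ex.Message
            if ($ex -is [System.Net.Sockets.SocketException]) {
                switch ($ex.SocketErrorCode) {
                    'ConnectionRefused' { $state = 'NOT LISTENING' }
                    'HostNotFound'      { $state = 'NAME NOT RESOLVED' }
                    default             { $state = 'ERROR' }
                }
            } else { $state = 'ERROR' }
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            Server = $Server; Port = $p.Port; Service = $p.Service
            State  = $state;  Detail = $detail
        }
    }
}

# Example call with a placeholder DC name:
# Test-DcPort -Server 'dc01.example.test' | Format-Table -AutoSize
```

A FILTERED result on every port usually points to a firewall between the PC and the DC, while NAME NOT RESOLVED means the test never left DNS resolution.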

FAQs

How can I test Active Directory connectivity in a multi-forest environment without compromising security?

To test AD connectivity across multiple forests, use dedicated test accounts with limited permissions, implement cross-forest trust settings, and utilize network monitoring tools like Wireshark to verify connection flows while maintaining security protocols.

What are the best practices for testing Active Directory connectivity during a site failover scenario?

During site failover testing, ensure proper replication monitoring, verify DNS settings, test AD connectivity from multiple locations, and maintain detailed logs of connection attempts and response times while following your disaster recovery protocol.

How often should Active Directory connectivity testing be performed in an enterprise environment?

Enterprise environments should conduct comprehensive AD connectivity tests at least quarterly, with automated daily connectivity checks, weekly port availability scans, and monthly authentication validation to ensure optimal performance.

What are the common firewall configurations that can affect Active Directory connectivity testing?

When testing AD connectivity through firewalls, ensure proper configuration of stateful inspection, verify Network Address Translation (NAT) settings, and confirm that all required AD ports are correctly configured in both directions.

How can I automate Active Directory connectivity testing in a cloud-hybrid environment?

Implement PowerShell scripts for automated AD connectivity testing, utilize cloud monitoring services, set up scheduled connection health checks, and configure alerts for any connectivity issues between on-premises and cloud AD infrastructure.