Windows 11 Cannot Join Domain — How to Fix
Fix common issues preventing a Windows 11 PC from joining an Active Directory domain, including DNS, secure channel, and account limit errors.
For cloud-managed environments, consider Microsoft Entra join instead of traditional domain join — see our Intune enrollment guide. Microsoft Entra join (cloud-only) is now the preferred approach for cloud-first organisations.
Overview
Joining a Windows 11 PC to an Active Directory domain should be straightforward, but it fails more often than you would expect. The most common error messages are:
- "The specified domain either does not exist or could not be contacted"
- "The join operation was not successful"
- "Your computer could not be joined to the domain — the maximum number of computer accounts has been reached"
- "Access is denied"
This guide covers every common cause and fix, ordered by likelihood.
Fix 1: DNS Configuration (Most Common)
The number one reason domain join fails is that the PC cannot find the domain controller because its DNS is pointing to the wrong server.
Check current DNS
```powershell
ipconfig /all | findstr "DNS Servers"
```
The DNS server must point to a domain controller (or a DNS server that hosts the AD-integrated zone). If it points to 8.8.8.8, 1.1.1.1, or your ISP's DNS, domain join will fail.
Fix DNS
```powershell
# Set DNS to the domain controller IP (replace with your DC's IP)
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "192.168.1.10","192.168.1.11"
```
Verify DNS resolution
```powershell
# This must resolve to your domain controller(s)
nslookup corp.example.com
# SRV records must exist
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com
```
If nslookup fails, DNS is the problem. Fix it before trying anything else.
On a DHCP network, configure the DHCP scope options to hand out domain controller IPs as DNS servers. This prevents the issue from recurring on new devices.
Fix 2: Network Connectivity
The PC must be able to reach the domain controller on the correct ports.
Test connectivity
```powershell
# Test LDAP
Test-NetConnection -ComputerName "dc01.corp.example.com" -Port 389
# Test Kerberos
Test-NetConnection -ComputerName "dc01.corp.example.com" -Port 88
# Test DNS
Test-NetConnection -ComputerName "dc01.corp.example.com" -Port 53
# Test SMB (for Group Policy download)
Test-NetConnection -ComputerName "dc01.corp.example.com" -Port 445
```
All four tests must succeed. If any fail, check:
- Firewall rules on the PC and DC
- VPN connectivity (if joining remotely)
- VLAN/subnet routing between the PC and DC
Fix 3: Computer Account Limit Reached
By default, authenticated users can join up to 10 computers to the domain. After that, you get "the maximum number of computer accounts has been reached."
Check the current limit
```powershell
# Run on the domain controller (requires the ActiveDirectory module)
# The quota is an attribute of the domain object itself, so read it with Get-ADObject;
# Get-ADDomain does not return it
Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object -ExpandProperty 'ms-DS-MachineAccountQuota'
```
Fix — Pre-stage the computer account
Instead of increasing the limit (which is a security risk), pre-stage the computer account:
- Open Active Directory Users and Computers on the DC
- Navigate to the target OU
- Right-click > New > Computer
- Enter the computer name
- On the PC, join the domain — it will use the pre-staged account
Alternatively, delegate domain join rights to a specific group:
```powershell
# Grant a group the right to create computer objects in a specific OU
dsacls "OU=Workstations,DC=corp,DC=example,DC=com" /G "CORP\IT-Staff:CC;computer"
```
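Computer objects created through the quota, rather than by an account with explicit create rights, carry the creator's SID in mS-DS-CreatorSID, so you can audit who has been consuming the quota before deciding whether to pre-stage or delegate. This is an added example, not from the original article; it assumes the ActiveDirectory module and is run on a domain controller or RSAT workstation.

```powershell
# Added audit script (not part of the article). Run where the ActiveDirectory module is available.
Import-Module ActiveDirectory

# Read the quota from the domain object (Get-ADDomain does not expose this attribute)
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# mS-DS-CreatorSID is populated only when the object was created via the quota,
# not when an admin or a group delegated CC;computer rights created it.
Get-ADComputer -Filter 'mS-DS-CreatorSID -like "*"' -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier ($_.'mS-DS-CreatorSID', 0)
        # Resolve the SID to a name; fall back to the raw SID if the creator no longer exists
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; Creator = $creator; Created = $_.whenCreated }
    } |
    Group-Object Creator | Sort-Object Count -Descending |
    Select-Object @{n = 'Creator'; e = { $_.Name }}, Count,
                  @{n = 'Computers'; e = { $_.Group.Computer -join ', ' }}
```

A creator at or near the quota explains the "maximum number of computer accounts" error; an unexpected creator with many objects is worth following up on.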
Fix 4: Secure Channel Broken (Rejoining)
If a PC was previously joined and its computer account password has expired (common after being off the network for 30+ days), you will see "the trust relationship between this workstation and the primary domain failed."
Fix without reimaging
```powershell
# Run as local admin on the affected PC
# Remove from domain (use local admin credentials)
Remove-Computer -UnjoinDomainCredential (Get-Credential) -Force -Restart
# After reboot, rejoin the domain
Add-Computer -DomainName "corp.example.com" -Credential (Get-Credential) -OUPath "OU=Workstations,DC=corp,DC=example,DC=com" -Restart
```
Or reset the secure channel without removing/rejoining:
```powershell
# Run as a domain user with rights to reset the computer account
Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```
Fix 5: Time Synchronisation
Kerberos authentication fails if the time difference between the PC and domain controller exceeds 5 minutes.
Check time difference
```powershell
# On the PC
w32tm /stripchart /computer:dc01.corp.example.com /dataonly /samples:3
```
Fix
```powershell
# Force time sync to the domain controller
w32tm /resync /force
```
If the PC is not yet domain-joined, manually set the time or configure NTP:
```powershell
Set-Service -Name w32time -StartupType Automatic
Start-Service w32time
w32tm /config /manualpeerlist:"dc01.corp.example.com" /syncfromflags:manual /update
w32tm /resync
```
Fix 6: Windows 11 Edition
Windows 11 Home cannot join an Active Directory domain. This is a hard limitation — no workaround exists.
Check edition
```powershell
(Get-CimInstance -ClassName Win32_OperatingSystem).Caption
```
If it reports "Windows 11 Home", the PC must be upgraded to Pro, Enterprise, or Education.
Upgrade from Home to Pro
- Go to Settings > System > Activation
- Click Change product key
- Enter a Windows 11 Pro product key
- Restart and attempt domain join again
Fix 7: IPv6 Issues
In some network configurations, IPv6 can interfere with domain join, especially if IPv6 DNS resolution returns incorrect results.
Temporary fix
Disable IPv6 on the network adapter:
```powershell
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6
```
Only disable IPv6 as a troubleshooting step. If domain join succeeds with IPv6 disabled, investigate your IPv6 DNS and routing configuration rather than leaving it permanently disabled.
Diagnostic Summary
| Error Message | Likely Cause | First Fix |
|---|---|---|
| "The specified domain does not exist" | Wrong DNS servers | Set DNS to domain controller |
| "Maximum number of computer accounts" | 10-machine limit | Pre-stage account or delegate rights |
| "Access is denied" | Insufficient permissions | Use a domain admin account or pre-stage |
| "Trust relationship failed" | Stale computer account | Reset secure channel or rejoin |
| "The RPC server is unavailable" | Network/firewall blocking | Test ports 88, 389, 445, 53 |
| "The specified network name is no longer available" | SMB connectivity issue | Check port 445 and SMB signing settings |
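The checks from Fix 1, 2, 5 and 6 can be run together as a single preflight before attempting the join, so the first failing item in the table above is found in one pass. This is an added script, not part of the original article; it assumes the domain name corp.example.com and the DC name dc01.corp.example.com, and runs on the Windows 11 PC being joined.

```powershell
# Added preflight check (not from the article). Assumed names: corp.example.com / dc01.corp.example.com
param(
    [string]$Domain = 'corp.example.com',
    [string]$Dc     = 'dc01.corp.example.com'
)
$checks = [ordered]@{}

# Fix 6: Windows 11 Home cannot join a domain
$caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$checks['Edition supports domain join'] = ($caption -notmatch 'Home')

# Fix 1: the configured resolvers must answer for the DC locator SRV record
$resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses).ServerAddresses -join ', '
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    $checks["DC SRV record resolves via $resolvers"] = @($srv | Where-Object Type -eq 'SRV').Count -gt 0
} catch {
    $checks["DC SRV record resolves via $resolvers"] = $false
}

# Fix 2: DNS, Kerberos, LDAP and SMB must all be reachable on the DC
foreach ($port in 53, 88, 389, 445) {
    $t = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
    $checks["TCP $port reachable on $Dc"] = [bool]$t.TcpTestSucceeded
}

# Fix 5: Kerberos rejects a clock skew above 5 minutes (300 s) by default.
# w32tm /stripchart /dataonly prints lines like "12:34:56, +00.0123456s"; parse the offset.
$sample = w32tm /stripchart "/computer:$Dc" /dataonly /samples:1 2>&1 |
    Select-String -Pattern ',\s*([+-]?\d+(\.\d+)?)s\s*$' | Select-Object -Last 1
if ($sample) {
    $skew = [math]::Abs([double]$sample.Matches[0].Groups[1].Value)
    $checks["Clock skew $skew s within 300 s"] = ($skew -lt 300)
} else {
    $checks['Clock skew measured (DC answered NTP on UDP 123)'] = $false
}

# Print a PASS/FAIL report; work through the first FAIL before attempting the join
$checks.GetEnumerator() | ForEach-Object {
    '{0}  {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
```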