OryisiRobert-3472 asked JohnPeachey-4880 commented

Network location awareness not detecting domain network from offsite location

The issue occurred after we started migrating our offsite workstations to Win 10. After joining the computers to the domain, they show an unidentified network connection instead of a domain network connection. The computer is located at an offsite location and was migrated to Win 10. NLA was working normally while it was still a Win 7 workstation.

A registry workaround was applied and the computer was able to detect the domain network connection, but there are times when the connection is still set to unidentified network. The NLA service startup type has been set to Automatic (Delayed Start).

Thanks in advance.


SunnyQi-MSFT answered JohnPeachey-4880 commented


Thanks for posting in Q&A platform.

After the machine reboots, before the NIC adapter initializes, NLASVC attempts domain detection. If that detection fails, the negative result is cached, and even after the NIC initializes the machine still applies the cached information and hence detects an unidentified network.

Please try to modify the following registry keys to see if the issue can be resolved:

First, disable the Domain Discovery negative cache by adding the NegativeCachePeriod registry value to the following subkey:

Name: NegativeCachePeriod
Value Data: 0 (default value: 45 seconds; set to 0 to disable caching)

If the issue is not resolved, further disable the DNS negative cache by adding the MaxNegativeCacheTtl registry value to the following subkey:

Name: MaxNegativeCacheTtl
Value Data: 0 (default value: 5 seconds; set to 0 to disable caching)

Note: This registry key disables the domain detection negative cache. NLA normally detects the domain multiple times during network setup (triggered by a route change, IP address change, etc.). But if the first detection fails with a negative result (such as ERROR_NO_SUCH_DOMAIN), that negative result is cached in Netlogon and reused in the next NLA domain discovery.

There is also another registry key we need to add:

Add a DWORD parameter: AlwaysExpectDomainController

Set value to: 1

Note: This registry key alters the behavior when NLA retries domain detection.

Best Regards,

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

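The three registry changes in the answer above, applied as one script with a backup and a verification step. This is an added example, not code from the original thread or from Microsoft. The answer as extracted here does not show the subkey paths, so the paths below are assumptions taken from the documented locations of these values: NegativeCachePeriod under Netlogon\Parameters, MaxNegativeCacheTtl under Dnscache\Parameters, and AlwaysExpectDomainController under NlaSvc\Parameters. Run it elevated and reboot afterwards.

```powershell
# Added example (not from the thread): apply the three values SunnyQi-MSFT lists,
# record the previous values so the change can be reverted, and verify the result.
# The subkey paths are ASSUMED (not shown on the page); check them against your
# own Microsoft documentation before rolling this out with Group Policy or Intune.

#Requires -RunAsAdministrator

$settings = @(
    # Netlogon domain-discovery negative cache (default 45 s; 0 disables it)
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'NegativeCachePeriod';         Value = 0 }
    # DNS client negative cache TTL (default 5 s; 0 disables it)
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name = 'MaxNegativeCacheTtl';         Value = 0 }
    # NLA: keep retrying DC detection instead of settling on a non-domain profile
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters';   Name = 'AlwaysExpectDomainController'; Value = 1 }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value does not exist, so "absent" is distinguishable from 0.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# 1. Record what is there today so the change can be reverted later.
$backup = foreach ($s in $settings) {
    [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Before = (Get-RegDword -Path $s.Path -Name $s.Name) }
}
$backupFile = Join-Path $env:ProgramData 'nla-negcache-backup.json'
$backup | ConvertTo-Json | Set-Content -Path $backupFile -Encoding UTF8
Write-Host "Previous values saved to $backupFile"

# 2. Apply the values as REG_DWORD, creating a subkey if it does not exist yet.
foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
}

# 3. Verify, and fail loudly if anything did not stick.
$bad = foreach ($s in $settings) {
    $now = Get-RegDword -Path $s.Path -Name $s.Name
    if ($now -ne $s.Value) { "$($s.Path)\$($s.Name) is '$now', expected $($s.Value)" }
}
if ($bad) { throw ($bad -join "`n") }

# 4. Show which profile each adapter is on right now. After a reboot the adapter
#    that reaches the DC should report DomainAuthenticated.
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory
Write-Host 'Values applied; reboot so NLA re-runs domain detection with the new settings.'
```

The backup file is the point of step 1: AlwaysExpectDomainController is undocumented (as later comments note), so keep a way to put the machine back to defaults if it misbehaves.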

Thanks for your response, Sunny. Actually, we had applied the first two options before I posted this question. It worked for a while, and then the connection was detected as an unidentified network again. I have added the 3rd registry key as you recommended, and it works now. I will keep monitoring and keep you posted. Thank you for your support.


Is this still working for you? I'm having the same issue.

EDIT: I've rolled out all three registry keys above to a small subset of my users with success so far. None of them have experienced the issue again. And most importantly none of them seem to have any new issues despite the complete lack of documentation on AlwaysExpectDomainController.


Thank you so much for this solution! I have been trying to resolve this frustrating issue on multiple computers in multiple domains, and it's especially difficult with remote users using a VPN connection to the domain. I have talked to many experts who say this is an issue with Windows Firewall and that specifying a DNS suffix will work, but this solution (I just added all 3 registry keys the first try) finally worked.

For anyone else looking at this problem, this should be especially helpful for VPN users and remote workers because this directly addresses the issue of no domain connection at logon.


Sunny Qi
You have answered a question that has been plaguing servers for over a decade
I thank you so much
Never have heard of the key AlwaysExpectDomainController
Cannot wait to try it out
Thanks again


Thanks Sunny, I am another person who is extremely grateful for a working solution after nearly 2 days of trying to get to the bottom of it.

DSPatrick answered Shane-6631 commented

Computer is located at offsite location

How are you connecting to the domain? When NLA starts to detect the network location, the machine contacts a domain controller via port 389. If this detection is successful, it gets the domain firewall profile (allowing the correct ports) and we cannot change the network location profile.
If the domain was not found or the process failed, NLA lets you determine which firewall profile will be used, private or public.

--please don't forget to Accept as answer if the reply is helpful--


Is this UDP or TCP 389?


Late answer, but in my case: This primarily affects users connecting to the domain via SSL VPN connections. So there may be several minutes (or hours) between the time they log onto Windows and when they connect to the domain.

This SSL VPN client creates a virtual NIC that shows as "disconnected" before the connection, so I would have assumed that connecting to the VPN causes that virtual NIC to "connect" and would go through the same NLA process as connecting a physical LAN cable. But in a small but not insignificant number of cases, the network connection will hang at "identifying network".

So it is not detected as a domain network, AND Windows never prompts the user to select the network type either. (This is in my experience anyway, I'm not the original poster)

Sunny Qi's answer above helped me, but my supervisor also does not like the idea of having to set registry keys to assume a domain network since all of our users are remote and usually aren't connected to the domain. Another solution I have found for this is to restart the NLA and Network List Service in Services (which usually also requires me to stop the process first, which is annoying). This can be done on an as-needed basis.

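A diagnostic for the condition the answer above describes (a domain controller reachable on port 389) and for the workaround the last commenter uses (restarting NLA). This is an added example, not code from anyone in the thread. It assumes the joined domain's DNS name is in USERDNSDOMAIN, and it probes TCP 389 only: Test-NetConnection cannot send a UDP probe, so it does not settle the UDP-or-TCP question asked in the comments.

```powershell
# Added example (not part of the thread): before blaming NLA, confirm the machine
# can actually reach a DC on LDAP/389 over the current (VPN) path, then show the
# profile NLA assigned. Optionally restart NLA to force re-detection, as one
# commenter does by hand. Assumptions: USERDNSDOMAIN holds the domain's DNS name;
# the SRV record _ldap._tcp.dc._msdcs.<domain> is how DCs are located.
param(
    [string]$Domain = $env:USERDNSDOMAIN,  # assumption: DNS name of the joined domain
    [switch]$RestartNla                    # opt-in: bounce NlaSvc (and dependents) as a workaround
)

if (-not $Domain) { throw 'USERDNSDOMAIN is empty: machine is not domain-joined or no logon session; nothing to test.' }

# 1. What does NLA currently believe? Expect DomainAuthenticated on the VPN adapter.
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory | Format-Table -AutoSize

# 2. Locate DCs via the same SRV record the DC locator uses. If this fails, the VPN
#    DNS settings are the problem, not NLA.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No SRV records for $Domain; DNS is not resolving the domain (is the VPN up?)." }

# 3. Probe LDAP (TCP) on every advertised DC. One reachable DC is enough for detection.
$results = foreach ($rec in $srv) {
    $tnc = Test-NetConnection -ComputerName $rec.NameTarget -Port $rec.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC      = $rec.NameTarget
        Port    = $rec.Port
        TcpOpen = $tnc.TcpTestSucceeded
        Via     = $tnc.SourceAddress.IPAddress   # which local interface the probe left from
    }
}
$results | Format-Table -AutoSize

if (-not ($results.TcpOpen -contains $true)) {
    Write-Warning 'No DC reachable on 389: an Unidentified/Public profile is expected here regardless of registry settings.'
    return
}

# 4. A DC is reachable but the profile is still not domain: a cached negative result
#    from an earlier attempt is the likely cause. Restarting NLA forces re-detection.
$wrong = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }
if ($wrong -and $RestartNla) {
    # Network List Service (netprofm) depends on NlaSvc; -Force restarts dependents too,
    # which is the "stop it first" step the commenter describes doing manually.
    Restart-Service -Name NlaSvc -Force -ErrorAction Stop
    Start-Sleep -Seconds 5
    Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory | Format-Table -AutoSize
}
```

Run it right after the VPN connects and again a few minutes later: if step 3 fails at first and succeeds later, the VPN tunnel is coming up after NLA has already given up, which is exactly the timing the negative-cache registry values are meant to cover.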
NamCt-4642 answered Shane-6631 commented

Question for Sunny,

Is it possible to have more details on what the registry key AlwaysExpectDomainController = 1 changes in the Nlasvc behavior? I have not found any other reference to this key besides your mention of it.



Hey I had the exact same question. Here's what I got from another rep in a support request:

AlwaysExpectDomainController makes the device keep sending the SRV query requesting LDAP to the domain controller until it gets an answer.


I have tried this on my own computer, as well as several clients' machines, and I don't know the answer exactly but here is my experience. When I join a new network for the first time, it takes slightly longer (only a few seconds) to detect the network type and prompt me to select Private vs. Public. So I think there is a timeout for how long Windows will try to contact the Domain Controller before it gives up and assumes there isn't one.

The experience to my end users seems minimal, but has helped immensely for the machines that constantly had issues detecting the DC even when I had the domain name manually appended in the DNS settings.

PatrickLOUBET-3793 answered Shane-6631 commented

OMG! The only exact answer, among a thousand posts, to a question that was driving me crazy until we switched to Global Protect VPN.
Thanks a lot Sunny.
Isn't there a way for you Microsoft guys to publish that info widely? I am sure a lot of IT admins around the world are going bald over this :-)
Best regards


I came back to this recently after googling this issue, and at the very least this thread is now one of the first few Google results. Make sure to upvote Sunny's answer; if MS never makes this a knowledge article, at least this will be a top search result.
