NLA fails to identify domain network

Fábián Gábor 26 Reputation points
2022-05-13T07:25:53.447+00:00

Dear Forum members,

I am stuck a bit with the following issue:

We have several sites which are all connected with VPN to the HQ. We have DCs on each site but the PDC is located at the HQ. When there is a VPN connection and the PDC is reachable everything is fine. NLA identifies as it's supposed to. The problem arises when for whatever reason there is no VPN connection at all. In this case even if we have DCs locally + Exchange servers the NLA fails to authenticate, which basically causes the whole site to stop working as there is no domain authentication, so no file share, no printing, no Outlook.
I learned that a so-called LDAP UDP ping is supposed to be operating with the PDC, so NLA works correctly only if it's reachable, but is there any workaround to bypass this? I mean, as a site having a DC I should be able to authenticate and use services which are on my site. Is it the expected and normal behavior or am I missing something here? If this is supposed to work like this then it's a huge bottleneck :/
Environment is Windows Server 2016 + Windows 10 LTSC
Thanks


Accepted answer
  1. Dave Patrick 426K Reputation points MVP
    2022-05-16T13:30:57.827+00:00

    Looks like it should have worked. Something else might be broken. Please run:

    Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
    repadmin /showrepl >C:\repl.txt
    ipconfig /all > C:\dc1.txt
    ipconfig /all > C:\dc2.txt
    ipconfig /all > C:\dc3.txt
    ipconfig /all > C:\problemmember.txt

    then put unzipped text files up on OneDrive and share a link.


5 additional answers

  1. rr-4098 1,111 Reputation points
    2022-05-13T14:28:55.493+00:00

    Is a DNS suffix defined for the clients? The following article is old but does have some helpful information: https://www.mcbsys.com/blog/2018/03/network-location-awareness-doesnt-identify-domain/

    Digging into NLA
    Today I decided to dig into this further to see if I could come up with a better solution.

    Then I found this TechNet blog article on how the NLA service works. The big news to me in that article is this: “If the Connection Specific DNS Name matches the HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName registry key then the machine will attempt to contact a Domain Controller via LDAP.”
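The question and the answer above both come down to the same three prerequisites: the connection-specific DNS suffix, the NetworkName value Group Policy recorded, and whether a domain controller for that name answers LDAP from the site. The script below is an added diagnostic example, not code from this thread, from the linked article or from Microsoft. It assumes the registry location quoted above (a NetworkName value under the Group Policy\History key), uses only built-in cmdlets available on Windows 10 / Server 2016, and the function name and output layout are my own. Run it in an elevated PowerShell session on an affected member at the site while the VPN is down.

```powershell
# Added example (not part of the thread): NLA prerequisite check for a domain-joined
# Windows 10 / Server 2016 member. Compares the connection-specific DNS suffix with the
# NetworkName value Group Policy recorded, lists the DCs DNS offers for that domain,
# and tests LDAP (TCP 389) reachability to each. Function name and object layout are
# my own; the registry value is the one quoted from the TechNet article above.
#Requires -Version 5.1

function Get-NlaDiagnostics {
    [CmdletBinding()]
    param(
        # DNS name of the domain NLA should detect; defaults to the computer's own domain.
        [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
    )

    # 1. NetworkName recorded by Group Policy (the value NLA is said to compare against).
    $gpHistory   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $networkName = (Get-ItemProperty -Path $gpHistory -Name NetworkName -ErrorAction SilentlyContinue).NetworkName

    # 2. Connection-specific DNS suffix per connected interface, plus the profile NLA assigned.
    $profiles = Get-NetConnectionProfile
    $adapters = foreach ($dns in Get-DnsClient) {
        $profile = $profiles | Where-Object InterfaceIndex -eq $dns.InterfaceIndex
        if (-not $profile) { continue }   # interface has no active connection profile
        [pscustomobject]@{
            Interface       = $dns.InterfaceAlias
            DnsSuffix       = $dns.ConnectionSpecificSuffix
            SuffixMatchesGp = [bool]($networkName -and ($dns.ConnectionSpecificSuffix -ieq $networkName))
            NetworkCategory = $profile.NetworkCategory   # DomainAuthenticated is the expected result
        }
    }

    # 3. Domain controllers DNS advertises for this domain (SRV lookup; does not need the PDC).
    $dcs = @()
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        foreach ($record in $srv) {
            # NLA itself sends an LDAP UDP ping, which Test-NetConnection cannot reproduce;
            # a DC answering TCP 389 is at least routable from this site and listening.
            $tcp = Test-NetConnection -ComputerName $record.NameTarget -Port 389 -WarningAction SilentlyContinue
            $dcs += [pscustomobject]@{
                DomainController = $record.NameTarget
                Ldap389Open      = $tcp.TcpTestSucceeded
            }
        }
    } catch {
        Write-Warning "SRV lookup for ${Domain} failed: $($_.Exception.Message)"
    }

    # 4. The DC the locator picks right now, i.e. the one an LDAP bind from this host would use.
    $locatedDc = $null
    try {
        $ctx       = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
        $locatedDc = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindDomainController().Name
    } catch {
        Write-Warning "DC locator failed for ${Domain}: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Domain            = $Domain
        GpNetworkName     = $networkName
        Adapters          = $adapters
        DomainControllers = $dcs
        LocatedDc         = $locatedDc
    }
}

$result = Get-NlaDiagnostics
$result | Select-Object Domain, GpNetworkName, LocatedDc | Format-List
$result.Adapters          | Format-Table -AutoSize
$result.DomainControllers | Format-Table -AutoSize
```

Reading the output: if SuffixMatchesGp is false on the LAN adapter, the suffix/NetworkName mismatch the quoted article describes is the first thing to fix; if it is true but every local DC shows Ldap389Open false, or LocatedDc is empty, the locator is not reaching the site's own DCs and the problem is DNS or DC health rather than NLA, which is what the accepted answer's dcdiag and repadmin output would then confirm.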


  2. Dave Patrick 426K Reputation points MVP
    2022-05-13T14:47:43.353+00:00

    This one should sort it.
    https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/firewall-profile-not-switch-to-domain

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Fábián Gábor 26 Reputation points
    2022-05-13T15:23:49.887+00:00

    Thanks for looking into my issue. I think I was not clear enough with the setup I have. VPN is not initiated by the clients. We have a Cisco router so a site2site or DMVPN is in place constantly. Router is the default gw.
    Latency can not be an issue. The clients are all connected to local LAN.
    DNS suffix has been set however I haven't checked the registry yet will do on Monday.
    Is it a normal behavior that the network connection is named as the root domain? So let's say it's whatever.local, however the sites are subdomains and named like a.whatever.local.
    Shall I see a.whatever.local or whatever.local?
    Thanks for your efforts anyways.


  4. rr-4098 1,111 Reputation points
    2022-05-16T12:26:14.227+00:00

    I am not an expert on NLA, but if you remove the network cable it is then "off the network", so wouldn't it make sense that the network profile changes? If you need to set the firewall profile to a specific profile, you could use a GP to set it.

    Just a thought.