FbinGbor-0514 asked DSPatrick commented

NLA fails to identify domain network

Dear Forum members,

I am stuck a bit with a following issue:

We have several sites which are all connected with VPN to the HQ. We have DCs on each site, but the PDC is located at the HQ. When there is a VPN connection and the PDC is reachable, everything is fine: NLA identifies the network as it's supposed to. The problem arises when, for whatever reason, there is no VPN connection at all. In this case, even though we have DCs locally plus Exchange servers, the NLA fails to authenticate, which basically causes the whole site to stop working, as there is no domain authentication, so no file shares, no printing, no Outlook.
I learned that a so-called LDAP UDP ping is supposed to be operating with the PDC, so NLA works correctly only if it's reachable, but is there any workaround to bypass this? I mean, as a site having a DC, I should be able to authenticate and use the services which are on my site. Is this the expected and normal behavior, or am I missing something here? If it is supposed to work like this, then it's a huge bottleneck :/
Environment is Windows Server 2016 + Windows 10 LTSC.
Thanks

Tags: windows-server, windows-active-directory, windows-10-network

DSPatrick answered DSPatrick commented

Looks like it should have worked. Something else might be broken. Please run:

Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\dc3.txt
ipconfig /all > C:\problemmember.txt

then put unzipped text files up on OneDrive and share a link.


I made some progress finally.
So the binary key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests is the one which caches the network name for the domain network.
I removed the key, then disconnected the VPN, restarted my workstation, and magically I have the network name from my own DC.

Unfortunately, with Exchange 2016 and lots of universal security groups we still need communication with the PDC and the root forest, but at least the site is working: there is name resolution, file share access, and printing through print servers works.
Thanks for your efforts. Appreciate it anyways!

0 Votes 0 ·

Glad to hear. Please don't forget to close up the thread by 145510-image.png
0 Votes 0 ·

Sorry for my dumb question, but how can I close the thread? Normally I am not this retarded, and I even contacted the Spanish guy called "manual", and it says click the gear icon and select close, but if I click on the gear icon there is no such option :(

0 Votes 0 ·
rr-4098 answered FbinGbor-0514 commented

Is a DNS suffix defined for the clients? The following article is old but does have some helpful information: https://www.mcbsys.com/blog/2018/03/network-location-awareness-doesnt-identify-domain/

Digging into NLA
Today I decided to dig into this further to see if I could come up with a better solution.

Then I found this TechNet blog article on how the NLA service works. The big news to me in that article is this: “If the Connection Specific DNS Name matches the HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName registry key then the machine will attempt to contact a Domain Controller via LDAP.”


I also found this one. The suffix has been set; however, I haven't checked the registry yet. Will do on Monday.
The DC is absolutely reachable, as it's connected to the same local LAN.

0 Votes 0 ·

I checked, and it seems valid, so it correlates with my DC. Still, if there is no VPN and the PDC is unreachable, then local authentication on the site with the DCs becomes unavailable.
When there is VPN, the network is identified as xxx.local. The site itself is named A.XXX.LOCAL!

Any more recommendations?

0 Votes 0 ·
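The two checks discussed in this thread (the connection-specific DNS suffix against the Group Policy History NetworkName value quoted above, and the NLA IntranetForests cache the original poster cleared) can be gathered in one pass on the affected workstation. This is an added diagnostic, not code from the thread or from Microsoft; the DC name is a placeholder to replace with a DC on the site LAN, and the NetworkName is assumed to be a value under the History key as the quoted article describes.

```powershell
# Added example: collect the NLA prerequisites discussed in the thread on a branch-site
# domain member. Run in an elevated PowerShell on the affected Windows 10 / Server 2016 box.
param(
    # Hypothetical local DC reachable without the VPN; replace with a real site DC
    [string]$LocalDc = "dc1.a.whatever.local"
)

# 1. Connection-specific DNS suffix of each adapter (what NLA compares)
$suffixes = Get-DnsClient |
    Where-Object { $_.ConnectionSpecificSuffix } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix

# 2. Network name NLA matches the suffix against (path quoted from the TechNet article in the thread;
#    NetworkName assumed to be a value under the History key)
$gpHistory   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$networkName = (Get-ItemProperty -Path $gpHistory -ErrorAction SilentlyContinue).NetworkName

# 3. Cached intranet forest entries (the key the original poster deleted to get the local DC recognised)
$nlaCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests'
$cached   = Get-ItemProperty -Path $nlaCache -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS*

# 4. Is the local DC reachable over LDAP (TCP 389) from this host right now?
$ldap = Test-NetConnection -ComputerName $LocalDc -Port 389 -WarningAction SilentlyContinue

# 5. What profile did NLA actually assign? Success is NetworkCategory = DomainAuthenticated
$profiles = Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

# One object per host; compare the SuffixMatchesNetworkName and LocalDcLdapReachable
# columns with and without the VPN up to see which prerequisite is failing
[pscustomobject]@{
    DnsSuffixes              = ($suffixes | ForEach-Object { "$($_.InterfaceAlias)=$($_.ConnectionSpecificSuffix)" }) -join '; '
    GpHistoryNetworkName     = $networkName
    SuffixMatchesNetworkName = [bool]($suffixes.ConnectionSpecificSuffix -contains $networkName)
    NlaIntranetForestCache   = $cached
    LocalDcLdapReachable     = $ldap.TcpTestSucceeded
    NetworkCategory          = ($profiles | ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join '; '
}
```

Run it once with the VPN up and once with it down; a suffix that matches NetworkName and a reachable LDAP port but a profile that still is not DomainAuthenticated points at the cached forest entries rather than at DNS or connectivity.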
DSPatrick answered

This one should sort it.
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/firewall-profile-not-switch-to-domain

--please don't forget to upvote and Accept as answer if the reply is helpful--


FbinGbor-0514 answered FbinGbor-0514 edited

Thanks for looking into my issue. I think I was not clear enough about the setup I have. The VPN is not initiated by the clients. We have a Cisco router, so a site-to-site VPN or DMVPN is in place constantly. The router is the default gateway.
Latency cannot be an issue. The clients are all connected to the local LAN.
The DNS suffix has been set; however, I haven't checked the registry yet. Will do on Monday.
Is it normal behavior that the network connection is named after the root domain? So let's say it's whatever.local; however, the sites are subdomains and named like a.whatever.local.
Shall I see a.whatever.local or whatever.local?
Thanks for your efforts anyways.


Regardless, I'd try the regedits mentioned here.
https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/firewall-profile-not-switch-to-domain

--please don't forget to upvote and Accept as answer if the reply is helpful--

0 Votes 0 ·

Fair enough. I will do so and will get back to you on Monday.
Cheers

0 Votes 0 ·

Sounds good.


0 Votes 0 ·
rr-4098 answered FbinGbor-0514 commented

I am not an expert on NLA, but if you remove the network cable it is then "off the network", so wouldn't it make sense that the network profile changes? If you need to set the firewall profile to a specific profile, you could use a GPO to set it.

Just a thought...


Removing the cable means cutting the VPN connection between the branch office and the HQ. The LAN connection is still available. I kinda figured out that it's the expected behavior unfortunately, as NLA expects a connection to the PDC anyway. As it's located at the HQ, the branch will fail.

1 Vote 1 ·
DSPatrick answered FbinGbor-0514 commented

What is the result of this (using your local DC)?

 Test-NetConnection -ComputerName "192.168.49.65" -Port 389 -InformationLevel "Detailed"


ComputerName : a.b.c.local
RemoteAddress : 10.11.20.6
RemotePort : 389
NameResolutionResults : 10.11.20.6
MatchingIPsecRules :
NetworkIsolationContext : Private Network
InterfaceAlias : Ethernet
SourceAddress : 10.11.20.107
NetRoute (NextHop) : 0.0.0.0
TcpTestSucceeded : True

0 Votes 0 ·