NLA fails to identify domain network

Fábián Gábor 26

Dear Forum members,

I am stuck a bit with a following issue:

We have several sites which are all connected with VPN to the HQ. We have DC-s on each sites but the PDC is located at the HQ. When there is VPN connection and the PDC is reachable everything is fine. NLA identifies as its supposed to. Problem evolves when for whatever reason there is no VPN connection at all. In this case even if we have DCs locally + exchange servers the NLA fails to authenticate which basically causes the whole site to fail to be working as there is no domain authentication so no fileshare, no printing no outlook.
I learned that a so called LDAP UDP ping is supposed to be operating with the PDC so NLA works correctly only if its reachable but is there any workaround to bypath this? I mean as a site having a DC I should be able to authenticate and use services which are on my site. Is it the expected and normal behavior or am I missing something here? if this is supposed to work like this then its a huge bottleneck ://
Environment is Windows server 2016 + windows 10 LTSC
thanks

Accepted answer

Dave Patrick 426.1K Reputation points MVP

2022-05-16T13:30:57.827+00:00

Looks like it should have worked. Something else might be broken. Please run;

Dcdiag /v /c /d /e /s:%computername% >C:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\dc3.txt
ipconfig /all > C:\problemmember.txt

then put unzipped text files up on OneDrive and share a link.
Please sign in to rate this answer.
Fábián Gábor 26 Reputation points

2022-05-16T14:16:31.063+00:00

I made some progress finally.
So the binary key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests is the one which caches the network name for the domain network.
I removed the key, then disconnected the VPN, restarted my ws and magically I have the network name from my own DC.

Unfortunately with exchange 2016 and lots of universal sec groups we still need communication with the PDC and the root forest but at least the site is working, there is name resolution, fileshare access and printing through print servers work.
Thanks for your efforts. Appreciate it anyways!

Dave Patrick 426.1K Reputation points MVP

2022-05-16T14:36:37.093+00:00

Glad to hear, please don't forget to close up the thread by

Fábián Gábor 26 Reputation points

2022-05-17T08:28:45.127+00:00

Sorry for my dumb question, but how can I close the thread? Normally I am not this retarded and I even contacted the Spanish guy called "manual" and it says click the gear icon and select close but if I click on the gear icon there is no such option :(

Dave Patrick 426.1K Reputation points MVP

2022-05-17T12:43:51.36+00:00

You can close up the thread by
Sign in to comment

5 additional answers

Dave Patrick 426.1K Reputation points MVP

2022-05-16T13:15:19.623+00:00
What the result of (using your local DC?)

Test-NetConnection -ComputerName "192.168.49.65" -Port 389 -InformationLevel "Detailed"
Please sign in to rate this answer.
Fábián Gábor 26 Reputation points

2022-05-16T13:28:21.183+00:00

ComputerName : a.b.c.local
RemoteAddress : 10.11.20.6
RemotePort : 389
NameResolutionResults : 10.11.20.6
MatchingIPsecRules :
NetworkIsolationContext : Private Network
InterfaceAlias : Ethernet
SourceAddress : 10.11.20.107
NetRoute (NextHop) : 0.0.0.0
TcpTestSucceeded : True
Sign in to comment