Network Location Awareness Doesn’t Identify Domain

One small client has a Server 2012 R2 Essentials domain controller and a few Windows 7 desktops. It’s a wired, mostly gigabit network. Some desktops, especially those that are behind a couple of switches, often have problems confirming that they are on the domain, so they come up on the Public network profile. That messes up RDP connections, because the firewall rules for the Public profile block inbound Remote Desktop.

The problem, of course, is that the Network Location Awareness (NLA) service can’t determine that the machine is on a domain, so it falls back to Public:

[Screenshot: NLA 1]

Several articles suggest changing the NLA service to “Automatic (Delayed Start)”. That has not been enough in this environment.

At least one article suggests restarting the NLA service. That doesn’t work because the Network List Service depends on the NLA service, and the Network List Service, for some reason, can’t be stopped.

The only sure way that I have found to force the NLA service to re-detect the domain is to stop and restart the network adapter. In fact I have a script, RestartNetworkAdapter.cmd, on many computers that does just that:

netsh interface set interface "Ethernet" disabled
netsh interface set interface "Ethernet" enabled
pause

Using a script allows doing this even when connected remotely (the RDP session drops the moment the adapter is disabled, but the script keeps running locally and brings the adapter back up), but it’s awkward and you have to customize the interface name for each PC.

Digging into NLA

Today I decided to dig into this further to see if I could come up with a better solution.

I then found this TechNet blog article on how the NLA service works. The big news to me in that article is this:  “If the Connection Specific DNS Name matches the HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName registry key then the machine will attempt to contact a Domain Controller via LDAP.” (Strictly, NetworkName is a value under the Group Policy\History key rather than a key of its own, but that is where to look.)

I checked that registry value and it did in fact contain the domain name, let’s say “mydomain.local”.

But how/where is the Connection Specific DNS Name set? This article offers guidance:  you can set it in the adapter’s DNS properties (ncpa.cpl > adapter > Properties > Internet Protocol Version 4 > Advanced > DNS tab > “DNS suffix for this connection”).

[Screenshot: NLA 2]

Note that this can also be set in group policy:  Computer Configuration > Administrative Templates > Network > DNS Client > Connection-specific DNS suffix. When set in group policy, it overrides the value set in this dialog, but it is not displayed in this dialog.

By the way, the Primary DNS suffix for the computer is set in System Properties when you specify the computer name. When you click the More button, you’ll see this dialog:

[Screenshot: NLA 5]

You can also override that in group policy: Computer Configuration > Administrative Templates > Network > DNS Client > Primary DNS suffix. The Primary DNS Suffix defaults, sensibly, to the domain name. However the TechNet article cited above says NLA compares the connection-specific suffix, not the primary suffix, hence the change to the adapter setting described below.

I had already set a static DNS server address on the adapter, pointing to the domain controller. This is critical for all kinds of domain-based stuff (group policy, etc.): clients locate domain controllers through DNS SRV records, so they must query the domain’s own DNS server. However I did not have “DNS suffix for this connection” filled in. I’d already seen (using ipconfig from a command prompt) that this machine is using both IPv4 and IPv6 to talk to the domain controller, so I added the “mydomain.local” string to both the IPv4 and IPv6 properties of the adapter. Voilà! After a reboot, the machine immediately came up with the Domain profile:

[Screenshot: NLA 3]
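The comparison NLA makes, as an added example that is not part of the original post: it reads the NetworkName value from the Group Policy History key, lists each connected adapter’s connection-specific suffix and the profile it currently carries, then confirms the client can find a domain controller through the _ldap._tcp SRV record and reach it on TCP 389 (the LDAP contact the TechNet article describes). It assumes Windows 8.1 / Server 2012 R2 or later (the NetAdapter, DnsClient and Test-NetConnection cmdlets are not on Windows 7) and an elevated prompt on the domain-joined client; the output layout is my own.

```powershell
# Added example, not from the original post. Assumes Windows 8.1 / Server 2012 R2
# or later and an elevated PowerShell prompt on a domain-joined client.

# 1. The domain name NLA compares against: the NetworkName value written by
#    Group Policy processing.
$gpHistory = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$expected  = (Get-ItemProperty -Path $gpHistory -Name NetworkName -ErrorAction Stop).NetworkName
"Group Policy History\NetworkName = $expected"

# 2. Each connected adapter: its connection-specific suffix, whether it matches,
#    and the profile NLA currently assigns to it.
$profiles = Get-NetConnectionProfile
foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    $dns  = Get-DnsClient -InterfaceIndex $nic.ifIndex
    $prof = $profiles | Where-Object InterfaceIndex -eq $nic.ifIndex
    '{0,-25} suffix="{1}" matches={2} profile={3}' -f $nic.Name,
        $dns.ConnectionSpecificSuffix,
        ($dns.ConnectionSpecificSuffix -eq $expected),
        ($prof.NetworkCategory -join ',')
}

# 3. Can this client locate a DC through DNS and reach it on LDAP (TCP 389)?
#    This is the path NLA takes once the suffix matches. Filtering on QueryType
#    drops the A records that come back alongside the SRV answers.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$expected" -Type SRV -ErrorAction Stop |
    Where-Object QueryType -eq 'SRV'
foreach ($rec in $srv) {
    $tcp = Test-NetConnection -ComputerName $rec.NameTarget -Port 389 -WarningAction SilentlyContinue
    '{0,-25} LDAP/389 reachable={1}' -f $rec.NameTarget, $tcp.TcpTestSucceeded
}

# 4. What the Netlogon client itself finds, forcing a fresh DC discovery.
nltest "/dsgetdc:$expected" /force
```

If step 2 shows a matching suffix but step 3 fails, the problem is DNS or reachability to the DC rather than the suffix, which is the case the NETLOGON 5719 update further down describes.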

Well, that worked two times out of three. But it still sometimes comes up Public. Is there anything else I can do to make it more reliable? The only other idea I have at this point is to give the NLA service a trigger so it starts only once there is an active network connection. Can’t hurt, right? I ran the following from an administrative command prompt:

sc qtriggerinfo NlaSvc
sc triggerinfo NlaSvc start/networkon stop/networkoff
sc qtriggerinfo NlaSvc

[Screenshot: NLA 4]

Three more reboots and the machine has come up as Domain each time.

However on another machine, those two changes weren’t enough. Wait, this machine still had the NLA service set to Automatic. After changing it to “Automatic (Delayed Start)”, this machine also rebooted directly to the Domain profile. To check and set Automatic (Delayed Start) from the command line, run:

sc qc NlaSvc
sc config NlaSvc start= delayed-auto
sc qc NlaSvc

Note that the space after the equal sign (=) is intentional and required by sc.exe; without it the command prints the usage text and changes nothing.

TL;DR

To (hopefully) fix NLA issues:

1. Set the NLA service to “Automatic (Delayed Start)” and trigger it to start only when the network is available:

sc config NlaSvc start= delayed-auto
sc triggerinfo NlaSvc start/networkon stop/networkoff
sc qc NlaSvc
sc qtriggerinfo NlaSvc

2. Set the connection-specific DNS suffix to match the Active Directory domain name (the NetworkName value mentioned above). Run ncpa.cpl and do this in the IPv4 and IPv6 properties of the network adapter (see screen shots above). There might be a way to script this, but it would require enumerating network adapters, so I’ll just do it manually for now. Update:  this can be set in Group Policy. See above.
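The two TL;DR steps scripted, as an added example that is not part of the original post. It takes the domain name from the Group Policy History NetworkName value instead of hard-coding it, applies the suffix to every physical adapter that is up (so one script serves every PC), and verifies the result. It assumes Windows 8 / Server 2012 or later and an elevated prompt; sc.exe is called by its full name because in PowerShell the bare word sc is an alias for Set-Content. Where the suffix is delivered by Group Policy, the GPO value still overrides whatever this sets.

```powershell
# Added example, not from the original post. Applies both TL;DR steps.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell prompt.

# 1. NLA service: Automatic (Delayed Start), started/stopped by network availability.
#    sc.exe is named in full because 'sc' alone is the PowerShell alias for
#    Set-Content, and the space after 'start=' is required by sc.exe.
sc.exe config NlaSvc start= delayed-auto
if ($LASTEXITCODE -ne 0) { throw "sc.exe config NlaSvc failed with exit code $LASTEXITCODE" }
sc.exe triggerinfo NlaSvc start/networkon stop/networkoff
if ($LASTEXITCODE -ne 0) { throw "sc.exe triggerinfo NlaSvc failed with exit code $LASTEXITCODE" }

# 2. Connection-specific DNS suffix = the domain name Group Policy recorded for
#    this machine, so the same script works on every PC without editing.
$gpHistory = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$domain = (Get-ItemProperty -Path $gpHistory -Name NetworkName -ErrorAction Stop).NetworkName
if (-not $domain) { throw 'NetworkName is empty: Group Policy has never applied on this machine.' }

# Only physical adapters that are up; virtual and VPN adapters keep their own suffix.
$adapters = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
foreach ($nic in $adapters) {
    # Set-DnsClient sets the suffix for the interface, the same value the
    # "DNS suffix for this connection" box in ncpa.cpl holds.
    Set-DnsClient -InterfaceIndex $nic.ifIndex -ConnectionSpecificSuffix $domain
    '{0}: connection-specific DNS suffix set to {1}' -f $nic.Name, $domain
}

# 3. Verify. NLA re-evaluates on the next boot or adapter restart.
sc.exe qc NlaSvc
sc.exe qtriggerinfo NlaSvc
if ($adapters.Count) {
    Get-DnsClient -InterfaceIndex $adapters.ifIndex |
        Select-Object InterfaceAlias, ConnectionSpecificSuffix
}
```

Open ncpa.cpl afterwards if you want to confirm the suffix shows on both the IPv4 and IPv6 DNS tabs, and reboot (or restart the adapter) so NLA runs its detection with the new settings.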

Update April 14, 2018

Unfortunately, all of these settings are still not always enough to get Network Location Awareness to detect the domain profile. I still frequently find myself restarting the network adapter to get it to re-detect the location. (On some machines, it is possible to restart only the NLA service.)

If you run a remote monitoring tool, see this post for a script that will alert you when the profile is not what you expect: Script to Check Current Firewall Profile.

Update July 5, 2018 – Network Issues?

It occurred to me that this NLA issue could be a more general issue with the client not being able to contact the domain controller at startup. On one machine with this issue, the System event log at startup shows NETLOGON error 5719, “This computer was not able to set up a secure session with a domain controller….” I was reminded of an issue eight years ago relating to switch configuration:  Gigabit Switch Spanning Tree Causes Slow Logon.

It helped then to set the ports connected directly to computers to Fast Link on the Dell switch (so they skip the spanning-tree listening and learning delay and forward traffic as soon as the link comes up). Unfortunately, that option is not available in the UI of the new UniFi switch. However, as suggested in this Reddit thread, I was able to change the Spanning Tree priority to 8192 to make the UniFi switch the root bridge. Alas, that alone was not enough to solve the NLA issue; the machine still comes up as Public most of the time.

Update February 5, 2019 – Startup Script

I’m now running the following script on affected machines to restart the NLA service. Copy and paste it as RestartNLAService.cmd, then add a Scheduled Task: trigger At startup with a 1-minute delay, run as SYSTEM, and under Conditions, start only if any network connection is available. Use at your own risk!

@echo off
REM 01/21/2019

REM Restart the NLA service to force re-detecting that the computer is on a domain.
REM Unlike restarting the network adapter, this does not completely disconnect from the network.
REM Can run this from a Scheduled Task at Startup.  Run as SYSTEM, 1 minute delay, only run
REM if "Any Connection" available.

REM %0 is the name of the batch file.
REM ~dp gives you the drive and path of the specified argument, with trailing \.
set ScriptPath=%~dp0
REM ~nx gives you the filename and extension only.
set ScriptName=%~nx0

REM Clever approach to redirect stdout and stderr for a group of commands
REM See http://stackoverflow.com/a/13400446/550712:
REM (ScriptPath already ends in \, so no extra backslash before the file name.)
> "%ScriptPath%RestartNLAService.log" 2>&1 (
    echo ========================
    echo Current firewall profile
    echo ========================
    netsh advfirewall monitor show currentprofile
    echo =======================
    echo Restart the NLA service
    echo =======================
    echo Stop the Network Connected Devices, Network List, and Network Location Awareness services
    REM /y answers the "stop dependent services?" prompt that net stop asks when a
    REM dependent is still running; without it a non-interactive scheduled task would hang.
    net stop ncdautosetup /y
    net stop netprofm /y
    net stop nlasvc /y
    echo Start the NLA service
    net start nlasvc
    echo Network Connected Devices and Network List services are Manual start, so will be started if needed
    echo.
    echo ========================
    echo Updated firewall profile
    echo ========================
    netsh advfirewall monitor show currentprofile
)
type "%ScriptPath%RestartNLAService.log"

REM Do not put a PAUSE here, since this will run from a scheduled task
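A PowerShell version of the same startup task, added here as an example and not part of the original post. Unlike the .cmd above it checks the current profile first and only restarts anything when no connected interface has the Domain profile; if the services will not stop within a timeout, or the restart still leaves the machine off the Domain profile, it falls back to the adapter restart that the post found always works. It assumes Windows 8 / Server 2012 or later and the same scheduled-task settings (SYSTEM, At startup with a 1-minute delay, only when any network connection is available); the log-file name and the timeouts are my choices.

```powershell
# Added example, not from the original post: a PowerShell startup task that
# restarts NLA only when no connected interface has the Domain profile, and
# falls back to an adapter restart if that is not enough. Assumes Windows 8 /
# Server 2012 or later; run as SYSTEM from a scheduled task (At startup,
# 1-minute delay, only if any network connection is available).
$log = Join-Path $PSScriptRoot 'RestartNLAService.log'   # log name is my choice

function Write-Log ([string]$Message) {
    # Write-Host rather than Write-Output so log lines never leak into the
    # return value of the functions that call this.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $log -Value $line
    Write-Host $line
}

function Get-ProfileSummary {
    # e.g. "Ethernet=DomainAuthenticated" or "Ethernet=Public"
    (Get-NetConnectionProfile | ForEach-Object { '{0}={1}' -f $_.InterfaceAlias, $_.NetworkCategory }) -join '; '
}

function Test-DomainProfile {
    [bool](Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'DomainAuthenticated')
}

function Restart-NlaService {
    # Stop-Service -Force also stops the dependents (Network List Service and,
    # if running, Network Connected Devices Auto-Setup), like net stop does in
    # the .cmd. It runs in a background job so a Network List Service stuck in
    # Stopping cannot block the task forever.
    $job  = Start-Job -ScriptBlock { Stop-Service -Name NlaSvc -Force -ErrorAction Stop }
    $done = Wait-Job -Job $job -Timeout 60
    if (-not $done) {
        Stop-Job -Job $job
        Remove-Job -Job $job -Force
        Write-Log 'NlaSvc and its dependents did not stop within 60 s.'
        return $false
    }
    Receive-Job -Job $job -ErrorAction SilentlyContinue | Out-Null
    Remove-Job -Job $job
    Start-Service -Name NlaSvc
    Start-Sleep -Seconds 10                 # give NLA time to re-run detection
    return (Test-DomainProfile)
}

Write-Log ('Profile at start: ' + (Get-ProfileSummary))
if (Test-DomainProfile) {
    Write-Log 'Already on the Domain profile; nothing to do.'
    return
}
if (-not (Restart-NlaService)) {
    # The adapter restart is the fallback because it drops the connection for a
    # few seconds (and any RDP session with it); the service restart does not.
    Write-Log 'Service restart was not enough; restarting physical adapter(s).'
    Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Restart-NetAdapter
    Start-Sleep -Seconds 15
}
Write-Log ('Profile at end: ' + (Get-ProfileSummary))
```

Save it as RestartNLAService.ps1 and give the scheduled task the action `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Scripts\RestartNLAService.ps1"` (path is an example). Because it does nothing when the profile is already Domain, it is also safe to repeat on a timer the way one of the comments below suggests.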

34 thoughts on “Network Location Awareness Doesn’t Identify Domain”

  1. Andy Chrysler

    Anyone know how to hard code the server to domain network only. I am not worried about a server leaving my server room and landing up on a public wifi. This is a nightmare when dealing with Hyper-V.

  2. Mark Berry Post author

    Andy, I feel your pain. The constant fiddling to try to keep computers on the domain is annoying. If the main problem is that the Private and Public firewall profiles are blocking necessary services (RDP, SQL, whatever) when the computer does not know it is on the Domain, I guess you could change the Private and Public profiles to allow the necessary services. Maybe this is why some admins just disable Windows Firewall and rely on perimeter firewalls, but I’d rather not do that.

  3. Paul Griffiths

    Hi Mark. I work at an NHS trust and have exactly the same issue you write about here. Have tested around 5000 PCs so far and have 650 that are displaying “identifying network” continuously. While it doesn’t stop the majority of our systems, RDP and AD are disabled. We still have not found a permanent fix for this, although I seriously think there is a DNS server issue going on. I would love to hear from you if you ever find the fix for this. We use a mixture of Win 7 and 10. Regards, Paul

  4. Mark Berry Post author

    @Paul, wow that’s a lot of PCs! I still have no solution. Let us know if you find one! Have you tried opening a Microsoft support case?

  5. Paul Griffiths

    I would love our server and network team to take ownership of it but you know the score. There’s nothing ever wrong with the network or servers!!!! I will let you know if we find a fix.

  6. PT

    For Intel network adapters you can try to set “Wait for link” to ON.

  7. Mark Berry Post author

    PT, thanks for the suggestion. I have one machine that always has this problem. I suspect it has to do with distance from the main switch and maybe a cheap dumb switch or two in the run. Unfortunately, changing Wait for link from “Auto detect” to “On” did not help. Here for reference is the page describing “Advanced Settings for Intel® Ethernet Adapters”: https://www.intel.com/content/www/us/en/support/articles/000005593/network-and-i-o/ethernet-products.html .

  8. TW

    I also have this problem. I’ve spent the last 2 months trying different remedies, and still haven’t found a solution. There is only one DC in this environment now (the 2008 DC was decommissioned), and with the NIC profile set to public or private, domain functions are not being performed.
    Even with the firewall completely off, and delayed start for NLA on, it hasn’t made a difference.

  9. Luis Fernando

    Hello, I had the same problem until a few days ago, when I finally came up with the solution.
    It is simply enough for the computer to PING THE DOMAIN (ping mydomain.int) every time it boots until the answer is correct, and then restart the NLASVC (Network Location Awareness) service.

    This can be done by GPO with a startup script, or with a program in the start menu, or with a scheduled task… as preferred.
    My script is a cmd file:

    @echo OFF
    :REPEAT
    timeout /t 2 /nobreak
    ping -n 1 -w 1000 MYDOMAIN.INT
    IF %ERRORLEVEL% == 0 goto RESTARTNLA
    @echo. %date%-%time% MYDOMAIN.INT is offline >> c:\PingLog.txt
    goto REPEAT

    :RESTARTNLA
    @echo. %date%-%time% MYDOMAIN.INT is online >> c:\PingLog.txt
    sc config netprofm start= disabled
    sc stop netprofm
    timeout /t 10 /nobreak
    sc config nlasvc start= disabled
    sc stop nlasvc
    timeout /t 10 /nobreak
    sc config netprofm start= demand
    sc config nlasvc start= auto
    sc start netprofm

    I hope it’s helpful.

  10. Mark Berry Post author

    Thank you Luis. I’m curious, how often do you find that the domain is not pingable when the client starts up, and for how long? (as shown in your PingLog.txt file) It doesn’t make sense to me that the domain, i.e. the domain controller, would not be pingable as soon as the network card is active. Although I guess by pinging “mydomain.local” instead of an IP address, that is also confirming that DNS is resolving from the domain…

  11. Salih

    Same problem here. All the servers are showing unidentified network unless restart the NLA. Is there any hotfix from Microsoft on this?

  12. Mark Berry Post author

    Salih – I’m not aware of a fix. The problem seems widespread and has gone on for years. I’ve scheduled an automated task to run after startup (after a 1-minute delay, I believe) that restarts the NLA service. Usually that is enough to get the machine back on the domain.

  13. Paul Griffiths

    I’ve implemented this script at my NHS trust for the past 2 weeks.

    First reports are looking very promising: gone from 700 machines down to 40, but checking the PCs that are still affected shows they are on the domain firewall profile, so I think the reporting tool I use is getting the info before the script completes.

    Thank you, everyone, for your contributions.

    Regards

    Paul

  14. Mark Berry Post author

    I’ve copied the script that I’m using to the end of the article. Output is saved to a text file in the script folder for debugging. It includes commands to print the current firewall profile before and after restarting the NLA service.

  15. Mark Berry Post author

    @Salih, I reviewed the Spanning Tree issue near the end of the article, under “Update July 5, 2018 – Network Issues.” Unfortunately, even if that is related, UniFi switches don’t seem to have a Fast or Edge setting per port; you can only identify the (R)STP priority for the whole switch, or disable it altogether.

    I just found this thread that indicates it may be possible to disable spanning tree by port:

    https://community.ubnt.com/t5/EdgeSwitch/STP-enabled-or-disabled/td-p/2037061

    That might work on a UniFi switch too, though it would require custom config changes to make it persistent.

    Also, I was seeing this on a virtual server running on the same Hyper-V switch as the virtual domain controller. I don’t see a spanning tree option on the Hyper-V Virtual Switch Manager…

  16. Artie

    My problem was on a 2019 DC with NIC teaming enabled. I found that running the following in a PowerShell script, which disables and then enables IPv6, works. I used Task Scheduler to run it at startup with a 1-minute delay, running at highest privilege. I also checked the option to run only when any network connection is available under the Conditions tab. Just disabling IPv6 does not work; wondering if setting a static IPv6 would help, will try on my next server.

    Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

    Enable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

  17. Owen

    We also had a similar issue.
    We tried all of the above without any success. One colleague notified us that the Direct Access certificate expired over the weekend.

    We generated a new certificate and this resolved the issue.

    PS: I am new to the firm; I do not know why clients are connecting from the internal LAN with the certificate.
    So if anyone has tried everything, check your Direct Access server to see if the certificate has not expired…

  18. STP

    Thanks for the help posted here. It saved me a lot of time, but it still took over a week for me to stumble across something that stopped our 2016 Server AD DC from using the Public profile.

    In our case it was an unnecessary setting (for a DC) that I found buried in System Properties. If you go to the settings for the computer name, click Change (ignore the ominous warning about changing domain controller names, which actually contradicts the setting to be changed), click the More button, and there appears the culprit, at least in our case: “Change primary DNS suffix when domain membership changes”. Ours was checked. I unchecked it and rebooted (3 times so far) and now it recognizes the domain profile.

  19. Mark Berry Post author

    STP, not sure how you did that; when I checked a DC, the button to change the computer name is grayed out. But it sounds like your goal was different. Here I want to make sure that domain-joined desktops NEVER use a Public or Private profile but rather always the Domain profile.

  20. Arnel

    None of the fixes I found online worked for my situation. I have Windows Server 2019 Data Center with NIC Teaming on Hyper-V host. Installed a Hyper-V VM also Server 2019 Data Center and made it a domain controller. Found that it would not show mydomain.local in network connections, it would always show as Private. Restarting NLASVC would make it domain but every restart it would go back to Private. The only thing that worked for me was to make DNS and NTDS a dependency for NLASVC using below command and now every restart shows mydomain.local.

    run sc config nlasvc depend= NSI/RpcSs/TcpIp/Dhcp/Eventlog/DNS/NTDS from CMD (note the space after depend=; use sc.exe if you’re running it in PowerShell).

    If you want to double-check the existing dependencies before adding DNS and NTDS, use sc qc nlasvc
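The dependency change from the comment above, with a check added (example code, not Arnel’s): the DNS and NTDS services exist only on a domain controller, and a service that depends on a service which is not installed cannot start at all, so a member PC given that exact command would lose NlaSvc entirely. This version keeps NlaSvc’s existing dependencies, adds only the wanted services that are actually present on the machine, and shows the result. It assumes an elevated PowerShell prompt.

```powershell
# Added example, not the commenter's code. Adds NlaSvc dependencies only for
# services installed on this machine. Run from an elevated PowerShell prompt.
$wanted  = 'NSI', 'RpcSs', 'TcpIp', 'Dhcp', 'Eventlog', 'DNS', 'NTDS'

# What NlaSvc already depends on (NSI/RpcSs/TcpIp/Dhcp/Eventlog by default).
$current = @((Get-Service -Name NlaSvc).ServicesDependedOn | ForEach-Object { $_.Name })

# DNS and NTDS are only present on a domain controller. A dependency on a
# service that does not exist prevents NlaSvc from starting, which is worse
# than the original problem, so drop anything that is not installed here.
$present = @($wanted | Where-Object { Get-Service -Name $_ -ErrorAction SilentlyContinue })
$missing = @($wanted | Where-Object { $present -notcontains $_ })
if ($missing.Count) { "Not installed here, skipped: $($missing -join ', ')" }

# Merge, keeping the existing list first and avoiding duplicates
# (-notcontains compares case-insensitively).
$final = @()
foreach ($svc in $current + $present) {
    if ($final -notcontains $svc) { $final += $svc }
}
"Setting NlaSvc dependencies to: $($final -join '/')"

# sc.exe (not the PowerShell alias sc) and the space after 'depend=' are required.
sc.exe config NlaSvc depend= ($final -join '/')
if ($LASTEXITCODE -ne 0) { throw "sc.exe config NlaSvc failed with exit code $LASTEXITCODE" }
sc.exe qc NlaSvc
```

On a domain controller this yields the same list as the comment; on a member PC it leaves the default dependencies untouched and reports DNS and NTDS as skipped.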

  21. Mike P

    For me it was OWEN’s suggestion of the expired Direct Access certificate (thanks OWEN!). DA clients use both the AD connection and the web probe host on the DA server to check if they are on the local network – if the cert has expired that test fails so it thinks it’s not connected locally…

  22. Mark Berry Post author

    @Mike P – in your Application event log, do you have Microsoft-Windows-CertificateServicesClient-AutoEnrollment warning 64 for that certificate (before you fixed it)? I don’t use Direct Access, but I do monitor that event on other certs and take it as an “early warning” of expiration. “Certificate for local system with Thumbprint f5 ad 0b aa 1a d5 6c d1 20 72 5b 1c 42 6c 30 ad 92 ef 21 b0 is about to expire or already expired.” The only downside to monitoring these events is that the warnings start appearing at 90% of the certificate’s lifetime, so 20-year certs expiring in 2020 started throwing warnings in 2018. More useful on certificates with shorter lifespans.

  23. Mike P

    @Mark Berry – yes, there were EventID 64 entries in the Application log, plus I’ve now also found in the Applications and Services Logs->Microsoft->Windows->CertificateServicesClient-Lifecycle-System->Operational log multiple Event 1003 ‘A certificate is about to expire. Please refer to the “Details” section for more information.’ followed by a 1002 ‘A certificate has expired. Please refer to the “Details” section for more information.’ when it expired last week. It’s a 2 year cert so started warning early Feb.

  24. Alex

    Hi,

    Same problem here on my VMs on my Hyper-V Host all running 2012R2. Nothing worked to fix that permanently.

    Best solution I found is to run a scheduled task at boot on every VM with a 1-minute delay, repeating every 15 minutes, that runs this PowerShell line:

    if (Get-NetConnectionProfile -NetworkCategory DomainAuthenticated) {exit} else {(net stop netprofm) -and (net stop nlasvc) -and (net start nlasvc)}

    It tests if the network type is domain, if not it restarts both the network list and network location awareness services. Workaround is working perfectly for me.

  25. Cody

    Hi just wanted to add in this is the best coverage I’ve seen of this issue so far.

    I have a bunch of 2012/2016 Hyper-V VMs in a lab which keep resetting to non-domain connections. I’ve run through all the same troubleshooting steps and now am going to have to go to the dependencies (or run script to restart service on start) thing.

    What a PITA that Microsoft haven’t covered this properly.

  26. Mark Berry Post author

    Cody, glad you’re finding this thread useful.

    Has anyone tested disabling spanning tree in their switch at the port level? I wonder if the faster negotiation would allow the network to resolve in time to detect the domain the first time.

  27. Duber

    I have this problem reproduced both on a physical server and on a VMware virtual machine with a clean-installed Windows Server 2019. Only the use of the sc config command helps me permanently. Seems to be a bug in WS 2019 (1809).

  28. Sean

    One thing that seems to work: Walk over to the server after it’s already booted up. Unplug the network cable for about 5 seconds. Plug it back in.

    Annoying, for sure, but a lot easier than Googling this every few months and finding that the issue is still not universally resolved.

  29. Shane

    I tried all the above. Nothing worked, but while I was testing, I had to remove a secondary IP from the interface. I noticed that if I add or remove a second IP, the interface refreshes as a domain interface. So I made a batch script:

    netsh int ip add address "interface name" some-secondary-ip-address some-netmask
    TIMEOUT 10
    netsh int ip delete address "interface name" some-secondary-ip-address

    I then added a scheduled task for it at startup.

    This works for my particular instance of this problem.

  30. Jmac

    For what it’s worth, on a brand new Server 2019 VM in Hyper-V, on a Hyper-V host where no other VM was having this issue, we resolved this issue by removing the VM NIC completely from the VM in Hyper-V settings and adding a new one, then re-setting the static IP and DNS. Seems to have done the trick.
    We also had NLA set to auto-delayed, so unsure if that played a part or not, but it did nothing to help the issue before we replaced the VM NIC.

  31. Paul

    I am having the same issue, but with a twist. I am unable to reset my NLASVC, because it will also restart Network List Service (netprofm), which always gets stuck in Stopping. I am then forced to restart my server. If I try to stop netprofm by PID, I get an “Access Denied” error 98% of the time.

  32. Alex

    Hey guys,

    In the meantime I found another solution that seems to work way better!

    Just put your NLASVC service in delayed startup and tada, your problem is fixed :)

    Works for me with the script I put above running behind it to act as a failsafe, and everything is fine now. For the info, I had the issue on 10 of the 150 servers I manage and these 2 solutions (delayed mode + script) have been working like a charm for a few weeks now :)
