Question
Tuesday, June 16, 2020 8:57 PM
Greetings,
I have built a small OFFLINE test environment running Windows Server 2016 and Windows 10 (1909). I have 2 domain controllers running off of a Cisco switch and 10 clients connected to the same switch. The network is a statically set, flat network with IP addresses of 192.168.1.x. There is no default gateway as there is no router, and the network is all statically set and flat.
The 2 domain controllers see that they are on the domain and are using the Domain Firewall profile. I just built this domain and added computers to it so all the GPOs applied are the Default Domain Policy and the Default Domain Controller Policy. When I join clients to the domain and put in the address they restart once and show they are on the domain. When I restart them again they show up as unidentified network. It gives me events like 8015:
"The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:"
On that same client I can do an "Echo %logonserver%" and it shows the DCs. If I do an NSLOOKUP it shows my DCs as well as any other network computer I want to type in. I can ping the DCs which are the DNS servers.
If I go to my DNS server I can see all the computers on the network and I have also a Reverse lookup zone setup as well.
But for some reason I am getting on EVERY SINGLE COMPUTER "UNIDENTIFIED NETWORK". Sometimes when I let them sit for maybe 20 minutes they will kick over to the Domain profile, but that is only sometimes. They will sit FOREVER on Unidentified network and I can't get them off unidentified network. I have tried a full network reset on the clients and still nothing. When I join the domain or join the IP range it doesn't see it as a new network profile and ask if I want to allow network discovery.
I am getting events like 1014, 8015, 129, and 1067 all having to say that reaching the DC or the DNS has timed out even though it can be pinged and accessed. I have disabled/enabled the network port and nothing. I have restarted the NLAsvc and nothing. The computer is stuck on Unidentified Network.
What should I do? I need to get these machines back on the Domain Profile.
All replies (13)
Friday, June 19, 2020 1:03 AM ✅Answered
Thanks to CherryZhang. The way to fix this was to enable PortFast on the Cisco switch. More information can be found here:
https://www.mcbsys.com/blog/2010/02/gigabit-switch-spanning-tree-causes-slow-logon/
Wednesday, June 17, 2020 8:47 AM
Hi,
Sorry to reply to you now.
Based on my research, the issue may be caused by Network Location Awareness (NLA), which is used to discover the domain name.
There could be several reasons why the NLA couldn't find the domain name, so it is shown as "Unidentified Network".
I will give you a probable suggestion about this issue.
Do you have a custom firewall on top of the Windows Firewall? The NLA service calls the DsGetDCName function to know if a domain is reachable and sets the Windows firewall profile to domain. So anything preventing those connections from happening (TCP/UDP 53 for DNS, UDP 389 for cLDAP) might affect the profile detection.
This is the official link for reference:
Meanwhile, there is a blog about why Network Location Awareness Doesn’t Identify Domain:
https://www.mcbsys.com/blog/2018/03/network-location-awareness-doesnt-identify-domain/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Hope these can be of some help to you.
Best regards,
Cherry
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
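To check the dependencies named in the reply above from a client, here is an added PowerShell diagnostic (not from the thread or from Microsoft). It assumes the DC/DNS address 192.168.1.1 from the thread and a placeholder domain name passed as -DomainName; TCP 53 and 389 are probed directly, while the UDP cLDAP path is exercised through nltest, which calls DsGetDcName.

```powershell
# Added diagnostic example; run on a domain-joined client after the link is up.
param(
    [string]$DomainName = 'corp.example',   # placeholder, not the poster's domain
    [string]$DnsServer  = '192.168.1.1'     # DC/DNS address given in the thread
)

# 1. Which profile has NLA assigned to each connected adapter right now?
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity

# 2. Does the configured DNS server answer the DC locator SRV query NLA relies on?
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
       -Server $DnsServer -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "DC locator SRV lookup failed against $DnsServer"
} else {
    $srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority
}

# 3. Are the TCP ports DsGetDcName needs reachable? (UDP 389 cLDAP cannot be
#    probed this way; step 4 covers it.)
foreach ($p in 53, 389) {
    $r = Test-NetConnection -ComputerName $DnsServer -Port $p -WarningAction SilentlyContinue
    '{0,-12} TCP {1,-4} reachable={2}' -f $DnsServer, $p, $r.TcpTestSucceeded
}

# 4. Ask the DC locator directly, forcing a fresh lookup instead of cached data.
nltest /dsgetdc:$DomainName /force

# 5. How is NLA configured to start? (Later in the thread, Automatic (Delayed
#    Start) is suggested as a workaround for slow links.)
Get-Service NlaSvc | Select-Object Name, Status, StartType

# 6. Pull the DNS Client events (1014, 8015 in this thread) since the last boot.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-DNS-Client'; StartTime = $boot
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

If every step succeeds once the machine has been up for a while, yet the profile is wrong right after boot, the cause is timing rather than a blocked port: the switch port must already be forwarding when NLA makes its first check, which is what the PortFast fix in the accepted answer addresses.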
Wednesday, June 17, 2020 4:31 PM
Hi Cherry! Thanks for the reply.
I do not have a secondary firewall installed. It's just Windows Firewall. Am I wrong in thinking that the computers will use the default firewall rules, which include the DNS firewall rules, so it should see the LDAP and DNS? This is how it has worked in the past.
As far as I can tell all those firewall rules in the first link are set on the server already. Should they be working? In fact I even turned the firewall off on the server and I still get the issue on the client. It almost seems like a bug.
I have even updated the computers and the servers to the latest servicing stack and Cumulative update for 2020-06.
Wednesday, June 17, 2020 4:37 PM
Hello,
Can you submit an ipconfig /all of the DC server and workstation? Did you set the DNS server manually on the workstation using the DC's IP address? If it works after 20 minutes, this is usually DNS not working and resolution being done with NetBIOS.
Have you tried to add a simple router to the network to test if the problem goes away? Maybe use RRAS to test if the issue goes away if the gateway IP is filled in?
Miguel Fra
Falcon IT Services
https://www.falconitservices.com
Wednesday, June 17, 2020 5:06 PM
Is it possible the Cisco switch is causing the issue?
Wednesday, June 17, 2020 7:24 PM
Hello,
Security policy won't let me post full logs but I can say that I set the addresses manually.
Example
Domain Controller:
IP: 192.168.1.1
Subnet: 255.255.255.0
Default Gateway: 0.0.0.0
DNS: 127.0.0.1
Workstation:
IP: 192.168.1.50
Subnet: 255.255.255.0
Default Gateway: 0.0.0.0
DNS: 192.168.1.1
Sometimes it works after 20 minutes but most times not. I cannot put a router on this system as I don't have any and we don't use them since all our networks are static.
As far as the default gateway is concerned, I tried putting the DC as the default gateway a few times. It changed the network to "Network". When I restarted it showed up as "Unidentified network", then when I removed the default gateway it showed up as the Domain network. I restarted again and it is back to "Unidentified Network."
Confused? You bet I am
Wednesday, June 17, 2020 8:04 PM
Hello, yes it's weird. My guess is it has to do with routing. That's the only thing unusual about this network setup. Most TCP/IP networks have layer 3 routing of some sort. I would set up RRAS on the Windows server, it's quick and easy and will turn the server into a router, so no need to add or buy hardware. This way you can eliminate the routing as the cause.
Miguel Fra
Falcon IT Services
https://www.falconitservices.com
Wednesday, June 17, 2020 9:07 PM
Does RRAS not normally run automatically on all the computers? I don't see a separate role for that.
Wednesday, June 17, 2020 11:03 PM
Could this also be caused by the PortFast function of Spanning Tree not enabled on Cisco switch?
Thursday, June 18, 2020 1:16 AM
RRAS is a role you would add on the server. It can be installed from the GUI (Add Roles) or using the PS command:
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Basically it's a router, with NAT and VPN but runs on the server. Run the wizard for RRAS so that the server is the gateway/router.
Miguel Fra
Falcon IT Services
https://www.falconitservices.com
Thursday, June 18, 2020 6:47 AM
Hi,
Would you please try to change the NLA startup type from the default setting of Automatic to Automatic (Delayed Start).
This will still allow the service to run at startup but allow a little more time for the domain to authenticate before the service checks for the network location.
Best regards,
Cherry
Thursday, June 18, 2020 4:26 PM
I have never had to do this before for any of our networks that are setup the same way. I doubt this is the problem.
Friday, June 19, 2020 5:56 AM | 1 vote
Hi,
I'm glad to see that the issue was fixed and sorry that I couldn't help you. Meanwhile, thanks for the efforts you have put into this case. This may be of some help to others who have encountered the same situation as you.
Best regards,
Cherry