Article ID: 980873
You have a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2. When this computer is a member of a child domain, the computer cannot identify the network. This may cause the firewall on the computer to be set to the public profile.
Additionally, events that resemble the following are logged in the Applications event logs:
Note: Error 0x54B indicates that the specified domain either does not exist or could not be contacted.
This issue occurs because the computer cannot connect to the primary domain controller (PDC) in the forest domain after the computer is joined to the child domain. The Network Location Awareness (NLA) service expects to be able to enumerate the domain’s forest name to choose the right network profile for the connection. The service does this by calling DsGetDcName on the forest root name and issuing an LDAP query on UDP port 389 to a root Domain Controller. The service expects to be able to connect to the PDC in the forest domain to populate the following registry subkey:
If something hinders the DNS name resolution or the connection attempt to the DC, NLA is not able to set the appropriate network profile on the connection.
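The dependencies described above can be checked from an affected member computer with the following script, which is an added example and not part of the original article. It tests DNS resolution of the forest root name, TCP port 389 to each resolved address, and the DC locator through `nltest`, then reports the active firewall profile; the name `corp.example.com` and the function name are placeholders, and the script assumes `nltest.exe` and `netsh.exe` are available on the computer.

```powershell
# Added diagnostic example (not from the KB article). Works on PowerShell 2.0.
# 'corp.example.com' is a placeholder: pass your own forest root DNS name.
param([string]$ForestRoot = 'corp.example.com', [int]$TimeoutMs = 3000)

function Test-ForestRootReachability {
    param([string]$Name, [int]$TimeoutMs = 3000)
    $r = @{ ForestRoot = $Name; DnsResolved = $false; Tcp389 = @()
            DcLocator = 'nltest.exe not found'; FirewallProfile = '' }

    # 1. DNS: the forest root name must resolve before a root DC can be located.
    $addresses = @()
    try { $addresses = @([System.Net.Dns]::GetHostAddresses($Name)) } catch { }
    $r.DnsResolved = ($addresses.Count -gt 0)

    # 2. TCP 389 to each resolved address, with a timeout so that a firewall
    #    silently dropping packets does not hang the script.
    foreach ($ip in $addresses) {
        $client = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
        $open = $false
        try {
            $ar = $client.BeginConnect($ip, 389, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($ar)
                $open = $client.Connected
            }
        } catch { } finally { $client.Close() }
        $r.Tcp389 += "$ip=$open"
    }

    # 3. DC locator: nltest /dsgetdc calls DsGetDcName, which uses the LDAP
    #    query on UDP 389 that a TCP test cannot cover. /pdc asks for the PDC,
    #    /force bypasses the locator cache. The last output line is kept as-is.
    if (Get-Command nltest.exe -ErrorAction SilentlyContinue) {
        $out  = & nltest.exe "/dsgetdc:$Name" /pdc /force 2>&1
        $last = $out | Where-Object { $_.ToString().Trim() } | Select-Object -Last 1
        $r.DcLocator = [string]$last
    }

    # 4. Firewall profile currently applied (first line of the netsh output).
    $fw    = & netsh.exe advfirewall show currentprofile 2>&1
    $first = $fw | Where-Object { $_.ToString().Trim() } | Select-Object -First 1
    $r.FirewallProfile = [string]$first

    New-Object PSObject -Property $r
}

Test-ForestRootReachability -Name $ForestRoot -TimeoutMs $TimeoutMs | Format-List
```

A result with `DnsResolved` true and TCP 389 open but a failing `DcLocator` line points at the UDP 389 path rather than at name resolution.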
A similar issue is discussed in the Microsoft Knowledge Base article below:
(http://support.microsoft.com/kb/971198/) Logoff from Windows Vista computer takes 5-10 minutes if there is no LDAP connectivity to forest root domain
To resolve this issue, use one of the following methods.
Method 1
Configure the firewall devices not to block communications on UDP/TCP port 389. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/832017/) Service overview and network port requirements for the Windows Server system
Method 2
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Method 3
If it is sufficient to identify the network profile based on the child domain name, then mitigating the time taken by NLA during its aggressive retries might be the right approach.
To deploy a registry setting that changes the retry count used by NLA, follow these steps:
Article ID: 980873 - Last Review: March 22, 2010 - Revision: 2.0