A computer cannot identify the network when the computer is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2, and is a member of a child domain

Article ID: 980873

SYMPTOMS

You have a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2. When this computer is a member of a child domain, the computer cannot identify the network. This may cause the firewall on the computer to be set to the public profile.

Additionally, events that resemble the following are logged in the Applications event logs:

Source: Microsoft-Windows-NetworkProfile
Event ID: 4001
Task Category: Wait for Identification
Level: Information
Keywords: (35184372088832)
User: LOCAL SERVICE
Computer: Computer name
Description:
Entered State: Identifying Network Interface Guid: {61287808-a4a5-4da5-8189-0e2a8de5d075}

Source: Microsoft-Windows-NetworkProfile
Event ID: 10000
Task Category: None
Level: Information
Keywords: (35184372088832)
User: LOCAL SERVICE
Computer: Computer name
Description: Network Connected
Name: Identifying...
Desc: Identifying...
Type: Unmanaged
State: Connected
Category: Public


Source: Microsoft-Windows-NlaSvc
Event ID: 4333
Task Category: DsGetDcName(RootDomainGuid)
Level: Error
Keywords: (4),(2)
User: NETWORK SERVICE
Computer: Computer name
Description:
DsGetDcName(DS_IS_DNS_NAME) for root domain GUID failed with error 0x54B


Note Error 0x54B indicates that the specified domain either does not exist or could not be contacted.

CAUSE

This issue occurs because the computer cannot connect to the primary domain controller (PDC) in the forest domain after the computer is joined to the child domain. The Network Location Awareness (NLA) service expects to be able to enumerate the domain’s forest name to choose the right network profile for the connection. The service does this by calling DsGetDcName on the forest root name and issuing an LDAP query on UDP port 389 to a root Domain Controller. The service expects to be able to connect to the PDC in the forest domain to populate the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests
If something hinders the DNS name resolution or the connection attempt to the DC, NLA is not able to set the appropriate network profile on the connection.

A similar issue is discussed in the Microsoft Knowledge Base article below:
971198 Logoff from Windows Vista computer takes 5-10 minutes if there is no LDAP connectivity to forest root domain
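
The checks below walk through the conditions described under SYMPTOMS and CAUSE on a single affected computer. This is an added example, not part of the original article; the forest root name corp.example.com is a placeholder, and the firewall-profile match assumes English netsh output.

```powershell
# Added example (not from the KB article). Run on an affected child-domain member.
# 'corp.example.com' is a placeholder for your forest root DNS name.
param([string]$ForestRoot = 'corp.example.com')

Add-Type -AssemblyName System.DirectoryServices
$nlaKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests'

# 1. Recent NLA errors (provider name and event ID as listed under SYMPTOMS).
try {
    $nlaErrors = @(Get-WinEvent -FilterHashtable @{
        ProviderName = 'Microsoft-Windows-NlaSvc'; Id = 4333
    } -MaxEvents 5 -ErrorAction Stop)
} catch { $nlaErrors = @() }
$lastError = if ($nlaErrors.Count) { $nlaErrors[0].TimeCreated } else { $null }

# 2. Locate a DC for the forest root, the lookup that NLA needs to succeed.
$dcName = $null; $locatorError = $null
try {
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $ForestRoot)
    $dcName = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($ctx).Name
} catch { $locatorError = $_.Exception.Message }

# 3. TCP 389 reachability. This does not prove UDP 389 is open; Method 1 covers both.
$target = if ($dcName) { $dcName } else { $ForestRoot }
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($target, 389); $ldapTcp = $tcp.Connected }
catch { $ldapTcp = $false }
finally { $tcp.Close() }

# 4. Has NLA populated its forest cache, and which firewall profile is active?
$cachePresent = Test-Path $nlaKey
$profileLine = netsh advfirewall show currentprofile |
    Where-Object { $_ -match 'Profile' } | Select-Object -First 1

New-Object PSObject -Property @{
    ForestRoot      = $ForestRoot
    Nla4333Count    = $nlaErrors.Count
    LastNla4333     = $lastError
    ForestRootDC    = $dcName
    LocatorError    = $locatorError
    Ldap389Tcp      = $ldapTcp
    IntranetForests = $cachePresent
    FirewallProfile = $profileLine
} | Format-List
```

A locator error combined with a missing IntranetForests key and a Public firewall profile matches the condition this article describes.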

RESOLUTION

To resolve this issue, use one of the following methods.

Method 1

Configure the firewall devices not to block communications on UDP/TCP port 389. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
832017 Service overview and network port requirements for the Windows Server system

Method 2

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Configure one computer in the child domain to connect to the PDC from the root domain.
  2. Restart the computer. The computer should now be able to identify the network. Also, the profile on the firewall will be set to the domain profile.
  3. Export the following registry subkey as a file to a shared location in the domain:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests
  4. Import the registry subkey that you exported in step 3 to the other computers that cannot connect to the PDC from the domain forest.
  5. Restart each of these computers. Each computer should now be able to identify the network, and the profile on the firewall will be set to the domain profile.

Method 3

If it is sufficient to identify the network profile based on the child domain name, then reducing the time that NLA spends on its aggressive retries might be the right approach.

To deploy a registry setting that changes the retry count used by NLA, follow these steps:
  1. Create a new registry key that matches the forest root domain under the path:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\
  2. In the newly created registry key for the name of the forest root domain, add the two registry values below:
    • Failures REG_DWORD with a value of 1
    • Successes REG_DWORD with a value of 0
    This will cause NLA to go to its lowest retry count and should result in identification lasting for just a couple of minutes.
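
One way to script the steps of Method 3, as an added example that is not part of the original article. The forest root name corp.example.com is a placeholder, and the script must run from an elevated prompt because it writes under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not from the KB article). Requires an elevated prompt.
# 'corp.example.com' is a placeholder for the forest root domain name.
param([string]$ForestRoot = 'corp.example.com')

$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet'

# Accept only letters, digits, dots and hyphens, so the name cannot contain
# a backslash (nested key) or a wildcard that the registry provider would expand.
if ($ForestRoot -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
    throw "Not a valid domain name: $ForestRoot"
}
$key = Join-Path $base $ForestRoot

# Step 1: create the key named after the forest root domain if it is missing.
# -Force is used only on creation; on an existing key it would discard its values.
$existed = Test-Path $key
if (-not $existed) { New-Item -Path $key -Force | Out-Null }

# Step 2: set the two REG_DWORD values given in the article.
New-ItemProperty -Path $key -Name 'Failures'  -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $key -Name 'Successes' -PropertyType DWord -Value 0 -Force | Out-Null

# Read the values back so the change can be confirmed and logged.
$now = Get-ItemProperty -Path $key
New-Object PSObject -Property @{
    Key        = $key
    KeyExisted = $existed
    Failures   = $now.Failures
    Successes  = $now.Successes
} | Format-List
```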

Properties

Article ID: 980873 - Last Review: March 22, 2010 - Revision: 2.0
APPLIES TO
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard