Windows Servers Think They're on Private or Public Network Instead of Domain

Joshua Martin

3 min read
Windows Servers Think They're on Private or Public Network Instead of Domain
Photo by Meriç Dağlı / Unsplash

Do you have a Windows environment?

Are you one of us ancient dinosaurs who still have on-prem servers running Active Directory? You may, on occasion, run into an issue where your servers seem to believe they are on a Private or Public network, instead of the Domain network. This can happen for a variety of reasons; Ours I believe is a combination of very aggressive firewall rules & the fact that our servers reboot every night so Proxmox Backup Server can create backups, and they don't always come back up in an ideal order. For many people, it seems it may just be a matter of Windows being Windows. In any case, there are a few things that can be done to remedy this.

Full disclosure: There may be some security implications to this depending on your environment. Use your best judgement. I am just some guy on the internet after all. All of the following fixes should be applied to the afflicted server(s).

1) Set an explicit DNS Suffix

This is the first relevant setting. We're explicitly setting a DNS suffix for our network connection. Open Control Panel, then click Network and Internet, then Network Connections. Now Right-Click on your network adapter and click Properties.

Click on Internet Protocol Version 4 if it isn't selected already, then click Properties.

In the window that opens, click Advanced

In the third window that opens, find the DNS suffix for this connection: box.
Enter your domain's FQDN in this box. (e.g. bad.example.org)

Click OK, then OK, then OK again. Great job.

2) Configure the NlaSvc

The Network Location Awareness service is the service that decides where your computer is (supposedly). We can tweak it directly a bit to make it behave more reliably.
First, open a Command Prompt Window as Administrator...

Run the following command to set the NlaSvc to Delayed Start (So it runs on startup still, just not immediately):

sc config NlaSvc start= delayed-auto

Now run the following command to set the NlaSvc to be dependent on the NetLogon service, meaning NlaSvc will not run until NetLogon does. (NetLogon is what connects everything to the domain):

sc config NlaSvc depend= NSI/RpcSs/TcpIP/Dhcp/Eventlog/Netlogon

3) Registry Tweak - AlwaysExpectDomainController

This one's easy. We can add a registry entry called AlwaysExpectDomainController that, outside of the obvious, does the following:

‘AlwaysExpectDomainController is for the device to send continuously the SRV query requesting the LDAP to the domain controller until it gets an answer.'”

Assuming you are exclusively using LDAPS and not plain unencrypted LDAP, your servers don't leave and wander off somewhere else, and your network security is decent, this shouldn't have any nasty security implications as far as I can tell, but again, use your best judgement. I am just some guy on the internet.

In that same Command Prompt Window, run the following to add that registry entry:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters /v AlwaysExpectDomainController /t REG_DWORD /d 1

You will need to reboot

...to apply most of this. It took care of the issue for me. Best of luck!

Read more