VPN connection will be recognized as public connection

Hi there,

Since we moved our VPN connection to Palo Alto (GlobalProtect), we sometimes have an issue on our W10 clients. The VPN connection sometimes gets the status "public" and not "domain network", like it should. With the public profile the users couldn't access shares, got problems with in-house applications, etc. It's a pain in the ass which we couldn't solve.

Our workaround is to reinstall the software or change the network profile in the registry. It's annoying as hell. We already got support from a Palo Alto support guy, who couldn't solve the problem.

I bet our DNS server could be the reason for this problem. I am not sure how I could find the origin of the problem.

How does Windows 10 determine the status of a network connection, and how could a DNS server have influence on this problem?

Sorry for my bad English, not a native speaker.

Cheers

You don’t have to re-install the software. You can restart the “Network Location Awareness” service to trigger a re-identification of the networks. You can also use PowerShell to set the network type for specific adapters, which is what I would use (as there is no way that the VPN connection will ever be anything but the domain network).

Typically the network location awareness service checks the DNS suffix of the client that was supplied by the DHCP server. If that matches the registry key “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName” then it assumes it is connected to a domain network. (I am not able to confirm this).

My guess is that the DHCP configuring the VPN adapter isn't providing that suffix; regardless of how Windows checks if it matches the domain name, it absolutely needs to be set.

In addition, the Network Location Awareness service starts automatically and might try to detect the network connectivity of the VPN adapter before it got a DHCP response. In theory NLA should re-check on every connection state but there might be a weird scenario where that doesn’t get triggered. Some people suggest setting the NLA service start type to “delayed”, although I’m not a fan of that.

As mentioned earlier I would set the connection type manually via PowerShell. That has basically no side effects and is very easy to accomplish.
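The checks and fixes described in this answer (compare the adapter's DNS suffix with the joined domain, restart Network Location Awareness instead of reinstalling the client, and set the category by hand as a fallback), as an added PowerShell example that is not part of the original post. The adapter alias `GlobalProtect` is an assumption; take the real name from `Get-NetAdapter`. Run it from an elevated prompt.

```powershell
# Added example (not from the original thread). The adapter alias is an
# assumption; check Get-NetAdapter for the actual GlobalProtect interface name.
$Alias = 'GlobalProtect'

# 1. What does NLA currently think this adapter is?
$profile = Get-NetConnectionProfile -InterfaceAlias $Alias -ErrorAction Stop
"{0}: category={1}, IPv4={2}" -f $profile.Name, $profile.NetworkCategory, $profile.IPv4Connectivity

# 2. Compare the connection-specific DNS suffix handed to the VPN adapter with
#    the domain this machine is joined to. If they differ, NLA will never
#    classify the tunnel as a domain network, whatever else is configured.
$dnsSuffix  = (Get-DnsClient -InterfaceAlias $Alias).ConnectionSpecificSuffix
$domainName = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
if ($dnsSuffix -ne $domainName) {
    Write-Warning "Adapter suffix '$dnsSuffix' does not match joined domain '$domainName'."
}

# 3. Make NLA re-identify every network instead of reinstalling the client.
#    -Force also restarts the dependent Network List Service (netprofm).
Restart-Service -Name NlaSvc -Force
Start-Sleep -Seconds 5
$after = (Get-NetConnectionProfile -InterfaceAlias $Alias).NetworkCategory
"After NLA restart: $after"

# 4. Fallback. Set-NetConnectionProfile only accepts Public or Private;
#    DomainAuthenticated is assigned by NLA itself and cannot be set here.
if ($after -eq 'Public') {
    Set-NetConnectionProfile -InterfaceAlias $Alias -NetworkCategory Private
    "Category forced to Private; firewall now applies the Private profile rules."
}
```

Step 4 is the "no side effects" fallback the answer refers to, with one caveat: forcing the category gets you the Private firewall profile, not the Domain profile, so any firewall rules or Group Policy settings scoped to the Domain profile only still will not apply; check `Get-NetFirewallProfile` if something is still blocked after the switch.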

Does the VPN push out DNS servers with Active Directory’s records, and only servers with those records?

Are the clients obeying those settings?

Long story short:

We found out it's a problem of the ISP, especially with the firmware of the routers. The ISP (Vodafone) will soon release an update for the firmware.

It helped to change the MTU value of the VPN client connection to 1300. As soon as we set the new MTU value and reconnect, the network is correctly recognized.
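The MTU fix from this final post, as an added PowerShell example that is not part of the original thread: it probes the tunnel for the largest packet that passes with the Don't-Fragment bit set, so you can confirm that 1300 is actually needed rather than guessing, and then pins the adapter MTU. The adapter alias `GlobalProtect` and the probe host `fileserver.corp.example` are assumptions; use the real interface name and a host that is only reachable through the tunnel.

```powershell
# Added example (not from the original thread). Alias and probe host are
# assumptions; replace them with your tunnel adapter and an internal host.
$Alias = 'GlobalProtect'
$Probe = 'fileserver.corp.example'

function Find-PathMtu {
    param([string]$Target, [int]$Low = 1200, [int]$High = 1500)
    # Binary search on the ICMP payload size with DF set (ping -f).
    # A reply containing "TTL=" means the packet passed unfragmented;
    # MTU = payload + 20 (IPv4 header) + 8 (ICMP header).
    $best = 0
    while ($Low -le $High) {
        $mid = [int](($Low + $High) / 2)
        $out = ping -n 1 -f -l $mid $Target 2>&1 | Out-String
        if ($out -match 'TTL=') { $best = $mid; $Low = $mid + 1 }
        else                    { $High = $mid - 1 }
    }
    if ($best -eq 0) { return 0 }
    return $best + 28
}

$pathMtu = Find-PathMtu -Target $Probe
if ($pathMtu -eq 0) {
    Write-Warning "No DF probe succeeded; falling back to the thread's value of 1300."
    $mtu = 1300
} else {
    "Largest unfragmented MTU through the tunnel: $pathMtu"
    # Never set more than the probed path allows; 1300 is the value that worked here.
    $mtu = [Math]::Min(1300, $pathMtu)
}

# Pin the adapter MTU for both IPv4 and IPv6, then show the result.
Get-NetIPInterface -InterfaceAlias $Alias | Set-NetIPInterface -NlMtuBytes $mtu
Get-NetIPInterface -InterfaceAlias $Alias | Select-Object AddressFamily, NlMtu
```

If the probe reports a path MTU well below 1300, the ISP router firmware mentioned above is likely still fragmenting or dropping DF packets; if it reports 1500, the MTU change was masking something else and the NLA checks in the earlier answer are the better place to look.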