NLA stuck on Identifying...
The issue I've been encountering with the nearly permanent Identifying... status hasn't been resolved by any of the other fixes I've seen for similar problems and I'm just about out of things to check. Here's what I'm dealing with... I have an image for my workstations that I apply, and it joins the domain during sysprep. It gets to the point where I can finally log on, the network connection is active with an IP, group policy is applied, and I can log on as a domain user with no problems. The Network and Sharing Center shows that I am connected to the Internet, but the network location still sits at Identifying... Since it defaults to the public firewall config in this state, I can't pass much network traffic. It will sit in this state for anywhere from 20 minutes to days before it finally detects that I am on the domain network. Once this happens, and it writes all those settings into the registry for the network signature, it never has a problem again.
I have already tried the following:
- DhcpConnForceBroadcastFlag reg setting
- Turning off the Windows Firewall via group policy so that it can't be blocking anything before identifying the domain network
- Adding an entry to the hosts file with the IP address of a DC of the root domain and the DNS name of the root domain
My best guess at this point is that maybe something is being blocked by the firewall between me and the root domain (we are a child domain on a separate network), but since we aren't encountering any other problems accessing the root domain I don't know what else I can check for. I've also tried digging for information on what exactly NLA is checking for to identify networks so that I could troubleshoot from that angle, but I have found nothing. Please help!
December 10th, 2008 1:11am

Hi, I understand that the network connection status is always Identifying. The computer joins the domain and you can log on to it with no issues; however, it takes a long time to identify the network status. You have tried the following:
1. Add the DhcpConnForceBroadcastFlag key to the registry.
2. Disable the Windows Firewall.
3. Add the entries related to the current domain to the hosts file.
Given this situation, please try to reinstall or upgrade your NIC drivers to check if it helps. (Note: please log on as administrator when you try to do this.)
Generally, the symptom that Identifying takes a long time is related to the NCSI feature of Vista, and I would like to share the following information with you. Network Connectivity Status Indicator (NCSI) is a new Windows Vista feature. It is designed to be responsive to network conditions, so it examines the connectivity of a network in a variety of ways. If one test fails, NCSI may report an error, even if the network can actually be accessed fully. For example, NCSI tests connectivity by trying to connect to http://www.msftncsi.com/ncsi.txt, a simple website that exists only to support the functionality of NCSI. Please try to visit the following website; you should see Microsoft NCSI.
http://www.msftncsi.com/ncsi.txt
For more information about NCSI, please refer to the following document:
Appendix K: Network Connectivity Status Indicator and Resulting Internet Communication in Windows Vista
http://technet.microsoft.com/en-us/library/cc766017.aspx
Regarding this issue, since the Windows Vista computer is in a domain, the computer may have difficulties accessing http://www.msftncsi.com/ncsi.txt due to the specific network environment and settings. Thus, it will stay at Identifying for a long time. Since you can log on to the domain with no issues and the Internet connection works fine, we can simply ignore the issue.
Thanks. Nicholas Li - MSFT
December 11th, 2008 2:56pm

Thank you for your reply. I had issues checking back during the forum transition to the new site, and I ended up forgetting about my post until today after joining another Vista machine to the domain. Regarding your first suggestion of the NIC driver, I always update the NIC driver to the most current when I install Windows. This issue is not restricted to one particular computer or NIC; it has occurred on every machine I install Vista on and join to our domain, with my image or a clean install. I have also tried with VMs running on Hyper-V.
Thank you for the insight on what NCSI is doing, I appreciate the information. I did try the NCSI site on a machine I just installed Vista on that is sitting and chugging away on Identifying... as I write this. The website loaded without issue instantly. The document you reference doesn't make any mention of what, if any, checks it makes to determine connectivity to a domain network, so it doesn't give me much insight into my issue as all the Internet checks work perfectly.
As much as I would like to ignore this issue, it is causing secondary problems that I forgot to mention in my original post. Group policy does seem to be applying properly, but if I try to run gpupdate it will sit and never finish the first time. Subsequent attempts usually work without issue. My primary problem is that while sitting in the Identifying... state, Windows will not shut down or log off gracefully unless it has been running for 30+ minutes. Explorer will close and I get to stare at the desktop for all of eternity; the Logging off... message never appears. I have to force the computer down in order to restart. Once the domain network is finally picked up this behavior disappears. I would appreciate any additional insight you can give me.
January 23rd, 2009 10:56pm

Additionally, it is very disruptive to the deployment process to have the firewall stuck on the Public profile for long periods of time. I could really use some further suggestions or steps to locate the problem.
February 19th, 2009 7:30pm

Hi, Thank you for updating. Based on my research, I would like to suggest the following:
1. Please refer to the following Knowledge Base article to troubleshoot this issue: http://support.microsoft.com/default.aspx/kb/928233
2. We can manually assign a static IP address on the computer according to the IP rules of the domain to check the issue.
3. Please perform a Clean Boot to check if the issue was caused by a software conflict. How to troubleshoot a problem by performing a clean boot in Windows Vista: http://support.microsoft.com/kb/929135
If it is possible, please try to plug the computer into another network jack to see if it works. Please also let me know if other Windows Vista computers in this domain have this sort of issue.
Thanks. Nicholas Li - MSFT
February 20th, 2009 11:14am

Thank you for the further suggestions. I'd like to reiterate that network access is not an issue. It can get an IP address, join the domain, process domain logons, and access the Internet without issue.
1. As stated in my original post, I already tried the DhcpConnEnableBcastFlag registry setting. There was no change in behavior.
2. I configured a freshly imaged machine to use a static IP along with the proper DNS, WINS and gateway. After 10 minutes, it was still sitting on Identifying...
3. On the same machine as mentioned above, I tried the 'clean boot'. No changes. This problem also occurs on a clean install of Vista that is joined to the domain immediately after install, no software or driver installs. Incidentally, it also occurs on Windows 7 Beta 1.
I have about 10 machines deployed now, and each one has had this problem. After the domain network is finally identified for the first time, the issue persists after a reboot, but not for nearly as long as the first time around. It usually takes 5-20 minutes for the domain network to be identified, even after I deploy the machine to its final place of use. The primary concern I have after the machine is deployed is that during the Identifying phase, the firewall is set to the public profile, so it's difficult to work on the machines remotely. Also, during the same time period after the system starts, I am unable to restart the machine or log off a user. Explorer goes away and it sits at the desktop background. The log off doesn't trigger.
Is there any specific information you can give me as to what Windows does to determine that it is connected to a domain network? I performed a capture with Wireshark to see if there was anything that stood out, but there was not. Most of the traffic originating from that computer was NetBIOS lookups for isatap.dnsSuffix.com and SSDP packets from UPnP.
March 26th, 2009 9:40pm

Something interesting surfaced now that we're deploying some Server 2008 machines. We're seeing event ID 13 from CertificateServicesClient-CertEnroll: Certificate enrollment for Local system failed to enroll for a Machine certificate from <server in the root domain>\Issuing CA for <root domain> (The RPC server is unavailable. 0x800706ba (WIN32: 1722)). I imagine this is probably caused by the firewall between our networks, but could this be the cause of my headaches?
April 1st, 2009 8:12pm

Actually that's not right - it's NLA (Network Location Awareness service), not NCSI, that determines the signature of the network. NCSI is part of NLA, but it's only used for detecting whether or not you are connected to the Internet. Unfortunately NLA has to carry out certain operations in a secure manner, and that can take some time in some situations - I'm sorry that's not more helpful, but I don't know the internals of NLA (I do know the internals of NCSI).
April 16th, 2009 1:42pm

I managed to figure this out on my own. I accidentally stumbled across this KB article: http://support.microsoft.com/default.aspx/kb/971198. The powers that be refuse to open LDAP in the firewall, but while plugged into their network I was able to get the necessary registry key and everything is peachy.
June 10th, 2009 7:31pm

I have been experiencing this same issue with new images being stuck on identifying. It seems to slow down our deployment because I'm not sure that the machines are getting group policy, nor can we remotely administer them via Dameware...because they don't seem to be registered on the network/domain. Have you been able to come up with any other solutions?
July 14th, 2009 1:33am

Sorry, I clicked on the wrong button. Here is what I propose: Maybe you tried this already, but have you enabled Network Discovery? We had issues with our systems not allowing users access to the internet for ~30 minutes after logon. Initially adding them (PCs) to the ad group to grant internet access resolved the issue, then it started to happen on XP so I had to dig more and found that when I turned on network discovery on WIN7, removed the system from our Internet access group and rebooted all was well. I am not too keen on the NCSI fix though. We will be allowing the parent site unauthenticated proxy access to resolve this for XP systems though.
January 8th, 2010 11:08pm

Through our support channels, I was able to get a ticket opened with Microsoft to assist us with this. What we ended up doing is more of a work-around, but it does the trick, nonetheless. Here is the path in the registry that we exported from a machine that had our domain listed in the Network and Sharing Center and then imported on a machine after sysprep and right before we captured the image:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet
Once we did this, our imaged machines 'detect' the domain usually after the first reboot. The Microsoft tech said that this was a work-around, but that maybe our settings needed a 'kick' to get the whole domain discovery going. I'm part of a government agency and we don't have a lot of things that we can change in the build that we're given, so we have to figure it out and move on. Thank you for the suggestions though, the forum posts here pointed me in the right direction.
January 22nd, 2010 6:13pm
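
A read-only check for the two conditions the posts above point to (LDAP blocked toward the root domain, and the NLA Intranet cache key not yet populated), added here as an example; it is not from the thread, the KB article or Microsoft. The DC name is a placeholder, TCP 389 is assumed to be the LDAP port in question, and the netsh match assumes English output.

```powershell
# Added diagnostic sketch, not code from the thread. Reads state only; changes nothing.
$RootDc   = 'dc01.root.example'   # placeholder: a DC of the forest root domain
$LdapPort = 389                   # assumption: standard LDAP port is the one filtered
$NlaKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet'

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped SYN does not hang the script
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false             # refused, unreachable, or name did not resolve
    } finally {
        $client.Close()
    }
}

# 1. Firewall profile currently in force (Public while NLA shows Identifying...)
$profileLine = netsh advfirewall show currentprofile |
    Select-String 'Profile Settings' | Select-Object -First 1

# 2. Has NLA cached anything under the Intranet key yet?
$subKeys = @(); $values = @()
if (Test-Path $NlaKey) {
    $subKeys = @(Get-ChildItem $NlaKey | ForEach-Object { $_.PSChildName })
    $values  = @((Get-Item $NlaKey).GetValueNames())
}

# 3. Is LDAP on the root-domain DC reachable from this network segment?
$ldapOk = Test-TcpPort -HostName $RootDc -Port $LdapPort

"Active firewall profile : $profileLine"
"NLA Intranet cache      : $($subKeys.Count) subkey(s), $($values.Count) value(s)"
if ($subKeys.Count) { "  cached entries        : $($subKeys -join ', ')" }
"LDAP tcp/$LdapPort to $RootDc : $(if ($ldapOk) { 'reachable' } else { 'NOT reachable' })"
if (-not $ldapOk -and $subKeys.Count -eq 0) {
    'Both conditions from the thread are present: LDAP is blocked and no cached signature exists.'
}
```

Run it from an elevated prompt on a freshly imaged machine and again on one that already shows the domain network, then compare the two outputs.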

This topic is archived. No further replies will be accepted.
