What Parameters does Vista use to decide whether a Network is Domain, Private or Public?
I am trying to resolve why two PCs loaded with Vista SP1 in our IT department as test machines keep wrongly reporting the network connection.

The network has Win2K, Win2003, and 2 new Win2008 DCs. The main roles are located on the Win2003 server. There are around 100 users on the network using a mixture of Win2K and XP Pro desktops. All systems are fully patched and the network infrastructure is a mixture of Dell and 3com switches. 2 of the DCs are the DHCP servers, the DNS entries point to the DCs, and the DCs have forwarding entries to the Watchguard firewall/Cisco routers that interface with the internet.

By this I mean that when the PC is restarted it correctly recognises the network as being a Domain Network. Then at some time later (usually a few hours) I notice that the status has altered to "Domain Network, local access only", despite the fact that the internet IS ACCESSIBLE, as evidenced by web browsing and other connectivity still working.

On other occasions it wrongly reports that the connection is a "Private" connection despite no alterations having been made to either the network connection or the domain infrastructure. In these circumstances the PC can still access all the network assets and the internet successfully, i.e. it is just the operating system that is getting confused about the network status.

I wish to discover what measurements the operating system is making in order to reach its decision as to the type of network connected. Without this I do not have any chance of altering parameters in my network to ensure that Vista correctly recognises it as a valid domain at all times, not just part of the time.

Whenever Vista has these aberrations, a restart will rectify matters for a few hours/a day, but eventually one or the other of the issues reported above will arise. I just want to find out what would be triggering this response from Vista.

Thanks for any comments.
Chris
January 15th, 2009 2:42pm

Hi, I will share the following information, which is related to how Windows Vista decides between the network statuses domain, private, and public.

Windows Vista defines three network profiles: domain, private, and public. When the computer is domain-joined and has successfully logged into the domain, the computer automatically applies the domain profile; you never get to make this choice on your own. When the computer is connected to an internal network that lacks a domain (like a home or small office network), you (or an administrator) should apply the private profile. Finally, when the computer is directly connected to the Internet, you should apply the public profile.

Windows Vista decides where to place your computer by a service called Network Location Awareness (NLA). It builds a network profile, which includes information about existing interfaces, whether the computer authenticated to a domain controller, the gateway's MAC address, and so on, and assigns it a GUID. NLA then notifies the firewall and the firewall applies the corresponding policy (there's a policy defined for each of the three profiles). If this is a new interface that the computer hasn't seen before and NLA didn't choose the domain profile, then you'll see a dialog box that asks you to indicate what kind of network you're connecting to.

Here's a rundown of the NLA decision tree:

1. Examine all connected networks.
2. Is any interface connected to a network classified as public? If yes, set the computer's profile to public and exit.
3. Is any interface connected to a network classified as private? If yes, set the computer's profile to private and exit.
4. Do all interfaces see a domain controller and did the computer successfully log on? If yes, set the computer's profile to domain and exit.
5. Else set the computer's profile to public.

The goal is to select the most restrictive profile possible. There are two obvious side effects, however. First, if your computer's Ethernet port is connected to your corpnet and its wireless NIC is connected to the Starbucks downstairs, the computer will select the public profile, not the domain profile. Second, if your computer is directly connected to the Internet (in the public profile) or is connected to your home LAN (in the private profile) and you make a VPN connection to your corpnet, your computer will remain in the public or private profile.

What might this mean? The firewall's policy for the domain profile includes rules for remote assistance, remote administration, file and print sharing, and so on. If you rely on these rules in order to get to a client remotely, you won't be able to if the client has chosen some other profile. But don't despair: you can write firewall rules to allow whatever inbound connections you need and then apply them only to VPN connections. Now you can still administer your clients over the VPN even when they aren't in the domain profile.

It is important to mention in this context that only one profile can be active at a time on Windows Vista. If there are two network interfaces live in the system and one of them is on the domain while the other is on a public network, the public firewall profile will be applied to both. The most restrictive profile will always be used. As you might guess, the public profile is more restrictive than the private profile, and the private profile is more restrictive than the domain profile. So beware that the outbound SMB blocking rule can break much traffic over VPN connections.

Generally, the symptom where the connection shows "local access only" is related to the NCSI feature of Vista; I would also provide you with the following related information. Network Connectivity Status Indicator (NCSI) is a new Windows Vista feature. It is designed to be responsive to network conditions, so it examines the connectivity of a network in a variety of ways. If one test fails, NCSI may report an error, even if the network actually can be accessed fully. For example, NCSI tests connectivity by trying to connect to http://www.msftncsi.com/ncsi.txt, a simple Website that exists only to support the functionality of NCSI. Please try to visit the following website; you should see "Microsoft NCSI": http://www.msftncsi.com/ncsi.txt

For more information about NCSI, please refer to the following document: Appendix K: Network Connectivity Status Indicator and Resulting Internet Communication in Windows Vista, http://technet.microsoft.com/en-us/library/cc766017.aspx

Regarding our issue, since the Windows Vista computer is in a domain, the computer may have difficulties accessing http://www.msftncsi.com/ncsi.txt due to the specific network environment and settings. Thus, it may show "local access only", but the Internet connection works. Since you can log on to the domain with no issues and the Internet connection works fine, we can simply ignore the issue.

Thanks.
Nicholas Li - MSFT
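As an added example (not code from the original thread, and not a Windows API), the NLA decision tree and the NCSI probe described in the answer above, modelled in Python: the `Interface` record, the `select_profile`/`ncsi_status` functions and the two offline `fetch_*` stand-ins are assumptions for illustration, and the scenario data is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Profiles in order from least to most restrictive, as the answer describes.
DOMAIN, PRIVATE, PUBLIC = "domain", "private", "public"

@dataclass
class Interface:
    """One connected network as NLA sees it (constructed model, not a Windows API)."""
    name: str
    classified_as: Optional[str] = None  # "public"/"private" if chosen for this network, else None
    sees_dc: bool = False                # this interface can reach a domain controller

def select_profile(interfaces: Iterable[Interface], domain_logon_ok: bool) -> str:
    """Walk the five-step NLA decision tree from the answer and return the single
    profile the firewall applies to every interface (only one is ever active)."""
    ifaces = list(interfaces)                                        # step 1
    if any(i.classified_as == PUBLIC for i in ifaces):               # step 2
        return PUBLIC
    if any(i.classified_as == PRIVATE for i in ifaces):              # step 3
        return PRIVATE
    if ifaces and domain_logon_ok and all(i.sees_dc for i in ifaces):  # step 4
        return DOMAIN
    return PUBLIC                                                    # step 5: default

NCSI_URL = "http://www.msftncsi.com/ncsi.txt"   # probe URL named in the answer
NCSI_BODY = "Microsoft NCSI"                    # expected body of that page

def ncsi_status(fetch: Callable[[str], str]) -> str:
    """Model the NCSI probe: fetch(url) returns the body text or raises OSError.
    Any failure yields 'local access only', even if other traffic still flows."""
    try:
        body = fetch(NCSI_URL)
    except OSError:
        return "local access only"
    return "internet" if body.strip() == NCSI_BODY else "local access only"

# Constructed stand-ins for the HTTP fetch so the example runs offline.
def fetch_ok(url: str) -> str:
    return "Microsoft NCSI"

def fetch_blocked(url: str) -> str:
    raise OSError("probe blocked by proxy/firewall policy")  # constructed failure

if __name__ == "__main__":
    corp = Interface("Ethernet", sees_dc=True)
    cafe = Interface("Wireless", classified_as=PUBLIC)
    print(select_profile([corp, cafe], True))  # public: most restrictive wins
    print(ncsi_status(fetch_ok), "/", ncsi_status(fetch_blocked))  # internet / local access only
```

The second print reproduces the poster's symptom: browsing works through the normal path, but if only the probe URL is blocked the indicator still says "local access only".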
January 17th, 2009 6:57am
