Windows Firewall not recognizing Domain network on Windows 10
When you connect to a domain network or a company network, Windows Firewall switches to the domain profile. That profile applies to networks where the host system can authenticate to a domain controller. The other two profiles are private and public. It may happen that when you connect to a domain, the Windows Firewall profile does not switch to Domain. This usually occurs when you use a third-party virtual private network (VPN) client to connect to the domain network. In this post, we offer a solution that makes sure Windows Firewall switches the profile in this situation.
Windows Firewall not recognizing Domain network
It may happen that your Windows Firewall profile does not switch to Domain when you use a third-party VPN client. The reason the switch to the domain profile fails is a time lag in some third-party VPN clients: the delay occurs while the client adds the necessary routes to the domain network. VPNs change the IP address every time you switch to a new server or make a new connection. As a permanent solution, Microsoft recommends that VPNs use callback APIs to add routes as soon as the VPN adapter appears in Windows. These are the three APIs that a VPN should use on Windows.
- NotifyUnicastIpAddressChange: Alerts callers of any changes to any IP address, including changes in DAD state.
- NotifyIpInterfaceChange: Registers a callback for notification of changes to all IP interfaces.
- NotifyAddrChange: Notifies the caller about address changes.
Workaround to switch Firewall to Domain Profile
If your VPN doesn't offer such features, and you cannot switch to a different VPN, here is a workaround. You or the IT admin can disable the negative cache to help the NLA (Network Location Awareness) service when it retries domain detection.
If you need to create any of these keys, right-click in the appropriate pane, select New, and then choose the type of key. For the values below, right-click in the right pane and select New and then DWORD (32-bit) Value.
Add or change Negative Cache Period
Disable the Domain Discovery negative cache by adding the NegativeCachePeriod registry entry under the following subkey:
- Open Registry Editor and navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
- Change or create the following DWORD with the suggested value
- Name: NegativeCachePeriod
- Type: REG_DWORD
- Value Data: 0
The default value of the negative cache is 45 seconds. Setting it to zero will disable caching.
Add or change the Max Negative Cache TTL
If the issue is still not resolved, the next step is to disable DNS negative caching. You can achieve this by adding the MaxNegativeCacheTtl registry entry.
- Open Registry Editor
- Navigate to the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
- Change or create the following DWORD with the suggested value
- Name: MaxNegativeCacheTtl
- Type: REG_DWORD
- Value Data: 0
The default value of the max negative cache is five seconds. When you set it to zero, it will disable caching.
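As an added example (not from the original post), the following PowerShell script applies both registry values from the workaround above in one step, records the previous values so they can be reverted, and then checks which network category NLA assigned after the VPN reconnects. It assumes an elevated session and the Get-NetConnectionProfile cmdlet (available on Windows 8 / Server 2012 and later).

```powershell
#Requires -RunAsAdministrator
# Added example: apply the two negative-cache workarounds from the article
# (NetLogon NegativeCachePeriod and Dnscache MaxNegativeCacheTtl) and verify
# the resulting network profile. Defaults are the ones the article states.

$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters'
       Name = 'NegativeCachePeriod'; Value = 0; Default = 45 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
       Name = 'MaxNegativeCacheTtl'; Value = 0; Default = 5 }
)

foreach ($s in $settings) {
    # Read the current value first so the change can be reverted later.
    $current = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        Write-Host "$($s.Name) not present (default $($s.Default) s); creating it with value $($s.Value)"
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value | Out-Null
    } else {
        Write-Host "$($s.Name) currently $($current.$($s.Name)); setting it to $($s.Value)"
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

function Test-DomainProfile {
    # Returns $true when at least one connected network is DomainAuthenticated,
    # i.e. NLA recognised the domain and the firewall can use the Domain profile.
    $domain = Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' }
    return [bool]$domain
}

# NLA re-evaluates the network on the next connection: reconnect the VPN, then check.
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory
if (Test-DomainProfile) {
    Write-Host 'Domain network recognised; Windows Firewall will apply the Domain profile.'
} else {
    Write-Host 'No DomainAuthenticated network yet; reconnect the VPN and re-run this check.'
}

# To revert, restore each default, e.g.:
# Set-ItemProperty -Path $settings[0].Path -Name $settings[0].Name -Value $settings[0].Default -Type DWord
```

Because both values only widen how often domain detection is retried, the script is safe to leave in place until the VPN vendor adds the callback-API support described above.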
I hope this workaround helps the Windows Firewall profile switch to the Domain profile when you use a third-party VPN client. Unless your VPN client already supports the callback APIs that notify Windows about changes, the Registry changes should help.