question

LorenzoMarcantonio-0173 asked BergDerrick commented

Troubles with NCSI - Windows 10 doesn't even probe the addresses

I have a mixed Win7/Win10 AD domain. Access to the internet is via proxy, configured via WPAD, and everything is fine…
To make NCSI work I added the corresponding rules and it works perfectly on Win7. I know that the latest Win10 releases have another address and URL for checking; however, there is a strange behaviour:

  • Win 10 says "ad.domain.xxx domain, no internet connection" (or something like that, it's an Italian language version) in the tooltip (this is the issue because Skype and other things don't work if it says so)

  • Everything works fine (except things depending on the NCSI)

  • I reckon that passive monitoring will never trigger since being proxied it will never reach the 8 hop count required

  • I did a full Wireshark capture of the machine IP; it downloads the WPAD configuration, does stuff with LDAP and the domain, but I see no DNS queries after the domain, WPAD and ISATAP ones. We don't have isapad deployed. Nor IPv6, for that matter (Italy still has no good IPv6 infrastructure)

  • On the web ports (80, 443 and the proxy port) I see requests for WPAD, the various data.microsoft.com things, and some XML stuff with the domain controller (no idea); nothing trying to go out to the test site, either directly or thru the proxy

I did a full network reset with no success. At least two different machines have the problem and on one of these there is no antivirus installed (the other one uses Kaspersky, if it helps). I tried linking a GPO with the NCSI 'corporate' options (DNS probe, website probe) but nothing happens (it seems that nlasvc for some reason decides not to do the probes).

On the registry side: in currentcontrolset/services/nlasvc/parameters I have enableactiveprobing set to 1 (I read that sometimes that gets set wrong).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies has an empty string… is that right? I vaguely remember that "something else" should set the proxy here, but I didn't find any documentation. Could that be an issue?

Next I'll try removing the machines from the domain to see if there is some unknown GPO that could disturb the service. Any other ideas?

The release is 2004-19041. Thanks in advance for any suggestions.






windows-10-network

GaryNebbett answered BergDerrick commented

Hello @LorenzoMarcantonio-0173

One thing that you could try is to use Event Tracing for Windows (ETW) to trace what is happening and then analyse the captured data (or post a link here so that we can help).

One way of starting the trace would be to issue the command:

netsh trace start scenario=NetConnection tracefile=noint.etl

Now reproduce the problem (disconnect and then reconnect the client from the network) and then stop the trace with a command like:

netsh trace stop

Here is an example of the sort of information that can be found in the trace file:

44152-image.png

Gary




Hey Gary,

What Event Viewer are you using in that picture?
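
Alongside the trace, the settings mentioned in the question can be read back and the probes repeated by hand. This is an added example, not part of the original thread; it assumes the standard NCSI value names (ActiveWebProbeHost, ActiveWebProbePath, ActiveWebProbeContent, ActiveDnsProbeHost, ActiveDnsProbeContent) under the NlaSvc\Parameters\Internet key and the NoActiveProbe policy value, and the function names are hypothetical.

```powershell
# Added example: read-only NCSI check for the affected client (Windows PowerShell 5.1).
$ncsiKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'

function Get-NcsiProbeConfig {
    # Probe settings NlaSvc reads, plus the policy value that can switch active probing off.
    $p      = Get-ItemProperty -Path $ncsiKey
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableActiveProbing = $p.EnableActiveProbing
        PolicyNoActiveProbe = $policy.NoActiveProbe      # empty when no policy is set
        ActiveProbingOn     = ($p.EnableActiveProbing -eq 1) -and ($policy.NoActiveProbe -ne 1)
        WebProbeUrl         = 'http://{0}/{1}' -f $p.ActiveWebProbeHost, $p.ActiveWebProbePath
        WebProbeContent     = $p.ActiveWebProbeContent
        DnsProbeHost        = $p.ActiveDnsProbeHost
        DnsProbeContent     = $p.ActiveDnsProbeContent
        ManualProxies       = $p.ManualProxies
    }
}

function Test-NcsiProbe {
    # Repeats the DNS and web probes by hand and compares them with the expected content.
    param([Parameter(Mandatory)] $Config)
    $dns = try {
        (Resolve-DnsName -Name $Config.DnsProbeHost -Type A -ErrorAction Stop |
            Where-Object IPAddress).IPAddress
    } catch { "error: $($_.Exception.Message)" }
    $web = try {
        (Invoke-WebRequest -Uri $Config.WebProbeUrl -UseBasicParsing -TimeoutSec 10).Content
    } catch { "error: $($_.Exception.Message)" }
    [pscustomobject]@{
        DnsAnswer = $dns -join ', '
        DnsMatch  = @($dns) -contains $Config.DnsProbeContent
        WebMatch  = "$web".Trim() -eq $Config.WebProbeContent
    }
}

$config = Get-NcsiProbeConfig
$config | Format-List
Test-NcsiProbe -Config $config | Format-List
# What NLA currently reports for each connected network.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity
```

The manual web probe runs as the logged-on user with that user's proxy settings, not in the context of the NlaSvc service, so a match here shows the probe target is reachable through the proxy but not that the service itself attempted it.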

LorenzoMarcantonio-0173 answered

I actually "solved" it without needing a trace. Quotation marks are needed because I simply removed and rejoined the domain.
Two very long restarts later it started working on both affected machines.
No idea of what happened… probably some domain things got stuck or whatever.
