Windows Firewall not recognizing Domain network on Windows 10

When you connect to a domain network or a corporate network, Windows Firewall switches to the domain profile. That profile applies to networks on which the host can authenticate against a domain controller; the other two profiles are private and public. It can happen, however, that after you log in to a domain the Windows Firewall profile does not switch to domain. This usually occurs when a third-party virtual private network (VPN) client is used to reach the domain network. In this article we suggest a workaround that makes Windows Firewall switch profiles in this situation.

Windows Firewall does not recognize the domain network

Your Windows Firewall profile may not always switch to domain when you use a third-party VPN client. The cause is a timing gap in some third-party VPN clients: the routes to the domain network are added only after a delay, and by then Network Location Awareness has already finished its domain detection attempt. VPNs also change the IP address every time you switch to a new server or establish a new connection. As a permanent solution, Microsoft recommends that VPN clients use callback APIs to add routes as soon as the VPN adapter appears in Windows. These are the three APIs a VPN client should use on Windows:

  • NotifyUnicastIpAddressChange: Notifies the caller of any change to a unicast IP address, including changes to its DAD (duplicate address detection) status.
  • NotifyIpInterfaceChange: Registers a callback for notifications of changes to all IP interfaces.
  • NotifyAddrChange: Notifies the caller of address changes.

Workaround to switch the firewall to a domain profile

If your VPN client does not offer such features and you cannot switch to another VPN, here is a workaround. You or your IT administrator can disable the negative cache so that the Network Location Awareness (NLA) service succeeds when it retries domain detection.

If one of the values described below does not exist yet, open Registry Editor, navigate to the subkey, right-click in the right-hand pane, select New, and then choose DWORD (32-bit) Value. Name it as shown and set the value data.

Add or modify a negative cache period

Disable the negative domain discovery cache by adding the NegativeCachePeriod registry value under the following subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters

  • Edit or create the following DWORD with the suggested value:
    • Name: NegativeCachePeriod
    • Type: REG_DWORD
    • Value data: 0

The default value for the negative cache period is 45 seconds. Setting it to zero disables the negative cache.

Add or modify the maximum negative cache TTL

If the problem is still not resolved, the next step is to disable the DNS negative cache. You do this by adding the MaxNegativeCacheTtl registry value.

  • Open the Registry Editor
  • Go to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

  • Edit or create the following DWORD with the suggested value:
    • Name: MaxNegativeCacheTtl
    • Type: REG_DWORD
    • Value data: 0

The default value for the maximum negative cache TTL is five seconds. Setting it to zero disables negative DNS caching.
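The two registry edits above, applied from an elevated PowerShell session so the previous values are recorded and can be put back; this is an added example, not a script from the original article. The registry paths and value names are the ones given above; the backup file location and the function names are assumptions made for this example.

```powershell
# Added example (not from the original article). Run as administrator on Windows 10.
# $BackupFile is an assumed location; the paths and value names are from the article.
$BackupFile = "$env:ProgramData\nla-negcache-backup.json"

$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters'; Name = 'NegativeCachePeriod' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'; Name = 'MaxNegativeCacheTtl' }
)

function Show-FirewallProfile {
    # NetworkCategory "DomainAuthenticated" is what the firewall maps to its domain profile;
    # "Public" or "Private" on the VPN adapter is the symptom described in the article.
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
}

function Set-NegativeCacheWorkaround {
    # Save each existing value (or $null if the value is absent and the default applies),
    # then set both values to 0 as the article recommends.
    $backup = @{}
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        $existing = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $backup["$($s.Path)\$($s.Name)"] = if ($existing) { $existing.($s.Name) } else { $null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    $backup | ConvertTo-Json | Set-Content -Path $BackupFile
    Write-Host "Both values set to 0; previous values saved to $BackupFile. Reboot so the services reread them."
}

function Restore-NegativeCacheDefaults {
    # Revert using the backup: a $null entry means the value did not exist before,
    # so removing it restores the built-in default (45 s and 5 s respectively).
    $backup = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($s in $Settings) {
        $key = "$($s.Path)\$($s.Name)"
        $old = $backup.$key
        if ($null -eq $old) { Remove-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue }
        else { Set-ItemProperty -Path $s.Path -Name $s.Name -Value $old }
    }
}

Show-FirewallProfile
Set-NegativeCacheWorkaround
```

Run Show-FirewallProfile again after the reboot and VPN reconnect; the VPN interface should now report DomainAuthenticated.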

I hope this workaround helped the Windows Firewall profile switch to the domain profile when using a third-party VPN client. Unless your VPN client already supports the callback APIs that notify Windows of route and address changes, these registry changes should help.
