How does Group Policy know when the network subsystem is ready?

I’m trying to troubleshoot some group policy startup processing issues on domain joined, remote computers that establish a Zscaler/VPN connection at startup and before logon. This causes a short delay in domain connectivity that is not typically present when the machine is physically on the network.

I’ve set a couple of GPOs:

  • Always wait for the network at computer startup and logon

  • Specify startup policy processing wait time = 60 seconds

This results in the following type of event log entries:

Group Policy waited for 17031 milliseconds for the network subsystem
at computer boot.

However, sometimes that number hits 60000 milliseconds which coincides with my GPOs. So, essentially, sometimes GPO detects the “network subsystem” is available, and other times it doesn’t. Yet, it always successfully downloads GPOs and applies them after this time.

To try to determine how Group Policy determines network availability, I targeted the netlogon service debug logs thinking that DC discovery and connectivity was coming into play. But, netlogon indicates successful session setup with a DC at times that do not coincide with the group policy event log entry. For instance, when GP waits 60 seconds, netlogon has already indicated successful connections to domain controllers well before that. Other times when GP waits less than 60 seconds, netlogon has still not completed a successful session to a DC.

How does Group Policy determine when the network subsystem is available?

Source: Server Fault

Well, I think we’ll have to guess a bit because this is not well documented…

First, let’s take a look at the GPSvc debug logs:

Enable Group Policy Service (GPSvc) logging

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics

DWORD value: GPSvcDebugLevel set to 30002 (Hexadecimal)

and search for Connectivity in the log file. This will give some insight into what’s happening.

In this log file, we can also see:
CoCreateInstance for INetworkListManager succeeded

So, I think it’s safe to assume that the Network List Manager is used to determine the status of the networks available on the computer. Most importantly, Network List Manager can send notifications to various system components about changes in network connectivity.

Network List Manager can also tell if we are connected to a Domain network.

That being said, I think you may find useful information in the NlaSvc logs too (Network Location Awareness, related to Network List Manager):

In the Event Viewer → View → Show analytic and debug logs. Then:

Applications and Service logs → Microsoft → Windows → NlaSvc → Diagnostic (right click to Enable this log) and see if you can find useful bits in there. You should be able to see if NLA was able to find a Domain (DsGetDcName).

How does Group Policy determine when the network subsystem is available?

My guess is that the Group Policy Service listens for notifications sent by Network List Manager when network connectivity changes (network cable plugged/unplugged, net adapter enabled/disabled, received an IP address, …). I think Network List Manager / NLA are the ones doing the job of determining whether the network provides domain connectivity.
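The troubleshooting steps from the answer, gathered into one PowerShell script. This is an added example, not code from the Server Fault post or from Microsoft: it sets the GPSvcDebugLevel value the answer gives, pulls the "Connectivity" and INetworkListManager lines from the GPSvc debug log, lists the "Group Policy waited for … milliseconds" events so the wait times can be correlated with the log, and shows the Network List Manager verdict (DomainAuthenticated or not) that the answer argues Group Policy relies on. Two things are assumptions and marked as such in the comments: the GPSvc log path ($env:windir\debug\usermode\gpsvc.log) and the event channel name (Microsoft-Windows-GroupPolicy/Operational); the events are matched on the message text quoted in the question rather than on an event ID.

```powershell
# Added example, not from the original post. Run elevated.
# Assumptions (not stated on the page):
#   - GPSvc writes its debug log to $env:windir\debug\usermode\gpsvc.log
#   - the "Group Policy waited for ... milliseconds" event is in the
#     Microsoft-Windows-GroupPolicy/Operational channel

$regPath = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics'

function Enable-GpsvcDebugLog {
    # Value name and data exactly as the answer gives them: GPSvcDebugLevel = 0x30002.
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    New-ItemProperty -Path $regPath -Name 'GPSvcDebugLevel' -PropertyType DWord `
        -Value 0x30002 -Force | Out-Null
    # A reboot is needed before the startup processing shows up in the log.
}

function Disable-GpsvcDebugLog {
    # The log is verbose; remove the value again once troubleshooting is done.
    Remove-ItemProperty -Path $regPath -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
}

function Get-GpsvcConnectivityLines {
    param(
        # Assumed default location of the GPSvc debug log.
        [string]$LogPath = (Join-Path $env:windir 'debug\usermode\gpsvc.log')
    )
    if (-not (Test-Path $LogPath)) {
        Write-Warning "No GPSvc log found at $LogPath (enable logging and reboot first)"
        return
    }
    # The answer suggests searching for "Connectivity"; the INetworkListManager
    # line is the other marker worth reading alongside it.
    Select-String -Path $LogPath -Pattern 'Connectivity|INetworkListManager' |
        ForEach-Object { $_.Line.Trim() }
}

function Get-GpNetworkWaitEvents {
    param([int]$MaxEvents = 20)
    # Match on the message text the question quotes instead of on an event ID,
    # then extract the wait time so 17031 ms vs 60000 ms boots are easy to spot.
    Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' `
                 -MaxEvents 2000 -ErrorAction Stop |
        Where-Object { $_.Message -like 'Group Policy waited for * milliseconds for the network subsystem*' } |
        Select-Object -First $MaxEvents -Property TimeCreated, Id,
            @{ n = 'WaitMs'; e = { [int]([regex]::Match($_.Message, '(\d+) milliseconds').Groups[1].Value) } }
}

function Get-DomainConnectivityStatus {
    # Network List Manager / NLA's current classification of each connected network.
    # NetworkCategory is Public, Private or DomainAuthenticated; only the last one
    # means NLA located a DC for the domain.
    Get-NetConnectionProfile |
        Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity, IPv6Connectivity
}

# Typical sequence:
#   Enable-GpsvcDebugLog
#   Restart-Computer
#   ... after the reboot ...
#   Get-GpNetworkWaitEvents | Format-Table -AutoSize
#   Get-GpsvcConnectivityLines | Select-Object -First 40
#   Get-DomainConnectivityStatus | Format-Table -AutoSize
#   Disable-GpsvcDebugLog
```

Comparing the timestamps of the GPSvc "Connectivity" lines against the WaitMs column, and against the moment the VPN adapter's profile flips to DomainAuthenticated, shows whether a 60000 ms wait is Group Policy timing out on the NLM notification rather than on DC reachability itself.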