

DC and Member Servers not connected to "Domain Network"

Question

Thursday, April 17, 2008 3:26 PM

Hello,

I've recently installed 4 Windows Server 2008 machines. Two of them are DCs and two of them are member servers in a failover cluster. I discovered by chance that 3 of them don't "detect" the Domain Network.

Everything seems to be working OK, but as these 3 servers aren't in the "Domain Network" some things don't work as expected. For example, the firewall rules applied are not those of the domain profile but those of the public profile.

As explained here: http://technet2.microsoft.com/windowsserver2008/en/library/43bea15e-5d4c-4b81-a7e4-b17c2fe53d471033.mspx?mfr=true

"Domain. The domain network location type is detected when the local computer is a member of an Active Directory domain, and the local computer can authenticate to a domain controller for that domain through one of its network connections. If those conditions are met then the domain network location type is automatically assigned. An administrator cannot manually assign this network location type."

How can we solve this problem?
Why aren't these servers (2 member servers and 1 domain controller, the first one in the domain) connected to the "Domain Network" as expected?

All these servers have been installed in the same manner, so the problem is not related to different configurations.

Any idea would be very appreciated.

Thanks.

All replies (16)

Wednesday, August 27, 2008 8:57 AM

Hi,

Windows uses the IP address network ID to determine which computers are within the domain network. If your servers have two cards from different subnets, it considers one of them as public; you can change the other to Private using Network and Sharing Center.


Thursday, August 28, 2008 1:05 PM | 1 vote

Hi, All

Finally, after about 4 hours of research, I think this is the solution:
To be able to change your second adapter status to the private network profile do the following:

  1. If this is needed for a stand-alone server, run the local security policy editor
  2. Select Network List Manager Policies
  3. At the right side you can select & double click: Unidentified Networks
  4. In the location type select Private, which means that all unidentified networks will be considered as private profile networks
  5. You can also allow the user to change the location profile

This will allow the system to keep the settings after reboot.

The same holds true if you use the Domain Policy.
Have fun


Hikmat Kanaan


Wednesday, September 17, 2008 5:07 PM | 2 votes

Manel,

Windows Server 2008 only supports one firewall profile at a time.  So if your computer has multiple NICs, each to a different network (domain, public, or private), then Windows automatically selects the profile that provides the most protection.

If a NIC is not connected to a LAN, or is not configured with a complete IP address configuration (including a default gateway address), then the network will not be identified at all, and will default to the "Public" profile.  Hikmat's solution does allow you to change the default (from public to private), but of course that incurs some risk.  A better solution is to ensure that all of the NICs are connected to live networks and properly configured so that they can be correctly identified.

I hope this helps!


Dave Bishop


Wednesday, September 17, 2008 10:20 PM

Hi,

You can use my proposed solution of configuring the local policy to consider all unidentified cards as private; then you would need to modify your firewall rules to allow more of the DC traffic through the Private profile.

Because Windows will use the most restrictive profile for firewall rules, you can either disable the firewall or modify the firewall private profile rules and enforce your server to consider the non-domain net card as a private one.

I hope this will help.


Hikmat Kanaan Amman-Jordan MCSE


Monday, January 12, 2009 4:59 PM

Has anybody had any luck resolving the root problem here? i.e. getting Server 2008 to identify the network connection as a "Domain Network"? I have had a similar problem with dual NICs on a 2008 Hyper-V box. On the host, there are two NICs on two different subnets (a LAN and an internal subnet for the rack). Both connections are identified as Domain Networks; however, on the guest OS (Server 2008, where both NICs are passed through) the internal rack subnet defaults to "Public Network" with a status of "Unidentified network".

I'd rather not take the "private network" route. Any ideas on how to troubleshoot it?

Thanks,
Kris


Tuesday, January 13, 2009 7:02 AM

Hi,

Windows 2008 & Vista can only apply one firewall profile per computer, and it is always the most secure one, so if you have an interface that is identified as public, the public firewall profile is going to be applied to all your interfaces. The new versions, Windows 2008 R2 and Windows 7, which are both in Beta status, will allow different profiles per network adapter.

Until they are released you can do one of three options:

1.    Use my previous solution to identify all networks as private and create the needed firewall rules for additional traffic

2.    Create new firewall rules in the public profile that would allow your needed traffic to pass through all network interfaces (this would weaken your security, but it's the only way to do it)

3.    Turn off the firewall.

Hikmat Kanaan Amman-Jordan MCSE


Tuesday, January 13, 2009 4:17 PM

Hi Hikmat,

Thanks for the reply! I guess I am confused why troubleshooting the underlying problem isn't an option? On one machine everything works great and both NICs are identified as "Domain Networks", and on another machine, one of the NICs shows up as "Unidentified Network". It seems to me that there is something that needs to be fixed.

The new features in 08 R2 and Win 7 sound interesting, but they too seem to be masking the actual problem... How do I get that one NIC to identify correctly? It has the same IP settings as the machine that is working fine...

Is there any documentation that describes the steps the OS uses when identifying the network? The closest one I can find is: "Domain. Windows Vista and Windows Server 2008 automatically identify networks on which Windows can authenticate access to the domain controller for the domain to which the computer is joined in this category." It is joined to the DC and it can see the DC on the subnet in question, so what gives?

Thanks,
Kris


Thursday, October 20, 2011 6:21 AM

Hello Kris,

I believe this is the information you are looking for.

http://blogs.technet.com/b/networking/archive/2009/02/20/why-is-my-network-detected-as-unknown-by-windows-vista-or-windows-server-2008.aspx

In your last post, you asked for some documentation on how the OS detects which profile to apply. Let me tell you that this is all taken care of by NLA (Network Location Awareness).

Whenever there's a network change (say it receives a new IP address or sees a new default gateway or gets a new interface), a service called Network Location Awareness (NLA) detects the change. It builds a network profile (which includes information about existing interfaces, whether the computer authenticated to a domain controller, the gateway's MAC address, and so on) and assigns it a GUID. NLA then notifies the firewall, and the firewall applies the corresponding policy (there's a policy defined for each of the three profiles).

This can give you better understanding.

http://technet.microsoft.com/en-us/library/cc753545(WS.10).aspx

Hope this helps :-)

Thanks,

Rahul 

Regards, Rahul Saxena | Technical Lead | Microsoft Platforms Team | Microsoft Enterprise Platforms Support |


Thursday, October 20, 2011 6:36 AM

Hello Manel,

Please try the following steps and it may help you to fix the issue.

1. Please check the NLA service and try restarting it to see if it makes any difference

(Whenever there's a network change (say it receives a new IP address or sees a new default gateway or gets a new interface), a service called Network Location Awareness (NLA) detects the change. It builds a network profile (which includes information about existing interfaces, whether the computer authenticated to a domain controller, the gateway's MAC address, and so on) and assigns it a GUID. NLA then notifies the firewall, and the firewall applies the corresponding policy (there's a policy defined for each of the three profiles).)

2. Can you also check the following services and try restarting them

    Link-Layer Topology Discovery Mapper I/O Driver
    Link-Layer Topology Discovery Responder

3. Make sure that the server is pointing to the correct DNS/DC. Try pointing this machine to some other DC and then see if it can detect the Domain profile
4. Check the 3rd party services running on the server (Anti Virus)
5. Please make sure that you don't have multiple NICs enabled at the same time (in case of Windows Vista and Windows Server 2008)
6. Make sure that we don't have NIC Teaming
7. Also, please update the NIC drivers
8. Check the ghost adapter entries in Device Manager and remove unnecessary GUID entries from the TCP registry (must take a backup first). Run the following in a command prompt before opening Device Manager so that non-present devices are shown:

    set devmgr_show_nonpresent_devices=1
    devmgmt.msc

9. Check the firewall profile status to find which profile is active:

    netsh advfirewall show allprofiles state

10. On a computer that is running Windows 7 or Windows Server 2008 R2, if a domain controller is detected on any network adapter, then the Domain network location type is assigned to that network adapter. On computers that are running Windows Vista or Windows Server 2008, the Domain network location type is applied only when a domain controller can be detected on the networks attached to every network adapter.

http://technet.microsoft.com/en-us/library/cc753545(WS.10).aspx

Hope this helps :-)

Thanks,

Rahul

Regards, Rahul Saxena | Technical Lead | Microsoft Platforms Team | Microsoft Enterprise Platforms Support |
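The checks in the reply above (NLA and LLTD service state, the active firewall profile, which adapter NLA left unidentified, and whether the host can actually reach a DC) can be gathered in one pass. The script below is an added example and is not code from the thread or from Microsoft; it assumes Windows Server 2012 / PowerShell 3.0 or newer for the Net* cmdlets (Get-NetConnectionProfile does not exist on Windows Server 2008; the nltest line works there too) and an elevated session on the affected server. The function name is my own.

```powershell
# Added example: collect the facts the troubleshooting steps ask about into one
# object, so "which profile is active, and why" can be answered from a single
# command. Assumes PowerShell 3.0+ (Net* cmdlets) and an elevated console.

function Get-DomainProfileDiagnostics {
    [CmdletBinding()]
    param(
        # Domain to locate a DC for; defaults to the machine's own domain.
        [string]$DomainName = $env:USERDNSDOMAIN
    )

    # 1. NLA (NlaSvc) and the Link-Layer Topology Discovery service.
    $services = Get-Service -Name NlaSvc, lltdsvc -ErrorAction SilentlyContinue |
        Select-Object Name, Status

    # 2. State of the three firewall profiles. All three are defined; the one
    #    in force follows the network category NLA assigned to the adapter(s).
    $firewallProfiles = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction

    # 3. Per-adapter category as NLA sees it: Public, Private or
    #    DomainAuthenticated. An unidentified network shows as Public with the
    #    name "Unidentified network".
    $connectionProfiles = Get-NetConnectionProfile |
        Select-Object Name, InterfaceAlias, NetworkCategory,
                      IPv4Connectivity, IPv6Connectivity

    # 4. Can this host find a DC and is its secure channel to the domain good?
    #    A broken secure channel is the situation the later replies fix by
    #    resetting the machine password. Test-ComputerSecureChannel may not be
    #    meaningful on a DC, so failures are recorded rather than thrown.
    $secureChannelOk = $false
    try { $secureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop } catch { }
    $dcLocator = (& nltest.exe /dsgetdc:$DomainName 2>&1) -join "`n"

    # 5. Default gateway and DNS per adapter: an adapter without a complete IP
    #    configuration (no gateway) is the classic cause of "unidentified".
    $ipConfig = Get-NetIPConfiguration |
        Select-Object InterfaceAlias,
            @{ n = 'IPv4Gateway'; e = { $_.IPv4DefaultGateway.NextHop } },
            @{ n = 'DnsServers';  e = { ($_.DNSServer.ServerAddresses) -join ',' } }

    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        Services           = $services
        FirewallProfiles   = $firewallProfiles
        ConnectionProfiles = $connectionProfiles
        SecureChannelOk    = $secureChannelOk
        DcLocator          = $dcLocator
        IpConfig           = $ipConfig
        # Adapters NLA did not classify as domain: these are what drags the
        # whole host onto the Public profile on Vista / 2008.
        NonDomainAdapters  = @($connectionProfiles |
            Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' } |
            Select-Object -ExpandProperty InterfaceAlias)
    }
}

# Usage: show the full picture, then only the adapters that need attention.
$diag = Get-DomainProfileDiagnostics
$diag | Format-List
$diag.NonDomainAdapters
```

Read NonDomainAdapters together with IpConfig first: an adapter with no gateway, or one whose DNS does not point at a DC, explains an "Unidentified network" without any need to touch services or policy. Only if every adapter is fully configured and DcLocator still succeeds is the NLA service or the secure channel the thing to look at.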


Monday, July 22, 2013 5:20 PM

I know this is a very long time later...

I got this too, but I just rejoined the Server 08 R2 and rebooted... boom! It got back to Domain Network instead of Work/Private network, as in my case... Thanks!


Monday, November 14, 2016 2:42 PM | 1 vote

Hello all,

If you are coming to this page in the year 2016, there is a much easier fix for this.

The problem is that your DC has fallen off of the domain for whatever reason or whatever an update did (still trying to determine which one).  So far, the commonality with the servers I have seen do this (across multiple different domains) is that they are virtual.  Not sure if that is the key, but of three I have dealt with, they have all been virtual.

So, because you cannot simply rejoin a domain controller to a domain, you need to reset its password with Active Directory.  Hopefully you are in a multiple DC environment, as that is what I have luckily run across.  Here are the steps.  You need to be on the console of your server to do this.

Run Powershell as Administrator

Type this command: 

Reset-ComputerMachinePassword -Server {name of other domain controller}

Then:

1. Disable the NIC that says Public or Private
2. Enable the NIC
3. It should now read Domain Network
4. Reboot

That is all.
Cory Chase

Friday, December 16, 2016 7:09 PM

Cory,

Thanks for your post, I am currently experiencing this now (Dec 16, 2016).  Impacted servers are all virtual so far, and also Server 2012 R2 (but I'm getting reports of Windows10 and 08 R2), and the issue surfaced post reboot after applying KB3205400, KB3205401, KB3205404 (KB3209498 and KB890830 were also applied but I don't think the cause).

Symptom is loss of RDP and some other apps.  Upon review of Windows Firewall the Domain Network and Private Network show as Not connected; only Guest or Public Networks is connected.  This forces the Public Network Firewall rules which are more restrictive and blocks functionality.  Turning off the Public Firewall restores functionality.

So your statement is that the Domain Controller has fallen off the network and those steps should be run on the DC?
I have rebooted the domain controllers without the change and they appear to be operating as normal, but the impact on the member server has not changed.

I am now looking to implement your change on the domain controller...


Monday, August 21, 2017 10:49 AM

I'm experiencing a similar problem with 2012R2.  After recent update, I have lost RDP connectivity, and the Firewall control panel shows Domain and Private networks "not connected".  But in my case this is a sole AD/DC, not a VM, and it still seems to work as a DC/DHCP/DNS server for the LAN, even though the LAN is listed as "Guest or Public" by the firewall.

There is only one NIC, a pair of bridged 1Gb ethernet links connected to the same LAN, configured correctly with IP, subnet and gateway, and pointing to itself for DNS. NIC drivers are up to date.  The problem has persisted through several reboots.

I understand I can manually set the LAN to be Private, which should bring my RDP access back - but I'd like to know why this server doesn't recognise the network as Domain, since that would be the logical position for a sole DC!  I've read the article linked above, which says :

"The domain network location type is detected when the local computer is a
 member of an Active Directory domain, and the local computer can 
authenticate to a domain controller for that domain through one of its 
network connections."

But what happens when the local computer is the sole DC - can it authenticate itself, and thus recognise its own network as a Domain type?

Grateful for any wisdom or ideas.

Thanks, Nik


Friday, September 22, 2017 11:54 AM

I've run into this twice now. Once a simple reboot fixed it; the second time it was corrected by disabling IPv6 on the adapter. It's unfortunate, but I've run into several issues throughout the years that have been caused by the default configuration of IPv6.


Wednesday, November 29, 2017 3:28 AM | 2 votes

I can confirm that disabling IPv6 fixed the problem for me too. No reboot was required but the command does disconnect the network adapter for a few seconds so keep that in mind if working remotely.

[C3N1]: PS C:\> Get-NetAdapter "vEthernet (Management)" | Get-NetConnectionProfile

Name             : Network
InterfaceAlias   : vEthernet (Management)
InterfaceIndex   : 11
NetworkCategory  : Public
IPv4Connectivity : LocalNetwork
IPv6Connectivity : NoTraffic

[C3N1]: PS C:\> Get-NetAdapter "vEthernet (Management)" | Disable-NetAdapterBinding -ComponentID ms_tcpip6
[C3N1]: PS C:\>
WARNING: The network connection to C3N1 has been interrupted. Attempting to reconnect for up to 4 minutes...
WARNING: Attempting to reconnect to C3N1 ...
WARNING: The network connection to C3N1 has been restored.
[C3N1]: PS C:\>
[C3N1]: PS C:\> Get-NetAdapter "vEthernet (Management)" | Get-NetConnectionProfile

Name             : pof.com.au  2
InterfaceAlias   : vEthernet (Management)
InterfaceIndex   : 11
NetworkCategory  : DomainAuthenticated
IPv4Connectivity : LocalNetwork
IPv6Connectivity : NoTraffic

I will note however that afterwards I re-enabled IPv6 on this adapter and it was still set to DomainAuthenticated. So perhaps it was just the toggling off/on that made the difference.
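The fixes reported from Cory's post onwards (reset the machine password against another DC, toggle the adapter, toggle the IPv6 binding off and back on) are all ways of making NLA re-evaluate the adapter, and the poster above notes that re-enabling IPv6 afterwards did not undo the fix. The script below is an added example, not code from the thread, that applies those steps in order from least to most intrusive and stops as soon as the adapter reports DomainAuthenticated. It assumes PowerShell 3.0+ on Windows Server 2012 or newer, an elevated console session (the adapter restart drops remote sessions briefly, as the transcript above shows), and uses a placeholder DC name; the function names are my own.

```powershell
# Added example: remediation ladder for an adapter NLA classified as Public,
# re-checking NetworkCategory after each step. Assumes PowerShell 3.0+ and an
# elevated console session. 'DC2-PLACEHOLDER' stands for another DC's name.

function Get-AdapterCategory([string]$Alias) {
    (Get-NetConnectionProfile -InterfaceAlias $Alias).NetworkCategory
}

function Repair-DomainNetworkProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        # Needed only when this host is itself a DC: the other DC to reset
        # the machine password against (Cory's Reset-ComputerMachinePassword -Server).
        [string]$OtherDc
    )

    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem).
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

    # Least intrusive first. Each value is a scriptblock run in this scope, so
    # it can see $InterfaceAlias, $isDc and $OtherDc.
    $steps = [ordered]@{
        'Restart NLA service'        = { Restart-Service -Name NlaSvc -Force }
        'Restart adapter'            = { Restart-NetAdapter -Name $InterfaceAlias }
        'Toggle IPv6 binding off/on' = {
            Disable-NetAdapterBinding -Name $InterfaceAlias -ComponentID ms_tcpip6
            Start-Sleep -Seconds 5
            Enable-NetAdapterBinding  -Name $InterfaceAlias -ComponentID ms_tcpip6
        }
        'Reset machine password'     = {
            if ($isDc) {
                if (-not $OtherDc) { throw 'On a DC, -OtherDc is required to reset the machine password.' }
                Reset-ComputerMachinePassword -Server $OtherDc
            } else {
                Reset-ComputerMachinePassword
            }
            Restart-NetAdapter -Name $InterfaceAlias   # make NLA look again
        }
    }

    foreach ($name in $steps.Keys) {
        $before = Get-AdapterCategory $InterfaceAlias
        if ($before -eq 'DomainAuthenticated') {
            return [pscustomobject]@{ Fixed = $true; Step = 'none needed'; Category = $before }
        }
        if ($PSCmdlet.ShouldProcess($InterfaceAlias, $name)) {
            & $steps[$name]
            Start-Sleep -Seconds 10            # give NLA time to re-evaluate
            $after = Get-AdapterCategory $InterfaceAlias
            Write-Verbose "$name : $before -> $after"
            if ($after -eq 'DomainAuthenticated') {
                return [pscustomobject]@{ Fixed = $true; Step = $name; Category = $after }
            }
        }
    }
    [pscustomobject]@{ Fixed = $false; Step = 'all tried'; Category = (Get-AdapterCategory $InterfaceAlias) }
}

# Usage: -WhatIf lists the steps without changing anything; drop it to apply them.
Repair-DomainNetworkProfile -InterfaceAlias 'vEthernet (Management)' `
    -OtherDc 'DC2-PLACEHOLDER' -Verbose -WhatIf
```

The IPv6 step re-enables the binding rather than leaving it off, because the observation above is that the toggle, not the absence of IPv6, is what changed NLA's answer; keeping IPv6 on also avoids the side effects a later poster ran into after disabling it. The returned object records which rung of the ladder fixed the host, which is worth keeping when several servers show the symptom after the same update.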


Friday, April 27, 2018 7:11 AM

Hi,

It is kinda funny that I fixed it by doing the opposite: I had IPv6 disabled, and since a monthly patch update my DC had this problem; when I enabled IPv6 it automatically joined the Domain network :/