DC and Member Servers not connected to "Domain Network"
-
Thursday, April 17, 2008 3:26 PM
Hello,
I've recently installed 4 Windows Server 2008 machines. Two of them are DCs and two of them are member servers with failover cluster. I've discovered casually that 3 of them don't "detect" the Domain Network.
All seems to be working OK, but as these 3 servers aren't in the "Domain Network", some things don't work as expected. For example, the firewall rules applied are not those of the domain profile but those of the public profile.
As explained here: http://technet2.microsoft.com/windowsserver2008/en/library/43bea15e-5d4c-4b81-a7e4-b17c2fe53d471033.mspx?mfr=true
"Domain. The domain network location type is detected when the local computer is a member of an Active Directory domain, and the local computer can authenticate to a domain controller for that domain through one of its network connections. If those conditions are met then the domain network location type is automatically assigned. An administrator cannot manually assign this network location type."
How can we solve this problem?
Why aren't these servers (2 member servers and 1 domain controller, the first one in the domain) connected to the "Domain Network" as expected?
All these servers have been installed in the same manner, so the problem is not related to different configurations.
Any idea would be very appreciated.
Thanks.
All Replies
-
Wednesday, August 27, 2008 8:57 AM
Hi,
Windows uses the IP address network ID to determine which computers are within the domain network. If your servers have two cards from different subnets, it considers one of them as public; you can change the other to Private using Network and Sharing Center.
- Edited by Hikmat Kanaan Wednesday, August 27, 2008 10:20 AM: More correct answer
-
Thursday, August 28, 2008 1:05 PM
Hi , All
Finally after about 4 hours of research , I think this is the solution:
To be able to change your second adapter's status to the private network profile, do the following:
1. If this is needed for a stand-alone server, run the Local Security Policy editor
2. Select Network List Manager Policies
3. At the right side you can select & double-click: Unidentified Networks
4. In the location type select Private, which means that all unidentified networks will be considered as private profile networks
5. You can also allow the user to change the location profile
This will allow the system to keep the settings after reboot.
The same holds true if you use the Domain Policy.
Have fun
Hikmat Kanaan
- Proposed As Answer by Hikmat Kanaan Wednesday, September 17, 2008 10:14 PM
-
Wednesday, September 17, 2008 5:07 PM
Manel,
Windows Server 2008 only supports one firewall profile at a time. So if your computer has multiple NICs, each to a different network (domain, public, or private), then Windows automatically selects the profile that provides the most protection.
If a NIC is not connected to a LAN, or is not configured with a complete IP address configuration (including a default gateway address), then the network will not be identified at all, and will default to the "Public" profile. Hikmat's solution does allow you to change the default (from public to private), but of course that incurs some risk. A better solution is to ensure that all of the NICs are connected to live networks and properly configured so that they can be correctly identified.
I hope this helps!
Dave Bishop
- Proposed As Answer by Dave Bishop (Microsoft Employee) Wednesday, September 17, 2008 5:07 PM
-
Wednesday, September 17, 2008 10:20 PM
Hi,
You can use my proposed solution of configuring the local policy to consider all unidentified cards as private; then you would need to modify your firewall rules to allow more of the DC traffic through the Private profile.
Because Windows will use the most restrictive profile for firewall rules, you can either disable the firewall or modify the firewall private profile rules and enforce your server to consider the non-domain network card as a private one.
I hope this will help.
Hikmat Kanaan, Amman-Jordan, MCSE
-
Monday, January 12, 2009 4:59 PM
Has anybody had any luck resolving the root problem here? i.e. getting Server 2008 to identify the network connection as a "Domain Network"? I have had a similar problem with dual NICs on a 2008 Hyper-V box. On the host, there are two NICs on two different subnets (a LAN and an internal subnet for the rack). Both connections are identified as Domain Networks; however, on the guest OS (Server 2008, where both NICs are passed through) the internal rack subnet defaults to "Public Network" with a status of "Unidentified network".
I'd rather not take the "private network" route. Any ideas on how to troubleshoot it?
Thanks,
Kris
-
Tuesday, January 13, 2009 7:02 AM
Hi,
Windows 2008 & Vista can only apply one firewall profile per computer, and it is always the most secure one, so if you have an interface that is identified as public, the public firewall profile is going to be applied to all your interfaces. The new versions, Windows 2008 R2 and Windows 7, which are both in Beta status, will allow different profiles per network adapter. Until they get released, you can do one of three options:
1. Use my previous solution to identify all networks as private and create the needed firewall rules for additional traffic
2. Create new firewall rules in the public profile that would allow your needed traffic to pass through all network interfaces (this would weaken your security, but it's the only way to do it)
3. Turn off the firewall.
Hikmat Kanaan, Amman-Jordan, MCSE
-
Tuesday, January 13, 2009 4:17 PM
Hi Hikmat,
Thanks for the reply! I guess I am confused why troubleshooting the underlying problem isn't an option? On one machine everything works great and both NICs are identified as "Domain Networks", and on another machine, one of the NICs shows up as "Unidentified Network". It seems to me that there is something that needs to be fixed.
The new features in 08 R2 and Win 7 sound interesting, but they too seem to be masking the actual problem... How do I get that one NIC to identify correctly? It has the same IP settings as the machine that is working fine...
Is there any documentation that describes the steps the OS uses when identifying the network? The closest one I can find is: "Domain. Windows Vista and Windows Server 2008 automatically identify networks on which Windows can authenticate access to the domain controller for the domain to which the computer is joined in this category." It is joined to the DC and it can see the DC on the subnet in question, so what gives?
Thanks,
Kris
-
Thursday, October 20, 2011 6:21 AM
Hello Kris,
I believe this is the information you are looking for.
In your last post, you asked for some documentation on how the OS detects which profile to apply. Let me tell you that this is all taken care of by NLA (Network Location Awareness).
Whenever there's a network change (say it receives a new IP address or sees a new default gateway or gets a new interface), a service called Network Location Awareness (NLA) detects the change. It builds a network profile, which includes information about existing interfaces, whether the computer authenticated to a domain controller, the gateway's MAC address, and so on, and assigns it a GUID. NLA then notifies the firewall and the firewall applies the corresponding policy (there's a policy defined for each of the three profiles).
This can give you a better understanding:
http://technet.microsoft.com/en-us/library/cc753545(WS.10).aspx
Hope this helps :-)
Thanks,
Rahul
Regards, Rahul Saxena | Technical Lead | Microsoft Platforms Team | Microsoft Enterprise Platforms Support
-
Thursday, October 20, 2011 6:36 AM
Hello Manel,
Please try the following steps; they may help you to fix the issue.
1. Please check the NLA service and try restarting it to see if it makes any difference.
(Whenever there's a network change (say it receives a new IP address or sees a new default gateway or gets a new interface), a service called Network Location Awareness (NLA) detects the change. It builds a network profile, which includes information about existing interfaces, whether the computer authenticated to a domain controller, the gateway's MAC address, and so on, and assigns it a GUID. NLA then notifies the firewall and the firewall applies the corresponding policy (there's a policy defined for each of the three profiles).)
2. Can you also check the following services and try restarting them:
# Link-Layer Topology Discovery Mapper I/O Driver
# Link-Layer Topology Discovery Responder
3. Make sure that the server is pointing to the correct DNS/DC. Try pointing this machine to some other DC and then see if it can detect the Domain Profile.
4. Check the 3rd-party services running on the server (Anti-Virus).
5. Please make sure that you don't have multiple NICs enabled at the same time (in the case of Windows Vista and Windows Server 2008).
6. Make sure that we don't have NIC teaming.
7. Also, please update the NIC drivers.
8. Check the ghost adapter entries in Device Manager and remove unnecessary GUID entries from the TCP registry (must take a backup first).
# set devmgr_show_nonpresent_devices=1
9. Check the firewall profile status to find which profile is active.
# netsh advfirewall show allprofiles state
10. On a computer that is running Windows 7 or Windows Server 2008 R2, if a domain controller is detected on any network adapter, then the Domain network location type is assigned to that network adapter. On computers that are running Windows Vista or Windows Server 2008, the Domain network location type is applied only when a domain controller can be detected on the networks attached to every network adapter.
http://technet.microsoft.com/en-us/library/cc753545(WS.10).aspx
Hope this helps :-)
Thanks,
Rahul
Regards, Rahul Saxena | Technical Lead | Microsoft Platforms Team | Microsoft Enterprise Platforms Support
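A read-only check that ties the thread together, added here as an example (it is not code from any of the posts above): it asks NLA directly how it has classified every connected network and then prints the firewall's own view of the active profile, so a single Public/"Unidentified" network that is dragging a Server 2008 host onto the Public rule set shows up at a glance. It assumes PowerShell 2.0 or later and the documented Network List Manager COM class (CLSID DCB00C01-570F-4A9B-8D69-199FDBA5723B) with the SDK's NLM_NETWORK_CATEGORY and NLM_DOMAIN_TYPE values; the variable and hashtable names are this example's own.

```powershell
# Added diagnostic, not from the thread. Read-only: reports how NLA has classified
# each connected network and which Windows Firewall profile is actually in force.
# Assumes PowerShell 2.0 or later and the Network List Manager COM class
# (CLSID DCB00C01-570F-4A9B-8D69-199FDBA5723B, as declared in netprofm.h).
$nlmClsid = [Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}'
$nlm = [Activator]::CreateInstance([Type]::GetTypeFromCLSID($nlmClsid))

# NLM_NETWORK_CATEGORY and NLM_DOMAIN_TYPE enumerations from the SDK.
$categoryName   = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'DomainAuthenticated' }
$domainTypeName = @{ 0 = 'NonDomainNetwork'; 1 = 'DomainNetwork'; 2 = 'DomainAuthenticated' }
$NLM_ENUM_NETWORK_CONNECTED = 1

$networks = @()
foreach ($net in $nlm.GetNetworks($NLM_ENUM_NETWORK_CONNECTED)) {
    $networks += New-Object PSObject -Property @{
        Name       = $net.GetName()
        Category   = $categoryName[[int]$net.GetCategory()]
        DomainType = $domainTypeName[[int]$net.GetDomainType()]
        NetworkId  = $net.GetNetworkId()   # the GUID NLA assigned to this profile
    }
}
$networks | Format-Table Name, Category, DomainType, NetworkId -AutoSize

# On Vista / Server 2008 the one active profile is the most restrictive among all
# connected networks, so a single Public (e.g. "Unidentified") network puts the
# whole host on the Public rule set. Flag that condition explicitly.
$public = @($networks | Where-Object { $_.Category -eq 'Public' })
if ($public.Count -gt 0) {
    $names = ($public | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Public network(s) present: $names. On Server 2008 this forces the Public firewall profile onto every interface."
}

# Cross-check against the firewall's own view (the check from step 9 above).
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles state
```

Run it in an elevated PowerShell session on the affected server: a NIC listed as Public with DomainType NonDomainNetwork is the interface to investigate (gateway, DNS, reachability of a DC on that subnet) before changing any policy.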