Setting NIC profile from Domain to Public

  • Question

  • Hi,

    Our freshly installed Server 2016 has 2 NICs: one connected to a private network, one directly connected to the internet. I've noticed the firewall is applying the domain profile to both NICs, exposing AD, SMB, CIFS, ... all to the public WAN. We all know what kind of security risk this is.

    I've tried this in PowerShell already: 

    Set-NetConnectionProfile -InterfaceIndex 13 -NetworkCategory Public

    This returns an error saying it can't be manually changed from DomainAuthenticated.

    I've tried demoting and removing the entire freshly installed AD on our freshly installed Windows Server 2016 as well, yet at step 1 (removing AD Certificate Services) it returns with error 0x80073701. As far as I could figure, this means corrupted system files (yes, on a completely freshly installed Windows Server. A round of applause for Windows Update).

    I've tried running sfc /scannow, which tells me that it found corrupted files and repaired them (over and over again). I've tried running dism /online /cleanup-image /restorehealth, which returns Error 14: Not enough storage available every time. Yet the system has 150 GB free and 16 GB RAM (of which only 25% is in use). None of these commands worked.

    I'm running out of options now. I've already configured a firewall rule that blocks all ports below 1024 with exceptions for other crucial applications, but this is obviously a terrible solution. Telling my customer once again that their entire server must be reinstalled completely (I'm not even gonna bring up what Dell has done) is not an option anymore (budget, time, ...). I've tried contacting Microsoft Server Support as well, where I get a foreigner with a strange accent, demanding money (the great MS recession of 2014 of course). Does anyone have any ideas?

    Thanks in advance


    Friday, July 6, 2018 1:43 PM
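The exposure the question describes (Domain-profile allow rules reachable from the internet-facing NIC) can be measured and contained from PowerShell while the profile itself cannot be changed. The following is an added example, not code from the original post; it assumes the internet-facing adapter is called "Ethernet 2" ($WanAlias) and the standard AD/SMB listener ports, and must be run in an elevated session on Windows Server 2016 or later.

```powershell
# Added example (not from the original post). $WanAlias is an assumption:
# replace it with the internet-facing adapter name shown by Get-NetAdapter.
$WanAlias = 'Ethernet 2'

# 1. Which profile is the firewall applying to each connected interface?
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, InterfaceIndex, Name, NetworkCategory |
    Format-Table -AutoSize

# 2. Enabled inbound allow rules that apply to the Domain profile, with their
#    protocol/port filters. While the WAN NIC is (wrongly) in the Domain profile,
#    these are the listeners reachable from the internet.
$domainAllow = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -match 'Domain|Any' }

$exposed = foreach ($rule in $domainAllow) {
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Profile   = [string]$rule.Profile
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
    }
}
$exposed | Sort-Object Protocol, LocalPort | Format-Table -AutoSize

# 3. Interim containment: block rules scoped to the WAN interface only.
#    In Windows Firewall an explicit Block rule takes precedence over Allow
#    rules, and -InterfaceAlias restricts the rule to that one NIC, so the
#    private-side NIC keeps its Domain-profile behaviour untouched.
#    Ports below are the well-known AD/SMB/NetBIOS listeners.
$adPorts = @(53, 88, 135, 137, 138, 139, 389, 445, 464, 636, 3268, 3269)
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "WAN block AD/SMB ($proto)" `
        -Direction Inbound -Action Block -Protocol $proto `
        -LocalPort $adPorts -InterfaceAlias $WanAlias -Profile Any | Out-Null
}

# 4. AD/DCOM also listens on the RPC dynamic range; block it on the WAN NIC too.
New-NetFirewallRule -DisplayName 'WAN block RPC dynamic (TCP)' `
    -Direction Inbound -Action Block -Protocol TCP `
    -LocalPort '49152-65535' -InterfaceAlias $WanAlias -Profile Any | Out-Null

# 5. Re-run step 2 after a while to confirm no new Domain-profile allow rules
#    appeared (role installs add their own rules).
```

The interface-scoped block rules work regardless of which profile NLA assigns, which is exactly why they are a usable stopgap here; they do not, however, fix the root cause the thread is about (NLA binding the WAN NIC to the Domain profile), so the audit in step 2 should be repeated whenever roles or updates are installed.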

All replies

  • Hi,

    Thanks for your question.

    Based on my experience, we need to allow users to change the domain PC's network location and its name via the GPO "Network List Manager Policies" as below. Then run gpupdate /force to apply it to domain PCs.


    Furthermore, we could try another PowerShell command after the above GPO.

    $Profile = Get-NetConnectionProfile -InterfaceAlias Ethernet_name
    $Profile.NetworkCategory = "Public"
    Set-NetConnectionProfile -InputObject $Profile

    https://docs.microsoft.com/en-us/powershell/module/netconnection/set-netconnectionprofile?view=win10-ps


    Besides, we could also change the network type via a Windows registry key.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\

    For more information about this topic, please refer to the following thread,

    https://www.itechtics.com/change-network-type-windows-10/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regarding how to resolve the error 0x80073701, please try the following blog to see if it could be fixed.

    https://blogs.technet.microsoft.com/asiasupp/2011/06/19/how-to-resolve-the-error-0x80073701error_sxs_assembly_missing-when-you-are-installing-a-service-pack-or-update/

    Hope above information can help you.

    Highly appreciate your effort and time. If you have any question and concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, July 9, 2018 8:06 AM
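The reply points at the NetworkList\Profiles registry store as a place to change the network type. Before touching it, it helps to see what is actually recorded there and whether it agrees with what NLA currently reports. The following read-only script is an added example, not part of the reply; it assumes the documented DWORD encoding of the Category value (0 = Public, 1 = Private, 2 = Domain) and should be run elevated.

```powershell
# Added example (not from the reply above). Read-only: lists the cached
# network profiles under NetworkList\Profiles and cross-checks them against
# the live classification from Get-NetConnectionProfile.

$ProfilesKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'

# Category DWORD stored per profile (assumed encoding: 0 Public, 1 Private, 2 Domain).
$CategoryNames = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

function Get-StoredNetworkProfile {
    Get-ChildItem -Path $ProfilesKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $category = if ($null -ne $p.Category) { $CategoryNames[[int]$p.Category] } else { 'unknown' }
        [pscustomobject]@{
            Guid        = $_.PSChildName
            ProfileName = $p.ProfileName
            Description = $p.Description
            Category    = $category
            Managed     = [bool]$p.Managed   # 1 marks a domain (managed) network
        }
    }
}

$stored = Get-StoredNetworkProfile
$stored | Format-Table -AutoSize

# Compare the stored category with what NLA reports right now. A mismatch means
# NLA re-evaluated the connection (for example after the adapter was disabled
# and re-enabled) and the registry value alone is not what the firewall uses.
foreach ($live in Get-NetConnectionProfile) {
    $entry   = $stored | Where-Object { $_.ProfileName -eq $live.Name } | Select-Object -First 1
    $liveCat = if ($live.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { [string]$live.NetworkCategory }
    $status  = if ($null -eq $entry) { 'no stored profile' }
               elseif ($entry.Category -ne $liveCat) { "MISMATCH stored=$($entry.Category)" }
               else { 'ok' }
    '{0,-20} {1,-10} {2}' -f $live.InterfaceAlias, $liveCat, $status
}
```

If the live category on the WAN NIC reads Domain while the stored entry says Public, the firewall is following NLA's live decision, not the cached value; that is the situation the later replies in this thread describe, and it is why editing the Category DWORD alone does not change what the firewall enforces.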
  • Hi,

    How are things going on? Was your issue resolved?

    Please feel free to let us know if you need further assistance.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, July 11, 2018 2:40 PM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Sunday, July 15, 2018 1:31 PM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, July 18, 2018 2:41 PM
  • Hello, we have a Windows Server 2019 VM for which we tried to do the same as above; run RRAS and AD on the same server.

    For testing, I created a fresh VM and it detected the NICs correctly: one with "Domain Profile" and the second as a public NIC with a "Network" profile. HOWEVER, during testing I found that if I disabled and re-enabled the NICs, NLA would cause the Public NIC to now detect as a Domain NIC; once done there was no going back.

    I tried the steps above and various other steps from people with the same problem around the internet; however, nothing seems to work. Basically it appears that there is no way to force a NIC profile from a Domain to a Public profile. My assumption here is that since the GPO options for a domain profile do NOT provide the options as indicated in your picture above to allow for changes, they thereby override the "All Networks" permissions. Hence the reason why PowerShell changes also fail with a permissions issue with Set-NetConnectionProfile.

    I also tried removing, RRAS, same.

    Then I removed DNS from the AD server, since a lot of the focus of NLA appears to be based on access to the AD DNS server; however, no change. Along the same lines, I removed NIC DNS suffix registration/etc., same.

    Full network reset, no change... in fact, after the restart it still listed both NICs with a Domain profile and NO IP info.

    At this point, only AD remained.

    By simply removing AD from the VM, the network cards immediately listed properly without any additional adjustment.

    Disable/enable, settings stuck.

    Follow-up testing, Public NIC allows for adjustment to “Private”, still no allowance on the domain NIC, which is properly detected as a domain profile, to be adjusted; back to my GPO comment above.

    Bottom line, I think that this is a very serious problem because Admins could be taken off guard if the configuration was initially considered a Public Network and changed without notice.  Moreover, as you can see from my testing above, I was able to install the server with AD and RRAS initially with the NICs properly listed in the public and domain profiles, however simply disabling and re-enabling them sends you into this spiral.

    Lastly, even after removing the VM from the domain, I could still not change the domain profile NIC settings.  I had to remove the DNS suffix for that NIC for it to consider it non-domain and thereby adjustable.

    BTW:  Those that want to force a Private NIC to Domain Profile, that's how you do it.  Simply put the DNS suffix in the NIC.  The catch is that the AD DNS server needs to be accessible, I tried it with just putting garbage in there and NLA was at least smart enough to know the difference.

    Saturday, January 4, 2020 9:57 PM
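The poster's finding is that the per-adapter DNS settings (connection-specific suffix and DNS registration) are what let NLA treat a NIC as domain-joined, and that clearing them on the internet-facing NIC was what finally made its profile adjustable. The script below is an added example, not the poster's code; it assumes the WAN adapter is named "Ethernet 2" ($WanAlias), reports the relevant settings side by side with the current profile, clears the suffix and registration on the WAN NIC only, and then retries the profile change with the error surfaced rather than hidden. Run it elevated.

```powershell
# Added example (not the poster's code). $WanAlias is an assumption: set it to
# the internet-facing adapter's name from Get-NetAdapter.
$WanAlias = 'Ethernet 2'

# 1. Per-adapter view: NLA category next to the DNS settings that influence it.
$report = foreach ($dns in Get-DnsClient) {
    $prof = Get-NetConnectionProfile -InterfaceIndex $dns.InterfaceIndex -ErrorAction SilentlyContinue
    [pscustomobject]@{
        InterfaceAlias   = $dns.InterfaceAlias
        Category         = if ($prof) { [string]$prof.NetworkCategory } else { 'n/a' }
        Suffix           = $dns.ConnectionSpecificSuffix
        RegisterAddress  = $dns.RegisterThisConnectionsAddress
        UseSuffixWhenReg = $dns.UseSuffixWhenRegistering
    }
}
$report | Format-Table -AutoSize

# 2. The WAN adapter should carry no AD DNS suffix and must not register its
#    (public) address in AD DNS. Only touch it if something is set.
$wan = Get-DnsClient -InterfaceAlias $WanAlias
if ($wan.ConnectionSpecificSuffix -or $wan.RegisterThisConnectionsAddress) {
    Set-DnsClient -InterfaceAlias $WanAlias `
        -ConnectionSpecificSuffix '' `
        -RegisterThisConnectionsAddress $false `
        -UseSuffixWhenRegistering $false
    "Cleared DNS suffix and registration on $WanAlias"
}

# 3. Retry the change the original question attempted, keeping the real error
#    text instead of guessing why it failed.
try {
    Set-NetConnectionProfile -InterfaceAlias $WanAlias -NetworkCategory Public -ErrorAction Stop
    "Profile on $WanAlias is now Public"
} catch {
    "Could not change profile on ${WanAlias}: $($_.Exception.Message)"
}

# 4. Show the result NLA settled on for the WAN adapter.
Get-NetConnectionProfile -InterfaceAlias $WanAlias |
    Select-Object InterfaceAlias, Name, NetworkCategory
```

Step 2 is deliberately limited to the WAN adapter: the private-side NIC needs its suffix and registration for the domain controller to function, and the poster's own observation is that the same DNS suffix is what makes a NIC count as domain. Re-run step 1 after any adapter disable/enable or network reset, since that is the event the poster saw flip the WAN NIC back to the Domain profile.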