Something (NLA Service?) Blocks Local Access to Server when Internet Firewall Goes Down

  • Question

  • Recently a customer with a Server 2008 R2 Standard server has had some issues with their Internet firewall router.  Each time the router has issues, the local users can no longer access shares on the server.  They are on the same subnet and the users and server are attached to the same switch (separate from the firewall router).  There are no VLANs and I'm 100% sure the server is plugged into the switch, not the router.  The users and the server are on the 192.168.1.0/24 subnet.  The server is the DC and also runs Hyper-V with one virtual server running.  The hardware is an HP DL380 G6 with two quad-core Xeon processors and 12GB RAM (3x2GB on each side).  Two of the four NICs are disabled.  The third is dedicated to Hyper-V, and the 4th is for the server.  There are 3 other servers, all Windows Server 2003 Standard Edition x86.  When the router has its issue, the 2008 R2 server (FS2 at 192.168.1.50) can no longer ping any other local device and no other local device can ping it.  FS2 can ping its own IP 192.168.1.50, but no other address (local or otherwise) that I've tried.  I assume this is because of the NLA service, but I am obviously not 100% sure.  I could use any suggestions.  I am at the site today and will be able to test in about an hour from now; about 4:15 or 4:30 EST, so any suggestions would be appreciated.  I intend to try turning off the NLA service to see if that helps.  I already have the firewall disabled for domain, home/work, and public networks.  If it is the NLA service, it would be nice to know what's going on.  I don't understand the need for the NLA service on a server, anyway.  It's not like we carry the server around to other networks like it's a laptop.  But, I digress.  Is there any harm in disabling the NLA service?  Any ideas what's going on?

    Thanks,
    Bob

    Thursday, December 30, 2010 8:35 PM

All replies

  • Hi Bob,

    Thanks for posting here.

    Based on your description, I understand that the topology is like what I drew below:

    Internet --------Router-------switch----------clients and servers

    The problem server is a Windows Server 2008 R2 domain controller which is multihomed and also has Hyper-V installed.

    If I am correct, then multihoming is the root cause of this issue; this is really not recommended and could cause the issue you described.

    We also do not recommend deploying a domain controller and Hyper-V on one physical host.

    Please post the route table and ipconfig /all result here for further investigation.

    Meanwhile, you may take a look at the articles below:

    Active Directory communication fails on multihomed domain controllers
    http://support.microsoft.com/kb/272294

    Default Gateway Configuration for Multihomed Computers
    http://support.microsoft.com/kb/157025

    Thanks.

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, December 31, 2010 6:31 AM
  • Hi Tiger, thanks for your response.  Your topology drawing is correct.  I don't believe that you would call this server multi-homed.  The second active adapter is for Hyper-V servers only.  If you believe this is the problem, I will disable that and let the virtual servers share the physical server's network interface.  Below is the route print output.  As you can see from the interface list, it only sees one of the HP adapters:

    H:\>route print
    ===========================================================================
    Interface List
     17...d8 d3 85 ad 11 da ......HP NC382i DP Multifunction Gigabit Server Adapter
    #4
     1...........................Software Loopback Interface 1
     15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     19...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination    Netmask     Gateway    Interface Metric
         0.0.0.0     0.0.0.0   192.168.1.1   192.168.1.50  276
        127.0.0.0    255.0.0.0     On-link     127.0.0.1  306
        127.0.0.1 255.255.255.255     On-link     127.0.0.1  306
     127.255.255.255 255.255.255.255     On-link     127.0.0.1  306
       192.168.1.0  255.255.255.0     On-link   192.168.1.50  276
       192.168.1.50 255.255.255.255     On-link   192.168.1.50  276
      192.168.1.255 255.255.255.255     On-link   192.168.1.50  276
        224.0.0.0    240.0.0.0     On-link     127.0.0.1  306
        224.0.0.0    240.0.0.0     On-link   192.168.1.50  276
     255.255.255.255 255.255.255.255     On-link     127.0.0.1  306
     255.255.255.255 255.255.255.255     On-link   192.168.1.50  276
    ===========================================================================
    Persistent Routes:
     Network Address     Netmask Gateway Address Metric
         0.0.0.0     0.0.0.0   192.168.1.1 Default
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination   Gateway
     1  306 ::1/128         On-link
     1  306 ff00::/8         On-link
    ===========================================================================
    Persistent Routes:
     None

    Also, here is the ipconfig /all output:

    H:\>ipconfig /all
    
    Windows IP Configuration
    
      Host Name . . . . . . . . . . . . : FS2
      Primary Dns Suffix . . . . . . . : DA.<removed>.COM
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : DA.<removed>.COM
    
    Ethernet adapter Local Area Connection - Physical#1 - FS2:
    
      Connection-specific DNS Suffix . : da.<removed>.com
      Description . . . . . . . . . . . : HP NC382i DP Multifunction Gigabit Server
     Adapter #4
      Physical Address. . . . . . . . . : D8-D3-85-AD-11-DA
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
      IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.1.1
      DNS Servers . . . . . . . . . . . : 192.168.1.50
      NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.da.<removed>.com:
    
      Media State . . . . . . . . . . . : Media disconnected
      Connection-specific DNS Suffix . : da.<removed>.com
      Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Local Area Connection* 9:
    
      Media State . . . . . . . . . . . : Media disconnected
      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
      Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
      DHCP Enabled. . . . . . . . . . . : No
      Autoconfiguration Enabled . . . . : Yes
    
    H:\>

    I'm sorry to hear that Hyper-V is not recommended on a DC.  I don't see where I have choice now, though.  The customer wants to get down to a single physical server.  I guess I didn't research far enough, as I thought it made perfect sense to run the DC and Hyper-V on the same machine...which is also the main file and print server.  The virtual server in use now is a Terminal Services server and we plan to add two more which will both be IIS servers.

    Please let me know if you need any more information.  This problem happened again this morning.  I couldn't get it to happen while I was there the other day, but it seems to be consistent when I'm not there.

    Thanks!
    Bob

    Monday, January 3, 2011 6:38 PM
  • You don't think it's because their internal domain name ends in .com instead of something like .local or .home, do you?  I inherited it like this.  I'm not sure why it was done this way.

    Thanks,
    Bob

    Monday, January 3, 2011 6:40 PM
  • Hi Bob,

    Yes, it is not recommended to enable other roles together with Hyper-V on a physical server:

    Hyper-V: Hyper-V should be the only enabled role
    http://technet.microsoft.com/en-us/library/ee941145(WS.10).aspx

    You could run the domain controller in Hyper-V, but not together with it on the same host.

    Running Domain Controllers in Hyper-V
    http://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx

    Based on your description “Two of the four NIC's are disabled.  The third is dedicated to Hyper-V, and the 4th is for the server.” I believed the domain controller and Hyper-V were running on one physical host which is multihomed; anyway, thanks for your clarification.

    Does this issue still persist after the networking modification?

    Please also remove the persistent default route: "0.0.0.0 0.0.0.0 192.168.1.1 Default".

    How do the client computers obtain their IP addresses? Does this issue still occur if you hard-code the network settings, like IP address and default gateway?

    Have you also checked the route table on the client computers?

    Thanks.

    Tiger Li


    Tuesday, January 4, 2011 11:15 AM
  • Hi Tiger,

    I did not add that persistent route.  This network is flat and this server has only one NIC enabled (at least it did until I added Hyper-V).  The only place I have set the gateway is on the server's NIC adapter configuration, so I guess Windows Server 2008 added that itself.  I just changed the Hyper-V config back to a shared network card with the host server, but it seems to me that it's messier than having a dedicated adapter for Hyper-V.  Now there's a new adapter showing on the host computer called Virtual Network (which is just what I named it - it's an External type in Hyper-V with "Allow management operating system to share this network adapter" checked).  And, there's now a second entry in the persistent routes table:

    H:\>route print
    ===========================================================================
    Interface List
     21...d8 d3 85 ad 11 da ......Microsoft Virtual Network Switch Adapter #2
      1...........................Software Loopback Interface 1
     15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     19...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50    261
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.1.0    255.255.255.0         On-link      192.168.1.50    261
         192.168.1.50  255.255.255.255         On-link      192.168.1.50    261
        192.168.1.255  255.255.255.255         On-link      192.168.1.50    261
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link      192.168.1.50    261
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link      192.168.1.50    261
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      192.168.1.1  Default
              0.0.0.0          0.0.0.0      192.168.1.1     256
    ===========================================================================

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      1    306 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

    H:\>


    As for your other questions: The router was the DHCP server until late last week.  Then I disabled that on the router and set it up (as yet another) role on FS2 server.  It didn't help, as they had the issue again yesterday. 

    I will set a client up for static IP/mask/gw and see if that helps.  Below is the ipconfig /all and route print from a client.  All look totally normal to me.

    H:\>ipconfig /all

    Windows IP Configuration

            Host Name . . . . . . . . . . . . : PC15
            Primary Dns Suffix  . . . . . . . : DA.<removed>.COM
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : DA.<removed>.COM
                                                DA.<removed>.COM
                                                <removed>.COM

    Ethernet adapter Local Area Connection:

            Connection-specific DNS Suffix  . : DA.<removed>.COM
            Description . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network C
    onnection
            Physical Address. . . . . . . . . : 00-1E-4F-E6-36-56
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.1.150
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.1
            DHCP Server . . . . . . . . . . . : 192.168.1.50
            DNS Servers . . . . . . . . . . . : 192.168.1.50
            Lease Obtained. . . . . . . . . . : Monday, January 03, 2011 5:22:41 PM
            Lease Expires . . . . . . . . . . : Tuesday, January 11, 2011 5:22:41 PM


    H:\>

    H:\>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 1e 4f e6 36 56 ...... Intel(R) 82566DM-2 Gigabit Network Connection -
    Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.150       20
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
          192.168.1.0    255.255.255.0    192.168.1.150   192.168.1.150       20
        192.168.1.150  255.255.255.255        127.0.0.1       127.0.0.1       20
        192.168.1.255  255.255.255.255    192.168.1.150   192.168.1.150       20
            224.0.0.0        240.0.0.0    192.168.1.150   192.168.1.150       20
      255.255.255.255  255.255.255.255    192.168.1.150   192.168.1.150       1
    Default Gateway:       192.168.1.1
    ===========================================================================
    Persistent Routes:
      None

    H:\>


    So, the only change I've made for now is to change the Hyper-V network interface to not use a dedicated interface, but instead to share it with the host computer (FS2).  And, I will change a client PC to use static IP/mask/GW and see if she is able to still access the server when the issue happens.  I will let you know once it does.  I don't expect the static IP change to make a difference, as the server FS2 can't ping other static hosts (physical server FS1) during an incident. 

    Thanks,
    Bob

    Tuesday, January 4, 2011 3:30 PM
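As an added example (not from this thread or from Microsoft), here is a read-only PowerShell 2.0 check for the two conditions Tiger raised and that Bob's second route print shows: more than one IP-enabled adapter carrying a default gateway (a multihomed host, KB157025) and more than one persisted 0.0.0.0 route. It assumes a Server 2008 R2 host and relies only on the Win32_NetworkAdapterConfiguration and Win32_IP4PersistedRouteTable WMI classes; it reports and changes nothing.

```powershell
# Added example: audit a Windows host for multihoming and duplicate persisted
# default routes. Assumes Server 2008 R2 / PowerShell 2.0 and the WMI classes
# Win32_NetworkAdapterConfiguration and Win32_IP4PersistedRouteTable.

# IP-enabled adapters; @() keeps a single result countable in PowerShell 2.0
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True")

# Adapters that carry at least one default gateway
$withGateway = @($adapters | Where-Object {
    $_.DefaultIPGateway -and $_.DefaultIPGateway.Count -gt 0 })

"IP-enabled adapters: {0}; with a default gateway: {1}" -f $adapters.Count, $withGateway.Count
foreach ($a in $withGateway) {
    "  [{0}] {1}  IP={2}  GW={3}" -f $a.Index, $a.Description,
        ($a.IPAddress -join ','), ($a.DefaultIPGateway -join ',')
}
if ($withGateway.Count -gt 1) {
    Write-Warning "More than one adapter has a default gateway: this host is multihomed (see KB157025)."
}

# Persisted (registry-stored) routes; these are the "Persistent Routes" lines of route print
$persisted = @(Get-WmiObject Win32_IP4PersistedRouteTable)
$defaults  = @($persisted | Where-Object { $_.Destination -eq '0.0.0.0' })

"Persisted routes: {0}; default (0.0.0.0) entries: {1}" -f $persisted.Count, $defaults.Count
foreach ($r in $defaults) {
    "  0.0.0.0 mask {0} via {1} metric {2}" -f $r.Mask, $r.NextHop, $r.Metric1
}
if ($defaults.Count -gt 1) {
    Write-Warning "Duplicate persisted default routes found; compare them against 'route print' before removing any."
}
```

Run it in an elevated PowerShell session on the server and on a client so the two outputs can be compared side by side.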