Setting Network Locations in Server Core 2008 R2


  • Hi All,

    Couple of questions please

    1. Does anyone know how to change the Network Locations of NICs in Server Core, e.g. Domain, Public, Private? I guess it's going to be a NETSH command but I can't find anything...

    2. The reason I ask is because I have 2 NICs on a Windows 2008 Server Core R2. NIC1 is internet facing and NIC2 is internal. I want to set up NIC1 to be "PUBLIC" and NIC2 to be "PRIVATE". Then I am hoping to lock down ports on NIC1 (PUBLIC) and open ports up on NIC2 (PRIVATE) so I can still manage the server internally. Do you think this is possible?




    Wednesday, February 29, 2012 1:18 PM

All replies

  • Hi,
    Please check:
    set {ProfileType}
    Configures options for the profile associated with the specified network location type.
    Netsh Commands for Windows Firewall with Advanced Security
    By the way, as far as I know, if you want to use two network adapters for different communication, you have to configure routes for them.

    Vincent Hu

    TechNet Community Support

    Monday, March 5, 2012 12:31 PM
  • Hi Vincent.  I don't think this answers what the OP is asking.  One can configure the options per profile type, but can you assign different profiles to different network adapters?  I think that is the question.

    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Monday, March 5, 2012 12:37 PM
  • Hi All,

    In the end I managed to remotely connect to the workgroup server (using matching local admin accounts) and use the Firewall MMC to configure the network profile on each NIC.




    • Proposed as answer by jason404 Monday, March 12, 2012 7:03 PM
    • Unproposed as answer by jason404 Wednesday, March 14, 2012 9:27 AM
    Monday, March 5, 2012 12:58 PM
  • Hi ECL.

    I have been monitoring the question, because when I first saw it, I scoured the web for an answer, and could not find one.

    My thinking is:  If you can do it with wf.msc, why not with netsh?

    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    Monday, March 5, 2012 2:04 PM
  • same here I googled for days :)
    Monday, March 5, 2012 2:09 PM
  • I have enabled remote management of the 2008 R2 Server Core host (Server Manager and MMC), and I have connected to the remote server with Server Manager, but I cannot see anywhere in the Firewall section where I can change the network profile from Public to Domain.

    I could modify the Public profile to act like Domain, but isn't there a more elegant way?

    Wednesday, March 14, 2012 9:30 AM
  • In the Public / Private or Domain profile tab, in the State section, click on Customise and you can assign the NICs to the different profiles.

    Wednesday, March 14, 2012 9:44 AM
  • Thanks for your reply, but are you sure that doesn't actually leave the firewall completely turned off for one interface? 

    What I was actually looking for was a way to keep one profile selected (Domain), as I have found that this remote server core DC sometimes switches to Public sometimes, which makes it impossible for it to work as a replica DC.

    netsh advfirewall show currentprofile

    Currently shows that the Domain profile is being used.

    If I deselect the WAN interface under Domain, both of them for Private, and deselect the VPN interface for Public, I suspect that the WAN interface will not actually have any firewall protection at all when the above netsh command shows that the Domain profile is active, or the VPN interface will have no firewall protection when the Public profile is active.

    I'll have to try the same thing out on a GUI version of Windows Server on a host with two interfaces to see if this is the case.

    Wednesday, March 14, 2012 5:02 PM
  • The core server I am using is in a workgroup and is using the public profile. As yours is in a domain it will use the domain. You can check to see which is really in use by enabling the firewall logging and checking the logs in c:\windows\system32\logfiles\firewall.

    Thursday, March 15, 2012 1:37 PM
  • I have the same problem.
    Can't Core change the network location?
    • Edited by i_the oNe ee,1,o1ve_ Thursday, April 5, 2012 9:02 AM
    • Proposed as answer by maxim__s Saturday, August 11, 2012 2:00 AM
    • Unproposed as answer by maxim__s Saturday, August 11, 2012 2:00 AM
    Thursday, April 5, 2012 9:00 AM
  • This attribute is not a property of the adapter or interface. Adapter or interface can be connected to different networks, this is obvious for Wi-Fi but is also true for wired Ethernet (just plug the cable to the hotel room socket to experience this).

    This attribute is a property of the "network signature", which is managed by the Network Location Awareness service. It identifies networks by things like the default gateway's MAC address and the DNS suffix provided by the DHCP server, creates a unique record for each such network and allows the user to set whether it is Public or Private. Then NLA pushes this setting down to the firewall.

    Now the solution:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

    Scan all subkeys here, and look at DefaultGatewayMac to find the proper one (Wi-Fi networks can have some other fields there, but I have some doubts about Wi-Fi on Server Core).

    In the proper subkey, find ProfileGuid.


    net stop nlasvc

    (this also stops netprofm)

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{profile guid}

    Category REG_DWORD 0 - public, 1 - private, edit this dword

    net start netprofm

    (this also starts nlasvc)

    To check the tweak was actually applied:

     netsh adv sh cur

    (should be Public before, Private after)

    There is also a PowerShell script for this - but PowerShell is not installed by default on Core, neither is its dependency of .NET 2.0

    • Edited by maxim__s Saturday, August 11, 2012 2:20 AM
    • Proposed as answer by jason404 Saturday, August 11, 2012 5:20 AM
    Saturday, August 11, 2012 2:08 AM
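
The registry procedure from the post above, written as one script. This is an added example, not part of the original thread and not posted by any of its participants. The parameter names `-GatewayMac` and `-Category` and the sample MAC are assumptions of this example, and it needs PowerShell 2.0 or later, which the thread notes is not installed on Server Core by default.

```powershell
# Added example: list the unmanaged network signatures with their current
# category, or change the category of the one matching a gateway MAC.
param(
    [string]$GatewayMac,     # hypothetical parameter, e.g. 00-11-22-33-44-55 (constructed value)
    [int]$Category = -1      # 0 = Public, 1 = Private; -1 (default) = report only
)

$base  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$names = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

# One row per signature under Signatures\Unmanaged, joined to its profile key.
$rows = Get-ChildItem "$base\Signatures\Unmanaged" | ForEach-Object {
    $sig = Get-ItemProperty $_.PSPath
    $profilePath = "$base\Profiles\$($sig.ProfileGuid)"
    # Skip signatures that have no ProfileGuid or point at a missing profile.
    if (-not $sig.ProfileGuid -or -not (Test-Path $profilePath)) { return }
    $prof = Get-ItemProperty $profilePath
    $mac = ''
    if ($sig.DefaultGatewayMac) {
        # DefaultGatewayMac is REG_BINARY; render it as AA-BB-CC-DD-EE-FF.
        $mac = ($sig.DefaultGatewayMac | ForEach-Object { '{0:X2}' -f $_ }) -join '-'
    }
    New-Object PSObject -Property @{
        ProfileName = $prof.ProfileName
        GatewayMac  = $mac
        Category    = $names[[int]$prof.Category]
        ProfilePath = $profilePath
    }
}

if ($Category -eq -1) {
    # Report only: nothing is stopped or written.
    $rows | Format-Table ProfileName, GatewayMac, Category -AutoSize
    return
}
if (0,1 -notcontains $Category) { throw 'Category must be 0 (Public) or 1 (Private).' }
if (-not $GatewayMac) { throw 'Specify -GatewayMac to select the network to change.' }
$target = @($rows | Where-Object { $_.GatewayMac -eq $GatewayMac })
if ($target.Count -ne 1) { throw "Expected one signature for $GatewayMac, found $($target.Count)." }

# Same order as the post: stop NLA (netprofm stops with it), edit, start netprofm.
Stop-Service nlasvc -Force
Set-ItemProperty -Path $target[0].ProfilePath -Name Category -Value $Category
Start-Service netprofm
netsh advfirewall show currentprofile
```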
  • Have you got the link for the PowerShell script?  The Amazon EC2 Windows Server 2008 R2 Server Core AMI I have been using does have PowerShell installed by default.


    Saturday, August 11, 2012 5:23 AM
  • Here is the Link:


    And that's the script:

    # Skip network location setting for pre-Vista operating systems
    if([environment]::OSVersion.version.Major -lt 6) { return }

    # Skip network location setting if local machine is joined to a domain.
    if(1,3,4,5 -contains (Get-WmiObject win32_computersystem).DomainRole) { return }

    # Get network connections
    $networkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))
    $connections = $networkListManager.GetNetworkConnections()

    # Set network location to Private for all networks
    $connections | % {$_.GetNetwork().SetCategory(1)}

    • Edited by sbrutsch Tuesday, January 1, 2013 1:59 PM
    • Proposed as answer by jason404 Tuesday, January 1, 2013 4:47 PM
    Tuesday, January 1, 2013 1:58 PM