Setting Network Locations in Server Core 2008 R2


  • Hi All,

    Couple of questions please

    1. Does anyone know how to change the Network Locations of NICs in Server Core, e.g. Domain, Public, Private? I guess it's going to be a NETSH command but I can't find anything...

    2. The reason I ask is because I have 2 NICs on a Windows 2008 Server Core R2. NIC1 is internet facing and NIC2 is internal. I want to set up NIC1 to be "PUBLIC" and NIC2 to be "PRIVATE". Then I am hoping to lock down ports on NIC1 (PUBLIC) and open ports up on NIC2 (PRIVATE) so I can still manage the server internally. Do you think this is possible?




    29 February 2012 13:18

All replies

  • Hi,
    Please check:
    set {ProfileType}
    Configures options for the profile associated with the specified network location type.
    Netsh Commands for Windows Firewall with Advanced Security
    By the way, as far as I know, if you want to use two network adapters for different communication, you have to configure a route for them.

    Vincent Hu

    TechNet Community Support

    5 March 2012 12:31
  • Hi Vincent.  I don't think this answers what the OP is asking.  One can configure the options per profile type, but can you assign different profiles to different network adapters?  I think that is the question.

    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    5 March 2012 12:37
  • Hi All,

    In the end I managed to remotely connect to the workgroup server (using matching local admin accounts) and use the Firewall MMC to configure the network profile on each NIC.




    • Proposed as answer by jason404 12 March 2012 19:03
    • Unproposed as answer by jason404 14 March 2012 09:27
    5 March 2012 12:58
  • Hi ECL.

    I have been monitoring the question, because when I first saw it, I scoured the web for an answer, and could not find one.

    My thinking is:  If you can do it with wf.msc, why not with netsh?

    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

    5 March 2012 14:04
  • Same here, I googled for days :)
    5 March 2012 14:09
  • I have enabled remote management of the 2008 R2 Server Core host (Server Manager and MMC), and I have connected to the remote server with Server Manager, but I cannot see anywhere in the Firewall section where I can change the network profile from Public to Domain.

    I could modify the Public profile to act like Domain, but isn't there a more elegant way?

    14 March 2012 09:30
  • In the Public / Private or Domain profile tab, in the state section, click on customise and you can assign the NICs to the different profiles.

    14 March 2012 09:44
  • Thanks for your reply, but are you sure that doesn't actually leave the firewall completely turned off for one interface? 

    What I was actually looking for was a way to keep one profile selected (Domain), as I have found that this remote server core DC sometimes switches to Public, which makes it impossible for it to work as a replica DC.

    netsh advfirewall show currentprofile

    Currently shows that the Domain profile is being used.

    If I deselect the WAN interface under Domain, both of them for Private, and deselect the VPN interface for Public, I suspect that the WAN interface will not actually have any firewall protection at all when the above netsh command shows that the Domain profile is active, or the VPN interface will have no firewall protection when the Public profile is active.

    I'll have to try the same thing out on a GUI version of Windows Server on a host with two interfaces to see if this is the case.

    14 March 2012 17:02
  • The core server I am using is in a workgroup and is using the public profile. As yours is in a domain it will use the domain. You can check to see which is really in use by enabling the firewall logging and checking the logs in c:\windows\system32\logfiles\firewall.

    15 March 2012 13:37
  • I have the same problem.
    Can't Core change the network location?
    5 April 2012 09:00
  • This attribute is not a property of the adapter or interface. Adapter or interface can be connected to different networks, this is obvious for Wi-Fi but is also true for wired Ethernet (just plug the cable to the hotel room socket to experience this).

    This attribute is a property of the "network signature", which is managed by the Network Location Awareness service. It identifies networks by things like the default gateway's MAC address and the DNS suffix provided by the DHCP server, creates a unique record for each such network and allows the user to set whether it is Public or Private. Then NLA pushes this setting down to the firewall.

    Now the solution:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged

    Scan all subkeys here, and look at DefaultGatewayMac to find the proper one (Wi-Fi networks can have some other fields there, but I have some doubts about Wi-Fi on Server Core).

    In the proper subkey, find ProfileGuid.


    net stop nlasvc

    (this also stops netprofm)

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{profile guid}

    Category REG_DWORD 0 - public, 1 - private, edit this dword

    net start netprofm

    (this also starts nlasvc)

    To check the tweak was actually applied:

     netsh adv sh cur

    (should be Public before, Private after)

    There is also a PowerShell script for this, but PowerShell is not installed by default on Core, and neither is its dependency, .NET 2.0.

    • Edited by maxim__s 11 August 2012 02:20
    • Proposed as answer by jason404 11 August 2012 05:20
    11 August 2012 02:08
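
The registry procedure from the reply above, as an added PowerShell example (not part of the thread and not any poster's script). The function names are hypothetical, the Set-NetworkCategory call is left commented out with a placeholder GUID, and the label for value 2 (Domain) is not from the post.

```powershell
# Added example, not from the thread. Function names are hypothetical.
$base  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$names = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }   # 2 is not listed in the post

# Read-only: one row per unmanaged network signature, joined to its profile.
function Get-NetworkSignature {
    Get-ChildItem "$base\Signatures\Unmanaged" | ForEach-Object {
        $sig      = Get-ItemProperty $_.PSPath
        $profPath = "$base\Profiles\$($sig.ProfileGuid)"
        if (-not (Test-Path $profPath)) { return }        # signature without a profile
        $prof = Get-ItemProperty $profPath
        # DefaultGatewayMac is binary; print it dash-separated like arp -a for comparison
        $mac = ''
        if ($sig.DefaultGatewayMac) {
            $mac = ($sig.DefaultGatewayMac | ForEach-Object { '{0:x2}' -f $_ }) -join '-'
        }
        New-Object PSObject -Property @{
            GatewayMac  = $mac
            ProfileName = $prof.ProfileName
            ProfileGuid = $sig.ProfileGuid
            Category    = $names[[int]$prof.Category]
        }
    }
}

# Applies the edit with the service stop/start order given in the post.
function Set-NetworkCategory([string]$ProfileGuid, [int]$Category) {
    if ($Category -ne 0 -and $Category -ne 1) { throw 'Category must be 0 (Public) or 1 (Private)' }
    $path = "$base\Profiles\$ProfileGuid"
    if (-not (Test-Path $path)) { throw "No profile key for $ProfileGuid" }
    Stop-Service nlasvc -Force          # -Force also stops the dependent netprofm
    try {
        Set-ItemProperty $path -Name Category -Value $Category -Type DWord
    } finally {
        Start-Service netprofm          # starts nlasvc as a dependency
    }
    netsh advfirewall show currentprofile   # confirm which profile is now active
}

Get-NetworkSignature | Format-Table GatewayMac, ProfileName, Category, ProfileGuid -AutoSize
# Set-NetworkCategory '{PLACEHOLDER-PROFILE-GUID}' 1    # placeholder, take the GUID from the table
```

Run it from an elevated prompt; the listing is read-only, and the services are restarted even if the registry write fails.
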
  • Have you got the link for the PowerShell script?  The Amazon EC2 Windows Server 2008 R2 Server Core AMI I have been using does have PowerShell installed by default.


    11 August 2012 05:23
  • Here is the Link:


    And that's the script:

    # Skip network location setting for pre-Vista operating systems
    if([environment]::OSVersion.version.Major -lt 6) { return }

    # Skip network location setting if local machine is joined to a domain.
    if(1,3,4,5 -contains (Get-WmiObject win32_computersystem).DomainRole) { return }

    # Get network connections
    $networkListManager = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]"{DCB00C01-570F-4A9B-8D69-199FDBA5723B}"))
    $connections = $networkListManager.GetNetworkConnections()

    # Set network location to Private for all networks
    $connections | % {$_.GetNetwork().SetCategory(1)}

    • Edited by sbrutsch 1 January 2013 13:59
    • Proposed as answer by jason404 1 January 2013 16:47
    1 January 2013 13:58
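
A narrower variant of the script above, as an added example that is not sbrutsch's script: it lists each connected network with its adapter and category, and changes only the network you name instead of setting every network to Private. The function names and the sample network name are hypothetical.

```powershell
# Added example, not from the thread. Function names and 'Network 2' are hypothetical.
$nlm   = [Activator]::CreateInstance([Type]::GetTypeFromCLSID([Guid]'{DCB00C01-570F-4A9B-8D69-199FDBA5723B}'))
$names = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

# Adapter GUID -> connection name, so each network can be tied to a NIC.
$adapters = @{}
Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.GUID } |
    ForEach-Object { $adapters[$_.GUID.ToUpper()] = $_.NetConnectionID }

# Read-only: adapter, network name and current category per connection.
function Get-ConnectionCategory {
    foreach ($conn in $nlm.GetNetworkConnections()) {
        $net = $conn.GetNetwork()
        # Normalise the adapter id to the {UPPERCASE} form WMI uses
        $id  = '{' + ([string]$conn.GetAdapterId()).Trim('{}').ToUpper() + '}'
        New-Object PSObject -Property @{
            Adapter  = $adapters[$id]
            Network  = $net.GetName()
            Category = $names[[int]$net.GetCategory()]
        }
    }
}

# Changes only the network with the given name; returns how many were changed.
function Set-NamedNetworkCategory([string]$NetworkName, [int]$Category) {
    if ($Category -ne 0 -and $Category -ne 1) { throw 'Category must be 0 (Public) or 1 (Private)' }
    $changed = 0
    foreach ($conn in $nlm.GetNetworkConnections()) {
        $net = $conn.GetNetwork()
        if ($net.GetName() -ne $NetworkName) { continue }
        if ($net.GetCategory() -eq 2) { continue }    # domain networks are left alone here
        $net.SetCategory($Category)
        $changed++
    }
    $changed
}

Get-ConnectionCategory | Format-Table Adapter, Network, Category -AutoSize
# Set-NamedNetworkCategory 'Network 2' 1    # hypothetical name, take it from the table
```

Listing first shows which adapter sits behind each network, so an internet-facing NIC can be kept on Public while only the internal network is moved to Private.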