Thursday, February 7, 2013

Windows Server – Force Your Network Connection to Where it Belongs

What to do when Windows marks your network connection as Public when it is actually on the private LAN, or marks it Private when it is on the public Internet.

Microsoft uses Network Location Awareness (NLA) to determine whether a network connection is on a public LAN, a private LAN, or a domain network. Often, it gets it wrong. The problem with a wrong placement is that the Windows Firewall profile, and therefore the set of firewall rules in force, is chosen from the connection’s location: a public-facing connection placed in Private or Domain gets the more relaxed rules.

In some circumstances the location can be corrected from within the "Network and Sharing Center". Often such changes do not survive a reboot or other network changes. You also cannot use this method to move a connection to a less secure location (e.g. from Public to Private, since Private usually has more relaxed firewall rules).

Below are steps you can take to help NLA properly recognize the connection's location. The instructions are based on Windows 2008 R2, but they will work on other versions with little modification.


UPDATE: January 2019 (Windows 2012, Windows 8 and beyond)

The other sections of this article may still be pertinent to some, but Windows now provides easier ways to fix this issue.

You can use the local security policy to update a specific network connection (Computer Configuration/Windows Settings/Security Settings/Network List Manager Policies). But the easiest way is to use the following PowerShell command.

  • Set-NetConnectionProfile -InterfaceAlias Ethernet2 -NetworkCategory Private
The above changes the connection named "Ethernet2" to use the "Private" policy. You can also set it to "Public". Be sure to replace "Ethernet2" with the name of the connection to be changed. Get the name from the Network Connections dialog or from the netsh command:
  • netsh interface ipv4 show interfaces
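An added example, not part of the original post, that goes a step beyond the single command above: it lists every connection profile with its IPv4 addresses and flags the case the post is really about, a connection holding a non-private address while NLA has it in Private or Domain (and so under the relaxed firewall profile). It assumes the NetConnection/NetTCPIP cmdlets of Windows 8/2012 and later; the RFC 1918 test is a simple pattern match written for this example.

```powershell
# Added example (not from the original post): audit every connection profile
# and flag interfaces whose NLA category does not match the kind of address
# they carry. Private (RFC 1918) addresses on a Public interface are harmless;
# a non-private address on a Private/Domain interface means the relaxed
# firewall profile is exposed to the Internet, and that is what gets flagged.
function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges plus link-local 169.254/16 (treated as "not public" here)
    return ($Address -match '^10\.' -or
            $Address -match '^192\.168\.' -or
            $Address -match '^172\.(1[6-9]|2[0-9]|3[01])\.' -or
            $Address -match '^169\.254\.')
}

function Get-NlaMismatch {
    foreach ($p in Get-NetConnectionProfile) {
        $addrs = Get-NetIPAddress -InterfaceIndex $p.InterfaceIndex -AddressFamily IPv4 `
                     -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty IPAddress
        $hasPublicAddr = @($addrs | Where-Object { -not (Test-PrivateIPv4 $_) }).Count -gt 0
        [pscustomobject]@{
            InterfaceAlias  = $p.InterfaceAlias
            NetworkCategory = $p.NetworkCategory   # Public, Private or DomainAuthenticated
            IPv4            = ($addrs -join ', ')
            Risky           = ($hasPublicAddr -and $p.NetworkCategory -ne 'Public')
        }
    }
}

# Show the audit, then correct any risky interface. Moving a connection to
# Public is the safe direction; moving the other way is where the post's
# warnings apply, so that is left to the admin. Drop -WhatIf once the
# output looks right.
$audit = Get-NlaMismatch
$audit | Format-Table -AutoSize
foreach ($row in $audit | Where-Object Risky) {
    Set-NetConnectionProfile -InterfaceAlias $row.InterfaceAlias -NetworkCategory Public -WhatIf
}
```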


"Unidentified" Network – Move From Public to Private or Domain

If NLA can't determine a connection's location, it names the network "Unidentified" and marks the location as Public. It chooses Public because that is the most secure choice, and you wouldn’t want anything less if the connection is actually on the DMZ.

There are two easy ways to fix this. One uses the Local Security Policy to change the default location of unidentified networks. The second method uses a change to the network connection properties to give NLA the information it needs to properly place the location.

Using Local Security Policy

This should only be used if the computer will never have any connections on the Public LAN. Otherwise, you run the risk of having a less secure firewall profile applied to your public connection.

  1. Open "Local Security Policy".

  2. Click on "Network List Manager Policies" in the left pane. (This selection is buried in older versions of Windows.)

  3. Double-click on "Unidentified Networks" in the right pane.

  4. For computers that only exist on the private network, it is OK to set "Location type" to "private".

Using Network Connection Properties

This is not about adding a gateway IP, as that doesn’t work properly on a multi-homed server. Instead we will be adding a DNS suffix so that NLA can locate the domain controller, which is how it knows to mark the location as “Domain network”.

  1. Go to Network Connections (from the Network and Sharing Center, click on "Change adapter settings".)

  2. Go to the properties of one network connection marked as "Unidentified" but on the private LAN.

  3. Go to the properties for IPv4.

  4. Click the "Advanced..." button.

  5. Select the DNS tab.

  6. Enter your domain name into the text box for "DNS suffix for this connection:".

  7. Disable and then enable the connection to get NLA to re-identify the location.

After enabling the connection, the Status should change to the domain name and Network Category to "Domain network". Depending on your setup, it is likely that you only need to "fix" one connection to get all the related connections to see the domain.
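The same seven steps as a PowerShell function, added here as an example and not part of the original post: it sets the connection-specific suffix, bounces the adapter, and then polls NLA rather than assuming the category changed. It assumes Set-DnsClient and Restart-NetAdapter (Windows 8/2012 and later); "Ethernet2" and "corp.example.com" are placeholders for your adapter name and AD domain.

```powershell
# Added example (not from the original post): set the connection-specific DNS
# suffix on the "Unidentified" adapter, re-enable it, and confirm that NLA now
# reports DomainAuthenticated. Adapter name and domain below are placeholders.
function Set-NlaDomainSuffix {
    param(
        [Parameter(Mandatory)][string]$InterfaceAlias,
        [Parameter(Mandatory)][string]$DomainSuffix,
        [int]$TimeoutSeconds = 60
    )
    $before = (Get-NetConnectionProfile -InterfaceAlias $InterfaceAlias).NetworkCategory
    Write-Host "Before: $InterfaceAlias is $before"

    # Steps 1-6 of the GUI procedure: "DNS suffix for this connection:"
    Set-DnsClient -InterfaceAlias $InterfaceAlias -ConnectionSpecificSuffix $DomainSuffix

    # Step 7: disable/enable so NLA re-identifies the network. Restart-NetAdapter
    # does both in one call; over RDP on this adapter expect a brief disconnect.
    Restart-NetAdapter -Name $InterfaceAlias -Confirm:$false

    # NLA needs a moment to reach a DC, so poll instead of checking once.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $after = (Get-NetConnectionProfile -InterfaceAlias $InterfaceAlias `
                      -ErrorAction SilentlyContinue).NetworkCategory
    } until ($after -eq 'DomainAuthenticated' -or (Get-Date) -gt $deadline)

    Write-Host "After:  $InterfaceAlias is $after"
    if ($after -ne 'DomainAuthenticated') {
        Write-Warning "Still $after. Check that a DC for $DomainSuffix is reachable and resolvable from this adapter."
    }
    return $after
}

Set-NlaDomainSuffix -InterfaceAlias 'Ethernet2' -DomainSuffix 'corp.example.com'
```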


Move From Private to Public

Usually, just setting the gateway IP on one of the public connections is enough to get NLA to set the location properly. If that doesn’t work, there are more drastic steps available. However, this is usually an indication of an improper and possibly insecure network setup, as NLA is seeing something that shouldn’t be there. For example, your domain controller should never be reachable from the public LAN.

There are two common ways to force NLA to mark a connection as public. One is to use a firewall rule to block NLA so that it has no choice but to use the default location. The other is to use the registry to disable NLA on the connection.

Using the Firewall

I haven’t tested this but the theory seems sound.

  1. Open "Windows Firewall with Advanced Security".

  2. Go to Outbound rules.

  3. Click on "New Rule…".

  4. Use these settings:
    Rule Type: Custom
    Program: Select "All programs" and then click on "Customize…". Select "Network Location Awareness" (short name is NlaSvc).
    Protocol and Ports: Protocol type = Any.
    Scope: Local IPs = Enter all your public IPs. Double-check for connections with multiple IPs.
    Action: Block
    Profile: All

  5. Once rule is enabled, disable and then enable the network connection to get NLA to re-identify the location.
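The outbound NlaSvc block rule from step 4 as a PowerShell command, added as an example that is not part of the original post. The local IPs are read from the adapters you name, which covers the "connections with multiple IPs" caveat in the Scope step; it assumes New-NetFirewallRule (Windows 8/2012 and later), and "Ethernet3" is a placeholder for your public-facing adapter.

```powershell
# Added example (not from the original post): create the outbound block rule
# for the NLA service scoped to the IPv4 addresses of the public adapters.
function New-NlaBlockRule {
    param([Parameter(Mandatory)][string[]]$PublicInterfaceAlias)
    # Collect every IPv4 address on the named adapters so none is missed.
    $publicIPs = foreach ($alias in $PublicInterfaceAlias) {
        Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 |
            Select-Object -ExpandProperty IPAddress
    }
    if (-not $publicIPs) { throw "No IPv4 addresses found on $($PublicInterfaceAlias -join ', ')" }
    Write-Host "Blocking NLA on: $($publicIPs -join ', ')"
    # Rule Type Custom, Program = service NlaSvc, Protocol Any, Action Block, Profile All
    New-NetFirewallRule -DisplayName 'Block NLA on public interfaces' `
        -Direction Outbound -Action Block -Profile Any -Protocol Any `
        -Service NlaSvc -LocalAddress $publicIPs
}

New-NlaBlockRule -PublicInterfaceAlias 'Ethernet3'
# Step 5: bounce the adapter so NLA re-evaluates the location.
Restart-NetAdapter -Name 'Ethernet3' -Confirm:$false
```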

Using the Registry

I have not had this work for me but my circumstance may be different from yours. Finding the correct connection number is a bit hit or miss as there are a lot more entries than you would expect.

  1. Run regedit

  2. Go to HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

  3. Underneath you should see several keys labeled 0000, 0001, 0002 etc… Look through these and find the adapters where you want to disable NLA.

  4. For each of the adapters, add a new DWORD value named "*NdisDeviceType" and set it to 1 (make sure you get the * at the beginning of the name).
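An added example, not part of the original post, that removes the "hit or miss" part of step 3: each numbered subkey under that class key carries a NetCfgInstanceId value, which is the adapter's interface GUID, so the right key can be matched to an adapter name instead of guessed. It assumes Get-NetAdapter (Windows 8/2012 and later) and an elevated prompt; "Ethernet3" is a placeholder.

```powershell
# Added example (not from the original post): locate the 000N subkey for an
# adapter by matching NetCfgInstanceId to the adapter's InterfaceGuid, then
# add the *NdisDeviceType DWORD there (step 4). Run from an elevated prompt.
function Set-NdisDeviceType {
    param([Parameter(Mandatory)][string]$InterfaceAlias, [int]$Value = 1)
    $classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
    $guid = (Get-NetAdapter -Name $InterfaceAlias).InterfaceGuid
    # Some subkeys (e.g. Properties) are not readable even when elevated; skip them.
    $match = Get-ChildItem $classKey -ErrorAction SilentlyContinue | Where-Object {
        (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).NetCfgInstanceId -eq $guid
    }
    if (-not $match) { throw "No registry key found for adapter $InterfaceAlias ($guid)" }
    Write-Host "Adapter $InterfaceAlias -> $($match.PSChildName)"
    # The value name really does start with an asterisk. -Force overwrites an
    # existing value instead of failing.
    New-ItemProperty -Path $match.PSPath -Name '*NdisDeviceType' -PropertyType DWord `
        -Value $Value -Force | Out-Null
    # Bounce the adapter so the driver re-reads the value; a reboot may still be needed.
    Restart-NetAdapter -Name $InterfaceAlias -Confirm:$false
    return $match.PSChildName
}

Set-NdisDeviceType -InterfaceAlias 'Ethernet3'
```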


Getting Drastic

The location profiles are housed in the registry, and it seems harmless to delete them and let Windows rebuild them. You will definitely want to back up the registry first, and you will likely need to be connected to the server via KVM rather than remotely (RDP). I will not take any responsibility if you choose this step, as I am primarily putting this here for reference.

The location of the profiles is:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles


38 comments:

Anonymous said...

In my specific scenario, your firewall rule has worked.

Thank you,
Andrea.

Anonymous said...

Thank you, the first option worked flawlessly.

Unknown said...

I'm having trouble forcing my adapter to "Domain", and under the Group Policy Editor the closest I can find is "Private", but that isn't the same as domain. I've removed, re-added, done everything I can find in the registry. I can get it to go to Unauthorized, or detect and create a whole slew of new connections... but I can't Force it to be "Domain".

Evan Barr said...

@Sheldon: Are you logged into the domain on the server you are trying to fix?

Unknown said...

@Evan: Yeah, Actually I'm trying to fix one Windows 7 workstation. It's the only computer with a problem out of the hundred or so on our domain. I've removed it, re-added it. For just some reason NLA fails or doesn't like the response it gets from LDAP or something.

The symptom was noticed when it was reported that the system failed to be administered remotely by WMI, -- the firewall rules were open for that in the domain zone but not public or private... That was when it was noticed that "Local Area Connection" was showing "Network 2" rather than "domain.com"... Every registry tweak I have tried has either created more networks, unidentified networks, or "domain.com (Unauthenticated)" networks, which are all public by default or prompt you to choose home, work, or park-bench... I can Force it to just always make any connection "private" instead of public but that doesn't really get me where I need to be.

And the computer talks to the domain just fine, domain user accounts authenticate and have the right privileges and can get to domain shares and all that.

For something that seems like it should be simple... "Allow it through and put it there anyway"...it seems to be unreachable.

Evan Barr said...

@sheldon: In Local Security Policy..NLM Policies, domain is not a choice since, here, domain is just a type of private network. If you have more than one nic, disable all but one for now. Check the IP that is set for the gateway.

Another tack to take is to consider the issue with the computer authenticating on the domain. The computer account may be out of sync with AD. For this, leave the domain again and then delete the computer account from AD. Then rejoin. Make sure the time on the PC is correct first, since that is a requirement for authentication.

Anonymous said...

If anyone makes it this far down the page: I had this issue where my network was classified as work but would take the home/private network profile. This forced the firewall to apply changes I didn't want (specifically it blocked file and printer sharing).

I fixed it by looking at network properties, specifically the DNS servers I had assigned. Instead of getting them from DHCP, I had manually assigned public DNS servers from Google. When I switched them to be assigned by DNS, my network profile went back to domain and all is good now.

Hope this helps someone else out.

polishpaul said...

The DNS Suffix workaround no longer works. I recently had a machine ignore a bunch of firewall rules after a reboot after patches. :(

Anonymous said...

Here the same, on various 2008 R2 servers in the last few days, we had this issue indeed. Domain changing to unknown. I can change it to Private, but not to domain. AAAAAH many application became unavailable. Microsoft fix this!!! Or let us force a NIC to Domain!

Unknown said...

Same issue with both 2012 and 2008 servers.

Anonymous said...

Strange. The DNS Suffix workaround works flawlessly for me.
In my case the Windows server 2012 R2 VM, that initially got the Public Network profile, does not belong to the domain.
Adding the DNS suffix was exactly the correct solution. It is now recognized as a Private Network.

David Auth said...

Duh, this did the trick today, after some windows updates apparently broke it on a couple of my servers?? Anyway, I also found this - http://myitforum.com/cs2/blogs/brandonlinton/archive/2010/07/03/configure-dns-suffix-for-this-connection-script.aspx. Not sure if it requires admin privileges (seems likely), but it worked for me. Thanks, Evan!

Anonymous said...

The DNS suffix trick worked for me.....on Win 7 Pro SP1 domain member.

Anonymous said...

Thanks the DNS suffix did the trick!! Archie

Weekend Yachtsman said...

Lifesaver!

Thank you.

Unknown said...

Thank you, the 2nd option worked perfectly for me

minneapplemick said...

Use PowerShell...

PS C:\WINDOWS\system32> Get-NetConnectionProfile


Name : FrostyMustDie
InterfaceAlias : Wi-Fi
InterfaceIndex : 7
NetworkCategory : Public
IPv4Connectivity : Internet
IPv6Connectivity : NoTraffic


PS C:\WINDOWS\system32> Set-NetConnectionProfile -name "FrostyMustDie" -NetworkCategory private
PS C:\WINDOWS\system32> Get-NetConnectionProfile


Name : FrostyMustDie
InterfaceAlias : Wi-Fi
InterfaceIndex : 7
NetworkCategory : Private
IPv4Connectivity : Internet
IPv6Connectivity : NoTraffic

Anonymous said...

I had this issue, and I don't know why, but the machine was failing to resolve the IP address for the DC (let's say dc.mydomain.org). I could query the DNS servers from any other machine asking for the A record for dc.mydomain.org and it would resolve, but on the trouble machine it would fail. So, I got around this by adding an entry to the HOSTS file to get this IP resolved without having to go through DNS.

Anonymous said...

dns suffix worked

Anonymous said...

Ran into a similar issue. I have a Hyper-V host with five NICs: one to RDP into the host, the other four are for WAN and LAN functionality. The issue I had is when I configured the switch manager to use a NIC I had the cable plugged into the wrong switch, for instance I was using a LAN-configured NIC on a WAN switch, so naturally I got the unidentified/no internet message. What I had to do was go into the details of each NIC and find the adapter name and match that to the correct virtual adapter. It should be noted that the NICs were named nic1, nic2 ... within the network sharing in CP. It's when you go into the details of the NIC that you find the actual name of the NIC. Just an FYI.

Unknown said...

I am using a server as a virtual machine, just for course work, i.e. 1 server, 2 clients in a virtual environment on a home PC. Is there a way I can get the server to communicate on the host LAN and also internally with the client PCs? The clients only have internal communication. Would appreciate any help. I am trying out 2 VM software packages at the moment, Oracle VirtualBox and Hyper-V Manager.

Evan Barr said...

@Unknown: For Hyper-V, you need to go to Virtual Switch Manager and create a new virtual switch. If you give it a connection type of "External network", then your whole network can be given access to any VM connected to said switch. Next, select your VM and go to settings. Change the Network Adapter to use the newly created switch.

clay77 said...

So, after using the Network Connection Properties method, the adapter shows up mydomain.com 2 (Unauthenticated). I'm guessing this is because that subnet doesn't have access to the AD subnet, whereas the subnet of the other NIC does. Sound correct?

clay77 said...

For those that have the same issue - I enabled AD/DNS access to the second subnet, disabled the 1st ("domain") NIC, rejoined the domain using the 2nd ("Unauthenticated") NIC and then reverted the NIC settings. Painful but it did the trick.

Evan Barr said...

@clay77: Thank you for your addition. I would add that it is best to have a DC on each subnet *before* adding other connections as you have discovered.

Unknown said...

Hi Evan, replying to your answer from 3/8/16.
That is exactly my problem as well QUOTE" For Hyper-V, you need to go to Virtual Switch Manager and create a new virtual switch. If you give it a connection type of "External network", then your whole network can be given access to any VM connected to said switch. Next, select your VM and go to settings. Change the Network Adapter to use the newly created switch."UNQUOTE

I can select external, click on my LAN adapter, but it won't accept it. I try to apply it and get the following message: "Error applying Virtual Switch Properties changes
Failed while adding virtual Ethernet switch connections
Ethernet port
´{1CBCEC8E-3035-4EEA-8695-E5F3FEB0B72C}` bind failed: General access denied error {0x80070005}

Also is there any way i can get Hyper V to recognise my USB Sticks?

Evan Barr said...

@Howard: I have not come across that issue and don't have a ready answer for you. If I write any articles on Hyper-V, I will consider these topics.

Unknown said...

@Evan Barr, ok many thanks

Anonymous said...

A simple PowerShell Command can also "flip the switch" for you:

PS C:\Users\Administrator> Set-NetConnectionProfile -InterfaceIndex 12 -NetworkCategory Private

Anonymous said...

Thank you, we tried all options. But the issue was that the Kerberos ticket was corrupted.

Unknown said...

Thanks!

Anonymous said...

Good article! We are linking to this great article on our website.

Keep up the great writing.

Anonymous said...

I have a Server 2012 domain controller with two NICs. One NIC is supposed to be public and the other is domain (Private). I can't get the public NIC to set to the Public profile, even if I don't assign any IP. I have tried the firewall rule but it did not work for me.

Evan Barr said...

@Rynhart: Make sure the nics are on two different networks with no interconnections (other than a router optionally). Your domain controllers should only be on the private network and on the same subnet. Next, either have the gateway IP only on the public nic, or if you have a router on the private network, you can specify gateways on both nics but make sure you use a large metric on the private nic. The public nic must have a public IP and a gateway IP. It is OK to use DHCP to make all the assignments.

Make sure the public nic does not have any DNS suffixes. Also, try turning off IPV6. Unless you have a public IPV6 address, it is OK to leave that off.

San Diego Guy said...

Perfect! Your page has clear instructions that solved the problem. Thank you!

Tom H said...

I appreciate the first option for assigning a connection-specific DNS suffix. On recent OS versions you can use the PowerShell Restart-NetAdapter command to get it to disable and enable (works even when using RDP, just a short disconnect).

Anonymous said...

Thank you!!! Adding a "DNS suffix for this connection" under network connection properties worked like a charm. Now I don't have to keep leaving and re-joining the domain just to get back into the Domain network profile!
