Windows server thinks it's on a public network.


Thanks Evan!

Windows Server – Force Your Network Connection to Where it Belongs

Microsoft uses Network Location Awareness (NLA) to determine if a network connection is on a public LAN, private LAN, or domain network. Often, it gets it wrong. The issue with wrong placement is that the firewall rules that get used are based on the connection’s location.

There are circumstances where the location can be corrected from within the “Network and Sharing Center”. Often such changes do not survive a reboot or other network changes. You cannot use this method to move a connection to a less secure location (e.g. move Public to Private as Private usually has more relaxed firewall rules).

Below are steps you can take to help NLA properly recognize the connection's location. The instructions are based on Windows 2008 R2 but they will work on other versions with little modification.

“Unidentified” Network – Move From Public to Private or Domain

If NLA can't determine a connection's location, it names it "Unidentified" and marks the location as Public. It chooses Public because that is the most secure option, and you wouldn't want anything less if the connection is on the DMZ.

There are two easy ways to fix this. One uses the Local Security Policy to change the default location of unidentified networks. The second method uses a change to the network connection properties to give NLA the information it needs to properly place the location.

Using Local Security Policy

This should only be used if the computer will never have any connections on the Public LAN. Otherwise, you run the risk of having a less secure firewall profile applied to your public connection.

  1. Open “Local Security Policy”.
  2. Click on “Network List Manager Policies” in the left pane. (This selection is buried in older versions of Windows.)
  3. Double-click on “Unidentified Networks” in the right pane.
  4. For computers that only exist on the private network, it is OK to set “Location type” to “private”.

Using Network Connection Properties

This is not about adding a gateway IP as that doesn’t work properly on a multi-homed server. Instead we will be adding a DNS suffix so that NLA can properly locate the domain controller which is how it knows to mark the location as “Domain network”.

  1. Go to Network Connections (from the Network and Sharing Center, click on “Change adapter settings”.)
  2. Go to the properties of one network connection marked as “Unidentified” but on the private LAN.
  3. Go to the properties for IPv4.
  4. Click the “Advanced…” button.
  5. Select the DNS tab.
  6. Enter your domain name into the text box for “DNS suffix for this connection:”.
  7. Disable and then enable the connection to get NLA to re-identify the location.

After enabling the connection, the Status should change to the domain name and Network Category to “Domain network”. Depending on your setup, it is likely that you only need to “fix” one connection to get all the related connections to see the domain.
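The same DNS-suffix procedure scripted in PowerShell, as an added example that is not part of the original article. It assumes the NetAdapter, DnsClient and NetConnection modules (Windows Server 2012 or later; on 2008 R2 use the GUI steps above), and the adapter name and suffix are placeholder values.

```powershell
# Added example: set a connection-specific DNS suffix on the "Unidentified"
# private-LAN adapter, bounce the adapter, and check what NLA decided.
$adapter = 'Ethernet 2'          # assumed: the adapter on the private LAN
$suffix  = 'corp.example.com'    # assumed: your AD DNS domain name

# Step 6: "DNS suffix for this connection"
Set-DnsClient -InterfaceAlias $adapter -ConnectionSpecificSuffix $suffix

# Step 7: disable and enable the connection so NLA re-identifies the location
Disable-NetAdapter -Name $adapter -Confirm:$false
Enable-NetAdapter  -Name $adapter

# NLA needs a few seconds; poll until the profile is no longer "Unidentified"
$ncp = $null
for ($i = 0; $i -lt 10; $i++) {
    Start-Sleep -Seconds 3
    $ncp = Get-NetConnectionProfile -InterfaceAlias $adapter -ErrorAction SilentlyContinue
    if ($ncp -and $ncp.Name -ne 'Unidentified network') { break }
}
# Expected: Name = your domain, NetworkCategory = DomainAuthenticated
$ncp | Select-Object InterfaceAlias, Name, NetworkCategory

# If the category is still Public, NLA could not find a DC through this
# adapter: confirm the domain's DC SRV record resolves with the new suffix.
if ($ncp.NetworkCategory -ne 'DomainAuthenticated') {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$suffix" -Type SRV
}
```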

Move From Private to Public

Usually, just setting the gateway IP on one of the public connections is enough to get NLA to set the location properly. If that doesn't work, there are more drastic steps available. However, this is usually an indication of an improper and possibly insecure network setup, as NLA is seeing something that shouldn't be there. For example, your domain controller should never be accessible on the public LAN.

There are two common ways to force NLA to mark a connection as public. One is to use a firewall rule to block NLA so that it has no choice but to use the default location. The other is to use the registry to disable NLA on the connection.

Using the Firewall

I haven’t tested this but the theory seems sound.

  1. Open “Windows Firewall with Advanced Security”.
  2. Go to Outbound rules.
  3. Click on “New Rule…”.
  4. Use these settings:
    Rule Type: Custom
    Program: Select “All programs” and then click on “Customize…”. Select “Network Location Awareness” (short name is NlaSvc).
    Protocol and Ports: Protocol type = Any.
    Scope: Local IPs = Enter all your public IPs. Double-check for connections with multiple IPs.
    Action: Block
    Profile: All
  5. Once the rule is enabled, disable and then enable the network connection to get NLA to re-identify the location.
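The same outbound block rule built with the NetSecurity cmdlets, as an added example that is not from the original article. It assumes Windows Server 2012 or later (the cmdlets do not exist on 2008 R2) and a placeholder adapter name; it gathers every IPv4 address on that adapter so a multi-IP connection is fully covered.

```powershell
# Added example: block NlaSvc outbound on the public connection's local IPs
$publicAdapter = 'Ethernet 1'    # assumed: the adapter facing the public LAN

# Scope: all IPv4 addresses bound to that adapter ("double-check for
# connections with multiple IPs")
$publicIPs = (Get-NetIPAddress -InterfaceAlias $publicAdapter -AddressFamily IPv4).IPAddress
if (-not $publicIPs) { throw "No IPv4 addresses found on $publicAdapter" }

$rule = @{
    DisplayName  = 'Block NLA on public interfaces'
    Direction    = 'Outbound'
    Service      = 'NlaSvc'      # Program: Network Location Awareness service
    Protocol     = 'Any'         # Protocol type = Any
    LocalAddress = $publicIPs    # Scope: local IPs of the public connection
    Action       = 'Block'
    Profile      = 'Any'         # Profile: All
}
New-NetFirewallRule @rule

# Step 5: bounce the connection so NLA re-identifies the location
Disable-NetAdapter -Name $publicAdapter -Confirm:$false
Enable-NetAdapter  -Name $publicAdapter

# Verify the rule scope actually contains the public IPs, then the category
Get-NetFirewallRule -DisplayName $rule.DisplayName | Get-NetFirewallAddressFilter |
    Select-Object LocalAddress
Start-Sleep -Seconds 5
Get-NetConnectionProfile -InterfaceAlias $publicAdapter |
    Select-Object InterfaceAlias, Name, NetworkCategory   # expected: Public
```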

Using the Registry

I have not had this work for me but my circumstance may be different from yours. Finding the correct connection number is a bit hit or miss as there are a lot more entries than you would expect.

  1. Run regedit
  2. Go to HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
  3. Underneath you should see several keys labeled 0000, 0001, 0002 etc… Look through these and find the adapters where you want to disable NLA.
  4. For each of the adapters, add a new DWORD value named “*NdisDeviceType” and set it to 1 (make sure you get the * at the beginning of the name).
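Because the numbered subkeys under the class GUID include filter drivers and virtual miniports, the reliable way to pick the right one is to match each subkey's NetCfgInstanceId to the adapter's interface GUID. The script below does that and then writes *NdisDeviceType; it is an added example, not from the original article, assumes Windows Server 2012 or later for Get-NetAdapter, and uses a placeholder adapter name.

```powershell
# Added example: find the class subkey for a named adapter and set *NdisDeviceType=1
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$targets  = @('Ethernet 1')    # assumed: adapters on which NLA should be disabled

# Build a table of the 0000, 0001, ... subkeys. Some subkeys (e.g. Properties)
# are ACL-protected even for administrators, hence SilentlyContinue.
$entries = Get-ChildItem $classKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        SubKey     = $_.PSChildName
        DriverDesc = $p.DriverDesc
        InstanceId = $p.NetCfgInstanceId   # matches the adapter's InterfaceGuid
        Path       = $_.PSPath
    }
}
# Show only entries that are real network interfaces
$entries | Where-Object InstanceId | Format-Table SubKey, DriverDesc, InstanceId

foreach ($name in $targets) {
    $guid = (Get-NetAdapter -Name $name -ErrorAction Stop).InterfaceGuid
    $hit  = $entries | Where-Object { $_.InstanceId -eq $guid }
    if (-not $hit) { Write-Warning "No class subkey matches adapter '$name'"; continue }

    # The leading * is part of the value name (step 4); DWORD 1 makes NLA
    # ignore this adapter. Use -WhatIf first to preview the write.
    New-ItemProperty -Path $hit.Path -Name '*NdisDeviceType' -PropertyType DWord -Value 1 -Force
    Write-Output "Set *NdisDeviceType=1 on $($hit.SubKey) ($($hit.DriverDesc)) for '$name'"
}
# A reboot (or disable/enable of the adapter) is needed before NLA re-evaluates
```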

Getting Drastic

The location profiles are housed in the registry and it seems harmless to delete them and let Windows rebuild them. You will definitely want to backup the registry first and you will likely need to be connected to the server via KVM rather than remote (RDP). I will not take any responsibility if you choose this step as I am primarily putting this here for reference.

The location of the profiles is:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

About the author: dave
