Metanis
Well-Known Member
- Reaction score
- 934
- Location
- Medford, WI, USA
Windows boxes can have Public, Private, and Domain network types. This has ramifications regarding settings like Firewall profiles and Network Discovery. Unfortunately, this detection on a domain controller server can sometimes occur before the DNS and AD services are fully aware and functioning. When this happens the wrong Firewall profile gets applied it will appear like your server is no longer working correctly.
(And it's not obvious unless you know to hover your mouse over the Network icon in the taskbar so the popup information box displays which profile is currently active. Nothing like troubleshooting a service like Active Directory Web Services for an hour trying to figure out why you can't connect when you realize the wrong Firewall profile has been applied!)
The fix can be as easy as restarting the NLA (Network Location Awareness) service on the box. When DNS and gateway addresses are configured correctly the Network type will just click back to the correct Domain type and everything will begin to work normally.
For me it seems this problem was reoccuring after every server reboot and I'd forget how to fix it between intervals. So I created a little batch file that gets triggered by an event in the Active Directory Web Services log. After the server has started and the Directory is being serviced properly there will be an Informational event id 1200 in the ADWS log stating that "Active Directory Web Services is now servicing the specified directory instance."
That event tells me the server has finally stabilized and the Domain Controller and DNS Server tasks are ramped up. At this point I use that event to trigger a batch file. In Windows Server 2012 the service that actually enumerates network types is call the "Network List Service" and its acronym is "netprofm". This service will immediately restart itself but just to be safe I wait 10 seconds and then have it do a restart anyway. I also write a Warning event to the System Eventlog so I know the batch file was triggered. The batch file is run with my domain admin credentials.
(And it's not obvious unless you know to hover your mouse over the Network icon in the taskbar so the popup information box displays which profile is currently active. Nothing like troubleshooting a service like Active Directory Web Services for an hour trying to figure out why you can't connect when you realize the wrong Firewall profile has been applied!)
The fix can be as easy as restarting the NLA (Network Location Awareness) service on the box. When DNS and gateway addresses are configured correctly the Network type will just click back to the correct Domain type and everything will begin to work normally.
For me it seems this problem was reoccuring after every server reboot and I'd forget how to fix it between intervals. So I created a little batch file that gets triggered by an event in the Active Directory Web Services log. After the server has started and the Directory is being serviced properly there will be an Informational event id 1200 in the ADWS log stating that "Active Directory Web Services is now servicing the specified directory instance."
That event tells me the server has finally stabilized and the Domain Controller and DNS Server tasks are ramped up. At this point I use that event to trigger a batch file. In Windows Server 2012 the service that actually enumerates network types is call the "Network List Service" and its acronym is "netprofm". This service will immediately restart itself but just to be safe I wait 10 seconds and then have it do a restart anyway. I also write a Warning event to the System Eventlog so I know the batch file was triggered. The batch file is run with my domain admin credentials.
@echo off
echo Brute force method to try and ensure the NLA service correctly identifies our domain network so the proper firewall is applied!
c:
cd \scripts
net stop netprofm < y.dat
ping localhost -n 10
net start netprofm
eventcreate /s servername /u adminuser /p adminuserpassword /l SYSTEM /so BatchFile /t WARNING /id 999 /d "Batch file ran to try and fix Network Location setting."
Old batch file jockeys will recognize the "y.dat" as the method to type a "Y" when prompted for "Are you sure, Y or N?". Simply create a text file with a single Y and then save it as y.dat and then use the pipe symbol "<" in the batch file to automajically type that Y for you!echo Brute force method to try and ensure the NLA service correctly identifies our domain network so the proper firewall is applied!
c:
cd \scripts
net stop netprofm < y.dat
ping localhost -n 10
net start netprofm
eventcreate /s servername /u adminuser /p adminuserpassword /l SYSTEM /so BatchFile /t WARNING /id 999 /d "Batch file ran to try and fix Network Location setting."
