We have a Windows Server 2008 R2 domain controller which always sets its NLA location to 'Network 3' after a reboot. Without fail, this defaults to Public, which screws with my Domain profile firewall settings. I have to manually disable and re-enable the network adapter before it will set itself back to the domain profile.

I've tried KB2524478 and a whole host of other things. Now I'm tired of trying to fix this problem (and fast running out of time) so just want to get around it. I was thinking about scripting the disable/enable with netsh and being done with it, but I'd like to go one step further and make sure that the NLA location is actually "Network 3" and not "the-domain.example.org" (more specifically, just checking it is not the domain) before I do. That way, I can schedule it more frequently than just on startup.

I'm just missing a piece of this puzzle — how to retrieve the location using something I can pipe to FIND /i "the-domain.example.org", so I can run it as:

<something> | ...
FIND /i "the-domain.example.org" || ...
NETSH interface set interface name="Local Area Connection" admin=DISABLED & ...
NETSH interface set interface name="Local Area Connection" admin=ENABLED

So what is <something>?

jimbobmcgee

1 Answer

You can query the appropriate registry keys to see what the network profile is set to. You need to look in `HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures` to find the subkey for the appropriate interface. This will require a little detective work, but the easiest way is to look for the MAC address of your current default gateway. Once you've located the interface's subkey, take note of the `ProfileGUID`. You can then use the `ProfileGUID` to locate that interface's profile settings under `..\NetworkList\Profiles`. From there, setting the `REG_DWORD` value `Category` back to `2` should set the interface's profile to Domain.

You need to turn off the NLA service before you make the change to the `Category` value. A simple `net stop nlasvc` will stop NLA and netprofm. Once you make the registry change, restart it: `net start netprofm`.

  • Not bad. +1 for `netsh advfirewall set domainprofile state on`, at least, which might well be better than disable/re-enable. I almost accepted it, but will go away and test that it enables the domain policy properly, first. FWIW, I did eventually find the slightly alternate `netsh advfirewall monitor show currentprofile`, which gives me the domain name -- I will also check if it gives the names of non-domain network locations too (as that would *strictly* answer the question I asked). In any case, if your approach works I will use it for the actual fix, as it seems cleaner than mine, IMO. – jimbobmcgee Jan 07 '13 at 23:56
  • You will want to play around with the firewall profile settings and make sure you're actually getting *just* the Domain Profile with `netsh advfirewall set domainprofile state on`. I added the `allprofiles state off` just to be sure in my edit. –  Jan 08 '13 at 00:05
  • Still testing, but I think `netsh advfirewall set domainprofile state on` just tells the server that, when in a Domain Profile, the Firewall should be on; I don't *think* it actually changes the current profile to Domain... – jimbobmcgee Jan 08 '13 at 00:05
  • Just looked back over my notes. You are correct. Try the registry method. –  Jan 08 '13 at 00:08
  • OK, stuck with the disable/enable as it worked in my environment. Used `netsh advfirewall show currentprofile | find /i "Domain" || netsh interface set interface name="LAN" admin=DISABLED & netsh interface set interface name="LAN" admin=ENABLED` as my command, which you put me on to with your (subsequently edited) first answer. `netsh advfirewall monitor show currentprofile` does *technically* give the name of the current location, if anyone else is looking for that specific need... – jimbobmcgee Jan 08 '13 at 01:36
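The registry walk the answer describes, written out as a script. This is an added example, not code from the question or the answer: it finds the first IP-enabled adapter that has a default gateway, resolves the gateway's MAC from the ARP cache, matches it against `DefaultGatewayMac` under `NetworkList\Signatures`, follows `ProfileGuid` to `NetworkList\Profiles`, and reports the `Category` (0 = Public, 1 = Private, 2 = Domain). With `-Fix` it performs the answer's procedure: stop NlaSvc, set `Category` to 2, restart netprofm. It is written against PowerShell 2.0 (what Server 2008 R2 ships with), so it avoids newer cmdlets such as `Get-NetConnectionProfile`; the choice of "first adapter with a gateway" and the `arp -a` parsing are assumptions of this example, and `-Fix` requires an elevated prompt.

```powershell
# Added example, not from the original Q&A. Report (and with -Fix, reset)
# the NLA network category of the default-gateway interface by walking the
# NetworkList registry tree, as described in the answer. PowerShell 2.0.
param([switch]$Fix)

$NetList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
$CategoryNames = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }

function Get-DefaultGatewayMac {
    # Assumption: the first IP-enabled adapter with a gateway is the one NLA
    # should classify as Domain. Gateway MAC comes from the ARP cache, whose
    # "arp -a" lines look like "  10.0.0.1   00-15-5d-01-02-03   dynamic".
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DefaultIPGateway } |
        Select-Object -First 1
    if (-not $cfg) { throw 'No IP-enabled adapter with a default gateway.' }
    $gw = $cfg.DefaultIPGateway[0]
    foreach ($line in (arp -a)) {
        if ($line -match ('^\s*' + [regex]::Escape($gw) + '\s+([0-9a-fA-F-]{17})')) {
            # Normalise to 12 upper-case hex digits, same form as the
            # REG_BINARY DefaultGatewayMac value once rendered as hex.
            return ($Matches[1] -replace '-', '').ToUpper()
        }
    }
    throw "Gateway $gw is not in the ARP cache; ping it and retry."
}

function Get-CurrentNlaProfile {
    $mac = Get-DefaultGatewayMac
    # Signatures live under Unmanaged (workgroup/public networks) and
    # Managed (domain networks); Managed may be absent on some hosts.
    $sigKeys = Get-ChildItem -LiteralPath "$NetList\Signatures\Unmanaged", "$NetList\Signatures\Managed" `
        -ErrorAction SilentlyContinue
    foreach ($sig in $sigKeys) {
        $p = Get-ItemProperty -LiteralPath $sig.PSPath
        if (-not $p.DefaultGatewayMac) { continue }
        $sigMac = ($p.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join ''
        if ($sigMac -ne $mac) { continue }
        $prof = Get-ItemProperty -LiteralPath "$NetList\Profiles\$($p.ProfileGuid)"
        return New-Object PSObject -Property @{
            GatewayMac   = $mac
            Signature    = $sig.PSChildName
            ProfileGuid  = $p.ProfileGuid
            ProfileName  = $prof.ProfileName
            Category     = [int]$prof.Category
            CategoryName = $CategoryNames[[int]$prof.Category]
        }
    }
    throw "No NetworkList signature matches gateway MAC $mac."
}

$current = Get-CurrentNlaProfile
$current | Format-List GatewayMac, Signature, ProfileGuid, ProfileName, Category, CategoryName

if ($current.Category -eq 2) {
    'Interface is already on the Domain profile; nothing to do.'
    exit 0
}
if (-not $Fix) {
    "Interface is on the $($current.CategoryName) profile. Re-run with -Fix to set Category=2."
    exit 1
}

# The answer's procedure: NLA must be stopped while the value changes.
# "net stop nlasvc" also stops netprofm (which depends on it); /y answers
# the dependency prompt. Starting netprofm brings NlaSvc back as a dependency.
net stop nlasvc /y
Set-ItemProperty -LiteralPath "$NetList\Profiles\$($current.ProfileGuid)" -Name Category -Value 2 -Type DWord
net start netprofm
'Category set to 2 (Domain); check "netsh advfirewall show currentprofile".'
```

Run it without `-Fix` first to confirm it picks the signature you expect (the `ProfileName` should be your domain's DNS suffix, not "Network 3"). If NLA re-classifies the interface on its next evaluation, the disable/enable cycle the question settled on remains the fallback.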