Why is my network profile stuck on Public?

Good morning.  A quick tip for today on an issue I run into from time to time.  I have seen a lot of Windows machines in my time.  One of the problems that I run into on a fairly regular basis is network communication issues.  A possible cause for these issues can be due to the Windows firewall being too restrictive.  That is what we are going to discuss today in this post.

Before we get into how to fix the network profile, let’s first discuss why the network profile even matters.  To do that we need to talk about the Windows firewall a little.  The Windows firewall provides a barrier between the Windows operating system and the network(s) to which it is attached.  It has 2 or 3 distinct profiles that it will operate in.  Whether it has 2 or 3 depends on if the system is joined to an Active Directory domain.  Each These 3 profiles are as follows:

  • Public – Windows assumes it is directly connected to the Internet or is on an unsafe or unfamiliar network.  This profile is the most restrictive and blocks most incoming traffic.
  • Private – Windows assumes this network is isolated from the Internet and is considered mostly safe.  This profile allows more traffic than the public profile, but some services are still blocked by default.
  • Domain – Windows assumes the network is trusted.  This profile is the least restrictive and by default allows most known services through.

As you probably already guessed the profile used by the Windows firewall correlates directly with the network profile assigned to the network adapter.  So if your network profile shows Public you can bet that almost all services will not work.

Now that we know about the profiles and what they do, how can we change the network profile.  If this were a client operating system like Windows 8/8.1/10 then it would be easy, just go into Network and Sharing Center and change the profile.  On a server operating system, for instance Windows Server 2012/2012R2/2016, the option to change the profile is not there.  That is, unless you count the side pop-out asking if you want to discover computers on the network.  Clicking yes on that pop-out will put the network profile into private.  Clicking no will put it into public.

If you clicked no, there is still hope.  There is a PowerShell command that can be used to set the network profile; Set-NetConnectionProfile.  Here is the command I use to quickly change the mode of all network cards in a system.

Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

This will set all network cards to Private profile.

If you need to set just one network card, you will need to know the interface index.  To find this run the following command.

Get-NetConnectionProfile | FT Name,InterfaceAlias,InterfaceIndex -a

This will give a table of all the network adapters in the server with their names and indexes.  You can then run the following command to set a single network adapter

Set-NetConnectionProfile -InterfaceIndex <index number> -NetworkCategory Private

I hope you found this article helpful.  If you have anything to add or just want to leave a comment, please do so below.

 

Advertisements

Group Policy and the case of the missing permission.

Good morning.  I had a case yesterday that yielded several interesting article ideas.  This is probably the most interesting one, and I have seen this very issue on at least three occasions.  The issue started on a domain rename.  If you have ever done a domain rename, you know there are quite a few steps.  After doing some checks and making some corrections we were able to complete the domain rename.  My customer then advised that his Folder Redirection policy was not applying on any workstations.  So in this article I am going to cover how to troubleshoot a group policy not applying and the specific fix for the situation I ran into yesterday.

The first step when troubleshooting just about any group policy issue is to pull a group policy report from a client that should be getting the policy.  My preferred method is to go to a command prompt and run the following commands:

gpresult /h report.htm
report.htm

This will run the report and save it to a file called report.htm.  The second line then opens that report in a web browser.

When troubleshooting an issue where a policy is not applying I like to focus on the denied sections.  In our case folder redirection is a user policy, so I checked there.  Below is similar to what I found.
gpo-inaccessible

There were two clues as to what the issue was here.  The first clue is that the policy name is not being displayed.  Instead we just see the GUID (Globally Unique Identifier).  The second clue is the reason denied.  We can see it was denied because the policy is inaccessible, empty or disabled.

The next step was to check to see if the policy was accessible in the SYSVOL share.  In our case we had no problem accessing the files.  We then checked in the group policy management console.  We verified the policy was not empty or disabled.  So it would appear that we have eliminated all possible issues.  However there is another set of permissions.

delegation-tab

This was the set of permissions that were not correct in our case.  The Authenticated Users group was missing.  I have seen this issue on several occasions when one of my customers is trying to “lock down” the server.  Even if you add in another group, for instance Domain Users, and the user and/or computer is a member of that group, the GPO (Group Policy Object) will still fail to apply.  The fix is quite simple.  Add back the Authenticated Users group and give it read permissions.  After adding back Authenticated Users and running a gpupdate /force on the client the policy applied without issue.

I hope you have found this informative.  If you have anything to add or just want to comment, please do so below.

The Software Protection Service, part 2

Good morning.  I ran into an interesting issue this morning that I wanted to share.  I have seen this particular problem on several occasions, but a Google search comes up empty.  So I had a customer this morning that was seeing activation issues in 2012 R2.  More specifically, he was unable to make any changes with slmgr.vbs.  In case you were not aware, slmgr.vbs is the command line tool to enter/remove product keys and get information about activation status.

I started troubleshooting this by running the MGADiag (Microsoft Genuine Advantage Diagnostic) tool*.  I was specifically looking for this line: OEMID and OEMTableID Consistent: yes.  This indicates that the server can use an OEM SLP key.  So that ruled out that as a possible issue.

I then wanted to find out why the Software Protection Service was reporting Windows is not activated.  I ran the command: slmgr /dlv.  This command will display licensing information with full verbosity.  The command threw an error though.
slmgr-dlv-error

When running slue.exe 0x2a 0x8007041D, I received the following message:
slmgr-dlv-error-extended

So it appears that the Software Protection Service is not starting.  I confirmed this in the System Event log.
spp-not-starting

Now the big question.  Why is the Software Protection Service not starting?  To determine this I ran a filter on the event viewer to only show me event ID 7000 errors.  I then scrolled to the first event.  In this case the event was first recorded on 12/5/2016.  My next stop was Programs and Features.  It was no surprise that installed on the same day the problem started was SEP (Symantec Endpoint Protection).  I say this as I have seen SEP cause a multitude of issues on server operating systems.  I point out SEP because it is the most common.  I have also seen numerous other security software packages cause problems.  In our case we removed SEP and rebooted.  After the reboot Windows is now reporting that it is activated.

I hope this post has been informative for you.  If you have anything to add or you see any errors please post in the comments below.

 

*I ran into a really good blog article after working on this issue.  It turns out the MGADiag tool is only designed for Windows 7/2008R2.  While it will run on higher version of OSes, there is now a built-in tool.  Thanks to John D over at johndstech.com for posting this.

 

How to upgrade Windows Server Essentials to Standard edition

Time for another quick tip.  In case you hadn’t guessed already, I really like Essentials.  You get quite a few features for a much better price than Standard edition.  There are some limitations though with Essentials.  The good news is that the server can later be upgraded to Standard and the process only takes a few minutes.  On the flip side, a standard license has to be purchased.

Let’s walk through the upgrade process.

  1. Purchase a Windows Server Standard license
  2. Open an administrative PowerShell command
  3. Run the following command to verify the target edition:
    dism /online /Get-TargetEditions
    You should see Target Edition : ServerStandard or something similar
  4. Run the following command to complete the upgrade:
    dism /online /Set-Edition:ServerStandard /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula
    Change the edition and product key to match the ones you have.

You should see output similar to below.  Reboot when prompted.

upgrade-to-standard

I hope you found this informative.  If you have any comments or suggestions, please leave them below.

Windows Server 2016 Essentials and Remote Desktop Services, the untold story

Good morning.  Time for another installment.  Today I wanted to talk about 2 of my favorite Microsoft technologies in one article; RDS (Remote Desktop Services) and the Essentials experience.

Recently I have seen a rise in the deployment of RDS, specifically Session Host, on Windows Server 2016 Essentials.  While this seems like the perfect money saving combination, Essentials is about $200-300 cheaper than the Standard SKU, it is not.  While not well documented, this configuration is not supported by Microsoft*.  This may not deter some admins.  However, it also will not work properly.  While I have seen this issue on several occasions in customer environments, I figured I would reproduce this.  Below is the documentation of that process.

I started by installing Windows Server 2016 Essentials into a generation 2 VM (Virtual Machine).  I ran the initial configuration wizard to complete setup.  I verified that only 2 simultaneous interactive logon sessions would work.  See the screen capture below.

too-many-users

I then shutdown the server and took a checkpoint.  After booting the VM back up, I installed RDS via the installation wizard.  The roles installed properly, but I received an error when creating the session collection.  After a reboot the session collection did show up.  This seemed odd to me, but upon checking Server Manager all seemed to be normal.  I then tested the number of simultaneous connections again.  I ran into the same 2 user limit.

Maybe this is due to RDS licensing not being installed or configured?  I then installed and activated a license server on the same machine.  I added a 50 pack of user CALs.  Finally, I added the license server and the network service account to the Terminal Server License Servers group in AD.  After a restart, RD Licensing manager is reporting all green checks.  However RD Licensing Diagnoser is reporting it is not configured with a license server.  See the screenshots below.  This led me to check the deployment properties and I found it was configured for Per User mode with the correct server.

rd-licensing-happy

rd-licensing-diagnoser

At this point it is pretty clear this is not going to work properly, but I wanted to dig a little deeper and find out why.  Time to break out the PowerShell.  I ran the following commands to manually configure Session Host via PowerShell:
$obj = gwmi -namespace “Root/CIMV2/TerminalServices” Win32_TerminalServiceSetting$obj.ChangeMode(4)

Upon running the last command I receive an error indicating the method is not specified, meaning the parameter doesn’t exist.  This led me to output all parameters from the Win32_TerminalServiceSetting object.  This is how I discovered the root cause for the limitation.  It appears that even though I have install Session Host, the server is still in Remote Desktop for Administration mode.  In this mode it is not possible to specify a license server or licensing mode.  Also there is the limitation of two simultaneous interactive logon sessions.

powershell-output

So is it possible to get around this or correct it?  The good news is that the process is fairly easy.  The bad news is that an upgrade to standard edition is required.  A walk-through of the upgrade process can be found here.  I went through this process in my test environment.  After reactivating my license server and updating the licensing mode in the deployment properties, my RD Licensing Diagnoser reported no issues.  Also for curiosity sake, below is a screenshot of the same PowerShell output after upgrading to Standard.

powershell-output-after-upgrading

So the moral of the story is if you need RDS in Windows Server 2016 you will need Standard edition or higher.  I hope this has been informative for you.  If you have any comments or suggestions, please leave them below.

 

 

*There is only one reference, that I could find, to the supportability of RDS on the Essentials SKU.  It is in the Windows Server 2012 R2 Licensing Datasheet.  On page 5, look for footnote 8.

The DNS management console fails to update or gets “stuck”

Another quick tip here.  I recently had a DNS (Domain Name System) console that was failing to update.  I knew that DNS was functioning properly and that all the records were there.  They were just not showing up on this particular server.  This is actually a pretty easy fix.

To reset the DNS console, or most mmc consoles, you just need to delete the settings file.  There is a settings file for each user that has logged in.  This file is located at C:\Users\<username>\AppData\Roaming\Microsoft\MMC\dnsmgmt.  You may notice other files in this directory.  Those files are the settings files for their respective mmc consoles.

Unable to extend an NTFS volume

Good afternoon.  I ran into an interesting issue this afternoon I wanted to share.  I had a customer that was receiving the following error:

“The volume cannot be extended because the number of clusters will exceed the maximum number of clusters supported by the filesystem.”

Unable to extend, cluster size

He encountered the error when trying to extend a volume.  The volume was 20TB (Terabytes) and he was trying to add another 19TB for a total of 39TB.  After some research I found, based on his setup, that the maximum volume size was 32.75TB.  We extended the volume to that size and we were done.

I figured someone might find it useful if I l go over the process of determining the maximum size for a volume.  There are a couple pieces of key information that are required.  The first is the maximum number of clusters in a NTFS volume.  This is 2^32 -1 clusters, or roughly 4 billion.  The second piece of information we need is the bytes per cluster.  To get this information, run the following command: fsutil fsinfo ntfsinfo x:
Replace the x: with the actual drive letter.  Below is output from the command.  In this example we see that we are using 4096 bytes per cluster or 4K for short.

bytes per cluster

Now that we have both pieces of information we just need to do some simple math to find the maximum volume size.  Multiply the maximum maximum number of clusters by the cluster size.  Taking the example above, that would be 4,294,967,295 * 4096 = 17,592,186,040,320 bytes.  To convert this to megabytes, divide the number by 1,048,576 (1024*1024).  In this example we get 16,777,215 Megabytes.

To make this even easier, here is a handy table:

Cluster size NTFS Max Size
512 bytes 2,199,023,255,040 (2TB)
1024 bytes 4,398,046,510,080 (4TB)
2048 bytes 8,796,093,020,160 (8TB)
4096 bytes 17,592,186,040,320 (16TB)
8192 bytes 35,184,372,080,640 (32TB)
16384 bytes 70,368,744,161,280 (64TB)
32768 bytes 140,737,488,322,560 (128TB)
65536 bytes 281,474,976,654,120 (256TB)

I hope you enjoyed this article.  If you have any suggestions or comments please leave them below.