Why is my network profile stuck on Public?

Good morning.  A quick tip for today on an issue I run into from time to time.  I have seen a lot of Windows machines in my time.  One of the problems that I run into on a fairly regular basis is network communication issues.  A possible cause for these issues can be due to the Windows firewall being too restrictive.  That is what we are going to discuss today in this post.

Before we get into how to fix the network profile, let’s first discuss why the network profile even matters.  To do that we need to talk about the Windows firewall a little.  The Windows firewall provides a barrier between the Windows operating system and the network(s) to which it is attached.  It operates in one of 2 or 3 distinct profiles.  Whether there are 2 or 3 depends on whether the system is joined to an Active Directory domain.  The 3 profiles are as follows:

  • Public – Windows assumes it is directly connected to the Internet or is on an unsafe or unfamiliar network.  This profile is the most restrictive and blocks most incoming traffic.
  • Private – Windows assumes this network is isolated from the Internet and is considered mostly safe.  This profile allows more traffic than the public profile, but some services are still blocked by default.
  • Domain – Windows assumes the network is trusted.  This profile is the least restrictive and by default allows most known services through.

As you probably already guessed, the profile used by the Windows firewall correlates directly with the network profile assigned to the network adapter.  So if your network profile shows Public, you can bet that almost all inbound services will be blocked.

Now that we know about the profiles and what they do, how can we change the network profile?  If this were a client operating system like Windows 8/8.1/10 it would be easy: just go into Network and Sharing Center and change the profile.  On a server operating system, for instance Windows Server 2012/2012R2/2016, the option to change the profile is not there.  That is, unless you count the side pop-out asking if you want to discover computers on the network.  Clicking Yes on that pop-out will put the network profile into Private.  Clicking No will put it into Public.

If you clicked No, there is still hope.  There is a PowerShell cmdlet that can be used to set the network profile: Set-NetConnectionProfile.  Here is the command I use to quickly change the profile of all network cards in a system.

Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private

This will set all network cards to Private profile.

If you need to set just one network card, you will need to know the interface index.  To find this run the following command.

Get-NetConnectionProfile | FT Name,InterfaceAlias,InterfaceIndex -a

This will give a table of all the network adapters in the server with their names and indexes.  You can then run the following command to set a single network adapter.

Set-NetConnectionProfile -InterfaceIndex <index number> -NetworkCategory Private
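As an added example (not code from the original post), the following script changes a single adapter by alias rather than by a hand-typed index, skips the change if the adapter is already Private, and then shows the firewall profile that now governs it so you can confirm the firewall is still enabled and still blocks unsolicited inbound traffic.  The alias 'Ethernet0' is an assumed placeholder; use the alias shown by Get-NetConnectionProfile on your own server.

```powershell
# Added example, not from the original post.  Run in an elevated PowerShell
# session on Windows Server 2012 R2 / 2016.
$alias = 'Ethernet0'   # assumed placeholder; replace with your adapter's alias

# 1. List every adapter with its current category so the change is deliberate.
Get-NetConnectionProfile |
    Format-Table Name, InterfaceAlias, InterfaceIndex, NetworkCategory -AutoSize

# 2. Resolve the target adapter by alias instead of guessing the index.
#    ($conn is used rather than $profile because $PROFILE is an automatic variable.)
$conn = Get-NetConnectionProfile -InterfaceAlias $alias -ErrorAction Stop

if ($conn.NetworkCategory -eq 'Private') {
    Write-Host "$alias is already Private; nothing to do."
} else {
    Write-Host "$alias is $($conn.NetworkCategory); setting it to Private."
    Set-NetConnectionProfile -InterfaceIndex $conn.InterfaceIndex -NetworkCategory Private
}

# 3. Moving an adapter to Private changes WHICH firewall rules apply; it should
#    not turn the firewall off.  Confirm the Private profile is enabled and its
#    default inbound action is still Block.
Get-NetFirewallProfile -Name Private |
    Format-List Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

Only Public and Private can be assigned this way; an adapter on a domain network is detected as DomainAuthenticated automatically and cannot be set to it by hand.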

I hope you found this article helpful.  If you have anything to add or just want to leave a comment, please do so below.

 

Exchange Shell and the missing child domain

Good morning.  Today I wanted to post a couple of quick one line PowerShell commands for Exchange 2010.  I used both of these today and they are invaluable in certain situations.

The first command loads the Exchange snap-in into a plain local PowerShell session instead of the remote Exchange Shell.  Normally you don’t want to do this, but I had issues with RBAC (Role Based Access Control) that prevented doing anything in the Exchange Shell or the Exchange Management Console.

  1. Open a PowerShell prompt as Administrator.
  2. Run: Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010

 

The second command is very useful in multi-domain Exchange forests, for instance when the user accounts are in a child domain but Exchange is in the parent domain and you need to move their mailboxes.
Here is the command without setting the AD server settings parameter (note the domain controller has to be specified on every cmdlet):
Get-Mailbox -Database "Mailbox Database" -DomainController DC.child.domain.com | New-MoveRequest -TargetDatabase "New Database" -DomainController DC.child.domain.com

Here is the command to change the behavior of Exchange Shell to mimic Exchange Management Console:
Set-AdServerSettings -ViewEntireForest $True

And the resulting command to move mailboxes as above:
Get-Mailbox -Database "Mailbox Database" | New-MoveRequest -TargetDatabase "New Database"
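As an added example (not code from the original post), here is the same move scripted end to end for Exchange 2010: widen the scope to the whole forest, count what would be moved, preview the move requests with -WhatIf, and then track the batch.  The database names and batch name are assumed placeholders.

```powershell
# Added example, not from the original post.  Run in the Exchange Management
# Shell (or a session with the E2010 snap-in loaded) as a user with mailbox
# move rights.
$sourceDb = 'Mailbox Database'   # assumed placeholder
$targetDb = 'New Database'       # assumed placeholder
$batch    = 'ChildDomainMove'    # assumed placeholder batch name

# Make the shell behave like the console: return objects from every domain in
# the forest without passing -DomainController to each cmdlet.
Set-AdServerSettings -ViewEntireForest $true

# -ResultSize Unlimited avoids the default 1000-object cap on large databases.
$mailboxes = @(Get-Mailbox -Database $sourceDb -ResultSize Unlimited)
Write-Host ("{0} mailbox(es) found in '{1}'" -f $mailboxes.Count, $sourceDb)

# Preview only: -WhatIf reports what would be submitted and creates nothing.
# Remove -WhatIf once the list looks right.
$mailboxes | New-MoveRequest -TargetDatabase $targetDb -BatchName $batch -WhatIf

# Once submitted for real, follow the batch rather than individual mailboxes.
Get-MoveRequest -BatchName $batch |
    Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, TotalMailboxSize -AutoSize
```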

 

I hope you have found this article informative.  If you have any comments or suggestions, please leave them below.

Group Policy and the case of the missing permission.

Good morning.  I had a case yesterday that yielded several interesting article ideas.  This is probably the most interesting one, and I have seen this very issue on at least three occasions.  The issue started on a domain rename.  If you have ever done a domain rename, you know there are quite a few steps.  After doing some checks and making some corrections we were able to complete the domain rename.  My customer then advised that his Folder Redirection policy was not applying on any workstations.  So in this article I am going to cover how to troubleshoot a group policy not applying and the specific fix for the situation I ran into yesterday.

The first step when troubleshooting just about any group policy issue is to pull a group policy report from a client that should be getting the policy.  My preferred method is to go to a command prompt and run the following commands:

gpresult /h report.htm
report.htm

This will run the report and save it to a file called report.htm.  The second line then opens that report in a web browser.

When troubleshooting an issue where a policy is not applying I like to focus on the denied sections.  In our case folder redirection is a user policy, so I checked there.  The screenshot below is similar to what I found.
[Screenshot: gpo-inaccessible]

There were two clues as to what the issue was here.  The first clue is that the policy name is not being displayed.  Instead we just see the GUID (Globally Unique Identifier).  The second clue is the reason denied.  We can see it was denied because the policy is inaccessible, empty or disabled.

The next step was to check whether the policy was accessible in the SYSVOL share.  In our case we had no problem accessing the files.  We then checked in the Group Policy Management Console and verified the policy was not empty or disabled.  So it would appear that we had eliminated all possible causes.  However, there is another set of permissions, on the Delegation tab of the GPO.

[Screenshot: delegation-tab]

This was the set of permissions that were not correct in our case.  The Authenticated Users group was missing.  I have seen this issue on several occasions when one of my customers is trying to “lock down” the server.  Even if you add in another group, for instance Domain Users, and the user and/or computer is a member of that group, the GPO (Group Policy Object) will still fail to apply.  The fix is quite simple.  Add back the Authenticated Users group and give it read permissions.  After adding back Authenticated Users and running a gpupdate /force on the client the policy applied without issue.
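Checking every GPO by hand for this is tedious, so here is an added example (not code from the original post) that audits the whole domain for GPOs where Authenticated Users has no read access, using the GroupPolicy module's Get-GPPermission and Set-GPPermission cmdlets, and optionally restores the missing read permission.  The function name is my own.

```powershell
# Added example, not from the original post.  Requires the GroupPolicy module
# (RSAT or a domain controller) and rights to read, and with -Repair modify,
# GPO security.
Import-Module GroupPolicy

function Find-GpoMissingAuthUsers {
    param([switch]$Repair)

    # Any of these levels includes read, which is all the client needs to
    # retrieve the GPO; anything less reproduces the "inaccessible" denial.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        try {
            $perm = Get-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                        -TargetType Group -ErrorAction Stop
        } catch {
            $perm = $null   # no ACE for Authenticated Users on this GPO
        }

        $level = if ($perm) { [string]$perm.Permission } else { 'None' }
        if ($level -notin $readLevels) {
            [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; Permission = $level }
            if ($Repair) {
                Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                    -TargetType Group -PermissionLevel GpoRead | Out-Null
            }
        }
    }
}

# Report only; add -Repair to put GpoRead back on each flagged GPO.
Find-GpoMissingAuthUsers | Format-Table -AutoSize
```

One related caveat: since the June 2016 update MS16-072, user policy is retrieved in the computer account's security context, so the computer needs read access as well.  Keeping Authenticated Users with read covers both the user and the computer, which is another reason not to replace it with a narrower group.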

I hope you have found this informative.  If you have anything to add or just want to comment, please do so below.

SMB 1 in Windows 10

Today we have a quick tip from Luis, one of my partners in crime.  He had a customer that was experiencing poor file sharing performance with Windows 10 clients.  After replicating the environment Luis discovered the issue was due to the SMB (Server Message Block) version being used.  He was able to increase the performance by forcing a lower version of SMB to be used.  He discovered though that SMB version 1 is no longer supported by default in Windows 10.  He found a way to turn it back on.

I wanted to share that with you as it can be useful in a situation where there is an older file server.  When I say older, think Windows 2003 or Windows XP.  So it is no wonder that Microsoft has decided not to allow SMB 1 by default.  I don’t recommend following this procedure simply to increase performance, as the trade-off is less security and fewer features.  Also, following the below process will not by itself increase speed, as the highest version of SMB both sides support will be negotiated*.  This process will allow a Windows Server 2016 or Windows 10 client to connect to an older Windows system hosting a file share.

To enable SMB 1 do the following on the Windows Server 2016 or Windows 10 client.

  1. Open the registry editor and navigate to the following key:
    HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  2. Open the DependOnService value.
    [Screenshot: default]
  3. Add MRxSmb10 to the list below the MRxSmb20 entry and click OK.
    [Screenshot: new]
  4. Close the registry editor and restart the Workstation service.
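The same edit done from PowerShell, as an added example that is not part of the original post: it reads the existing multi-string, inserts MRxSmb10 immediately after MRxSmb20 only if it is not already there, checks that the SMB 1 redirector driver is actually present before creating a dependency on it (otherwise the Workstation service would fail to start), writes the value back, and restarts the service.  Running it with -Remove reverses the change, which is what you want once the old file server is gone.  The function name is my own.

```powershell
# Added example, not from the original post.  Run elevated on the Windows 10 /
# Server 2016 client.  Use -Remove to undo the dependency later.
function Set-Smb1ClientDependency {
    param([switch]$Remove)

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $deps = [string[]](Get-ItemProperty -Path $key -Name DependOnService).DependOnService
    Write-Host "Current DependOnService: $($deps -join ', ')"

    if ($Remove) {
        $new = [string[]]($deps | Where-Object { $_ -ne 'MRxSmb10' })
    } elseif ($deps -contains 'MRxSmb10') {
        Write-Host 'MRxSmb10 is already listed; nothing to change.'
        return $deps
    } else {
        # Do not add a dependency on a driver that is not installed: the
        # Workstation service would refuse to start on the next boot.
        if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10')) {
            throw 'The mrxsmb10 driver service is not present on this system.'
        }
        $list = New-Object System.Collections.Generic.List[string]
        foreach ($d in $deps) {
            $list.Add($d)
            if ($d -eq 'MRxSmb20') { $list.Add('MRxSmb10') }   # place it right after SMB2
        }
        if (-not $list.Contains('MRxSmb10')) { $list.Add('MRxSmb10') }  # MRxSmb20 was not listed
        $new = [string[]]$list.ToArray()
    }

    Set-ItemProperty -Path $key -Name DependOnService -Value $new -Type MultiString
    # -Force also restarts services that depend on Workstation.
    Restart-Service -Name LanmanWorkstation -Force
    Write-Host "New DependOnService: $($new -join ', ')"
    return $new
}

Set-Smb1ClientDependency
```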

 

I hope you enjoyed this article and found it informative.  If you have anything to add or just want to comment, please feel free to do so below.

 

*If you are dead-set on running SMB 1 to improve performance have a look at this Microsoft article.

The machine attempted to join the domain but failed. The error code was 2700.

Good morning.  I ran into an interesting issue a couple of weeks ago.  I had a customer that was not able to join any of their client systems to a newly created Windows Essentials domain.  When running the domain join wizard they were receiving a generic error.  When digging into the event log we were able to find an error code in the following event.

Event ID: 4097
Source: NetJoin
Type: Error
Description:
The machine <server name> attempted to join the domain <domain name> but failed. The error code was 2700.

So what does error code 2700 mean anyway?  I did some checking and could not find a good answer.  I dug into the clientsetup.log and found the following lines that gave me the answer I was looking for.

[3156] 170119.143840.1334: ClientSetup: nativeNetJoinDomain returned ErrCode=2700
[3156] 170119.143840.1334: ClientSetup: Join domain fails on the first time, exception: System.ComponentModel.Win32Exception (0x80004005): This device is joined to Azure AD. To join an Active Directory domain, you must first go to settings and choose to disconnect your device from your work or school

This makes sense, as a client cannot be joined to two directories at the same time.

Now that we know what the issue is, here is the fix.

  1. Open the Settings menu in Windows.  This can be done by clicking the Start icon and choosing Settings.  Choose the Accounts option.
    [Screenshot: 1-settings]
  2. Pick the Access work or school option.
    [Screenshot: 2-access-work-or-school]
  3. Click on the Azure connection to bring up the option to disconnect.
    [Screenshot: 3-disconnect]
  4. When you click on Disconnect, you will get a prompt.  Click Yes.
    [Screenshot: 4-disconnect-yes]
  5. You will get another prompt.  Choose Disconnect again.
    [Screenshot: 5-disconnect-are-you-sure]
  6. Enter alternate account information and click OK.
    [Screenshot: 6-enter-alt-contact-information]
  7. Finally choose the option to Restart now.
    [Screenshot: 7-restart]

After restarting you should now not have any issues joining the Windows domain.
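To spot this condition before running the join wizard (and to pull the NetJoin events that are already in the log), here is an added example that is not part of the original post.  It parses the output of the built-in dsregcmd /status tool for the AzureAdJoined and DomainJoined fields and queries the System log for NetJoin event 4097.  The function names are my own.

```powershell
# Added example, not from the original post.  Run on the Windows 10 client
# that is failing to join.
function Get-DeviceJoinState {
    # dsregcmd /status prints lines such as "    AzureAdJoined : YES".
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

function Get-NetJoinFailures {
    param([int]$Days = 7)
    # Event 4097 from source NetJoin is the one quoted in the post.
    Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'NetJoin'
            Id           = 4097
            StartTime    = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

$join = Get-DeviceJoinState
$join | Format-List

if ($join.AzureAdJoined -eq 'YES' -and $join.DomainJoined -ne 'YES') {
    Write-Warning ('This device is Azure AD joined (tenant: {0}). Disconnect it under ' +
                   'Settings > Accounts > Access work or school before joining the AD domain.' -f $join.TenantName)
}

Get-NetJoinFailures | Format-Table -AutoSize -Wrap
```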

I hope you found this article informative.  If you have anything to add or want to comment, please do so below.


How to run Windows Foundation edition as a Hyper-V virtual machine.

I recently needed to reproduce a customer issue in my lab environment.  My lab is a Windows 10 workstation with the Hyper-V role installed.  Part of reproducing the issue involved building out a Windows Server 2012 R2 Foundation virtual machine. I figured this would not be a problem as 2012 R2 runs fine as a virtual machine.  This was not the case though.  I ran into a major hurdle with the integration tools.  I will describe the process I went through to get a Windows Server 2012 R2 Foundation virtual machine running smoothly.

Now before anyone goes out and tries the below procedure for a production system, please understand that running Foundation edition as a virtual machine is not supported by Microsoft.  Also it will likely violate the EULA (End User License Agreement).  Typically Foundation edition is only sold with an OEM license.  That means it comes pre-installed on hardware and must remain on that hardware.  So in order to do this, and not violate the EULA, a non-OEM license is required.  I have a MSDN subscription and thus have a valid license.  Additionally, I am not running the server for any type of production workload.

I started the process by creating a generation 2 VM (virtual machine).  Unfortunately I found out this will not work, as the VM bugchecked during setup.  I deleted that VM and created a generation 1 VM.  I was then able to get Windows loaded.  This is when I discovered the major hurdle I mentioned above.  The VM responded very slowly to mouse and keyboard input.  I also noticed severely degraded performance, to the point of the VM almost being unusable.  The VM behaved as if none of the integration services drivers were installed.  Unfortunately Windows 10/2016 Hyper-V no longer has the option to insert the integration services disk.  I was able to get the vmguest.iso from a 2012 R2 Hyper-V host.  However, when I tried to run the setup I was informed that the latest integration services were already installed.

At this point I realized this was not going to be easy, but I enjoy a challenge.  I browsed the vmguest.iso inside the Foundation VM.  I extracted the following file: D:\support\amd64\Windows6.2-HyperVIntegrationServices-x64.cab.  I then went into device manager.  I noticed quite a few, a dozen or so, unknown devices.
[Screenshot: unknown-devices]

I then tried to manually load the drivers from the extracted cab file.  While the driver was found, it was not signed.  I figured no sweat, just disable the driver signing requirement in the BCD (Boot Configuration Data).  Yet another roadblock: it is no longer possible to permanently disable driver signature enforcement.  I was able to boot into the Disable Driver Signature Enforcement mode from the F8 menu.  I then manually loaded drivers for all the Unknown devices.  This corrected the input and performance issues, at least for that boot.  Booting into normal mode caused all the issues to return.

[Screenshot: f8-boot-menu]

Getting the drivers to load each time Windows booted was the final step in getting the virtual machine to run properly.  I looked into the bcdedit command line options and was not able to find an option to boot to driver signing disabled mode.  What I ended up doing was to add a dummy entry to the boot list and set the timeout to 30 seconds with the following commands.

bcdedit /copy {current} /d "Dummy Entry"
bcdedit /timeout 30

 

[Screenshot: dummy]

Presently, on each boot I press F8 to get the boot options.  I then select Disable Driver Signature Enforcement.  Now the VM runs with all guest integration services.
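The two bcdedit commands above, scripted as an added example (not part of the original post) so that the GUID of the copied entry is captured and the change can be cleanly undone later.  Note that inside PowerShell the {current} identifier has to be quoted, otherwise the braces are parsed as a script block.  The function names are my own.

```powershell
# Added example, not from the original post.  Run elevated inside the VM.
function Add-BootMenuHold {
    param([int]$TimeoutSeconds = 30)

    # Quote '{current}' so PowerShell passes the braces through to bcdedit.
    $out = bcdedit /copy '{current}' /d 'Dummy Entry'
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $out" }

    # bcdedit reports the new entry as "... copied to {GUID}."; pull the GUID out.
    $guid = [regex]::Match(($out -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "Could not find the new entry GUID in: $out" }

    bcdedit /timeout $TimeoutSeconds | Out-Null
    # Keep the real entry as the default so an unattended boot still works.
    bcdedit /default '{current}' | Out-Null
    return $guid
}

function Remove-BootMenuHold {
    param([Parameter(Mandatory)][string]$Guid)
    # /cleanup also drops the entry from the display order.
    bcdedit /delete $Guid /cleanup
}

$dummy = Add-BootMenuHold
Write-Host "Added boot entry $dummy; remove it later with Remove-BootMenuHold -Guid '$dummy'"
```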

If you have been able to find a better way to do this I would like to hear about it in the comments below.

 

Windows Foundation Edition and Single Label domains

Good morning.  I had an interesting issue a couple of days ago I wanted to cover in depth.  I had a customer with a 2003 single label domain.  He was migrating to 2012 R2 Foundation.  He had added the Foundation server as a peer domain controller to the 2003 domain.  The problems came up when he shut down the 2003 domain controller.  He would receive errors in the silsvc (Server Infrastructure Licensing service) log.  Initially I was under the impression that Foundation edition does not support single label domains, and this is what I told him.  My customer preferred running in a workgroup configuration, and so he removed Active Directory from the server.  I wanted to duplicate this environment in my lab to see if I could determine the root cause of the errors and whether it was possible to eliminate them.

My test environment consisted of a cleanly loaded 2003 R2 virtual machine.  On that server, I set up a single label domain named “mydomain”.  I then installed a 2012 R2 Foundation virtual machine.  This was a significant challenge in itself; look for another blog post on getting 2012 R2 Foundation working in a virtual machine.  These virtual machines were linked by a private virtual switch.  Once the virtual machines were set up, I joined the 2012 R2 Foundation server to the 2003 single label domain.  I then promoted the 2012 R2 Foundation server to a domain controller.  Finally I verified that replication was working and that the DNS (Domain Name System) zones were present on the 2012 R2 Foundation server.

At this point I checked the silsvc log.  All tests were passing without issue.  I then shut down the 2003 server.  This was where things went awry.  On the next check done by silsvc the following popup was received.
[Screenshot: popup-error]

Checking the silsvc log showed two errors.  The first was an event ID 2 that stated: “The Forest Trust Check in the Licensing component did not pass because error 0x8007054B occurred in function f1 [PHQG].  The specified domain either does not exist or could not be contacted.”  This error is identical to the one I saw with my customer.  Additionally I received an event ID 38 that stated: “The Forest Trust Check detected a condition in your environment that is out of compliance with the licensing policy.  This server will be automatically shut down if the issue is not corrected in x day(s) x hour(s) x minute(s).”

[Screenshot: forest-trust-check-failed]

I then did some digging around to determine if any of the active directory tools were affected.  Everything seemed to work fine with the exception of the Active Directory Domains and Trusts.  When launching that MMC (Microsoft Management Console) I received the following error: “You cannot modify domain or trust information because a Primary Domain Controller (PDC) emulator cannot be contacted.  Please verify that the PDC emulator for the current domain and the network are both online and functioning properly.”
[Screenshot: pdc-emulator]

This explains why turning off the 2003 domain controller caused the forest trust check to fail.  The silsvc needs to be able to contact the PDC emulator to check for trusts.  If it cannot, the check fails.  I powered up the 2003 domain controller and transferred the FSMO (Flexible Single Master Operations) roles to the Foundation server.  I was then able to shut down the 2003 server without receiving any errors.
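As an added example (not code from the original post), the following script does the checks and the transfer described above with the ActiveDirectory module: it reports which DC holds each FSMO role, verifies that the PDC emulator is reachable (by ping and through the DC locator, which is what silsvc depends on), and then transfers all five roles to the Foundation server while both DCs are still online.  'FOUNDATION-DC' is an assumed placeholder name; the function names are my own.

```powershell
# Added example, not from the original post.  Run as a Domain Admin (Schema
# Admin and Enterprise Admin are also needed for the forest-level roles).
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Test-PdcEmulator {
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator
    $ping   = Test-Connection -ComputerName $pdc -Count 1 -Quiet
    # Ask the DC locator for the PDC explicitly; a non-zero exit code means the
    # same "cannot be contacted" condition the trust check reports.
    nltest "/dsgetdc:$($domain.DNSRoot)" /pdc | Out-Null
    [pscustomobject]@{
        PDCEmulator  = $pdc
        Pingable     = $ping
        LocatorFound = ($LASTEXITCODE -eq 0)
    }
}

Get-FsmoRoleHolders | Format-List
Test-PdcEmulator    | Format-List

# Transfer (not seize) the roles: the current holder must still be online.
$target = 'FOUNDATION-DC'   # assumed placeholder
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

Get-FsmoRoleHolders | Format-List   # every role should now show $target
```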

I hope you found this article informative.  If you have any comments or suggestions please leave them below.