Ondrej Sevecek's English Pages
February 01
How to force network profile redetection with NLA and Windows Firewall

Windows Firewall requires correct network location detection to work properly, especially when a machine is on a domain network. Sometimes not even domain controllers (DCs) themselves detect their network location correctly, because the responsible service, the Network Location Awareness service (NlaSvc), starts too early during boot, while domain services, DC location and other features are not yet available.

In order to detect the Domain network profile, the NLA service must be able to issue an LDAP UDP ping against the PDC of the domain. If that machine is not yet reachable for any reason, NLA falls back to the Public network profile.

To force a manual refresh of the network list and the associated profiles, restart the NlaSvc service. Note that there is a dependent service, the Network List service (netprofm), which needs to be restarted as well; that is why the -Force parameter is required:

Restart-Service NlaSvc -Force


Note 1: on Windows 2008 (not R2) or Windows Vista, you do not have network profiles per individual NIC; instead the whole firewall applies a single network profile, the most restrictive one. So if you have more than one network adapter on Windows 6.0, you may not be in the Domain profile simply because some other network interface is connected to a Public or Private network at the same time.

Note 2: on Windows 2008 or Windows 2008 R2 acting as an AD DS (Active Directory) domain controller (DC), you may not be able to switch into the Domain profile even after the NlaSvc restart. This can happen if you disable IPv6 on the DC itself using the registry value called DisabledComponents. As a side effect of disabling the IPv6 stack, Windows 2008 and Windows 2008 R2 DCs stop listening on LDAP UDP port 389 on the loopback IP address 127.0.0.1. Actually, they never listen on the loopback IPv4 address at all, even with IPv6 enabled, but because they listen on ::1 UDP 389 the problem fixes itself. Although DCs listen on LDAP TCP 389 on the localhost IPv4 address, for some reason they do not listen on the UDP port locally. In such a case the NLA service cannot ping localhost on the LDAP UDP port and will treat the network as Public regardless of anything else. Windows 2012 repaired this by listening on LDAP UDP 389 on 0.0.0.0 regardless of whether the IPv6 stack is enabled or not.
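The following script is an added example, not part of the original post: it records the state NLA depends on (per-interface profile, whether a DC has any local LDAP UDP 389 listener, and the DisabledComponents value), then applies the post's fix by restarting NlaSvc with -Force and shows the profiles again. It assumes Windows 8 / Server 2012 or later for Get-NetConnectionProfile and Get-NetUDPEndpoint, and an elevated PowerShell session; the Tcpip6\Parameters registry path is the standard location of DisabledComponents.

```powershell
# Added example, not the post's own code. Requires Windows 8 / Server 2012+
# (NetTCPIP module) and an elevated PowerShell.

function Get-NlaState {
    # Network category (DomainAuthenticated/Private/Public) per connected interface.
    $profiles = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity

    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem).
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

    # Note 2: a DC must answer the LDAP UDP ping over loopback, otherwise NLA
    # falls back to Public. Collect every local address bound to UDP 389.
    $ldapUdp = @(Get-NetUDPEndpoint -LocalPort 389 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalAddress)

    # DisabledComponents is the value the post names; this is its well-known key.
    $ipv6Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $disabled = (Get-ItemProperty -Path $ipv6Key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $disabled) { $disabled = 0 }

    [pscustomobject]@{
        Profiles               = $profiles
        IsDomainController     = $isDc
        LdapUdpListeners       = $ldapUdp
        IPv6DisabledComponents = $disabled
    }
}

$before = Get-NlaState
$before.Profiles | Format-Table -AutoSize

# Loopback-reachable UDP 389 listeners: 0.0.0.0 (2012+), 127.0.0.1, or ::1 (IPv6 on).
$loopbackOk = @('0.0.0.0', '127.0.0.1', '::1') | Where-Object { $before.LdapUdpListeners -contains $_ }
if ($before.IsDomainController -and -not $loopbackOk) {
    Write-Warning 'DC has no LDAP UDP 389 listener reachable over loopback; NLA will report Public.'
}
if ($before.IPv6DisabledComponents -ne 0) {
    Write-Warning ('IPv6 DisabledComponents = 0x{0:X}; see Note 2 above.' -f $before.IPv6DisabledComponents)
}

# The post's fix: -Force also restarts the dependent Network List service (netprofm).
Restart-Service -Name NlaSvc -Force
Start-Sleep -Seconds 10   # give NLA time to redo the DC location / LDAP UDP probe

(Get-NlaState).Profiles | Format-Table -AutoSize
```

If the profile is still Public on a DC after the restart and the warning about the missing loopback listener was printed, the restart alone will not help; the IPv6 setting from Note 2 is the thing to look at.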

Comments

Configuring NLASVC

We are in a situation where we know that one of the NICs is a management NIC and NLASVC should not probe it. Is there any way to hardcode the NIC type as private for a given NIC from the NLA perspective?

This is on a Windows 7 domain workstation. If tagging a NIC permanently is not an option at the NLASVC level, is there any other way to stop NLASVC probing the management NIC every now and then, or is there any way to configure the probing frequency?
 on 18/05/2018 20:26

Re: How to force network profile redetection with NLA and Windows Firewall

Try using GPEDIT.MSC, Security Settings, Network List Manager Policies to configure the settings either for the certain network connection explicitly or for any uncategorized network.
 on 21/05/2018 17:29

Re: How to force network profile redetection with NLA and Windows Firewall

Thanks for this
 on 27/02/2019 23:19
