How to move your mail infrastructure away from Lotus Notes

Monday, 5 January 2015

Solve "Unidentified Network Error" - Windows Server 2008


Anytime a non-routable network connection (any IPv4 network adapter that does *not* have a default gateway specified) is configured for a Windows Server 2008 server, the operating system will mark that network connection as an “Unidentified Network”. The downside? Windows Firewall kicks in by default unless you have changed the default policy to treat unidentified networks as private. This article discusses how to get rid of the Unidentified Network Error.

The Problem Space

Here is a picture of the problem in action. Even now in 2013, I still run into this problem occasionally upon reboots with Server 2008!
The problem with this “Unidentified Network” is that it affects the Windows Firewall settings. Server 2008 works by applying firewall rules to a network profile and this network profile is one of Domain, Public, or Private. Under the Windows Firewall, the rules for Domain and Private are relatively open: many network functions are allowed to support Active Directory or a trusted computer network scenario. The Public firewall rules, on the other hand, are very restrictive. So even though a computer may have a network interface that allows it to be a valid Active Directory domain member (as in the picture above with the “Management Network” that is part of the Active Directory domain), Windows Server 2008 will apply the restrictive “Public” firewall rules because the computer also has at least one Public network; this is shown within the listed “iSCSI Fabric A” and “iSCSI Fabric B” network interfaces.
“Hmmm” (with my ESP powers I can hear your thoughts!), “That Is Not a Good Thing. Losing iSCSI means Losing Storage Connectivity. That, in turn, means Downtime. We do *not like* Downtime!” And let me heartily second that opinion. So – given that in my case: a) I had to use Windows Server 2008; b) W2K8 Sucks in that this problem *will occur* every now and then; how to fix this problem??

A Workaround

Remember: The net effect of having an “Unidentified Network” under Windows Server 2008 is that the computer becomes largely non-functional in a trusted domain environment. Remote access, for example, is automatically turned off as is ping (ICMP) functionality. Aha! To work around this problem there are two strategies:
  1. Create a “fake” default route by pointing each unidentified network NIC to its own gateway and then using the route -p command to ensure that the gateway is never used. There are blog entries on how to do this (see a technet blog I wrote years ago for one).
  2. Easier is to modify the local Group Policy so that “Unidentified Networks” are set to use the Private profile; this has the effect of relaxing the Windows Firewall security rules.
In the case of my project, several systems have this scenario: the DataCore SANsymphony-V servers we use to present some legacy HP SANs to a SQL Server 2008 R2 cluster, and another NAS server that allows a physical SQL Server 2008 R2 standalone server to work directly from databases stored on a NAS powered by Windows Server 2008 and accessed via a private network (to ensure maximum network throughput). For each of these servers, the following procedure was applied:
  1. Open an elevated command prompt and type gpedit.msc. Then expand Computer Configuration -> Windows Settings -> Security Settings and click on the “Network List Manager Policies”. The screen displays as shown below:
  2. Double-click on the “Unidentified Networks” setting on the right side of the screen:
  3. Change the “Location type” from “Not configured” to “Private”:
  4. Close the Group Policy Editor and, from the elevated command prompt, type gpupdate /force and verify that the computer policies are updated. The network connection should now display as a Private network (although it will still be labeled as an “Unidentified network”):
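
A read-only check of the result of the procedure above, as an added example that is not part of the original article: it lists the IPv4 adapters that have no default gateway, shows the category Windows assigned to each connected network, and prints the firewall profile actually in effect. It assumes PowerShell 2.0 or later is installed on the server; the variable names are illustrative.

```powershell
# Added example (not from the original article). Read-only: it changes no settings.
# Run from an elevated PowerShell prompt after "gpupdate /force" has completed.

# 1. IPv4-enabled adapters without a default gateway. These are the connections
#    the article says Windows Server 2008 classifies as "Unidentified network".
$noGateway = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { -not $_.DefaultIPGateway }
$noGateway |
    Select-Object Description, @{ n = 'IPAddress'; e = { $_.IPAddress -join ', ' } } |
    Format-Table -AutoSize

# 2. Category of every connected network, read through the Network List Manager
#    COM API. Category values: 0 = Public, 1 = Private, 2 = Domain.
$categoryName = @{ 0 = 'Public'; 1 = 'Private'; 2 = 'Domain' }
$nlmType = [Type]::GetTypeFromCLSID('DCB00C01-570F-4A9B-8D69-199FDBA5723B')
$nlm = [Activator]::CreateInstance($nlmType)
$networks = foreach ($net in $nlm.GetNetworks(1)) {   # 1 = connected networks only
    New-Object PSObject -Property @{
        Name     = $net.GetName()
        Category = $categoryName[[int]$net.GetCategory()]
    }
}
$networks | Format-Table Name, Category -AutoSize

# 3. Flag any connected network that is still Public, because that is the case
#    in which the restrictive Public firewall rules are applied.
$stillPublic = @($networks | Where-Object { $_.Category -eq 'Public' })
if ($stillPublic.Count -gt 0) {
    $names = ($stillPublic | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Still categorised as Public: $names"
} else {
    Write-Output 'No connected network is categorised as Public.'
}

# 4. The firewall profile Windows Firewall is currently enforcing, with its
#    state and default inbound/outbound policy.
netsh advfirewall show currentprofile
```

Because the policy change applies to every unidentified network on the machine, the adapter list from step 1 is the set of interfaces that now receive the Private rules.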

Final Thoughts…

The above workaround is just that: a workaround. I have been unable to determine why – at odd, rare intervals that seem to correlate somewhat to Windows Updates – a functional Windows Server 2008 box will decide to “lose” its network definitions; it is a mystery. It is not a Domain issue because I have verified in at least one documented instance that I rebooted a Windows Server 2008 on a functional Active Directory domain as part of a whole series of serialized manual server patches and the problem occurred. A reboot seems always to “fix” the problem (that is: the network connection shows up as Domain) but I do not think it is simply a network hiccup. For example, I have an easily reproducible error where Windows Server 2008 VMs simply refuse to stop cleanly from the guest and I must power them off from the VM control panel.
While I only have a very few Windows Server 2008 boxes left, I do not see them going away soon. (For example, an older NAS server I use simply won’t run under Server 2008 R2 as some of the proprietary drivers were apparently never updated.) So my effort here to work around a disturbing network problem should not be taken as best practice.

