It could happen. I saw this issue couple of times, not only on domain controllers, but also on other domain joined computers.
The cause of this problem is the Network Location Awareness service. We know, that this service is recognising network location based on gateway and is trying to locate AD server thru port 389. Well, when gateway is changed or no server connection true port 389 is available, we have a new network location – by default it is Public.
Anyway, it can happened that NLA service starts before the AD services are started (or before DC is reachable on a non DC server). In this case, we will have public network profile on DC or domain joined computers. If firewall is enabled, most of network services will not run as the firewall for the Public profile is almost closed.
We have few possibilities to solve this situation. Maybe the most simple way is to restart the server, but I don’t know if I can restart the server at this moment and what was the original cause of the problem – maybe it will reappear. The second option is to disable / reenable the NIC adapter and in most cases, it will solve the issue. We will get the same result if we just restart the NLA service – this is a better way.
In some cases, you cannot connect to the computer for some reason. In this case, I use PowerShell remote session to solve the problem.
Here are the steps:
Enter-PSSession ComputerName (establish connection to computer with the problem)
Get-NetConnectionProfile (this will show you your current location profile – if this is the source of the problem, the location will not be Domain)
Restart-Service nlasvc (this cmdlet will restart NLA service; after this step you should see Domain network profile)
Get-NetConnectionProfile (just to check if the solution works)
Exit-PSSession (disconnect form the remote computer)
Based on my experience, this solution works always. Some administrators also suggest to change start option for NLA service to Automatic (Delayed Start). I am not sure if this is a good solution; be careful with it. Maybe you can do it in cases where this error is frequent (better: search for the original cause and solve the problem)
Many administrators in small environments (where we have Essentials server) have to buy a trusted certificates to make RWW working. The common problem of all those environments is, that there is no money for buying certificates or owners don’t understand why they need to buy certificates. This is why I am writing a post how to certify RWW with Let’s encrypt certificates.
It is a bit different to do it because Let’s encrypt certificates have validation period only three months and maybe it seems, you will have a lot of work – but don’t be afraid; we have two ways to simplify this procedure and my preferred procedure is with a product called Certify.
- First download Certify from this link (https://certify.webprofusion.com/).
- Install Certify with default options as you can see on screen shots. There is no need to change any settings; the application is simple and can be always installed with default options.
- Now you have to modify Essentials server configuration. Certify can issue the certificate banded to name of default web site in IIS. This means that we have to modify default site bindings (look at picture) in a way that we have public RWW name bind to default web site and port 80 – 443 SSL is not needed.
- For the first time, when you enter Certify, you will need to add your contact details. It is just to care about your certificates.
- Open Certify and start registering the new certificate.
- From the form select default web site and clear checkbox from local server name.
- CLick Save.
- Click Request certificate. At this point you will receive the certificate – be careful on firewall rules; you need to open port 80 and 443.
- We have now to do the last step: go to Configure Auto Renew and type Username and Password for user who is able to request the certificate.
That’s all you need. Now you have configured RWW with free trusted certificate, the certificate will be renewed automatically when will expire and you don’t need to manually renew it anymore.
The same process can be done on any IIS website or for any certificate that could be requested thru IIS.
Of course you have heard about the new malware, which yesterday created a lot of problems in industry. Unfortunately it is not an unknown problem.
Microsoft released a patch for this type of vulnerability already in March, but it seems once again that administrators are not patching their systems.
So, if you haven’t patched your systems at least every month, if you haven’t patched your system from March, is time to do it. And don’t forget to have a good defense system (antivirus and other prevention mechanisms). Update them to!
You can find additional information in this link.
Here is a link to post how was neutralized and who did this.
Anyway, we have already a version 2.0; you can read about this version here.
Again, please patch your systems! This update will solve a vulnerability. And don’t forget: this is not the first malware who was written on known vulnerability – patch your systems constantly!
Additionally, please disable SMB1 protocol – it is not new that it is not secure. Here and here are some guidelines how to do it via GPO.
Sometimes you will have to transfer DHCP settings via netsh command. This could be useful for a couple of reasons and it is fine to know how to approach it. Anyway, this is the quickest way to do a DHCP migration.
First you have to login to source server (it could be also a failover clustered DHCP service) and open CMD as Administrator. Then you have to enter in netsh mode with typing:
Now you have to select server with typing:
dns server \\servername
Where servername is the name of the old DHCP server or clustered service name. This will connect you to DHCP server and you are ready to export settings with this command:
export filename all to export the entire configuration or
export filename 192.168.222.0 to export only a scope configuration (in my case 192.168.222.0)
Of course, you have to replace the filename with full path and name of the file where you want to save exported data. This file now must be transferred to target – new server and we are ready to import the configuration. Of course, priory you import the configuration, the new server has to be authorized in AD. To begin an import procedure, we have to do the same steps as on the old server; open command prompt, enter into netsh mode and select DHCP server. After this, we have just a step to import settings with this command:
Import filename all to import all settings or
Import filename 192.168.222.0 to import just a scope
That’s all. Just be sure to double-check if the import did its job, disable and unautorize the old server (you can do it also with netsh: netsh dhcp delete server ServerIP). Of course, don’t forget to uninstall the service on the old computer.
You have finished. Good work!
Need to learn about Microsoft technologies? If the answer is yes, you can start downloading E-Books from here. They are completely free and very useful.