Anytime a non-routable network connection (any IPv4 network adapter that does *not* have a default gateway specified) is configured on a Windows Server 2008 server, the operating system will mark that network connection as an “Unidentified Network”. The downside? Windows treats an Unidentified Network as a Public network by default, so the restrictive Public profile of Windows Firewall kicks in unless you have changed the default policy to treat unidentified networks as Private. This article discusses how to get rid of the Unidentified Network problem.
The Problem Space
Here is a picture of the problem in action. Even now in 2013, I still run into this problem occasionally upon reboots with Server 2008!
The problem with this “Unidentified Network” is that it affects the Windows Firewall settings. Server 2008 works by applying firewall rules to a network profile, and this network profile is one of Domain, Private or Public. Under the Windows Firewall, the rules for Private are relatively open: many network functions are allowed to support Active Directory or a trusted computer network scenario. The Public firewall rules, on the other hand, are very restrictive. So even though a computer may have a network interface that allows it to be a valid Active Directory domain member (as in the picture above with the “Management Network” that is part of the armycloud.cloud.army.mil Active Directory domain), Windows Server 2008 will apply the restrictive “Public” firewall rules to the whole computer because the computer also has at least one Public network; this is shown within the listed “iSCSI Fabric A” and “iSCSI Fabric B” network interfaces.
“Hmmm” (with my ESP powers I can hear your thoughts!), “That Is Not a Good Thing. Losing iSCSI means Losing Storage Connectivity. That, in turn, means Downtime. We do *not like* Downtime!” And let me heartily second that opinion. So – given that in my case: a) I had to use Windows Server 2008; b) W2K8 sucks in that this problem *will occur* every now and then – how to fix this problem?
Remember: the net effect of having an “Unidentified Network” under Windows Server 2008 is that the computer becomes largely non-functional in a trusted domain environment. Remote Desktop, for example, is blocked by the Public profile, as are inbound ping (ICMP echo) requests. Aha! To work around this problem there are two strategies:
- Create a “fake” default route by pointing each unidentified network NIC to its own gateway and then using the route -p command to ensure that the gateway is never used. There are blog entries on how to do this (see a TechNet blog I wrote years ago for one).
- Easier is to modify the local Group Policy so that “Unidentified Networks” are set to use the Private profile; this has the effect of relaxing the Windows Firewall security rules.
In the case of my project, several systems have this scenario: the DataCore SANsymphony-V servers we use to present some legacy HP SANs to a SQL Server 2008 R2 cluster, and another NAS server that allows a physical SQL Server 2008 R2 standalone server to work directly from databases stored on a NAS powered by Windows Server 2008 and accessed via a private network (to ensure maximum network throughput). For each of these servers, the following procedure was applied:
- Open an elevated command prompt and type gpedit.msc. Then expand Computer Configuration -> Windows Settings -> Security Settings and click on “Network List Manager Policies”. The screen displays as shown below:
- Double-click on the “Unidentified Networks” setting on the right side of the screen:
- Change the “Location type” from “Not configured” to “Private”:
- Close the Group Policy Editor and, from the elevated command prompt, type gpupdate /force and verify that the computer policies are updated. The network connection should now display as a Private network (although it will still be labeled as an “Unidentified network”):
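The same procedure from the command line, as an added example (this is not code from the original post). Run it from an elevated PowerShell prompt on the Server 2008 box: it first lists the IP-enabled adapters that have no default gateway (the ones Windows will flag as “Unidentified”), shows which firewall profile is currently in effect, writes the “Unidentified Networks” = Private setting, refreshes computer policy and shows the profile again. The registry path under which the Group Policy Editor stores that setting is an assumption in this script; confirm it on your own system by setting the policy once through gpedit.msc and exporting the NetworkList\Signatures key before relying on it.

```powershell
# Added example, not from the original article. Requires an elevated prompt.
# ASSUMPTION: this is the key that gpedit.msc writes for
# "Network List Manager Policies -> Unidentified Networks". Verify it with:
#   reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures" /s
# after setting the policy once through the GUI.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\010103000F0000F0010000000F0000F0C967A3643C3AD745950DA7859209176EF5B87C875FA20DF21951640E807D7C24'

# Category values used by the Network List Manager policies: 0 = Public, 1 = Private
$PrivateCategory = 1

function Get-GatewaylessAdapters {
    # Any IP-enabled adapter without a default gateway is what Windows cannot
    # identify; these are the interfaces that will show up as "Unidentified Network".
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { -not $_.DefaultIPGateway } |
        Select-Object Description, @{ n = 'IPAddress'; e = { $_.IPAddress -join ',' } }
}

function Get-ActiveFirewallProfiles {
    # netsh prints a "<Name> Profile Settings:" header for each profile that is
    # currently active. On Server 2008 (non-R2) only one profile is active at a time,
    # so a single "Public" here means the whole box is running the restrictive rules.
    netsh advfirewall show currentprofile | ForEach-Object {
        if ($_ -match '^(\w+) Profile Settings:') { $Matches[1] }
    }
}

function Set-UnidentifiedNetworksPrivate {
    # Equivalent of setting "Location type" to Private in gpedit.msc (see assumption above).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name Category -Value $PrivateCategory `
        -PropertyType DWord -Force | Out-Null

    # Same step as the article's "gpupdate /force": make the computer re-read policy.
    gpupdate /target:computer /force | Out-Null
}

'Adapters with no default gateway (will be labeled Unidentified):'
Get-GatewaylessAdapters | Format-Table -AutoSize

'Firewall profile(s) in effect before the change:'
Get-ActiveFirewallProfiles

Set-UnidentifiedNetworksPrivate

'Firewall profile(s) in effect after the change:'
Get-ActiveFirewallProfiles
```

If the second Get-ActiveFirewallProfiles call still reports Public, the policy did not take effect; compare the key the script wrote against what gpedit.msc writes on that machine before assuming the workaround itself failed. Note that this only relaxes the rules to the Private profile; the connection is still reported as an “Unidentified network” in Network and Sharing Center, exactly as the article describes.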
The above workaround is just that: a workaround. Why, at odd, rare intervals that seem to correlate somewhat with Windows Updates, a functional Windows Server 2008 box will decide to “lose” its network definitions remains a mystery; I have been unable to determine the cause. It is not a Domain issue, because I have verified in at least one documented instance that I rebooted a Windows Server 2008 server on a functional Active Directory domain as part of a whole series of serialized manual server patches and the problem occurred. A reboot seems always to “fix” the problem (that is, the network connection shows up as Domain), but I do not think it is simply a network hiccup. For example, I have an easily reproducible error where Windows Server 2008 VMs simply refuse to stop cleanly from the guest and I must power them off from the VM control panel.
While I only have a very few Windows Server 2008 boxes left, I do not see them going away soon. (For example, an older NAS server I use simply won’t run under Server 2008 R2, as some of the proprietary drivers were apparently never updated.) So my effort here to work around a disturbing network problem should not be taken as best practice.