How To Setup A Radius Server Windows 2008 R2
New Server 2019 DC keeps setting Network Location to Private. Why?
I just setup my first Server 2019 domain controller and the darn thing keeps setting its network location to Private instead of Domain. If I restart NLA it fixes it, but once I reboot, goes back to Private. I set the NLA service to "Automatic (Delayed)" and it still doesn't work. I recall having to do that on Server 2016 though it doesn't seem to be fixing it here. DNS seems to be working fine too. I'm at a complete loss here as to what to do.
DC is a VM running under Server 2019 HyperVisor. The DC's DNS IP is set as itself. The VMs are on SSD so startup is really fast. Maybe this is some weird timing issue.
Any suggestions?
49 Replies
-
Check to make sure 'Network List Service' is running. I've seen that cause this issue before. Also, when you say "The DC's DNS IP is set as itself." Are you using the host's actual IP address or the loopback address? I believe Microsoft recommends using the loopback address over the actual IP.
-
NLS service is running, though its startup type is set to Manual. I've tried it with the loopback and its own actual IP.
-
It is having a hard time talking to the domain controller. DNS is right? Gateway is right? Dual NIC cards plugged in but not teamed properly? If you manually restart the NLA service does it automatically change to DOMAIN?
Check DNS to make sure there are no stale records and all addresses and pointers to the server are correct.
Check your switch for NETWORK errors... on the port with your 2019 DC and the other DCs. To see if any are taking errors.
-
Also might be worth checking your network card driver and/or firmware version. Update as needed. If the machine is legitimately having an issue with network connectivity, that could cause the issue also.
-
When I restart the NLA service it switches immediately to Domain, if I disable and reenable the NIC, it switches to the domain. It's the only DNS record in there right now as it's the first piece of the network I'm building out. Gateway is correct, DNS is right, NIC Team is set up properly (using Switch Independent and Dynamic mode).
-
I don't suppose there's some goofy gpo setting the network to private?
-
There isn't, already checked.
-
Anything silly with win firewall on the dc itself?
-
Everything looks fine on the firewall
-
Got it! Added a dependency for it to depend on the NetLogon service and boom! It worked.
-
DrStran9elove, I am having this same problem. Can you tell me what you did to fix it? How did you add the dependency?
-
To create a dependency - Go into regedit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Right-click the service that you are trying to set a dependency for and select New -> Multi-string Value.
Rename the new value to DependOnService. Double-click the DependOnService value and enter the dependent service name into the Value data: field and click OK. Close the registry editor.
Restart the server.
That didn't work for me though.
My fix: I went into the DNS settings and added my domain name to "DNS suffix for this connection", checked the box to "Use this connection's suffix in DNS registration", and rebooted.
-
Thanks Jeff. I already did the DNS suffix a while ago and it didn't work. I'll try the dependency.
-
Okay so I have added the DNS suffix in the network adapter, changed nlasvc to delayed start, put the DNS suffix in my group policy, made sure that my DNS suffix in my registry matches correctly to the one in my network adapter, created the dependency for the nlasvc to work with netlogon, and I have changed the network profile category to a 2 in my registry. None of these have worked for me. I could write a script to restart the adapter at startup I suppose but I was wondering if anyone else has done something that works that I haven't tried yet. None of the changes survive the reboot, it reverts back to the private network instead of the domain network
-
This worked for me: sc config nlasvc depend=DNS
-
sc config nlasvc depend=DNS deletes all of the other dependencies and breaks the service entirely.
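Added example (not part of the original thread or any poster's code): a PowerShell sketch of the point made in the post above, that `sc config ... depend=` replaces the whole dependency list. It reads the current `DependOnService` value and passes sc.exe the existing entries plus the new ones; the function name `Add-ServiceDependency` and its parameters are made up for this example.

```powershell
# Added example: append to a service's dependency list instead of replacing it.
# Add-ServiceDependency is a hypothetical helper name; run from an elevated prompt.
function Add-ServiceDependency {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]   $ServiceName,
        [Parameter(Mandatory)][string[]] $DependsOn
    )

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $key)) { throw "Service '$ServiceName' not found." }

    # A dependency on a service that is not installed stops the dependent
    # service from starting, so check each name first.
    foreach ($dep in $DependsOn) {
        if (-not (Get-Service -Name $dep -ErrorAction SilentlyContinue)) {
            throw "Dependency '$dep' is not installed on this machine."
        }
    }

    # DependOnService is a REG_MULTI_SZ and may be missing altogether.
    $prop   = Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue
    $before = @($prop.DependOnService | Where-Object { $_ })

    # Keep the existing entries in order; add only names not already listed
    # (-notcontains compares case-insensitively).
    $after = @($before)
    foreach ($dep in $DependsOn) {
        if ($after -notcontains $dep) { $after += $dep }
    }

    if ($after.Count -ne $before.Count) {
        $list = $after -join '/'
        if ($PSCmdlet.ShouldProcess($ServiceName, "sc.exe config depend= $list")) {
            # sc.exe replaces the whole list, so pass the merged one.
            & sc.exe config $ServiceName depend= $list | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "sc.exe failed with exit code $LASTEXITCODE" }
        }
    }

    # Return both lists so the previous value can be restored later.
    [pscustomobject]@{ Service = $ServiceName; Before = $before; After = $after }
}

# Preview first, then rerun without -WhatIf. The service names are the ones
# suggested in this thread for a member server (first line) and for a DC.
Add-ServiceDependency -ServiceName NlaSvc -DependsOn Dnscache, Netlogon -WhatIf
# Add-ServiceDependency -ServiceName NlaSvc -DependsOn DNS, NTDS -WhatIf
```

`sc.exe qc NlaSvc` shows the resulting DEPENDENCIES list.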
-
I am still looking at this. I have been looking in the registry in the network profile list for NLA. I noticed that some entries in the registry and there are two categories (the categories to change private, public, domain etc). One is called category and another is called category type while other entries just have category. Does anyone know why that is? My NLA entry also has two intranets cached for some reason in the registry on my PDC. I am thinking that maybe the clients can't pick one and so they run out of time in the authentication process and just resort to public. Can anyone comment on this?
-
Have tried a number of these ideas without success. A better service to depend on would be DNS Client (dnscache).
sc config nlasvc depend=dnscache
That and the lines below seemed to clear up NLA for me on a DC. From https://www.mcbsys.com/blog/2018/03/network-location-sensation-doesnt-identify-domain/
sc config NlaSvc start= delayed-auto
sc triggerinfo NlaSvc start/networkon stop/networkoff
sc qc NlaSvc
sc qtriggerinfo NlaSvc
Good luck!
-
<rant>
After 12 years, the NLASvc is still a broken pain.
I can't tell you how many times (when I was a consultant, or when non-admins install a server) I've encountered people just shutting off the Windows firewall vs dealing with this service, that Microsoft can't seem to find time to fix,
How hard can it be to add a setting to force connections to DOMAIN (They *almost* have a setting that works, in that you can set a GPO on
</rant>
- Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies -> Unidentified Networks to "Private" or "Public"
But then you have to duplicate your rules between Domain and Private, which can be non-trivial depending on how complicated your GPO rules are for Windows Firewall...
And even if you try to set Set-NetConnectionProfile -NetworkCategory Domain
it will fail as only public and private may be set.
Is it really this hard to resolve the hard block that is probably 1 or 2 if statements to allow either the GPO to take Domain, or the -NetworkCategory to take Domain (So you could at least run a script to fix it as the other alternative. Restart-Service nlasvc -Force only fixes it 90% of the time, sometimes disable/re-enable of the adapter is required)
And sometimes, Restart-Service nlasvc -Force
isn't enough to resolve it, however
Get-NetAdapter | Restart-NetAdapter
does resolve it.
-
Setting up fresh 2019 domain and also encountered this ongoing network profile issue. But hey - Next feature update bound to have new Candy Crush bonus levels so its just trade offs / compromises of priorities.
I tried all the usual. Delay NLA start, DNS suffix, register this adapters connection. But if just restart NLA then immediate domain profile.
Tried the Dr's Netlogon dependency. It works.
I must confess, you have an astonishingly good idea there, Doctor.
-
Thanks for this whole thread. I've been beating my head against the wall for two hours trying to figure out why I couldn't RDP into my 2019 Standard server.
Adding netlogon as dependency for nlasvc solved it for me.
Thank you DrStran9elove and everyone else.
whew.
-
I've also just had this issue on Server2012R2 that has been running for about 4 years no problem. The last update and subsequent reboot caused the network to switch to Public and threw out my Backup software clients that rely on a Firewall rule to get to a port on the Domain Network.
Looking at DrStran9elove's solution its a possible fix, however the solution above says to create a new key DependOnService. This key already exists for NlaSvc and the dependencies set as NSI,RpcSs,TcpIp,Dhcp,Eventlog. I'm surprised that with all those dependencies, the Server OS still gets it wrong. I haven't tried the fix yet as this is the first time it has happened. But for Server 2019 to still be suffering the same issue is unforgivable.
-
Another update. I added DNS and NTDS to the NLA service on my 2012 domain controllers. It seemed to work on my domain controllers. I added another server 2019 for applications/RDS/RADIUS and it is having problems authenticating with the network now because of NLA. I added two dependencies for NLA on this server 2019, dnscache and netlogon. The netlogon dependency helped a little bit for the log on process but my network is still coming up as public. This is a newly built server I was going to deploy to the production environment but I am now thinking about rebuilding it again. Anyone have any ideas?
-
I almost hate to be "Mr. Obvious" here, but "mrwrighty" is right; This is a MICROSOFT Bug; and Microsoft should fix it! This is just plain bad, and wrong! There are people here offering half-baked "workarounds" by basically just guessing at what the issue may be. And, who knows - by adding another dependency; while not considering pre-existing dependencies - who knows what else may be broken by making that change? Either way, the obvious thing is to report this to Microsoft as a bug, over and over and over and over again, until they get the hint; and until they fix it. Though, after this amount of time, and with this MICROSOFT Bug existing for such a very long time; I wonder if they will fix it? Server 2019 has been out for... about 1 year now (?) and this still is an issue; and also has existed in other versions of Windows Server?
At my uncle's shop, I just encountered this, while setting up a small domain for 20 workstations using Server 2019 Essentials. It's not a showstopper at this point; and I will try some of the above steps, but this clearly is a VENDOR issue; the vendor in this case being Microsoft.
A big thank you to all those who have worked out possible fixes for this issue - YOU are the heart and soul of; and the definition of a true "community!"
Regards
Jeff
-
Brand new Server 2019 standard install on new hardware. 2 reboots and twice the network has come up as public. Come on Microsoft get your bloody shit together.
-
I have tried everything to fix this. A few people have said it is actually a networking issue. I haven't tried that yet. I'm going to try that next.
-
Dr's dependency on Netlogon did not work for me, but making NlaSvc dependent on DNS did the trick.
-
Good one, had a 2016 DC that was running as a Hyper-V host refuse to observe its own Domain after reboots
Usually the NlaSvc on delay works
you can set the firewall to detect all networks as private in a GPO
CC\Policies\Windows Settings\Security Settings\Network List Manager\Change Unidentified to Private and Identifying Networks to Private
that is SOP since 2008
Thank you Dr
-
OK spoke too soon, I guess 7 of 10 reboots was better than nothing
Added a script to restart the NlaSvc after booted for a minute
we shall see how that goes..yikes
-
The netlogon dependency worked for me. What a PITA that this is still a problem after all these years.
Even more fun when Exchange is in the mix and it can't contact the domain...
-
What I have found to work is adding netlogon and DNS to the dependency of NLA
On a Single DC also add Directory Services
This is working as it should with no ill effects so far
If you have a single Hyper-V server it never picks the domain
Servers = sc config nlasvc depend= NSI/RpcSs/TcpIp/Dhcp/Eventlog/Dnscache/Netlogon
DC = sc config nlasvc depend= NSI/RpcSs/TcpIp/Dhcp/Eventlog/DNS/NTDS
This has been an issue since 2008 so MS will never "fix it"
-
None of these Are working for me at all please fix this
-
This works, but why? Why won't they fix it? Issue still persists with months of updates. I see this on multiple 2019 servers and 2019 AD servers.
-
Who are you asking to fix it - spiceheads?
-
add this to your registry
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc]
"DelayedAutostart"=dword:00000001
it will delay NLA
Otherwise you have some kind of DNS issue
Between the delay and the dependencies the error of picking the wrong domain is no longer an issue, even with a single HV server
-
What kind of DNS issue? In this case it's only one DNS server & the DC is the DNS server as well. 4 person office. Never had this issue with Server 2008 R2 and Server 2016. But have hit this multiple times with Server 2019. This specific case I did a server migration from Server 2008R2 to Server 2019. Old server has been decommissioned, but this one annoyance remains. I have seen this on a couple other Server 2019 deployments as well.
A bit odd to have to make registry edits for this. Shouldn't it be patched by MS?
-
This has been an issue since 2008
The registry edit would be so it is easier to deploy than manually changing the service in the console
Microsoft will never resolve this
See my post here
Feb 18, 2021 at 11:41 AM
The dependencies with the delay has worked even in environments with one piece of server hardware
no sense killing yourself over it
Also if some miracle happens and MS does resolve this you can always put the dependencies and the delay back to factory settings
Try it in a lab if you are leery
take care
RNR
-
Yep - I agree. Just venting on MS. They love to not fix bugs for years....years.
-
Just throwing in my two cents here...I received a report that a VM was not responding.
Remote in - VM was stuck "Stopping" odd, but okay. A tip to restarting that specific VM process is to run Get-VM | Select Name, id within PowerShell, using that ID open up the details tab of Task Manager and nuke it. Came back up, yay!
One small problem, the VM's NIC was now showing "Unidentified network" began the usual troubleshoot steps that were mentioned in this post. Nada.
Found there was a secondary network profile listed here:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
I deleted the secondary (Unidentified Network Profile), removed the NIC from the VM settings (via the host), re-added it and the network profile was back to normal.
I've seen multiple problems cause this type of problem (Namely DNS/Gateway typos or issues with the DcGetName ((Check your dcdiag, kids!)) and almost always leave the NLA service at "Automatic Delayed".
Hope that helps anyone else who may be having the issue. Deleting that profile and re-adding the NIC to the VM was the ONLY thing that fixed this specific issue.
-
I have a brand new Server 2019 (fully updated) DC. Everything was fine until I enabled SMB1 (because I have to support a Server 2003). Then I was suddenly in Private instead of Domain. Restarting NLA does fix it until the next reboot.
I added the NetLogon dependency to the existing list of dependencies, but that did not work. Then I added DNS as a dependency and that DID work.
Thanks to all.
-
where did you put the dependency for netlogin to get it to work
-
This is such a fundamental bug in a server operating system that has, to my knowledge, existed since Server 2012R2 and here we are 9 years on with Server 2019 and the problem still exists. First how can MS miss such a glaring bug and how come in the plethora of huge updates over the years it is still not fixed. We should not be having to find workarounds for this.
-
I don't like monkeying with critical dependent services defaults, so what is working for my Virtual DC's is to delay start the Virtual App Server.
Because if the DC goes to Public or Private, so does the Apps server and twice as much work to get it working right again.
I set the NlaSVC to delayed start, and have a scheduled task that runs 15 minutes after startup to restart NlaSVC.
Scheduled Tasks, Run on Startup, 15 Minute Delay
Run logged in or not, and run with highest privileges.
Set user for admin service or admin account and enter password.
cmd /c net stop NlaSVC /y && net start NlaSVC
The /y is to answer YES to dependency prompts.
This always works for me.
-
I will second the fix that Mel3680 suggests in the post just above this. I happen to run across the same article on my own and wanted to share, but Mel3680 beat me to it :)
The fix appears to work (tested with several reboots), and is much easier and elegant to implement. I did this on a basic fax server I'm setting up and worked great.
https://superit.in/dmz-rodc-is-going-in-public-network-profile-after-reboot/
Add below registry key and reboot your RODC. Once below reg key is set, your server will keep sending requests to RWDC until is found.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters
Add a DWORD parameter : AlwaysExpectDomainController
Set value to:1
Note: This registry key alters the behavior when NLA retries domain detection.
-
I am glad everyone has kept hunting for a better solution to an issue that has been around for over a decade
Looks like it originally came from MS itself
https://docs.microsoft.com/en-us/answers/questions/400385/network-location-awareness-not-detecting-d...
I would rather add a key than change service dependencies
Source: https://community.spiceworks.com/topic/2205082-new-server-2019-dc-keeps-setting-network-location-to-private-why
Posted by: fuentespasomenton.blogspot.com
