NLA Profile + iSCSI Weirdness

coolrunnings82

I have a hyper-v server that connects to an OmniOS SAN using MPIO. Whenever a storage network card changes configuration or is disconnected, Windows Firewall gets confused and acts like the primary network is Public instead of Domain and the machine becomes unavailable via RDP. A reboot fixes this but next time a storage connection goes down, it gets freaked and the same thing happens.

Some notes about my configuration:

  • The hyper-v server has 4x 10G network ports from 2 separate cards.
  • 1 card has 1x port dedicated to a hyper-v switch and not shared with the host OS. The other port serves the OS and connects it to the LAN. The LAN port has a local static IP set on it.
  • The 2nd card has both ports dedicated to iSCSI. The only protocols running on the card are IPv4 and QOS. Client for MS Networks etc. are unchecked.
  • Binding order is set so all the iSCSI ports are at the bottom of the list.
  • Power management is configured to not allow the OS to turn off the NICs.
  • The domain controller is virtual and runs on this same hyper-v server.
I've set NLA to delayed start but to no avail. I've also restarted the NLA service but this doesn't fix the problem. The only thing that resolves it is a reboot. I'm at a loss as to what else to try. Ideas?

optimans

Are you running Hyper-V Server 2016?

I have a 2016 DC with a similar problem. You might have to create a scheduled task to restart NLA, running at startup with a delay of however many minutes it takes for the DC VM to be operational.

Run as NT Authority\SYSTEM
Run as hidden
Don't select run with highest privileges
Trigger: at startup and delay for x minutes
Action: start a program: net stop nlasvc /y
Action: start a program: net start nlasvc
(Use net as the program, and the rest as the arguments)

Just search for system user and it will automatically change it to NT Authority for you.

Try that and see how ya go. Hopefully it helps.

coolrunnings82

I'm running Server 2012 R2 with the Hyper-V role installed. I tried restarting the NLA service manually and it didn't change anything. Also the NIC used for the Hyper-V switch continues to work fine. This is when I disconnect a cable on one (either one) of the two links used for iSCSI. I can try delaying the startup per the instructions above but I'm not sure it would have much effect given that this isn't happening at startup but only when a network link gets disconnected and reconnected...

optimans

What models are the network cards? Wondering if it is a driver-related issue?

A workaround for remote access might help for now.

Have you set the network list manager policy to force unknown networks to private in GPO?

Computer Configuration\Policies\Windows Settings\Security Settings\Network List Manager Policies\Unidentified Networks
Location type: Private
Computer Configuration\Policies\Windows Settings\Security Settings\Network List Manager Policies\Identifying Networks
Location type: Private

Then create firewall rules for both domain and private networks for Echo Request, Windows Remote Management, Remote Desktop, etc. so that when it loses its network profile you can still get access to the server.
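Putting optimans' two suggestions (the delayed NLA restart task and the Domain+Private firewall rules) into PowerShell, as an added example that is not from the thread. The management subnet, task name and 5-minute delay are placeholders I chose, and the rules are additionally scoped to that subnet because Private is a wider trust level than Domain:

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 4+ on
# Server 2012 R2 / 2016. 10.0.10.0/24 is a placeholder for the admin LAN.
$MgmtSubnet = '10.0.10.0/24'

# 1. Diagnostic: which profile NLA has assigned to each interface. The LAN
#    NIC should be DomainAuthenticated; the iSCSI NICs should not appear
#    at all when only IPv4 and QoS are bound to them.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# 2. Make the built-in RDP, WinRM and ICMPv4 Echo Request inbound rules
#    apply to Domain AND Private, so a profile flip does not lock you out,
#    but restrict them to the admin subnet since Private is not Domain.
$groups = @('Remote Desktop', 'Windows Remote Management', 'File and Printer Sharing')
foreach ($g in $groups) {
    Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $g -ne 'File and Printer Sharing' -or
                       $_.DisplayName -like '*Echo Request - ICMPv4*' } |
        Set-NetFirewallRule -Profile Domain, Private -Enabled True `
                            -RemoteAddress $MgmtSubnet
}

# 3. Scheduled task: restart NLA after boot once the virtual DC is up.
#    Runs as SYSTEM, hidden, not elevated beyond Limited. Delay is ISO 8601.
$actions = @(
    (New-ScheduledTaskAction -Execute 'net.exe' -Argument 'stop nlasvc /y'),
    (New-ScheduledTaskAction -Execute 'net.exe' -Argument 'start nlasvc')
)
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT5M'   # placeholder: time for the DC VM to become operational
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Limited
$settings = New-ScheduledTaskSettingsSet -Hidden
Register-ScheduledTask -TaskName 'Restart-NLA-AfterBoot' -Action $actions `
    -Trigger $trigger -Principal $principal -Settings $settings -Force
```

Run step 1 again after pulling an iSCSI cable to confirm whether the LAN interface or a storage interface is the one that changes category.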

coolrunnings82

Network cards are Intel X540-T2. This happens both with onboard cards or add-in cards which are also that particular model. Haven't set the GPO yet. Mostly trying to figure out why it happens.

optimans

How did you go setting up the GPO?

I did have another idea: do you have RegisterThisConnectionsAddress enabled for all interfaces?

Powershell> Get-DnsClient