
I am setting up AD in an isolated network so that I can enjoy the benefits of Microsoft's Hyper-V replication/high availability/clustering/etc.

This network does not have a default gateway and all IP addresses are statically assigned. Servers are 2012 R2.

A domain-joined machine identifies the network connection as 'Unidentified'

I do NOT want to manually override the firewall config to treat 'Unidentified' networks as 'Private'

I do NOT want to manually assign connection-specific DNS Suffixes to the interfaces.

I DO want domain-joined machines to identify the network as 'Domain'

I have read that "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName" is used to identify the network 'Location', but as I am not using DHCP and I do not want to manually configure connection-specific DNS suffixes, this key is blank.

As a test step, I tried to manually set the default gateway of the domain-joined computer to the IP address of the PDC (previously blank), and NLA immediately identified that I was on the domain network. This 'works', but is a bit of a hack, as the PDC is NOT the default gateway, and would NOT be the default gateway if I were to add one later to de-isolate the network.

As another test step, I manually set the default gateway of the domain-joined computer to an unused IP address in the same subnet (the IP I would use if I had a router/default gateway). After a reboot the domain-joined computer still did not identify the network as 'domain'.

How can I get the domain-joined machine to identify the network as 'Domain', without DHCP, without connection-specific DNS suffixes, and without default gateways?

Is there another way? DNS configuration?

goofology
  • If you "de-isolate" these hosts at some point then just set their DG as the actual DG. – joeqwerty Feb 04 '16 at 20:28
  • Wouldn't that break the 'domain' detection by NLA? For fun I tried to set the default gateway on the domain-joined machine to point to an unused static IP (what the gateway IP address might be in the future) in the same subnet and it detected 'private', but not 'domain'. Do I need to set something in DNS? – goofology Feb 04 '16 at 20:33
  • I'm not sure why it's detecting the network as unidentified to begin with. If these are domain joined machines then it should be detecting them as domain joined. Pointing them at the PDCe as their DG may have "tricked" them into identifying the network correctly but pointing them to an actual DG shouldn't break them, I mean that's the way domain joined clients are configured in every AD domain on the planet. Domain clients don't use their PDCe as their DG, they use their DG. – joeqwerty Feb 04 '16 at 20:37
  • Essentially what I'm saying is that if your "trick" works for your purposes then great, but when you "de-isolate" the network then just point them at the actual DG. That's not going to break anything. – joeqwerty Feb 04 '16 at 20:39
  • But most domain-joined clients receive their connection-specific DNS suffixes via DHCP, which assists in the detection of the 'domain' location. That is not an option in my case. – goofology Feb 04 '16 at 20:41
  • Out of curiosity, what do the domain joined clients use for DNS? What is the DC using for DNS? – joeqwerty Feb 04 '16 at 21:05
  • DNS is on the PDC. There are 2 machines in this domain: the PDC and the app server in question. – goofology Feb 04 '16 at 21:26
  • I realize that DNS is on the DC, what I'm asking is if the DC is using itself for DNS and if the domain member is using the DC for DNS? – joeqwerty Feb 04 '16 at 21:31
  • DC is pointed to itself (127.0.0.1), domain member is pointed at DC – goofology Feb 04 '16 at 21:32
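The question and the comment thread turn on four pieces of state that NLA consults on a 2012 R2 domain member: the current network category per interface, the DNS suffixes (primary and connection-specific), the Group Policy History NetworkName key the poster mentions, and whether the member can locate and reach a DC over LDAP. The following PowerShell is an added diagnostic script for collecting all of that in one pass; it is not code from the original post or from any of the commenters. It assumes the member's DNS server is the DC and that the DC answers LDAP on TCP 389 (both assumptions, not facts stated on the page); the only other thing it relies on is that NLA keys its network signature on the default gateway, which is why a network with no default route is usually reported as 'Unidentified'. It changes nothing; the one mutating command (restarting NlaSvc to force a re-evaluation) is left commented out.

```powershell
# Added diagnostic script (not from the original post): gather the state NLA
# uses when deciding whether a domain-joined 2012 R2 member is on a 'Domain'
# network. Run from an elevated PowerShell prompt on the domain member.
# Assumptions (not in the original page): the member's DNS server is the DC
# and the DC listens for LDAP on TCP 389.

$cs = Get-CimInstance Win32_ComputerSystem
"Computer       : $($cs.Name)"
"Domain         : $($cs.Domain)   (PartOfDomain = $($cs.PartOfDomain))"

# 1. What NLA currently thinks of each connected interface.
#    NetworkCategory is DomainAuthenticated, Private or Public.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# 2. Primary DNS suffix (Tcpip\Parameters 'Domain' value) and any
#    connection-specific suffixes on the interfaces. With static IPs and no
#    DHCP option 15, the per-interface suffix will normally be empty.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
"Primary DNS suffix : '$($tcpip.Domain)'"
Get-DnsClient |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, UseSuffixWhenRegistering |
    Format-Table -AutoSize

# 3. The Group Policy history key the poster mentions; blank in their setup.
$gpHist = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$networkName = (Get-ItemProperty $gpHist -ErrorAction SilentlyContinue).NetworkName
"GP History NetworkName : '$networkName'"

# 4. Default route(s). NLA derives its network signature from the default
#    gateway, so a network with no default route tends to stay 'Unidentified'.
$routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($routes) {
    $routes | Select-Object InterfaceAlias, NextHop, RouteMetric | Format-Table -AutoSize
} else {
    "Default route      : none (no default gateway configured)"
}

# 5. Can the member locate a DC for its domain, and reach it over LDAP?
$dcInfo = & nltest "/dsgetdc:$($cs.Domain)" 2>&1
$dcInfo
$m = $dcInfo | Select-String 'DC: \\\\(\S+)'
if ($m) {
    $dcHost = $m.Matches[0].Groups[1].Value
    # Assumption: LDAP on TCP 389 is open on the DC.
    Test-NetConnection -ComputerName $dcHost -Port 389 |
        Select-Object ComputerName, RemoteAddress, TcpTestSucceeded |
        Format-Table -AutoSize
} else {
    "DC locator         : nltest could not find a DC for $($cs.Domain)"
}

# 6. Optional: force NLA to re-evaluate without a reboot, then re-run step 1.
#    Left commented out because the script is meant to be read-only.
# Restart-Service -Name NlaSvc -Force
# Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
```

Reading the output against the poster's experiments: if step 5 succeeds while step 1 still reports Private or Public, NLA is not failing to find the DC, and the missing default route (step 4) or the empty suffix and NetworkName values (steps 2 and 3) are the place to look. Running it once with the gateway pointed at the PDC and once with the gateway removed makes the difference between the two states visible in the same four fields.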
