Server 2008 with Hyper-V - domain controller - Firewall GUI's show firewall ON, but netsh reports firewall OFF

Bruce Sanderson
09-12-2008, 04:50 AM
I've worked with the Windows Firewall since it was introduced in Windows XP
SP2 and Windows 2008 since it went to beta.

But, now I'm confused (the system is working fine - its just that netsh
appears to give inconsistent results - see question at the end of this
post).

The server is running Windows Server 2008 64 bit with Hyper-V. In the
"parent" VM, I have AD Domain Services and WSUS installed with the firewall
configured via GPO (this is a small domain I have at home for testing etc.).

If I run the Start, Administrative Tools, Windows Firewall with Advanced
Security it tells me:
For your security, some settings are controlled by Group Policy
Domain Profile is Active
Windows Firewall is on.
Inbound connections that do not match a rule are blocked
Outbound connections that do not match a rule are allowed

If I run Control Panel, Windows Firewall, it tells me:
For your security, some settings are controlled by Group Policy
Windows Firewall is on.
Inbound connections that do not have an exception are blocked.
Display a notification when a program is blocked: Yes
Network Location: Domain network

If I click Change Settings, the Windows Firewall Settings dialog tells me:
For your security, some settings are controlled by Group Policy
the On radio button is selected, but grayed out
the Exceptions tab shows several exceptions, some set by Group Policy
and some set locally
[I've allowed local exceptions in the Group Policy]

If I run this command (I get the same result in a "normal" and "elevated"
command prompt window)

netsh firewall show state

I get this:

Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Enable

Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
500 UDP Any (null)
4500 UDP Any (null)
88 UDP Any (null)
88 TCP Any (null)
80 TCP Any (null)
53212 TCP Any (null)
53211 TCP Any (null)
53 UDP Any (null)
53 TCP Any (null)
389 UDP Any (null)
389 TCP Any (null)
3268 TCP Any (null)
123 UDP Any (null)

All of the above conforms to my understanding of what I have configured.

If I run this command (I get the same result in a "normal" and "elevated"
command prompt window)

netsh advfirewall show currentprofile

I get this:

Domain Profile Settings:
----------------------------------------------------------------------
State OFF
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable

Logging:
LogAllowedConnections Enable
LogDroppedConnections Enable
FileName C:\Windows\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096

Ok.

So what does "State OFF" mean when all other indications are that the
firewall is ON?

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

Bill Grant
09-12-2008, 06:16 AM

That definitely doesn't look right. I just ran the same command on this
machine (Vista in a workgroup) and the output shows

Private Profile Settings:

State ON

If I disable the firewall from the GUI it changes to OFF.

It could have something to do with Hyper-V. Do you have a virtual
network linked to the NIC? This makes pretty major changes to the way the
NIC works. The host actually connects to the network through the virtual
switch.

Microsoft actually recommends that you do not run any role except
Hyper-V in the parent partition.

Bruce Sanderson
09-14-2008, 01:07 AM
Bill, thanks for your reply.

This physical computer has only one network adapter and there are virtual
machines that (when they are running) communicate with each other, other LAN
attached computers and the Internet (via a router), so yes, there is a
virtual network linked to the NIC.

I ran the netsh advfirewall show currentprofile on another Windows Server
2008 Domain Controller (single DC in experimental domain) installation and
it shows:

Domain Profile Settings
--------------------------------------------
State ON

So, looks like your supposition that Hyper-V is causing the discrepancy is
most likely bang on.

In a "production" installation, I wouldn't recommend using the Hyper-V parent
partition as a Domain Controller either. In my simple home installation,
the server is mostly to be a domain controller and WSUS server - running
Virtual Machines is secondary, but I wanted to get some experience with
Hyper-V, so added that role.

I find many references in forums, articles etc. that say "Microsoft
recommends" not running applications in the Parent vm, but I can't find any
Microsoft document that says this (not that it/they don't exist, just I
can't find them!). Do you know where such recommendations by Microsoft can
be found? I'd like to have it handy for future reference.

Bill Grant
09-14-2008, 05:14 AM

Here is a link to a Technet article which mentions it.

http://technet.microsoft.com/en-us/l.../cc794726.aspx

The main reasons seem to be security based, not performance based.

Bruce Sanderson
09-15-2008, 12:02 AM
Great! Thanks Bill.

Bruce Sanderson
09-24-2008, 09:37 PM
Sorry to take so long to reply - been kind of busy and out of touch lately.

1. Why is there no Hyper-V newsgroup? I know I am not alone in finding web
"forums" slow and clumsy to use, including the Microsoft TechNet forums - I
avoid using web forums whenever possible because it is too slow navigating
around, viewing posts etc. Newsgroups are much quicker and easier to use
via a newsgroup reader (e.g. Windows Mail or Outlook Express). Please
suggest to whoever manages the Microsoft newsgroups (e.g.
msnews.microsoft.com) or Hyper-V that a newsgroup for Hyper-V (e.g.
microsoft.public.windows.server.hyper-v) would be useful.

2. Why does netsh say the firewall is OFF when all the firewall related GUIs
(e.g. Windows Firewall with Advanced Security) show that the firewall is ON?
Is there a document somewhere that explains this difference? Also, all
other evidence is that the firewall is indeed blocking unwanted traffic and
is thus ON. For example, if I remove the check mark (in the Windows
Firewall Control Panel applet) for Remote Service Management, attempting to
view or manage services remotely (e.g. via Computer Management) from another
computer fails (RPC service not available). When I add the check mark back
again, I can again view and manage services remotely.

3. I see no Event Log entries about any problems with the firewall
configuration or Hyper-V (or other services) in any event logs.

4. This is a very small installation (just the one server), so it is not
practical for me to remove the Active Directory or other services (e.g.
several file shares) from this server. I'll consider moving these services
to a child partition, but then, since the only domain controller will be a
virtual machine running on this server, it won't be practical to make the
Hyper-V parent partition a domain member, which will be awkward.

5. As suggested, I executed the command netsh advfirewall set currentprofile
state on. Apart from the fact that the netsh advfirewall show
currentprofile command now reports Status: ON, I cannot detect any change
in behaviour of the firewall, the server or the services running on it -
everything is still working as it was before, including Active Directory,
WSUS, file sharing etc.

"George Yin(MSFT)" wrote in message:
> Hello,
>
> Yes, we do not recommend installing other services or applications on the
> parent partition except the Hyper-V role.
>
> I have a Hyper-V server running in my domain environment. I have checked
> all the firewall setting and they are working fine. The Domain Profile
> Settings State shows ON.
>
> This "state off" usually means that the relevant profile has been turned
> off. Would you please try manually turning on the profile to see how it
> goes? Try the following command to see if it can help:
>
> Netsh advfirewall set currentprofile state on
>
> If this cannot help, I would suggest that you check the Event Viewer,
> located at the sections under "Applications and Services
> Logs\Microsoft\Windows" starting with the words "Hyper-V-", to see if any
> errors or warnings exist.
>
> You may also need to check the firewall settings to see if any incorrect
> configuration exists.
>
> If possible, I would also suggest that you try removing other services and
> applications, or try reinstalling the Hyper-V server (without any other
> applications or services) to see if the problem remains.
>
> Besides, if you have any questions or problems relating to Hyper-V, I
> would like to suggest that you post in our Hyper-V forum. People there
> have better knowledge on Hyper-V and they may share some useful
> information with you.
>
> http://social.technet.microsoft.com/...yperv/threads/
>
> Sincerely,
> George Yin
> Microsoft Online Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>

George Yin
09-29-2008, 10:45 AM
Hello Bruce,

Thank you for the update.

Regarding the question 1.
====================

I can fully understand your concern.

However, the forum is considered the next generation of communication
platform, and all the current newsgroups will be migrated to the forum.

I have heard from the forum product group that they are doing a lot of work
to improve the forum. Some similar tools, like OE, that can be used with
newsgroups are also being developed. This may take a little longer, but I
am sure that you will enjoy it.

I am sorry if it brings any inconvenience right now.

Regarding the questions 2, 3 and 5.
=========================

Did you configure the Group Policy for Windows Firewall with Advanced
Security like this?

The Firewall state is set to 'On (recommended)', on the Domain Profile tab,
of the Windows Firewall with Advanced Security.

If you did, the Firewall state of the Windows Firewall with Advanced
Security on the client computers is greyed out. This means that any changes
on the client side will be overridden by the Group Policy (you can still
add new rules), even though you can turn the profile on or off. However, that
doesn't really affect the current settings and doesn't really turn the
profile on or off.

So, please check if the Group Policy is really applied to the client
machine (including all the rules set in the Group Policy).

If it is, you can ignore the output of the "netsh advfirewall show
currentprofile", as it doesn't really affect the current settings.
Actually, the Group Policy does.

If not, you may need to check the network settings. Try "gpupdate /force"
on the client machine to see how it goes.

Regarding the question 4.
====================

I would agree with you. That may be much better than putting Active
Directory into a child partition.

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center
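The check George describes (is the profile state set by Group Policy, and is that policy actually applied?), as an added example that is not code from the thread or from Microsoft: it reads the EnableFirewall value from the Group Policy store and from the local store for each profile and sets it beside the State line that netsh prints, so a "State OFF" on a GPO-managed host is judged against what is actually in force. It assumes the standard registry locations named in the comments, the text layout of netsh advfirewall show allprofiles, and an elevated PowerShell session on the host being checked.

```powershell
# Added example, not code from the thread. Reconciles the profile "State"
# reported by "netsh advfirewall show allprofiles" (read from the local
# store) with the state the Group Policy store enforces, so that "State OFF"
# on a GPO-managed host is read in context rather than taken at face value.
# Assumptions: the standard Windows Firewall registry stores below, and an
# elevated PowerShell session on the host being checked.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Profile key names differ between the two stores for the private profile
# (the local store still uses the pre-Vista name "StandardProfile").
$ProfileKeys = @{
    'Domain'  = @('DomainProfile')
    'Private' = @('PrivateProfile', 'StandardProfile')
    'Public'  = @('PublicProfile')
}

function Get-EnableFirewallValue {
    # Returns the EnableFirewall DWORD from the first key that defines it,
    # or $null when neither the key nor the value exists in that store.
    param([string]$Root, [string[]]$KeyNames)
    foreach ($key in $KeyNames) {
        $item = Get-ItemProperty -Path (Join-Path $Root $key) -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties['EnableFirewall']) {
            return [int]$item.EnableFirewall
        }
    }
    return $null
}

function Get-NetshProfileState {
    # Parses "netsh advfirewall show allprofiles" into a Profile -> ON/OFF table.
    $states  = @{}
    $current = $null
    foreach ($line in (& netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^State\s+(ON|OFF)\s*$') {
            $states[$current] = $Matches[1]
            $current = $null
        }
    }
    return $states
}

function Get-FirewallStateReport {
    $netsh = Get-NetshProfileState
    foreach ($name in 'Domain', 'Private', 'Public') {
        $policy = Get-EnableFirewallValue -Root $PolicyRoot -KeyNames $ProfileKeys[$name]
        $local  = Get-EnableFirewallValue -Root $LocalRoot  -KeyNames $ProfileKeys[$name]
        # The policy store wins when it defines a value; otherwise the local
        # store applies; otherwise nothing is configured for this profile.
        if ($policy -ne $null)     { $source = 'Group Policy';   $value = $policy }
        elseif ($local -ne $null)  { $source = 'Local';          $value = $local }
        else                       { $source = 'Not configured'; $value = $null }
        $effective = if ($value -eq $null) { 'UNKNOWN' } elseif ($value -eq 1) { 'ON' } else { 'OFF' }
        $reported  = if ($netsh.ContainsKey($name)) { $netsh[$name] } else { 'UNKNOWN' }
        New-Object PSObject -Property @{
            Profile        = $name
            NetshState     = $reported
            EffectiveState = $effective
            Source         = $source
            # The thread's case: netsh shows the local store as OFF while the
            # GPO store enforces ON. Worth flagging, but not a hole in itself.
            Mismatch       = ($reported -ne $effective)
        }
    }
}

Get-FirewallStateReport | Format-Table Profile, NetshState, EffectiveState, Source, Mismatch -AutoSize
```

If the Domain profile shows Source "Group Policy" with EffectiveState ON while NetshState is OFF, that is the situation in this thread; if Source is "Not configured" on a machine that should receive the GPO, check policy application (gpupdate /force, as George suggests) before trusting either value.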

George Yin
10-07-2008, 09:57 AM
Hello,

I am just writing to see how everything is going. If you have any updates
or need any further assistance on this issue, please feel free to let me
know. I am glad to be of assistance.

Sincerely,
George Yin
Microsoft Online Support
Microsoft Global Technical Support Center