Networking

How can we improve the networking platform and management in Windows Server?

  1. Fix default NPS firewall rules for Server 2019

    Hi all,

    I understand there is an issue with Windows Server 2019/Windows 10 1809; however, I was wondering if Microsoft are aware of any problems regarding the Firewall rather than the system's handling of user files.

    Recently I set up a Server 2019 VM (1.5GB Dynamic RAM, 2 Allocated Cores, 36GB Drive space, 3GB NIC Team) and installed the NPS and RDS Gateway roles onto it; however, I noticed that despite the NPS role adding the standard firewall rules for ports 1813 and 1812, they do not seem to be working.

    I have confirmed that with an exception allowing port 1812…

    17 votes
    8 comments  ·  Firewall
    • Create a WiFi policy linked to User Configuration, to allow for GP WiFi conn mngmt on non-domain devices

      Currently the WiFi Network Policies exist only under Computer Configuration -> Policies -> Windows Settings -> Security Settings and can only be applied to computers that are members of the domain.
      We need a similar WiFi Network Policy under User Configuration to be able to manage the domain users' capability to connect to WiFi with Enterprise authentication, irrespective of which device they use to connect to the Enterprise WiFi.

      1 vote
      0 comments
      • 1 vote
        0 comments  ·  Bug
        • Support CAA records in nslookup

          The nslookup command line tool should support CAA (id=257) DNS resource record types. Bonus points for teaching Resolve-DnsName about this type as well. Super bonus points for supporting and rendering arbitrary record types: just print the data in a side-by-side hex/ASCII view. This way I can view newer record types without needing an OS update.

          2 votes
          0 comments  ·  DNS
          • DNS recursion using wrong NS for delegated zone CNAME

            When Server 2016 DNS Server has a delegation within a primary zone, CNAME records in that delegation result in queries to the delegation's name servers, not forwarders / root hints.
            For example:

            Primary zone: one.example
            Delegation: foo.one.example, with nameserver ns.bar.com

            In that delegated zone, there exists a record:

            baz.foo.one.example IN CNAME other.two.example

            two.example's zone, hosted by ns.somethingelse.com, has a record:
            other.two.example IN A 1.2.3.4

            From a client pointed at the DNS server, query baz.foo.one.example.

            I would expect the server to query ns.bar.com for baz, receive a reply of other.two.example, and then query either two.example's nameserver, or use the default forwarders…

            16 votes
            2 comments  ·  Bug
            • Expose whether DNS Client Server Address assigned by DHCP or Static

              The Get-DNSClientServerAddress cmdlet does not provide information on whether or not the Server Addresses were assigned via DHCP or have been statically assigned.

              This is presumably because the information is not provided to WMI/CIM.

              This information is available by using NETSH, so it is available in the OS.

              This would allow some problems in the xDNSServerAddress resource in the xNetworking DSC resource module (in the Resource Kit) to be solved.

              For more information about the problem and why it is causing problems, please see this issue in the xNetworking resource module: https://github.com/PowerShell/xNetworking/issues/164

              9 votes
              1 comment  ·  Management tools
              • Additional DHCP Server Failover Links

                In Server 2012, Windows Server had DHCP failover added to eliminate the requirement of clustering for HA. DHCP failover is limited to either a Load Balanced pair or an Active-HotStandby member.

                It would be nice to have a load balanced pair of DHCP servers, with a second failover association of a Hot-Standby at a remote location.

                4 votes
                0 comments  ·  DHCP
                • DNS Manager should sort IP addresses numerically

                  In DNS Manager the Data column treats everything as a string so it sorts alphabetically. Instead, it should be smarter and recognize different types of data and sort those numerically. Specifically, it should recognize IPv4 addresses and sort them numerically.

                  We could go from:

                  To:

                  10.0.0.1
                  10.0.0.2
                  10.0.0.100
                  10.0.0.101
                  10.0.0.200
                  10.0.0.201

                  13 votes
                  3 comments  ·  Management tools
                  • Add more BGP debug info

                    There's no info about:
                    - routes that ingress or egress through BGP really,
                    - reasons of including/excluding BGP routes in/from main route table.

                    3 votes
                    0 comments  ·  Misc
                    • Fix DNS management console sorting bug

                      Come on, after 8 years you have still not fixed this bug?
                      https://social.technet.microsoft.com/Forums/windowsserver/en-US/f1b686ad-824f-4c16-a66c-f9470a2dfa6d/2008-dns-ip-address-sorting-issue
                      And NO, this is neither MMC nor regional settings problem, since DHCP management console sorts the same (IP addresses) values CORRECTLY.
                      And NO, exporting to Excel is NOT an option!
                      Come on, grow up and get serious, even in Srv 2K and 2K3 it worked like a charm!

                      73 votes
                      11 comments  ·  DNS
                      • Include SNMPv2/v3 / 64bit counters to Windows Server 2016

                        As we all know, all Windows Servers from 2000 to 2012 R2 only support 32bit counters for SNMP. Because of this, if you run diagnostics on high speed interfaces / virtual interfaces like 1GbE, 10GbE, 40GbE, 100GbE, counters will go over their 32bit value and reset, causing MRTG graphs and other SNMP monitoring utilities to report false values. So my idea is that Microsoft implements 64bit counters in its SNMP implementation and finally adds support for 64bit SNMP.
                        My 7 year old 3com switch supports 64bit SNMP counters but the latest Windows 2012 R2 does not.

                        MRTG: http://oss.oetiker.ch/mrtg/

                        16 votes
                        1 comment
                        • Improve DNS logging options

                          Allow us to put a filter in to log for specific lookups. We should be able to specify a list of names, a list of domains. We will at times have a misbehaving client or piece of malware, or we have an old domain or host and we'd like to know what's still using it. Being able to create a targeted log for these types of situations would often come in handy. As it is, we end up needing to run a network capture on all our domain controllers. The ability to use a PowerShell or dnscmd command to add…

                          18 votes
                          1 comment  ·  DNS
                          • 4G

                            Network

                            2 votes
                            0 comments  ·  Layer 2 & Ethernet
                            • RE-code the DFACS utility

                              RE-code the released DHCP Failover Auto Config Sync (DFACS) utility. We were considering an implementation of it but scrapped the idea hearing of all the alleged scary issues in the comments e.g. memory consumption, deletion of scopes, issues with reservations, etc. The result of implementing the tool should mitigate config drift, not end up causing other larger issues!

                              Please do update me if there is a new build fixing the reported issues.

                              1 vote
                              0 comments  ·  DHCP
                              • Remove Network Location Awareness from Windows Server

                                Remove Network Location Awareness from Windows Server; all it does is cause problems. There is no reason to include this service in Windows Server: servers have static network settings, and people do not consistently move servers to different networks. The Network Location Awareness service fails way too often on reboots to find the proper network it should connect to. It then assigns the incorrect Windows Firewall to the NIC. This service needs to be removed, or we need the ability to set a static location (Domain).

                                5 votes
                                0 comments  ·  Firewall
                                • Fix the ping timeout bug that gives incorrect "reply timed out" messages in Server 2012r2 and Windows 10 for pings under 1000ms timeout

                                  Ping can take a timeout, if the timeout is set less than 1000ms then genuine replies start getting ignored as timed out failures.

                                  Does not affect Server 2003 or 2008.

                                  Does affect Server 2012 r2 and Windows 10.

                                  Appears to be a problem in WinAPI / networking stack rather than .Net or ping.exe implementation - happens at ICMPSendEcho2Ex and ICMP6SendEcho2Ex layers at least.

                                  Documented in detail here: https://stackoverflow.com/questions/45528336/winapi-why-does-icmpsendecho2ex-report-false-timeouts-when-timeout-is-set-belo

                                  and here: http://web.archive.org/web/20150519002258/http://www.frameflow.com:80/ping-utility-flaw-in-windows-api-creating-false-timeouts/

                                  1 vote
                                  0 comments  ·  Bug
                                  • Windows Firewall does not always display the correct default Main Mode IPsec policy

                                    Bug:

                                    The Windows Firewall snap-in does not always show the default Main Mode IPsec policy, it shows whatever MM policy was last created or assigned.

                                    Expected Behavior:

                                    Even if there are multiple Main Mode policies (called Main Mode Crypto Sets internally), the policy with the name of '{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}' should always be displayed as the default in the GUI because it is the default used by Windows for IPsec.

                                    Steps to Reproduce:

                                    *In the Windows Firewall snap-in you can see the current default IPsec Main Mode proposal set by going to Properties of the Windows Firewall > IPsec Settings tab >…

                                    6 votes
                                    2 comments  ·  Firewall
                                    • Cannot create IKEv2 tunnel mode IPsec rules in PowerShell, but IKEv1 works just fine

                                      Bug:

                                      When creating an IPsec rule which uses the IKEv2 keying module in PowerShell, an error is thrown, but it is not likely a PowerShell error, but an underlying bug in Windows.

                                      Expected Behavior:

                                      We should be able to manage IKEv2 IPsec rules however we wish, including creating tunnel mode IKEv2 rules without using RRAS.

                                      Steps To Reproduce:

                                      In PowerShell, the following code should work (notice the KeyModule):

                                      -------start---------
                                      $P1MachineCertOnly = New-NetIPsecPhase1AuthSet -Default <rest of command not shown>

                                      $IPsec3Tunnel = @{
                                      IPsecRuleName = 'IPsec3'
                                      DisplayName = 'IPsec3'
                                      KeyModule = 'IKEv2'
                                      Mode = 'Tunnel'
                                      LocalAddress = '192.168.1.0/24'
                                      LocalTunnelEndpoint = '192.168.1.204'
                                      RemoteAddress…

                                      5 votes
                                      0 comments  ·  Firewall
                                      • DnsServerResourceRecord does not support multi-string records

                                        RFC-4408 (section 3.1.3) https://tools.ietf.org/html/rfc4408#section-3.1.3 defines the use of multi-string records for SPF (DNS TXT records); however, the Get- or Add- DNSServerResourceRecord commands do not support this. For the Get-, the actual DNS record is truncated to 256 chars, and for the Add-, it simply errors out with an invalid property.

                                        Example of a valid DNS record (that can be configured by the DNS GUI)
                                        $RecordName = "spfrecord"
                                        $RecordText = "v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 ip4:192.168.0.3 ip4:192.168.0.4 ip4:192.168.0.5 ip4:192.168.0.6 ip4:192.168.0.7 ip4:192.168.0.8 ip4:192.168.0.9 ip4:192.168.0.10 ip4:192.168.0.11 ip4:192.168.0.12 ip4:192.168.0.13 ip4:192.168.0.14 include:spf.protection.outlook.com mx -all"
                                        $Zone = "contoso.com"
                                        $Type = "TXT"
                                        $DNSServer = "DC1.contoso.com"
                                        Add-DnsServerResourceRecord -DescriptiveText $RecordText -Name…

                                        2 votes
                                        0 comments  ·  Management tools
                                        • Routing and RRAS

                                          Routing and RRAS is broken on Windows Server 2016.
                                          I can't dial up via PPPoE.
                                          It would be great, if this could be fixed.

                                          1 vote
                                          1 comment  ·  Misc