250 Hello

Random Musings on Exchange and Virtualization

SkipAsSource Flag Cleared In Windows 2012


For a while now I’ve been using the Netsh SkipAsSource flag to allow multiple IPs on a server while only the primary IP registers in DNS.  The previous articles in this series are here:

  1. Fine Grained Control When Registering Multiple IP Addresses On a Network Card
  2. Fine Grained Control When Registering Multiple IP Addresses–Part Deux
  3. Fine Grained Control When Registering Multiple IP Addresses–Part Trois

 

Update 19-9-2013;  Tried this out on the RTM build of Windows Server 2012 R2.  Same issue.

 

Life was good until Shawn Martin added a comment asking about a hotfix for Windows Server 2012 to fix a previous issue from Windows Server 2008 R2.  Hotfix 2554859 was noted in the original article, but I had not experienced the behaviour on Server 2012 as I was not using the GUI.

 

This is an excerpt from KB 2554859 describing the issue:

  • You install hotfix 2386184 on the computer to enable the skipassource flag of the netsh command.
  • You assign many IP addresses to a network adapter on the computer by using the netsh command together with the skipassource flag.
  • You update some IP settings for the network adapter in the Network and Sharing Center graphical user interface (GUI). For example, you edit the subnet mask of an IP address that has the skipassource flag set to true.
  • In this scenario, the skipassource flag of the IP address and of all IP addresses that are listed under that address in the GUI are cleared incorrectly.

 

Unfortunately, this issue also manifests itself in Windows Server 2012, though the last bullet is slightly different. 

Let’s run through the behaviour you will see and then what to do about it.

 

Starting Configuration

This is our starting configuration.  A simple setup with a single IPv4 address bound to one NIC. 

Get-NetAdapter | Get-NetIPAddress | Select IPAddress, SkipAsSource

Windows Server 2012 Starting IP Configuration

Let’s use PowerShell’s New-NetIPAddress cmdlet to add an additional IP 192.168.10.121 and specify the -SkipAsSource parameter.

New-NetIPAddress -IPAddress 192.168.10.121 -InterfaceAlias "Ethernet 2" -SkipAsSource $True

Windows Server 2012 - Binding New IPv4 Address With New-NetIPAddress

Looks OK, but we shall verify…

Get-NetAdapter | Get-NetIPAddress | Select IPAddress, SkipAsSource 

Checking SkipAsSource Is Set Using PowerShell

 

So far so good!  Time to change it up!

Enter the GUI

To replicate the issue, let’s now make a change to the IP we just added through the GUI, and change the subnet mask:

Changing Subnet Mask To /24 In Windows 2012 GUI

 

And when we check the SkipAsSource settings after saving the change in the GUI, we can see that the SkipAsSource flag has been lost for the IP address 192.168.10.121.

 

After Editing in GUI, SkipAsSource Flag Is Cleared For IP

 

Interestingly enough, if we add multiple additional IPs, each of which is set to SkipAsSource $True, and we only edit IP 192.168.10.121 in the GUI, only that specific IP loses its SkipAsSource flag.

We can see this below: IPs 192.168.10.121 to .125 were added, all of which have SkipAsSource set to $True.

 

Editing Single IPv4 Does Not Revert SkipAsSource For Other IPv4 Addresses In Windows 2012

GUI is then used to edit just 192.168.10.121, and afterwards only that IP has lost its SkipAsSource flag.

Editing Single IPv4 Does Not Revert SkipAsSource For Other IPv4 Addresses In Windows 2012

 

Workaround

At this time, please do not use the GUI to edit the IP configuration of a machine where SkipAsSource is used.  PowerShell can be used to configure IPs where this feature is used.  If the GUI is used, the SkipAsSource flag will be changed for the IP(s) that were modified.

 

This is an example of using Set-NetIPAddress to change the PrefixLength (Subnet Mask) to /24.  Note that even though SkipAsSource was not explicitly used in the Set-NetIPAddress cmdlet, the original setting was honoured.

Using PowerShell In Windows 2012 To Preserve SkipAsSource
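The check below is an added example, not part of the original post: it compares the live IPv4 configuration against the addresses that are supposed to carry SkipAsSource and restores the flag where a GUI edit has cleared it. The function name Repair-SkipAsSource is hypothetical; the interface alias and addresses are the lab values used above.

```powershell
# Added example, not from the original post. Repair-SkipAsSource is a
# hypothetical helper name; 'Ethernet 2' and 192.168.10.121-125 are the
# lab values from the article.
function Repair-SkipAsSource {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string]   $InterfaceAlias,
        # Addresses that must NOT be chosen as a source / registered in DNS.
        [Parameter(Mandatory = $true)] [string[]] $SecondaryIPAddress
    )

    # Read the live IPv4 configuration for the adapter.
    $bound = Get-NetIPAddress -InterfaceAlias $InterfaceAlias `
                              -AddressFamily IPv4 -PolicyStore ActiveStore

    foreach ($ip in $SecondaryIPAddress) {
        $entry = $bound | Where-Object { $_.IPAddress -eq $ip } |
                 Select-Object -First 1
        if (-not $entry) {
            Write-Warning "$ip is not bound to '$InterfaceAlias'"
            continue
        }
        if ($entry.SkipAsSource) { continue }   # flag intact, nothing to do

        # Flag was cleared (for example by a GUI edit): put it back.
        $action = 'WouldRestore'
        if ($PSCmdlet.ShouldProcess($ip, 'Set SkipAsSource to $true')) {
            Set-NetIPAddress -InterfaceAlias $InterfaceAlias `
                             -IPAddress $ip -SkipAsSource $true
            $action = 'Restored'
        }
        [pscustomobject]@{
            IPAddress    = $ip
            PrefixLength = $entry.PrefixLength
            Action       = $action
        }
    }
}

# Dry run first: report which addresses have lost the flag, change nothing.
$secondary = 121..125 | ForEach-Object { "192.168.10.$_" }
Repair-SkipAsSource -InterfaceAlias 'Ethernet 2' `
                    -SecondaryIPAddress $secondary -WhatIf
```

Drop -WhatIf to apply the fix; an empty result means every listed address still has SkipAsSource set.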

Cheers,

Rhoderick






Comments
  • Thanks for the continued consolidation of this information!  I keep having to come back to refresh my memory on the intricacies of the issue and your series helps greatly!

    With that said, I have a question.  What if you require multiple NICs (e.g. for multi-homing on multiple networks).  How do you enforce outbound traffic always occurs over a specific IP/Network?  Can you add the first IP of a secondary NIC with the SkipAsSource flag?  Will this always be a problem for the secondary NIC (since the GUI can remove this flag for the first IP tied to it)?

  • Thanks for the feedback Matthew - it makes the effort worthwhile!

    The SkipAsSource controls DNS registration.  In your case, if we have multiple NICs on a server and each is on a different subnet then we will be looking at the routing table to tell us how that traffic should be routed out.

    What you may be also thinking about is what happens if I have multiple IPs on a single NIC.  How does the traffic come out in that case?  In Windows 2003 the weak host model was used.  So if traffic came in to an additional IP, it would return from the primary IP.    In 2008+ the strong host model is used by default.  That means traffic coming in to an IP will return from it.  I'm not doing the topic justice, so pop weak host and strong host model into your search engine of choice and read away!  Typically you will see Lync dudes/dudettes discussing this.

    HTH

    Rhoderick

  • How about this as a minor workaround? After adding or modifying the IP via the GUI, use powershell to: Set-NetIpAddress -IPAddress -SkipAsSource:$true Get-NetAdapter | Get-NetIPAddress | Select IPAddress, SkipAsSource will now show the IP skipassource changed to True,

  • The Carriage Return has been removed from the above statement(??) Set-NetIpAddress -IPAddress -SkipAsSource:$true

  • Hi Kieran, yes there is a known issue with the TechNet comments widget at the moment. I've already reported that and the blog support team is working on this. One issue is that the formatting is not properly preserved - sorry !! Yes we can come back and fix this with PowerShell, but you should not have to do this :( Cheers, Rhoderick

  • Hi Rhoderick, I'm back! Sorry I never responded to your response above, but once again I am having this very issue and once again led me to this post.

    So my question above is the same, but in this case I have multiple NICs though they have IPs all for the same network. But I have a situation where the server is choosing to use one of the IPs (main IP on NIC2) for outbound traffic to one system local to its site/subnet, but it chooses to use a different IP (main IP on NIC1) for outbound traffic to a system on a different subnet. Note: NIC2 has the DNS registration checkbox UNCHECKED... basically using the NIC2 to get around the skipassource/netsh/hotfix chaos for the DNS registration issue but now it's a flat out routing issue.

    I'm not entirely sure this is a routing issue because both NICs have the same IP subnet. But one of the systems in question is expecting traffic to come from the "main IP" of the sending server, but because the sending server is choosing the wrong source address, access is being denied. This is driving us batty.

    I would imagine "skipassource" is not just a DNS function but more for preventing an IP from being used as a source address, period. At least that's what I would think based on the name "skip as source". Any ideas??

    Also, have we gotten any information as to why this is still an issue with 2012 R2? Do we know when MSFT is going to actually build this functionality into the GUI itself vs. using powershell/netsh? Expecting administrators to only use the command line options to get around a lacking of the GUI can't be a long term solution, can it?

  • Hi Matthew,


    Have you seen this:

    http://blogs.technet.com/b/networking/archive/2009/04/24/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx

    Cheers,
    Rhoderick
