I have started moving this information to https://help.ubuntu.com/community/SettingUpNFSHowTo
Contents
Installation
NFSv4 without Kerberos
NFSv4 Server
NFSv4 Client
NFSv4 and Autofs
NFSv4 and NFSv3 simultaneously
NFSv4 with Kerberos
Create and distribute credentials
NFSv4 Server with Kerberos
NFSv4 Client with Kerberos
Troubleshooting
Links
Installation
The required packages are different depending on if the system is a client or a server. In this Howto, the server is the host that has the files you want to share and the client is the host that will be mounting the NFS share.
NFSv4 client
sudo apt-get install nfs-common
NFSv4 server
sudo apt-get install nfs-kernel-server
After you finish installing nfs-kernel-server, you might see failure to start nfs-kernel-server due to missing entries in /etc/exports. Remember to restart the service when you finish configuring.
For the error message:
mount.nfs4: No such device
You will have to load the nfs module with the command
modprobe nfs
NFSv4 without Kerberos
NFSv4 Server
NFSv4 exports exist in a single pseudo filesystem, where the real directories are mounted with the --bind option. Here is some additional information regarding this fact.
Let's say we want to export our users' home directories in /home/users. First we create the export filesystem:
sudo mkdir /export
sudo mkdir /export/users
and mount the real users directory with:
sudo mount --bind /home/users /export/users
To save us from retyping this after every reboot we add the following line to /etc/fstab:
/home/users /export/users none bind 0 0
In /etc/default/nfs-kernel-server we set:
NEED_SVCGSSD=no # no is default
because we are not activating NFSv4 security this time.
To export our directories to a local network 192.168.1.0/24
using the insecure option allows clients such as Mac OS X to connect on ports above 1024. This option is not otherwise "insecure".
Setting the crossmnt option on the main psuedo mountpoint has the same effect as setting nohide on the sub-exports: It allows the client to map the sub-exports within the psuedo filesystem. These two options are mutually exclusive.
Note that when locking down which clients can map an export by setting the IP address, you can either specify an address range (as shown above) using a subnet mask, or you can list a single IP address followed by the options. Using a subnet mask for single client's full IP address is **not** required. Just use something like 192.168.1.123(rw). There are a couple options for specifying the subnet mask. One style is 255.255.255.0. The other style is /24 as shown. Both styles should work. The subnet mask marks which part of IP address must be evaluated.
Restart the service
sudo service nfs-kernel-server restart
On ubuntu 11.04 or later you may also need to start or restart the idmapd with:
sudo service idmapd restart
NFSv4 Client
On the client we can mount the complete export tree with one command:
sudo mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/ /mnt
We can also mount an exported subtree with:
sudo mount -t nfs4 -o proto=tcp,port=2049 nfs-server:/users /home/users
To save us from retyping this after every reboot we add the following
line to /etc/fstab:
nfs-server:/ /mnt nfs4 _netdev,auto 0 0
where the auto option mounts on startup and the _netdev option can be used by scripts to mount the filesystem when the network is available. Under NFSv3 (type nfs) the _netdev option will tell the system to wait to mount until the network is available. With a type of nfs4 this option is ignored, but can be used with mount -O _netdev in scripts later. Currently Ubuntu Server does not come with the scripts needed to auto-mount nfs4 entries in /etc/fstab after the network is up.
Note with remote NFS paths
They don't work the way they did in NFSv3. NFSv4 has a global root directory and all exported directories are children to it. So what would have been nfs-server:/export/users on NFSv3 is nfs-server:/users on NFSv4, because /export is the root directory.
Note regarding UID/GID permissions on NFSv4 without Kerberos
To make UID/GUD work as with NFSv3, set sec=sys both in the server's /etc/export and in the client's /etc/fstab. This will make NFSv4 work with the old host-based security scheme.
They do not work. Can someone please help investigating? Following this guide will result in UID/GID on the export being generic despite having same UID on client and server. (According to my experience it works at least with "precise", if uid/gid are equal on both sides. hwehner) Mounting same share on NFSv3 works correctly with regards to UID/GID. Does this need Kerberos to work fully? According to http://arstechnica.com/civis/viewtopic.php?f=16&t=1128994 and http://opensolaris.org/jive/thread.jspa?threadID=68381 you need to use Kerberos for the mapping to have any effect.
This is a possibly related bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500778
Not clear what is meant by UID/GID on the export being generic. This guide does not explicitly state that idmapd must also run on the client side, i.e. /etc/default/nfs-common needs the same settings as described in the server section. If idmapd is running the UID/GID are mapped correctly. Check with ps ax|grep rpc that rpc.idmapd is running.
If all directory listings show just "nobody" and "nogroup" instead of real user and group names, then you might want to check the Domain parameter set in /etc/idmapd.conf. NFSv4 client and server should be in the same domain. Other operating systems might derive the NFSv4 domain name from the domain name mentioned in /etc/resolv.conf (e.g. Solaris 10).
If you have a slow network connection and are not establishing mount at reboot, you can change the line in etc/fstab:
nfs-server:/ /mnt nfs4 noauto 0 0
and execute this mount after a short pause once all devices are loaded. Add the following lines to /etc/rc.local
# sleep 5
# mount /mnt
In Ubuntu 11.10 or earlier, f you experience Problems like this:
Warning: rpc.idmapd appears not to be running.
All uids will be mapped to the nobody uid.
mount: unknown filesystem type 'nfs4'
(all directories and files on the client are owned by uid/gid 4294967294:4294967294) then you need to set in /etc/default/nfs-common:
NEED_IDMAPD=yes
and restart nfs-common.
# service idmapd restart
The "unknown Filesystem" Error will disappear as well. (Make sure you restart the idmapd on both client and server after making changes, otherwise uid/gid problems can persist.)
NFSv4 and Autofs
Automount (or autofs) can be used in combination with NFSv4. Details on the configuration of autofs can be found in the AutofsHowto. The configuration is identical to NFSv2 and NFSv3 except that you have to specify -fstype=nfs4 as option. Automount supports NFSv4's feature to mount all file systems exported by server at once. The exports are then treated as an entity, i.e. they are "all" mounted when you step into "one" directory on the NFS server's file systems. When auto-mounting each file system separately the behavior is slightly different. In that case you would have to step into "each" file system to make it show up on the NFS client.
NFSv4 and NFSv3 simultaneously
NFSv4 and NFSv3 can be used simultaneously on a NFS server as well as on a NFS client. You have to setup NFSv3 on your NFS server (see SettingUpNFSHowTo). You can then export a file system with NFSv4 and NFSv3 simultaneously. Just put the appropriate export statements into /etc/exports and you are done. You might want to do this when you have NFS clients that don't support NFSv4, e.g. Mac OS X and Windows clients. But don't forget about the security risks of NFS with clients that can not be trusted.
NFSv4 with Kerberos
When using NFS without kerberos the security of all data in the NFS share depends on the integrity of all clients and the security of the network connections. If you use kerberos the security doesn't depend on all client machines because the server gives access to users with a valid kerberos ticket only. The security isn't completely delegated to the client machines (unlike without kerberos). Therefore you need a principal in your kerberos realm for each user who want's to access the NFS share. See Kerberos in the Ubuntu Server Guide on this topic. The section "Kerberos Linux Client" applies also to Ubuntu 8.04.
You need a working Kerberos (MIT or Heimdal) KDC (Key Distribution Center) before continuing. NFS4 and Kerberos work fine with Ubuntu 8.04; they do not seem to work with the (much) older Ubuntu 6.06, or at least I couldn't get Heimdal to work correctly.
Please note, that we have three different entities: the Kerberos-server; the NFS-server and the NFS-client. Your Kerberos-server (or KDC) and NFS-server could be the same machine, but they could also very well be separate entities. We will use separate "prompts" to distinguish, i.e. if you see
KDC$ echo "hello"
... this means you need to type echo "hello" on the KDC.
Please note that you can now (with Ubuntu 8.04 and later) use any encryption type you want, there is no more need to extract only des-cbc-crc, as most sites suggest. See [http://mailman.mit.edu/pipermail/kerberos/2008-May/013698.html this mailinglist message].
Please also note, that des-cbc-crc encryption is depreciated and, starting with Ubuntu 10.04, is no longer supported by default in the Kerberos libraries. For nfs4 to work, you need to add allow_weak_crypto = true to /etc/krb5.conf
MIT
On the nfs-server and nfs-client you need at least the krb5-user and optional libpam-krb5 if you wish to authenticate against krb5.
# apt-get install krb5-user
# apt-get install libpam-krb5
Heimdal
On the nfs-server and nfs-client you need heimdal-clients and optional libpam-krb5 if you wish to authenticate against krb5.
# apt-get install heimdal-clients
# apt-get install libpam-krb5
You need the gss kernel modules on nfs-servers and nfs-clients.
# modprobe rpcsec_gss_krb5
Add rpcsec_gss_krb5 to /etc/modules to have it loaded automatically. (I'm pretty sure they're loaded automatically though).
Create and distribute credentials
NFSv4 needs machine credentials for the server and every client, which wants to use the NFSv4 security features.
Create the credentials for the nfs-server and all nfs-clients on the Kerberos KDC and distribute the extraced keys with scp to the destination
You can make sure that only this entry has been created by executing "sudo klist -e -k /etc/krb5.keytab".
Create nfs/ principals
Authenticate as your admin user. You can do this from any machine in your kerberos-domain, as long as your kadmind is running; then add principals for your server and client machines. Replace "nfs-server.domain" with the fully qualified domain name of the machines. For example, if your server is called "snoopy" and your domain is "office.example.com", you would add a principal named "nfs/snoopy.office.example.com" for the server. Note: kadmin must be run with -l (locally) on the KDC if there is no kadmind. Please be aware of https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/309738/
Heimdal
$ kinit kadmin/admin
$ kadmin add -r nfs/nfs-server.domain
$ kadmin add -r nfs/nfs-client.domain
Now add these to the keytab-files on your NFS-server and client. Log in to your NFSserver (as root, because you will need to edit the /etc/krb5.keytab file) and initialize as Kerberos administrator. If your domain is fully kerberized, logging in as root will automatically give you the right access, in which case you don't need to use "kinit" anymore.
Now add these to the keytab-files on your NFS-server and client. Log in to your NFSserver (as root, because you will need to edit the /etc/krb5.keytab file) and initialize as Kerberos administrator.
Please note that you can specify allowed hosts only in the any authentication flavor. gss/krb5 flavours are accessible from anywhere, if you do not use additional firewall rules.
To export only with secure authentication flavors do not include a host(...) line in /etc/exports
The gss/krb5 flavours are:
krb5: users are authenticated
krb5i: this includes krb5. Additionaly data integrity is provided.
krb5p: this includes krb5i. Additionaly privacy is provided.
To display your exports enter:
# exportfs -v
NFSv4 Client with Kerberos
Check your machine credentials in /etc/krb5.keytab
How to configure Pfsense with OpenDNS (Web filtering)
Requirements 1. Install pfsense 2.3.1 (More than one Dynamic DNS included in this version) 2. Sign up with OpenDNS 3. Configure your network on OpenDNS and don’t forget to configure your web filter settings)
Pointing your network to OpenDNS
Assuming that you have completed the above requirements, first you have to change your DNS on pfsense to OPENDNS. To do this, go to Systems > General Setup. Under DNS Server Settings DNS Server 1: 208.67.222.222 DNS Server 2: 208.67.220.220 DNS Server Override: Unchecked Disable DNS Forwarder: Checked Once you finished, click Save to save all the setting you entered
DNS Resolver & Forwarder
Once you completed the above process, you need to disable DNS Resolver and enable DNS Forwarder. (I am not sure if DNS Resolver can be configured with OpenDNS, I tried to configure it but no luck. With DNS Forwarder, everything work well. Maybe someone can help out to explaining it WHY) To do this, you need to go to Services > DNS Resolver > Enable: (Unchecked) After that, Go to Services > DNS Forwarder > Enable: Checked Interfaces: All Click Save
Dynamic DNS
When finished, Go to Services > Dynamic DNS > Add In this case, I’ll be using OpenDNS but you can pick any services that you like. Service Type: OpenDNS Interface to Monitor: WAN Hostname: opendns.com MX: leave blank Wildcards: Unchecked Verbose Logging: Checked Username: email address that you registered with on OpenDNS Password: Your Password Confirm: Your Password again Description: You can enter “OpenDNS Account” Save setting.
Note: If the cached ip is not available, check you settings again. If you see a green ip, everything is okay.
Another option is to block Local DNS configured on a Computer. To do this, you have to create two LAN Firewall Rules. One rule that allow all requests from pfsense local DNS and the second one will block all requests from external DNS. Firewall > Rules > LAN > Add with up arrow Action: Pass Interface: Lan Address Family: IPv4 Protocol: TCP/UDP Source: Invert match-Unchecked/ ANY Destination: LAN Address Destination port range: DNS (53) Log: Checked if you like Description: Enter smth related to this rule. Click Save After that, copy the same rule and change the following settings. Action: Block and Destination: Any. Other settings remain the same.
I hope that this howto help you alot.
Secondly, big thanks to pfsense team for releasing pfsense 2.3.1 You guys are the best.
Okay so the way I was doing it actually did work just fine. The problem is just that I didn't have enough resources to run that VM. So just to answer my own question... here are the details to how I did the VM duplication across different servers without shared disk.
Because you don't have a shared disk, you can't do a typical 'clone' and then 'migration'. Instead you do a typical clone
Here's the command to do the cloning (/local/vm/ is the path to your VM images, usually /var/something/):
Update the config with any new changes. In my case (and this was what was causing my problem), I needed to lower the "memory" and "currentMemory" attributes.
Running virt-install to Build the KVM Guest System
virt-install must be run as root and accepts a wide range of command-line arguments that are used to provide configuration information related to the virtual machine being created. Some of these command-line options are mandatory (specifically name, ram and disk storage must be provided) while others are optional. A summary of these arguments is outlined in the following table:
Argument
Description
-h, --help
Show the help message and exit
--connect=CONNECT
Connect to a non-default hypervisor.
-n NAME, --name=NAME
Name of the new guest virtual machine instance. This must be unique amongst all guests known to the hypervisor on the connection, including those not currently active. To re-define an existing guest, use the virsh(1) tool to shut it down (’virsh shutdown’) & delete (’virsh undefine’) it prior to running "virt-install".
-r MEMORY, --ram=MEMORY
Memory to allocate for guest instance in megabytes. If the hypervisor does not have enough free memory, it is usual for it to automatically take memory away from the host operating system to satisfy this allocation.
--arch=ARCH
Request a non-native CPU architecture for the guest virtual machine. The option is only currently available with QEMU guests, and will not enable use of acceleration. If omitted, the host CPU architecture will be used in the guest.
-u UUID, --uuid=UUID
UUID for the guest; if none is given a random UUID will be generated. If you specify UUID, you should use a 32-digit hexadecimal number. UUID are intended to be unique across the entire data center, and indeed world. Bear this in mind if manually specifying a UUID
--vcpus=VCPUS
Number of virtual cpus to configure for the guest. Not all hypervisors support SMP guests, in which case this argument will be silently ignored
--check-cpu
Check that the number virtual cpus requested does not exceed physical CPUs and warn if they do.
--cpuset=CPUSET
Set which physical cpus the guest can use. "CPUSET" is a comma separated list of numbers, which can also be specified in ranges. If the value ’auto’ is passed, virt-install attempts to automatically determine an optimal cpu pinning using NUMA data, if available.
--os-type=OS_TYPE
Optimize the guest configuration for a type of operating system (ex. ’linux’, ’windows’). This will attempt to pick the most suitable ACPI & APIC settings, optimally supported mouse drivers, virtio, and generally accommodate other operating system quirks. See "--os-variant" for valid options. For a full list of valid options refer to the man page (man virt-install).
--os-variant=OS_VARIANT
Further optimize the guest configuration for a specific operating system variant (ex. ’fedora8’, ’winxp’). This parameter is optional, and does not require an "--os-type" to be specified. For a full list of valid options refer to the man page (man virt-install).
--host-device=HOSTDEV
Attach a physical host device to the guest. HOSTDEV is a node device name as used by libvirt (as shown by ’virsh nodedev-list’).
--sound
Attach a virtual audio device to the guest. (Full virtualization only).
--noacpi
Override the OS type / variant to disables the ACPI setting for fully virtualized guest. (Full virtualization only).
-v, --hvm
Request the use of full virtualization, if both para & full virtualization are available on the host. This parameter may not be available if connecting to a Xen hypervisor on a machine without hardware virtualization support. This parameter is implied if connecting to a QEMU based hypervisor.
-p, --paravirt
This guest should be a paravirtualized guest. If the host supports both para & full virtualization, and neither this parameter nor the "--hvm" are specified, this will be assumed.
--accelerate
When installing a QEMU guest, make use of the KVM or KQEMU kernel acceleration capabilities if available. Use of this option is recommended unless a guest OS is known to be incompatible with the accelerators. The KVM accelerator is preferred over KQEMU if both are available.
-c CDROM, --cdrom=CDROM
File or device use as a virtual CD-ROM device for fully virtualized guests. It can be path to an ISO image, or to a CDROM device. It can also be a URL from which to fetch/access a minimal boot ISO image. The URLs take the same format as described for the "--location" argument. If a cdrom has been specified via the "--disk" option, and neither "--cdrom" nor any other install option is specified, the "--disk" cdrom is used as the install media.
-l LOCATION, --location=LOCATION
Installation source for guest virtual machine kernel+initrd pair. The "LOCATION" can take one of the following forms:
DIRECTORY - Path to a local directory containing an installable distribution image
nfs:host:/path or nfs://host/path - An NFS server location containing an installable distribution image
http://host/path - An HTTP server location containing an installable distribution image
ftp://host/path - An FTP server location containing an installable distribution image
--pxe
Use the PXE boot protocol to load the initial ramdisk and kernel for starting the guest installation process.
--import
Skip the OS installation process, and build a guest around an existing disk image. The device used for booting is the first device specified via "--disk" or "--file".
--livecd
Specify that the installation media is a live CD and thus the guest needs to be configured to boot off the CDROM device permanently. It may be desirable to also use the "--nodisks" flag in combination.
-x EXTRA, --extra-args=EXTRA
Additional kernel command line arguments to pass to the installer when performing a guest install from "--location".
--disk=DISKOPTS
Specifies media to use as storage for the guest, with various options.
--disk opt1=val1,opt2=val2,...
To specify media, one of the following options is required:
path - A path to some storage media to use, existing or not. Existing media can be a file or block device. If installing on a remote host, the existing media must be shared as a libvirt storage volume. Specifying a non-existent path implies attempting to create the new storage, and will require specifyng a ’size’ value. If the base directory of the path is a libvirt storage pool on the host, the new storage will be created as a libvirt storage volume. For remote hosts, the base directory is required to be a storage pool if using this method.
pool - An existing libvirt storage pool name to create new storage on. Requires specifying a ’size’ value.
vol - An existing libvirt storage volume to use. This is specified as ’poolname/volname’.
device - Disk device type. Value can be ’cdrom’, ’disk’, or ’floppy’. Default is ’disk’. If a ’cdrom’ is specified, and no install method is chosen, the cdrom is used as the install media.
bus - Disk bus type. Value can be ’ide’, ’scsi’, ’usb’, ’virtio’ or ’xen’. The default is hypervisor dependent since not all hypervisors support all bus types.
perms - Disk permissions. Value can be ’rw’ (Read/Write), ’ro’ (Readonly), or ’sh’ (Shared Read/Write). Default is ’rw’
size - size (in GB) to use if creating new storage
sparse - whether to skip fully allocating newly created storage. Value is ’true’ or ’false’. Default is ’true’ (do not fully allocate). The initial time taken to fully-allocate the guest virtual disk (spare=false) will be usually by balanced by faster install times inside the guest. Thus use of this option is recommended to ensure consistently high performance and to avoid I/O errors in the guest should the host filesystem fill up.
cache - The cache mode to be used. The host pagecache provides cache memory. The cache value can be ’none’, ’writethrough’, or ’writeback’. ’writethrough’ provides read caching. ’writeback’ provides read and write caching. See the examples section for some uses. This option deprecates "--file", "--file-size", and "--nonsparse".
-f DISKFILE, --file=DISKFILE
Path to the file, disk partition, or logical volume to use as the backing store for the guest’s virtual disk. This option is deprecated in favor of "--disk".
-s DISKSIZE, --file-size=DISKSIZE
Size of the file to create for the guest virtual disk. This is deprecated in favor of "--disk".
--nonsparse
Fully allocate the storage when creating. This is deprecated in favort of "--disk"
--nodisks
Request a virtual machine without any local disk storage, typically used for running ’Live CD’ images or installing to network storage (iSCSI or NFS root).
-w NETWORK, --network=NETWORK
Connect the guest to the host network. The value for "NETWORK" can take one of 3 formats:
bridge:BRIDGE - Connect to a bridge device in the host called "BRIDGE". Use this option if the host has static networking config & the guest requires full outbound and inbound connectivity to/from the LAN. Also use this if live migration will be used with this guest.
network:NAME - Connect to a virtual network in the host called "NAME". Virtual networks can be listed, created, deleted using the "virsh" command line tool. In an unmodified install of "libvirt" there is usually a virtual network with a name of "default". Use a virtual network if the host has dynamic networking (eg NetworkManager), or using wireless. The guest will be NATed to the LAN by whichever connection is active.
user - Connect to the LAN using SLIRP. Only use this if running a QEMU guest as an unprivileged user. This provides a very limited form of NAT.
If this option is omitted a single NIC will be created in the guest. If there is a bridge device in the host with a physical interface enslaved, that will be used for connectivity. Failing that, the virtual network called "default" will be used. This option can be specified multiple times to setup more than one NIC.
-b BRIDGE, --bridge=BRIDGE
Bridge device to connect the guest NIC to. This parameter is deprecated in favour of the "--network" parameter.
-m MAC, --mac=MAC
Fixed MAC address for the guest; If this parameter is omitted, or the value "RANDOM" is specified a suitable address will be randomly generated. For Xen virtual machines it is required that the first 3 pairs in the MAC address be the sequence ’00:16:3e’, while for QEMU or KVM virtual machines it must be ’54:52:00’.
--nonetworks
Request a virtual machine without any network interfaces.
--vnc
Setup a virtual console in the guest and export it as a VNC server in the host. Unless the "--vncport" parameter is also provided, the VNC server will run on the first free port number at 5900 or above. The actual VNC display allocated can be obtained using the "vncdisplay" command to "virsh" (or virt-viewer(1) can be used which handles this detail for the use).
--vncport=VNCPORT
Request a permanent, statically assigned port number for the guest VNC console. Use of this option is discouraged as other guests may automatically choose to run on this port causing a clash.
--sdl
Setup a virtual console in the guest and display an SDL window in the host to render the output. If the SDL window is closed the guest may be unconditionally terminated.
--nographics
No graphical console will be allocated for the guest. Fully virtualized guests (Xen FV or QEmu/KVM) will need to have a text console configured on the first serial port in the guest (this can be done via the --extra-args option). Xen PV will set this up automatically. The command ’virsh console NAME’ can be used to connect to the serial device.
--noautoconsole
Don’t automatically try to connect to the guest console. The default behaviour is to launch a VNC client to display the graphical console, or to run the "virsh" "console" command to display the text console. Use of this parameter will disable this behaviour.
-k KEYMAP, --keymap=KEYMAP
Request that the virtual VNC console be configured to run with a non- English keyboard layout.
-d, --debug
Print debugging information to the terminal when running the install process. The debugging information is also stored in "$HOME/.virtinst/virt-install.log" even if this parameter is omitted.
--noreboot
Prevent the domain from automatically rebooting after the install has completed.
--wait=WAIT
Amount of time to wait (in minutes) for a VM to complete its install. Without this option, virt-install will wait for the console to close (not neccessarily indicating the guest has shutdown), or in the case of --noautoconsole, simply kick off the install and exit. Any negative value will make virt-install wait indefinitely, a value of 0 triggers the same results as noautoconsole. If the time limit is succeeded, virt-install simply exits, leaving the virtual machine in its current state.
--force
Prevent interactive prompts. If the intended prompt was a yes/no prompt, always say yes. For any other prompts, the application will exit.
--prompt
Specifically enable prompting. Default prompting is off (as of virtinst 0.400.0)
Example virt-install Command
With reference to the above command-line argument list, we can now look at an example command-line construct using the virt-install tool.
The following command creates a new KVM virtual machine configured to run Windows XP. It creates a new, 6GB disk image, assigns 512MB of RAM to the virtual machine, configures a CD device for the installation media and uses VNC to display the console:
Once the guest system has been created, the virt-viewer screen will appear containing the operating system installer loaded from the specified installation media:
So, that works in this instance! But why and how? Let’s break it down:
[ ] Whatever expression is inside these brackets will match ONE character.
[a-z] This expression means “ONE character that is any lowercase letter, a through z.”
[A-Z] This expression means “ONE character that is any uppercase letter, A through Z.”
The “space” in between these two expressions is a literal “space” character.
( ) Parenthesis surrounding an expression make a “group”. Groups can be referred to by variables. In this case we defined two groups. Without any effort on your part, these groups are numbered, starting with variable “1” on the left-most group and counting upward to the right. This will come in handy when we fill in the REPLACE field.
How to Set Network Location to be Public or Private in Windows 10
Information
A network location identifies the type of network that a PC is connected to with a network adapter.
The first time you connect to a network, you might be asked if you want to find PCs, devices, and content on the network, and automatically connect to devices like printers and TVs. Turning on this setting prepares your PC for sharing files and devices on a network. It also automatically sets the appropriate Windows Firewall and security settings for the type of network that you connected to. You can change the network location anytime.
This tutorial will show you how to set the network on your PC to be connected to a domain, public, or private type of location for all users in Windows 10.
You must be signed in as an administrator to be able to change the network location of a network adapter.
Note
Public network = By default, the public network location type is assigned to any new networks when they are first connected. A public network is considered to be shared with the world, with no protection between the local computer and any other computer. Therefore, the Windows Firewall rules associated with the public profile are the most restrictive. This blocks the following apps and services from working: PlayTo, file sharing, network discovery, and automatic setup of network printers, TVs, and other devices.
Private network = A private network location type can be for home or small office networks, or when you know and trust the people and devices on the network. This setting allows your PC to connect to a homegroup and devices on the network, such as printers.
Domain network = The domain network location type is detected when the local computer is a member of an Active Directory domain, and the local computer can authenticate to a domain controller for that domain through one of its network connections.
CONTENTS:
Option One: To Change a Network Location in Settings app
Option Two: To Change a Network Location in Registry Editor
Option Three: To Change a Network Location Local Security Policy
Option Four: To Change a Network Location in PowerShell
Option Five: To Change Network Location of Current Network Connection in PowerShell
Option Six: To Change Network Location of Current Network Connection using a VBS file
EXAMPLE: Network Location of adapter in "Network and Sharing Center"
OPTION ONE
To Change a Network Location in Settings app
1. Do step 2 or step 3 below for how you would like to open Network settings.
2. Click/tap on your networksystem icon in the taskbar notification area, click/tap on the Network settings link, and go to step 4below. (see screenshot below)
3. Open Settings, click/tap on the Network & Internet icon, and go to step 4 below.
4. Do step 5 (Ethernet) or step 6 (Wi-Fi) below for you currently connected network.
5. To Change Network Location of Ethernet Network
A) Click/tap on Ethernet on the left side, click/tap on the Ethernet connection (ex: Brink-Router2) on the right side you arecurrently connected to, and go to step 7 below. (see screenshot below)
6. To Change Network Location of Wi-Fi Network
A) Click/tap on Wi-Fi on the left side, click/tap on the Manage known networks link. (see screenshot below)
B) Click/tap on the wireless network name (ex: Brink-Router2) you are currently connected to, click/tap on Properties, and go tostep 7 below. (see screenshot below)
7. Do step 8 (Private) or step 9 (Public) below for the network location you want.
Note
Make this PC discoverable settings will not be available if you have UAC set to Always notify. Setting UAC to a different level will allow Make this PC discoverable settings to be available.
Make this PC discoverable settings will not be available if you have a Hyper-V virtual switch with this Ethernet connection.
8. To Change to a Private Network Location
A) Turn on Make this PC discoverable, and go to step 10 below. (see screenshots below)
9. To Change to a Public Network Location
A) Turn off Make this PC discoverable, and go to step 10 below. (see screenshots below)
10. When finished, you can close Settings if you like.
OPTION TWO
To Change a Network Location in Registry Editor
1. Type regedit in the search box (Windows+Q) on Start or taskbar, and press Enter to open Registry Editor.
4. Double click/tap on the Profiles key in the left pane to expand it. Click/tap on each long GUID number subkey, and look at it'sProfileName string value in the right pane to see if it has the current network name (ex: Network) until found. (see screenshot below)
5. When you find the correct ProfileName for your network name, double click/tap on the Category DWORD value in the same right pane to modify it. (see screenshot below)
6. Type in a new data value number for the network location you want, and click/tap on OK. (see screenshot below)
Network Location
Data Value
Public
0 (zero)
Private
1
Domain
2
7. When finished, you can now close Registry Editor if you like.
8. Sometimes you may need to sign out and in of your user account to apply the new network location.
OPTION THREE
To Change a Network Location Local Security Policy
Information
Note
OPTION ONE 
To Change a Network Location in Settings app
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
