Forum Discussion
DarienHawkins
Apr 27, 2024 (Brass Contributor)
Server 2025 Core ADDS DC, Network Profile Showing as "Public" and not as "DomainAuthenticated"
OS: Windows Server 2025 Standard Core (no GUI), build 26085.1
Role: ADDS, DNS
ForestMode: Windows2025Forest
DomainMode: Windows2025Domain
Platform: Hyper-V guest
When standing up a clean Windows Server 2025 using server core and configuring it as a domain controller, the network category (profile) always shows as "public."
A clean load of Windows Server 2022 with server core as a domain controller has the same behavior. However, in Server 2022, the fix is to add DNS as a required service to the nlasvc (Network Location Awareness) service. Once that is done, the network category reflects "DomainAuthenticated" and persists between reboots.
In Server 2025, the nlasvc service does not have the same required services as Windows Server 2022, and it does not start automatically. Even after configuring the nlasvc service the same way it is in Server 2022 and adding DNS as a required service, the network category still reflects "public." The only way to get the network category to properly reflect the "DomainAuthenticated" status is to disable and re-enable the network adapter after each reboot.
- JamfSlayer, Brass Contributor
Anything having to be done to the OS besides installing it out of the box for this feature to work properly is a "hack". No bandaids - even adding an IPv6 address should be required for this to work. It isn't in Server 2022. This should just work out of the box. By the way, in testing, demoting the server back to a member server returns the network adapter operation to normal. That's why I am convinced this has something to do with them removing the dependency on NLA, however, keeping the requirement as part of AD for some reason when the server becomes a DC. Guessing something wasn't coded properly. I hope to hear back from MS at some point on this.
- allisterw, Copper Contributor
Found this issue as I've been testing Server 2025 and noticed the Network Location Awareness service is set to Manual, not Automatic. Nothing is documented about this change in the services that I can find.
- Windows, Copper Contributor
Hello everyone, I had a little time over the weekend to try out a few things again and finally came up with a way that allows me to get to the domain firewall profile (even after a restart) without any major ‘hacks’.
1.) It is important that the server that receives the AD role is assigned an IPv6 address.
2.) Furthermore, the DWORD AlwaysExpectDomainController must be created in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters and set to 1.
Before I forget, it is normal that the NLA service with version 2025 no longer has any dependencies or is now set to manual. The correct firewall profile is still assigned.
Maybe this will help someone.
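A PowerShell check-and-apply script for the two procedures in this thread (the opening post's Server 2022 approach of adding DNS to the NlaSvc dependencies, and the IPv6 plus AlwaysExpectDomainController settings in the post above). This is an added example, not code from any poster; it assumes it is run elevated on the DC itself and that the registry paths quoted in the post are correct.

```powershell
#Requires -RunAsAdministrator
# Added example: report the NLA state the thread describes, then apply the
# settings the posters used. Not from any poster in this thread.

$nlaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc'
$paramKey = Join-Path $nlaKey 'Parameters'   # path quoted in the post above

# 1. Current state: network category per adapter and the NlaSvc service.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity, IPv6Connectivity
$svc = Get-Service -Name NlaSvc
'NlaSvc: Status={0} StartType={1} Depends={2}' -f $svc.Status, $svc.StartType,
    ($svc.ServicesDependedOn.Name -join ',')

# 2. The post states the DC must have an IPv6 address; warn about adapters without one.
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
    $v6 = Get-NetIPAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv6 -ErrorAction SilentlyContinue
    if (-not $v6) { Write-Warning "$($_.Name) has no IPv6 address" }
}

# 3. Server 2022 approach from the opening post: append DNS to DependOnService.
#    Edit the multi-string directly; 'sc.exe config depend=' would replace the whole list.
$existing = (Get-ItemProperty -Path $nlaKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
$deps = @($existing | Where-Object { $_ })   # drop $null when the value is absent (2025)
if ($deps -notcontains 'DNS') {
    Set-ItemProperty -Path $nlaKey -Name DependOnService -Value ($deps + 'DNS') -Type MultiString
}

# 4. Setting from the post above: AlwaysExpectDomainController = 1 (DWORD).
if (-not (Test-Path $paramKey)) { New-Item -Path $paramKey -Force | Out-Null }
New-ItemProperty -Path $paramKey -Name AlwaysExpectDomainController `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Match the 2022 startup type (Manual on 2025 per the thread) and (re)start NlaSvc.
Set-Service -Name NlaSvc -StartupType Automatic
Restart-Service -Name NlaSvc

# 6. Verify: category should read DomainAuthenticated and the firewall should be on
#    the Domain profile. If it is still Public, the fallback the posters used is
#    Restart-NetAdapter -Name '<adapter name>' (or a reboot to test persistence).
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
netsh advfirewall monitor show currentprofile
```

Reboot afterwards to confirm the DomainAuthenticated category persists, since the thread's complaint is that it reverts to Public on restart.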
- JamfSlayer, Brass Contributor
If everyone could go into Feedback Hub in the settings of 2025, and explain this. Strength in numbers. I also have an open case with them that they have escalated to the product team. I have had this case open ever since the pre-release. They took lots of captures, and logs, in both the failed states and after restarting the NIC. They thought my scheduled task to restart the NIC at boot up was clever. Yea, it works, but it's not clean and native and they understand this is not a true workaround or fix. There is light at the end of the tunnel as they were able to reproduce this issue in their lab.
- SuperCaco, Brass Contributor
This is not listed in the official Microsoft Windows Server 2025 known issues:
https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025
Microsoft clearly has no interest in fixing this. They only seem to be interested in what affects their cloud services or in what they can charge a monthly subscription for.
Or maybe they are not even aware of this bug due to their incompetence and ineptitude.
- Windows, Copper Contributor
I wanted to set up a new AD with 26100.2033 today and almost despaired because of the wrong firewall profile. The NlaSvc service doesn't seem to be set to automatic after installing the Windows AD role. I really wonder who tests these builds before releasing them. The only thing that helps is restarting the network adapter so that the correct domain firewall profile is loaded; setting dependencies for the NlaSvc service no longer works either.
- seatech, Copper Contributor
It still plagues Version 10.0.26100.2033
- JamfSlayer, Brass Contributor
The production release of the ISO still has this problem. Microsoft has escalated with their engineers, however, it still went RTM with this issue when you make it a DC. Any other server, probably fine to deploy, especially Hyper-V with all the good stuff that brings, like GPU pools, but don't make it a domain controller, unless you put that "bandaid" mentioned above in place.
- AdamM55, Copper Contributor
Microsoft, this is ridiculous...
We are rolling out new DCs with latest build and STILL having this problem.
I don't understand why a bug that was reported back in April is still happening. When is this going to be fixed?
Also, why is this even a default option? Are people taking their servers on strolls to public networks? I don't understand why it would default to this in the first place...
- Wes808, Brass Contributor
Unbelievable this is still an issue in the final build 26100.1742. I upgraded 2022 DCs in two different domains to 2025 and all of them have the public firewall profile set unless/until I disable/re-enable the NIC.
- AdamM55, Copper Contributor
We have upgraded some DCs and ran into this issue. Came here trying to find a solution....
So it looks like M$ has known about this earlier this year, I don't understand why it persists on new builds. I was under the impression it was a new issue, but nope. They've known for over 6 months and still haven't fixed it. Ridiculous.
- AdamM55, Copper Contributor
Update: The only solution we have found is disabling and re-enabling the NIC.
I don't understand why we are scripting this on an issue that Microsoft was aware of over 6 months ago...
Again, what percentage of DCs do sysadmins want set to public? I'm still confused why anyone would want that in the first place.