Windows server 2022-Network profile keeps changing to Public network after every reboot.

Arun 20 Reputation points
2025-10-22T19:44:43.2166667+00:00

Single domain infra. The server is acting as AD, DNS and DHCP. Every time the server reboots, the network profile changes back to public network instead of domain network. Once rebooted, I need to kill the process for the NLA service, and then the profile automatically changes back to domain.

  • Tried delaying the NLA service
  • Tried changing the local policy to 'Always wait for the network at computer startup and logon'
Windows for business | Windows Server | Networking | Other

Answer accepted by question author

VPHAN 33,350 Reputation points Independent Advisor
2025-10-23T15:15:45.6966667+00:00

Hi Arun,

Has your issue been solved? If it has, please accept the answer so that it could be spread further to those in need too. If not, is there anything I can help you with? Please let me know. :)

Vivian


1 additional answer

  1. VPHAN 33,350 Reputation points Independent Advisor
    2025-10-22T22:20:24.0533333+00:00

    Hi Arun,

    Your problem could be caused by some common triggers, such as incorrect NIC DNS settings or DNS registration, NIC driver initialization timing, NlaSvc starting before DnsCache or Netlogon, IPv6/IPv4 binding issues, or cached NetworkList profile state that doesn’t refresh until NLA is recycled.

    First apply the NlaSvc dependency change and verify DNS adapter settings and Netlogon registration. These changes address the most likely race condition where NLA starts too soon and misclassifies the interface. If those do not resolve the problem, run the data collection below:

    1. Make NlaSvc depend on services that must be running first

    Ensure NlaSvc waits for TCP/IP stack, DHCP, DNS client and Netlogon. This forces Windows to start NlaSvc only after the network and domain services are up.

    PowerShell command to set service dependency (run elevated):

    powershell

    # sc.exe separates multiple dependencies with "/"; this replaces the existing dependency list
    sc.exe config NlaSvc depend= Tcpip/Dhcp/Dnscache/Netlogon
    

    Notes:

    There must be a single space after depend=.

    Reboot after applying and verify behavior.

    If Netlogon is not present on this server as a service name, use Netlogon. If sc complains, apply via registry:

    powershell

    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc" -Name "DependOnService" -PropertyType MultiString -Value @("Tcpip","Dhcp","Dnscache","Netlogon") -Force
    
    2. Confirm DNS and network adapter configuration

    Ensure the server’s NIC points only to the local server’s IP (127.0.0.1 is not appropriate for DNS on DC; use the server’s own LAN IP) or preferred DNS set to the DC IP; do not use external DNS as preferred.

    In the NIC IPv4 properties, enable “Register this connection’s addresses in DNS” and “Use this connection’s DNS suffix in DNS registration”.

    Disable any DHCP reservations or other sources that could provide alternate DNS servers.

    3. Ensure Netlogon and DNS registration complete before NLA

    Confirm Netlogon successfully registers SRV records on boot: check event log for Netlogon 5781/5774 events or run nltest /dsregdns manually after boot to test registration.

    If registration fails on boot but succeeds after a while, the service dependency above will help. If Netlogon still races, increase Netlogon debug logging temporarily to collect diagnostics.

    4. Disable/verify extra protocol bindings and IPv6 settings

    If IPv6 is not used in your environment, do NOT disable the IPv6 stack via registry; instead remove unnecessary protocol bindings from the adapter and ensure IPv6 DNS registration is correct.

    Verify there are no leftover virtual adapters or VPN clients that appear connected at boot and confuse NLA.

    5. Clear NLA network profile cache (one-time housekeeping)

    If stale profile data exists it can cause misclassification. Export and delete NetworkList profiles then reboot.

    Steps (run elevated; export then delete):

    Export current profiles for backup:

    powershell

    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" C:\ProfilesBackup.reg
    

    Delete profiles:

    powershell

    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\*" -Recurse -Force
    

    Reboot and allow Windows to recreate profiles.

    6. If timing issues remain, create a controlled restart of NlaSvc at boot as a last-resort workaround

    Create a Scheduled Task that runs with highest privileges at startup with a delay (for example 60 seconds) to restart NlaSvc. This is a pragmatic fallback when service-dependency changes are insufficient.

    Example schtask to create (run elevated PowerShell):

    powershell

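    # Task Scheduler runs the program directly (no shell), so the restart is a single PowerShell command
    $Action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -Command "Restart-Service -Name NlaSvc -Force"'
    $Trigger = New-ScheduledTaskTrigger -AtStartup
    $Trigger.Delay = 'PT60S'   # 60-second delay after startup (ISO 8601 duration)
    Register-ScheduledTask -TaskName "RestartNlaAfterBoot" -Action $Action -Trigger $Trigger -RunLevel Highest -User "SYSTEM"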
    

    Troubleshooting steps to collect if issue persists

    If the issue continues after applying the above, please collect and send the following so I can trace the exact race condition:

    • System event log entries filtered for source NetworkProfile, NlaSvc, Netlogon, DNS Client, DHCP, and Tcpip from the last boot.
    • Output of sc queryex NlaSvc, sc qc NlaSvc, and Get-Service Netlogon, Dnscache, Dhcp after a fresh reboot (before killing NLA).
    • ipconfig /all captured immediately after boot.
    • Results of nltest /dsgetdc:yourdomain and nltest /sc_verify:yourdomain and nltest /dsregdns after boot.
    • Network adapter driver version and vendor; note if drivers are out of date or if vendor supplied NIC teaming/virtualization software is present.

    Hope you've got what you need, and if you find this info helpful, please accept the answer so that others can benefit too. Thank you :)

    Best regards,

    Vivian
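
The data-collection list in the answer above, gathered in one pass (an added example, not part of the original answer or any Microsoft tooling; the output folder `C:\NlaDiag` and the file names are assumptions). It also flags any connection that NLA did not classify as DomainAuthenticated, the category that decides which Windows Firewall profile applies to the interface.

```powershell
# Added example, not part of the original answer. Run elevated right after a
# reboot, before NLA is restarted or killed.
$out  = 'C:\NlaDiag'   # assumed output folder
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Category NLA assigned to each connection (Public, Private or DomainAuthenticated)
$profiles = Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity
$profiles | Format-Table -AutoSize | Out-File "$out\profiles.txt"

# Service state and the dependency list NlaSvc actually has on this boot
Get-Service -Name NlaSvc, Netlogon, Dnscache, Dhcp |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize | Out-File "$out\services.txt"
sc.exe queryex NlaSvc | Out-File "$out\sc-queryex.txt"
sc.exe qc NlaSvc      | Out-File "$out\sc-qc.txt"

# Adapter configuration and the nltest checks listed in the answer
ipconfig.exe /all | Out-File "$out\ipconfig.txt"
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
nltest.exe "/dsgetdc:$domain"   | Out-File "$out\nltest-dsgetdc.txt"
nltest.exe "/sc_verify:$domain" | Out-File "$out\nltest-sc_verify.txt"
nltest.exe /dsregdns            | Out-File "$out\nltest-dsregdns.txt"   # re-registers DC DNS records

# System log entries since boot from the sources named in the answer
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $boot } |
    Where-Object { $_.ProviderName -match 'Netlogon|Nla|NetworkProfile|DNS|Dhcp|Tcpip' } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message |
    Export-Csv -Path "$out\system-events.csv" -NoTypeInformation

# Flag connections that were not classified as domain
$notDomain = @($profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })
if ($notDomain.Count -gt 0) {
    Write-Warning ("Not domain-classified: " + ($notDomain.InterfaceAlias -join ', '))
} else {
    Write-Output 'All connections are DomainAuthenticated.'
}
```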
