Domain server starts with wrong network profile

Carl Burch 216 Reputation points
2020-12-22T05:19:46.353+00:00

Server 2019 DC. When the server is started or restarted it always starts with the Private Network profile active in Windows Defender Firewall. This has been an issue since Server 2019 was released. I've experienced this on 5 different servers for 5 different clients I've set up Server 2019 for.
I have to restart the Network Location Awareness service to get the Domain profile as active. I assume this is because NLASVC starts before the Active Directory services get going. My current workaround is using Task Scheduler where I created a task to stop NLASVC 1 minute after startup. Sometimes it works. Most of the time it doesn't. My next choice for delay on the task is 5 minutes. That's just too long. Now I can just export the task, edit the XML file to set the delay to 3 minutes. Then import the edited task and all is fine. But with that delay it creates a new problem with other programs (such as a third party MFA one client uses).
Looking at the Network Location Awareness service I note that it has no dependencies (but it stops the Network List Service when stopped). So my question is, what service can I make either NETPROFM or NLASVC dependent upon so that it doesn't start early? I'd like to do away with having to create a restart in Task Scheduler, as if the timing isn't "just right" it gives me issues with other programs.


11 answers

  1. Anonymous
    2020-12-22T05:58:38.433+00:00

    Hi,

    Have you set the NLA service to "Automatic (Delayed)"?


    If it still doesn't work, please refer to the following steps:

    1. Add a dependency for it to depend on the NetLogon service and see if it works.

    2. Add your domain name in the DNS suffix for this connection, check the box "Use this connection's suffix in DNS registration", and reboot. Check if the issue still occurs.


    Here is a similar thread discussed before, you could have a look:

    New Server 2019 DC keeps setting Network Location to Private. Why?

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Candy



    5 people found this answer helpful.

  2. Anonymous
    2020-12-23T01:10:36.54+00:00

    To create a dependency for the NlaSvc service, just run the following command:

    sc config NlaSvc depend= NSI/RpcSs/TcpIP/Dhcp/Eventlog/Netlogon  
    


    Based on my experience, add the domain name to the DNS suffix for this connection and reboot. This can always work.


    2 people found this answer helpful.
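
Added example, not part of the thread: `sc config ... depend=` replaces the service's whole dependency list, so this PowerShell script reads the list already registered for NlaSvc, appends Netlogon only if it is missing, and then reports which firewall profile each connection is using. It assumes an elevated session and calls `sc.exe` by its full name because `sc` is an alias for `Set-Content` in Windows PowerShell.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Assumption: the extra dependency wanted is Netlogon, as suggested in the answers.
$svcName = 'NlaSvc'
$extra   = 'Netlogon'
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"

# Read the current dependency list (REG_MULTI_SZ) so existing entries are kept.
$raw     = (Get-ItemProperty -Path $regPath -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
$current = @($raw | Where-Object { $_ })
Write-Host "Current dependencies: $($current -join ', ')"

if ($current -notcontains $extra) {
    $new = $current + $extra
    # sc.exe expects names separated by '/' and a space after 'depend='.
    & sc.exe config $svcName depend= ($new -join '/')
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed with exit code $LASTEXITCODE"
    }
}

# Confirm what the Service Control Manager now has recorded.
& sc.exe qc $svcName

# After the next reboot (or after Restart-Service NlaSvc -Force), check which
# profile each connection landed in. The connection that reaches the domain
# should report DomainAuthenticated.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory

$notDomain = Get-NetConnectionProfile |
    Where-Object NetworkCategory -ne 'DomainAuthenticated'
if ($notDomain) {
    Write-Warning "Not on the Domain profile: $($notDomain.InterfaceAlias -join ', ')"
}
```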

  3. EricM1970 5 Reputation points
    2024-10-28T16:22:34.9533333+00:00

    Hello All, I know it's been a while since anybody has posted, but this thread still comes up at the top of Google searches on the topic so I thought I'd comment. This has been an intermittent issue (couple times a year) for me since Server 2012R2. Almost always when this happens on a 2012R2 server I can just reboot and it will return to the correct domain profile.

    As has been stated here there just is no solid fix for this, and it happens periodically with no reason that I can find. I've never found a "fix" for it, or a good reason of what causes it. Certainly I've never seen any official Microsoft documentation on it that addresses what is very obviously, to all of us, a fundamental and ongoing BUG with the Windows Firewall.

    I just had this happen to a freshly built 2022 server. I was actually in the firewall (hadn't changed anything yet) and got kicked off the server (I was remoted in.) I had to call someone at that location and have him go to the server room and verify the server was still up (it was.) Then I had him turn the firewall off and I was able to reconnect. What had happened is it had just flipped to the Public Firewall profile on its own in the middle of me working on it for no real reason.

    I tried all of the fixes here to get it to change, nothing worked.

    Couple things I found - If I set a reservation for the NIC on DHCP and let it pull an address, it would return to the Domain Firewall profile immediately (didn't even need to reboot.) Change it back to static and it would go to Public again. I was finally able to fix it by setting the Automatic Metric of the NIC to 1. After that, when I changed the NIC back to a static address it stayed in the Domain Profile. Fingers crossed on how long it will last.

    In the name of full disclosure, I also had disabled other NICs on the server and reactivated them, basically just seeing what I could get to stick to the wall.

    Again, this is very obviously a fundamental problem with the Windows Firewall that has existed for more than a decade that they just don't seem to care about.

    1 person found this answer helpful.

  4. Carl Burch 216 Reputation points
    2020-12-22T15:44:08.07+00:00

    The delayed start works intermittently. Now this server gets rebooted quite often, as it's a lab server I use for software testing before recommending or deploying to my clients. During times when I get the correct profile multiple reboots in a row, I'll forget to check it. That's usually when I get bit.
    As I recall, in previous versions of the server software it was simple to add a dependency from the service properties menu. I don't see that ability now. So how do I add the dependency now? It's been years since I've had to deal with dependency issues, and I've never dealt with it on 2019 yet.


  5. Carl Burch 216 Reputation points
    2020-12-23T14:01:00.417+00:00

    Have set this up as above. Will use for a day to see how it does and will let you know.

