Domain server starts with wrong network profile

Question

Server 2019 DC. When the server is started or restarted it always starts with the Private Network profile active in Windows Defender Firewall. This has been an issue since Server 2019 was released. I've experienced this on 5 different servers for 5 different clients I've set up server 2019 for.
I have to restart the Network Location Awareness service to get the Domain profile as active. I assume this is because NLASVC starts before the Active Directory services get going. My current workaround is using Task Scheduler where I created a task to stop NLASVC 1 minute after startup. Sometimes it works. Most of the time it doesn't. My next choice for delay on the task is 5 minutes. That's just to long. Now I can just export the task, edit the xml file to set the delay to 3 minutes. Then import the edited task and all is fine. But with that delay it creates a new problem with other programs (such as a third party MFA one client uses).
Looking at the Network Location Awareness service I note that it has no dependencies (but it stops the Network List Service when stopped). So my question is, what service can I make either NETPROFM or NLASVC dependent upon so that it doesn't start early? I'd like to do away with having to create a restart in Task Scheduler, as if the timing isn't "just right" it gives me issues with other programs.

Answer 1

Hi ,

Have you set the NLA service to "Automatic (Delayed)"?

If it still doesn't work, please refer to the following steps:

1.Add a dependency for it to depend on the NetLogon service and see if it works.

2.Added your domain name in DNS suffix for this connection, checked the box to "Use this connection's suffix in DNS registration", and rebooted. Check if the issue still occurs.

Here is a similar thread discussed before, you could have a look:

New Server 2019 DC keeps setting Network Location to Private. Why?

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,

Candy

---

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

To create a dependency for NlaSvc service -Just run the following command:

sc config NlaSvc depend= NSI/RpcSs/TcpIP/Dhcp/Eventlog/Netlogon  

As picture below:

Based on my experience, add domain name to DNS suffice for this connection and reboot. This can always work.

--------------------------------------------------------------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

The delayed start works intermittently. Now this server gets rebooted quite often, as it's a lab server I use for software testing before recommending or deploying to my clients. During times when I get the correct profile multiple reboots in a row, I'll forget to check it. That's usually when I get bit.
As I recall, in previous versions of the server software it was simple to add a dependency from the service properties menu. I don't see that ability now. So how do I add the dependency now? It's been years since I've had to deal with dependency issues, and I've never dealt with it on 2019 yet.

Answer 4

Have set this up as above. Will use for a day to see how it does and will let you know.

Answer 5

Always recommended to have at least two domain controller for high availability and for disaster mitigation. Simple solution is to delay restart NLA service via Task scheduler.

--please don't forget to Accept as answer if the reply is helpful--