After I disable ipv6 on my Win 2012 DC, the Windows firewall profile changes from Guest to Domain.
Domain network profile is correct for domain controller and all domain members. When NLA starts to detect the network location, the machine will contact a domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing for correct ports) and we cannot change the network location profile.
If the domain was not found or process failed, NLA will let you to determine which firewall profile will be used, private or public.
The Network Location Awareness (NLA) service expects to be able to enumerate the domain’s forest name to choose the right network profile for the connection. The service does this by calling DsGetDcName on the forest root name and issuing an LDAP query on UDP port 389 to a root Domain Controller. The service expects to be able to connect to the PDC in the forest domain to populate the following registry subkey:
If something hinders the DNS name resolution or the connection attempt to the DC, NLA is not able to set the appropriate network profile on the connection.
--please don't forget to Accept as answer if the reply is helpful--
7 people are following this question.