Forum Discussion
Server 2025 Core ADDS DC, Network Profile Showing as "Public" and not as "DomainAuthenticated"
OS: Windows Server 20225 Standard Core (no GUI), build 26085.1
Role: ADDS, DNS
ForestMode: Windows2025Forest
DomainMode: Windows2025Domain
Platform: Hyper-V guest
When standing up a clean Windows Server 2025 using server core and configuring it as a domain controller, the network category (profile) always shows as "public."
A clean load of Windows Server 2022 with server core as a domain controller has the same behavior. However, in Server 2022, the fix is to add DNS as a required service to the nlasvc (Network Location Awareness) service. Once that is done, the network category reflects "DomainAuthenticed" and persists between reboots.
In Server 2025, the nlasvc service does not have the same requiredservices as Windows Server 2022, and it does not start automatically. Even after configuring the nlasvc service the same way it is in Server 2022 and adding DNS as a required service, the network category still reflects "public." The only way to get the network category to properly reflect the "DomainAuthenticated" status is to disable and reenable the network adapter after each reboot.
76 Replies
Hallelujah, thanks r2dluc , it's finally official: Windows Server 2025 known issues and notifications | Microsoft Learn
Yes, it is now official after a year since this bug was reported.
Microsoft works worse and worse, no longer listens to their users (customers) so they make worse products that they don't even test, so they are full of bugs (that they don't fix), with less functionality, features and performance. It only adds functionality, features and products that nobody has demanded and that only benefits Microsoft (never the user) through subscriptions. Now it's all about subscriptions and artificial intelligence. Before it was “Mobile First/Cloud First” and now it is “Subscription First/IA First”.
The current Microsoft is a real disaster.
totally agree
Good news, they seem to have aknowledged the problem...
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-server-2025-restarts-break-services-on-domain-controllers/
I just wanted to post here that when the NIC is set to public on a Domain Controller, Windows Services that rely on Domain Authenticated status never starts, this raise alerts in our monitoring tool and unnecessary works from our team.
I have also experience authentication issues when endpoints choose this DC to authenticate and NIC is set to Public. ( I have other 3 DCs 2022 Server with no similar issues).
Hi,
I've created this Workaround Script:
It will create a folder C:\install\scripts, put a fix script in it and schedule it to run at startup, the script will reset the adapter if in public profile$scriptContent = @" # FixPubFWProfile.ps1 # This script fixes the public network profile # Get the network profiles `$networkProfiles = Get-NetConnectionProfile # Wait for 60 seconds Start-Sleep -Seconds 60 # Loop through each profile and restart-adapter if it is set to public foreach (`$Nprofile in `$networkProfiles) { if (`$Nprofile.NetworkCategory -eq "Public") { Restart-NetAdapter -Name `$Nprofile.InterfaceAlias } } "@ $scriptPath = "c:\Install\Scripts\FixPubFWProfile.ps1" # Create the directory if it doesn't exist if (-not (Test-Path -Path (Split-Path -Path $scriptPath))) { New-Item -ItemType Directory -Path (Split-Path -Path $scriptPath) -Force } # Write the script content to the file Set-Content -Path $scriptPath -Value $scriptContent Write-Output "Script created at $scriptPath" $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -NoProfile -File `"$scriptPath`"" $trigger = New-ScheduledTaskTrigger -AtStartup $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable #check if the task already exists $taskExists = Get-ScheduledTask -TaskName "FixPublicNetworkProfile" -ErrorAction SilentlyContinue if ($taskExists) { Write-Output "Scheduled task 'FixPublicNetworkProfile' already exists" } else { Register-ScheduledTask -Action $action -Trigger $trigger -Principal $principal -Settings $settings -TaskName "FixPublicNetworkProfile" -Description "Fixes the public network profile 1 minute after startup" Write-Output "Scheduled task 'FixPublicNetworkProfile' created to run at startup with a 1 minute delay in the script" }also on my blog: https://www.technine.be/wp-content/uploads/2025/04/Fix-Public-Network-Profile.ps1
hope this helps,
I can confirm that setting a manual IPv6 address on the NIC has resolved this issue for us.
EDIT - appears that this reg key is required along with the IPv6 address being setHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters
Add a DWORD parameter: AlwaysExpectDomainController
Set value to:1
Hi Eleanor, any news?
This is March 2025 and the issue still exists. I have spent way too many hours trying to resolve this at a client site. The resolution was to stand up a Server 2022 DC. No issues whatsoever.
Ray S
Used the following for reference: Network location awareness not detecting domain network from offsite location - Microsoft Q&A
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
Name: NegativeCachePeriod
Type: REG_DWORD
Value Data: 0 (default value: 45 seconds; set to 0 to disable caching)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Name: MaxNegativeCacheTtl
Type: REG_DWORD
Value Data: 0 (default value: 5 seconds; set to 0 to disable caching)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters
Add a DWORD parameter :AlwaysExpectDomainController
Set value to:1
After reboot - Get-NetConnectionProfile returns DomainAuthenticatedAdding the AlwaysExpectDomainController key on 2022 fixed this issue for me. I just put in a GPO for my DC OU to do this going forward, was quite a pain
Still having this issue even after setting these keys 2025 DC. =(
I gave up using Server 2025, in my view it's way buggy. I won't push a client toward it.
Not working on 2025, it works on 2019 and 2022, only the disabling/enabling of the network interface after the boot is working on 2025...
Use of a 2025 as DC is hell, even as RDP server is hell...
It's now the END of February - and still no fix?
RidiculousI can confirm the easy fix is to define a local IPV6 address for the adapter.
For example: fd12:3456:789a:0001:0000:0000:0000:0063 /64
My adapter immediately switched to the 'test.local' domain and persisted after reboot!
Interesting, my IPv4 address is hardcoded and my IPv6 is address is DHCP and gets an address from my Cisco equipment. Is an IPv6 DHCP address not good enough?
Ray
It's not a secret that MS 2025 has been a problem for plenty of administrators, the NLA not being the only issue. The only possible way to have some reliability is to keep an older DC around in case of an unexpected reboot. MS new administration from the CEO down are turning out to be a disaster, more concerned with the cloud's money machine than with their software clients.
When will they start paying attention again? Who knows.
