Forum Discussion
Server 2025 Core ADDS DC, Network Profile Showing as "Public" and not as "DomainAuthenticated"
OS: Windows Server 2025 Standard Core (no GUI), build 26085.1
Role: ADDS, DNS
ForestMode: Windows2025Forest
DomainMode: Windows2025Domain
Platform: Hyper-V guest
When standing up a clean Windows Server 2025 using server core and configuring it as a domain controller, the network category (profile) always shows as "public."
A clean load of Windows Server 2022 with server core as a domain controller has the same behavior. However, in Server 2022, the fix is to add DNS as a required service to the nlasvc (Network Location Awareness) service. Once that is done, the network category reflects "DomainAuthenticated" and persists between reboots.
In Server 2025, the nlasvc service does not have the same requiredservices as Windows Server 2022, and it does not start automatically. Even after configuring the nlasvc service the same way it is in Server 2022 and adding DNS as a required service, the network category still reflects "public." The only way to get the network category to properly reflect the "DomainAuthenticated" status is to disable and reenable the network adapter after each reboot.
- seatech (Copper Contributor)
It still plagues Version 10.0.26100.2033
- Windows (Copper Contributor)
I wanted to set up a new AD with 26100.2033 today and almost despaired because of the wrong firewall profile. The NlaSvc service doesn't seem to be set to automatic after installing the Windows AD role. I really wonder who tests these builds before releasing them. It really only helps to restart the network adapter so that the correct domain firewall profile is loaded; setting dependencies for the NlaSvc service no longer works either.
- Windows (Copper Contributor)
Hello everyone, I had a little time over the weekend to try out a few things again and finally came up with a way that allows me to get to the domain firewall profile (even after a restart) without any major ‘hacks’.
1.) It is important that the server that receives the AD role is assigned an IPv6.
2.) Furthermore, the DWORD AlwaysExpectDomainController must be created in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters and set to 1.
Before I forget, it is normal that the NLA service with version 2025 no longer has any dependencies or is now set to manual. The correct firewall profile is still assigned.
Maybe this will help someone.
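The checks behind the post above, as an added PowerShell example that is not part of the original post or any Microsoft guidance: it reports each connection's network category, its IPv6 addresses, the NlaSvc start mode and the `AlwaysExpectDomainController` value, and writes the value only when asked. The `-Apply` switch is a name chosen for this example; run it elevated on the domain controller.

```powershell
# Added example: audit a DC for the "Public instead of DomainAuthenticated"
# condition discussed in this thread. Read-only unless -Apply is given.
param([switch]$Apply)   # hypothetical switch name, chosen for this example

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters'
$name = 'AlwaysExpectDomainController'

# 1. Network category per connection, with the IPv6 addresses on that interface
$profiles = Get-NetConnectionProfile
$profiles | ForEach-Object {
    $v6 = Get-NetIPAddress -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv6 `
              -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Interface       = $_.InterfaceAlias
        NetworkCategory = $_.NetworkCategory
        IPv6Addresses   = ($v6.IPAddress -join ', ')
    }
} | Format-Table -AutoSize

# 2. NlaSvc state and start mode (the thread reports Manual on Server 2025)
Get-Service -Name NlaSvc | Format-Table Name, Status, StartType -AutoSize

# 3. Registry value named in the post; $null means it has not been created
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
'{0} = {1}' -f $name, $(if ($null -eq $current) { '<not set>' } else { $current })

if ($Apply -and $current -ne 1) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force |
        Out-Null
    "Set $name to 1. Reboot and re-run to confirm the category persists."
}

# 4. Flag any connection that is not DomainAuthenticated: on those interfaces
#    the firewall applies the Public/Private profile, not the Domain profile.
$bad = $profiles | Where-Object NetworkCategory -ne 'DomainAuthenticated'
if ($bad) {
    Write-Warning ('Not DomainAuthenticated: ' + ($bad.InterfaceAlias -join ', '))
    Get-NetFirewallProfile |
        Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize
}
```

Running it again after a reboot shows whether the category persisted without toggling the adapter, which is the behaviour the thread is trying to restore.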
- allisterw (Copper Contributor)
Found this issue as I've been testing Server 2025 and noticed the Network Location Awareness service is set to Manual, not Automatic. Nothing is documented about this change in the services that I can find.
- JamfSlayer (Copper Contributor)
Anything having to be done to the OS besides installing it out of the box for this feature to work properly is a "hack". No bandaids - even adding an IPv6 address should be required for this to work. It isn't in Server 2022. This should just work out of the box. By the way, in testing, demoting the server back to a member server returns the network adapter operation to normal. That's why I am convinced this has something to do with them removing the dependency on NLA, however, keeping the requirement as part of AD for some reason when the server becomes a DC. Guessing something wasn't coded properly. I hope to hear back from MS at some point on this.
- seatech (Copper Contributor)
Don’t expect a resolution of this problem before next year as MS has posted a notice with the November 12 updates as follows:
IMPORTANT Because of minimal operations during the Western holidays and the upcoming new year, there won’t be a non-security preview release for the month of December 2024. There will be a monthly security release for December 2024. Normal monthly servicing for both security and non-security preview releases will resume in January 2025.
Let's hope January will bring much needed fixes for all the WS 2025 issues.