Forum Discussion
DarienHawkins
Apr 27, 2024Copper Contributor
Server 2025 Core ADDS DC, Network Profile Showing as "Public" and not as "DomainAuthenticated"
OS: Windows Server 2025 Standard Core (no GUI), build 26085.1
Role: ADDS, DNS
ForestMode: Windows2025Forest
DomainMode: Windows2025Domain
Platform: Hyper-V guest
When standing up a clean Windows Server 2025 using server core and configuring it as a domain controller, the network category (profile) always shows as "public."
A clean load of Windows Server 2022 with server core as a domain controller has the same behavior. However, in Server 2022, the fix is to add DNS as a required service to the nlasvc (Network Location Awareness) service. Once that is done, the network category reflects "DomainAuthenticated" and persists between reboots.
In Server 2025, the nlasvc service does not have the same required services as Windows Server 2022, and it does not start automatically. Even after configuring the nlasvc service the same way it is in Server 2022 and adding DNS as a required service, the network category still reflects "public." The only way to get the network category to properly reflect the "DomainAuthenticated" status is to disable and re-enable the network adapter after each reboot.
83 Replies
- XqwizardCopper Contributor
So in the May release preview update for 24H2 it has this:
- [Network] Fixed: This update addresses an issue where Windows Server 2025 always shows the network as “public” on new domain controllers. It now checks for a domain controller name before using loopback addresses to ensure proper Lightweight Directory Access Protocol (LDAP) binding.
So I assume it will be fixed in the June Cumulative Update for Server 2025.
https://blogs.windows.com/windows-insider/2025/05/19/releasing-windows-11-build-26100-4188-to-the-release-preview-channel/
- sandro-acpCopper Contributor
🙃 I did a test just now with this preview update and I can confirm it works
Eureka!
- XqwizardCopper Contributor
How did you get the preview update for Server 2025? I thought it was only relevant for Windows 11?
- seatechCopper Contributor
The only solution that has worked for me is the April 5 Eric_Moreau script. I guess this issue is related to other security items in the Server 2025 code that have not been resolved. Why this has not been done already is puzzling; the Windows Server 2025 known issues and notifications | Microsoft Learn page is not a resolution, in fact I find the above script an easier and cleaner solution.
I agree with those critics stating MS is now cloud first and also slow in responding to clients' issues. Maybe it has to do with all the recent layoffs. See: Hard hit was the tech giant's home state of Washington, where Microsoft informed state officials it was cutting 1,985 workers tied to its Redmond headquarters, many of them in software engineering and product management roles.
- seatechCopper Contributor
With a Server 2025 DC none of the fixes have worked so far. This is an issue that MS should fix. My guess is this problem is related to how other related security items are being handled and they have not found a way to resolve it.
- GMelaIron Contributor
Hallelujah, thanks r2dluc , it's finally official: Windows Server 2025 known issues and notifications | Microsoft Learn
- SuperCacoCopper Contributor
Yes, it is now official after a year since this bug was reported.
Microsoft works worse and worse, no longer listens to their users (customers) so they make worse products that they don't even test, so they are full of bugs (that they don't fix), with less functionality, features and performance. It only adds functionality, features and products that nobody has demanded and that only benefits Microsoft (never the user) through subscriptions. Now it's all about subscriptions and artificial intelligence. Before it was “Mobile First/Cloud First” and now it is “Subscription First/IA First”.
The current Microsoft is a real disaster.
- GMelaIron Contributor
totally agree
- r2dlucCopper Contributor
Good news, they seem to have acknowledged the problem...
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-server-2025-restarts-break-services-on-domain-controllers/
- LangellaCopper Contributor
I just wanted to post here that when the NIC is set to Public on a Domain Controller, Windows services that rely on Domain Authenticated status never start; this raises alerts in our monitoring tool and causes unnecessary work for our team.
I have also experienced authentication issues when endpoints choose this DC to authenticate and the NIC is set to Public. (I have 3 other Server 2022 DCs with no similar issues.)
Hi,
I've created this Workaround Script:
It will create a folder C:\install\scripts, put a fix script in it and schedule it to run at startup; the script will reset the adapter if it is in the public profile.

```powershell
$scriptContent = @"
# FixPubFWProfile.ps1
# This script fixes the public network profile

# Wait for 60 seconds so NLA has had a chance to evaluate the network
Start-Sleep -Seconds 60

# Get the network profiles (queried after the wait so the result reflects the current state)
`$networkProfiles = Get-NetConnectionProfile

# Loop through each profile and restart the adapter if it is set to public
foreach (`$Nprofile in `$networkProfiles) {
    if (`$Nprofile.NetworkCategory -eq "Public") {
        Restart-NetAdapter -Name `$Nprofile.InterfaceAlias
    }
}
"@

$scriptPath = "c:\Install\Scripts\FixPubFWProfile.ps1"

# Create the directory if it doesn't exist
if (-not (Test-Path -Path (Split-Path -Path $scriptPath))) {
    New-Item -ItemType Directory -Path (Split-Path -Path $scriptPath) -Force
}

# Write the script content to the file
Set-Content -Path $scriptPath -Value $scriptContent
Write-Output "Script created at $scriptPath"

# Scheduled task: run the fix script as SYSTEM at startup
$action    = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -NoProfile -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable

# Check if the task already exists
$taskExists = Get-ScheduledTask -TaskName "FixPublicNetworkProfile" -ErrorAction SilentlyContinue
if ($taskExists) {
    Write-Output "Scheduled task 'FixPublicNetworkProfile' already exists"
} else {
    Register-ScheduledTask -Action $action -Trigger $trigger -Principal $principal -Settings $settings -TaskName "FixPublicNetworkProfile" -Description "Fixes the public network profile 1 minute after startup"
    Write-Output "Scheduled task 'FixPublicNetworkProfile' created to run at startup with a 1 minute delay in the script"
}
```
also on my blog: https://www.technine.be/wp-content/uploads/2025/04/Fix-Public-Network-Profile.ps1
hope this helps,
- JeffW76Copper Contributor
I have a small test network running a single 2025 Server as a DC, with DNS pointing at itself via loopback (there's nowhere else to send it). On first setting it up as a DC, it appeared to work fine, but after a subsequent reboot, firewall rules were blocking file shares and various other things.
After a while I worked out the network was in the public profile and it was likely a FW problem, then came across this post. Your script fixed the problem immediately and the least intrusively. Thank you!
I'm guessing that pointing DNS at itself is probably the cause.... we all know to point at another DC, and that likely works fine. I'm guessing DNS is not up before it makes the decision on profiles.
- dazzabozzaCopper Contributor
I can confirm that setting a manual IPv6 address on the NIC has resolved this issue for us.
EDIT - appears that this reg key is required along with the IPv6 address being set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters
Add a DWORD parameter: AlwaysExpectDomainController
Set value to: 1
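The two registry-side workarounds mentioned in this thread (the NlaSvc dependency on DNS from the original post, and the AlwaysExpectDomainController value above) applied idempotently and followed by a profile check, as an added example that is not code from any poster. It assumes an elevated PowerShell session on the DC; the key and value names come from the thread, the OK/MISMATCH report format and the DomainRole check are constructed here, and a reboot or adapter restart is still needed before NLA re-evaluates.

```powershell
# Added example: apply the thread's registry workarounds and report NLA state.
$nlaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc'
$paramKey = Join-Path $nlaKey 'Parameters'

# 1. Make NlaSvc depend on the DNS Server service (the Server 2022 fix from the OP).
#    DependOnService is REG_MULTI_SZ; append to the existing list, never overwrite it.
$deps = @((Get-ItemProperty -Path $nlaKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService)
if ($deps -notcontains 'DNS') {
    $deps = @($deps | Where-Object { $_ }) + 'DNS'
    Set-ItemProperty -Path $nlaKey -Name DependOnService -Value $deps -Type MultiString
    Write-Output "Added DNS to NlaSvc dependencies: $($deps -join ', ')"
} else {
    Write-Output 'NlaSvc already depends on DNS'
}

# 2. AlwaysExpectDomainController = 1 (the DWORD named in the post above).
if (-not (Test-Path $paramKey)) { New-Item -Path $paramKey -Force | Out-Null }
$current = (Get-ItemProperty -Path $paramKey -Name AlwaysExpectDomainController -ErrorAction SilentlyContinue).AlwaysExpectDomainController
if ($current -ne 1) {
    Set-ItemProperty -Path $paramKey -Name AlwaysExpectDomainController -Value 1 -Type DWord
    Write-Output 'Set AlwaysExpectDomainController = 1'
} else {
    Write-Output 'AlwaysExpectDomainController already 1'
}

# 3. Report what NLA currently believes, and warn if a DC is not DomainAuthenticated.
#    Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$profiles = Get-NetConnectionProfile
foreach ($p in $profiles) {
    $state = if ($p.NetworkCategory -eq 'DomainAuthenticated') { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1,-20} {2}' -f $state, $p.NetworkCategory, $p.InterfaceAlias
}
if ($isDc -and ($profiles | Where-Object NetworkCategory -ne 'DomainAuthenticated')) {
    Write-Warning 'DC adapter(s) not DomainAuthenticated: the Domain firewall profile rules are not in effect.'
}
```

Run it again after the reboot; step 3 is the part worth keeping in monitoring, since a DC whose adapters sit in Public is the condition that breaks dependent services, as Langella describes.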
- seatechCopper Contributor
Hi Eleanor, any news?
- RaySumperlCopper Contributor
This is March 2025 and the issue still exists. I have spent way too many hours trying to resolve this at a client site. The resolution was to stand up a Server 2022 DC. No issues whatsoever.
Ray S