Firewall issues in a Windows 10 member PC

Brass Contributor

I am performing some tests in a lab environment.
I installed a Windows Server 2019 server and promoted it to a domain controller for the root domain of a new forest.
I installed a Windows 10 client and joined it to the domain.
From the Domain Controller I cannot manage the Windows 10 member PC (i.e. I cannot use Group Policy Results) because the firewall is activated.
If I disable the firewall in the client (either manually or via Group Policy) everything works fine.
Is it the standard behavior or am I missing any relevant step?
Regards
marius

4 Replies
How did you set the firewall, is it private or public?
Did you add the PC to the domain?
Are you able to ping from Server or Client?
Are you using Windows Firewall?
Many thanks for your answer.
Let me clarify: I did not set anything. I simply installed Windows 10 "next" "next" "next".
I joined the PC (a VM) to a domain.
At that point I discovered that the firewall was enabled for all the networks (private, public and domain).
My questions are:
- Is it the standard behavior?
- Am I missing any relevant step?
- Should the firewall stay enabled for a Windows 10 member PC, even if it does limit some domain funcions (i.e. Group Policy Results)?
- What is the best practice?
Regards
marius

Yes, firewall should be on and all members should get the domain network profile that allows all ports for active directory functions.

  

When NLA starts to detect the network location, the machine will contact a domain controller via port 389. If this detection is successful, it will get the domain firewall profile (allowing for correct ports) and we cannot change the network location profile.
If the domain was not found or process failed, NLA will let you to determine which firewall profile will be used, private or public.

The Network Location Awareness (NLA) service expects to be able to enumerate the domain’s forest name to choose the right network profile for the connection. The service does this by calling DsGetDcName on the forest root name and issuing an LDAP query on UDP port 389 to a root Domain Controller. The service expects to be able to connect to the PDC in the forest domain to populate the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\IntranetForests
If something hinders the DNS name resolution or the connection attempt to the DC, NLA is not able to set the appropriate network profile on the connection.

So I'd check the domain controller and problem client both have the static address of DC listed for DNS and no others such as router or public DNS

 

 

 

 

Thank you @Marius_Roma for your response.

The expected behavior would be you just connect to the domain and with Windows Firewall on , it will work as expected.

I suggest open the Feedback Hub app and report this issue.

Try run Windows Update and install all updates and restart your PC and see if problem persist?

Check the Event viewer and see if there is any failure in the client side?