Windows Server 2025 has a nasty bug where domain controllers boot into the Public firewall profile instead of Domain. The nlasvc (Network Location Awareness) service doesn't start fast enough, so Windows can't confirm it's on a domain network before the firewall profile locks in.
The result: shares stop working, RDP drops, and AD authentication breaks. Everything looks fine once you manually kick the network adapter, but the problem returns after the next reboot.
Quick Fix: Restart the Network Adapter
Run this in an elevated PowerShell prompt after each reboot:
Restart-NetAdapter *
This forces NLA to re-evaluate and switch to the Domain profile. You can confirm it worked:
Get-NetConnectionProfile
Look for NetworkCategory: DomainAuthenticated.
Better Fix: Scheduled Task on Boot
Don't rely on remembering to run this manually. Create a scheduled task that fires on startup:
$action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -Command Start-Sleep 30; Restart-NetAdapter *"
$trigger = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
Register-ScheduledTask -TaskName "Fix-NLA-FirewallProfile" `
    -Action $action -Trigger $trigger -Principal $principal `
    -Description "Restarts NICs after boot to fix Public firewall profile bug"
The 30-second delay gives the OS time to fully initialize before restarting adapters.
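A more conservative variant of the startup task, as an added example that is not from the original post: it restarts only adapters whose profile is not DomainAuthenticated, retries, and logs the outcome. The script path, log path and retry count are assumptions, and it assumes every connected NIC on the DC is expected to be domain-facing.

```powershell
# Added example (not from the original post).
# Hypothetical location: C:\Scripts\Fix-NlaProfile.ps1, run by the startup task.
#Requires -RunAsAdministrator

$LogFile     = 'C:\Scripts\Fix-NlaProfile.log'  # assumed log path
$MaxAttempts = 5                                 # assumed retry budget
$WaitSeconds = 30                                # same delay the post uses

function Write-Log([string]$Message) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogFile -Value "$stamp $Message"
}

function Test-DomainProfile {
    # True only if at least one profile exists and all are DomainAuthenticated.
    # An empty result means NLA has not reported yet, which is not success.
    $profiles = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue)
    $script:Wrong = @($profiles |
        Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })
    return ($profiles.Count -gt 0 -and $script:Wrong.Count -eq 0)
}

for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    Start-Sleep -Seconds $WaitSeconds
    if (Test-DomainProfile) {
        Write-Log "Attempt ${attempt}: all profiles DomainAuthenticated."
        exit 0
    }
    if ($script:Wrong.Count -eq 0) {
        Write-Log "Attempt ${attempt}: no connection profiles reported yet."
        continue
    }
    foreach ($p in $script:Wrong) {
        Write-Log "Attempt ${attempt}: '$($p.InterfaceAlias)' is $($p.NetworkCategory); restarting."
        Restart-NetAdapter -Name $p.InterfaceAlias -Confirm:$false
    }
}

# One last check after the final restart.
Start-Sleep -Seconds $WaitSeconds
if (Test-DomainProfile) {
    Write-Log "Profiles corrected after the final restart."
    exit 0
}
Write-Log "Gave up after $MaxAttempts attempts; profile is still not DomainAuthenticated."
exit 1
```

To use it, point the task's -Argument at "-NoProfile -File C:\Scripts\Fix-NlaProfile.ps1". Because the task runs as SYSTEM, keep the script's folder writable by administrators only.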
Permanent Fix: Install KB5060842
Microsoft patched this in KB5060842. Check whether it's already installed:
Get-HotFix | Where-Object HotFixID -eq "KB5060842"
If it's not installed, grab it from Windows Update or the Microsoft Update Catalog.
Verify
After applying either fix, reboot and check:
Get-NetConnectionProfile | Select-Object Name, NetworkCategory
Expected output: NetworkCategory: DomainAuthenticated
If it still shows Public, check that the NLA service is set to Automatic:
Get-Service nlasvc | Select-Object StartType, Status