Problem Description: Major Connectivity Failure After DC Restart
A critical bug in Windows Server 2025 is causing Active Directory Domain Controllers (DCs) to become unreachable after every server restart. This issue, officially confirmed by Microsoft, results from the server applying the default (public/private) Windows Firewall profile instead of the required domain firewall profile upon reboot. The consequences are severe:
- Domain controllers are inaccessible on the domain network.
- Applications and services fail or remain unreachable.
- Ports and protocols may be exposed that should be restricted, creating a security risk.
This problem is particularly disruptive for organizations relying on Active Directory for authentication, resource access, and overall network security.
Root Cause
- Firewall Profile Misassignment: After a restart, Windows Server 2025 DCs fail to detect the domain network correctly and revert to a public or private firewall profile, rather than the domain profile.
- Network Location Awareness (NLA) Service Race Condition: NLA may start before DNS/LDAP services are fully available, causing it to misclassify the network type.
- No Permanent Fix Yet: Microsoft is aware and working on a patch, but no permanent solution is available as of April 2025.
Impact
- Critical business services may fail.
- Security posture is weakened due to incorrect firewall rules.
- Manual intervention required after every restart, increasing operational overhead and risk.
Solution: Microsoft-Recommended Workaround
Until a permanent fix arrives, the only reliable workaround is to restart the network adapter after every reboot. This forces Windows to re-evaluate the network location and apply the correct domain firewall profile.
Manual Workaround
- Open PowerShell as Administrator
- Run: Restart-NetAdapter *
This command restarts all network adapters, restoring correct network profile detection.
Automate with a Scheduled Task
To avoid manual intervention after every reboot, create a scheduled task that runs the above command at startup:
- Open Task Scheduler
- Create a New Task:
- Trigger: At system startup
- Action: Start a program
- Program/script: powershell.exe
- Add arguments: -Command "Restart-NetAdapter *"
- Run with highest privileges
- Configure for: Windows Server 2025
This ensures the network adapter is restarted automatically after every reboot, minimizing downtime and manual effort.
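The following script is an added example, not code from the original article or from Microsoft. It implements the manual workaround and the scheduled-task automation above in one file, with the check a DC administrator would want before blindly restarting adapters: it reads the connection profile with Get-NetConnectionProfile and the firewall's active profile with Get-NetFirewallSetting, restarts the adapters only when the network is not DomainAuthenticated, waits for NLA to re-evaluate, and re-checks a few times before reporting failure. The script path C:\Scripts\Repair-DomainProfile.ps1, the task name, and the retry/wait values are placeholders chosen for this example.

```powershell
# Added example (not from the original article). Usage:
#   .\Repair-DomainProfile.ps1            -> check and, if needed, restart adapters
#   .\Repair-DomainProfile.ps1 -Register  -> create the startup task that runs this script
param([switch]$Register)

function Test-DomainProfile {
    # A DC should report DomainAuthenticated on every production interface.
    $nonDomain = @(Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })
    # ActiveProfile shows which firewall rule set is actually in force right now.
    $active = (Get-NetFirewallSetting).ActiveProfile
    [pscustomobject]@{
        AllDomain     = ($nonDomain.Count -eq 0)
        NonDomain     = $nonDomain
        ActiveProfile = $active
    }
}

function Repair-DomainProfile {
    param([int]$Attempts = 3, [int]$WaitSeconds = 20)   # placeholder values

    for ($i = 1; $i -le $Attempts; $i++) {
        $state = Test-DomainProfile
        if ($state.AllDomain) {
            Write-Output "Attempt ${i}: all profiles DomainAuthenticated (firewall ActiveProfile=$($state.ActiveProfile)); nothing to do."
            return $true
        }
        $names = ($state.NonDomain | ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join ', '
        Write-Output "Attempt ${i}: wrong profile on $names; restarting adapters."
        # Same action as the article's workaround: restarting the adapters makes
        # NLA re-evaluate the network location.
        Restart-NetAdapter -Name '*' -Confirm:$false
        # Give NLA time to reach DNS/LDAP on the restarted link before re-checking.
        Start-Sleep -Seconds $WaitSeconds
    }
    Write-Warning "Domain profile still not applied after $Attempts attempts; manual investigation required."
    return $false
}

function Register-RepairTask {
    param(
        [string]$ScriptPath = 'C:\Scripts\Repair-DomainProfile.ps1',   # placeholder path
        [string]$TaskName   = 'Repair-DomainFirewallProfile'           # placeholder name
    )
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -AtStartup
    # Run as SYSTEM with highest privileges, so no credentials are stored in the task.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
        -ExecutionTimeLimit (New-TimeSpan -Minutes 10)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force
}

if ($Register) {
    Register-RepairTask
} else {
    # A non-zero exit code surfaces in Task Scheduler's "Last Run Result",
    # so a DC that never regained its domain profile is visible to monitoring.
    if (-not (Repair-DomainProfile)) { exit 1 }
}
```

Run the script once with -Register from an elevated PowerShell session on the DC to create the startup task; on every later boot the task runs the script without the switch. Because the check is made before any adapter restart, the task is harmless once Microsoft's permanent fix is installed, and its exit code gives you a signal to monitor rather than a silent restart.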
Additional Best Practices
- Monitor for Microsoft Updates: Apply the official fix as soon as Microsoft releases it.
- Maintain Redundant DCs: If possible, have multiple domain controllers to reduce risk during outages.
- Document and Communicate: Ensure all IT staff are aware of the workaround and have clear, step-by-step instructions.
Despite this frustrating bug, you can maintain business continuity and security by automating the recommended workaround. Stay proactive, keep your systems monitored, and be ready to apply Microsoft’s permanent fix as soon as it’s released. Your expertise in implementing these temporary solutions will ensure your organization remains resilient and secure during this challenging period.