Domain server starts with wrong network profile

Carl Burch 216 Reputation points
2020-12-22T05:19:46.353+00:00

Server 2019 DC. When the server is started or restarted it always starts with the Private Network profile active in Windows Defender Firewall. This has been an issue since Server 2019 was released. I've experienced this on 5 different servers for 5 different clients I've set up Server 2019 for.
I have to restart the Network Location Awareness service to get the Domain profile as active. I assume this is because NLASVC starts before the Active Directory services get going. My current workaround is using Task Scheduler where I created a task to stop NLASVC 1 minute after startup. Sometimes it works. Most of the time it doesn't. My next choice for delay on the task is 5 minutes. That's just too long. Now I can just export the task, edit the XML file to set the delay to 3 minutes. Then import the edited task and all is fine. But with that delay it creates a new problem with other programs (such as a third party MFA one client uses).
Looking at the Network Location Awareness service I note that it has no dependencies (but it stops the Network List Service when stopped). So my question is, what service can I make either NETPROFM or NLASVC dependent upon so that it doesn't start early? I'd like to do away with having to create a restart in Task Scheduler, as if the timing isn't "just right" it gives me issues with other programs.


12 answers

  1. Anonymous
    2020-12-23T14:04:22.027+00:00

    Always recommended to have at least two domain controllers for high availability and for disaster mitigation. Simple solution is to delay the restart of the NLA service via Task Scheduler.


  2. Carl Burch 216 Reputation points
    2020-12-23T14:06:34.91+00:00

    Well, it didn't work upon the morning restart. With what's going on in my lab today I'll be restarting it several times I know. Got a reminder note taped to it to check the active profile upon each restart. We'll see what happens as that morning restart may have just been a fluke.


  3. Anonymous
    2020-12-24T02:13:47.483+00:00

    "it didn't work upon the morning restart."

    Make sure the configuration of the NLA dependencies and the DNS suffix for this connection are right when you find it didn't work.

    I see someone added Netlogon, DNS, and NTDS as dependencies of NLA and it works.

    You might do a test:

        sc.exe config nlasvc depend= NSI/RpcSs/TcpIp/Dhcp/Eventlog/DNS/NTDS/Netlogon

    If the above steps still don't work, we need to trace and monitor logs to analyze the cause. Tools such as Network Monitor and Process Monitor can be considered. However, analysis of logs is beyond our forum support level and, due to forum security policy, we have no such channel to collect user log information. So we recommend you open a case with MS Professional tech support service; they will help you open a phone or email case with Microsoft, so that you get technical support on a one-to-one basis while ensuring private information.

    Here is the link:

    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers


  4. Carl Burch 216 Reputation points
    2020-12-26T15:01:18.683+00:00

    Bottom line is that it's not working. So I give up and have reverted back to the task scheduler with a 2 minute delay to restart NLASVC on startup.


  5. FunckAdam-6052 0 Reputation points
    2023-07-10T20:47:30.54+00:00

    You may want to consider a reactive restart rather than a timed one.
    By using PowerShell to check the network profile your scheduled task can act without delay if it needs to, and just sit quietly if it's not needed.

    { I just ran into this the first time myself, so the code below doesn't have much field testing. Depending on the environment and root cause other services could be relevant. }

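    <# Make sure the Connection Profile has correctly established as DomainAuthenticated #>
    $NetConnection = Get-NetConnectionProfile

    # Restart NLA only when a connection profile is not DomainAuthenticated
    if ($NetConnection.NetworkCategory -ne 'DomainAuthenticated')
    {
        # -Force lets the restart proceed although other services depend on NlaSvc
        Get-Service NlaSvc | Restart-Service -Force
    }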
    
    
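A bounded-retry version of the reactive check suggested in answer 5, as an added example that is not part of any post in this thread. The parameter names, the retry defaults, the rule that every connection profile must be DomainAuthenticated, and the choice to wait for Netlogon before restarting (following the question's guess that NLA starts before the Active Directory services) are assumptions.

```powershell
# Added example: startup check for the firewall network profile on a domain controller.
# Parameter names and defaults are assumptions, not values from the thread.
param(
    [int]$MaxAttempts  = 6,    # number of checks before giving up
    [int]$DelaySeconds = 20    # pause between checks
)

function Test-DomainProfile {
    # True only when at least one profile exists and all of them are DomainAuthenticated.
    # Assumption: every adapter on this server is expected to be on the domain network.
    $profiles = @(Get-NetConnectionProfile -ErrorAction SilentlyContinue)
    if ($profiles.Count -eq 0) { return $false }
    $wrong = @($profiles | Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' })
    return ($wrong.Count -eq 0)
}

for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    if (Test-DomainProfile) {
        Write-Output "Attempt ${attempt}: domain profile active, nothing to do."
        exit 0
    }

    # Assumption taken from the question: NLA picks the wrong profile when it
    # starts before the AD services, so restart it only once Netlogon is running.
    $netlogon = Get-Service -Name Netlogon
    if ($netlogon.Status -eq 'Running') {
        Write-Output "Attempt ${attempt}: profile is not DomainAuthenticated, restarting NlaSvc."
        # -Force is needed because the Network List Service depends on NlaSvc.
        Restart-Service -Name NlaSvc -Force
    }
    else {
        Write-Output "Attempt ${attempt}: Netlogon is $($netlogon.Status), waiting."
    }

    Start-Sleep -Seconds $DelaySeconds
}

# Final check after the last restart, so the exit code reflects the real end state.
if (Test-DomainProfile) {
    Write-Output "Domain profile active after $MaxAttempts attempts."
    exit 0
}

Write-Error "Domain profile still not active after $MaxAttempts attempts."
exit 1
```

Run from an "At startup" scheduled task, the non-zero exit code shows up as the task's last run result, so a server left on the Private firewall profile is visible instead of silent.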
