
Overview
Microsoft has recently identified a critical issue affecting Windows Server 2025 domain controllers running the Active Directory Domain Services (AD DS) role. This bug causes domain controllers to incorrectly apply firewall profiles after a system restart, leading to significant network accessibility and security concerns.
Nature of the Bug
Upon rebooting, affected domain controllers fail to load the appropriate "Domain Authenticated" firewall profile. Instead, they default to the "Public" or standard firewall profile. This misconfiguration results in:
- Network Inaccessibility: Domain controllers may become unreachable within the domain network, disrupting essential services such as authentication, Group Policy application, and replication.
- Service Failures: Applications and services dependent on the domain controller may fail or become inaccessible.
- Security Vulnerabilities: Ports and protocols that should be restricted by the domain firewall profile may remain open, exposing the network to potential threats.
This issue is specific to Windows Server 2025 systems with the AD DS role and does not affect client systems or earlier server versions.
Technical Details
The problem arises from the domain controllers' failure to apply the correct network profile upon reboot. Instead of recognizing the domain network and applying the "Domain Authenticated" firewall profile, the servers default to a "Public" profile. This misassignment disrupts critical Active Directory functions, including:
- Group Policy Processing: Policies may fail to apply or update on member machines.
- Authentication and Replication: Authentication requests and replication between controllers and clients may be hindered.
Similar issues have been observed in previous Windows Server versions, such as 2022, but prior fixes do not resolve this new problem in Windows Server 2025, indicating a regression or new underlying cause.
Workarounds and Mitigation
Microsoft has provided a temporary workaround to mitigate the issue:
- Manual Network Adapter Restart: Administrators can manually restart the network adapter on affected domain controllers using the following PowerShell command:
``INLINECODE0 ``
This action forces the system to reapply the correct firewall profile, restoring domain functionality. However, this workaround must be executed after every reboot, as the problem recurs each time the server restarts.
- Automated Scheduled Task: To reduce manual intervention, administrators can create a scheduled task that triggers the network adapter restart automatically upon system startup. This approach helps maintain operational continuity but does not resolve the underlying issue.
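The following is an added example (not from the page, and not Microsoft's own script) that implements the automated workaround described above: a startup task that checks whether every connected interface reports the DomainAuthenticated category, restarts the adapters only when it does not, re-checks, and logs the outcome so the "monitor domain controller health" recommendation is covered too. It assumes Restart-NetAdapter is the adapter-restart cmdlet; the script path, log path and task name are placeholders.

```powershell
# Added example: startup remediation for the Windows Server 2025 DC firewall-profile issue.
# Assumptions: Restart-NetAdapter is the workaround cmdlet; paths and task name are placeholders.
$ScriptPath = 'C:\Scripts\Fix-DcFirewallProfile.ps1'   # placeholder path
$TaskName   = 'Fix-DcFirewallProfile'                  # placeholder task name

# Step 1: the logic the task runs at every boot (written out as its own script file).
$Remediation = @'
$log = 'C:\Scripts\Fix-DcFirewallProfile.log'          # placeholder log path
function Get-NonDomainProfile {
    # On a DC every connected interface should report DomainAuthenticated.
    Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }
}
$bad = @(Get-NonDomainProfile)
if ($bad.Count -eq 0) {
    "$(Get-Date -Format o) OK: all interfaces use the Domain profile" | Add-Content $log
    return                                              # nothing to fix, leave adapters alone
}
"$(Get-Date -Format o) WRONG PROFILE on: $($bad.InterfaceAlias -join ', ')" | Add-Content $log
# Apply the workaround: bounce the connected physical adapters, then give the
# Network Location Awareness service time to re-evaluate the network.
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Restart-NetAdapter -Confirm:$false
Start-Sleep -Seconds 30
$still = @(Get-NonDomainProfile)
if ($still.Count -gt 0) {
    # Leave a clear marker for monitoring: the workaround did not take effect.
    "$(Get-Date -Format o) STILL WRONG after restart: $($still.InterfaceAlias -join ', ')" | Add-Content $log
    exit 1
}
"$(Get-Date -Format o) FIXED: Domain profile restored after adapter restart" | Add-Content $log
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $Remediation -Encoding UTF8

# Step 2: register the startup task as SYSTEM with a short delay so the network
# stack is up before the profile is inspected.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = 'PT2M'                                 # ISO 8601: wait two minutes after boot
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null
```

Run the registration once as an administrator on each affected domain controller; the log file then shows, per boot, whether the profile was already correct, was corrected by the adapter restart, or stayed wrong and needs attention.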
Implications for Enterprise Networks
For organizations relying on Active Directory services, this bug poses significant risks:
- Operational Downtime: Domain controllers becoming unreachable leads to authentication failures and disruption of critical services.
- Security Exposure: The misapplied profile may leave ports open that the domain firewall profile would otherwise restrict, widening the domain controller's attack surface.
- Increased Administrative Burden: Manual or scripted workarounds are required, complicating post-restart procedures and increasing the risk of human error.
Recommendations for Administrators
Until Microsoft releases a permanent fix, administrators should:
- Implement the Workaround: Apply the manual or automated network adapter restart after each reboot to restore proper firewall profile application.
- Monitor Domain Controller Health: Closely watch for any connectivity issues or service errors related to Active Directory functionalities.
- Minimize Restarts: Avoid unnecessary reboots of affected domain controllers to reduce the frequency of encountering the issue.
- Communicate with Stakeholders: Ensure all relevant IT teams and users are informed about potential service interruptions.
- Prepare Contingency Plans: Anticipate potential operational impacts and have fallback procedures ready to maintain critical services dependent on Active Directory.
Microsoft's Response and Outlook
Microsoft has acknowledged the bug and indicated that its engineering teams are actively working on a comprehensive resolution. While no specific timeline has been announced, forthcoming cumulative updates for Windows Server 2025 are expected to permanently address the firewall profile misapplication after reboot.
Conclusion
The Windows Server 2025 domain controller restart bug affecting firewall profile application is a critical issue with direct consequences for Active Directory operation, network security, and enterprise continuity. While a manual workaround is available, it demands deliberate action after every restart, underscoring the need for Microsoft’s forthcoming permanent fix. In the meantime, administrators must adopt the workaround, monitor their environments closely, and limit restarts to safeguard Active Directory-dependent services.