Overview

Microsoft's latest server operating system, Windows Server 2025, has encountered a significant issue affecting domain controllers (DCs). After a system restart, these servers may fail to manage network traffic correctly due to the application of an incorrect firewall profile. This misconfiguration can lead to service disruptions and potential security vulnerabilities.

Nature of the Bug

Upon rebooting, affected Windows Server 2025 domain controllers load the standard or public firewall profile instead of the appropriate domain firewall profile. This misapplication results in several critical issues:

  • Domain Controller Accessibility: The incorrect firewall profile may block essential services, rendering domain controllers inaccessible within the network.
  • Service and Application Failures: Applications and services dependent on domain controllers may fail or become unreachable.
  • Security Risks: The public firewall profile may leave ports and protocols open that should be restricted, increasing exposure to potential threats.

This issue is specific to Windows Server 2025 systems with the Active Directory Domain Services (AD DS) role. Earlier versions of Windows Server and client operating systems are not affected.

Technical Details

Firewall profiles in Windows are designed to apply specific rules based on the network environment:

  • Domain Profile: Applied when connected to a domain network, enforcing strict rules suitable for enterprise environments.
  • Private Profile: Used for private networks, such as home or small office networks.
  • Public Profile: Applied when connected to public networks, enforcing more restrictive rules to protect the system.

In this bug, the domain controllers fail to apply the domain profile upon restart, defaulting instead to the public profile. This misconfiguration disrupts essential Active Directory functions, including:

  • Group Policy Application: Policies may fail to propagate correctly.
  • Replication Traffic: Domain controllers may not replicate directory information properly.
  • Authentication Services: Services like Kerberos and LDAP may be hindered, affecting user authentication.

Workarounds and Mitigation

Microsoft has acknowledged the issue and provided a temporary workaround. Administrators can manually restart the network adapter on affected servers using the following PowerShell command:

CODEBLOCK0

This action forces the system to reapply the correct firewall profile. However, since the issue recurs after each reboot, this workaround must be repeated every time the server restarts. To automate this process, administrators can create a scheduled task that runs the command at system startup.

Implications and Impact

The firewall profile misconfiguration poses several risks:

  • Operational Downtime: Inaccessible domain controllers can lead to authentication failures and service disruptions.
  • Security Exposure: An incorrect firewall profile may expose the network to external threats.
  • Administrative Overhead: Repeated manual or automated interventions increase the complexity of system management.

Microsoft's Response

Microsoft is actively working on a permanent fix for this issue, which will be provided in a future update. Administrators are advised to monitor official communications from Microsoft for updates and apply the recommended workarounds in the interim.

Conclusion

The Windows Server 2025 domain controller firewall bug is a critical issue that requires immediate attention from IT administrators. Implementing the provided workarounds can help mitigate the impact until a permanent solution is available. Staying informed through official channels is essential to ensure the security and stability of enterprise networks.