Domain Controller thinks its on a Public Network

Whether the network of a domain controller is classified as domain network doesn't depend on the gateway configuration.

The behaviour of a false network classification can be caused the NLA (network location awareness) service starts before the domain is available. In this case the public or private network is chosen and not corrected afterwards.

How to check if this fault situation is given
When the domain controller after rebooting is in the public network, restart the NLA service or disconnect / reconnect the network. The domain controller should be in the domain network afterwards.

How to solve it
It may help to set the NLA Service to delayed start. Better, check why the domain needs long to be present. It seems that the domain needs longer to start when there are multiple network cards.

When it doesn't help
When neither speeding up the loading of the domain nor the delay of NLA help and the error is caused by the long loading of the domain (look: "how to check..."), then there are some more things that can be done.

• Write a script for restarting it an run it with the scheduler (dangerous)

• Shift the loading of the NLA service to the end of the service starts, changing the load order in the registry (dangerous)

  The following Registry entry sets the dependencies to NSI RpcSs TcpIp Dhcp Eventlog NTDS DNS:

  REGEDIT4
  
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc]
  "DependOnService"=hex(7):4e,53,49,00,52,70,63,53,73,00,54,63,70,49,70,00,44,68,\
  63,70,00,45,76,65,6e,74,6c,6f,67,00,4e,54,44,53,00,44,4e,53,00,00
  

• Execute "IPCONFIG /RENEW" from scheduler at startup with a delay of 1 or 2 minutes (better than starting NLA service)

• Restart the NLA service manually after every reboot (but: "IPCONFIG /RENEW" should be preferred)!

One more cause can also be when the domain controller has two or more IPs configured (on the same or on other network cards) and the additional networks aren't configured in the DNS.

Reproduction of the behaviour
On a test domain controller (single DC!) I deleted the default gateway entry and set the DNS Server to delayed start. Doing this the domain needed long to get loaded and the network was classified as public. After disconnecting and reconnecting the network cable, the network was classified correctly as domain network.

Edit

gratefully from the comments of Daniel Fisher lennybacon and Joshua Hanley:

How to add a dependency for NlaSvc to DNS and NTDS

run sc config nlasvc depend=NSI/RpcSs/TcpIp/Dhcp/Eventlog/DNS/NTDS from CMD (use sc.exe if you're running it in PowerShell). If you want to double-check the existing dependencies before adding DNS and NTDS, use sc qc nlasvc

Do you have a default gateway on that connection? Does it reply to ping requests?

Windows uses gateways to identify networks; if it doesn't have a gateway configured, or if it can't succesfully ping it, it will not be able to identify the network it's connected to and will assume it's a public one.

I've seen similar behavior standing up a 2008 R2 AD server. The thing that got me was having more than one NIC enabled, even though it wasn't in use. Once I disabled the unused NICs and rebooted, the problem went away.

The exact windows feature you're up against here is called NLA (Network Location Awareness). I don't know enough about it to claim to be an expert, but I know there's some interesting information out there on the intertubes about how it all works, or is supposed to work.

In my case, the server was DMZ and many firewall rules blocking the server to talk to domain controllers. In this case, you will need to open up Firewalls (hardware FW) to allow servers to communicate. Also to run a test, connect the server to network where firewall rules are allowing communications between client and servers.

Implementation of marsh-wiggle's excellent answer in Ansible:

- name: Set dependencies of NLA service
  ansible.windows.win_service:
    name: nlasvc
    dependencies:
      - DNS
      - NTDS
    dependency_action: add
  notify: restart nlasvc

where restart nlasvc calls the following handler:

- name: restart nlasvc
  ansible.windows.win_service:
    name: nlasvc
    state: restarted
    force_dependent_services: yes

I had a similar event on a stand-alone 2016 Active Directory DS server. Server showed in a Public network. The initial symptom was that DNS lookups would fail against this server using NSLookup. Attempts to open DNS manager resulted in an access denied message.

There were system event logs for LSA Event 40960 and NETLOGON 5781. Under Application and Services Logs > DNS there were DNS-Server-Service 4000 events logged.

This pointed to the server's machine password. The solution was stopping KDC, purging the list, resetting the machine's secret and restarting KDC.

net stop kdc
klist purge
netdom resetpwd /server:127.0.0.1 /userd:domainname.local\administrator /passwordd:*
net start kdc

A random password hash was generated and stored in the machine and in Active Directory. After restarting Active Directory Directory Services functionality was restored. A restart is recommended.

After installing a new domain controller, you may find that the "WINDOWS FIREWALL" does not get set properly to "DOMAIN: ON". This is a result of bad installation defaults provided by Microsoft. To fix this, clear the IP6 DNS settings on the network connection from "::0" back to automatic. Also, clear the IP6 Forwarders from the DNS server.