Microsoft has issued a critical alert to IT administrators regarding a significant bug impacting Windows Server 2025 domain controllers.
The warning highlights that after a system restart, these servers may encounter a failure in properly managing network traffic. This malfunction carries the potential to cause disruptions within Active Directory (AD) environments, a core component for network management in many organizations.
The root cause of this problem lies in the behavior of the domain controllers after a reboot. Instead of correctly loading the necessary domain firewall profile, the servers are mistakenly loading the standard firewall profile. This misapplication of the firewall settings leads to a cascade of issues. Affected domain controllers may become unreachable on the domain network, effectively isolating them. Furthermore, applications and services hosted on these servers or accessed by remote devices may experience failures or become inaccessible, hindering normal operations. Critically, ports and protocols that should be secured by the domain firewall profile might remain open, introducing potential security vulnerabilities within the network. It's important to note that this issue is specific to Windows Server 2025 systems running the Active Directory Domain Services role, with client systems and earlier server versions remaining unaffected.
To address this immediate problem, Microsoft has provided a temporary workaround for affected systems. Administrators can manually resolve the network traffic issue by restarting the network adapter on the impacted servers using a specific PowerShell command. However, this solution is not persistent and must be reapplied each time the server undergoes a restart, as the underlying problem reoccurs with every reboot. To improve efficiency, Microsoft suggests automating this process by creating a scheduled task that automatically restarts the network adapter whenever a domain controller is restarted.
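The following PowerShell is an added example, not from the article or from Microsoft: it checks whether a domain controller came up on the wrong firewall profile, applies the adapter-restart workaround the article describes, and registers the startup task that repeats it after every reboot. The article does not name the command; `Restart-NetAdapter` is the built-in cmdlet that restarts a network adapter and is assumed here, as are the task name, the one-minute startup delay and the assumption that every NIC on the server is a domain-facing interface.

```powershell
# Added example (not the article's or Microsoft's own script). Assumes a Windows Server 2025
# DC whose adapters are all domain-facing, and an arbitrary task name chosen below.

# 1. Detection: a DC whose active connection profile is anything other than
#    DomainAuthenticated is showing the symptom the advisory describes.
function Test-DcFirewallProfile {
    $bad = Get-NetConnectionProfile |
           Where-Object { $_.NetworkCategory -ne 'DomainAuthenticated' }
    if ($bad) {
        $list = ($bad | ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)" }) -join ', '
        Write-Warning "Interfaces not on the domain profile: $list"
        return $false
    }
    Write-Host 'All interfaces are on the DomainAuthenticated profile.'
    return $true
}

# 2. Workaround: restart the adapters so Network Location Awareness re-evaluates the
#    profile. This does not persist; the wrong profile returns on the next reboot.
function Repair-DcNetworkProfile {
    if (Test-DcFirewallProfile) { return $true }
    Restart-NetAdapter -Name '*' -Confirm:$false
    Start-Sleep -Seconds 15          # give NLA time to re-detect the domain
    return (Test-DcFirewallProfile)
}

# 3. Make the workaround survive reboots: a SYSTEM scheduled task that restarts the
#    adapters at startup, delayed one minute so the NIC and NLA service are already up.
function Register-DcAdapterRestartTask {
    param([string]$TaskName = 'WS2025-DC-RestartNetAdapter')   # placeholder task name
    $cmd = 'Restart-NetAdapter -Name * -Confirm:$false'
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$cmd`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $trigger.Delay = 'PT1M'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                   -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force `
        -Description 'Workaround: restart adapters so the DC loads the domain firewall profile'
}

Repair-DcNetworkProfile          # fix the running system now
Register-DcAdapterRestartTask    # and re-apply automatically after each restart
```

Run it elevated on the affected DC; the warning from `Test-DcFirewallProfile` is also a cheap check to feed a monitoring job while the permanent fix is outstanding.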
The fundamental reason for this issue is the domain controllers' inability to apply the correct network profile following a reboot. Instead of loading the "Domain Authenticated" profile, they are defaulting to a more restrictive "Public" or standard firewall profile. This incorrect profile application disrupts essential Active Directory functions, including the application of Group Policy, replication processes between domain controllers, and user authentication. While similar issues have been observed in previous Windows Server versions, such as Windows Server 2022, prior fixes implemented for those versions do not resolve this specific problem in Windows Server 2025.
Microsoft has acknowledged the severity of the issue and has confirmed that its engineers are actively engaged in developing a permanent resolution. The company anticipates that a fix will be included in a future update; however, a specific timeline for its release has not yet been provided. In the interim, Microsoft strongly recommends several actions for administrators. They should implement the provided manual workaround or automate it using scheduled tasks to mitigate the immediate impact. Additionally, close monitoring of domain controllers for any signs of connectivity or service disruptions is crucial. Finally, administrators are advised to avoid unnecessary restarts of affected servers whenever possible to minimize potential disruptions. Organizations utilizing Windows Server 2025 with Active Directory Domain Services should prepare for potential downtime during necessary restarts and take steps to ensure the continued operation of critical services that rely on Active Directory through these temporary measures.