How to restrict AD DS, DNS, and FS services to internal interfaces on Windows Server 2019?

I have a Windows Server 2019 server, which is running some services itself, and Hyper-V virtual machines with Windows and Linux guests.

To centralize user and machine management, I have set up Active Directory Domain Services, DNS, and File and Storage Services on the host system. I have joined the various virtual machines to the AD domain, and control users and (virtual) machine policies from a single point.

This is working fine, in an isolated view.

The bigger picture is that all services (AD DS, DNS, File and Storage) are binding to everything (any interface). I realized this quickly, and disabled (or changed) the firewall rules for the services to match only the internal interface I want the services on.

However, after the nightly restart (installing patches, etc.), some/most of the firewall rules added by AD DS, DNS, and File and Storage were re-enabled and changed back to their default state (any interface).

How do I configure AD DS, DNS, and File and Storage services to bind only to a specified internal interface, or how do I force my firewall rule changes so "they" (the services) don't override it after every server restart?


Solution 1:

Don't mix AD, Hyper-V and File Server in one Windows Server instance. Just install Hyper-V on bare metal and deploy separate Windows VMs for the AD and File Server roles. Virtual Switches allow you to segregate network interfaces for each role.

Here is an explanation regarding combining Hyper-V and the AD role on the same server: https://www.hyper-v.io/combining-hyper-v-dc-role-server-bad-idea/
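For the case where the roles stay on the host for now, here is an added example (not from the question or the answer) of pinning them to the internal interface: DNS is bound to one address, and AD DS and SMB, which listen on every address, are fenced off with explicit block rules on the external interface, which Windows Firewall evaluates ahead of allow rules, so a patch cycle that resets the built-in allow rules to "any interface" does not reopen them. The interface aliases `vEthernet (Internal)` and `Ethernet`, and the address `10.0.10.1`, are assumptions for this example.

```powershell
# Added example for the question above; run in an elevated PowerShell on the
# Server 2019 host. Interface names and the internal IP are assumptions.
$InternalAlias = 'vEthernet (Internal)'   # Hyper-V host vNIC on the internal switch
$ExternalAlias = 'Ethernet'               # physical NIC facing the rest of the network
$InternalIP    = '10.0.10.1'              # host address on the internal switch

# 1. DNS Server is the one role here that can be bound to specific addresses.
$dns = Get-DnsServerSetting -All
$dns.ListeningIPAddress = @($InternalIP)
Set-DnsServerSetting -InputObject $dns
Restart-Service -Name DNS

# 2. AD DS (LDAP, Kerberos, RPC) and SMB listen on all addresses, so restrict
#    them at the firewall. Explicit Block rules take precedence over Allow rules,
#    so these hold even if the role-installed Allow rules are reset to "any".
$Ports = @{
    TCP = @('53','88','135','139','389','445','464','636','3268','3269','49152-65535')
    UDP = @('53','88','123','137','138','389','464')
}
foreach ($proto in $Ports.Keys) {
    $name = "Block $proto AD DS/DNS/SMB on $ExternalAlias"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $proto -LocalPort $Ports[$proto] `
            -InterfaceAlias $ExternalAlias -Profile Any -Enabled True | Out-Null
    }
}

# 3. Verify after the next restart: DNS should list only the internal address,
#    and the block rules should still be enabled.
(Get-DnsServerSetting -All).ListeningIPAddress
Get-NetFirewallRule -DisplayName 'Block * AD DS/DNS/SMB on *' |
    Select-Object DisplayName, Enabled, Action |
    Format-Table -AutoSize
```

If the host's firewall is managed by Group Policy, put the same block rules in that policy as well, since locally created rules can be replaced when the policy is reapplied.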