Windows Firewall GPO not applying properly

windows firewall active-directory group-policy

So I've got a small lab with 2 DCs, both running server 2019 core. I've created a GPO with some Firewall Rules and linked it at the top of the domain, applying to all devices, including both DCs.

DC1, which currently still holds all FSMO roles, has received the policy but the rules are not active

DC2, has received the policy and has all rules active.

I can't for the life of me figure out why one DC is properly applying the rules while the other isn't. I can navigate to the registry and see the firewall rules on both DCs, in an RSOP it shows that the computer is definitely receiving the policy and parsing it and I can even see the rules when searching for them in PowerShell, but ... then there's a difference when comparing both DCs:

DC1 (where rules are not applied):

EnforcementStatus Name Profile PrimaryStatus

----------------- ---- ------- -------------

ProfileInactive ComPlusNetworkAccess-DCOM-In Domain Inactive

{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-UDP Any OK

{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-TCP Any OK

ProfileInactive RemoteEventLogSvc-RPCSS-In-TCP Domain Inactive

ProfileInactive RemoteEventLogSvc-NP-In-TCP Domain Inactive

ProfileInactive RemoteEventLogSvc-In-TCP Domain Inactive

ProfileInactive RVM-RPCSS-In-TCP Domain Inactive

ProfileInactive RVM-VDSLDR-In-TCP Domain Inactive

ProfileInactive RVM-VDS-In-TCP Domain Inactive

ProfileInactive ComPlusRemoteAdministration-DCOM-In Domain Inactive

ProfileInactive WMI-ASYNC-In-TCP Domain Inactive

ProfileInactive WMI-WINMGMT-In-TCP Domain Inactive

ProfileInactive WMI-RPCSS-In-TCP Domain Inactive

ProfileInactive RemoteTask-RPCSS-In-TCP Domain Inactive

ProfileInactive RemoteTask-In-TCP Domain Inactive

Whereas on DC2 they look like this:

EnforcementStatus Name Profile PrimaryStatus

----------------- ---- ------- -------------

Enforced ComPlusNetworkAccess-DCOM-In Domain OK

{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-UDP Any OK

{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-TCP Any OK

Enforced RemoteEventLogSvc-RPCSS-In-TCP Domain OK

Enforced RemoteEventLogSvc-NP-In-TCP Domain OK

Enforced RemoteEventLogSvc-In-TCP Domain OK

Enforced RVM-RPCSS-In-TCP Domain OK

Enforced RVM-VDSLDR-In-TCP Domain OK

Enforced RVM-VDS-In-TCP Domain OK

Enforced ComPlusRemoteAdministration-DCOM-In Domain OK

Enforced WMI-ASYNC-In-TCP Domain OK

Enforced WMI-WINMGMT-In-TCP Domain OK

Enforced WMI-RPCSS-In-TCP Domain OK

Enforced RemoteTask-RPCSS-In-TCP Domain OK

Enforced RemoteTask-In-TCP Domain OK

So in short, all rules applied via GPO to DC1 are in "Inactive" status and show enforcement status as "ProfileInactive" - which point to the Domain profile being disabled, but that's actually not the case at all - all firewall profiles are enabled on both DCs and of course there are some custom (domain profile) rules that get enabled by DCPromo anyway so that profile has to be up and working, but here from both DCs

DC1:

Name : Domain

Enabled : True

DefaultInboundAction : NotConfigured

DefaultOutboundAction : NotConfigured

AllowInboundRules : NotConfigured

AllowLocalFirewallRules : NotConfigured

AllowLocalIPsecRules : NotConfigured

AllowUserApps : NotConfigured

AllowUserPorts : NotConfigured

AllowUnicastResponseToMulticast : NotConfigured

NotifyOnListen : False

EnableStealthModeForIPsec : NotConfigured

LogFileName : %systemroot%\system32\LogFiles\Firewall\pfirewall.log

LogMaxSizeKilobytes : 4096

LogAllowed : False

LogBlocked : False

LogIgnored : NotConfigured

DisabledInterfaceAliases : {NotConfigured}

DC2:

Name : Domain

Enabled : True

DefaultInboundAction : NotConfigured

DefaultOutboundAction : NotConfigured

AllowInboundRules : NotConfigured

AllowLocalFirewallRules : NotConfigured

AllowLocalIPsecRules : NotConfigured

AllowUserApps : NotConfigured

AllowUserPorts : NotConfigured

AllowUnicastResponseToMulticast : NotConfigured

NotifyOnListen : False

EnableStealthModeForIPsec : NotConfigured

LogFileName : %systemroot%\system32\LogFiles\Firewall\pfirewall.log

LogMaxSizeKilobytes : 4096

LogAllowed : False

LogBlocked : False

LogIgnored : NotConfigured

DisabledInterfaceAliases : {NotConfigured}

Anyone got any clues of where the problem might lie?


In the network settings on DC1, are you connected to the domain profile? Settings -> Network & Internet -> Network and Sharing Center -> Change advanced sharing settings -> Ensure Domain is current profile.

Related

How do I go about VMs in the cloud I only need for specific times?
How to download backup files which is WordPress Data on GCP?
Why does ipa-client-install fail when downloading the CA cert
EC2 instance automatically becomes unavailable - 504 Gateway timeout
Difficulty adding new folder in network root directory
Extended/Logical partition with parted
Apache to serve both static file and webapp
Option to configure TLS version in rsyslog
How can I find multiple values from windows command line output?
Apache mod_rewrite encode query string parameters
postgresql trigger for updating multiple columns
haproxy forcing a redirect to login and redirect back