Windows Firewall GPO not applying properly

So I've got a small lab with 2 DCs, both running server 2019 core. I've created a GPO with some Firewall Rules and linked it at the top of the domain, applying to all devices, including both DCs.

DC1, which currently still holds all FSMO roles, has received the policy but the rules are not active

DC2, has received the policy and has all rules active.

I can't for the life of me figure out why one DC is properly applying the rules while the other isn't. I can navigate to the registry and see the firewall rules on both DCs, in an RSOP it shows that the computer is definitely receiving the policy and parsing it and I can even see the rules when searching for them in PowerShell, but ... then there's a difference when comparing both DCs:

DC1 (where rules are not applied):

EnforcementStatus Name Profile PrimaryStatus

----------------- ---- ------- -------------

ProfileInactive ComPlusNetworkAccess-DCOM-In Domain Inactive

{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-UDP Any OK

{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-TCP Any OK

ProfileInactive RemoteEventLogSvc-RPCSS-In-TCP Domain Inactive

ProfileInactive RemoteEventLogSvc-NP-In-TCP Domain Inactive

ProfileInactive RemoteEventLogSvc-In-TCP Domain Inactive

ProfileInactive RVM-RPCSS-In-TCP Domain Inactive

ProfileInactive RVM-VDSLDR-In-TCP Domain Inactive

ProfileInactive RVM-VDS-In-TCP Domain Inactive

ProfileInactive ComPlusRemoteAdministration-DCOM-In Domain Inactive

ProfileInactive WMI-ASYNC-In-TCP Domain Inactive

ProfileInactive WMI-WINMGMT-In-TCP Domain Inactive

ProfileInactive WMI-RPCSS-In-TCP Domain Inactive

ProfileInactive RemoteTask-RPCSS-In-TCP Domain Inactive

ProfileInactive RemoteTask-In-TCP Domain Inactive

Whereas on DC2 they look like this:

EnforcementStatus Name Profile PrimaryStatus

----------------- ---- ------- -------------

Enforced ComPlusNetworkAccess-DCOM-In Domain OK

{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-UDP Any OK

{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-TCP Any OK

Enforced RemoteEventLogSvc-RPCSS-In-TCP Domain OK

Enforced RemoteEventLogSvc-NP-In-TCP Domain OK

Enforced RemoteEventLogSvc-In-TCP Domain OK

Enforced RVM-RPCSS-In-TCP Domain OK

Enforced RVM-VDSLDR-In-TCP Domain OK

Enforced RVM-VDS-In-TCP Domain OK

Enforced ComPlusRemoteAdministration-DCOM-In Domain OK

Enforced WMI-ASYNC-In-TCP Domain OK

Enforced WMI-WINMGMT-In-TCP Domain OK

Enforced WMI-RPCSS-In-TCP Domain OK

Enforced RemoteTask-RPCSS-In-TCP Domain OK

Enforced RemoteTask-In-TCP Domain OK

So in short, all rules applied via GPO to DC1 are in "Inactive" status and show enforcement status as "ProfileInactive" - which point to the Domain profile being disabled, but that's actually not the case at all - all firewall profiles are enabled on both DCs and of course there are some custom (domain profile) rules that get enabled by DCPromo anyway so that profile has to be up and working, but here from both DCs

DC1:

Name : Domain

Enabled : True

DefaultInboundAction : NotConfigured

DefaultOutboundAction : NotConfigured

AllowInboundRules : NotConfigured

AllowLocalFirewallRules : NotConfigured

AllowLocalIPsecRules : NotConfigured

AllowUserApps : NotConfigured

AllowUserPorts : NotConfigured

AllowUnicastResponseToMulticast : NotConfigured

NotifyOnListen : False

EnableStealthModeForIPsec : NotConfigured

LogFileName : %systemroot%\system32\LogFiles\Firewall\pfirewall.log

LogMaxSizeKilobytes : 4096

LogAllowed : False

LogBlocked : False

LogIgnored : NotConfigured

DisabledInterfaceAliases : {NotConfigured}

DC2:

Name : Domain

Enabled : True

DefaultInboundAction : NotConfigured

DefaultOutboundAction : NotConfigured

AllowInboundRules : NotConfigured

AllowLocalFirewallRules : NotConfigured

AllowLocalIPsecRules : NotConfigured

AllowUserApps : NotConfigured

AllowUserPorts : NotConfigured

AllowUnicastResponseToMulticast : NotConfigured

NotifyOnListen : False

EnableStealthModeForIPsec : NotConfigured

LogFileName : %systemroot%\system32\LogFiles\Firewall\pfirewall.log

LogMaxSizeKilobytes : 4096

LogAllowed : False

LogBlocked : False

LogIgnored : NotConfigured

DisabledInterfaceAliases : {NotConfigured}

Anyone got any clues of where the problem might lie?


In the network settings on DC1, are you connected to the domain profile? Settings -> Network & Internet -> Network and Sharing Center -> Change advanced sharing settings -> Ensure Domain is current profile.