Windows Firewall GPO not applying properly
So I've got a small lab with 2 DCs, both running server 2019 core. I've created a GPO with some Firewall Rules and linked it at the top of the domain, applying to all devices, including both DCs.
DC1, which currently still holds all FSMO roles, has received the policy but the rules are not active.
DC2 has received the policy and has all rules active.
I can't for the life of me figure out why one DC is properly applying the rules while the other isn't. I can navigate to the registry and see the firewall rules on both DCs, in an RSOP it shows that the computer is definitely receiving the policy and parsing it and I can even see the rules when searching for them in PowerShell, but ... then there's a difference when comparing both DCs:
DC1 (where rules are not applied):
EnforcementStatus Name Profile PrimaryStatus
----------------- ---- ------- -------------
ProfileInactive ComPlusNetworkAccess-DCOM-In Domain Inactive
{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-UDP Any OK
{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-TCP Any OK
ProfileInactive RemoteEventLogSvc-RPCSS-In-TCP Domain Inactive
ProfileInactive RemoteEventLogSvc-NP-In-TCP Domain Inactive
ProfileInactive RemoteEventLogSvc-In-TCP Domain Inactive
ProfileInactive RVM-RPCSS-In-TCP Domain Inactive
ProfileInactive RVM-VDSLDR-In-TCP Domain Inactive
ProfileInactive RVM-VDS-In-TCP Domain Inactive
ProfileInactive ComPlusRemoteAdministration-DCOM-In Domain Inactive
ProfileInactive WMI-ASYNC-In-TCP Domain Inactive
ProfileInactive WMI-WINMGMT-In-TCP Domain Inactive
ProfileInactive WMI-RPCSS-In-TCP Domain Inactive
ProfileInactive RemoteTask-RPCSS-In-TCP Domain Inactive
ProfileInactive RemoteTask-In-TCP Domain Inactive
Whereas on DC2 they look like this:
EnforcementStatus Name Profile PrimaryStatus
----------------- ---- ------- -------------
Enforced ComPlusNetworkAccess-DCOM-In Domain OK
{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-UDP Any OK
{ProfileInactive, Enforced} RemoteDesktop-UserMode-In-TCP Any OK
Enforced RemoteEventLogSvc-RPCSS-In-TCP Domain OK
Enforced RemoteEventLogSvc-NP-In-TCP Domain OK
Enforced RemoteEventLogSvc-In-TCP Domain OK
Enforced RVM-RPCSS-In-TCP Domain OK
Enforced RVM-VDSLDR-In-TCP Domain OK
Enforced RVM-VDS-In-TCP Domain OK
Enforced ComPlusRemoteAdministration-DCOM-In Domain OK
Enforced WMI-ASYNC-In-TCP Domain OK
Enforced WMI-WINMGMT-In-TCP Domain OK
Enforced WMI-RPCSS-In-TCP Domain OK
Enforced RemoteTask-RPCSS-In-TCP Domain OK
Enforced RemoteTask-In-TCP Domain OK
So in short, all rules applied via GPO to DC1 are in "Inactive" status and show enforcement status as "ProfileInactive", which points to the Domain profile being disabled. But that's actually not the case at all: all firewall profiles are enabled on both DCs, and of course there are some custom (Domain profile) rules that get enabled by DCPromo anyway, so that profile has to be up and working. Here is the Domain profile from both DCs:
DC1:
Name : Domain
Enabled : True
DefaultInboundAction : NotConfigured
DefaultOutboundAction : NotConfigured
AllowInboundRules : NotConfigured
AllowLocalFirewallRules : NotConfigured
AllowLocalIPsecRules : NotConfigured
AllowUserApps : NotConfigured
AllowUserPorts : NotConfigured
AllowUnicastResponseToMulticast : NotConfigured
NotifyOnListen : False
EnableStealthModeForIPsec : NotConfigured
LogFileName : %systemroot%\system32\LogFiles\Firewall\pfirewall.log
LogMaxSizeKilobytes : 4096
LogAllowed : False
LogBlocked : False
LogIgnored : NotConfigured
DisabledInterfaceAliases : {NotConfigured}
DC2:
Name : Domain
Enabled : True
DefaultInboundAction : NotConfigured
DefaultOutboundAction : NotConfigured
AllowInboundRules : NotConfigured
AllowLocalFirewallRules : NotConfigured
AllowLocalIPsecRules : NotConfigured
AllowUserApps : NotConfigured
AllowUserPorts : NotConfigured
AllowUnicastResponseToMulticast : NotConfigured
NotifyOnListen : False
EnableStealthModeForIPsec : NotConfigured
LogFileName : %systemroot%\system32\LogFiles\Firewall\pfirewall.log
LogMaxSizeKilobytes : 4096
LogAllowed : False
LogBlocked : False
LogIgnored : NotConfigured
DisabledInterfaceAliases : {NotConfigured}
Anyone got any clues of where the problem might lie?
In the network settings on DC1, are you connected to the domain profile? Settings -> Network & Internet -> Network and Sharing Center -> Change advanced sharing settings -> Ensure Domain is current profile.
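The check the reply suggests can be done from the console on a Server Core DC. The PowerShell below is an added example, not code from the original post or the reply; it assumes only the NetSecurity and NetConnection cmdlets that ship with Windows Server 2019, and the function name Test-DcFirewallProfile is my own. It reports which network category NLA has assigned to each connected interface, whether the NLA service is running, and which enabled rules in the active store are scoped to a profile that no interface is currently in, which is exactly the "ProfileInactive / Inactive" combination seen on DC1.

```powershell
# Added diagnostic, not from the post. Run in an elevated PowerShell on each DC.
# Assumes: NetSecurity and NetConnection modules (present on Server 2019 Core).
function Test-DcFirewallProfile {
    # Map the NLA category names to the profile names used by firewall rules.
    $categoryToProfile = @{
        'DomainAuthenticated' = 'Domain'
        'Private'             = 'Private'
        'Public'              = 'Public'
    }

    # 1. Which category has Network Location Awareness assigned to each NIC?
    #    A DC whose NIC is 'Public' or 'Private' here will never activate
    #    rules that are scoped to the Domain profile.
    $connections = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity

    $activeProfiles = @($connections |
        ForEach-Object { $categoryToProfile[[string]$_.NetworkCategory] } |
        Sort-Object -Unique)

    # 2. NLA is the service that decides the category; check it is running.
    $nla = Get-Service -Name NlaSvc | Select-Object Name, Status, StartType

    # 3. Enabled rules from the active store (local + GPO) whose profile set
    #    does not intersect the profiles any interface is currently in.
    $dormantRules = Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object {
            [string]$_.Enabled -eq 'True' -and
            [string]$_.Profile -ne 'Any' -and
            -not @(([string]$_.Profile -split ',\s*') |
                   Where-Object { $activeProfiles -contains $_ })
        } |
        Select-Object Name, Profile, EnforcementStatus, PrimaryStatus,
                      PolicyStoreSourceType

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Connections     = $connections
        ActiveProfiles  = $activeProfiles
        NlaService      = $nla
        DormantRules    = $dormantRules
        DormantRuleCount = @($dormantRules).Count
    }
}

# Usage: run on DC1 and DC2 and compare. On a healthy DC every connected
# interface should report NetworkCategory DomainAuthenticated and the
# GPO rules should not appear under DormantRules.
$result = Test-DcFirewallProfile
$result.Connections | Format-Table -AutoSize
$result.NlaService  | Format-Table -AutoSize
$result.DormantRules | Format-Table -AutoSize
```

If DC1 comes back with a NetworkCategory other than DomainAuthenticated while the domain itself is healthy, the network was classified before the directory service was reachable, which is a known timing issue on domain controllers at boot. That cause is not stated in the post, but it matches the symptom, and the usual corrective step is to restart the NLA service (Restart-Service NlaSvc) so it re-evaluates the profile, then re-run the check to confirm the Domain-scoped rules change to Enforced.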