Domain Controller thinks it's on a Public Network

Do you have a default gateway on that connection? Does it reply to ping requests?

Windows uses gateways to identify networks; if it doesn't have a gateway configured, or if it can't successfully ping it, it will not be able to identify the network it's connected to and will assume it's a public one.


Whether the network of a domain controller is classified as domain network doesn't depend on the gateway configuration.

The behaviour of a false network classification can be caused when the NLA (Network Location Awareness) service starts before the domain is available. In this case the public or private network is chosen and not corrected afterwards.

How to check if this fault situation is given
When the domain controller is in the public network after rebooting, restart the NLA service or disconnect / reconnect the network. The domain controller should be in the domain network afterwards.

How to solve it
It may help to set the NLA service to delayed start. Better, check why the domain needs so long to be present. It seems that the domain needs longer to start when there are multiple network cards.

When it doesn't help
When neither speeding up the loading of the domain nor the delay of NLA helps, and the error is caused by the long loading of the domain (see: "How to check..."), then there are some more things that can be done.

  • Write a script for restarting it and run it with the scheduler (dangerous)
  • Shift the loading of the NLA service to the end of the service starts, changing the load order in the registry (dangerous)

    The following Registry entry sets the dependencies to NSI RpcSs TcpIp Dhcp Eventlog NTDS DNS:

    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc]
    "DependOnService"=hex(7):4e,53,49,00,52,70,63,53,73,00,54,63,70,49,70,00,44,68,\
    63,70,00,45,76,65,6e,74,6c,6f,67,00,4e,54,44,53,00,44,4e,53,00,00
    
  • Execute "IPCONFIG /RENEW" from scheduler at startup with a delay of 1 or 2 minutes (better than starting NLA service)

  • Restart the NLA service manually after every reboot (but: "IPCONFIG /RENEW" should be preferred)!

One more cause can also be when the domain controller has two or more IPs configured (on the same or on other network cards) and the additional networks aren't configured in the DNS.

Reproduction of the behaviour
On a test domain controller (single DC!) I deleted the default gateway entry and set the DNS Server service to delayed start. Doing this, the domain needed a long time to get loaded and the network was classified as public. After disconnecting and reconnecting the network cable, the network was classified correctly as domain network.


Edit

Gratefully taken from the comments of Daniel Fisher (lennybacon) and Joshua Hanley:

How to add a dependency for NlaSvc to DNS and NTDS

Run sc config nlasvc depend=NSI/RpcSs/TcpIp/Dhcp/Eventlog/DNS/NTDS from CMD (use sc.exe if you're running it in PowerShell). If you want to double-check the existing dependencies before adding DNS and NTDS, use sc qc nlasvc.
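Added example, not from the answer above: a PowerShell check that shows what NLA currently thinks of each adapter, whether NlaSvc already depends on NTDS and DNS, and restarts NlaSvc only when AD DS and DNS are already up (the same re-detection the cable unplug/replug triggers). It assumes Windows Server 2012 or later (for Get-NetConnectionProfile), an elevated session on the DC, and that the DNS role is installed on the DC; the function names are my own.

```powershell
# Added example (not the answer's own code). Assumes Server 2012+ and an elevated
# PowerShell session on the domain controller with the DNS role installed.

function Get-NlaStatus {
    # Network category per adapter, as NLA currently sees it
    $profiles = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, IPv4Connectivity, NetworkCategory

    # Services NlaSvc is configured to wait for (same list "sc qc nlasvc" prints)
    $deps = (Get-Service -Name NlaSvc).ServicesDependedOn |
        Select-Object -ExpandProperty Name

    # DNS service only exists when the DNS role is installed; treat "missing" as not running
    $dns  = Get-Service -Name DNS  -ErrorAction SilentlyContinue
    $ntds = Get-Service -Name NTDS -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Profiles           = $profiles
        NlaDependencies    = $deps
        DependsOnDirectory = ($deps -contains 'NTDS') -and ($deps -contains 'DNS')
        NtdsRunning        = ($ntds.Status -eq 'Running')
        DnsRunning         = ($dns.Status  -eq 'Running')
    }
}

function Repair-NlaClassification {
    # Only intervene when NLA misclassified the DC although AD DS and DNS are already up.
    # If they are not up yet, NLA is not the fault and a restart would just re-detect too early.
    $status = Get-NlaStatus
    $wrong  = $status.Profiles | Where-Object NetworkCategory -ne 'DomainAuthenticated'
    if (-not $wrong) {
        Write-Output 'All adapters are already DomainAuthenticated; nothing to do.'
        return
    }
    if (-not ($status.NtdsRunning -and $status.DnsRunning)) {
        Write-Warning 'NTDS or DNS is not running yet; fix the slow domain start before blaming NLA.'
        return
    }
    # -Force also bounces services that depend on NlaSvc; this forces a fresh network detection
    Restart-Service -Name NlaSvc -Force
    Start-Sleep -Seconds 10
    Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
}

Get-NlaStatus
Repair-NlaClassification
```

If DependsOnDirectory is $false, the sc config command above (or the registry entry from the list) is what makes the fix permanent; the restart here only corrects the current boot.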


I've seen similar behavior standing up a 2008 R2 AD server. The thing that got me was having more than one NIC enabled, even though it wasn't in use. Once I disabled the unused NICs and rebooted, the problem went away.

The exact Windows feature you're up against here is called NLA (Network Location Awareness). I don't know enough about it to claim to be an expert, but I know there's some interesting information out there on the intertubes about how it all works, or is supposed to work.