Several weeks ago my Remote Desktop access to my PDC (Primary Domain Controller) stopped working. I was too busy to investigate at that time because it wasn’t necessary, and for the time being I could use the console view within vSphere. Well, I finally got around to investigating this today. And, to my surprise, it relates to a Windows Service I’ve heard of but never interacted with: Network Location Awareness or NLA.
What is Network Location Awareness: This is the Windows method of determining if you’re connected to a PUBLIC network, PRIVATE network, or DOMAIN network. And furthermore, it also determines which set of firewall rules to apply.
Specifically, my PDC determined it was connected to a PUBLIC network, thus applying the PUBLIC default firewall rules and hence disabling Remote Desktop connections, as it should. I’ll bet there were other domain related services being blocked as well that I wasn’t aware of.
Why does this happen?
When the single domain controller is booting, the NLA may start before the domain is available. In this scenario, either a public or private network is chosen and not updated or corrected afterwards.
How did I fix this?
Control Panel > Administrative Tools > Services > Network Location Awareness > Restart
After the restart of NLA, check your Network & Sharing Center within Control Panel to verify your network type updated.
And also check that your Windows Firewall is now applying the correct network type firewall rules by going to Control Panel > Windows Firewall
How do we prevent this from happening again?
Although I can’t explain why this symptom didn’t occur for a very long time on my PDC, I can attest that once it started, it persist from reboot to reboot. So, a solution is needed. Since the problem is that NLA starts before the domain is available, the solution is to delay the start of NLA. To do this, we modify the NLA Windows Service settings to be Automatic (Delayed). You can access these settings by right-clicking on the NLA service in Services and choosing Properties.