IPv6 on Domain Controllers

  • Last Post 15 January 2019
Alix posted this 10 January 2019

Hi Everyone,

We are planning to upgrade our Active Directory 2008 R2 to 2012 R2.

We have two distant sites: one site with two Domain Controllers on the same local network and one site with only one Domain Controller, on another local network.

The network configuration of the 2008 R2 Domain Controllers has IPv6 unchecked.

For now, the networks are only supporting IPv4 and it seems to be impossible (or difficult) to use IPv6 Global unicast addresses.

So the big question: as Microsoft is claiming that IPv6 must be enabled on the Domain Controller (to avoid breaking the UDP 389 LDAP communications), what is really the best practice for our 3 DC 2012 R2?

1. Put IPv6 checked in the network configuration with automatic assignment. This will result in a situation with 2 IPv6 addresses:

   Fe80: link-local: usable only in the local network (OK for 2 of the 3 DCs, which are on the same local network).

   2002: 6to4: usable by the 3 DCs.

   This "6to4 address" is stored in the DNS Server.

2. Put IPv6 unchecked in the network configuration (just as with our 2008 R2 DC) but not disabling it (and not modifying registry configuration).

Thanks a lot for sharing your experience!


michael1 posted this 10 January 2019

At this date, why on earth would you install 2012 R2 and not Server 2019 or at least Server 2016? Your network is obsolete before you even begin your upgrade.

 

I’d recommend you leave IPv6 checked. It doesn’t hurt anything, it helps some things, and the only oddity (if you aren’t otherwise using IPv6) is the AAAA records in DNS.

 


jheaton posted this 10 January 2019

I think the OP is in the same type of situation I am here, with older DCs in the org. I don’t see that he is installing 2012R2 DCs, it seems to me he’s cleaning out the last of his old 2008R2 DCs, and 2012R2 is the highest level he can take his domain. We’re in the same boat. Our most recent DCs are all 2016, but we have a number of older DCs to get rid of.

 

I do agree to leave IPv6 in place, whether you’re currently using it or not.  You’re going to at some point.

 


aakash posted this 10 January 2019

Another option is to prioritize IPv4 over IPv6:

Set DisabledComponents=32 (0x20) at HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters



 

Unchecking the IPv6 option does cause problems. But if it must be disabled, which isn’t recommended, it would be better to disable it via the registry vs unbinding it, and it makes it easier to enable/change in the future:

Set DisabledComponents=255 (0xFF) at HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters



 

Reference:

https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users

 



-Aakash Shah



 


Alix posted this 11 January 2019

Thanks for your time and for your experience.
Your answers are approving IPv6 unchecked and I am not surprised even if I would have preferred the other solution.
We don't use IPv6 and honestly we don't know it. The experience related in https://windorks.wordpress.com/2014/09/17/the-day-ipv6-broke-my-dc/
is not so good (even if the article says verbatim "disabling IPv6 isn’t the answer").
Another discussion shows that the IPv6 question is really a point: https://social.technet.microsoft.com/Forums/windows/en-US/191f4e90-1a8b-48dc-aabd-7bad49ff5c57/ipv6-on-2012r2-domain-controllers-leave-it-bound-to-the-interface-or-not?forum=winserverDS
So, if you are not using IPv6 on a 2012 R2 DC (or 2016 DC ;-), do you really have problems?
Likewise, if you are using IPv6 "automatic attribution FE80:" on a 2012 R2 DC (or 2016 DC ;-) on IPv4-only networks with a configuration including 2 DCs on the same network (so they are communicating via IPv6 FE80: I guess) and a third DC on another IPv4 network (which cannot communicate on IPv6 with the other 2): do you have problems?
Thanks again,
Alix
PS: For some reasons (which can be seen as ugly in an "ideal world = everything up to date and money is not a problem"), 2016 is not an option and we have to stay with 2012 for a few months...

Alix posted this 15 January 2019

Hi Everyone,
I hope that I have found the best situation for my case:
- 2 DCs on the same network, on the same site
- 1 DC on a different network on a different site
The IPv6 protocol is not enabled on the network (switch, router).
IPv6 is left enabled on the 3 DCs but I have disabled the 6to4 interface => they are only using the FE80: address.
The subnet configuration in the Active Directory sites is only using IPv4 subnetworks.
The DNS Server configuration on the 3 DCs is listening only on the IPv4 address.
Thanks,
A.
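
A read-only check for the settings discussed in this thread (the DisabledComponents values from Aakash's reply, the adapter binding, the 6to4 state and the DNS listening addresses from the final post), as an added example that is not part of the original thread. The function name and output property names are illustrative; it assumes Windows Server 2012 or later with the DNS Server role installed, run locally in an elevated PowerShell session.

```powershell
# Added example: report how IPv6 is configured on the local domain controller.
# Get-DcIPv6Posture and its output property names are illustrative, not from the thread.
function Get-DcIPv6Posture {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $raw = (Get-ItemProperty -Path $key -Name DisabledComponents `
                -ErrorAction SilentlyContinue).DisabledComponents

    # Only the two values quoted in the thread are named; others are left to KB 929852.
    if ($null -eq $raw)    { $meaning = 'not set (Windows default)' }
    elseif ($raw -eq 0x20) { $meaning = 'prefer IPv4 over IPv6' }
    elseif ($raw -eq 0xFF) { $meaning = 'IPv6 disabled through the registry' }
    else                   { $meaning = 'other value, see KB 929852' }

    # An unchecked IPv6 box in the adapter properties appears as Enabled = False.
    $unbound = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 |
                 Where-Object { -not $_.Enabled } |
                 Select-Object -ExpandProperty Name)

    # IPv6 addresses other than loopback and link-local, e.g. a 2002: 6to4 address.
    $nonLinkLocal = @(Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
                      Where-Object { $_.IPAddress -ne '::1' -and $_.IPAddress -notlike 'fe80:*' } |
                      Select-Object -ExpandProperty IPAddress)

    # IPv6 addresses the DNS Server service listens on (needs the DnsServer module).
    $dnsV6 = @((Get-DnsServerSetting -All).ListeningIPAddress |
               Where-Object { $_ -like '*:*' })

    [pscustomobject]@{
        DisabledComponents  = $raw
        RegistryMeaning     = $meaning
        AdaptersIPv6Unbound = $unbound
        SixToFourState      = (Get-Net6to4Configuration).State
        NonLinkLocalIPv6    = $nonLinkLocal
        DnsListeningOnIPv6  = $dnsV6
    }
}

Get-DcIPv6Posture | Format-List
```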