12

I'm currently evaluating Server 2012 to serve as a domain controller in a small heterogeneous network of Linux and Windows workstations and servers, all of which would eventually be joined to the domain. This is a 100% dual stack network; every device has IPv4 and IPv6 connectivity. The router is a Linux server running radvd 1.9.1 and various other necessities.

I have just installed the first domain controller; its domain name is ad.businessname.com (where businessname.com is handled by external DNS servers; the domain also has the public website, email etc. and these won't be joined to the domain at this time). It's a Server Core installed with AD DS and DNS roles. All seems well and I'm about ready to set up the second DC and start joining computers, but...

Now my network has extra IPv6 router advertisements on it, advertising Unique Local Addresses. It's also advertising the native IPv6 prefix that the actual router is advertising. At first I thought that these RAs were originating from the domain controller, since they disappeared when I shut it off, but after running Wireshark I see they came from my actual IPv6 router. Wireshark is showing that this version of the RA very shortly follows a Neighbor Solicitation for fd4a:e7ab:34a5::1 coming from the DC.

Strangely, the router is also sending the original route advertisement which it normally sends when the domain controller is not present on the network. This version of the RA matches /etc/radvd.conf (a copy is below). A quick session with Wireshark confirmed that both versions of the router advertisement are coming from the MAC address of the Linux router running radvd.

So far these seem harmless, as my IPv6 connectivity hasn't been interrupted by the presence of the extra RA. But since I have global IPv6 connectivity already, the ULAs seem unnecessary and unwanted.

I've spent much of last night and today scouring the Internet to try to figure out what's going on, but have found little to explain anything beyond a hint that it might have something to do with the IP Helper Service (and vague warnings to not turn it off). But as far as I have ever heard, it should be safe to disable this service when native IPv6 is available.

So my questions are:

  • Why is Windows sending a Neighbor Solicitation for a ULA network?
  • Why are these RAs being sent, apparently in response?
  • Why do they advertise ULAs in addition to my native addresses?
  • Isn't this going to cause a problem with IPv6 routing later on?
  • Do I have to put up with this, or how can I make Windows and radvd behave?

Various configuration information follows:

Here is a captured RA that was sent (as shown by radvdump, which is IMO easier to read than Wireshark's output). You can see that it is advertising both the ULA and the public prefix (obscured here). And when I shut down the domain controller, this version of the RA stops appearing on the network.

#
# radvd configuration generated by radvdump 1.9.1
# based on Router Advertisement from fe80::20c:29ff:fef4:66f1
# received by interface eth0
#

interface eth0
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 0;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;
        AdvLinkMTU 1500;

        prefix fd4a:e7ab:34a5::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 86400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        prefix 2001:db8:16:bf::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 86400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        RDNSS fd4a:e7ab:34a5::1
        {
                AdvRDNSSLifetime 86400;
        }; # End of RDNSS definition


        DNSSL businessname.com
        {
                AdvDNSSLLifetime 1800;
        }; # End of DNSSL definition

}; # End of interface definition

Here is the original router advertisement, which matches the router's /etc/radvd.conf and is still being sent onto the network, alternating with the one above:

#
# radvd configuration generated by radvdump 1.9.1
# based on Router Advertisement from fe80::20c:29ff:fef4:66f1
# received by interface eth0
#

interface eth0
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag off;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 1800;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;

        prefix 2001:db8:16:bf::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 14400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr off;
        }; # End of prefix definition


        RDNSS 2001:4860:4860::8888 2001:4860:4860::8844
        {
                AdvRDNSSLifetime 600;
        }; # End of RDNSS definition

}; # End of interface definition

The list of installed roles/features on the domain controller:

[dc1]: PS C:\Users\Administrator\Documents> Get-WindowsFeature | where {$_.InstallState -eq "Installed"}

Display Name                                            Name                       Install State
------------                                            ----                       -------------
[X] Active Directory Domain Services                    AD-Domain-Services             Installed
[X] DNS Server                                          DNS                            Installed
[X] File And Storage Services                           FileAndStorage-Services        Installed
    [X] File and iSCSI Services                         File-Services                  Installed
        [X] File Server                                 FS-FileServer                  Installed
    [X] Storage Services                                Storage-Services               Installed
[X] .NET Framework 4.5 Features                         NET-Framework-45-Fea...        Installed
    [X] .NET Framework 4.5                              NET-Framework-45-Core          Installed
    [X] WCF Services                                    NET-WCF-Services45             Installed
        [X] TCP Port Sharing                            NET-WCF-TCP-PortShar...        Installed
[X] Group Policy Management                             GPMC                           Installed
[X] Remote Server Administration Tools                  RSAT                           Installed
    [X] Role Administration Tools                       RSAT-Role-Tools                Installed
        [X] AD DS and AD LDS Tools                      RSAT-AD-Tools                  Installed
            [X] Active Directory module for Windows ... RSAT-AD-PowerShell             Installed
[X] Windows PowerShell                                  PowerShellRoot                 Installed
    [X] Windows PowerShell 3.0                          PowerShell                     Installed
[X] WoW64 Support                                       WoW64-Support                  Installed

The IPv6 configuration of the Ethernet interface, as requested in chat:

[dc1]: PS C:\Users\Administrator\Documents> netsh interface ipv6 show interface interface=Ethernet

Interface Ethernet Parameters
----------------------------------------------
IfLuid                             : ethernet_7
IfIndex                            : 12
State                              : connected
Metric                             : 10
Link MTU                           : 1500 bytes
Reachable Time                     : 33500 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 64
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled
ECN capability                     : application
Michael Hampton

2 Answers

9

While I still don't know exactly why this happened (and would welcome explanations!) it seems to be fixed now.


I went over the networking configuration with a fine-tooth comb, and discovered to my chagrin that the default gateway had a typo in it!

[dc1]: PS C:\Users\Administrator\Documents> Get-NetRoute -PolicyStore PersistentStore -AddressFamily IPv6

ifIndex DestinationPrefix                              NextHop                                  RouteMetric PolicyStore
------- -----------------                              -------                                  ----------- -----------
12      ::/0                                           2001:db8:116:bf::1                               256 Persiste...

Um, oops! 116:bf should be 16:bf.

So I fixed the typo, and for good measure deleted the ULA address from the Ethernet interface, and voila, no more extra RAs, and my network is happy again.

[dc1]: PS C:\Users\Administrator\Documents> Remove-NetRoute -NextHop 2001:db8:116:bf::1

Confirm
Are you sure you want to perform this action?
Performing operation "Remove" on Target "NetRoute -DestinationPrefix ::/0 -InterfaceIndex 12 -NextHop 2001:db8:116:bf::1 -Store Active"
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

Confirm
Are you sure you want to perform this action?
Performing operation "Remove" on Target "NetRoute -DestinationPrefix ::/0 -InterfaceIndex 12 -NextHop 2001:db8:116:bf::1 -Store Persistent"
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
[dc1]: PS C:\Users\Administrator\Documents> New-NetRoute -NextHop 2001:db8:16:bf::1 -DestinationPrefix ::/0 -InterfaceIndex 12

ifIndex DestinationPrefix                              NextHop                                  RouteMetric PolicyStore
------- -----------------                              -------                                  ----------- -----------
12      ::/0                                           2001:db8:16:bf::1                                256 ActiveStore
12      ::/0                                           2001:db8:16:bf::1                                256 Persiste...
[dc1]: PS C:\Users\Administrator\Documents> Remove-NetIPAddress -AddressFamily IPv6 -IPAddress fd4a:e7ab:34a5:0:807e:e44a:7ffc:ea90 -PrefixLength 64

Confirm
Are you sure you want to perform this action?
Performing operation "Remove" on Target "NetIPAddress -IPv6Address fd4a:e7ab:34a5:0:807e:e44a:7ffc:ea90 -InterfaceIndex 12 -Store Active"
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

No further sign of ULAs in neighbor solicitations, router advertisements or anywhere else, says Wireshark.

Michael Hampton
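Added example (not part of the original posts): a Python sketch that diffs a captured RA in radvdump format against the router's baseline and checks that a static default gateway sits inside an on-link prefix, which is the typo found in the answer above. The sample text is condensed from the two captures on this page, and the function names `parse_ra`, `audit` and `gateway_on_link` are hypothetical.

```python
import ipaddress
import re

# Constructed samples: condensed from the two radvdump captures on this page.
BASELINE = """interface eth0 {
  AdvOtherConfigFlag off; AdvCurHopLimit 64;
  prefix 2001:db8:16:bf::/64 { AdvPreferredLifetime 14400; };
  RDNSS 2001:4860:4860::8888 2001:4860:4860::8844 { AdvRDNSSLifetime 600; };
};"""
OBSERVED = """interface eth0 {
  AdvOtherConfigFlag on; AdvCurHopLimit 0;
  prefix fd4a:e7ab:34a5::/64 { AdvPreferredLifetime 86400; };  # End of prefix definition
  prefix 2001:db8:16:bf::/64 { AdvPreferredLifetime 86400; };
  RDNSS fd4a:e7ab:34a5::1 { AdvRDNSSLifetime 86400; };
};"""


def parse_ra(text):
    """Return (prefixes, rdnss, top-level options) from radvdump/radvd.conf text."""
    text = re.sub(r"#.*", "", text)  # comments such as "# End of prefix definition"
    prefixes = {ipaddress.ip_network(p) for p in re.findall(r"\bprefix\s+(\S+)", text)}
    rdnss = set()
    for servers in re.findall(r"\bRDNSS\s+([^{]+)\{", text):
        rdnss.update(ipaddress.ip_address(s) for s in servers.split())
    top = re.sub(r"\{[^{}]*\}", "", text)  # drop per-prefix/RDNSS sub-blocks
    return prefixes, rdnss, dict(re.findall(r"\b(Adv\w+)\s+(\S+?);", top))


def audit(baseline, observed):
    """List what the observed RA advertises that the baseline RA does not."""
    b_pfx, b_dns, b_opt = parse_ra(baseline)
    o_pfx, o_dns, o_opt = parse_ra(observed)
    out = [f"unexpected prefix {p}" for p in sorted(o_pfx - b_pfx)]
    out += [f"unexpected RDNSS {a}" for a in sorted(o_dns - b_dns)]
    out += [f"{k} changed {b_opt[k]} -> {v}" for k, v in sorted(o_opt.items())
            if k in b_opt and b_opt[k] != v]
    return out


def gateway_on_link(gateway, prefixes):
    """A static next hop must be link-local or inside an on-link prefix."""
    gw = ipaddress.ip_address(gateway)
    return gw.is_link_local or any(gw in p for p in prefixes)


if __name__ == "__main__":
    for finding in audit(BASELINE, OBSERVED):
        print(finding)
    expected_prefixes = parse_ra(BASELINE)[0]
    for gw in ("2001:db8:116:bf::1", "2001:db8:16:bf::1"):  # values from the answer
        print(gw, "on-link" if gateway_on_link(gw, expected_prefixes) else "NOT on-link")
```

The parser strips comments before matching, so unedited radvdump output can be passed to it as well as a hand-written radvd.conf.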
4

I cannot quite explain why your DC is sending routing advertisements, but you at least could try disabling them for the interface in question:

netsh interface ipv6 set interface interface="Local Area Connection" advertise=disabled

Which should be the default setting according to the netsh help and seems not to make much sense any other way since your DC is presumably not meant to be a router.

the-wabbit