8

When neither provider-independent address space nor an ISP-assigned static prefix is available, and a delegated prefix (via DHCPv6) is the only option…

What is the "best practice" for configuring Active Directory and Domain Controllers to support IPv6?

Corey
  • Your entire network will use Unique Local Addresses internally. pfSense should be able to handle assigning these addresses. The global addresses you get from Comcast will be used to access the Internet. And please complain loudly to your account manager about the lack of a fixed IPv6 block. – Michael Hampton Sep 22 '16 at 06:19
  • What sort of detail do you want, that wasn't already given? Rather than clarifying your question, your edits made it more vague and less answerable. – Michael Hampton Sep 25 '16 at 18:59
  • If you know the IPv4 Active Directory setup, then you can do the same with IPv6 also. And I have checked your edit revisions; you have continually changed your question. – Shiv Singh Sep 28 '16 at 07:38
  • I'm looking for a comprehensive answer about the best way to configure the network in that scenario. Should ULA be used? Should static v6 addresses be assigned to DCs or allow them to auto-configure? What happens if the prefix changes? Should I create a reverse zone for the prefix? Should I add the prefix to an AD site? – Corey Sep 28 '16 at 12:06
  • What would the DHCPv6 config look like? – Corey Sep 28 '16 at 20:55
  • Remember that you need to edit your question. Comments are temporary, and some people don't see them at all, depending on how they read the site. – Michael Hampton Oct 03 '16 at 18:49
  • @MichaelHampton are you suggesting you should run both global unicast AND unique local IPv6 address space? I was under the impression you should avoid ULA and request a /48 from ARIN. – Jacob Evans Mar 09 '17 at 19:58
  • @JacobEvans Avoiding ULA might be reasonable _if_ ISPs behaved reasonably in how they deployed IPv6. Advice to avoid ULA is unfortunately outdated and largely based on theory rather than reality. – Michael Hampton Mar 09 '17 at 20:01
  • @MichaelHampton that actually makes a lot of sense, are there any docs or POCs out there with people doing combinations of link-local, unique local, and global unicast that you are aware of? (I wish stackexchange had pm or public slack channel for this but I really want to know.) – Jacob Evans Mar 09 '17 at 20:17
  • @JacobEvans RFC 6879 section 4.1 has a good discussion. – Michael Hampton Mar 09 '17 at 20:19

1 Answer

3

I never received an answer on this and couldn't find anything else on the Intertubes, so I figured I would answer this myself with my own setup/experience.

ISP: Comcast with a delegated prefix via DHCPv6
Router: pfSense 2.3.3

The WAN interface of the router is configured for DHCPv6 with a prefix hint of /56. (Your hint may need to be different based on your CPE and location.)

The LAN interface is set to "track" the WAN interface.

You will need to ensure you have a firewall rule configured to allow IPv6 traffic on your LAN interface.

The DHCPv6 server on pfSense is not enabled, nor do I have one anywhere else on the network.

The Router Advertisements on the LAN interface are configured for "Unmanaged", and the only other option I have filled in is the "Domain search list".

On the DNS Resolver, I have Domain Overrides configured for my AD domain using the internal IPv4 addresses of my DCs.

On my internal DNS servers, I created a reverse zone for the IPv6 network that is assigned to my LAN interface. (This works, but I have to keep an eye on it, in case the prefix delegation ever changes.)

The end result of all this…

Windows computers assign themselves IPv6 addresses based on the RAs from the router. However, because Windows does not support RFC 6106, it only obtains DNS addresses from DHCPv4. This is actually a good thing in this case, since the IPv6 prefix is not static and might change without notice, therefore changing the IPv6 address of the DNS servers.

Windows computers also register their AAAA and PTR records for their IPv6 address.

What happens when the prefix changes?

Not much: existing connections continue to function using the "deprecated" prefix, and new connections are created with the new prefix.

I think I am breaking a "Best Practice" by not assigning static v6 addresses to my DC/DNS servers, but it seems to work just fine. (Would love some input on this.)

The only thing I have to do manually when the prefix changes is create the corresponding reverse lookup zone in DNS. (I should probably write a PS script to do that for me.)

If Comcast offered static prefixes, that would make things a bit cleaner.

Corey
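As an added example (not part of Corey's answer or of pfSense), this is the kind of PowerShell script the answer says it should have for the one manual step: it reads the router-advertised global address on the DC, derives the ip6.arpa zone name for the delegated prefix, and creates that zone as an AD-integrated zone if it does not already exist. The /56 prefix length, the domain-wide replication scope and the function names are assumptions, not values from the page; the cmdlets are from the Windows DnsServer and NetTCPIP modules, so it has to run on a DC that holds the DNS role.

```powershell
# Added example, not code from the original answer: create the reverse zone for the
# currently delegated IPv6 prefix. Run on a domain controller with the DNS role.
# Assumptions (not from the page): the ISP delegates a /56, the zone is AD-integrated
# with domain-wide replication, and the DC's LAN adapter carries an RA-derived
# global unicast address inside that prefix.

function Get-Ip6ArpaZoneName {
    # Turn any address inside the prefix into the matching ip6.arpa zone name,
    # e.g. 2001:db8:abcd:1234::1 with /56 -> 2.1.d.c.b.a.8.b.d.0.1.0.0.2.ip6.arpa
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][int]$PrefixLength
    )
    if ($PrefixLength % 4 -ne 0 -or $PrefixLength -lt 4 -or $PrefixLength -gt 124) {
        throw "PrefixLength must be a multiple of 4 (ip6.arpa zones are cut on nibble boundaries)"
    }
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $bytes   = $ip.GetAddressBytes()                                       # 16 bytes, network order
    $hex     = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''   # 32 hex nibbles
    $nibbles = $hex.Substring(0, $PrefixLength / 4).ToCharArray()         # nibbles covered by the prefix
    [array]::Reverse($nibbles)                                           # ip6.arpa lists them least-significant first
    return (($nibbles -join '.') + '.ip6.arpa')
}

function Get-DelegatedPrefixAddress {
    # Pick the SLAAC (router-advertisement) address on this DC that lies in global
    # unicast space (2000::/3, i.e. first hex digit 2 or 3), skipping link-local and ULA.
    $addr = Get-NetIPAddress -AddressFamily IPv6 -PrefixOrigin RouterAdvertisement -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -match '^[23]' } |
        Select-Object -First 1
    if (-not $addr) { throw "No router-advertised global IPv6 address found on this host" }
    return $addr.IPAddress
}

function New-Ip6ReverseZoneIfMissing {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ReplicationScope = 'Domain'   # assumption; use 'Forest' if other domains' DCs must resolve these PTRs
    )
    if (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue) {
        return $false                           # already present, nothing to do
    }
    # Secure-only dynamic updates: only authenticated domain members can write the PTRs
    # that the answer says Windows registers itself, matching the forward zone's posture.
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $ReplicationScope -DynamicUpdate Secure
    return $true
}

function Get-OtherIp6ReverseZones {
    # When the delegated prefix moves, the zone for the deprecated prefix lingers;
    # list it so it can be reviewed and removed once the old addresses are gone.
    param([Parameter(Mandatory)][string]$CurrentZone)
    Get-DnsServerZone |
        Where-Object { $_.ZoneName -like '*.ip6.arpa' -and $_.ZoneName -ne $CurrentZone } |
        Select-Object -ExpandProperty ZoneName
}

# Entry point: run from a scheduled task so a prefix change is picked up without hand work.
$prefixLength = 56   # assumption, see above
$zone = Get-Ip6ArpaZoneName -Address (Get-DelegatedPrefixAddress) -PrefixLength $prefixLength
if (New-Ip6ReverseZoneIfMissing -ZoneName $zone) { Write-Output "Created reverse zone $zone" }
$others = Get-OtherIp6ReverseZones -CurrentZone $zone
if ($others) { Write-Warning ("Reverse zones for other prefixes still present: " + ($others -join ', ')) }
```

The zone is deliberately created with secure-only dynamic updates, since the answer relies on Windows hosts registering their own PTR records and an AD-integrated zone that accepts unauthenticated updates would let any host on the LAN overwrite them. The script only reports zones for previous prefixes rather than deleting them, because hosts keep using the deprecated prefix for existing connections until it expires.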