
We have a small network consisting of a Sonicwall, Windows Server 2016 DC, and Exchange Server 2016 (hosted on a second WS2016 machine) along with a number of Windows 10 clients.

Due to compatibility with one of our vendors, we are being forced to enable IPv6 on our network (beyond just link local addressing that is the default).

Here is the problem I am experiencing: If our servers have IPv6 enabled, Windows clients prefer to use IPv6 for communication, including authenticating on the domain. Everything, including authentication and Exchange, stops working if the DNS records are not set up properly.

  1. My Domain Controller must have a static IPv6, because it is the dhcp server.
  2. Setting a static IP through the GUI does not disable the DHCP client, so it must be disabled using the PowerShell command: `Set-NetIPInterface Ethernet -AddressFamily IPv6 -DHCP Disabled`
  3. If I use a static IP, the domain controller does not register in DNS.
  4. If I manually add an AAAA record for the domain controller in DNS, it gets removed on the next refresh.
  5. If I re-enable DHCP, the correct records get added to the DNS, however an additional AAAA record for the DHCP assigned IP also gets added which still breaks the system.
  6. If I create a DHCP reservation for the DC that is the SAME as its static IP, the whole thing works, temporarily, until a reboot. After the reboot, the GUI displays "Obtain an IPv6 address automatically" again which does not work as that IS the DHCP server and it cannot reach itself without an address.

There does not appear to be any documentation on properly configuring IPv6 for static IPs in Windows Server 2016. If anyone can help I would greatly appreciate it.

DWCP
    `If I use a static IP, the domain controller does not register in DNS` - Our DCs are static, they register their IPv6 addresses just fine. Did you uncheck the box to register the connection in DNS or something? What have you set on the DCs as far as DNS servers for resolution in the interface settings? Did you point it at 127.0.0.1, and ::1? Or something else? – Zoredache May 25 '17 at 20:57
  • Thanks for the response Zoredache. I have verified that the register connection in DNS box is checked. I have tried ::1 as well as the actual static IP of the DC. Another thing I noticed is unchecking the "register in dns" box for IPv6 also unchecks it for IPv4. IPv4 is working just fine as long as the box remains checked. – DWCP May 25 '17 at 21:14
  • I've had a hard time finding "best practices" for combining AD with IPv6 on SMB type networks. I just don't think there are enough people out there trying to do it yet. Check out my related question... https://serverfault.com/questions/804607/what-is-the-proper-way-to-configure-active-directory-and-domain-controllers-when – Corey Jun 01 '17 at 22:10
  • The Netlogon service handles all DNS record registration for all interfaces, regardless of the checkbox on the interface - one of the reasons why multi-homed DCs are not recommended. – Semicolon May 09 '18 at 22:35
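
The six steps in the question, as one configuration-and-verification pass, are collected below. This is an added example, not a script from the original poster or from any answer. It assumes an interface alias of `Ethernet`, a ULA prefix `fd12:3456:789a:1::/64` with the DC at `::10`, an IPv4 DC address of `192.168.1.10`, and an AD-integrated zone named `corp.example.com`; none of those values come from the page. It uses only built-in NetTCPIP/DnsClient cmdlets and `nltest`, and must be run elevated on the DC itself.

```powershell
# Added example (not from the original question or any of the answers): a
# PowerShell configuration and verification pass for a Windows Server 2016 DC
# that must hold a static IPv6 address while also being the DHCP server.
# Assumptions (not from the page): interface alias 'Ethernet', a ULA prefix
# fd12:3456:789a:1::/64 with the DC at ::10, IPv4 DC address 192.168.1.10,
# and the AD DNS zone 'corp.example.com'. Run elevated on the DC.

$Alias   = 'Ethernet'
$Ipv6    = 'fd12:3456:789a:1::10'   # assumed static DC address
$Ipv4Dns = '192.168.1.10'           # assumed IPv4 address of the same DC
$Zone    = 'corp.example.com'       # assumed AD-integrated zone name
$DcFqdn  = "$env:COMPUTERNAME.$Zone"

# 1. Stop the interface from taking a DHCPv6 lease or a SLAAC address.
#    The GUI's static-address page leaves the DHCPv6 client on, which is how
#    a second, DHCP-assigned AAAA record appears next to the static one.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv6 `
    -Dhcp Disabled -RouterDiscovery Disabled

# 2. Add the static address only if it is not already present (idempotent).
$have = Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object IPAddress -eq $Ipv6
if (-not $have) {
    New-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv6 `
        -IPAddress $Ipv6 -PrefixLength 64 | Out-Null
}

# 3. Point the DC at itself for resolution: loopback for both families, then
#    the real addresses as a fallback. Both stacks share the single
#    'register this connection' setting, so keep it enabled.
Set-DnsClientServerAddress -InterfaceAlias $Alias `
    -ServerAddresses @('::1', $Ipv6, '127.0.0.1', $Ipv4Dns)
Set-DnsClient -InterfaceAlias $Alias -RegisterThisConnectionsAddress $true

# 4. Show what the stack now holds. PrefixOrigin tells you whether an address
#    is Manual, Dhcp or RouterAdvertisement; anything other than Manual (plus
#    the fe80:: link-local, which never registers) means step 1 did not stick.
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv6 |
    Select-Object IPAddress, PrefixOrigin, SuffixOrigin, AddressState, PolicyStore |
    Format-Table -AutoSize

# 5. Re-register. Netlogon (not the per-interface checkbox) owns the DC's own
#    records, so trigger both the DNS client and the Netlogon registration paths.
Register-DnsClient
nltest /dsregdns | Out-Null

# 6. Verify: every AAAA the zone holds for this DC should be the static one.
$aaaa = Resolve-DnsName -Name $DcFqdn -Type AAAA -Server '::1' -ErrorAction Stop |
        Where-Object QueryType -eq 'AAAA' |
        Select-Object -ExpandProperty IPAddress
$stray = $aaaa | Where-Object { $_ -ne $Ipv6 }
if ($stray) {
    Write-Warning "Extra AAAA record(s) for ${DcFqdn}: $($stray -join ', ')"
} elseif ($aaaa -contains $Ipv6) {
    Write-Host "OK: single AAAA $Ipv6 registered for $DcFqdn"
} else {
    Write-Warning "No AAAA record for $DcFqdn yet; check the DNS server event log and rerun step 5."
}
```

Step 4 is the check worth keeping around: if `PrefixOrigin` ever shows `Dhcp` or `RouterAdvertisement` again after a reboot, the DHCPv6 client or router discovery has been re-enabled on the interface, and that is where the extra AAAA record in step 5 of the question comes from. Re-run step 1 and confirm with `Get-NetIPInterface -InterfaceAlias Ethernet -AddressFamily IPv6 | Select-Object Dhcp, RouterDiscovery, PolicyStore`.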

2 Answers


Depending on the size of the Enterprise, kill DNS scavenging, if it is a smaller environment.

If it is larger, then that solution could be a bit messy and you may want to run a script occasionally that will scavenge with exceptions. I wrote something in PS some time ago; if this is something you may need, lemme know.
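
Both options from this answer, written out as an added example. This is not the answerer's script (which is not on the page); it uses the `DnsServer` module cmdlets on the DC. It assumes the zone `corp.example.com`, a 14-day staleness window, and host names `dc01` and `exch01` as the records to exempt; all of those are placeholders, not values from the question.

```powershell
# Added example (not the answerer's own script, which the page does not show):
# the two approaches the answer describes, using the DnsServer module on a DC.
# Assumptions (not from the page): zone 'corp.example.com', a 14-day
# staleness window, and two host names that must never be scavenged.

$Zone      = 'corp.example.com'
$MaxAge    = [TimeSpan]::FromDays(14)
$Protected = @('dc01', 'exch01')     # assumed host names to exempt
$RRTypes   = @('A', 'AAAA')

# Option A (small environment): turn aging and scavenging off entirely so the
# server never removes the DC's AAAA records on its own. Uncomment to apply.
# Set-DnsServerZoneAging -Name $Zone -Aging $false
# Set-DnsServerScavenging -ScavengingState $false -ApplyOnAllZones

# Option B (larger environment): scavenge by hand, skipping an exemption list.
function Get-StaleHostRecords {
    param(
        [string]   $ZoneName,
        [TimeSpan] $OlderThan,
        [string[]] $Exempt,
        [string[]] $Types
    )
    $cutoff = (Get-Date) - $OlderThan
    foreach ($t in $Types) {
        Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType $t |
            Where-Object {
                $_.Timestamp -and                      # static records carry no timestamp
                $_.Timestamp -lt $cutoff -and          # dynamic and older than the window
                $Exempt -notcontains $_.HostName       # never touch the exempted hosts
            }
    }
}

$stale = Get-StaleHostRecords -ZoneName $Zone -OlderThan $MaxAge `
                              -Exempt $Protected -Types $RRTypes

# Report what would be removed, with the address each record holds.
$stale |
    Select-Object HostName, RecordType, Timestamp,
        @{ n = 'Address'; e = {
            if ($_.RecordType -eq 'A') { $_.RecordData.IPv4Address }
            else                       { $_.RecordData.IPv6Address } } } |
    Format-Table -AutoSize

# Dry run: drop -WhatIf once the list above looks right.
foreach ($r in $stale) {
    Remove-DnsServerResourceRecord -ZoneName $Zone -InputObject $r -Force -WhatIf
}
```

The `Timestamp` test is what keeps this safe: records created statically (or with aging disabled) have no timestamp and are skipped regardless of the exemption list, so only dynamically registered, aged-out host records are candidates. Keep the `-WhatIf` until the printed table contains nothing you recognise as live.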


Found this snippet in an article by Mark Morowczynski (MSFT), IPv6 for the Windows Administrator (archive):

With IPv4, normally we are used to just one IP address getting registered in DNS for a given machine. With IPv6 we have to deal with different types of addresses (Link local, Global, etc., as discussed earlier by Mark and Ray in their blog: http://blogs.technet.com/b/askpfeplat/archive/2013/06/24/ipv6-for-the-windows-administrator-ipv6-fundamentals.aspx (archive)).

Note that not all types of IPv6 addresses are registered in DNS. For example, Link local addresses starting with FE80: (active only within their local subnet and not routable) do not get registered in DNS. Global addresses get registered in DNS as Quad A (AAAA) records. When dealing with transition technologies, Teredo addresses do not get registered in DNS. The Microsoft TechNet article Domain Name System Client Behavior in Windows Vista explains this behavior in detail.

Ian Boyd