Features IPv6 on Windows Server 2016 Lead image: Lead Image © Photo by mathyas kurmann Unsplash.com

Setting up and managing IPv6 on Windows Server 2016

Change of Address

Windows Server 2016 automatically prefers IPv6 addresses, if available, but the manual configuration steps differ from IPv4 and necessitate new tools. Here's how to approach IPv6 in your daily admin work. By Thomas Joos

One common reason why IT managers shy away from IPv6 is the hexadecimal notation with colons that divide the address into eight blocks, each with a length of 16 bits. For example, an IPv6 address looks like this: 001:0db7:85b3:07d3:1319:8a2d:437a:63d4. These addresses are difficult to memorize and assign manually. Consequently, automatic assignment is the way to go in IPv6 infrastructures.

All IPv6 nodes automatically configure a local address with the fe80::/64 prefix for each physical or logical IPv6 interface. These addresses can only be used for communication with neighboring nodes. They are not registered in the DNS, and if data needs to be sent to such an address, a zone ID is also required. In the case of manual configuration or allocation of an IPv6 address by a DHCP server, the corresponding entries are, of course, made automatically.

IPv6 Preferred

Microsoft Windows Server 2016 uses the Next Generation TCP/IP Stack, a TCP/IP protocol stack that integrates both IPv4 and IPv6. For example, if a DNS query returns IPv6 and IPv4 address, the stack will first attempt to communicate over IPv6. The preference of IPv6 over IPv4 offers IPv6-enabled applications better network connectivity.

Enabling IPv6 and its preference by default has no negative effect on IPv4 connectivity. In networks in which no IPv6 DNS entries are available, IPv6 addresses are not used for communication. Windows Server 2016 always tries to communicate with IPv6; if no IPv6 addresses are available, the server will use IPv4.

In a network with Windows Server 2016, IPv6 offers several advantages:

Larger address space. The IPv6 128-bit address space provides enough space for each device to have its own globally valid address.
More efficient routing. The revised IPv6 header and the new addressing scheme, which supports a hierarchical routing infrastructure, allow IPv6 routers to forward the corresponding network traffic faster.
Easy configuration. IPv6 hosts can configure themselves either by DHCP or a local router. The basic setup might be a bit more complicated, but the running operation is simpler.
Improved security. The IPv6 standards fix some of the security problems of IPv4 and provide better protection against address and port scans. They stipulate that IPv6 implementations must support Internet Protocol Security (IPsec).

Windows Server 2016 supports IPv6 after installation, so if you display network connection properties, you will see that IPv6 is automatically linked to the network connections (Figure 1 and Figure 2).

Figure 1: The Windows Server 2016 network settings are adjusted for IPv6.

Figure 2: IPv6 addresses can be displayed together with IPv4 addresses at the command line.

Configuring IPv6

If you configure a server with Windows 2016 for IPv6, the following automatic settings are possible:

1. An IPv6 host sends a multicast message and receives one or more router messages. The latter contain subnet prefixes that the IPv6 host uses to specify additional IPv6 addresses and add routes to the IPv6 routing table. Other configuration parameters are also included – for example, the standard gateway.

2. DHCPv6 provides subnet prefixes and other configuration parameters for the IPv6 host. For example, DHCPv6 is often used on IPv6 hosts under Windows to configure the DNS servers' IPv6 addresses, which is not possible with router detection. Windows Server 2016 has an IPv6-enabled DHCP server.

Windows Server 2016 provides a graphical interface for manually configuring IPv6. For Core or Nano servers, Windows Server 2016 also supports configuration at the command prompt with the netsh command. However, because Microsoft prefers PowerShell, you should use the appropriate cmdlets to control or query network settings. For a list of all relevant cmdlets, type:

Get-Command -Noun Net*

Under the properties for the IPv6 network connection, you can select the following settings:

Obtain an IPv6 address automatically. Configures the IPv6 addresses for this connection or adapter to be set automatically.
Use the following IPv6 address. Manually configures the IPv6 address and the default gateway for this connection or adapter.
IPv6 address. Specifies an IPv6 unicast address.
Subnet prefix length. Defines the length of the subnet prefix for the IPv6 address. For unicast IPv6 addresses, this should be 64 (the default).
Default gateway. Defines the default gateway's IPv6 unicast address.
Obtain DNS server address automatically. Assigns the DNS server's IPv6 address by DHCPv6.
Use the following DNS server addresses. Manually sets the addresses of the preferred and alternate DNS servers.

You can access the additional settings for IPv6 from the Advanced button. In the IP Settings tab, specify the computer's IPv6 addressing in more detail: For each IPv6 unicast address, you must specify an IPv6 address and a subnet prefix length. The Add button is only available if the Use the following IPv6 address option is set in the IPv6 address settings. For each default gateway, you must specify an IPv6 address and specify whether the metric for this gateway is to be determined using the connection speed or the adapter speed or whether you want to define the metric yourself. You decide whether such a metric applies to the IPv6 addresses or the standard gateways or whether it is determined by the connection speed or the adapter speed. The metric is used when there are multiple routes to choose from in the routing table that correspond to the destination address of a forwarded packet. Windows Server 2016 selects the route with the lowest metric. The metric can reflect the number of hops, the speed and reliability of the path, the path throughput, or administrative properties.

Adapting DNS for IPv6

Under advanced IPv6 settings, the DNS tab lets you make adjustments for name resolution. No changes need to be made here for generally adding Windows Server 2016 to a domain. Freshly installed, the following options are enabled by default:

Append primary and connection specific DNS suffixes
Append parent suffixes of the primary DNS suffix
Register this connection's addresses in DNS

The individual options play a significant role in name resolution in a DNS infrastructure. Append primary and connection specific DNS suffixes means that when resolving hostnames, the host always automatically tries to append the configured primary DNS suffix of its own computer name. For example, if you want to resolve a hostname with the name dc01, the host attempts name resolution in the style of dc01.contoso.int, given a primary DNS suffix of contoso.int.

The Append parent suffixes of the primary DNS suffix option means that the names of superordinate domains are also used for name resolution. For example, if you want to resolve a server name dc05 in a subordinate domain named muenchen.de.contoso.int, the computer first tries the resolution via dc05.muenchen.de.contoso.int if this is the computer's primary DNS suffix. Then it tries to resolve the name as dc05.de.contoso.int followed by dc05.contoso.int, because these domains are on a higher level than the muenchen.de.contoso.int domain. In this area, you also have the option of entering another DNS suffix of your choice with DNS suffix for this connection. If the computer does not find the entered name on its configured DNS server via its own primary DNS suffix, it tries to find it with the DNS suffix in this field.

Register this connection's addresses in DNS allows a DNS server to register entries dynamically. This dynamic DNS eliminates the need for manual host entries. As soon as a computer logs on to the network, it tries automatically to enter its fully qualified domain name (FQDN) on the configured DNS server, unless this option has been deactivated. This point is very important for internal name resolution on an Active Directory (AD) network.

Under the DNS tab, you can also use Append these DNS suffixes (in order) to configure DNS suffixes to resolve incomplete hostnames. Enabling this means that neither the server's primary DNS suffix nor the connection's DNS suffixes are used. Instead, Windows Server 2016 appends the DNS suffixes in the order that can be found in this field.

During the configuration, make sure that the DNS suffix of the Windows domain in which this server is a member is entered first in this list if possible. This option is often required for name resolution in forests with several trees. To do this, all the trees in the forest are entered in the sequence to ensure name resolution within AD. This option is particularly useful when using Exchange servers if the Exchange servers are distributed across several trees and domains. This option is not enabled by default.

Additionally, stipulating Use this connection's DNS suffix in DNS registration ensures that the server name is registered in DNS with its computer name and its primary DNS suffix – that is, its FQDN. Additionally, the name with the DNS suffix configured in the DNS suffix for this connection field is also stored on the DNS server. This option also is not activated by default.

To resolve server names quickly and efficiently in different DNS zones, enable the Append these DNS suffixes (in order) option under Advanced IPv6 settings on the server using the DNS tab. Enter your own tree's namespace and then append the other trees' namespaces. The purpose of this configuration is the fast resolution of servers in other trees. For example, if you want to resolve the dc1 domain controller (DC) in the contoso.int tree, you must always enter dc1.contoso.int if the machine is not a member of this tree. This setting is only optional, but it adds more robustness to AD name resolution. You will want to configure this setting on every DC and on every Exchange server in your forest, as well as on computers of administrators or power users who constantly need to connect to other domains. You should always enter your own domain and namespace before you query other namespaces.

You can check the effect of this action by entering the nslookup command, where you can only enter dc1 at this point. The server asks its preferred DNS server whether a server named dc1.contoso.int can be found (if contoso.int is your primary DNS suffix). If this server does not exist in this domain, the next namespace is queried.

Many administrators simply enter a new static host entry on their DNS server that points to the IP address of the server in the other namespace. However, this procedure is not correct, even if it works in principle. In this case, it does not return the correct DNS name of the corresponding server, but the server name with the zone of the DNS server in which the server was entered as the host. Particularly in a larger AD, you should make sure that the configurations are also formally correct. This often helps to avoid problems that you have not considered. For example, if you create a new dc1 entry for the dc1.contoso.com DC in the microsoft.com zone, pointing to the server's IP address, the name is resolved as dc1.microsoft.com, although the actual name of the server is dc1.contoso.com. Resolution will work, but it will return an incorrect name.

After configuring or adding the computer to the domain, open a command prompt and type nslookup. The command must not cause any error messages and must display the correct FQDN of the DNS server and its IP address. If this is not the case, first check that the primary DNS suffix matches the zone name. The domain's primary DNS suffix is automatically assigned when it is added to the domain. Next, determine whether the DNS server's IP address is correctly entered in the computer's IP settings.

Configuring IPv6 with netsh

The netsh command-line tool is used for IPv6 configuration from the command prompt, with

> netsh interface ipv6 add address

to configure IPv6 addresses. The syntax is as follows:

> netsh interface ipv6 add address interface=<interfacename|index> address=<IPv6_address>/<Prefix_length> type=unicast|anycast validlifetime=<time>|infinite preferredlifetime=<time>|infinite store=active|persistent

The individual options have the following meaning:

interface: Name of the interface's connection, adapter, or index.
address: IPv6 address (optionally followed by the length of the subnet prefix, 64 by default).
type: Type of IPv6 address; unicast (default) or anycast.
validlifetime: The lifetime for which the address is valid. This period must be specified in days, hours, minutes, and seconds (e.g., 1d2h3m4s. By default, the lifetime is infinite.
preferredlifetime: The period over which the address is preferred. It must be specified in days, hours, minutes, and seconds (e.g., 1d2h3m4s). The default value for this setting is infinite.
store: Specifies how to store the IPv6 address. Either active (the address is removed when the system is rebooted) or persistent (the address is retained when the system is rebooted, which is also the default setting).

Use the following example to configure the 1002:db6::281d:1283::1 IPv6 unicast address persistently for a LAN interface and with an unlimited lifetime:

> netsh interface ipv6 add address "LAN" 1002:db6::281d:1283::1

You can use

netsh interface ipv6 add route

to configure a default gateway and route, and you can manually set up the DNS servers for an IPv6 connection. To add DNS servers, use the command:

> netsh interface ipv6 add dnsserver interface=<Interfacename> address=<IPv6-Address> index=<Order>

By default, the DNS server is placed at the end of the list, but if you enter a value in index, the DNS server moves to the corresponding position in the list.

Creating Manual Routes for IPv6

To create manual routes for IPv6, do not use the route command as with IPv4, but again the netsh tool (or alternatively PowerShell). You can define a manual route for IPv6 as follows:

> netsh interface ipv6 add route prefix=<IPv6Address>/<Integer> interface=<Name|Index> nexthop=<IPv6Address> siteprefixlength=<Integer> metric=<Integer> publish=<value> validlifetime=<Integer>|Infinite preferredlifetime=<Integer> store=active|persistent

You can achieve the following by using the individual options:

prefix: Address or subnet prefix for which a route is added.
interface: Interface name or index.
nexthop: Next connection point in the network.
siteprefixlength: Prefix length for the entire location assigned to the router.
metric: Route metric.
publish: Represents a value of age, yes, or no, where age means that the route announcement contains the remaining validity period until deletion; yes means that the route is never deleted, regardless of the value of the validity period, and each route announcement contains the same specified validity period; and no means the route is not advertised. The no or age values ensure that the route is deleted after the validity period has expired.
validlifetime: The validity period of a route in days, hours, minutes, and seconds (approximately 1d2h3m4s). The default value is infinite.
preferredlifetime: The preferred period of the route's validity. By default, this value corresponds to the validity period.
store: With the active option, changes are only retained until the next system start; with persistent, the change is permanent (default).

Testing and Optimizing Name Resolution

If IPv4 and IPv6 are available on a network, Windows Server 2016 prioritizes traffic over IPv6. If it does not work properly, Windows Server 2016 detects this and automatically switches to IPv4 in the background. To test name resolution in Windows Server 2016, use the Resolve DNSname cmdlet in PowerShell, rather than the old nslookup command-line tool. This cmdlet is optimized for IPv6 and indicates whether certain zones use an IPv6 address.

Windows Server 2016 automatically adjusts the configuration of network connections, so settings can be confusing when you install AD. If you type nslookup at the command prompt after completing the AD installation on the DC, you might see somewhat confusing output. The server returns :1 as the address, because of the network connections configuration. First, call up the network connections' administration; the fastest way to do this is with ncpa.cpl in the Start menu. There, you call the IPv6 protocol's properties. You will see that Windows Server 2016 has activated the Use the following DNS server addresses option and stored the ::1 entry, which corresponds to 127.0.0.1 (localhost) for IPv4.

Configured in this way, the DNS server asks the local DNS server for reverse lookups with IPv6. Create an IPv6 reverse lookup zone and make sure there is a pointer to the server's IPv6 address. Activate the Obtain DNS server address automatically option or enter a valid IPv6 address. This configuration avoids the nslookup message.

Understanding DHCP Failover

The DHCP failover feature allows two DHCP servers to provide IP addresses and option configurations for the same subnet or range. The two DHCP servers exchange lease information. It is also possible to configure failover in a load balancing configuration that distributes client requests to the two servers.

The failover relationship is limited to IPv4 areas and subnets (Figure 3). Computers that use IPv6 determine their own IPv6 address with stateless, automatic IP configuration. In this mode, the DHCP server only provides the DHCP option configuration. The server does not retain lease status information.

Figure 3: IPv4 and IPv6 can be used in parallel on a DHCP server in Windows Server 2016.

A server with the role of a primary server for one subnet can also be a secondary server for another subnet. In a load-balancing mode deployment, the two servers simultaneously process IP addresses and options for clients on a specified subnet. The client requests are processed by load balancing and distributed to the two servers.

For DHCP failover to work, the time between the two servers in a failover relationship must be synchronized. On startup, the failover configuration wizard compares the current time on the servers involved. If the time difference between the servers is greater than one minute, the failover setup process is stopped.

Static Entries in the DNS Database

The DNS servers are administered in Server Manager by calling the DNS command in the Tools menu. There may be situations where you need to add hostnames manually and the dynamic entries alone are not sufficient. In this case, use the New Host command in the context menu of the zone to which the entry is to be added. You enter the hostname – without the name of the zone – and the IP address. You can make an entry in the reverse lookup zone called a PTR record.

Right-clicking on a zone gives you two management options for this zone: Click Reload to reload the settings and the view of the zone in the snap-in, whereby the zone is transferred from AD back into the view. With New Host (A or AAAA), insert a new static entry into the DNS database as described. The AAAA entry contains an IPv6 address; an A entry contains an IPv4 address.

Conclusions

IPv6 is bound to assert itself on internal networks, but before you switch all servers and network devices to IPv6, you should make sure that all applications on the network support it. Windows Server 2016 also changes the management of network traffic, saying goodbye to some proven tools. IPv6 requires some training but offers some advantages in the network and runs largely automatically once the settings are set correctly.