Wednesday, 7 September 2011

Windows 7, Server 2008 and IPV6

Some practical advice on IPV6 and why you shouldn't just disable the protocol in the enterprise.

By default, Windows 7 is IPV6 ready and the protocol is enabled automatically on all network adapters.

The default IPV6 address beginning with FE8
In the absence of any DHCP server, Windows assigns an address beginning with FE8. This is known as a link-local address and is the equivalent of IPV4 automatic private IP addressing (169.x.x.x). The FE8 address is NOT registered in DNS automatically. This does not impact the corporate environment and I recommend you leave this default configuration alone. Link-local addressing is required for some Windows 7 features, such as HomeGroup. It could probably be disabled, but why go to that effort for no reason?

The 6to4 Adapter and the 2002: address
If you are using an IPV4 range which is publicly routable on the Internet, then Windows 7, Server 2008 and 2008 R2 will automatically create a 6to4 adapter. This uses an IPV6 address beginning with 2002:. This IPV6 address is automatically registered in DNS as an AAAA host record, alongside the IPV4 A record.

Potential Problem in WAN environment
This can be bad news if you have a Windows Server 2008 machine with the 6to4 adapter enabled, because it will register an AAAA IPV6 host record for the server with a 2002: address. Any Windows 7 client connecting to the server that also has the 6to4 adapter enabled will then use IPV6 tunnelled inside IPv4 packets. The consequence is that the packets are encapsulated and most WAN optimisers can't do their thing. This could have a major impact on WAN connections relying on WAN optimisation, such as Riverbed devices, especially if you are in a fast-moving Windows 7 upgrade project.
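To see which of the addresses described above a machine actually carries, and which servers already have a 6to4 AAAA record published, here is an audit script added by the editor (it is not from the original post). It runs under Windows PowerShell 2.0 as shipped with Windows 7, uses only WMI and .NET name resolution (no later networking cmdlets), and takes a constructed list of server names in $ServerNames that you would replace with your own.

```powershell
# Added example (editor's, not from the original post): audit a Windows 7 / Server 2008
# machine for 6to4 exposure. Written for Windows PowerShell 2.0 (no NetTCPIP module needed).
# $ServerNames is a constructed sample list; replace it with your own server names.

function Get-IPv6AddressKind {
    param([System.Net.IPAddress]$Address)
    # fe80::/10 is link-local (not DNS-registered); 2002::/16 is the 6to4 prefix.
    $b = $Address.GetAddressBytes()
    if ($Address.IsIPv6LinkLocal) { return 'link-local (fe80::/10, not DNS-registered)' }
    if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) { return '6to4 (2002::/16, registered as AAAA)' }
    return 'other IPv6'
}

function Get-LocalIPv6Report {
    # Win32_NetworkAdapterConfiguration.IPAddress lists v4 and v6 addresses together.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object {
            $cfg = $_
            foreach ($text in @($cfg.IPAddress | Where-Object { $_ })) {
                $ip = [System.Net.IPAddress]::Parse($text)
                if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
                    New-Object PSObject -Property @{
                        Adapter = $cfg.Description
                        Address = $text
                        Kind    = Get-IPv6AddressKind $ip
                    }
                }
            }
        }
}

function Find-6to4DnsRecords {
    param([string[]]$Names)
    # Resolve each name; an AAAA answer in 2002::/16 means clients with 6to4 enabled
    # will reach this host over an IPv6-in-IPv4 tunnel instead of plain IPv4.
    foreach ($name in $Names) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($name)
        } catch {
            Write-Warning "Could not resolve $name : $_"
            continue
        }
        foreach ($a in $addrs) {
            if ($a.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
                $b = $a.GetAddressBytes()
                if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) {
                    New-Object PSObject -Property @{ Name = $name; AAAA = $a.ToString() }
                }
            }
        }
    }
}

# Constructed sample input: hostnames of servers that are reached across the WAN.
$ServerNames = @('fileserver01.corp.example', 'appserver01.corp.example')

Get-LocalIPv6Report | Format-Table Adapter, Address, Kind -AutoSize
$hits = @(Find-6to4DnsRecords -Names $ServerNames)
if ($hits.Count -eq 0) { 'No 6to4 (2002:) AAAA records found for the listed servers.' }
else { $hits | Format-Table Name, AAAA -AutoSize }
```

Run it on a client and on the servers it talks to: any server name that comes back with a 2002: AAAA record is one where a 6to4-enabled client will tunnel, which is the case the WAN optimisers cannot handle.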

The Fix
This can simply be resolved either by disabling the 6to4 adapter on any Windows 7/Server 2008 machine acting as a server across a WAN, or alternatively by disabling it on all Windows 7/Server 2008 computers to avoid any issues.

To disable the 6to4 adapter, don't disable it in Device Manager or stop the IP Helper service. The best approach is to use the netsh command as below:-

netsh interface 6to4 set state state=disabled undoonstop=disabled

The first value (state=disabled) removes the adapter; the second (undoonstop=disabled) stops the IP Helper service recreating it on the next startup.

This can easily be added to a computer startup script for mass deployment, or pushed out with scripting/systems management tools.

You can run IPCONFIG /FlushDNS to immediately clean up the AAAA DNS record on the DNS server, or wait for a reboot.
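The fix above packaged as a computer startup script, as an added example from the editor (not the post's own): it runs the netsh command unconditionally (it is safe to repeat), records what it did to a log file at an assumed path ($LogPath), and verifies afterwards that no 2002: address remains on the machine. One caveat worth knowing: ipconfig /flushdns clears only the local resolver cache, whereas ipconfig /registerdns is what makes the DNS client re-register its current addresses with the DNS server, so the script issues /registerdns once the adapter is gone.

```powershell
# Added example (editor's, not from the original post): idempotent startup script that
# disables the 6to4 adapter and keeps the IP Helper service from recreating it.
# Assumes Windows 7 / Server 2008 or later and an elevated (SYSTEM) context, as a
# computer startup script has. $LogPath is an assumed location; change it to suit.

$LogPath = Join-Path $env:SystemRoot 'Temp\disable-6to4.log'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss}  {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

function Test-6to4Present {
    # True if any IP-enabled adapter still carries an address in 2002::/16.
    $cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($cfg in $cfgs) {
        foreach ($text in @($cfg.IPAddress | Where-Object { $_ })) {
            $ip = [System.Net.IPAddress]::Parse($text)
            if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
                $b = $ip.GetAddressBytes()
                if ($b[0] -eq 0x20 -and $b[1] -eq 0x02) { return $true }
            }
        }
    }
    return $false
}

function Disable-6to4 {
    # state=disabled removes the adapter; undoonstop=disabled keeps the setting when
    # the IP Helper service stops, so the adapter is not recreated at the next startup.
    $output = & netsh.exe interface 6to4 set state state=disabled undoonstop=disabled 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Log "netsh failed (exit $LASTEXITCODE): $output"
        return $false
    }
    Write-Log 'netsh: 6to4 state set to disabled, undoonstop=disabled'
    return $true
}

$hadAddress = Test-6to4Present
Write-Log ('6to4 address present before change: {0}' -f $hadAddress)

if (-not (Disable-6to4)) { exit 1 }

if ($hadAddress) {
    # Re-register the machine's current addresses with DNS so the stale 2002: AAAA
    # record is replaced now rather than at the next reboot. (ipconfig /flushdns only
    # clears the local resolver cache; it does not touch records on the DNS server.)
    & ipconfig.exe /registerdns | Out-Null
    Write-Log 'ipconfig /registerdns issued'

    if (Test-6to4Present) {
        Write-Log 'WARNING: a 2002: address is still present after disabling 6to4.'
        exit 2
    }
}
Write-Log '6to4 disabled and verified.'
exit 0
```

Deploy it as a Group Policy computer startup script, or run it through whatever systems management tool you use; the exit codes (0 done, 1 netsh failed, 2 address still present) and the log file give you something to report on across the estate.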

So why don't you just disable IPV6 protocol?

Because it's more effort, you're changing default Windows behaviour for no good reason and it's a sledgehammer approach. You never know what it might break in Windows 7. I've seen reference to DirectAccess, Remote Assistance and Windows Mail, although I'm not sure why disabling IPV6 impacts these features.

See http://eniackb.blogspot.com/2009/07/how-to-disable-ipv6-in-windows-2008.html for examples on disabling IPV6.
