Frosty555
asked on
IPv6 not working on some Server 2008 R2 machines
One of my servers (MYCOMPANYserver2) can't seem to ping any of the others by its IPv6 IP address. I think this is causing problems on my network with these servers being unable to communicate with the domain controller.
I have a DHCP server, but there is no ipv6 scope configured. The machines have always just auto-configured themselves. They do appear to be registering the IPv6 address of the Microsoft 6to4 Adapter in the DNS server and up until recently that was working fine.
IPv4 connectivity is working 100% fine between all machines.
Here are the machines:
MYCOMPANYDC - Windows Server 2012 R2 domain controller, seems to be working fine
MYCOMPANYEX - Windows Server 2008 R2 exchange server, seems to be working fine
MYCOMPANYserver2 - Windows Server 2008 R2 secondary DC, it is having the problem.
Windows 7 Workstation - My personal workstation, which seems to be working fine
Here are the IPv6 addresses of the machines:
MYCOMPANYDC
Main ethernet adapter: fe80::a5cb:d4e:7e0b:caab%12(Preferred)
6to4 adapter: 2002:c6f9:f40a::c6f9:f40a(Preferred)
MYCOMPANYEX
Main ethernet adapter: fe80::d0b3:2aeb:3df3:f5c%11(Preferred)
6to4 adapter: 2002:c6f9:f40d::c6f9:f40d(Preferred)
MYCOMPANYserver2:
Main ethernet adapter: fe80::5ce3:8e38:aa32:aa7a%10(Preferred)
6to4 adapter: 2002:c6f9:f4fd::c6f9:f4fd(Preferred)
Windows7 Workstation:
Main ethernet adapter: fe80::4809:a4da:2e9d:643b%12(Preferred)
6to4 adapter: 2002:c6f9:f49e::c6f9:f49e(Preferred)
And the ping results
Windows 7 Workstation -> MYCOMPANYDC SUCCESS
Windows 7 Workstation -> MYCOMPANYEX SUCCESS
Windows 7 Workstation -> MYCOMPANYserver2 FAIL
MYCOMPANYserver2 -> MYCOMPANYDC FAIL
MYCOMPANYserver2 -> MYCOMPANYEX FAIL
MYCOMPANYDC -> MYCOMPANYEX SUCCESS
MYCOMPANYDC -> MYCOMPANYserver2 FAIL
Here's the IPCONFIG of MYCOMPANYserver2:
C:\Users\administrator.MYCOMPANY>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : MYCOMPANYserver2
Primary Dns Suffix . . . . . . . : MYCOMPANY.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : MYCOMPANY.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : MYCOMPANY.com
Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS
VBD Client)
Physical Address. . . . . . . . . : 00-XX-XX-XX-XX-FD
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:aa7a%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.44.253(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.44.62
DHCPv6 IAID . . . . . . . . . . . : 234890937
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-A1-BD-D6-00-26-B9-8E-0D-FD
DNS Servers . . . . . . . . . . . : 192.168.44.10
192.168.44.253
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.MYCOMPANY.com:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : MYCOMPANY.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter 6TO4 Adapter:
Connection-specific DNS Suffix . : MYCOMPANY.com
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:xxxx:xxxx:xxxx:f4fd(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.44.10
192.168.44.253
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter Local Area Connection* 12:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\administrator.MYCOMPANY>
And here's the IPCONFIG of MYCOMPANYEX, which seems to be working:
C:\Users\Administrator.MYCOMPANY>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : MYCOMPANYEX
Primary Dns Suffix . . . . . . . : MYCOMPANY.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : MYCOMPANY.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : MYCOMPANY.com
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
Physical Address. . . . . . . . . : 00-XX-XX-XX-XX-0A
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:3df3:f5c%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.44.13(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.44.62
DHCPv6 IAID . . . . . . . . . . . : 234886493
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-F2-21-F9-00-15-5D-20-9F-0A
DNS Servers . . . . . . . . . . . : 192.168.44.10
192.168.44.253
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter 6TO4 Adapter:
Connection-specific DNS Suffix . : MYCOMPANY.com
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:xxxx:xxxx::c6f9:f40d(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.44.10
192.168.44.253
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.MYCOMPANY.com:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : MYCOMPANY.com
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\Administrator.MYCOMPANY>
Did you perform a ping -6 and ping -4 to make sure the corresponding address family is used?
The 6to4 adapter should not be used at all for your internal purposes, it is for tunneling IPv6 thru a public IPv4 network.
ASKER
Everyone is on the same VLAN, yes I have been using ping -6 and ping -4. Those ping requests seem to check my DNS server which pulls the AAAA record out and pings that.
I'm not really sure how the 6to4 adapter fits into the picture for me. I never wanted to use it... but it seems that it just comes out of the box pre-configured on every Windows machine I use and I can't seem to turn it off. The 6to4 adapter's address seems to be the one that gets registered in the DNS server. Should it be different?
Having the 6to4 IP registered could be the issue. The fe80:: addresses are non-routed, local-only, and work on LAN. Other addresses need to get routed or to be on the same network, and the 6to4 ones don't look that way.
ASKER
Is there a way I can disable the 6to4 adapters? Is it maybe a group policy option somewhere?
No clue. But I don't get how it should be possible for ping -4 to use the IPv6 address?!
ASKER
Ping -4 uses the ipv4 address as expected and everything works fine with ipv4 IP Addresses.
I'm hesitant to disable ipv6 on my servers and computers because of articles like this that suggest it is no longer a good best practice: http://blogs.msmvps.com/acefekay/2010/05/27/how-to-disable-rss-tcp-chimney-feature-and-ipv6/
I'd rather configure and use ipv6 correctly, and perhaps I don't understand what a correct configuration should look like.
Should the 6to4 adapter be disabled, a link-local fe80:: address is used on all primary ethernet adapters, and that fe80:: address is what gets registered in DNS? If so, how do I implement that?
Should the 6to4 adapter be enabled, as it is out of the box, use the 2002:: address and have that address be registered in DNS, and do whatever configuration is needed to allow communication through this IP to work properly? It's working fine for MYCOMPANYDC and MYCOMPANYEX, they can communicate fine over the 2002:: address, so what's wrong with the MYCOMPANYserver2?
Or, should I be doing something completely different, and configuring a DHCPv6 scope on the DHCP server, which has up until now been left unconfigured?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Success!! This solved it.
I disabled the Teredo, ISATAP and tunnel adapters by using the registry hack:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents = 0x21
This disables IPv6 for all tunnel interfaces (0x01), and prefers IPv4 over IPv6 (0x20).
The underlying problem was that the 6to4 Adapter was kicking in because it considered my private IP address range to be public.
About the 6to4 tunneling protocol
By default, the 6to4 tunneling protocol is enabled in Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 when an interface is assigned a public IPv4 address (that is, an IPv4 address that is not in the ranges 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16). 6to4 automatically assigns an IPv6 address to the 6to4 tunneling interface for each such address that is assigned, and 6to4 will dynamically register these IPv6 addresses on the assigned DNS server. If this behavior is not desired, we recommend that you disable IPv6 tunnel interfaces on the affected hosts.
My private IP range actually starts with 198 and I doctored the ipconfig results for confidentiality thinking it wouldn't make any difference. Sorry! :S
I have no idea why this only became a problem NOW, as opposed to earlier, but that's a mystery for another time.
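The check described in the post above, as an added example that is not part of the original thread: it recovers the IPv4 address embedded in each 6to4 (2002::/16) address listed in the question, tests it against the three private ranges named in the quoted Microsoft text, and decodes the two DisabledComponents bits the post mentions. The function names are illustrative, and the public/private test assumes exactly the three ranges quoted on this page.

```python
import ipaddress

# Ranges the Microsoft text quoted in the post treats as private.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# DisabledComponents bits named in the post; other bits are not decoded here.
COMPONENT_BITS = {0x01: "IPv6 disabled on all tunnel interfaces",
                  0x20: "IPv4 preferred over IPv6"}


def embedded_ipv4(addr):
    """IPv4 address carried inside a 6to4 (2002::/16) address, else None."""
    text = addr.split("(")[0].split("%")[0].strip()  # drop "(Preferred)", zone id
    return ipaddress.IPv6Address(text).sixtofour


def brings_up_6to4(ipv4):
    """True when the address is outside all three private ranges."""
    ip = ipaddress.IPv4Address(ipv4)
    return not any(ip in net for net in PRIVATE_NETS)


def audit(records):
    """Map {host: [IPv6 strings]} to (host, 6to4 address, IPv4, public?) rows."""
    rows = []
    for host, addrs in records.items():
        for addr in addrs:
            v4 = embedded_ipv4(addr)
            if v4 is not None:
                rows.append((host, addr, str(v4), brings_up_6to4(v4)))
    return rows


def decode_disabled_components(value):
    """Names of the set bits known from the post, plus any leftover bits as hex."""
    names = [name for bit, name in COMPONENT_BITS.items() if value & bit]
    rest = value & ~sum(COMPONENT_BITS)
    return names + ([hex(rest)] if rest else [])


# Addresses as listed in the question.
SAMPLE = {
    "MYCOMPANYDC": ["fe80::a5cb:d4e:7e0b:caab%12(Preferred)",
                    "2002:c6f9:f40a::c6f9:f40a(Preferred)"],
    "MYCOMPANYserver2": ["fe80::5ce3:8e38:aa32:aa7a%10(Preferred)",
                         "2002:c6f9:f4fd::c6f9:f4fd(Preferred)"],
}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
    print(decode_disabled_components(0x21))
```

Every 6to4 row it reports is an AAAA candidate that exposes the host's IPv4 address, so the same audit can be run over a DNS zone export to find hosts that still register tunnel addresses.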
Interesting. Glad you got it resolved, and thanks for enriching our knowledge :D
harbor235 ;}