Solved

Can I remove the ::1 IPv6 loopback address as the Preferred DNS IP on the IPv6 interface of my Domain Controllers?

Posted on 2011-02-24
6,713 Views
Last Modified: 2012-06-22
Folks -

I've noticed that a number of my domain controllers (DCs) that live in sites with network hardware that cannot pass IPv6 traffic are having DNS lookup issues.  For instance, you run nslookup and instantly see a 2 second or more delay.  When attempting to resolve any names that require forwarding, the lookup fails.

The DCs are healthy insofar as their internal services are concerned and the forest in general is very healthy.  I've found that if I simply remove the ::1 from the Preferred DNS of the IPv6 interface, my lookups work swimmingly, no issues.

Per my standards, and those sanctioned by Microsoft, all my DCs are set to look at another DC first (Preferred) and themselves second (Alternate).  With the ::1 being specified on the IPv6 interface, that violates that standard and also causes lookup issues as my switches in certain locations won't pass the traffic so the packets are dropped.

So that said... I don't want to disable IPv6, I'm well aware of the side-effects that can cause for Server 2008 and later.  But what I do want to do is remove the ::1 from the IPv6 interface DNS settings.  Will I hurt anything when it comes to AD with this change?  It seems that dcpromo puts the value here during promotion.  None of my member servers have ::1 specified.

Any input is appreciated.

Thanks!
0
Question by:amendala
18 Comments
 
LVL 88

Expert Comment

by:rindi
ID: 34971663
There is no reason to have IPv6 enabled if you don't need it. I always disable it as a matter of routine, as it can cause issues or confusion. Normally it is only useful if your ISP supports it.
0
 
LVL 7

Expert Comment

by:Chris Patterson
ID: 34971700
See the following link for the process of disabling IPv6: http://support.microsoft.com/kb/929852.
0
 

Author Comment

by:amendala
ID: 34971951
I wholeheartedly disagree.  There are plenty of reasons to leave IPv6 enabled even if you don't *think* you need it.  Windows Server 2008 and later use IPv6 extensively for internal operations that will fail if you disable the IPv6 subsystem.

Unchecking the box in the network interface for IPv6 does not disable the protocol, it merely restricts the NICs ability to TX/RX IPv6.  It leaves the subsystem for IPv6 intact which is a requirement for a huge number of server products from Microsoft (TMG, Hyper-V, Failover Clustering, DirectAccess, to name a few).

Hence why I said in my original post "I don't want to disable IPv6".

Below is a quote from Microsoft TechNet and mirrors a response I received from Premier Support a year ago:

---
From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process.  Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.
Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.
---
0
 
LVL 39

Expert Comment

by:Adam Brown
ID: 34972339
It's possible to disable the full IPv6 subsystem, which cpatterson's link explains how to do, but doing so does leave the IPv6 loopback available. With the subsystem disabled, Windows 2008 will function normally on IPv4 without the ill effects that occur when just disabling the protocol on the interfaces. All of the applications you mentioned will operate normally in an environment set up like this. But as I said, that registry tweak won't remove the IPv6 loopback. I don't think there is a technique that will.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34972388
If you are not running Exchange on the Windows 2008 Server you can then disable IPv6; this is not a required protocol, and I have it disabled on non-Exchange servers. You can disable parts of IPv6 if you would like, but if you are going to use IPv6 on your DC then you would need to keep the IPv6 DNS server listed; if not, you can cause DNS server errors. My recommendation is to fully remove IPv6; it is not needed.

http://www.windowsreference.com/networking/disable-ipv6-in-windows-server-20008-full-core-installation/

http://support.microsoft.com/kb/929852
0
 

Author Comment

by:amendala
ID: 34972486
To reiterate, again, my question has absolutely nothing to do with disabling IPv6.  I've said repeatedly that I won't be doing that and I have no interest in doing so.  I disagree with the statements above and my experience, which includes extensive on-site work with MCS and Microsoft Premier in a 20,000+ seat environment, supports the fact that IPv6 should remain untouched whenever possible, whether you believe you are using it or not.

With all due respect, none of the statements above address my core question about the side-effects of removing the loopback interface from the Preferred DNS entry for IPv6 on Server 2008 R2 Domain Controllers.

I'm not interested in discussing IPv6 as a protocol any further.  What I want to know is if I can remove the loopback address from the IPv6 Preferred DNS entry on a Server 2008 R2 DC without ill-effects.  Dcpromo put it there, so removing it is a questionable practice unless I fully understand the potential ramifications of doing so.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34972939
Again, NO, you cannot remove it: if you are going to use IPv6 IP addresses on a DC you MUST KEEP the IPv6 DNS server listed. If you are using IPv6 you would cause DNS and AD issues if you did not have the DNS server in IPv6 as well.

I have worked with MS Premier as well, with them disabling IPv6 on servers that were having issues with replication, DNS resolution, and network drops. IPv6 is not fully integrated, in my opinion, in Windows 2008 server services yet; close, but not there yet.

This link allows you to disable some of the IPv6 components.

http://support.microsoft.com/kb/929852
0
 
LVL 7

Expert Comment

by:Chris Patterson
ID: 34972955
You need to keep the loopback address for the IPv6 preferred DNS server.  The removal of this will cause issues.
0
 
LVL 3

Expert Comment

by:IPv6Guy
ID: 34973156
Just because you have IPv6 enabled doesn't mean that you have to have a DNS server configured for it. By default, Windows machines are configured to "Obtain IPv6 address automatically", which will NOT configure ::1. I am not sure where this ::1 came from, but no, it does not have to be there.

As an aside, when you are manually configuring your IPv6 settings, you can also configure the IPv6 DNS server with an IPv4 address (as long as IPv4 is still enabled). This just causes name resolution to take place over IPv4 instead of IPv6.

In short, NO, you do not "need" to have the DNS server configured for ::1, and I am not sure where that came from.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34973166
In short, you MUST use IPv6 DNS if you are running IPv6 for a Domain Controller; this is required.
0
 
LVL 3

Expert Comment

by:IPv6Guy
ID: 34973191
Umm...no. Queries for AAAA records can be easily sent to an IPv4 address. I'm sorry, Darius, you are incorrect.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34973277
I'm IPv6 you are incorrect. MS puts the ::1 if you are using IPv6 on a Domain Controller automatically because this is a requirement because of DNS issues.

And if you have IPv6 enabled without the IPv6 DNS and you run dcdiag /test:dns, you will receive errors stating that DNS servers could not be contacted. Trust me, I fix this issue on a regular basis here on EE. If there is no ::1 there is no loopback to a DNS server for IPv6, which will again cause errors. What you should have is the correct IPv6 IP addresses for your Enterprise DNS servers.

Now what would be the point of having IPv6 running without IPv6 DNS servers listed?

Enabling IPv6 by default and preferring of IPv6 traffic does not impair IPv4 connectivity. For example, on networks without IPv6 records in the DNS infrastructure, communications using IPv6 addresses are not attempted unless the user or application specifies the destination IPv6 address.

Now if you have DCs running IPv6 they will use IPv6 which requires IPv6 DNS listed. Now with clients that only use IPv4 they can still query the DNS server since they are querying with an IPv4 IP address.

Now you can change the binding order of the NICs to make IPv4 listed first on the Windows 2008 Servers, which would require the Windows 2008 Servers to use IPv4. Now that said, what would be the point of using IPv6 then?

http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/
0
 
LVL 3

Expert Comment

by:IPv6Guy
ID: 34973392
I say again, there is zero requirement for an IPv6 stack to use an IPv6 based DNS server. Assuming that the hosts have a routeable IPv6 address assigned, I agree that *something* needs to be configured in the box that says "DNS Server" under the TCP properties for the NIC.

My argument, though, is that this does not *have* to be configured for ::1. It could be configured for 2001::dead:beef, so long as you have a DNS server configured on that IPv6 address. It could also be configured to point to 192.168.10.1, if you have a DNS server configured on that address.

Why would you use IPv4 transport to retrieve AAAA records? Some organizations do not want to configure an IPv6 address for their existing (IPv4 based) DNS servers. Additionally, they may not want to configure a separate IPv6-based DNS server.

My point is this: there is zero requirement that it be configured for ::1. IF the machine is running DNS Server services on it and IPv6 is configured, yes, ::1 will be set by default, but changing it to something else (another IPv6 address, an IPv4 address, etc.) is fully supported.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34973432
I agree with you on this "It could be configured for 2001::dead:beef"; this is what I'm saying here: "What you should have is the correct IPv6 IP addresses for your Enterprise DNS servers".

I agree with you on that. Maybe I'm misreading the question, but the question I'm seeing is removing ::1 totally without replacing it with a correct IPv6 Enterprise DNS server.

So, IPv6, I think we agree.

My point was you must have at least ::1 listed. You cannot remove the IPv6 DNS IP address totally if you are using IPv6 on a DC.
0
 
LVL 3

Expert Comment

by:IPv6Guy
ID: 34973471
Let me add one bit to your sentence:

"What you should have is the correct IPv6 OR IPv4 IP addresses for your Enterprise DNS servers".

I agree that if you remove ::1, it needs to be replaced with something; it just doesn't HAVE to be an IPv6 address. A dual-stack Windows network can be configured so that not a single server will be configured with ::1 for the DNS and it will still function correctly.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 34973501
I guess we are still disagreeing on that part. From experience, it doesn't work.

But maybe we do agree, just talking about apples to apples while saying it in apples to oranges.

From my experience, if you are running IPv6 higher in the binding order without a proper address in the IPv6 DNS you will see DNS issues, which then turn into replication issues.
0
 
LVL 3

Accepted Solution

by: IPv6Guy (earned 500 total points)
ID: 34973683
Ok, I just verified with the IPv6 Stack and DNS teams at MSFT.

If you are running a dual stack server and put NOTHING AT ALL in the entry for IPv6 DNS Server, the stack will automatically use whatever DNS server is listed in the IPv4 properties.

So if OP deletes ::1, the system should continue to work using the DNS Server listed in TCP/IP properties for IPv4.

1
 

Author Comment

by:amendala
ID: 34980370
"In short, NO, you do not "need" to have the DNS server configured for ::1, and I am not sure where that came from."

The ::1 loopback specification for Preferred DNS comes from DCPROMO. Member servers by default do not possess this characteristic.  Upon running DCPROMO, ::1 will be placed in the Preferred DNS field for the IPv6 stack.

Long story short, I've also confirmed with Microsoft as of this morning that ::1 does not need to be listed there.  If you're using IPv6 IP addresses on your domain controllers, they recommend leaving it there so at the very least, the DC can perform lookups against itself (assuming you have no IPv4 DNS IPs listed).  However, my DCs are not running IPv6 addresses, everything is IPv4 addressed so there is no need to have ::1 listed.

I've scripted a removal of this on my DCs and run a verbose dcdiag from all of them with zero errors indicated.  Thank you all for your input.
0
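An added audit-and-removal script for the change amendala describes (not from this thread or any of its posters). It assumes Windows Server 2008 R2 or later with netsh and dcdiag present, run elevated on each DC, and follows the thread's conclusion: ::1 is removed from the IPv6 DNS list only when the DC has no routable IPv6 address, so the IPv4 entries (preferred = another DC, alternate = self) carry all lookups.

```powershell
# Added example, not from this thread: audits a DC for ::1 in its IPv6 DNS server
# list and removes it only when the DC has no routable IPv6 address, so the IPv4
# DNS entries (preferred = another DC, alternate = self) carry all resolution.
# Assumes netsh and dcdiag are available and the script runs elevated on the DC.
# Report-only by default; pass -Remove to change the configuration.
param([switch]$Remove)

# Map interface name -> $true when ::1 is among its statically configured IPv6 DNS servers.
function Get-IPv6LoopbackDnsUsage {
    $usage = @{}; $iface = $null
    foreach ($line in (netsh interface ipv6 show dnsservers)) {
        if ($line -match '^Configuration for interface "(.+)"') {
            $iface = $Matches[1]; $usage[$iface] = $false; continue
        }
        # ::1 appears either after "Statically Configured DNS Servers:" or on a line of its own.
        if ($iface -and $line -match '(^|\s)::1\s*$') { $usage[$iface] = $true }
    }
    return $usage
}

# A DC "runs IPv6" if any adapter has an IPv6 address other than loopback or link-local.
function Test-RoutableIPv6 {
    $v6 = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
          ForEach-Object { $_.IPAddress } | Where-Object { $_ -match ':' }
    return [bool]($v6 | Where-Object { $_ -ne '::1' -and $_ -notmatch '^fe[89ab]' })
}

$usage   = Get-IPv6LoopbackDnsUsage
$hasIPv6 = Test-RoutableIPv6
foreach ($name in $usage.Keys) {
    if (-not $usage[$name]) { continue }                      # no ::1 on this interface
    if ($hasIPv6) {
        Write-Warning "'$name' lists ::1 but this DC has a routable IPv6 address; keep an IPv6 DNS entry here."
        continue
    }
    if ($Remove) {
        netsh interface ipv6 delete dnsservers "$name" ::1 | Out-Null
        Write-Output "Removed ::1 from '$name'."
    } else {
        Write-Output "Would remove ::1 from '$name' (re-run with -Remove)."
    }
}
# Verify the way the thread did: a verbose dcdiag DNS test should report no errors.
if ($Remove) { dcdiag /test:dns /v }
```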
