Solved

Can I remove the ::1 IPv6 loopback address as the Preferred DNS IP on the IPv6 interface of my Domain Controllers?

Posted on 2011-02-24
Last Modified: 2012-06-22
Folks -

I've noticed that on a number of my domain controllers (DCs) that live in sites with network hardware that cannot pass IPv6 traffic, my DCs are having DNS lookup issues. For instance, you run nslookup and instantly see a 2 second or more delay. When attempting to resolve any names that require forwarding, the lookup fails.

The DCs are healthy insofar as their internal services are concerned and the forest in general is very healthy.  I've found that if I simply remove the ::1 from the Preferred DNS of the IPv6 interface, my lookups work swimmingly, no issues.

Per my standards, and those sanctioned by Microsoft, all my DCs are set to look at another DC first (Preferred) and themselves second (Alternate).  With the ::1 being specified on the IPv6 interface, that violates that standard and also causes lookup issues as my switches in certain locations won't pass the traffic so the packets are dropped.

So that said... I don't want to disable IPv6, I'm well aware of the side-effects that can cause for Server 2008 and later.  But what I do want to do is remove the ::1 from the IPv6 interface DNS settings.  Will I hurt anything when it comes to AD with this change?  It seems that dcpromo puts the value here during promotion.  None of my member servers have ::1 specified.

Any input is appreciated.

Thanks!
Question by: amendala

18 Comments

Expert Comment by: rindi
There is no reason to have IPv6 enabled if you don't need it. I always disable it as a matter of routine, as it can cause issues or confusion. Normally it is only useful if your ISP supports it.

Expert Comment by: Chris Patterson
See the following link for the process of disabling IPv6: http://support.microsoft.com/kb/929852.

Author Comment by: amendala
I wholeheartedly disagree.  There are plenty of reasons to leave IPv6 enabled even if you don't *think* you need it.  Windows Server 2008 and later use IPv6 extensively for internal operations that will fail if you disable the IPv6 subsystem.

Unchecking the box in the network interface for IPv6 does not disable the protocol, it merely restricts the NIC's ability to TX/RX IPv6. It leaves the subsystem for IPv6 intact, which is a requirement for a huge number of server products from Microsoft (TMG, Hyper-V, Failover Clustering, DirectAccess, to name a few).

Hence why I said in my original post "I don't want to disable IPv6".

Below is a quote from Microsoft TechNet and mirrors a response I received from Premier Support a year ago:

---
From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process.  Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.
Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.
---

Expert Comment by: Adam Brown
It's possible to disable the full IPv6 subsystem, which cpatterson's link explains how to do, but doing so does leave the IPv6 loopback available. With the subsystem disabled, Windows 2008 will function normally on IPv4 without the ill effects that occur when just disabling the protocol on the interfaces. All of the applications you mentioned will operate normally in an environment set up like this. But as I said, that registry tweak won't remove the IPv6 loopback. I don't think there is a technique that will.

Expert Comment by: Darius Ghassem
If you are not running Exchange on the Windows 2008 Server, you can disable IPv6; this is not a required protocol, and I have it disabled on non-Exchange servers. You can disable parts of IPv6 if you would like, but if you are going to use IPv6 on your DC, then you would need to keep the IPv6 DNS server listed; if not, you can cause DNS server errors. My recommendation is to fully remove IPv6; it is not needed.

http://www.windowsreference.com/networking/disable-ipv6-in-windows-server-20008-full-core-installation/

http://support.microsoft.com/kb/929852

Author Comment by: amendala
To reiterate, again, my question has absolutely nothing to do with disabling IPv6.  I've said repeatedly that I won't be doing that and I have no interest in doing so.  I disagree with the statements above and my experience, which includes extensive on-site work with MCS and Microsoft Premier in a 20,000+ seat environment, supports the fact that IPv6 should remain untouched whenever possible, whether you believe you are using it or not.

With all due respect, none of the statements above address my core question about the side-effects of removing the loopback interface from the Preferred DNS entry for IPv6 on Server 2008 R2 Domain Controllers.

I'm not interested in discussing IPv6 as a protocol any further. What I want to know is if I can remove the loopback address from the IPv6 Preferred DNS entry on a Server 2008 R2 DC without ill-effects. Dcpromo put it there, so removing it is a questionable practice unless I fully understand the potential ramifications of doing so.

Expert Comment by: Darius Ghassem
Again, NO, you cannot remove it: if you are going to use IPv6 IP addresses on a DC you MUST KEEP the IPv6 DNS server listed. If you are using IPv6, you would cause DNS and AD issues if you did not have the DNS server in IPv6 as well.

I have worked with MS Premier as well, with them disabling IPv6 on servers that were having issues with replication, DNS resolution, and network drops. IPv6 is not fully integrated, in my opinion, in Windows 2008 server services yet; close, but not there yet.

This link allows you to disable some of the IPv6 components.

http://support.microsoft.com/kb/929852

Expert Comment by: Chris Patterson
You need to keep the loopback address for the IPv6 preferred DNS server. The removal of this will cause issues.

Expert Comment by: IPv6Guy
Just because you have IPv6 enabled doesn't mean that you have to have a DNS server configured for it. By default, Windows machines are configured to "Obtain IPv6 address automatically", which will NOT configure ::1. I am not sure where this ::1 came from, but no, it does not have to be there.

As an aside, when you are manually configuring your IPv6 settings, you can also configure the IPv6 DNS server with an IPv4 address (as long as IPv4 is still enabled). This just causes name resolution to take place over IPv4 instead of IPv6.

In short, NO, you do not "need" to have the DNS server configured for ::1, and I am not sure where that came from.

Expert Comment by: Darius Ghassem
In short, you MUST use IPv6 DNS if you are running IPv6 for a Domain Controller; this is required.

Expert Comment by: IPv6Guy
Umm...no. Queries for AAAA records can be easily sent to an IPv4 address. I'm sorry, Darius, you are incorrect.

Expert Comment by: Darius Ghassem
IPv6Guy, you are incorrect. MS puts the ::1 there automatically if you are using IPv6 on a Domain Controller, because this is a requirement because of DNS issues.

And if you have IPv6 enabled without the IPv6 DNS, you can run dcdiag /test:dns and you will receive errors stating that DNS servers could not be contacted. Trust me, I fix this issue on a regular basis here on EE. If there is no ::1, there is no loopback to a DNS server for IPv6, which will again cause errors. What you should have is the correct IPv6 IP addresses for your Enterprise DNS servers.

Now what would be the point of having IPv6 running without IPv6 DNS servers listed?

Enabling IPv6 by default and preferring of IPv6 traffic does not impair IPv4 connectivity. For example, on networks without IPv6 records in the DNS infrastructure, communications using IPv6 addresses are not attempted unless the user or application specifies the destination IPv6 address.

Now if you have DCs running IPv6, they will use IPv6, which requires IPv6 DNS listed. Now with clients that only use IPv4, they can still query the DNS server since they are querying with an IPv4 IP address.

Now you can change the binding order of the NICs to make IPv4 listed first on the Windows 2008 Servers, which would require the Windows 2008 Servers to use IPv4. Now that said, what would be the point of using IPv6 then?

http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

Expert Comment by: IPv6Guy
I say again, there is zero requirement for an IPv6 stack to use an IPv6-based DNS server. Assuming that the hosts have a routeable IPv6 address assigned, I agree that *something* needs to be configured in the box that says "DNS Server" under the TCP properties for the NIC.

My argument, though, is that this does not *have* to be configured for ::1. It could be configured for 2001::dead:beef, so long as you have a DNS server configured on that IPv6 address. It could also be configured to point to 192.168.10.1, if you have a DNS server configured on that address.

Why would you use IPv4 transport to retrieve AAAA records? Some organizations do not want to configure an IPv6 address for their existing (IPv4 based) DNS servers. Additionally, they may not want to configure a separate IPv6-based DNS server.  

My point is this: there is zero requirement that it be configured for ::1. IF the machine is running DNS Server services on it and IPv6 is configured, yes, ::1 will be set by default, but changing it to something else (another IPv6 address, an IPv4 address, etc.) is fully supported.

Expert Comment by: Darius Ghassem
I agree with you on this: "It could be configured for 2001::dead:beef". This is what I'm saying here: "What you should have is the correct IPv6 IP addresses for your Enterprise DNS servers".

I agree with you on that. Maybe I'm misreading the question, but the question I'm seeing is removing ::1 totally without replacing it with a correct IPv6 Enterprise DNS server.

So, IPv6Guy, I think we agree.

My point was you must have at least ::1 listed. You cannot remove the IPv6 DNS IP address totally if you are using IPv6 on a DC.

Expert Comment by: IPv6Guy
Let me add one bit to your sentence:

"What you should have is the correct IPv6 OR IPv4 IP addresses for your Enterprise DNS servers".

I agree that if you remove ::1, it needs to be replaced with something, it just doesn't HAVE to be an IPv6 address. A dual-stack Windows network can be configured so that not a single server will be configured with ::1 for the DNS and it will still function correctly.

Expert Comment by: Darius Ghassem
I guess we are still disagreeing on that part. From experience, it doesn't work.

But maybe we do agree, just talking about apples to apples while saying it in apples to oranges.

From my experience, if you are running IPv6 higher in the binding order without a proper address in the IPv6 DNS, you will see DNS issues, which then turn into replication issues.

Accepted Solution by: IPv6Guy (earned 500 total points)
Ok, I just verified with the IPv6 Stack and DNS teams at MSFT.

If you are running a dual stack server and put NOTHING AT ALL in the entry for IPv6 DNS Server, the stack will automatically use whatever DNS server is listed in the IPv4 properties.

So if OP deletes ::1, the system should continue to work using the DNS Server listed in TCP/IP properties for IPv4.


Author Comment by: amendala
"In short, NO, you do not "need" to have the DNS server configured for ::1, and I am not sure where that came from."

The ::1 loopback specification for Preferred DNS comes from DCPROMO. Member servers by default do not possess this characteristic.  Upon running DCPROMO, ::1 will be placed in the Preferred DNS field for the IPv6 stack.

Long story short, I've also confirmed with Microsoft as of this morning that ::1 does not need to be listed there.  If you're using IPv6 IP addresses on your domain controllers, they recommend leaving it there so at the very least, the DC can perform lookups against itself (assuming you have no IPv4 DNS IPs listed).  However, my DCs are not running IPv6 addresses, everything is IPv4 addressed so there is no need to have ::1 listed.

I've scripted a removal of this on my DCs and run a verbose dcdiag from all of them with zero errors indicated.  Thank you all for your input.
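A PowerShell version of the audit-and-remove step the author describes, added here as an example; it is not the author's script nor code from the thread or from Microsoft. It checks whether ::1 is in the interface's IPv6 DNS list, refuses to delete it unless an IPv4 resolver list remains (the fallback the accepted answer describes), warns if the preferred IPv4 server is the DC itself (the thread's "another DC first, self second" standard), and re-runs dcdiag /test:DNS afterwards. It uses netsh because Server 2008 R2 has no DnsClient cmdlets; the interface name "Local Area Connection" and the parameter names are assumptions.

```powershell
<#
  Added example; not code from the original thread or from Microsoft.
  Audits a DC's IPv6 DNS client list for the ::1 entry that dcpromo adds,
  removes it only when a usable IPv4 resolver list remains (with an empty
  IPv6 list the stack uses the IPv4 servers, per the accepted answer), and
  re-verifies the way the thread did, with dcdiag /test:DNS.
  Assumptions: run elevated on a Server 2008 R2 or later DC; the interface
  name below is an assumed default.
#>
param(
    [string]$InterfaceName = "Local Area Connection",   # assumed; adjust per DC
    [switch]$Remove                                       # audit only unless set
)

function Get-NetshDnsOutput([string]$Family, [string]$Name) {
    # netsh prints "Statically Configured DNS Servers: <addr>" with any further
    # servers on the following indented lines; return the raw lines.
    return @(netsh interface $Family show dnsservers name="$Name")
}

function Test-LoopbackListed([string[]]$Ipv6Output) {
    # True when ::1 appears as a configured IPv6 DNS server.
    return [bool]($Ipv6Output | Where-Object { $_ -match '(^|\s)::1(\s|$)' })
}

function Get-Ipv4Resolvers([string[]]$Ipv4Output) {
    # Extract every dotted quad the IPv4 list shows, in configured order.
    $m = [regex]::Matches(($Ipv4Output -join "`n"), '\b(?:\d{1,3}\.){3}\d{1,3}\b')
    return @($m | ForEach-Object { $_.Value })
}

$v6        = Get-NetshDnsOutput ipv6 $InterfaceName
$v4        = Get-NetshDnsOutput ipv4 $InterfaceName
$resolvers = Get-Ipv4Resolvers $v4
$selfV4    = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
             Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
             ForEach-Object { $_.IPAddressToString }

"::1 listed as IPv6 DNS server : $(Test-LoopbackListed $v6)"
"IPv4 DNS servers (in order)   : $($resolvers -join ', ')"

# Safety check before touching anything: deleting ::1 must not leave the DC
# with no resolver at all.
if ($resolvers.Count -eq 0) {
    Write-Warning "No IPv4 DNS servers on '$InterfaceName'; removing ::1 would leave no resolver. Aborting."
    exit 1
}
# The thread's standard: another DC preferred, this DC as alternate.
if ($selfV4 -contains $resolvers[0]) {
    Write-Warning "Preferred IPv4 DNS server is this DC itself; standard is another DC first, self as alternate."
}

if ($Remove -and (Test-LoopbackListed $v6)) {
    # Delete only the loopback entry; any other IPv6 DNS servers stay in place.
    netsh interface ipv6 delete dnsservers name="$InterfaceName" address=::1
    $v6 = Get-NetshDnsOutput ipv6 $InterfaceName
    "::1 listed after removal      : $(Test-LoopbackListed $v6)"

    # Re-verify: time a lookup of the AD domain name (its A records point at
    # DCs, so this exercises the resolver path the question saw delays on) ...
    $ms = (Measure-Command { [System.Net.Dns]::GetHostAddresses($env:USERDNSDOMAIN) }).TotalMilliseconds
    "Lookup of $env:USERDNSDOMAIN took $([int]$ms) ms"

    # ... and run the same dcdiag test the thread used as its pass criterion.
    $failed = dcdiag /test:DNS /v | Select-String -SimpleMatch 'failed test'
    if ($failed) { $failed | ForEach-Object { Write-Warning $_.Line } }
    else         { "dcdiag /test:DNS reported no failed tests" }
}
```

Run it without -Remove first to audit. The netsh change is per interface, so repeat it for each NIC on a multi-homed DC, and keep the dcdiag output from before and after so a regression can be tied to this change rather than to something else.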