Setting up and managing IPv6 on Windows Server 2016
Change of Address
One common reason why IT managers shy away from IPv6 is the hexadecimal notation with colons that divide the address into eight blocks, each with a length of 16 bits. For example, an IPv6 address looks like this: 001:0db7:85b3:07d3:1319:8a2d:437a:63d4 . These addresses are difficult to memorize and assign manually. Consequently, automatic assignment is the way to go in IPv6 infrastructures.
All IPv6 nodes automatically configure a local address with the fe80::/64 prefix for each physical or logical IPv6 interface. These addresses can only be used for communication with neighboring nodes. They are not registered in the DNS, and if data needs to be sent to such an address, a zone ID is also required. In the case of manual configuration or allocation of an IPv6 address by a DHCP server, the corresponding entries are, of course, made automatically.
IPv6 Preferred
Microsoft Windows Server 2016 uses the Next Generation TCP/IP Stack, a TCP/IP protocol stack that integrates both IPv4 and IPv6. For example, if a DNS query returns IPv6 and IPv4 address, the stack will first attempt to communicate over IPv6. The preference of IPv6 over IPv4 offers IPv6-enabled applications better network connectivity.
Enabling IPv6 and its preference by default has no negative effect on IPv4 connectivity. In networks in which no IPv6 DNS entries are available, IPv6 addresses are not used for communication. Windows Server 2016 always tries to communicate with IPv6; if no IPv6 addresses are available, the server will use IPv4.
In a network with Windows Server 2016, IPv6 offers several advantages:
- Larger address space. The IPv6 128-bit address space provides enough space for each device to have its own globally valid address.
- More efficient routing. The revised IPv6 header and the new addressing scheme, which supports a hierarchical routing infrastructure, allow IPv6 routers to forward the corresponding network traffic faster.
- Easy configuration. IPv6 hosts can configure themselves either by DHCP or a local router. The basic setup might be a bit more complicated, but the running operation is simpler.
- Improved security. The IPv6 standards fix some of the security problems of IPv4 and provide better protection against address and port scans. They stipulate that IPv6 implementations must support Internet Protocol Security (IPsec).
Windows Server 2016 supports IPv6 after installation, so if you display network connection properties, you will see that IPv6 is automatically linked to the network connections (Figure 1 and Figure 2).
Configuring IPv6
If you configure a server with Windows 2016 for IPv6, the following automatic settings are possible:
1. An IPv6 host sends a multicast message and receives one or more router messages. The latter contain subnet prefixes that the IPv6 host uses to specify additional IPv6 addresses and add routes to the IPv6 routing table. Other configuration parameters are also included – for example, the standard gateway.
2. DHCPv6 provides subnet prefixes and other configuration parameters for the IPv6 host. For example, DHCPv6 is often used on IPv6 hosts under Windows to configure the DNS servers' IPv6 addresses, which is not possible with router detection. Windows Server 2016 has an IPv6-enabled DHCP server.
Windows Server 2016 provides a graphical interface for manually configuring IPv6. For Core or Nano servers, Windows Server 2016 also supports configuration at the command prompt with the netsh
command. However, because Microsoft prefers PowerShell, you should use the appropriate cmdlets to control or query network settings. For a list of all relevant cmdlets, type:
Get-Command -Noun Net*
Under the properties for the IPv6 network connection, you can select the following settings:
- Obtain an IPv6 address automatically . Configures the IPv6 addresses for this connection or adapter to be set automatically.
- Use the following IPv6 address . Manually configures the IPv6 address and the default gateway for this connection or adapter.
- IPv6 address . Specifies an IPv6 unicast address.
- Subnet prefix length . Defines the length of the subnet prefix for the IPv6 address. For unicast IPv6 addresses, this should be 64 (the default).
- Default gateway . Defines the default gateway's IPv6 unicast address.
- Obtain DNS server address automatically . Assigns the DNS server's IPv6 address by DHCPv6.
- Use the following DNS server addresses . Manually sets the addresses of the preferred and alternate DNS servers.
You can access the additional settings for IPv6 from the Advanced button. In the IP Settings tab, specify the computer's IPv6 addressing in more detail: For each IPv6 unicast address, you must specify an IPv6 address and a subnet prefix length. The Add button is only available if the Use the following IPv6 address option is set in the IPv6 address settings. For each default gateway, you must specify an IPv6 address and specify whether the metric for this gateway is to be determined using the connection speed or the adapter speed or whether you want to define the metric yourself. You decide whether such a metric applies to the IPv6 addresses or the standard gateways or whether it is determined by the connection speed or the adapter speed. The metric is used when there are multiple routes to choose from in the routing table that correspond to the destination address of a forwarded packet. Windows Server 2016 selects the route with the lowest metric. The metric can reflect the number of hops, the speed and reliability of the path, the path throughput, or administrative properties.
Adapting DNS for IPv6
Under advanced IPv6 settings, the DNS tab lets you make adjustments for name resolution. No changes need to be made here for generally adding Windows Server 2016 to a domain. Freshly installed, the following options are enabled by default:
- Append primary and connection specific DNS suffixes
- Append parent suffixes of the primary DNS suffix
- Register this connection's addresses in DNS
The individual options play a significant role in name resolution in a DNS infrastructure. Append primary and connection specific DNS suffixes means that when resolving hostnames, the host always automatically tries to append the configured primary DNS suffix of its own computer name. For example, if you want to resolve a hostname with the name dc01 , the host attempts name resolution in the style of dc01.contoso.int , given a primary DNS suffix of contoso.int .
The Append parent suffixes of the primary DNS suffix option means that the names of superordinate domains are also used for name resolution. For example, if you want to resolve a server name dc05 in a subordinate domain named muenchen.de.contoso.int , the computer first tries the resolution via dc05.muenchen.de.contoso.int if this is the computer's primary DNS suffix. Then it tries to resolve the name as dc05.de.contoso.int followed by dc05.contoso.int , because these domains are on a higher level than the muenchen.de.contoso.int domain. In this area, you also have the option of entering another DNS suffix of your choice with DNS suffix for this connection . If the computer does not find the entered name on its configured DNS server via its own primary DNS suffix, it tries to find it with the DNS suffix in this field.
Register this connection's addresses in DNS allows a DNS server to register entries dynamically. This dynamic DNS eliminates the need for manual host entries. As soon as a computer logs on to the network, it tries automatically to enter its fully qualified domain name (FQDN) on the configured DNS server, unless this option has been deactivated. This point is very important for internal name resolution on an Active Directory (AD) network.
Under the DNS tab, you can also use Append these DNS suffixes (in order) to configure DNS suffixes to resolve incomplete hostnames. Enabling this means that neither the server's primary DNS suffix nor the connection's DNS suffixes are used. Instead, Windows Server 2016 appends the DNS suffixes in the order that can be found in this field.
During the configuration, make sure that the DNS suffix of the Windows domain in which this server is a member is entered first in this list if possible. This option is often required for name resolution in forests with several trees. To do this, all the trees in the forest are entered in the sequence to ensure name resolution within AD. This option is particularly useful when using Exchange servers if the Exchange servers are distributed across several trees and domains. This option is not enabled by default.
Additionally, stipulating Use this connection's DNS suffix in DNS registration ensures that the server name is registered in DNS with its computer name and its primary DNS suffix – that is, its FQDN. Additionally, the name with the DNS suffix configured in the DNS suffix for this connection field is also stored on the DNS server. This option also is not activated by default.
To resolve server names quickly and efficiently in different DNS zones, enable the Append these DNS suffixes (in order) option under Advanced IPv6 settings on the server using the DNS tab. Enter your own tree's namespace and then append the other trees' namespaces. The purpose of this configuration is the fast resolution of servers in other trees. For example, if you want to resolve the dc1 domain controller (DC) in the contoso.int tree, you must always enter dc1.contoso.int if the machine is not a member of this tree. This setting is only optional, but it adds more robustness to AD name resolution. You will want to configure this setting on every DC and on every Exchange server in your forest, as well as on computers of administrators or power users who constantly need to connect to other domains. You should always enter your own domain and namespace before you query other namespaces.
You can check the effect of this action by entering the nslookup
command, where you can only enter dc1
at this point. The server asks its preferred DNS server whether a server named dc1.contoso.int
can be found (if contoso.int
is your primary DNS suffix). If this server does not exist in this domain, the next namespace is queried.
Many administrators simply enter a new static host entry on their DNS server that points to the IP address of the server in the other namespace. However, this procedure is not correct, even if it works in principle. In this case, it does not return the correct DNS name of the corresponding server, but the server name with the zone of the DNS server in which the server was entered as the host. Particularly in a larger AD, you should make sure that the configurations are also formally correct. This often helps to avoid problems that you have not considered. For example, if you create a new dc1 entry for the dc1.contoso.com DC in the microsoft.com zone, pointing to the server's IP address, the name is resolved as dc1.microsoft.com , although the actual name of the server is dc1.contoso.com . Resolution will work, but it will return an incorrect name.
After configuring or adding the computer to the domain, open a command prompt and type nslookup
. The command must not cause any error messages and must display the correct FQDN of the DNS server and its IP address. If this is not the case, first check that the primary DNS suffix matches the zone name. The domain's primary DNS suffix is automatically assigned when it is added to the domain. Next, determine whether the DNS server's IP address is correctly entered in the computer's IP settings.
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.