Installing and Configuring Windows Server 2012 Training Guide: Network Administration
- 11/15/2012
Lesson 4: Configuring IPv6/IPv4 interoperability
An increasingly important part of the administrator’s job role is to prepare the organization’s network for migration to Internet Protocol version 6 (IPv6). The reasons for this include the exponential growth of the Internet, the proliferation of mobile devices that need to be able to connect to the corporate network, and the impending exhaustion of the IPv4 address space. Unfortunately, many administrators still lack an understanding of basic IPv6 concepts and the necessary skills. This lesson provides an overview of IPv6 concepts and technologies as they relate to Windows-based networks and describes how to implement several IPv6 transition technologies as part of an overall IPv6 migration plan.
IPv6 concepts and terminology
While some IPv6 concepts and terminology are similar to those for IPv4, others are quite different. The following list is a brief summary of some of the important IPv6 terminology you should be familiar with to begin developing an IPv6 migration plan for your organization. Figure 6-9 illustrates how many of these concepts are interrelated. Additional IPv6 terminology is introduced later in this lesson when appropriate.
- Node A device that can be configured with an IPv6 address. Examples of nodes include hosts and routers.
- Host A node that can be either the source of or a destination for IPv6 traffic. Hosts are not able to forward IPv6 packets that are explicitly addressed to them. Instead, they silently discard such packets.
- Router A node that is able to forward IPv6 packets not explicitly addressed to itself. Routers advertise their presence on a network. They also advertise host configuration information.
- Link A collection of network interfaces that use the same 64-bit IPv6 unicast address prefix and which includes hosts but not routers. Links are bounded by routers and are also referred to as network segments or subnets.
- Interface A representation for how a node is attached to a link. An interface can be either of the following:
  - Physical For example, a network adapter in a server.
  - Logical For example, a tunnel interface that encapsulates IPv6 packets inside an IPv4 header to send IPv6 traffic over an IPv4-only network.
- Address An identifier that designates either the source or destination of an IPv6 packet. IPv6 addresses are assigned at the IPv6 layer of an interface. The different types of IPv6 addresses are described later in this lesson.
- Neighbors Nodes connected to the same link. In IPv6, neighbors are able to detect and monitor reachability with one another by using a process called Neighbor Discovery.
- Network Two or more links connected together by routers.
- Site An autonomously operated IPv6 network that is connected to the IPv6 Internet.
Figure 6-9 Basic IPv6 networking concepts.
IPv6 and the TCP/IP protocol architecture
As Figure 6-10 illustrates, the TCP/IP protocol networking stack on the Microsoft Windows platform is implemented using a dual IP layer approach. This means, for example, that:
- Only a single implementation of transport layer protocols such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) is needed for both IPv4 and IPv6 communications.
- Only a single implementation of framing layer protocols—such as Ethernet (802.3), Point-to-Point Protocol (PPP), and mobile broadband (802.11)—is needed for both IPv4 and IPv6 communications.
This dual IP layer TCP/IP stack is implemented on the following Windows platforms:
- Windows 8
- Windows 7
- Windows Vista
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
Figure 6-10 The dual IP layer TCP/IP protocol stack.
Default IPv6 functionality
On Windows platforms, IPv6 is installed by default and cannot be uninstalled because it is a fundamental component of Tcpip.sys, the TCP/IP driver file on these platforms. IPv6 is also enabled by default for all connections in the Network Connections folder on a Windows computer. To verify this, open the properties of a network connection, select the Networking tab, and check that Internet Protocol Version 6 (TCP/IPv6) is selected as shown in Figure 6-11.
Figure 6-11 IPv6 is enabled by default on Windows Server 2012.
IPv6 is also preferred over IPv4 for network communications by Windows computers. For example, if a DNS server returns both IPv4 and IPv6 addresses in response to a name query, Windows will first try to communicate with the remote host using IPv6. If this fails, Windows will then attempt to use IPv4.
Disabling IPv6
Although you cannot uninstall IPv6 on Windows platforms, you can disable it if desired. However, Microsoft does not recommend disabling IPv6 for the following reasons:
- During the development of Windows platforms by Microsoft, services and applications were tested only with IPv6 enabled. As a result, Microsoft cannot predict what might be the consequences of disabling IPv6 on Windows.
- Some Windows features will not function if IPv6 is disabled. Examples of such features include DirectAccess and Remote Assistance.
By leaving IPv6 enabled, you can ensure that your Windows computers are fully supported and that all network-enabled features can work as intended. However, if you decide you need to disable IPv6 on a Windows computer for some reason, there are several ways you can do this. For example, if you want to disable IPv6 for a specific local area network (LAN) interface on a Windows computer, you can do so by deselecting Internet Protocol Version 6 (TCP/IPv6) on the Networking tab of the connection’s properties shown previously in Figure 6-11. Note, however, that performing this action does not disable IPv6 for either the loopback interface or any tunnel interfaces on the computer.
To disable specific types of IPv6 functionality for all interfaces on a Windows computer, perform the following steps:
1. Create a new DWORD registry value named DisabledComponents under the following registry key:
   HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\
2. Create an eight-bit binary number that defines the types of IPv6 functionality you want to disable by using the following information:
   - Bit 0 Set this bit to 1 to disable all IPv6 tunnel interfaces—including ISATAP, Teredo, 6to4, and IP-HTTPS—or set it to 0 to leave all IPv6 tunnel interfaces enabled.
   - Bit 1 Set this bit to 1 to disable all 6to4 tunnel interfaces, or set it to 0 to leave all 6to4 tunnel interfaces enabled.
   - Bit 2 Set this bit to 1 to disable all ISATAP-based interfaces, or set it to 0 to leave all ISATAP-based interfaces enabled.
   - Bit 3 Set this bit to 1 to disable all Teredo-based interfaces, or set it to 0 to leave all Teredo-based interfaces enabled.
   - Bit 4 Set this bit to 1 to disable IPv6 for all nontunnel interfaces, including LAN and PPP interfaces, or set it to 0 to leave all nontunnel interfaces enabled.
   - Bit 5 Set this bit to 1 to configure the default prefix table so that IPv4 is preferred over IPv6 when attempting to establish a network connection, or set it to 0 to leave IPv6 as the preferred network layer protocol.
   - Bit 6 Leave this bit set to 0 because it is reserved for future use.
   - Bit 7 Set this bit to 1 to disable all IP-HTTPS-based interfaces, or set it to 0 to leave all IP-HTTPS-based interfaces enabled.
3. Convert the binary number you created into hexadecimal form, and assign it as the value for the DisabledComponents registry value. Remember that bit 7 is the leftmost bit and bit 0 is the rightmost bit of the binary number.
4. Restart the computer to have the changes take effect.
For example, let’s say you want to disable both Teredo and 6to4 on a Windows computer but leave ISATAP and all other IPv6 functionality enabled. To do this, you need to assign values to bits 0 through 7 as follows:
- Bit 0 0
- Bit 1 1
- Bit 2 0
- Bit 3 1
- Bit 4 0
- Bit 5 0
- Bit 6 0
- Bit 7 0
The binary number 00001010 converted to hexadecimal form is 0xA, and this is the value you would assign to the DisabledComponents registry value.
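The bit arithmetic above, as an added PowerShell example that is not part of the book: it builds a DisabledComponents value from bit numbers, decodes an existing value back into the components it turns off, and reads the current setting from the registry key named in the steps. The helper names ConvertTo-DisabledComponents and ConvertFrom-DisabledComponents are hypothetical.

```powershell
# Added example, not from the book. Bit meanings follow the list in this
# lesson; the two function names are hypothetical helpers.
$DisabledComponentsBits = @(
    'Disable all IPv6 tunnel interfaces (ISATAP, Teredo, 6to4, IP-HTTPS)',  # bit 0
    'Disable 6to4 tunnel interfaces',                                       # bit 1
    'Disable ISATAP-based interfaces',                                      # bit 2
    'Disable Teredo-based interfaces',                                      # bit 3
    'Disable IPv6 on nontunnel interfaces (LAN, PPP)',                      # bit 4
    'Prefer IPv4 over IPv6 in the default prefix table',                    # bit 5
    'Reserved, leave 0',                                                    # bit 6
    'Disable IP-HTTPS-based interfaces'                                     # bit 7
)

function ConvertTo-DisabledComponents {
    # Build the DWORD from the bit numbers that should be set to 1.
    param([Parameter(Mandatory)][ValidateRange(0, 7)][int[]]$Bit)
    $value = 0
    foreach ($b in $Bit) {
        if ($b -eq 6) { throw 'Bit 6 is reserved and must stay 0.' }
        $value = $value -bor (1 -shl $b)
    }
    $value
}

function ConvertFrom-DisabledComponents {
    # List the components that a given DisabledComponents value turns off.
    param([Parameter(Mandatory)][long]$Value)
    if ($Value -band (-bnot 0xFF)) {
        Write-Warning ('0x{0:X} sets bits outside the eight described here.' -f $Value)
    }
    foreach ($i in 0..7) {
        if ($Value -band (1 -shl $i)) {
            [pscustomobject]@{ Bit = $i; Effect = $DisabledComponentsBits[$i] }
        }
    }
}

# The lesson's example: disable 6to4 (bit 1) and Teredo (bit 3), nothing else.
$wanted = ConvertTo-DisabledComponents -Bit 1, 3
$binary = [Convert]::ToString($wanted, 2).PadLeft(8, '0')
'DisabledComponents = 0x{0:X} (binary {1})' -f $wanted, $binary

# Audit the value currently configured on this computer.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters'
$current = (Get-ItemProperty -Path $key -Name DisabledComponents `
                -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $current) {
    'DisabledComponents is not set; no IPv6 component is disabled by this value.'
} else {
    ConvertFrom-DisabledComponents -Value $current | Format-Table -AutoSize
}

# Preview the registry write. Remove -WhatIf to apply it, then restart.
New-ItemProperty -Path $key -Name DisabledComponents -PropertyType DWord `
    -Value $wanted -Force -WhatIf
```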
IPv6 addressing
In contrast to the 32-bit (4-byte) addresses used by the IPv4 protocol, IPv6 uses 128-bit (16-byte) addresses. Using addresses like this that are four times longer increases the theoretically usable address space from 2^32 addresses (approximately 4 billion addresses) to 2^128 addresses (approximately 3.4 x 10^38 addresses). The actual address space for IPv6 is smaller, however, because of the hierarchical way that IPv6 addresses are constructed. Specifically, each 128-bit IPv6 address consists of two parts:
- A 64-bit IPv6 prefix that indicates the address type, how packets containing the address should be routed, the subnet on which the interface having the address resides, or some combination of these types of information
- A 64-bit IPv6 interface identifier that identifies the interface on the subnet
IPv6 address representation
IPv4 addresses are usually represented in the familiar dotted-decimal form, such as 65.55.58.201, where each number represents 8 bits of the 32-bit address. By contrast, the much longer IPv6 addresses are typically represented by dividing the 128-bit address into 16-bit (4-byte) segments. Each segment is then converted from binary format to a 4-bit hexadecimal number, and these numbers are finally separated by using colons.
For example, when expressed in binary form, the following IPv6 address spans two lines of text on this page:
0010000000000001000011011011100000111111101010010000000000000000 0000000000000000000000000000000000000000110100111001110001011010
When converted into colon hexadecimal notation, however, the address is much shorter:
2001:0DB8:3FA9:0000:0000:0000:00D3:9C5A
The preceding address can be further compressed by suppressing leading zeros as follows:
2001:DB8:3FA9:0:0:0:D3:9C5A
Even further compression can be achieved by representing contiguous blocks of hexadecimal zeros as double colons as follows:
2001:DB8:3FA9::D3:9C5A
IPv6 prefixes
The first 64 bits of a 128-bit IPv6 address represent the IPv6 prefix for the address. An IPv6 prefix can be used to
- Specify the type of the IPv6 address.
- Define a summarized route.
- Indicate a subnet.
For example, the IPv6 prefix portion of the IPv6 address 2001:DB8:3FA9::D3:9C5A used in the previous section is 2001:DB8:3FA9:0.
IPv6 prefixes are expressed using an <address>/<prefix_length> format that is similar to the Classless Inter-Domain Routing (CIDR) notation used on IPv4 networks. The value of <prefix_length> can vary as follows:
- Subnets always have a prefix length of 64.
- Summarized routes always have a prefix length less than 64.
For example, an IPv6 prefix of 2001:DB8:3FA9::/48 represents a summarized route.
IPv6 address types
IPv4 addresses can be unicast, multicast, or broadcast addresses. IPv6 addresses by comparison can be any of the following:
- Unicast This type of IPv6 address identifies a single interface within a region of an IPv6 network over which the address is unique.
- Multicast This type of IPv6 address identifies zero or more interfaces on the same host or different hosts and is used for one-to-many communications with delivery to multiple interfaces.
- Anycast This type of IPv6 address identifies multiple interfaces and is used for one-to-one-of-many communications with delivery to a single interface.
Unicast IPv6 addresses can be further categorized as one of the following:
- Global unicast addresses
- Link-local addresses
- Unique local addresses
- Special addresses
- Transition addresses
The sections that follow go into greater detail about unicast address types. Note that there are no broadcast addresses in IPv6. Instead, multicast addresses are used when broadcast functionality is required over a portion of an IPv6 network.
Global unicast addresses
Global unicast addresses are IPv6 addresses that are globally routable and therefore are reachable on the IPv6 Internet. Global unicast addresses for IPv6 are the equivalent of public addresses for IPv4.
A global unicast address is always structured as follows:
- The first three bits of the address are always 001 in binary format.
- The next 45 bits represent the global routing prefix for the organization’s site. Taken together with the three predefined high-order bits, they define the 48-bit site prefix, which is used by routers on the IPv6 Internet to identify IPv6 packets that should be forwarded to the routers of the organization’s site.
- The next 16 bits are used to identify the subnet within the site. Because 16 bits are available for defining subnets, each site can have up to 2^16 or 65,536 subnets.
- The final 64 bits specify the interface on the indicated subnet within the site.
Link-local addresses
Link-local addresses are IPv6 addresses that are used whenever a node needs to communicate with a neighbor (another node on the same link). For example, if a site has no routers, and therefore only one subnet, all network communications between hosts can take place using link-local addresses.
On Windows platforms, IPv6 link-local addresses are always configured automatically on all interfaces even if no other unicast IPv6 addresses are configured. The IPv4 equivalent to these addresses are IPv4 link-local addresses, which are addresses in the range 169.254.0.0/16 that are dynamically configured on interfaces when no Dynamic Host Configuration Protocol (DHCP) server is available. On Windows platforms, IPv4 link-local addresses are assigned using Automatic Private IP Addressing (APIPA).
A link-local address is always structured as follows:
- The first 64 bits are always 11111110 10000000 00000000 00000000 in binary format. This means that a link-local address always begins with FE80 and has a prefix identifier of FE80::/64.
- The final 64 bits specify the interface on the local link.
Unique local addresses
Unique local addresses are IPv6 addresses that are private to an organization in the same way that private addresses—such as 10.x.x.x, 192.168.x.x, or 172.16.0.0 - 172.31.255.255—can be used on an IPv4 network. Unique local addresses, therefore, are not routable on the IPv6 Internet in the same way that an address like 10.20.100.55 is not routable on the IPv4 Internet.
A unique local address is always structured as follows:
- The first 8 bits are always 11111101 in binary format. This means that a unique local address always begins with FD and has a prefix identifier of FD00::/8.
- The next 40 bits represent the global identifier, which represents a specific site within the organization. This global identifier is randomly generated.
- The next 16 bits are used to identify the subnet within the site. Because 16 bits are available for defining subnets, each site can have up to 2^16 or 65,536 subnets.
- The final 64 bits specify the interface on the indicated subnet within the site.
Special addresses
The following two addresses have special significance in IPv6:
- The address 0:0:0:0:0:0:0:0, which is commonly represented as a double colon (::), indicates the absence of an IPv6 address. The IPv4 equivalent to this address is 0.0.0.0.
- The loopback address 0:0:0:0:0:0:0:1, which is commonly represented as ::1, is assigned to the loopback interface on a node. The loopback address is used whenever a node needs to send a packet to itself. The IPv4 equivalent to this address is 127.0.0.1.
Transition addresses
Transition addresses are IPv6 addresses used by IPv6 transition technologies such as ISATAP, Teredo, or 6to4. Transition addresses enable the coexistence of IPv4 and IPv6 hosts on the same network. IPv6 transition technologies are described in more detail later in this lesson.
Multicast addresses
Multicasting on IPv6 networks works essentially the same way that it does on IPv4 networks. An IPv6 multicast address always begins with 11111111 or FF and includes additional structure that identifies the scope of the address and the multicast group to which the interface belongs. IPv6 multicast addresses, therefore, are always of the form FF00::/8. For comparison, IPv4 multicast addresses are always of the form 224.0.0.0/4.
As indicated earlier in this lesson, IPv6 does not have broadcast addresses and instead uses certain multicast addresses whenever some form of broadcast functionality is required. Examples of this usage include the following multicast addresses:
- FF01::1 This address is an all-nodes multicast address that has interface-local scope.
- FF02::1 This address is an all-nodes multicast address that has link-local scope.
- FF01::2 This address is an all-routers multicast address that has interface-local scope.
- FF02::2 This address is an all-routers multicast address that has link-local scope.
- FF05::2 This address is an all-routers multicast address that has site-local scope.
For example, the equivalent of IPv6 address FF02::1 on an IPv4 network is 255.255.255.255.
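The address-type rules from the preceding sections, as an added PowerShell example that is not part of the book: it classifies an address by its leading bits and, for global unicast and unique local addresses, splits out the 48-bit site prefix, 16-bit subnet ID, and 64-bit interface identifier. The function name Get-IPv6AddressInfo is hypothetical, and the unique local sample address is constructed.

```powershell
# Added example, not from the book: classify an IPv6 address using the prefix
# rules from this lesson. Get-IPv6AddressInfo is a hypothetical helper name.
function Get-IPv6AddressInfo {
    param([Parameter(Mandatory)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)      # a %zone suffix is accepted
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "'$Address' is not an IPv6 address."
    }
    $b = $ip.GetAddressBytes()                          # 16 bytes, high-order first
    $first64 = [BitConverter]::ToString($b, 0, 8)       # e.g. FE-80-00-00-00-00-00-00

    $type = if ($ip.Equals([System.Net.IPAddress]::IPv6Any)) { 'Unspecified' }
        elseif ([System.Net.IPAddress]::IsLoopback($ip))     { 'Loopback' }
        elseif ($b[0] -eq 0xFF) {
            # The low four bits of the second byte carry the multicast scope.
            $scope = switch ($b[1] -band 0x0F) {
                1       { 'interface-local' }
                2       { 'link-local' }
                5       { 'site-local' }
                default { "scope $_" }
            }
            "Multicast ($scope)"
        }
        elseif ($first64 -eq 'FE-80-00-00-00-00-00-00')      { 'Link-local' }
        elseif ($b[0] -eq 0xFD)                              { 'Unique local' }
        elseif (($b[0] -band 0xE0) -eq 0x20)                 { 'Global unicast' }  # 001...
        else                                                 { 'Other' }

    # Eight 16-bit groups in hexadecimal with leading zeros suppressed.
    $groups = for ($i = 0; $i -lt 16; $i += 2) {
        '{0:x}' -f ($b[$i] * 256 + $b[$i + 1])
    }

    $routable = $type -in 'Global unicast', 'Unique local'
    $unicast  = $routable -or $type -eq 'Link-local'
    [pscustomobject]@{
        Address     = $ip.ToString()
        Type        = $type
        SitePrefix  = if ($routable) { ($groups[0..2] -join ':') + '::/48' }
        SubnetId    = if ($routable) { $groups[3] }
        InterfaceId = if ($unicast)  { $groups[4..7] -join ':' }
    }
}

# Addresses quoted in this lesson, plus one constructed unique local address.
'2001:DB8:3FA9::D3:9C5A', 'fe80::2025:61fb:b68:c266%12', 'FD12:3456:789A:1::10',
'FF02::1', 'FF05::2', '::1', '::' |
    ForEach-Object { Get-IPv6AddressInfo $_ } |
    Format-Table -AutoSize
```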
IPv6 address assignment
On IPv4 networks, addresses can be assigned to interfaces in three ways: manually using static addresses, dynamically using DHCP, or automatically using APIPA. Administrators of small networks often configure IPv4 addresses manually, while midsize to large organizations usually use DHCP. Automatic address configuration using APIPA, however, is usually used only on very small networks such as a home or office LAN that connects to the Internet using a DSL router.
Address assignment on IPv6 networks is somewhat different. IPv6 addresses can be assigned to an interface by doing the following:
- Manually configuring one or more IPv6 addresses on the interface
- Stateful address autoconfiguration using a DHCPv6 server
- Stateless address autoconfiguration based on the receipt of Router Advertisement messages
- Both stateful and stateless address autoconfiguration
In addition, a link-local address is always automatically configured on an interface regardless of whether stateful or stateless address autoconfiguration is being used.
The main difference, however, between address assignment in IPv6 and in IPv4 is that the IPv6 protocol was designed to be autoconfiguring. This means that, in most cases, you will neither need to assign addresses manually nor deploy a DHCPv6 server; instead, you can use stateless address autoconfiguration for most of your network hosts. This means that, in contrast with physical interfaces (network adapters) on IPv4 hosts which are usually single-homed (have only a single address assigned), most physical interfaces on IPv6 hosts are multihomed (have multiple addresses assigned). Specifically, a physical IPv6 interface usually has at least two addresses:
- An automatically generated link-local address, which is used for traffic on the local link
- An additional unicast address (either a global address or a unique local address), which is used for traffic that needs to be routed beyond the local link
Manual address assignment
Manual assignment of IPv6 addresses is generally done only in two scenarios:
- For certain servers on your network
- On most router interfaces
On a computer running Windows Server 2012, you can manually configure an IPv6 address using any of the following methods:
- By opening the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box from the properties of an interface in the Network Connection folder and configuring the IPv6 address, subnet prefix length, default gateway, and DNS server addresses as shown in Figure 6-12
- By using the New-NetIPAddress and Set-DnsClientServerAddress cmdlets of Windows PowerShell
- By using commands from the netsh interface ipv6 context of the Netsh.exe command-line utility
Figure 6-12 Manually configuring an IPv6 address in Windows Server 2012.
The following is an example of using Windows PowerShell to manually configure an IPv6 address on a physical interface of a computer running Windows Server 2012. First, here is the output from running the Ipconfig command on the server:
    PS C:\> ipconfig

    Windows IP Configuration

    Ethernet adapter Ethernet:

       Connection-specific DNS Suffix . :
       Link-local IPv6 Address . . . . . : fe80::2025:61fb:b68:c266%12
       IPv4 Address. . . . . . . . . . . : 172.16.11.75
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 172.16.11.1

    Tunnel adapter isatap.{DD59BFFD-706A-4685-9073-647788046335}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix . :

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix . :
From the preceding command, you can see that the physical interface named Ethernet has two addresses assigned:
- The IPv4 address 172.16.11.75
- The link-local IPv6 address fe80::2025:61fb:b68:c266%12
The %12 appended to the link-local address is called a zone identifier and is used to specify the link on which the address is located. On Windows platforms, the zone identifier is equal to the index of the interface, and you can use the Get-NetAdapter cmdlet to display a list of names and indexes of physical interfaces on computers running Windows Server 2012 as follows:
    PS C:\> Get-NetAdapter | fl Name,ifIndex

    Name    : Ethernet
    ifIndex : 12
Instead of using the Ipconfig command, you can also use the Get-NetIPAddress cmdlet like this to display the address information for the interface named Ethernet:
    PS C:\> Get-NetIPAddress | where {$_.InterfaceAlias -eq "Ethernet"}

    IPAddress         : fe80::2025:61fb:b68:c266%12
    InterfaceIndex    : 12
    InterfaceAlias    : Ethernet
    AddressFamily     : IPv6
    Type              : Unicast
    PrefixLength      : 64
    PrefixOrigin      : WellKnown
    SuffixOrigin      : Link
    AddressState      : Preferred
    ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
    PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
    SkipAsSource      : False
    PolicyStore       : ActiveStore

    IPAddress         : 172.16.11.75
    InterfaceIndex    : 12
    InterfaceAlias    : Ethernet
    AddressFamily     : IPv4
    Type              : Unicast
    PrefixLength      : 24
    PrefixOrigin      : Manual
    SuffixOrigin      : Manual
    AddressState      : Preferred
    ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
    PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
    SkipAsSource      : False
    PolicyStore       : ActiveStore
Note how the preceding cmdlet output is more informative than the Ipconfig command.
I’ll now show you how to use the New-NetIPAddress cmdlet to assign a new global unicast IPv6 address with prefix length 64 and also a default gateway address to the Ethernet interface:
    PS C:\> New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 2001:DB8:3FA9::D3:9C5A `
    -PrefixLength 64 -DefaultGateway 2001:DB8:3FA9::0C01

    IPAddress         : 2001:db8:3fa9::d3:9c5a
    InterfaceIndex    : 12
    InterfaceAlias    : Ethernet
    AddressFamily     : IPv6
    Type              : Unicast
    PrefixLength      : 64
    PrefixOrigin      : Manual
    SuffixOrigin      : Manual
    AddressState      : Tentative
    ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
    PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
    SkipAsSource      : False
    PolicyStore       : ActiveStore

    IPAddress         : 2001:db8:3fa9::d3:9c5a
    InterfaceIndex    : 12
    InterfaceAlias    : Ethernet
    AddressFamily     : IPv6
    Type              : Unicast
    PrefixLength      : 64
    PrefixOrigin      : Manual
    SuffixOrigin      : Manual
    AddressState      : Invalid
    ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
    PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
    SkipAsSource      : False
    PolicyStore       : PersistentStore
To verify the result, you can use the Get-NetIPAddress cmdlet with the –AddressFamily parameter to display only IPv6 addressing information as follows:
    PS C:\> Get-NetIPAddress -AddressFamily IPv6 | where {$_.InterfaceAlias -eq "Ethernet"}

    IPAddress         : fe80::2025:61fb:b68:c266%12
    InterfaceIndex    : 12
    InterfaceAlias    : Ethernet
    AddressFamily     : IPv6
    Type              : Unicast
    PrefixLength      : 64
    PrefixOrigin      : WellKnown
    SuffixOrigin      : Link
    AddressState      : Preferred
    ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
    PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
    SkipAsSource      : False
    PolicyStore       : ActiveStore

    IPAddress         : 2001:db8:3fa9::d3:9c5a
    InterfaceIndex    : 12
    InterfaceAlias    : Ethernet
    AddressFamily     : IPv6
    Type              : Unicast
    PrefixLength      : 64
    PrefixOrigin      : Manual
    SuffixOrigin      : Manual
    AddressState      : Preferred
    ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
    PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
    SkipAsSource      : False
    PolicyStore       : ActiveStore
The interface is now multihomed because it has one link-local IPv6 address and one global IPv6 address. Opening the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box displays the expected manually configured address information, as shown in Figure 6-13.
Figure 6-13 Verifying IPv6 address settings configured using Windows PowerShell.
To configure preferred and alternate DNS servers for this interface, use the Set-DnsClientServerAddress cmdlet. For more information on Net TCP/IP and DNS client cmdlets, see the following TechNet Library pages:
Stateless address autoconfiguration
Stateless address autoconfiguration is one of the most valuable aspects of IPv6 because it allows IPv6 nodes to communicate on a network without the need of manually assigning addresses to them or deploying a DHCP server. The automatic assignment of link-local addresses to interfaces on an IPv6 host is one example of stateless address autoconfiguration at work, and it allows hosts on the same link to communicate with one another. This type of address autoconfiguration is called stateless because it does not make use of an address configuration protocol such as DHCP.
Another example of stateless address configuration at work is when an IPv6 host uses router discovery to automatically configure additional addresses, such as global or unicast local addresses, a default gateway address, and other IPv6 configuration parameters. What typically happens is this:
1. The host (which here is a computer running Windows Server 2012) sends out a Router Solicitation message to request a router advertisement from any router listening on the host’s link.
2. A router (either an IPv6 router or an ISATAP router) on the host’s link responds to the host’s message by sending a Router Advertisement message to the host.
3. The host uses the information in the Router Advertisement message to assign a tentative address to the host, along with any additional settings specified. IPv6 addresses that have been autoconfigured can be in any of the following states:
   - Tentative The address still needs to be verified as unique by performing duplicate address detection. Tentative addresses cannot receive unicast traffic until they have been verified as valid.
   - Valid The address is unique. A valid address is also either preferred or deprecated.
     - Preferred The address is valid and therefore can be used for sending or receiving unicast traffic.
     - Deprecated The address is valid and can be used for sending or receiving unicast traffic but should not be used to initiate any new communication.
   - Invalid The address can no longer be used for sending or receiving unicast traffic.
The time during which an address is in a particular state is determined by information provided by the router.
Stateful address autoconfiguration
Stateful address autoconfiguration is based on the use of an address-resolution protocol. On IPv4 networks, DHCP is such a protocol, and it can be used for dynamically assigning IP addresses and other configuration settings to interfaces on hosts. The infrastructure for DHCP consists of DHCP servers, DHCP clients, and DHCP relay agents that can relay DHCP messages between clients and servers on different subnets.
The IPv6 version of this protocol is called DHCPv6, and it uses a similar infrastructure of DHCPv6 servers, DHCPv6 clients, and DHCPv6 relay agents. However, DHCPv6 can provide IPv6 hosts with both stateful address configuration and stateless configuration settings. This can be a problem because it can result in additional addresses being assigned to hosts, but you can prevent this from happening by configuring your IPv6 routers appropriately so that hosts are assigned only stateful addresses by DHCPv6 servers.
One reason for deploying a DHCPv6 server on an IPv6 network is because Windows does not support stateless address autoconfiguration of DNS server settings using Router Advertisement messages. This means that a DHCPv6 server is required if your Windows computers need to be able to perform DNS name resolution using IPv6.
DHCPv6 client software is built into the following versions of Windows:
- Windows 8
- Windows 7
- Windows Vista
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
Configuring a DHCPv6 server
The DHCP Server service in the following versions of Windows Server supports both stateful and stateless address autoconfiguration via DHCPv6:
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
You can configure a computer running Windows Server 2012 as either a DHCPv6 stateless server or a DHCPv6 stateful server by performing the following steps:
1. Begin by installing the DHCP server role on your server.
2. Assign static IPv6 addresses to the DHCPv6 server interfaces that will be listening for incoming DHCPv6 request messages.
3. Open the DHCP snap-in, and expand the IPv6 node beneath the server node.
4. To configure DHCPv6 options for stateless address autoconfiguration, right-click on the Server Options node beneath the IPv6 node and select Configure Options as shown here:
   Then configure the DHCPv6 server options as desired. For example, you could configure option 23 DNS Recursive Name Server IPv6 Address List as shown here:
5. To configure DHCPv6 options for stateful address autoconfiguration, right-click on the IPv6 node and select New Scope as shown here:
   Then use the New Scope Wizard to specify a name and description for the scope, an IPv6 subnet prefix, and other information required.
IPv6 transition technologies
The ultimate goal of IPv6 is for IPv4 to eventually be retired and all nodes on all TCP/IP networks to use only IPv6. However, such a goal might take years, or even decades, to achieve. In the meantime, IPv4 and IPv6 nodes must be able to interoperate on the same network so that communications will not be disrupted, and IPv6 transition technologies make this possible. Windows platforms can be used to implement the following IPv6 transition technologies:
- ISATAP This transition technology allows IPv6/IPv4 nodes on an IPv4-only intranet to use IPv6 to communicate with each other and across the IPv6 Internet.
- 6to4 This transition technology provides automatic tunneling that allows IPv6/IPv4 hosts to establish IPv6 connectivity with each other across the IPv4 Internet. However, implementing 6to4 requires that the edge device (router) use a public IPv4 address.
- Teredo This transition technology provides automatic tunneling that allows IPv6/IPv4 hosts to establish IPv6 connectivity with each other across the IPv4 Internet even when IPv4 network address translation (NAT) devices need to be traversed. Because of this capability, Teredo is more suitable than 6to4 for small office/home office (SOHO) environments that use NATs to hide their private IPv4 addresses from the Internet.
In addition, Windows platforms support the following IPv6-to-IPv4 traffic translation technologies:
- NAT64 This technology is used to allow IPv6-only nodes to access IPv4-only hosts. The DirectAccess feature of Windows Server 2012 uses NAT64 to enable DirectAccess clients (which act as IPv6-only nodes) to access hosts on an IPv4 corporate network.
- DNS64 This technology is used to map IPv6-only address record (AAAA) name queries to IPv4 address record (A) name queries. Using DNS64 together with NAT64 enables IPv6 nodes to initiate communication with IPv4-only nodes with no changes to either node.
- PortProxy This technology allows IPv4/IPv6 TCP traffic to be proxied to IPv4/IPv6 TCP traffic at a different address. The technology is useful when nodes cannot communicate using either IPv4 or IPv6.
The following section describes one of these transition technologies (ISATAP) in more detail.
ISATAP
ISATAP enables unicast communication between IPv6/IPv4 hosts across the IPv4-only Internet. ISATAP works by encapsulating IPv6 packets with an IPv4 header so that the IPv6 packet can be sent over an IPv4-only network. This approach is called IPv6-over-IPv4 tunneling, and ISATAP uses automatic tunneling that does not require any manual configuration.
ISATAP addresses
ISATAP addresses are assigned by ISATAP hosts to their ISATAP tunnel interfaces. An ISATAP address consists of a valid 64-bit unicast address prefix and a 64-bit interface identifier. The interface identifier can be either ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z, where w.x.y.z is either a private or public IPv4 address, respectively.
On Windows platforms, IPv6 automatically creates a separate ISATAP tunneling interface for each LAN interface that has a unique DNS suffix. A link-local ISATAP address is then automatically configured on these ISATAP interfaces to enable IPv6 communication over an IPv4-only network without the need of assigning global or unique local ISATAP addresses to the interfaces.
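The following is an added example, not part of the original lesson. It builds the link-local ISATAP address for an IPv4 address using the two interface identifier forms described above, and recovers the embedded IPv4 address from an ISATAP address, which is useful when reviewing address lists or logs for tunneled traffic. The function names and sample addresses are constructed for illustration, and "private" is assumed to mean the RFC 1918 ranges.

```powershell
# Added example: function names and sample addresses are constructed.
function Test-PrivateIPv4 {
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    # Assumption: "private" means the RFC 1918 ranges 10/8, 172.16/12, 192.168/16
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function New-IsatapLinkLocalAddress {
    param([Parameter(Mandatory)][string]$IPv4Address)
    $v4 = [System.Net.IPAddress]::Parse($IPv4Address)
    if ($v4.AddressFamily -ne 'InterNetwork') { throw "Not an IPv4 address: $IPv4Address" }
    $bytes = New-Object byte[] 16
    $bytes[0] = 0xFE; $bytes[1] = 0x80                       # link-local prefix FE80::/64
    if (-not (Test-PrivateIPv4 $v4)) { $bytes[8] = 0x02 }    # ::200:5efe for a public IPv4 address
    $bytes[10] = 0x5E; $bytes[11] = 0xFE                     # 5efe marks an ISATAP identifier
    [Array]::Copy($v4.GetAddressBytes(), 0, $bytes, 12, 4)   # w.x.y.z in the last 32 bits
    return (New-Object System.Net.IPAddress (,$bytes)).ToString()
}

function Get-IsatapEmbeddedIPv4 {
    param([Parameter(Mandatory)][string]$IPv6Address)
    # Drop a zone index such as %13 before parsing
    $addr = [System.Net.IPAddress]::Parse(($IPv6Address -split '%')[0])
    if ($addr.AddressFamily -ne 'InterNetworkV6') { return $null }
    $b = $addr.GetAddressBytes()
    # The interface identifier must start with 00-00-5E-FE or 02-00-5E-FE
    $isIsatap = ($b[8] -eq 0x00 -or $b[8] -eq 0x02) -and
                $b[9] -eq 0x00 -and $b[10] -eq 0x5E -and $b[11] -eq 0xFE
    if (-not $isIsatap) { return $null }
    [byte[]]$v4 = $b[12..15]
    return (New-Object System.Net.IPAddress (,$v4)).ToString()
}

# Constructed sample input: one private and one public (documentation-range) IPv4 address
'192.168.10.5', '203.0.113.10' | ForEach-Object { New-IsatapLinkLocalAddress $_ }

# Constructed sample input: two ISATAP addresses and one ordinary link-local address
'fe80::5efe:192.168.10.5%13', 'fe80::200:5efe:203.0.113.10', 'fe80::1c2d:3e4f:5a6b:7c8d' |
    ForEach-Object { [pscustomobject]@{ Address = $_; EmbeddedIPv4 = Get-IsatapEmbeddedIPv4 $_ } }
```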
In Windows Server 2012, you can use the Get-NetIPInterface cmdlet to list the interfaces on the computer (the command output has been truncated for display reasons):
PS C:\> Get-NetIPInterface -AddressFamily IPv6

ifIndex InterfaceAlias                  NlMtu(Bytes) InterfaceMetric ConnectionState
------- --------------                  ------------ --------------- ---------------
12      Ethernet                                1500               5 Connected
14      Teredo Tunneling Pseudo-Inte...         1280              50 Disconnected
13      isatap.{DD59BFFD-706A-4685-9...         1280              50 Disconnected
1       Loopback Pseudo-Interface 1       4294967295              50 Connected
From the preceding output, you can see that the index number of the ISATAP interface is 13, which allows you to display more detailed information about the interface as follows:
PS C:\> Get-NetIPInterface -AddressFamily IPv6 -ifIndex 13 | fl

InterfaceIndex                  : 13
InterfaceAlias                  : isatap.{DD59BFFD-706A-4685-9073-647788046335}
AddressFamily                   : IPv6
Forwarding                      : Disabled
Advertising                     : Disabled
NlMtu(Bytes)                    : 1280
AutomaticMetric                 : Enabled
InterfaceMetric                 : 50
NeighborDiscoverySupported      : Yes
NeighborUnreachabilityDetection : Disabled
BaseReachableTime(ms)           : 30000
ReachableTime(ms)               : 23000
RetransmitTime(ms)              : 1000
DadTransmits                    : 0
RouterDiscovery                 : Enabled
ManagedAddressConfiguration     : Disabled
OtherStatefulConfiguration      : Disabled
WeakHostSend                    : Disabled
WeakHostReceive                 : Disabled
IgnoreDefaultRoutes             : Disabled
AdvertisedRouterLifetime        : 00:30:00
AdvertiseDefaultRoute           : Disabled
CurrentHopLimit                 : 0
ForceArpNdWolPattern            : Disabled
DirectedMacWolPattern           : Disabled
EcnMarking                      : AppDecide
Dhcp                            : Disabled
ConnectionState                 : Disconnected
PolicyStore                     : ActiveStore
ISATAP components
As shown in Figure 6-14, an ISATAP infrastructure includes the following components:
- ISATAP subnets An ISATAP subnet is a portion of an IPv4-only network on which ISATAP will be used for IPv6-over-IPv4 tunneling.
- ISATAP hosts An ISATAP host has an ISATAP tunneling interface, which it can use to communicate with other ISATAP hosts on the same ISATAP subnet. Windows computers can function as ISATAP hosts using either link-local, unique-local, or global ISATAP addresses.
- ISATAP routers An ISATAP router is used to enable communication between ISATAP hosts on an ISATAP subnet and IPv6 hosts on an IPv6-capable network. Computers running Windows Server 2012 can function as ISATAP routers by configuring their LAN interfaces with appropriate IPv6 addresses, routes, and other settings.
Figure 6-14 The components of an ISATAP deployment.
You can configure a Windows computer to use an ISATAP router in the following ways:
- By using Group Policy as shown in Figure 6-15
- By using the Set-NetIsatapConfiguration cmdlet
- By using the Netsh interface isatap set router command
Figure 6-15 Group Policy settings for IPv6 transition technologies.
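The two command-line methods listed above, shown as an added example that is not part of the original lesson. The router name isatap.corp.example is a hypothetical placeholder, and the commands are assumed to run in an elevated Windows PowerShell session on Windows Server 2012.

```powershell
# Added example. 'isatap.corp.example' is a hypothetical router name.

# Review the current ISATAP state and router before changing anything
Get-NetIsatapConfiguration | Format-List State, Router

# Method 1: the Set-NetIsatapConfiguration cmdlet
Set-NetIsatapConfiguration -Router 'isatap.corp.example'

# Method 2: the equivalent Netsh command
netsh interface isatap set router isatap.corp.example

# Confirm the router setting and check the state of the ISATAP tunnel interface
Get-NetIsatapConfiguration | Format-List State, Router
Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object InterfaceAlias -like 'isatap*' |
    Format-Table ifIndex, InterfaceAlias, ConnectionState

# On computers that are not meant to use ISATAP, turn the tunnel interface off
Set-NetIsatapConfiguration -State Disabled
```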
Lesson summary
- Windows uses a dual IP layer TCP/IP stack that supports both IPv4 and IPv6 communications.
- IPv6 is enabled by default and cannot be uninstalled, but you can selectively disable different types of IPv6 interfaces and capabilities by editing the registry.
- IPv6 addresses can be unicast, multicast, or anycast. Unicast addresses include global, link-local, unique-local, special, and transition addresses.
- The type of an IPv6 address can often be determined by its prefix.
- IPv6 addresses can be assigned manually or by using stateless or stateful address autoconfiguration.
- Windows Server 2012 can be configured as a stateless or stateful DHCPv6 server.
- Windows includes several IPv6 transition technologies, including ISATAP, 6to4, and Teredo. Windows also includes several traffic-translation technologies, including NAT64, DNS64, and PortProxy.
- The components of an ISATAP deployment include ISATAP subnets, ISATAP hosts, and ISATAP routers. Windows computers can be ISATAP hosts, and Windows Server 2012 can be configured as an ISATAP router.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
1. Which of the following is not true about IPv6 on Windows Server 2012?
   A. Windows Server 2012 has a dual IP layer TCP/IP stack that supports both IPv4 and IPv6.
   B. IPv6 can be disabled on all interfaces by editing the registry on a Windows Server 2012 computer.
   C. Windows Server 2012 can be used as a DHCPv6 server for stateless address autoconfiguration.
   D. Windows Server 2012 can be used as an ISATAP router.
2. The IPv6 address assigned to an interface has a prefix identifier of FE80::/64. What type of address is it?
   A. Global address
   B. Unique-local address
   C. Link-local address
   D. Multicast address
3. Which Windows PowerShell cmdlet can be used to display the address information for an interface?
   A. Ipconfig
   B. Get-NetAdapter
   C. Get-NetIPAddress
   D. Get-NetIPInterface
4. What do you need to do or use for Windows computers on an IPv4-only network to be able to communicate with Windows computers on a different network that is IPv6-capable?
   A. You need to do nothing because Windows computers automatically assign IPv6 addresses to their LAN interfaces using stateless address autoconfiguration.
   B. You need to deploy Windows Server 2012 as an ISATAP router and use it to forward traffic between the IPv4-only and IPv6-capable networks.
   C. You need to deploy Windows Server 2012 as a Teredo server and use it to forward traffic between the IPv4-only and IPv6-capable networks.
   D. You need to deploy Windows Server 2012 as a DHCPv6 server and use it to assign global IPv6 addresses to the computers on the IPv4-only network.