Hey y’all, Mark back with a new topic we haven’t really talked about much here on the blog: IPv6. When I go onsite with customers I tend to have two discussions over and over again. First, RPC ports and firewalls. Ned Pyle has taken care of that one here and here. The second, IPv6. The point of this post is not the deep technical detail of how it all works; the point is to mirror the on-site discussions I have every other week, and it is geared toward the Windows/System Administrator. Ray Zabilla and I have more posts planned on some basics and how it all works in the coming weeks. If this is a topic of interest we can keep going from there and go really in depth on some of the transition technologies and even how to roll your own lab. Please let us know in the comments! Now on to the glimpse of the on-site discussions.
“Who cares about IPv6? We got IPv4 working and it’s working just fine.”
I bet you do. It’s the same logic as “who cares about 64-bit computing, we have 32-bit”. Do you want to make that claim as well? On February 3, 2011, the Internet Corporation for Assigned Names and Numbers (ICANN) joined the Number Resource Organization (NRO), the Internet Architecture Board (IAB) and the Internet Society to announce that the pool of public Internet Protocol version 4 (IPv4) addresses has now been completely allocated.
On 14 September 2012, the RIPE NCC began to allocate IPv4 address space from the last /8 of IPv4 address space it holds. IPv4 address space is now allocated according to section 5.6 of the IPv4 Address Allocation and Assignment Policies for the RIPE NCC service region. The IPv4 pools of the RIRs (Regional Internet Registries) are nearly exhausted (see RIPE NCC IPv4 Available Pool). Shortly thereafter the ISPs will exhaust their pools. It is at this point that customers will be impacted by the exhaustion, because there will not be any IPv4 addresses available to give them. They are all gone. Donezo.
Also there are several limitations of IPv4. I’m not saying you need to roll out IPv6 tomorrow, but let’s not do things that will make the transition hard in the future.
“IPv4 Limitations? Like what?”
Well for starters we are out of addresses as said above. Chances are you are getting MORE internet connected devices, not fewer. But let’s assume you are lucky enough to have an entire class A or B address to yourself and you don’t need more addresses for the foreseeable future. Do you need IP level security or will you need that in the future? I’m guessing so. IPSec is optional in IPv4 but has been a standard in IPv6 from day one, which makes IPSec consistent across vendor implementations. What about Quality of Service (QoS)? IPv4 can do that by using the Type of Service (TOS) field, but it doesn’t work when the packet is encrypted. So hopefully you don’t want both SECURITY and QoS at the same time. It’s getting harder and harder to force IPv4 to do what is easily accomplished in IPv6.
“We got NAT working right now so it’s fine”
That’s a whole other ball of wax. NAT adds complexity to the network, which can make troubleshooting issues even harder, and not every application works with NAT because the client doesn’t have a “real” IP address. Making IPSec work with NAT is also a challenge. NAT can solve some problems but it can also introduce some others. It’s probably not sustainable for the long haul.
“Hmmm all this sounds like you should talk to the Network Team about this, they are up the hall. This is not my problem”
Alright we’ve arrived at the core of this argument. It is ABSOLUTELY your problem. If you’ve never had to troubleshoot a server not being able to connect to another server, it must be your first day on the job. Connectivity troubleshooting is a critical tool in your troubleshooting bag. If it’s not, add it immediately; you’re welcome. Being able to understand an IPv6 address and what it all means will be helpful and in reality a necessity in the future. I’ve had customers where the network team is “testing” IPv6 and the client now starts receiving this “mystery address”. Is that normal? Is it working like it’s supposed to? Am I on the right network? All these questions can be answered today with an IPv4 address, so why would you NOT answer them just because the address looks different? Not having a basic understanding of IPv4 today is unthinkable; having IPv6 skills will not only put you ahead of the curve today, it will also set you up for the future. Real life example coming up here shortly.
“Yea but still, I hear IPv6 screws stuff up that’s why I disable it like so”
Of course you have. First off, I’ve yet to hear what IPv6 “screws up”. Second, this isn’t disabling IPv6, this is unbinding it from the network adapter. If your goal is to disable IPv6 on the system, you have not done so. It is still running on your system. If you need to re-check that box there is NO PROGRAMMATIC WAY** (see bottom of page) to do so. So if you’ve gone ahead and built that uncheck into your image and you do need IPv6 on that network adapter, you’ll need to log into EVERY MACHINE AND RE-CHECK IT. Oh how fun that will be. If you do need to disable it, follow KB 929852 using the DisabledComponents registry key. I recommend not disabling it, but if you absolutely must, use a GPO so you can easily undo this in the future. As stated in the KB, if you do use the DisabledComponents registry key that checkbox will still be checked. That is expected behavior.
“This is all great in theory but does this actually happen in the real world?”
We here at AskPFEPlat have a unique perspective: by spending so much time in front of so many customers we get to see what does happen in the real world. Recently Ray was assisting one of our large enterprise customers in their migration from Windows Server 2003 Active Directory to Windows Server 2008 R2. They had just installed a few 2008 R2 domain controllers and shortly thereafter Ray received a call from one of the company’s AD architects asking him to explain why he was getting IPv6 addresses in response to his “ping” on the 2008 R2 domain controllers. Further, why were there two IPv6 addresses assigned? And why did one address always begin with FEC0 and the other with 2002? What addresses are being registered in DNS?
Now at this particular customer most of the IT support and administration, including Active Directory, has been outsourced to a third-party vendor. So Ray had a meeting with the customer’s in-house AD staff and several members of the third-party outsourcer’s AD staff. One of the members from the third-party AD support staff announced that this had an easy fix: they would simply uncheck the IPv6 protocol box on the network adapter settings to disable IPv6 and the problems would be resolved.
See the real life problem? Face palm! If a vendor is telling you to disable IPv6 to “fix an issue” or “has seen it cause problems”, push back a bit and ask them what it is actually fixing or what problems it is causing. Have them be specific. It’s time to stop letting IPv6 be this great mystery of the universe.
“Ok I’m coming around a bit. What is Microsoft’s stance on IPv6?”
I’ll let the official documentation do the talking on this one. Short answer: Leave it on. Original can be found at IPv6 For Microsoft Windows: FAQ.
“It is unfortunate that some organizations disable IPv6 on their computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6 based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.
From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.
Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.”
“What Microsoft products support IPv6?”
Get the official list here. It is a lot.
“Anything else I should know?”
A quote from the Foreword of Understanding IPv6 – Third Edition sums it up very well.
“In the past 24 months, we’ve made immense progress toward the goal of upgrading the Internet. IPv6 is no longer the next-generation Internet Protocol; it has become the now-generation Internet Protocol.
The World IPv6 Launch in June 2012 marked a key turning point in this transition. When you read this book, some of the most important web services in the world, not only from Microsoft but from across the technology community, are operational on the IPv6 Internet. Millions of users with IPv6-ready computers are using IPv6 to interact with these services and with one another. The apps, the operating systems, the routing infrastructure, the ISPs, and the services are not merely ready, they’re activated.”
IPv6 Program Manager
Ok hopefully by this point in the post you’ve come around fully on IPv6 and are ready to dive in. The point of this is that IPv6 is not coming, it is here now. IPv4 is in fact the legacy technology. In our next post we’ll get into more of the innards and making sense of it all. Don’t worry, it’s not that scary. As always let us know what you think in the comments.
-Mark “IPv6 Ready” Morowczynski and Ray “IPv6 Ready” Zabilla
Update (6/17/13 5:00 PM CST). One of our readers, MVP Richard Hicks, points out in the comments that there is a way to do this using PowerShell: Set-NetAdapterBinding -Name MyAdapter -DisplayName "Internet Protocol Version 6 (TCP/IPv6)" -Enabled $true. This is correct but will only work in Windows 8/2012. For more info on this command check here.
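To tell the two states discussed above apart on a given machine (the IPv6 box unchecked on an adapter versus IPv6 disabled through DisabledComponents), here is a read-only audit, added as an example and not part of the original post or KB 929852. It assumes Windows 8/2012 or later for the NetAdapter cmdlets; the registry path, the ms_tcpip6 component ID and the per-bit meanings are not on this page and are taken from Microsoft's documentation of this setting.

```powershell
# Added example (read-only): compare the adapter checkbox state with the
# DisabledComponents registry value. Needs Windows 8 / Server 2012 or later.

# Bit meanings Microsoft documents for DisabledComponents (assumed here).
$flags = [ordered]@{
    0x01 = 'all tunnel interfaces disabled'
    0x02 = '6to4 disabled'
    0x04 = 'ISATAP disabled'
    0x08 = 'Teredo disabled'
    0x10 = 'native (non-tunnel) interfaces disabled'
    0x20 = 'IPv4 preferred over IPv6'
}

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$prop = Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue

# Value absent means the default (0). Only the low byte carries the flags,
# so masking also copes with a stored 0xFFFFFFFF, which reads back as -1.
$value = if ($prop) { $prop.DisabledComponents -band 0xFF } else { 0 }

$effects = @($flags.GetEnumerator() | Where-Object { $value -band $_.Key } |
    ForEach-Object { $_.Value })
if ($effects.Count -eq 0) { $effects = @('nothing disabled by registry') }

$nativeOff = [bool]($value -band 0x10)

Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {
    $note = if (-not $_.Enabled -and -not $nativeOff) {
        'checkbox cleared only: unbound from this adapter, IPv6 still running'
    } elseif ($_.Enabled -and $nativeOff) {
        'disabled by registry; checkbox stays checked (expected)'
    } elseif (-not $_.Enabled) {
        'unbound and disabled by registry'
    } else {
        'bound and enabled (default)'
    }
    [pscustomobject]@{
        Adapter            = $_.Name
        IPv6Bound          = $_.Enabled
        DisabledComponents = '0x{0:X2}' -f $value
        RegistryEffect     = $effects -join '; '
        Note               = $note
    }
} | Format-Table -AutoSize -Wrap

# To re-check the box on one adapter (cmdlet from the update above):
# Set-NetAdapterBinding -Name '<adapter>' -ComponentID ms_tcpip6 -Enabled $true
```

Run it from an elevated prompt; an adapter reported as "checkbox cleared only" is the image-baked uncheck described earlier and is the one that needs the binding restored.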
Part 2 of this series can be found here.
Part 3 of this series can be found here.