Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
November 06, 2009

Supporting IPv6 in Your Windows Server 2008 Environment

Understand common migration and transition scenarios

In my previous three IPv6 articles—"The Inevitability of IPv6, Part 1," "The Inevitability of IPv6, Part 2," and "Managing Your Migration and Transition from IPv4 to IPv6"—I introduced you to the fundamentals of IPv6, described various aspects of its use in Windows and non-Windows environments, and discussed migration and transition technologies.

Now, with Windows Server 2008 in the picture, I want to focus on using the new server OS to support IPv6 in your environments, including how to use it in the common migration and transition scenarios. When Microsoft released Server 2008, the company made some changes to how IPv6 is supported to improve security and to ease migration and transition to IPv6. I'll cover those changes, too.

IPv6 changes in Server 2008
To better support IPv6 and improve security, Microsoft made some key changes to common features and to the OS itself. The two most obvious changes are the addition of Dynamic Host Configuration Protocol for IPv6 (DHCPv6), and improved support for IPv6 addresses in DNS, particularly for the registration and display of IPv6 addresses. But two other changes are of significant note.

The first is that Server 2008, by default, won't assign an address to its Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) interface if no ISATAP router is available. Server 2008 decides that no ISATAP router is available when the host name ISATAP can't be resolved through the standard means: DNS queries, Hosts file lookup, and name broadcast. This security feature prevents nodes that have ISATAP interfaces from reaching Server 2008 with IPv6 packets encapsulated in IPv4 packets, which could otherwise bypass router Access Control Lists (ACLs) and firewalls that filter only on the outer IPv4 header. The theory is that if the host name ISATAP can be resolved, the network administrator intends to permit IPv6 connectivity through encapsulation of IPv6 in IPv4 packets. If you need to enable the ISATAP interface when no ISATAP router is available (say, to support IPv6-only applications), you can manually enable the interface and force Server 2008 to accept incoming encapsulated traffic by typing the command

netsh interface ipv6 isatap set state enabled
Note that all other versions of Windows that support IPv6 (Windows Vista, Windows XP, and Windows Server 2003) assign an address to the ISATAP interface even when the host name ISATAP can't be resolved, and that interface can be used to communicate with other ISATAP-enabled hosts.

The second noteworthy change in Server 2008 is also related to ISATAP. If you create an A record for the host name ISATAP in a DNS zone on a Server 2008-based DNS server, the DNS server won't answer queries for that name by default. This feature, also security-related, prevents a user from inadvertently (or maliciously) starting a machine called ISATAP and having an A record for it dynamically registered in DNS, where it can then be resolved. A machine with the name ISATAP is presumed to be an ISATAP router, and every ISATAP-capable node will attempt to communicate with it, via encapsulation of IPv6 packets in IPv4 packets, to request an IPv6 prefix through router solicitation. If the machine named ISATAP responds with an IPv6 address prefix, it becomes the default router for all of those nodes' IPv6 traffic, allowing whoever controls that machine to intercept it.
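The following script, an added example rather than code from the article, shows how to check on a Server 2008 host whether the name ISATAP resolves, what state the ISATAP interface is in, and whether it has picked up an ISATAP address, before you decide to force the interface on. It assumes an elevated PowerShell 2.0 prompt; netsh.exe does the real work, and the router name isatap-router.corp.example is a placeholder.

```powershell
# Added example (not from the article): audit the ISATAP state of a Windows
# Server 2008 host before deciding whether to force the interface on.
# Assumptions: elevated PowerShell 2.0 prompt (for try/catch); netsh.exe is the
# configuration tool, PowerShell only wraps it; isatap-router.corp.example is a
# placeholder for your own ISATAP router.

function Test-IsatapRouterName {
    # Approximates the resolution Server 2008 performs for the name ISATAP:
    # the Windows resolver consults the Hosts file, DNS (with suffix search)
    # and NetBIOS/LLMNR. Returns $true if any address comes back.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses('isatap')
        return ($addrs.Count -gt 0)
    } catch {
        return $false   # SocketException: host not found
    }
}

function Get-IsatapAddresses {
    # ISATAP interface identifiers embed the IPv4 address after ::5efe:
    # (fe80::5efe:a.b.c.d link-local, prefix::5efe:a.b.c.d global), so any
    # line of 'show addresses' containing 5efe is an ISATAP address.
    netsh interface ipv6 show addresses | Select-String -Pattern '5efe'
}

$resolves = Test-IsatapRouterName
Write-Host "Host name ISATAP resolves: $resolves"
Write-Host "If this is False, Server 2008 leaves the ISATAP interface without an address."

Write-Host "--- ISATAP state and configured router (netsh) ---"
netsh interface ipv6 isatap show state
netsh interface ipv6 isatap show router

Write-Host "--- ISATAP addresses currently assigned ---"
$isatapAddrs = Get-IsatapAddresses
if ($isatapAddrs) { $isatapAddrs } else { Write-Host "(none)" }

# Only if you deliberately want IPv6-in-IPv4 traffic accepted with no ISATAP
# router present (for example, IPv6-only applications), force the interface
# on. Remove the leading '#' to apply; this is the change the article describes.
# netsh interface ipv6 isatap set state enabled

# If a router exists but is not named ISATAP, point the host at it explicitly
# instead of enabling the interface blindly.
# netsh interface ipv6 isatap set router isatap-router.corp.example
```

Run the script first with the two netsh set commands commented out; if the name doesn't resolve and no 5efe address appears, the host is behaving as the article describes, and enabling the interface is a deliberate decision to accept encapsulated traffic that your IPv4 ACLs may not see.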

If you want to use ISATAP as part of your migration and transition strategy, and you've installed and configured an ISATAP router, you can enable Server 2008-based DNS to answer queries for the host name ISATAP by editing the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\GlobalQueryBlockList. This entry is a multi-string value (REG_MULTI_SZ) that by default contains two names: isatap and wpad. Leave wpad in place; it blocks the same kind of attack against Web Proxy Auto-Discovery, where a rogue host named WPAD can hand clients a proxy configuration that routes their web traffic through itself. Remove only the isatap entry and restart the DNS Server service. You'll need to make this change on every DNS server that hosts the zone(s) in which the name ISATAP is defined, because the block list is a per-server setting, not a zone setting. You can also use the Dnscmd command line utility. For more information about configuring the global query block list, including how to use Dnscmd to manage it, see the Microsoft article "DNS Server Global Query Block List."
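The following script, added here as an example and not taken from the article, walks through the Dnscmd route on a Server 2008 DNS server: inspect the block list, drop isatap while keeping wpad, register the ISATAP router's A record, and confirm the server now answers. It assumes an elevated prompt on the DNS server with the DNS Server role installed; the zone name corp.example and router address 10.0.0.5 are placeholders.

```powershell
# Added example (not from the article): open the DNS Server global query block
# list for ISATAP on a Windows Server 2008 DNS server using dnscmd.exe.
# Assumptions: elevated prompt on the DNS server itself, DNS Server role
# installed (dnscmd.exe present); corp.example and 10.0.0.5 are placeholders
# for your zone and your ISATAP router's IPv4 address.

$zone   = 'corp.example'
$router = '10.0.0.5'

Write-Host "--- Block list before the change (default: wpad, isatap) ---"
dnscmd /info /globalqueryblocklist

# /config /globalqueryblocklist REPLACES the whole list with the names given,
# so listing only wpad removes isatap while keeping WPAD protection. The list
# is server-wide (all zones on this server), and dnscmd changes take effect
# without a service restart; a registry edit would need one.
dnscmd /config /globalqueryblocklist wpad

Write-Host "--- Block list after the change ---"
dnscmd /info /globalqueryblocklist

# Register the ISATAP router statically. A static record means a rogue host
# that registers the name dynamically cannot overwrite it without rights to
# this record, which is the situation the block list exists to prevent.
dnscmd /recordadd $zone isatap A $router

# Verify against this server: before the list change the query failed even
# though the record existed; afterwards it returns $router.
nslookup "isatap.$zone" 127.0.0.1

# The same setting as seen in the registry (REG_MULTI_SZ). Shown for
# comparison only; if you edit it here instead of via dnscmd, restart the
# DNS Server service: Restart-Service DNS
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -Name GlobalQueryBlockList
```

Repeat the dnscmd steps on every DNS server that hosts the zone, since the block list is not replicated with the zone data. If you ever need to put the default back, `dnscmd /config /globalqueryblocklist wpad isatap` restores both names.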

 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement