Direct Access 2012 - Active Directory Site subnet for IPHTTPS

    Question

  • Hi

    Has anyone had any experience with creating the AD site for Direct Access clients? I've been trying to decipher the below with no luck. I've tried adding what I thought was the IPv6 subnet address but when I run the command

    nltest /server:HOSTNAME /dsgetsite

    It returns

    Getting DC name failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE

    Which indicates the site is not created for that host.

    My ISATAP address is:

    Connection-specific DNS Suffix  . :
    IPv6 Address. . . . . . . . . . . : fdd8:97cb:56a6:1:0:5efe:172.16.0.20
    Link-local IPv6 Address . . . . . : fe80::5efe:172.16.0.20%14

    I'll be grateful for any help!

    Active Directory Sites and Services configuration

    When you are using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) and your Windows-based ISATAP hosts obtain an ISATAP-based IPv6 address, they begin to use ISATAP-encapsulated traffic to communicate if the destination is also an ISATAP host. Because ISATAP uses a single 64-bit subnet for your entire intranet, your communication goes from a segmented, multi-subnet Internet Protocol version 4 (IPv4) communication model to a flat, single-subnet communication model with IPv6. This can affect the behavior of Active Directory Domain Services (AD DS) and other applications that rely on your Active Directory Sites and Services configuration. For example, if you used the Active Directory Sites and Services snap-in to configure sites, IPv4-based subnets, and inter-site transports for forwarding of requests to servers within sites, this configuration is not used by ISATAP hosts.

    To configure Active Directory sites and services for forwarding within sites for ISATAP hosts, you have to configure an IPv6 subnet object equivalent to each IPv4 subnet object, in which the IPv6 address prefix for the subnet expresses the same range of ISATAP host addresses as the IPv4 subnet.

    For example, for the IPv4 subnet 192.168.99.0/24 and the 64-bit ISATAP address prefix 2002:836b:1:1::/64, the equivalent IPv6 address prefix for the IPv6 subnet object is 2002:836b:1:1:0:5efe:192.168.99.0/120. For an arbitrary IPv4 prefix length (set to 24 in the example), the corresponding IPv6 prefix length is 96 + IPv4PrefixLength.

    For the IPv6 addresses of DirectAccess clients, you should add the following:

    • An IPv6 subnet for the range 2001:0:WWXX:YYZZ::/64, in which WWXX:YYZZ is the colon-hexadecimal version of the first consecutive public IPv4 address (w.x.y.z) assigned to the Internet interface of the DirectAccess server. This IPv6 prefix is for Teredo-based DirectAccess clients.
    • If you have a native IPv6 infrastructure, an IPv6 subnet for the range 48-bitIntranetPrefix:5555::/64, in which 48-bitIntranetPrefix is the 48-bit native IPv6 prefix that is being used on your intranet. This IPv6 prefix is for Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)-based DirectAccess clients.
    • If you are using a 6to4-based IPv6 prefix on your intranet, an IPv6 subnet for the range 2002:WWXX:YYZZ:2::/64, in which WWXX:YYZZ is the colon-hexadecimal version of the first consecutive public IPv4 address (w.x.y.z) assigned to the Internet interface of the DirectAccess server. This IPv6 prefix is for IP-HTTPS-based DirectAccess clients.
    • A series of 6to4-based IPv6 prefixes that begin with 2002: and represent the regional, public IPv4 address prefixes that are administered by Internet Assigned Numbers Authority (IANA) and regional registries. The 6to4-based prefix for a public IPv4 address prefix w.x.y.z/n is 2002:WWXX:YYZZ::/[16+n], in which WWXX:YYZZ is the colon-hexadecimal version of w.x.y.z. For example, the 7.0.0.0/8 range is administered by American Registry for Internet Numbers (ARIN) for North America. The corresponding 6to4-based prefix for this public IPv6 address range is 2002:700::/24. For information about the IPv4 public address space, see IANA IPv4 Address Space Registry (http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml). These IPv6 prefixes are for 6to4-based DirectAccess clients.
    Monday, March 25, 2013 2:23 PM
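    The quoted guidance describes four pieces of prefix arithmetic (the ISATAP-equivalent subnet, the Teredo client prefix, the IP-HTTPS client prefix for 6to4 or native intranets, and the 6to4 prefixes for public IPv4 ranges). The script below, an added example that is not part of the thread and not Microsoft's code, carries each of them out with Python's ipaddress module and emits the matching New-ADReplicationSubnet commands from the ActiveDirectory PowerShell module. All input values (203.0.113.5 as the DirectAccess server's public address, the site name, the subnets) are constructed for illustration; the ISATAP prefix is emitted in the mixed notation the guidance uses.

```python
"""Derive the IPv6 subnet objects that the quoted guidance says to create in
Active Directory Sites and Services for ISATAP hosts and DirectAccess clients.

Added example, not code from the thread or from Microsoft. All sample inputs
are constructed (203.0.113.5 is a documentation-range address).
"""
from __future__ import annotations

import ipaddress


def _hextets(ipv4: str) -> tuple[str, str]:
    """Return the WWXX and YYZZ hextets (leading zeros dropped) of w.x.y.z."""
    w, x, y, z = ipaddress.IPv4Address(ipv4).packed
    return f"{(w << 8) | x:x}", f"{(y << 8) | z:x}"


def _canonical(prefix: str) -> str:
    """Normalise a prefix through ipaddress; strict=True rejects set host bits."""
    return str(ipaddress.IPv6Network(prefix, strict=True))


def isatap_subnet(isatap_prefix: str, ipv4_subnet: str) -> str:
    """IPv6 subnet object equivalent to an IPv4 subnet for ISATAP hosts.

    ISATAP hosts embed their IPv4 address behind ::0:5efe inside a single /64,
    so the equivalent prefix is <isatap /64>:0:5efe:<IPv4 network>/(96 + n).
    """
    net6 = ipaddress.IPv6Network(isatap_prefix, strict=False)
    if net6.prefixlen != 64:
        raise ValueError("ISATAP prefix must be a /64")
    net4 = ipaddress.IPv4Network(ipv4_subnet, strict=False)
    # First four hextets of the /64 with leading zeros dropped ("0001" -> "1").
    high = ":".join(f"{int(h, 16):x}"
                    for h in net6.network_address.exploded.split(":")[:4])
    result = f"{high}:0:5efe:{net4.network_address}/{96 + net4.prefixlen}"
    ipaddress.IPv6Network(result, strict=True)  # sanity check: no host bits set
    return result


def teredo_client_prefix(server_public_ipv4: str) -> str:
    """2001:0:WWXX:YYZZ::/64 for Teredo-based DirectAccess clients."""
    wwxx, yyzz = _hextets(server_public_ipv4)
    return _canonical(f"2001:0:{wwxx}:{yyzz}::/64")


def sixto4_iphttps_prefix(server_public_ipv4: str) -> str:
    """2002:WWXX:YYZZ:2::/64 for IP-HTTPS clients on a 6to4-based intranet."""
    wwxx, yyzz = _hextets(server_public_ipv4)
    return _canonical(f"2002:{wwxx}:{yyzz}:2::/64")


def native_iphttps_prefix(intranet_prefix48: str) -> str:
    """<48-bit intranet prefix>:5555::/64 for IP-HTTPS clients on native IPv6."""
    net = ipaddress.IPv6Network(intranet_prefix48, strict=False)
    if net.prefixlen != 48:
        raise ValueError("intranet prefix must be a /48")
    addr = int(net.network_address) | (0x5555 << 64)  # fourth hextet = 5555
    return str(ipaddress.IPv6Network((addr, 64)))


def sixto4_prefix_for_ipv4_range(ipv4_prefix: str) -> str:
    """2002:WWXX:YYZZ::/(16+n) for the public IPv4 range w.x.y.z/n."""
    net4 = ipaddress.IPv4Network(ipv4_prefix, strict=True)
    addr = (0x2002 << 112) | (int(net4.network_address) << 80)
    return str(ipaddress.IPv6Network((addr, 16 + net4.prefixlen)))


def directaccess_subnets(server_public_ipv4: str, isatap_prefix: str,
                         ipv4_subnets: list[str], intranet_prefix48: str | None = None,
                         public_ipv4_ranges: list[str] = ()) -> dict[str, str]:
    """Map each IPv6 prefix to create onto a short note of why it is needed."""
    subnets: dict[str, str] = {}
    for s in ipv4_subnets:
        subnets[isatap_subnet(isatap_prefix, s)] = f"ISATAP hosts on {s}"
    subnets[teredo_client_prefix(server_public_ipv4)] = "Teredo DirectAccess clients"
    if intranet_prefix48:  # native IPv6 intranet
        subnets[native_iphttps_prefix(intranet_prefix48)] = "IP-HTTPS clients (native IPv6)"
    else:                  # 6to4-based intranet prefix
        subnets[sixto4_iphttps_prefix(server_public_ipv4)] = "IP-HTTPS clients (6to4)"
    for r in public_ipv4_ranges:
        subnets[sixto4_prefix_for_ipv4_range(r)] = f"6to4 clients from public range {r}"
    return subnets


def new_subnet_commands(site: str, subnets: dict[str, str]) -> list[str]:
    """Emit one New-ADReplicationSubnet command per prefix for the given AD site."""
    return [f'New-ADReplicationSubnet -Name "{prefix}" -Site "{site}"  # {why}'
            for prefix, why in subnets.items()]


if __name__ == "__main__":
    demo = directaccess_subnets("203.0.113.5", "2002:836b:1:1::/64",
                                ["192.168.99.0/24"], public_ipv4_ranges=["7.0.0.0/8"])
    for cmd in new_subnet_commands("Default-First-Site-Name", demo):
        print(cmd)
```

Run the script to see the commands for the constructed inputs; substituting the thread's own values (the ISATAP prefix fdd8:97cb:56a6:1::/64 and a DirectAccess server address) gives the prefixes to compare against whatever subnet objects already exist in the site, which is the first thing to check when nltest /dsgetsite still reports no site.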

All replies

  • Hi,

    Based on your pasted information, the IP subnet you should add is fdd8:97cb:56a6:1::/64


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Monday, March 25, 2013 7:27 PM
  • Hi Jonas

    Thanks for your prompt response, I have added the IP subnet you suggested but when I run the command nltest/server:HOSTNAME /dsgetsite I still get the same error.

    As the clients have 2 interfaces (IPHTTPS interface and Teredo Tunneling interface) would I need to add an additional subnet for the Teredo subnet?

    As stated in the MS article above the Teredo address starts 2001:0:, so if the DA server IPv4 address is 172.168.0.20 converted to IPv6 is 0:0:0:0:0:ffff:aca8:14

    So based on the above the Teredo subnet should be
    2001:0:aca8:14::/64

    Is that correct?


    Tuesday, March 26, 2013 9:00 AM
  • Hi, did you get this working?

    Also, if you do not use ISATAP do you actually need to define IPv6 sites?


    Tuesday, March 26, 2013 11:08 AM
  • If I run the command nltest /server:HOSTNAME /dsgetsite it still errors so no, it's not working...

    The clients have IPv6 addresses so they need an AD site created, just not sure what the subnet IDs are...

    Tuesday, March 26, 2013 11:11 AM
  • Hi again,

    It should simply be that the IPv6 range(s) that your clients are using on their interfaces (IPHTTPS, Teredo, 6to4) are added to the correct AD Site.
    With IPv6 the smallest subnet that you should add is a /64.
    The thing with Windows Server 2012 DA setups is that they use different ranges based on how you have designed your setup.

    (I normally run "nlsget /dsgetdc:" which will show you additional information compared to the command you're running, but I tested your command on my client earlier today without any problems..)

    One thing though, why do you want to add them to a "new" AD site and not the AD site where your DA endpoint is placed?


    Jonas Blom | Relevo AB | http://blog.nrpt.se

    Tuesday, March 26, 2013 8:32 PM
  • On the point regarding a new site, I am adding this subnet to the endpoint already not creating a new site. I'll try this again when I'm back in the office on Wednesday...

    Thursday, March 28, 2013 8:22 AM