DirectAccess - IPv6 Domain Controller connectivity question

  • Question

  • Good afternoon,

    We're currently supporting an environment where we have 3 domain controllers (2008 R2) serving a single AD Site, all equally weighted.

    We have an NLB load-balanced IP-HTTPS only DirectAccess implementation where machines also contact the same three DCs.

    Someone in their infinite wisdom has decided to disable IPv6 on one of those domain controllers. I'm not sure why and there was no documented change to disable it.

    What would the expected impact of this be in instances where DA connected clients were to contact the single server with IPv6 off?

    I believe this was a contributing factor to us having issues with Teredo connections originally, as I can see an IPv6-enabled DC is required as a minimum: https://technet.microsoft.com/en-us/library/ee382305(v=ws.10).aspx

    The question I have however is with IP-HTTPS connections. Would clients simply fail over to the other 2 DCs that do have IPv6 enabled or would all manner of oddness occur? Specifically I'm wondering if group policies might encounter difficulties being processed?

    On one of our client machines the following was noted:

    The processing of Group Policy failed. Windows attempted to read the file \\xxx.xxx.xxx.xxx\sysvol\xxx.xxx.xxx.xxx\Policies\{3XX2XXX0-016D-11D2-94XF-00CXXFB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
    a) Name Resolution/Network Connectivity to the current domain controller. 
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
    c) The Distributed File System (DFS) client has been disabled.

    So just trying to troubleshoot and strengthen my case to turn IPv6 back on on the DC in question.

    Thanks for your time!


    Tuesday, March 3, 2015 12:05 PM

All replies

  • In theory it shouldn't matter, as the DA servers are talking with the DCs with IPv4 only. Unless you have deployed native IPv6 of course.

    But it is best practice and common sense to keep all DCs in the same configuration. If you strip away the DA problem you have, it would still be sound to make the one odd DC at the same level of configuration as the other ones.

    Wednesday, March 4, 2015 9:05 AM
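
To document which domain controller differs and how IPv6 was turned off, the IPv6 state of all three DCs can be compared side by side. This is an added example, not part of the original thread: the DC names are hypothetical placeholders, and it assumes the Remote Registry service and WMI are reachable on each DC from an account with administrative rights.

```powershell
# Added example. DC01..DC03 are placeholder names for the three DCs in the site.
$DomainControllers = 'DC01', 'DC02', 'DC03'

$report = foreach ($dc in $DomainControllers) {
    # 1) Registry switch: DisabledComponents under Tcpip6\Parameters.
    #    An absent value means the default (0, nothing disabled).
    $disabled = 'unreadable'
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
        $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters')
        if ($key) {
            $disabled = '0x{0:X}' -f $key.GetValue('DisabledComponents', 0)
        }
        $hklm.Close()
    } catch {
        Write-Warning "$dc : registry query failed: $($_.Exception.Message)"
    }

    # 2) Effective state: IPv6 addresses actually held by IP-enabled adapters.
    #    This also catches IPv6 being unbound from the adapter, which the
    #    registry value alone does not show.
    $v6 = @('unreadable')
    try {
        $v6 = @(Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $dc `
                    -Filter 'IPEnabled = TRUE' -ErrorAction Stop |
                ForEach-Object { $_.IPAddress } |
                Where-Object { $_ -like '*:*' })
    } catch {
        Write-Warning "$dc : WMI query failed: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        DC                 = $dc
        DisabledComponents = $disabled
        HasIPv6Address     = ($v6.Count -gt 0)
        IPv6Addresses      = ($v6 -join ', ')
    }
}

$report | Format-Table DC, DisabledComponents, HasIPv6Address, IPv6Addresses -AutoSize

# Flag configuration drift: every DC should report the same pair of values.
$groups = @($report | Group-Object DisabledComponents, HasIPv6Address)
if ($groups.Count -gt 1) {
    Write-Warning 'Domain controllers do not share the same IPv6 configuration.'
}
```

A DC that shows a non-zero `DisabledComponents` value or no IPv6 addresses while the other two show the defaults is the one that was changed, and the output gives a record to attach to the change request.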