IPv6 On 2012R2 Domain Controllers - Leave it Bound to the Interface or Not?

  • Question

  • Hello Community -

    Scenario:

    We are planning to replace our 2008R2 Domain Controllers with 2012R2 Domain Controllers

    We have a 2008R2 Forest Functional Level and a 2008R2 Domain functional level.  Everything is On-Premise.

    All current 2008R2 Domain Controllers have IPv6 unchecked in their Local Area Connection Properties dialog box, and IPv4 is selected. I understand that technically this means IPv6 is just unbound from that interface, and not really 'disabled'?  

    My question is whether we should continue to leave it unchecked on our new DCs, since we have no issues at the moment (or need), or if there is some compelling reason to leave it checked.  The last thing I want to do is to create any new issues. 

    I have read different forums and opinions on this, but I still don't feel that I have enough information to make a decision. Seems like this is a contested discussion point. I fully understand IPv6 is the future. But I also read an article where IPv6 did cause some problems. 

    Also of note, we use Linux BIND DNS Servers and do not use any Microsoft DNS Services. 

    So in Summary, I'm looking for an Expert opinion of why I should or should not enable the checkbox for it.  Is there really any detriment to leaving it off for now since that is how we are currently operating?  I can't think of any good reason to introduce this change with my new DC's unless it will hamper us in some way.

    Right now the template we have ready to go has this unchecked. 

    (Also we have Windows 10, 8.1, and 7 clients - 2010 Exchange etc)

    Thanks in Advance for all responses. 


    • Edited by Ken2020 Wednesday, May 24, 2017 7:36 PM
    Wednesday, May 24, 2017 7:34 PM

Answers

All replies

  • There are several opinions on disabling IPv6 or not. Some people believe it is no longer recommended to disable IPv6 while the rest are on the opposite side. I am not trying to repeat all those recommendations again, but I remember we had some problems in which, when we tracked them down, we reached a point where we thought disabling IPv6 would do the trick, and we found it correct: once we disabled it, the problems were solved. I cannot recall correctly what the problem was. So sorry about that.

    Another point is, AD works with site and subnets to locate client and DC's. So when there are no IPv6 subnets in AD, why should I bother myself to deal with IPv6 when it is not even usable? Besides, I knew that IPv6 is a future protocol but since the organization had no plan in upgrading to using IPv6, we were safe to disable it.


    After all, these are just my personal opinions; there might be people who are against this approach. Have you looked at the links below:


    Mahdi Tehrani | | www.mahditehrani.ir

    • Marked as answer by Ken2020 Tuesday, May 30, 2017 12:11 PM
    Wednesday, May 24, 2017 8:06 PM
    Moderator
  • I'd leave it enabled unless you have conflicts. A conflict could arise in the case you have a router or other device handing out public or non-domain IPv6 DNS information, which would thwart the premise of Active Directory's reliance on domain DNS. So if you did have an IPv6 DHCP server on the network, just make sure it hands out the correct domain DNS information or turn off the IPv6 DHCP server on that device.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, May 24, 2017 8:16 PM
  • Thanks Mahdi for that response. We pretty much share the same opinion. If I need to have it on, I really want to know why I need to have it on based on my environment. 

    Yes I have looked at those links as I have been scouring to find an answer to this question.

    Wednesday, May 24, 2017 8:17 PM
  • Thank you for your opinion, it is appreciated!

    That is part of my concern.  Having things out of my control cause an issue.

    If I have the IPv6 interface enabled, down the road if someone makes a mistake and puts a router or the like in the environment, then I may have conflicts or issues with AD and/or Exchange?  

    What happened to the premise of turning things off that you're not using, even from a security perspective?

    But the question still is why leave it on at all if you don't need it in your current environment?  Can't we just enable it later down the road if/when it would be needed?  


    • Edited by Ken2020 Wednesday, May 24, 2017 8:28 PM
    Wednesday, May 24, 2017 8:28 PM
  • If someone plugs in a rogue router you may end up with routing loops or the like regardless of IPv6. Some possible pros / cons here. If you don't use it then it should be fine to uncheck it on connection properties.

    http://ipv6.com/articles/nat/NAT-Pros-and-Cons.htm

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, May 24, 2017 8:36 PM
  • And then I read things like this that make you wonder. 

    But in my case, I would have never had it enabled to start with. 

    https://windorks.wordpress.com/2014/02/24/known-issues-with-disabling-or-unbinding-ipv6/

    Wednesday, May 24, 2017 8:48 PM
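
The thread turns on two checks: whether IPv6 is merely unbound from an adapter or disabled for the whole stack, and whether a device on the network is handing out non-domain IPv6 DNS servers. The read-only PowerShell audit below is an added example, not code from any poster; `$ExpectedDns` and its address are constructed placeholders.

```powershell
# Added example (not from the thread): read-only IPv6 audit for a 2012 R2 host.
# Assumption: $ExpectedDns is a constructed placeholder; replace it with the
# IPv6 addresses of your own domain DNS servers, or leave it empty if none exist.
$ExpectedDns = @('2001:db8::53')

# 1. Per-adapter binding: the state of the checkbox in the adapter properties.
$bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, Enabled

# 2. Stack-wide setting: absent or 0 means the IPv6 stack is at its default,
#    whatever the per-adapter checkbox says.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$prop = Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue
$disabledComponents = if ($prop) { $prop.DisabledComponents } else { 0 }

# 3. IPv6 DNS servers each interface currently uses. fec0:0:0:ffff::1-3 are the
#    Windows built-in defaults shown when nothing was configured or learned.
$unexpectedDns = Get-DnsClientServerAddress -AddressFamily IPv6 |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        $_.ServerAddresses |
            Where-Object { $_ -notlike 'fec0:0:0:ffff::*' -and $ExpectedDns -notcontains $_ } |
            ForEach-Object { [pscustomobject]@{ Interface = $alias; DnsServer = $_ } }
    }

# Report
'IPv6 binding per adapter:'
$bindings | Format-Table -AutoSize
'DisabledComponents: 0x{0:X}' -f $disabledComponents
if ($unexpectedDns) {
    'IPv6 DNS servers not in the expected list:'
    $unexpectedDns | Format-Table -AutoSize
} else {
    'No unexpected IPv6 DNS servers.'
}
```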