19 March 2012

Windows 2008 R2 obtains address via DHCP, but is configured with Static Address

We currently have 3 Windows servers in our organization:
  1. Legacy 2003 Domain Controller earmarked for retirement (not part of my IPv6 implementation).
  2. Windows 2008 R2 Domain Controller (FSMO Master)
  3. Windows 2008 R2 Application Server
Server #3 above recently had some interesting addressing issues with IPv6.

The servers are all statically addressed; the IP configuration window looks familiar to most people:
Despite the obvious selection of the "Use the following..." options in the screenshot here, this particular Windows box insisted on also obtaining a DHCPv6 lease from the router and on making its own autoconfiguration (SLAAC) address from the Router Advertisement (RA) the router was sending out.

So the box ended up with 3 Global Unicast IPv6 addresses:
  1. Statically configured address (the correct one)
  2. DHCPv6 assigned address (unwanted)
  3. IPv6 Auto Configuration address (unwanted)
Of course, Windows dynamically registered all 3 addresses in the Active Directory managed DNS zone, so the AAAA record set for the server resolved to all 3 addresses.

This raises a couple of issues, but mainly it affected my firewalling. I use husk internally to manage firewall rules; this means the vast majority of rules are written using the FQDN of hosts rather than their addresses (I will write a separate post about this). When applying firewall rules, the FQDN is resolved to an address, but only 1 rule is added. The problem with that is if the host has several addresses, a rule is only added for ONE of those addresses. You can try it yourself on a Linux machine:
iptables -A OUTPUT -d google.com -j ACCEPT
iptables -nvL OUTPUT
The above commands will show that one rule was added; ONE IP address for "google.com" was selected (effectively at random, for the purposes of this write-up) and the rule inserted for that 1 address.
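To show the gap this creates, here is an added example (not from the original post and not part of husk) of the approach a rule generator needs: resolve the name to every address it has and emit one rule per address, picking iptables or ip6tables by address family. The hostname `app01.example.com`, the address list and the chain name are all constructed for the example; the resolver step is replaced by an inline list so it runs offline, and rules are printed rather than executed so they can be reviewed before being piped to `sh` as root.

```shell
#!/bin/sh
# Added example: one firewall rule per resolved address, not one per hostname.
# In a real run SAMPLE_ADDRS would be replaced by the output of a resolver call
# such as `getent ahosts HOST | awk '{print $1}' | sort -u`.

# Constructed sample: what a resolver might return for a host that has one
# IPv4 address and three IPv6 addresses (static, DHCPv6 lease and SLAAC),
# exactly the situation described in the post.
SAMPLE_ADDRS='192.0.2.10
2001:db8:1::10
2001:db8:1:0:7c1d:2e55:ab10:9901
2001:db8:1::a1e4'

# Classify an address as IPv4 or IPv6 by its syntax; fail on anything else.
addr_family() {
    case "$1" in
        *:*)      echo 6 ;;
        *.*.*.*)  echo 4 ;;
        *)        return 1 ;;
    esac
}

# rules_for_host CHAIN HOSTNAME ADDRS
# Print one ACCEPT rule per address, dispatching to iptables or ip6tables.
# The comment match records which FQDN produced each rule, so a later audit
# of the live ruleset can tell the static address from the unwanted ones.
rules_for_host() {
    chain=$1; host=$2; addrs=$3
    for a in $addrs; do
        fam=$(addr_family "$a") || { echo "skipping unparsable address '$a' for $host" >&2; continue; }
        if [ "$fam" = 6 ]; then tool=ip6tables; else tool=iptables; fi
        printf '%s -A %s -d %s -m comment --comment "%s" -j ACCEPT\n' \
            "$tool" "$chain" "$a" "$host"
    done
    return 0
}

# Number of rules a host would get; useful as a sanity check before applying.
count_rules() { rules_for_host "$@" | wc -l | tr -d ' '; }

# Usage with the constructed sample: prints 1 iptables and 3 ip6tables rules.
rules_for_host OUTPUT app01.example.com "$SAMPLE_ADDRS"
```

Emitting a rule per address closes the immediate hole, but it also makes the unwanted DHCPv6 and SLAAC addresses part of the ruleset, which is why removing them on the Windows side (below) is the better fix.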

After some research and discussion on ServerFault, a colleague at a friend's work (a Windows guru) suggested manually disabling all the "automatic" stuff on the affected interface ("IDMZ Team" is the interface name as shown in Network Connections; substitute your own):
# This stops the SLAAC (autoconfiguration) address being added:
# with router discovery off, the interface ignores Router Advertisements.
netsh interface ipv6 set interface "IDMZ Team" routerdiscovery=disabled

# This stops the DHCPv6 lease being obtained and added:
# managedaddress=disabled ignores the RA "M" flag (no stateful address),
# otherstateful=disabled ignores the RA "O" flag (no DNS/other options).
netsh interface ipv6 set interface "IDMZ Team" managedaddress=disabled
netsh interface ipv6 set interface "IDMZ Team" otherstateful=disabled
Interestingly, I have not had to do this on the other Win2k8R2 server we have, and can't explain why I've had to on this machine.

Many thanks to @Holocryptic for assistance while tracking this issue down.
