You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

So, the time has come to retire our old Windows 2003 server. This box runs bookkeeping software (Exact Globe 2003, and BCS Delta), and is exclusively used internally by the administrative staff.

The first thought that came to mind: since we're running several Linux servers already on IPv6-only, would it be possible to run a Windows server also on IPv6?

While Windows Server 2012 has been released recently, we can not use it (yet), because the latest version of Windows that our current VMware setup (ESXi 4.1) supports as guest OS is Server 2008 R2.

So I'llgo for 2008 R2 and give it a shot.

Basic functions

IPv6-only VLAN

A dedicated VLAN was created for IPv6-only systems, so that building, testing and configuring would not interfere with any production networks. Configuring this VLAN with only IPv6 allows to use simpler IP Access Control Lists (ACLs), and start from scratch:

interface Vlan9
 description IPv6_only_Servers
 no ip address
 no ip proxy-arp
 ipv6 address 2001:610:148:BAD::1/64
 ipv6 nd prefix 2001:610:148:BAD::/64
 ipv6 traffic-filter ipv6_servers2_out in
 ipv6 traffic-filter ipv6_servers2_in out
end

I started out with IPv6 ACLs that disallow everything by default, and then open up specific things.

Addressing

Obviously, the first thing to do is to uncheck IPv4 in the interface configuration (smile)For IPv6 addressing I choose autoconfigured EUI64, no privacy extensions. The reason is that this is a server, and it will not be used for any web browsing activities. Static addresses also help configuring the (empty) IP ACLs. The idea is that during configuration and testing the IPv6 ACLs will be constructed, based on stuff that does not work. Eventually, when everything works, it might be an option to use privacy extensions.

Also, I disabled all tunnelling stuff (ISATAP, Teredo, etc). Combined script:

REM RFC 4941 privacy extensions (i.e. temporary address for outgoing connections)
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
 
REM Don't use random identifiers. This will result in EUI64 based adddresses
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

REM disable unused tunneling protocols
netsh interface ipv6 6to4 set state disabled
netsh interface ipv6 isatap set state disabled
netsh interface ipv6 set teredo disabled

 

DNS

The DNS server addresses are statically assigned, and are picked from the SURFnet DNSSEC-validating resolvers.

The "Register this connection's addresses in DNS" option has been deselected, because this causes DNS registration requests to go out, which we do not want. Eventually things look like this:

 

NTP

 

At the time of writing, the default time server that is used by Windows 2008 R2 to sync its clock, time.windows.com, unfortunately is not (yet) reachable over IPv6.

But again, SURFnet comes to the rescue, because several of their NTP servers are IPv6-enabled. I picked chime3.surfnet.nl, which, according to the web interface, appears to be a Meinberg NTP server. Windows seems to dig it:

 

 

 

 

  • No labels