DirectAccess uses IPv6 exclusively for communication between the DirectAccess client and server. The DNS64 and NAT64 services running on the DirectAccess server allow the client to connect to IPv4-only resources on the corporate network. Although no IPv6 knowledge is necessary to implement DirectAccess, it is most certainly required to support it going forward. A fundamental understanding of IPv6 is vital when it comes to troubleshooting DirectAccess connectivity issues, so learning IPv6 is critically important for the DirectAccess administrator.
To help you learn more about IPv6, here are three essential resources I think you will find helpful!
Understanding IPv6 (Joe Davies) – This is an excellent reference for the IPv6 protocol and should be on every DirectAccess administrator’s desk. This book provides detailed documentation and explanations for the IPv6 protocol including IPv6 transition protocols, which are commonly used with DirectAccess.
Practical IPv6 for Windows Administrators (Ed Horley) – Another essential title for learning IPv6. This book focuses on the use of IPv6 for a variety of popular Windows workloads, including DirectAccess.
IPv6 Address Planning (Tom Coffeen) – This book is an optional read for DirectAccess administrators, but a recommended one still. There is no IPv6 address planning required to implement DirectAccess, as most commonly IPv6 addressing happens automatically. However, this book will help you understand IPv6 subnetting, which can be helpful for fully understanding DirectAccess.
If you prefer video training, be sure to check out this great course on Pluralsight from Ed Horley. Don’t be afraid of IPv6. Embrace it! Start learning IPv6 today!
Posted by Richard M. Hicks on January 28, 2016
When troubleshooting name resolution issues on a Windows client, NSlookup is an essential tool. However, it is important to understand that using NSlookup on a DirectAccess client might not always work as you expect. Although using NSlookup on a DirectAccess client will work normally when the client is on the corporate network, it will not provide the correct results to queries for internal hostnames when the DirectAccess client is outside of the corporate network without taking additional steps. This is because when a DirectAccess client is outside the corporate network, the Name Resolution Policy Table (NRPT) is enabled. The NRPT provides policy-based name resolution routing for DirectAccess clients, sending name resolution requests for certain namespaces to specific DNS servers. You can view the NRPT on a Windows 8.x DirectAccess client by issuing the following PowerShell command:
You can view the NRPT on a Windows 7 DirectAccess client by issuing the following netsh command:
netsh namespace show policy
Here you’ll notice that the namespace .lab.richardhicks.net is configured to use the DNS64 service running on the DirectAccess server at 2002:62bd:d898:3333::1. Notice also that the host nls.lab.richardhicks.net is not configured to use a DNS server. This effectively exempts this host from the NRPT, forcing name resolution requests for this Fully-Qualified Domain Name (FQDN) to be delivered to the DNS servers configured on the network adapter.
A Working Example
With the NRPT enabled, which occurs whenever the DirectAccess client is outside of the corporate network, a name resolution request for app1.lab.richardhicks.net would be sent to the DNS64 service on the DirectAccess server. A name resolution request for technet.microsoft.com would be sent to the DNS servers assigned to the network adapter because the NRPT contains no entry for this namespace. And even though the host nls.lab.richardhicks.net is a part of the internal namespace, a name resolution request for this host would also be sent to the DNS servers assigned to the network adapter because it has been specifically exempted from the NRPT.
The NSlookup utility is unaware of the NRPT. Whenever you use NSlookup it will, by default, automatically send queries directly to the DNS servers configured on the network adapter, regardless of the NRPT. If you wish to use NSlookup to test name resolution for external hostnames, use it as you normally would. However, if you wish to use NSlookup to resolve internal hostnames over the DirectAccess connection, you will need to tell NSlookup to use the DNS64 service running on the DirectAccess server. You can do this by running NSlookup interactively and using the server command to point it to the IPv6 address of the DNS64 service, which you can find in the NRPT.
This also applies to the PowerShell cmdlet Resolve-DNSname. Here you’ll use the -Server switch to specify the DNS64 server’s IPv6 address.
Resolve-DNSName –Server <DNS64_IPv6_Address> app1.lab.richardhicks.net
Posted by Richard M. Hicks on January 13, 2014
Joseph Davies’ latest book Understanding IPv6: Your Essential Guide to IPv6 on Windows Networks is now available. Now in its third edition, this book is an excellent reference for systems administrators and network engineers wanting to learn the fundamentals of IPv6, and specifically how IPv6 is deployed on Microsoft networks. The book explains in detail the inner workings of the IPv6 protocol, including addressing, IPv6 headers, ICMPv6, and neighbor discover. In addition the book also covers IPv6 name resolution, routing, and transition technologies such as ISATAP, 6to4, Teredo, IP-HTTPS, DNS64, and NAT64. New in this addition is a chapter covering DirectAccess in Windows Server 2008 R2 and Windows Server 2012. Get your copy today!
Posted by Richard M. Hicks on July 3, 2012
IPv6 is one of the main underpinnings of DirectAccess. All communication between the DirectAccess client and the DirectAccess server and corporate network resources takes place using IPv6 only. DNS64 and NAT64, the protocol translators for DNS and NAT, address these concerns by translating native IPv6 traffic to IPv4, allowing the DirectAccess client to communicate with systems on the corporate network that are running only IPv4. This significantly reduces the barrier to entry for the adoption of DirectAccess as a remote access solution, but it doesn’t eliminate the requirement for IPv6 altogether. When DNS64 and NAT64 are leveraged, either as part of UAG DirectAccess or the unified remote access role in Windows Server 2012, it is important to remember that the DirectAccess client still communicates with the DirectAccess server using IPv6. It is for this reason that I strongly recommend and encourage systems and network engineers to start learning IPv6 today! I realize that IPv6 looks a bit scary from the outside. The address space is 128-bit and IPv6 addresses are written in hexadecimal, which can be quite daunting for many, me included. There are some new acronyms to learn as well. However, do you recall a time when you didn’t know IPv4? I certainly do! I remember first learning it and thinking I would never get it. Subnet masks? Dotted decimal notation? CIDR? They were completely foreign concepts. Eventually you learn it, gain experience deploying and troubleshooting it, and soon thereafter it becomes second nature. That is most people’s experience with IPv4, and it will be no different with IPv6. It will just take time to learn this new technology.
So, don’t be overwhelmed by IPv6! It’s not like you have to learn an entire new networking model top to bottom. After all, the bottom line is that it is just layer 3 – IP. Begin reading books on the subject and more importantly start deploying it in a lab environment. Soon you’ll have valuable knowledge and experience with the IPv6 protocol which will make you a more complete engineer. To get started, here are a few resources I’d recommend as you begin your quest for IPv6 knowledge and experience:
Understanding IPv6 – This is an excellent book to read to start learning about IPv6. Joe Davies is an outstanding writer and the third edition of this book is due out this summer. Ed Horley, a preeminent expert in the field of IPv6 and co-chair of the California IPv6 Task Force is serving as the technical reviewer so it is sure to be outstanding.
IPv6 Essentials – Another great book about IPv6 written by Silvia Hagen.
IPv6 test lab guide – Test lab guides are essential for learning new features of the Microsoft operating system and applications. The IPv6 test lab guide provides detailed and prescriptive guidance for deploying IPv6 on a Microsoft network.
Posted by Richard M. Hicks on May 8, 2012