All posts tagged Windows Server 2022

Windows Server DHCP and Option 108

While enterprise adoption of IPv6 has been slow, it is still moving forward. For example, the U.S. federal government has mandated [M-21-07 – PDF] the transition to IPv6 to modernize its networks and enhance security, scalability, and interoperability. During the migration to IPv6, most systems will be configured with both IPv4 and IPv6, a configuration referred to as dual stack. Ultimately, the goal is the elimination of IPv4 entirely and the use of IPv6 exclusively. However, IPv6-only presents some unique challenges.

Access to IPv4

Although an organization can successfully migrate to IPv6-only networks internally, they do not control networks outside its boundaries. In some cases, a host on an IPv6-only network may need to communicate with an IPv4 resource. Administrators must deploy an IPv6 transition technology to support this scenario.

464XLAT

464XLAT, defined in RFC 6877, is a network architecture that facilitates the transition from IPv4 to IPv6 by enabling IPv4 traffic to operate over an IPv6-only network. It combines two translation mechanisms: a client-side translator (CLAT) on the user device, which converts IPv4 packets to IPv6, and a provider-side translator (PLAT) at the network edge, which converts the IPv6 packets back to IPv4 to communicate with IPv4-only internet services. This dual-translation approach allows devices in an IPv6-only environment to access both IPv6 and IPv4 resources without requiring a full IPv4 stack, making it an efficient solution for networks transitioning to IPv6 while maintaining compatibility with legacy IPv4 systems. To support 464XLAT, Windows provides specific functionality for CLAT, though with some limitations.

CLAT for Windows

Windows currently provides CLAT support only for cellular network interfaces. CLAT is not available for Wi-Fi or Ethernet interfaces today. However, Microsoft has publicly announced plans to extend CLAT support in Windows for these non-cellular network interfaces soon.

IPv6 Mostly

IPv6 Mostly, defined in RFC 8925, refers to a network configuration where IPv6 is the primary protocol for communication, but IPv4 is still supported for specific use cases. Devices in these networks prefer IPv6 for most operations, leveraging its larger address space and modern features, while maintaining limited IPv4 compatibility. IPv6 Mostly networks ease the transition from IPv4 to IPv6, balancing modern protocol adoption with support for older applications. They optimize resource usage and prepare networks for a future where IPv6 dominates, with tools like 464XLAT providing seamless IPv4 access when necessary.

DHCP Option 108

DHCP Option 108 is a specific configuration in DHCP that enables IPv6-only networks to signal clients to disable IPv4. When a client receives this option, it deactivates its IPv4 stack, relying solely on IPv6 for communication. Turning off IPv4 when it isn’t needed helps streamline network operations in IPv6-focused environments.

Option 108 and Windows Server DHCP

Commercial DHCP appliances like Infoblox and many open source DHCP platforms natively support DHCP option 108. However, no supported version of Windows Server, including the latest release (Windows Server 2025), supports DHCP option 108 natively. To enable DHCP option 108 on Windows DHCP servers, administrators can create a custom predefined option.

Custom Predefined Option

To create a custom predefined option for DHCP option 108 on a Windows DHCP server, open the DHCP management console (dhcpmgmt.msc) and perform the following steps.

  1. Right-click IPv4 and choose Set Predefined Options.
  2. Click Add.
  3. Enter IPv6 Only Preferred in the Name field.
  4. Select Long from the Data type drop-down list.
  5. Enter 108 in the Code field.
  6. Click Ok.

Assigning DHCP Option 108

Once complete, perform the following steps to assign DHCP option 108 to a DHCP scope.

  1. Select an IPv4 DHCP scope.
  2. Right-click Scope Options and choose Configure Options.
  3. Select 108 IPv6 Only Preferred from the Available Options list.
  4. Enter a value in seconds, in hexadecimal format. This value represents the duration for which a client should prefer IPv6-only mode. For example, 86,400 seconds (1 day) is 0x15180.
  5. Click Ok.

PowerShell

Custom predefined options can also be configured using PowerShell.

Custom Predefined Option

To create a custom predefined option for DHCP option 108, open an elevated PowerShell command on a Windows DHCP server and run the following command.

Add-DhcpServerv4OptionDefinition -Name ‘IPv6 Only Preferred’ -OptionId 108 -Type DWORD -PassThru

Assigning DHCP Option 108

To assign the custom predefined DHCP option 108 to a DHCP scope, run the following PowerShell command.

Set-DhcpServerv4OptionValue -ScopeId 172.16.5.0 -OptionId 108 -Value 0x15180 -PassThru

DHCP Offer

Once configured, if the client indicates support for DHCP option 108 in its DHCP Request, the DHCP server will include it in the DHCP Offer, as shown here.

Learn More

If you are interested in learning more about IPv6 Mostly and DHCP option 108, be sure to listen to the following episodes of the IPv6 Buzz Podcast.

Summary

As organizations continue their transition toward IPv6, DHCP option 108 provides administrators with a simple and effective way to reduce reliance on legacy IPv4 by signaling clients to prefer IPv6-only operation if they can support it. While Windows Server does not natively support this option, creating a custom predefined setting ensures administrators can take advantage of this important feature.

Additional Information

M-21-07 – Completing the Transition to IPv6 for U.S. Federal Government Agencies [PDF]

Microsoft Plans to Extend CLAT Support in Windows 11

RFC 6877 – 464XLAT: Combination of Stateful and Stateless Translation

RFC 8925 – IPv6-Only Preferred Option for DHCPv4

IPv6 Buzz Podcast on PacketPushers.Net

3 Comments
by Richard M. Hicks on August 25, 2025  •  Permalink
Posted in 464XLAT, administration, CLAT, Deployment, DHCP, Dynamic Host Configuration Protocol, Enterprise, Infrastructure, IPv6, IPv6 Transition, Microsoft, Operational Support, PowerShell, systems management, transition technology, WinCLAT, Windows 11, Windows CLAT, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 25, 2025

https://directaccess.richardhicks.com/2025/08/25/windows-server-dhcp-and-option-108/

Microsoft DirectAccess Formally Deprecated

Today, Microsoft has announced the formal deprecation of DirectAccess. Microsoft DirectAccess is a widely deployed enterprise secure remote access solution that provides seamless, transparent, always-on remote network connectivity for managed (domain-joined) Windows clients. First introduced in Windows Server 2008 R2, it’s been a popular solution with many advantages over ordinary VPN technologies of the past.

Windows Server 2012

DirectAccess was almost entirely rewritten in Windows Server 2012. Many of the features and enhancements offered for DirectAccess with the Unified Access Gateway (UAG – a separate product with additional costs) were built into the operating system directly. In addition, Microsoft introduced integrated load balancing and geographic redundancy features.

Demise of DirectAccess

DirectAccess relies heavily on classic on-premises technologies like Active Directory. All DirectAccess servers and clients must be joined to a domain. In addition, all DirectAccess clients must be running the Enterprise edition of Windows. With organizations rapidly adopting cloud services such as Azure and Entra ID, Microsoft began to develop an alternative solution that better integrated with the cloud. That solution is Always On VPN. With that, Microsoft stopped developing DirectAccess after the release of Windows Server 2012 R2. No new features or capabilities have been added to DirectAccess since that time.

Deprecation

We’ve been speculating about the end of life for DirectAccess for quite some time now. However, this formal deprecation announcement from Microsoft is official. It is the end of the road for this technology. To be clear, though, DirectAccess is available today in Windows Server 2022 and Windows 11. DirectAccess will be included in the upcoming release of Windows Server 2025. However, formal deprecation from Microsoft means they will remove DirectAccess components from the next release of the operating system.

What Happens Now?

Organizations should begin formal planning efforts to migrate away from DirectAccess. Here are a few popular solutions to consider.

Always On VPN

Always On VPN is the direct replacement for DirectAccess. It was designed to provide feature parity for DirectAccess, with seamless, transparent, always-on remote network connectivity. However, Always On VPN better integrates with Entra ID and supports conditional access. It does not require domain-joined devices or servers and works well with cloud-native endpoints. Always On VPN is a good choice for organizations that employ hybrid Entra-joined devices.

Entra Private Access

Entra Private Access, part of the Entra Global Secure Access suite, is an identity-centric zero-trust network access (ZTNA) solution from Microsoft. It is in public preview now and has some compelling advantages over traditional VPNs. However, Entra Private Access is not feature complete today. In addition, it is best suited to cloud-native (Entra-joined only) endpoints.

Absolute Secure Access

Absolute Secure Access (formerly NetMotion Mobility) is a premium enterprise remote access solution with many advanced options. It is by far the best solution on the market today. Absolute Secure Access is a software solution that supports zero-trust configuration and includes many features to improve and enhance security, performance, and visibility. In addition, it provides cross-platform support, including Windows, macOS, iOS, and Android operating systems.

Learn More

We have several decades of experience working with secure remote access technologies. We can help you and your organization find the best solution for your needs. Fill out the form below for a free one-hour consultation to discuss your DirectAccess migration strategy today.

Additional Information

Deprecated Features for Windows Client

1 Comment
by Richard M. Hicks on June 12, 2024  •  Permalink
Posted in Absolute, Absolute Secure Access, Absolute Software, Active Directory, Always On VPN, AOVPN, Azure, Azure Active Directory, Azure AD, Azure AD Join, Azure Conditional Access, cloud, Cloud Service, Consulting Services, Deployment, Device Management, DirectAccess, DirectAccess Deprecated, DirectAccess End of Life, DirectAccess EOL, end of life, Enterprise, enterprise mobility, Entra, Entra Global Secure Access, Entra ID, Entra Private Access, EOL, Forefront UAG 2010, Group Policy, Hybrid Azure AD Join, Infrastructure, Microsoft, Microsoft Entra ID, Microsoft Entra Private Access, Mobility, NetMotion Mobility, Windows 10, Windows 11, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025, Zero Trust, Zero Trust Network Access, ZTNA
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on June 12, 2024

https://directaccess.richardhicks.com/2024/06/12/microsoft-directaccess-formally-deprecated/

10 PowerShell Commands Always On VPN Administrators Should Know

Managing a secure and reliable VPN infrastructure is critical for supporting today’s highly mobile workforce. For Always On VPN administrators, PowerShell is an indispensable tool for achieving this goal. Not only can PowerShell be used to automate the installation and configuration of Windows Server Routing and Remote Access Service (RRAS) server, but it can also be used to audit configuration and monitor system health and user activity as well. In addition, it is highly recommended that the RRAS role be installed on Server Core for optimum security and performance. Administrators must be familiar with these PowerShell commands and more to support RRAS on Windows Server Core in their environment.

RemoteAccess Module

The RemoteAccess PowerShell module should be installed when the RRAS server is configured. There are 122 commands in this module, but only a subset of those pertain to the VPN server role. Here are ten popular commands for monitoring and managing an Always On VPN RRAS server.

Configuration Review

The following PowerShell commands are useful for reviewing the current RRAS server configuration.

Get-RemoteAccess – Displays the current configuration of the VPN server. Details include installation status, TLS certificate configuration, VPN client IP address assignment method, IPv4 and IPv6 addressing information (if using the static address assignment method), authentication type, and configured RADIUS servers.

Get-VpnAuthProtocol – Displays authentication configuration details such as accepted authentication types for both user and device connections, root certification authority (CA) certificate restrictions (if enabled), and certificate advertisement and EKU restrictions if enabled.

Get-VpnServerConfiguration – Displays additional VPN server configuration information, such as the IPsec configuration for IKEv2, the number of VPN ports configured, and more.

System Health

Get-RemoteAccessHealth – Displays the current health status of various VPN server services. The command’s default output is a little noisy. I recommend filtering it as follows:

Get-RemoteAccessHealth | Where-Object HealthState -NotMatch Disabled | Format-Table -AutoSize

User Activity

The following PowerShell commands can be used to view current and historical user activity details.

Get-RemoteAccessConnectionStatistics – Displays all active VPN connections on the server.

Get-RemoteAccessConnectionStatisticsSummary – Displays cumulative information about VPN connections on the server since the last service restart or reboot, such as the total number of connections, the number of unique users, the maximum number of concurrent connections, and the amount of data transferred.

Get-RemoteAccessUserActivity – Displays all active VPN connections for a specific user or device.

Management

The following PowerShell commands are helpful for reviewing authentication and logging settings.

Get-RemoteAccessRadius – Allows the administrator to view the currently configured RADIUS servers on the VPN server.

Get-RemoteAccessAccounting – Allows the administrator to view the current accounting repository (RADIUS or inbox) on the VPN server.

Clear-RemoteAccessInboxAccountingStore – Allows the administrator to remove log data from the Inbox Accounting database. Removing log data from the database can be helpful when transitioning a test server to production or to free up disk space by reducing the size of the logging database.

Additional Modules

In addition to the PowerShell commands above, Always On VPN administrators can leverage my custom PowerShell modules for advanced server and client configuration. These modules are published in the PowerShell Gallery.

AovpnTools – PowerShell module to configure and optimize Windows RRAS servers to support Always On VPN.

Install-Module -Name AovpnTools

InboxAccountingDatabaseManagement – PowerShell module to configure and manage the Inbox Accounting database for logging system information and user activity on the VPN server.

Install-Module -Name InboxAccountingDatabaseManagement

Additional Information

Always On VPN and RRAS on Windows Server Core

Inbox Accounting Database Management

AovpnTools PowerShell Module on GitHub

Inbox Accounting Database Module on GitHub

2 Comments
by Richard M. Hicks on November 2, 2023  •  Permalink
Posted in administration, Always On VPN, AOVPN, Deployment, Device Management, device tunnel, Enterprise, enterprise mobility, Mobility, Operational Support, PowerShell, Remote Access, routing and remote access service, RRAS, Security, Server Core, systems management, troubleshooting, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 2, 2023

https://directaccess.richardhicks.com/2023/11/02/10-powershell-commands-always-on-vpn-administrators-should-know/

« Older Posts