IPv6 Disabled? – 0xffffffff to 0xff fixup

Like many environments, you may have disabled IPv6 on your workstations and servers. There are plenty of reasons why organization choose to enable or disable this and I won’t go into detail on whether or not you *should* disable IPv6…that’s not today’s focus.

Instead, we’re going to take a look at an issue that many organizations face (and might not know it).

This hinges on a couple of key points around disabling IPv6:

1. Don’t  unbind TCP/IPv6 from your Network Card. This can have some pretty interesting and unpredictable results since you are not actually disabling IPv6 from the networking stack…just turning it off for that adapter.

2. Do disable by using the DisabledComponents registry key. This key has a range of uses from completely disabling to just disabling specific components.

3. If you previously disabled IPv6 using the DisabledComponents registry value and you set the value to 0xffffffff…it needs to be fixed. Take a look at KB929852 and note that this value should actually be 0xff, but was incorrectly listed as 0xffffffff originally. This bad value can cause a startup delay on incorrectly configured systems and should be fixed.

 

If you originally deployed this with Group Policy Preferences or you have an existing solution to deploy registry values on demand, just update your existing solution. Similarly, if you have the 0xffffff value in your deployment image, fix this so new machines are not affected.

So, let’s assume you’re in the 3rd boat and, unfortunately, the bad value was manually deployed or in the original system image. In this scenario, you need a simple solution for updating your servers, clients, or both.

 

IPv6 Fixup using Group Policy Preferences

Here’s a quick example of a GPP-based fixup to resolve the incorrect DisabledComponents value data:

  1. Create a new GPO
  2. Edit the GPO and navigate to Computer Configuration>Preferences>Windows Settings>Registry
  3. Right-click > New Registry Item
  4. On the General tab:
    • Hive: HKEY_LOCAL_MACHINE
    • Key Path: SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters
    • Value Name: DisabledComponents
    • Value Type: REG_DWORD
    • Value data: FF
  5. On the Common tab:
    • Check Apply once and do not reapply (since you should only need to fix this once)
    • Click the Targeting button
  6. At the Targeting Editor:
    • Click New Item
    • Select Registry Match
    • Match type: Match value data
    • Value data match type: Substring match
    • Hive: HKEY_LOCAL_MACHINE
    • Key path: SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters
    • Value Name: DisabledComponents
    • Value Type: REG_DWORD
    • Value data: FFFFFFFF
  7. Edit the Security Filter on the GPO to only apply to a subset of test computers
    1. If successful, continue with broader deployment…either by increments or all systems.

 

With this simple GPP, the problem is fixed with a one-time action that will update the registry value data (to 0x000000ff), but only if the server/client has the bad registry value data (0xffffffff).

IMPORTANT: As with all changes to your production environment, you need to test. Ideally, test against a lab environment (DEV) , a subset of system (TEST), and then deploy to remaining systems in large groups (PROD).

 

For some further reading on IPv6, take a look at these:

IPv6 Survival Guide
http://social.technet.microsoft.com/wiki/contents/articles/1728.ipv6-survival-guide.aspx

Arguments against disabling IPv6
http://blogs.technet.com/b/netro/archive/2010/11/24/arguments-against-disabling-ipv6.aspx

What is 2002:836b:0F1E::836b:0F1E and why am I seeing it?
http://blogs.technet.com/b/jlosey/archive/2012/02/23/what-is-2002-836b-0f1e-836b-0f1e-and-why-am-i-seeing-it.aspx

Why you should leave IPv6 alone
http://blogs.technet.com/b/jlosey/archive/2011/02/02/why-you-should-leave-ipv6-alone.aspx

Posted in Active Directory, Group Policy, Networking

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: