HOWTO: Setup IIS 7.5 to use IPv6

I took the SANS 546 class today, and it got me thinking about setting up my server to respond to IPv6 hosts. Steps thus far are pretty straightforward:

  1. Get an account with a tunnel broker
  2. Configure your host
  3. Test connectivity
  4. Configure IIS
  5. Create AAAA record on your DNS provider
  6. Troubleshooting

Tunnel Broker Account

This is very easy and painless! There are several to choose from, but the one the lecturer mentioned was Hurricane Electric. Fill out the form and check your email for your password; the whole process takes about a minute. Once you log in you will need to create your first tunnel:

  1. Log in to http://www.tunnelbroker.net/ with your username and password
  2. Click “Create Regular Tunnel”
  3. IPv4 endpoint = the public IPv4 address of your web server. It has to be reachable from the Internet (the broker checks that it answers ping), and any firewall or NAT in front of it must pass IP protocol 41, the 6in4 encapsulation the tunnel uses, not just TCP and UDP
  4. The site picks the tunnel server closest to that address
  5. Click “Create Tunnel”

Configure your host

See? Pretty painless. Now that the tunnel exists you need to configure your host. Since I’m working with Windows 2008 R2 there is a set of netsh commands to run. They are specific to your tunnel, and you get them from the “Example Configurations” tab on the Tunnel Details page: select your operating system from the dropdown and it prints the commands you need. They create a 6in4 tunnel interface, assign your client IPv6 address to it and point the IPv6 default route at the tunnel server, so note the four addresses the page shows (server and client IPv4, server and client IPv6); you will need them again when troubleshooting.

Test connectivity

Once everything is configured, the easiest test is to try to reach a host you know is on IPv6:
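As an added example (not from the original post), the following PowerShell script does the host configuration and the connectivity test described in the two sections above on Windows Server 2008 R2. The four addresses are placeholders from the RFC 5737/3849 documentation ranges; substitute the values shown on your own Tunnel Details page. The interface name IP6Tunnel is the one Hurricane Electric’s example configuration uses.

```powershell
# Added example, not from the original post: bring up the Hurricane Electric
# 6in4 tunnel on Windows Server 2008 R2 and then verify it in an order that
# tells you which layer is broken. Addresses are placeholders (RFC 5737/3849
# documentation ranges); substitute the four values from your Tunnel Details
# page. Run from an elevated PowerShell prompt.
$ServerIPv4 = "203.0.113.1"    # "Server IPv4 Address" (HE's end of the tunnel)
$ClientIPv4 = "198.51.100.10"  # "Client IPv4 Address" (your public address)
$ServerIPv6 = "2001:db8:1::1"  # "Server IPv6 Address"
$ClientIPv6 = "2001:db8:1::2"  # "Client IPv6 Address"
$TunnelIf   = "IP6Tunnel"      # interface name used by HE's example configuration

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    # netsh signals failure only through its exit code; stop on the first
    # error instead of layering more configuration on top of a broken step.
    & netsh.exe $NetshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh $($NetshArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

function Set-HeTunnel {
    # HE's own instructions start by disabling Teredo so its auto-configured
    # address and default route do not compete with the static tunnel.
    Invoke-Netsh @("interface", "teredo", "set", "state", "disabled")
    # 6in4 point-to-point interface between your public IPv4 and the broker's.
    Invoke-Netsh @("interface", "ipv6", "add", "v6v4tunnel", "interface=$TunnelIf",
                   "localaddress=$ClientIPv4", "remoteaddress=$ServerIPv4")
    # Your end of the tunnel /64, then the IPv6 default route via the broker's end.
    Invoke-Netsh @("interface", "ipv6", "add", "address", "interface=$TunnelIf", "address=$ClientIPv6")
    Invoke-Netsh @("interface", "ipv6", "add", "route", "prefix=::/0", "interface=$TunnelIf", "nexthop=$ServerIPv6")
}

function Test-HeTunnel {
    # 1. own address answers   -> interface is up and the address stuck
    # 2. far end answers       -> protocol 41 is getting through firewall/NAT
    # 3. a public name answers -> default route and AAAA resolution both work
    $results = @{}
    foreach ($target in @($ClientIPv6, $ServerIPv6, "ipv6.google.com")) {
        $null = & ping.exe -6 -n 2 $target
        $results[$target] = ($LASTEXITCODE -eq 0)
        Write-Host ("{0,-5} {1}" -f $(if ($results[$target]) { "OK" } else { "FAIL" }), $target)
    }
    return $results
}

Set-HeTunnel
Test-HeTunnel | Out-Null
netsh interface ipv6 show address "interface=$TunnelIf"
```

The netsh additions are persistent by default, so they survive a reboot. If the first ping succeeds and the second fails, the tunnel interface is fine and something between you and the broker is dropping protocol 41; if only the third fails, look at the default route and at DNS rather than at the tunnel.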

Configure IIS

Configuring IIS is pretty simple as well, although I found I had to do some extra work that I didn’t think should be necessary (see Troubleshooting below).

  • Open IIS Manager
  • Select the site you wish to enable IPv6 on
  • From the Actions pane choose “Bindings…”, then “Add…”
  • For a basic web server
    • Type = http
    • IP address = the IPv6 address you assigned with netsh (not a temporary or autoconfigured one)
    • Port = 80
    • Host name = the name you want the server to respond to
  • Click OK

Create AAAA record on your DNS provider

I use GoDaddy.com for my DNS, so you just need to go into Total DNS Manager and add the AAAA entry. The name of this record must match the host name you specified in the IIS binding, and its value is the client IPv6 address of the tunnel.

Troubleshooting

  • The first thing you will want to do is make sure that you are able to ping your own IPv6 address
  • Then try pinging your IPv6 address remotely
  • Repeat these steps with the IPv6 hostname that you set in DNS
  • It may also be a good idea to visit test-ipv6.com
    • If all of those tests fail you may have other issues that I can’t really help you with

What I found is that I was able to ping my IPv6 address locally and remotely, my name ipv6.patton-tech.com resolved locally and remotely, but when I pointed a browser at that URL nothing showed up. It was the end of the day when I got this set up, and I had done some of the basic troubleshooting above, all of which returned successful. This morning I began again and ran the following command:

netstat -s

The output showed several failed connection attempts in the IPv6 statistics, and the count seemed to increase each time I attempted to open the website (could have been coincidence). Since there were failures on IPv6, the next thing I did was run:

netstat -an

This shows which addresses are listening on which ports; I saw my IPv4 addresses, but no IPv6. That’s when I started browsing the forums looking for something useful, and I didn’t find much. Most of what I found talked about making sure you didn’t choose the temporary IPv6 address, but since ours is assigned statically via netsh I didn’t think that was the problem. Running the command:

netsh interface ipv6 show address

showed that my interface was a tunnel interface, which makes sense, but that got me spun off into checking the firewall, which wasn’t the problem at all. Finally I found a forum post on iis.net that was close enough to my issue that I was able to resolve it. One of the posters suggested running this command:

netsh http show iplisten

Unlike the original poster, I could see my public IPv4 address but not my IPv6 address. The suggestion was to remove all iplisten entries, which would force IIS (really the HTTP.sys listener it sits on) to listen on every address. Since I have several services running and listening on port 80, I couldn’t do that. But the syntax of that command led me to TechNet for the proper syntax to add a listener:

netsh http add iplisten ipaddress=ipv6addy

I posted a question in the forums to ask whether I had done something wrong, or whether perhaps the default is not to add the listener, but no answer yet. It seems to me that when I add a binding in IIS it should also allow the web server to listen on that address. I know there was nothing I had to do for IPv4, so it’s either a default (not likely) or the fact that this address is set statically (more likely).
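For the record, the behaviour is documented: when the HTTP.sys IP listen list is empty it binds to every address, and as soon as the list contains any explicit entry it binds only to those, so any address you later put in a site binding, IPv4 or IPv6, must also be added to the list. The script below is an added example (not code from the original post) that does the binding from the “Configure IIS” section with appcmd, adds the listen entry only when the list is non-empty and missing the address, and then proves the listener exists with netstat, which is the check that was failing above. Site name, host name and address are placeholders.

```powershell
# Added example, not code from the original post: add the IPv6 binding to an
# IIS 7.5 site with appcmd, make sure the HTTP.sys IP listen list includes the
# address, and prove the listener is really there with netstat.
# Site name, host name and address are placeholders. Run elevated.
$SiteName = "Default Web Site"
$HostName = "ipv6.example.com"
$Ipv6     = "2001:db8:1::2"     # the static tunnel address assigned with netsh
$AppCmd   = Join-Path $env:windir "system32\inetsrv\appcmd.exe"

function Add-Ipv6Binding {
    # bindingInformation is ip:port:host; IPv6 literals go in square brackets.
    & $AppCmd set site /site.name:"$SiteName" "/+bindings.[protocol='http',bindingInformation='[$Ipv6]:80:$HostName']"
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed with exit code $LASTEXITCODE" }
}

function Get-HttpListenList {
    # "netsh http show iplisten" prints a header, a rule of dashes and then one
    # indented address per line; keep only the address lines.
    return @(netsh http show iplisten | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^[0-9A-Fa-f:.]+$' })
}

function Add-HttpListenAddress {
    $list = Get-HttpListenList
    if ($list.Count -eq 0) {
        Write-Host "IP listen list is empty: HTTP.sys already binds 0.0.0.0 and [::], nothing to add."
        return $false
    }
    if ($list -contains $Ipv6) {
        Write-Host "$Ipv6 is already in the IP listen list."
        return $false
    }
    # A non-empty list means HTTP.sys binds only the addresses named in it,
    # which is why the binding showed up in IIS Manager but not in netstat.
    netsh http add iplisten "ipaddress=$Ipv6"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add iplisten failed with exit code $LASTEXITCODE" }
    # The list is read when the HTTP service starts, so restart it and the
    # web service that depends on it; an iisreset alone is not enough.
    net stop http /y | Out-Null
    net start w3svc  | Out-Null
    return $true
}

function Test-Ipv6Listener {
    # netstat shows IPv6 sockets as [addr]:port; a LISTENING row on :80 is the goal.
    $rows = @(netstat -an | Where-Object { $_ -match "\[$([regex]::Escape($Ipv6))\]:80\s+\S+\s+LISTENING" })
    return ($rows.Count -gt 0)
}

Add-Ipv6Binding
Add-HttpListenAddress | Out-Null
if (Test-Ipv6Listener) {
    Write-Host "HTTP.sys is listening on [$Ipv6]:80"
} else {
    Write-Host "Still not listening: compare Get-HttpListenList with the binding, then check the Windows Firewall"
}
```

One caveat before publishing the AAAA record: the Windows Firewall rule that allows inbound port 80 applies to both address families unless you scoped it, so once HTTP.sys listens on the tunnel address the site is reachable from the whole IPv6 Internet through the tunnel, bypassing any IPv4-only filtering upstream of the server. Review the rule scope on the same day you add the record.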

Do you suffer from “Premature Installation”?

Or, “What’s in a name?”

Turns out a whole hell of a lot! First I need to thank Nick for the awesome title, as he completely pinpointed my issue after I told him what happened. The last article I posted talked about our desire to move away from vanilla Windows 2008 and up to Windows 2008 R2. What should have been a pretty straightforward process got slightly mangled by two things: I forgot to rename the computer, and I moved too fast, hence the “Premature Installation!”

Naming is important; there are some names you can change and some you can’t. How computers get their names has also changed with 2008: it used to be that during installation you were prompted for a name, now you do that afterwards. One of the things we found out was that a Domain Controller can have multiple names; while I don’t know how recent that change is, it was new to us. Back to the naming process: while there’s nothing inherently wrong with a Domain Controller named WIN-LLF3467Q0, you would undoubtedly agree it doesn’t really roll off the tongue.

So that was the first problem. I installed Windows 2008 R2 without mishap and Directory Services installed, and when I hopped over to the Domain Controllers OU I noticed my problem. So the first thing I did was go to the above article and rename my new Domain Controller, and this is where the second problem occurred.

Replication, while speedy, does take time, and the more things you have in your AD the longer it can potentially take. The end result of my fubar is that we wound up with no fewer than three different entries in DNS for the same server, only one of which was correct, and due to replication latency the name of the server in AD was completely wrong.

So I did what I imagine most people would do and went to uninstall DS from the server to start over. But because things had gotten so trashed I was unable to uninstall DS, because the server name I was on didn’t exist in AD. I really should have taken screenshots, but take my word for it: I was on dc1 and the error was that dc1 didn’t exist…which was technically true. It was a crazy weird edge situation; you could actually connect to DC1, but you had to type it in manually in order to get there. At any rate, I was unable to remove DS, so I turned off the computer and attempted to remove the computer account that was listed from the Domain.

The problem with that was that in order to do it, you MUST be on a Domain Controller to remove a non-functional Domain Controller from the Domain. I’ve not found an article on TechNet that mentions that, but I’ve not looked in any great detail. This information was found on the TechNet Social site; after connecting over RDP to the off-site Domain Controller I was able to remove the offending account.

So, in the future, remember to be patient and make sure you have a checklist!

  1. Install Windows OS
  2. Change the default name before network connectivity
  3. Make any needed changes
    1. Disable IPv6
    2. Apply 3rd party DNS Hotfix
  4. Install Directory Services
  5. Wait
  6. Wait
  7. Wait
  8. Verify successful replication

These are the steps I followed on my server rebuild yesterday, as well as the same instructions I followed when I migrated the second Domain Controller this morning.
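As an added example (not the author’s script), here are the parts of that checklist that can be scripted in the PowerShell 2.0 that ships with 2008 R2: the rename in step 2, done through WMI while the box is still in a workgroup, and the “wait, then verify replication” in steps 5 to 8, done with repadmin plus a DNS check for the symptom described above. $NewName and $DomainDns are placeholders.

```powershell
# Added example, not the author's script: the rename-first and verify-last
# parts of the checklist above, in PowerShell 2.0 as shipped with 2008 R2.
# $NewName and $DomainDns are placeholders.
$NewName   = "DC1"
$DomainDns = "corp.example.com"

function Rename-LocalComputer {
    param([string]$Name)
    # Step 2: rename while still in a workgroup and before the NIC is
    # connected, so no object with the WIN-xxxx name is ever created in AD or
    # DNS. Win32_ComputerSystem.Rename returns 0 on success, otherwise a Win32
    # error code; the new name takes effect after a reboot.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.PartOfDomain) { throw "Already domain-joined; rename before joining (or use netdom renamecomputer)." }
    $rc = $cs.Rename($Name).ReturnValue
    if ($rc -ne 0) { throw "Rename failed with Win32 error $rc" }
    Write-Host "Renamed to $Name; reboot before installing Directory Services."
}

function Test-Replication {
    # Steps 5-8: "wait" ends when repadmin shows no failing partners.
    # /replsummary gives per-DC fail/total counts; /showrepl /errorsonly is
    # silent when every inbound connection is healthy.
    $summary = & repadmin.exe /replsummary
    $errors  = & repadmin.exe /showrepl /errorsonly
    $summary | Write-Host
    $failed = @($errors | Where-Object { $_ -match 'failed|error' })
    if ($failed.Count -gt 0) { $failed | Write-Host }
    return ($failed.Count -eq 0)
}

function Test-DcDnsName {
    param([string]$Name, [string]$Domain)
    # The symptom in the post was AD and DNS disagreeing about the DC's name:
    # confirm the intended FQDN resolves to at least one IPv4 address.
    $fqdn = "$Name.$Domain"
    try {
        $ips = @([System.Net.Dns]::GetHostAddresses($fqdn) | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    } catch {
        Write-Host "$fqdn does not resolve"
        return $false
    }
    Write-Host "$fqdn -> $(($ips | ForEach-Object { $_.IPAddressToString }) -join ', ')"
    return ($ips.Count -gt 0)
}

# The phases are separated by a reboot and by dcpromo, so run them one at a time:
#   Rename-LocalComputer -Name $NewName            # before plugging in the network
#   ...reboot, dcpromo, reboot...
#   while (-not (Test-Replication)) { Start-Sleep -Seconds 300 }
#   Test-DcDnsName -Name $NewName -Domain $DomainDns
```

The loop on Test-Replication is the scripted form of “Wait, Wait, Wait”: it returns only when repadmin reports no failing inbound connections on any partner, which is the point at which renaming or demoting is safe.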

Preparing to upgrade DC’s to Windows Server 2008 R2

We decided it was time to move to R2 on the domain controllers, and while we’re at it we also moved up to the Windows 2008 functional level. Sadly we can’t go to 2008 R2 functional until our last 2008 DC goes out of warranty, in 2014! Oh well, maybe something will happen to it…

Fairly straightforward process

  1. Transfer FSMO roles
  2. Take a VM snapshot
  3. Perform the DCPromo
  4. Uninstall ADDS binaries
  5. Export Logs
  6. Reset computer account
  7. Install Windows 2008R2 Core

Well, this morning Boe Prox posted a nice function to poshcode, Get-FSMORoleOwner. This function returns which server owns which roles, and it was very helpful as I performed my transfers. Originally I had wanted to use PowerShell to perform the transfers, but without ADWS the built-in ActiveDirectory module wouldn’t load. So I performed the transfers the old-fashioned way, using the MMC. After each transfer I ran Get-FSMORoleOwner to verify that the role had moved. This all went without a hitch, as expected; then came the Domain Functional Level.

No big surprises here; we did a little digging and found that moving to the 2008 functional level was equivalent to staying at 2003. There are a few new features in 2008, the most interesting one for me at least being last interactive logon information. Raising the functional level was a breeze, and all domain controllers reported the same level within minutes.
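As an added example (not Boe Prox’s Get-FSMORoleOwner and not the author’s code), the following reads the FSMO owners and the functional level through the .NET System.DirectoryServices.ActiveDirectory classes, which need no ADWS and so work on a DC where the ActiveDirectory module will not load. It gives you a yes/no gate for both steps above: all five roles are on the DC you intended before you demote, and every DC reports the new level before you call the raise done. The DC name passed to Test-FsmoOwner is a placeholder.

```powershell
# Added example, not Boe Prox's Get-FSMORoleOwner and not the author's code:
# FSMO owners and functional level via .NET, with no dependency on ADWS or the
# ActiveDirectory module. The DC name passed at the bottom is a placeholder.
function Get-FsmoOwner {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaRoleOwner.Name
        DomainNamingMaster   = $forest.NamingRoleOwner.Name
        PdcEmulator          = $domain.PdcRoleOwner.Name
        RidMaster            = $domain.RidRoleOwner.Name
        InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
        DomainMode           = $domain.DomainMode.ToString()
        ForestMode           = $forest.ForestMode.ToString()
    }
}

function Test-FsmoOwner {
    param([string]$ExpectedDc)
    # True only when all five roles sit on $ExpectedDc (FQDN). Gate the
    # demotion on this so that you, not dcpromo, decide where the roles live.
    $o = Get-FsmoOwner
    $roles = @($o.SchemaMaster, $o.DomainNamingMaster, $o.PdcEmulator, $o.RidMaster, $o.InfrastructureMaster)
    $stray = @($roles | Where-Object { $_ -ne $ExpectedDc })
    if ($stray.Count -gt 0) { Write-Warning "Roles not on ${ExpectedDc}: $($stray -join ', ')" }
    return ($stray.Count -eq 0)
}

function Test-DomainLevel {
    # msDS-Behavior-Version on the domain head: 2 = 2003, 3 = 2008, 4 = 2008 R2.
    param([int]$ExpectedLevel = 3)
    # Read the value from every DC directly rather than from whichever DC you
    # are on, so replication lag shows up as a DC still reporting the old level.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dn = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $behind = @()
    foreach ($dc in $domain.DomainControllers) {
        $entry = [ADSI]"LDAP://$($dc.Name)/$dn"
        $level = [int]$entry.Properties["msDS-Behavior-Version"].Value
        Write-Host ("{0,-35} level {1}" -f $dc.Name, $level)
        if ($level -ne $ExpectedLevel) { $behind += $dc.Name }
    }
    return ($behind.Count -eq 0)
}

Get-FsmoOwner | Format-List
Test-FsmoOwner -ExpectedDc "dc2.corp.example.com"   # placeholder: the DC that should now hold every role
Test-DomainLevel -ExpectedLevel 3
```

Run Get-FsmoOwner before the first transfer and again after each one, exactly as the post does with Get-FSMORoleOwner; Test-DomainLevel replaces “reported the same level within minutes” with a check that asks each DC for itself.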

Since I’ve been moving away from VBScript and over to PowerShell, I decided to take my VM snapshot using VMware’s PowerCLI:

New-Snapshot -Name Pre-Demotion -VM dc1 -Description "Snapshot prior to demoting."

In order to back up all the log files I threw together a quick little function, Backup-EventLogs. It takes the name of the computer and uses Get-WinEvent to get all the logs available. It then writes out each log where the RecordCount is greater than 0 to a CSV file, using Export-CSV. Carson pointed out that it may have been easier to copy the log files over…ya, well…dammit, I wouldn’t have gotten a nifty function out of it though!
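The post describes Backup-EventLogs without showing it, so here is an added reconstruction that follows that description (it is my own code, not the author’s published function): enumerate every log on the target with Get-WinEvent -ListLog, skip the empty ones, and export each remaining log to its own CSV. It assumes the remote event log firewall exception is open on the target and that the caller has read access to the logs; the computer name in the usage line is a placeholder.

```powershell
# Added example, my own reconstruction of the Backup-EventLogs the post
# describes; not the author's published function. Assumes the remote event
# log firewall exception is open on the target.
function Backup-EventLogs {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$Destination = (Join-Path $env:TEMP "eventlogs-$ComputerName")
    )
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }

    # -ListLog * enumerates every channel; channels the caller cannot read
    # raise non-terminating errors, so they are skipped rather than aborting
    # the whole run. Only logs that actually hold records are worth a file.
    $logs = Get-WinEvent -ListLog * -ComputerName $ComputerName -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordCount -gt 0 }

    $exported = @()
    foreach ($log in $logs) {
        # Channel names such as Microsoft-Windows-DNS-Client/Operational contain
        # a slash, which is not legal in a file name.
        $file = Join-Path $Destination (($log.LogName -replace '[\\/:*?"<>|]', '_') + ".csv")
        Get-WinEvent -LogName $log.LogName -ComputerName $ComputerName -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message |
            Export-Csv -Path $file -NoTypeInformation
        $exported += New-Object PSObject -Property @{
            Log     = $log.LogName
            Records = $log.RecordCount
            File    = $file
        }
    }
    return $exported
}

# Usage (placeholder computer name):
#   Backup-EventLogs -ComputerName dc1 | Format-Table Log, Records, File -AutoSize
```

Carson’s objection has a security angle worth keeping in mind: Export-Csv keeps only the fields you select and drops the raw event XML, so a CSV is a convenient archive but not evidence. If the point of exporting logs before demotion is to be able to answer “what happened on that DC” later, also copy the .evtx files themselves (wevtutil epl writes a log to a file) and keep those alongside the CSVs.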

Anyway, resetting the computer account and reinstalling are fairly vanilla, and I’m pretty sure I covered standing up a Core server somewhere before.

Thanks,