How to Get IPv6 and DHCPv6 Properly Configured on a Small Network

Scenario: Small Windows network with Forefront Threat Management Gateway 2010 as the only router. Using static IPv4 addresses for key infrastructure servers (DCs, DHCP, DNS, Hyper-V hosts, etc.) and DHCP for clients and development servers.

Installed and configured DHCPv6 for stateful address distribution after assigning unique local IPv6 addresses to key infrastructure servers. (Note: unlike with private IPv4 addresses, to be fully RFC compliant you cannot just make up a random unique local address prefix. You are supposed to use a specific algorithm to ensure your choice of IPv6 private addresses is unlikely to be duplicated on any other private network, to facilitate both VPN access and possibly mergers of two disparate networks in the future. See http://www.simpledns.com/private-ipv6.aspx for a nice implementation.)
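The algorithm referred to above is the pseudo-random Global ID procedure in RFC 4193 section 3.2.2: hash a 64-bit NTP timestamp concatenated with an EUI-64 identifier with SHA-1, take the least significant 40 bits, and place them after the fd00::/8 byte to get a /48. The following PowerShell is an added example written for this page, not the simpledns.com implementation linked above and not part of the original post; the MAC address at the bottom is a constructed sample, and the function and parameter names are my own. It also shows how a /64 such as the post's fde5:23ba:4545:4ccd::/64 is carved from the /48 (here fde5:23ba:4545::/48) by appending a 16-bit subnet ID.

```powershell
# Added example (not from the original post): generate an RFC 4193 unique local
# address prefix using the pseudo-random Global ID algorithm from RFC 4193 §3.2.2.
# The MAC address used at the bottom is a constructed sample; on a real server take
# one from (Get-NetAdapter | Select-Object -First 1).MacAddress.

function ConvertTo-Eui64 {
    # Build a modified EUI-64 from a 48-bit MAC: insert FF-FE in the middle and
    # flip the universal/local bit (bit 1 of the first octet), as RFC 4291 describes.
    param([Parameter(Mandatory)][string]$MacAddress)
    $octets = ($MacAddress -split '[-:]') | ForEach-Object { [Convert]::ToByte($_, 16) }
    if ($octets.Count -ne 6) { throw "Expected a 6-octet MAC address, got '$MacAddress'" }
    return [byte[]]@(($octets[0] -bxor 0x02), $octets[1], $octets[2], 0xFF, 0xFE,
                     $octets[3], $octets[4], $octets[5])
}

function Get-NtpTimestampBytes {
    # 64-bit NTP timestamp, big-endian: 32 bits of seconds since 1900-01-01 UTC
    # followed by 32 bits of fraction. It is only hash input, so precision is not critical.
    $epoch    = [DateTime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $elapsed  = ([DateTime]::UtcNow - $epoch).TotalSeconds
    $seconds  = [uint32][math]::Floor($elapsed)
    $fraction = [uint32][math]::Floor(($elapsed - [math]::Floor($elapsed)) * 4294967296)
    $secBytes  = [BitConverter]::GetBytes($seconds)
    $fracBytes = [BitConverter]::GetBytes($fraction)
    if ([BitConverter]::IsLittleEndian) {
        [Array]::Reverse($secBytes)
        [Array]::Reverse($fracBytes)
    }
    return [byte[]]($secBytes + $fracBytes)
}

function New-UlaPrefix {
    # Key = NTP time || EUI-64; SHA-1 the key; the low 40 bits become the Global ID.
    # FC00::/7 with the L bit set (locally assigned) gives the fd00::/8 block.
    param([Parameter(Mandatory)][string]$MacAddress)
    $key  = [byte[]]((Get-NtpTimestampBytes) + (ConvertTo-Eui64 -MacAddress $MacAddress))
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $digest = $sha1.ComputeHash($key) }
    finally { $sha1.Dispose() }
    $gid = $digest[15..19]   # least significant 40 bits = last 5 of the 20 digest bytes
    return 'fd{0:x2}:{1:x2}{2:x2}:{3:x2}{4:x2}::/48' -f $gid[0], $gid[1], $gid[2], $gid[3], $gid[4]
}

function Get-UlaSubnet {
    # Carve a /64 out of the /48 by appending a 16-bit subnet ID (one per LAN segment).
    param([Parameter(Mandatory)][string]$Prefix48, [uint16]$SubnetId = 1)
    $base = $Prefix48 -replace '::/48$', ''
    return '{0}:{1:x4}::/64' -f $base, $SubnetId
}

$ula = New-UlaPrefix -MacAddress '00-15-5D-01-02-03'   # constructed sample MAC
"ULA /48 for the site : $ula"
"/64 for the server LAN: $(Get-UlaSubnet -Prefix48 $ula -SubnetId 1)"
```

Run it once, record the resulting /48 with your other network documentation, and derive every internal /64 from it; because the Global ID is taken from a hash of time and hardware identity rather than chosen by hand, two independently generated sites are very unlikely to collide, which is exactly the property the RFC wants for later VPN interconnection or merger.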

Although my servers with statically assigned unique local addresses could ping each other over IPv6 and use nslookup for name resolution, my DHCPv6 clients could not. The clients did receive the proper unique local addresses that my DHCP servers were configured to distribute, but they were missing a proper route table entry. Given that I do not have an IPv6-aware router on my network, and Forefront TMG is not and will not ever function as an IPv6-friendly router, some IPv6 configuration parameters were necessary on my DHCP servers. I found the following commands that would purportedly fix the problem.

netsh interface ipv6 set interface LAN advertise=en managed=en other=en (replace LAN with the interface name of the NIC attached to the subnet where IP addresses are being distributed)

netsh interface ipv6 add route fde5:23ba:4545:4ccd::/64 LAN publish=yes (replace fde5:23ba:4545:4ccd::/64 with the unique local address prefix you have chosen for your network, and LAN with the appropriate interface name as described above)

The above guidance is echoed by Stoyan Chalakov at http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/3adb37e7-97b0-42a0-a5e6-6864bd0a2c85.

Unfortunately, all of this is wrong in situations where a network’s only router is a computer running Windows Server. Per Joseph Davies (Understanding IPv6, Third Edition, page 211), Windows Server (any variant) will not set the Autonomous flag in a way that ever instructs DHCPv6 clients to configure the appropriate interface prefix.

An IPv6 router running Windows cannot be configured to clear the Autonomous flag in Prefix Information options.

Davies elaborates on the effect of this, also on page 211:

A key difference between DHCPv6 and DHCP for IPv4 is that IPv6 hosts do not automatically configure a directly attached subnet route for the 64-bit prefix of the IPv6 address assigned by the DHCPv6 server.

The net result in a Windows-only router environment is that, unless each DHCPv6 stateful client is configured individually, the clients will never be able to communicate properly using their DHCPv6-assigned addresses.

😦

Note that if you execute the aforementioned command (repeated below) on each client, IPv6 works correctly with the DHCPv6-assigned stateful address.

netsh interface ipv6 add route fde5:23ba:4545:4ccd::/64 LAN publish=yes (replace fde5:23ba:4545:4ccd::/64 with the unique local address prefix you have chosen for your network, and LAN with the appropriate interface name)

So if you rely solely on Forefront TMG 2010 to act as a router for your network and want to use DHCPv6 stateful configuration, you’re not going to be successful without making manual adjustments to all of your clients. Although such adjustments could be incorporated into a login script or other centralized and “automatic” mechanism, your non-Windows but IPv6-capable clients will need manual intervention as well.
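For the Windows clients, the per-client fix above can be wrapped in a script suitable for the login-script or startup-script deployment just mentioned. The following PowerShell is an added example written for this page, not code from the original post: it checks for an elevated token, confirms the NIC exists, reports which addresses the interface actually obtained from DHCPv6, adds the on-link route with the same netsh command given above only if it is not already present (so the script is safe to run at every logon), and then displays the resulting route. The prefix fde5:23ba:4545:4ccd::/64 and the alias LAN are the post's placeholders and must be replaced with your own values.

```powershell
# Added example (not from the original post): idempotent wrapper around the
# client-side workaround, intended for a login or startup script.
# $Prefix and $InterfaceAlias are placeholders taken from the post; replace them.
param(
    [string]$Prefix         = 'fde5:23ba:4545:4ccd::/64',  # your ULA /64 for this subnet
    [string]$InterfaceAlias = 'LAN'                        # the client's NIC name
)

$ErrorActionPreference = 'Stop'

# Route table changes need an elevated token; fail early with a clear message otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must run from an elevated (administrator) PowerShell session.'
}

# Confirm the interface exists before touching anything (throws if the alias is wrong).
Get-NetAdapter -Name $InterfaceAlias | Out-Null

# Show what the DHCPv6 server actually handed out, so a missing address is not
# mistaken for the missing-route problem described in the post.
$dhcpAddrs = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 |
    Where-Object { $_.PrefixOrigin -eq 'Dhcp' }
if (-not $dhcpAddrs) {
    Write-Warning "No DHCPv6-assigned address on ${InterfaceAlias}; check the DHCPv6 scope first."
} else {
    Write-Host "DHCPv6-assigned address(es) on ${InterfaceAlias}: $($dhcpAddrs.IPAddress -join ', ')"
}

# Idempotent: only add the on-link route when it is not already in the table.
$existing = Get-NetRoute -AddressFamily IPv6 -InterfaceAlias $InterfaceAlias -ErrorAction SilentlyContinue |
    Where-Object { $_.DestinationPrefix -eq $Prefix }
if ($existing) {
    Write-Host "Route $Prefix already present on ${InterfaceAlias}; nothing to do."
} else {
    # The same command the post gives, run through netsh so it matches the documented fix.
    netsh interface ipv6 add route $Prefix $InterfaceAlias publish=yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh exited with code $LASTEXITCODE while adding $Prefix" }
    Write-Host "Added on-link route $Prefix via ${InterfaceAlias}."
}

# Verify: the prefix should now appear as an on-link route for this interface.
Get-NetRoute -AddressFamily IPv6 -InterfaceAlias $InterfaceAlias |
    Where-Object { $_.DestinationPrefix -eq $Prefix } |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Publish -AutoSize
```

Because the script re-reads the route table before acting, it can be assigned as a startup script through Group Policy and run on every boot without accumulating duplicate routes; the warning path makes it obvious when a client has no DHCPv6 address at all, which is a different failure from the one described in this post. Non-Windows clients still need their own equivalent, as noted above.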