Failover Clustering and IPv6 in Windows Server 2012 R2


In this blog, I will discuss some common questions pertaining to IPv6 and Windows Server 2012 R2 Failover Clusters.

What network protocol does Failover Clustering default to?

If both IPv4 and IPv6 are enabled (which is the default configuration), IPv6 will always be used by clustering. The key takeaway is that it is not required to configure IPv4 when the IPv6 stack is enabled, and you can go as far as to unbind IPv4. Additionally, you can use link-local (fe80) IPv6 addresses for your internal cluster traffic, so IPv6 can be used for clustering even if you don’t use IPv6 for your public-facing interfaces. Note that you can only have one cluster network using IPv6 link-local (fe80) addresses in your cluster. All networks that have IPv6 also have an IPv6 link-local address, which is ignored if any IPv4 or other IPv6 prefix is present.

Should IPv6 be disabled for Failover Clustering?

The recommendation for Failover Clustering and Windows in general, starting in 2008 RTM, is to not disable IPv6 for your Failover Clusters. The majority of the internal testing for Failover Clustering is done with IPv6 enabled. Therefore, having IPv6 enabled will result in the safest configuration for your production deployment.

Will Failover Clustering cease to work if IPv6 is disabled?

A common misconception is that Failover Clustering will cease to work if IPv6 is disabled. This is incorrect. The Failover Clustering release criterion includes functional validation in an IPv4-only environment.

How does Failover Clustering handle IPv6 being disabled?

There are two levels at which IPv6 can be disabled:

1)      At the adapter level: This is done by unbinding the IPv6 stack by launching ncpa.cpl and unchecking “Internet Protocol Version 6 (TCP/IPv6)”. 

Failover Clustering behavior: NetFT, the virtual cluster adapter, will still tunnel traffic using IPv6 over IPv4.

2)      At the registry level: This can be done using the following steps:

  1. Launch regedit.exe.
  2. Navigate to the HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > services > TCPIP6 > Parameters key.
  3. Right-click Parameters in the left sidebar, choose New->DWORD (32 bit) Value, and create an entry DisabledComponents with value FFFFFFFF.
  4. Restart your computer to disable IPv6.

Failover Clustering behavior: This is the only scenario where NetFT traffic will be sent entirely over IPv4. Note that this is not recommended and is not the mainstream tested code path.
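To tell which of the two levels applies on a node, the following added example (not part of the original post) reads the adapter bindings and the DisabledComponents value and maps the result to the NetFT behavior described above. The function name Get-ClusterNodeIPv6State is hypothetical; Get-NetAdapterBinding and the ms_tcpip6 component ID are standard on Windows Server 2012 and later.

```powershell
# Added example: classify how IPv6 is disabled on the local node.
# It reads the configured registry value; a change there only takes effect after a restart.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-ClusterNodeIPv6State {   # hypothetical helper name
    # Registry level: a missing DisabledComponents value means it was never set.
    $prop = Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue
    # Format as hex so the comparison works whether the DWORD comes back signed or unsigned.
    $hex  = if ($null -ne $prop) { '{0:X8}' -f $prop.DisabledComponents } else { $null }

    # Adapter level: adapters where "Internet Protocol Version 6 (TCP/IPv6)" is unchecked.
    $unbound = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 |
                 Where-Object { -not $_.Enabled } |
                 Select-Object -ExpandProperty Name)

    # Map the finding to the NetFT behavior the article gives for each level.
    $netft = if ($hex -eq 'FFFFFFFF') {
        'Registry-level disable: NetFT traffic is sent entirely over IPv4 (not recommended)'
    } elseif ($hex -and $hex -ne '00000000') {
        'DisabledComponents is set to a value other than the one in the article; review manually'
    } elseif ($unbound.Count -gt 0) {
        'Adapter-level unbind: NetFT still tunnels IPv6 over IPv4'
    } else {
        'IPv6 enabled: recommended configuration'
    }

    [pscustomobject]@{
        Node               = $env:COMPUTERNAME
        DisabledComponents = if ($hex) { "0x$hex" } else { '(not set)' }
        UnboundAdapters    = $unbound -join ', '
        NetFTBehavior      = $netft
    }
}

Get-ClusterNodeIPv6State | Format-List
```

Run it on every node of the cluster, since both settings are per-node.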

Any gotchas with using Symantec Endpoint Protection and Failover Clustering?

A default Symantec Endpoint Protection (SEP) firewall policy has rules to block IPv6 communication and IPv6 over IPv4 communication, which conflicts with Failover Clustering communication over IPv6 or IPv6 over IPv4. Currently, the Symantec Endpoint Protection firewall doesn't support IPv6. This is also indicated in the guidance from Symantec here. The default firewall policies in SEP Manager are shown below:

It is therefore recommended that if SEP is used on a Failover Cluster, the rules indicated above blocking IPv6 and IPv6 over IPv4 traffic be disabled. Also, refer to the following article - About Windows and Symantec firewalls

Do Failover Clusters support static IPv6 addresses?

The Failover Cluster Manager and clustering in general are streamlined for the most common case (in which customers do not use static IPv6 addresses). Networks are configured automatically, in that the cluster will automatically generate IPv6 addresses for the IPv6 Address resources on your networks. If you prefer to select your own statically assigned IPv6 addresses, you can reconfigure the IPv6 Address resources using PowerShell as follows (a static address cannot be specified when the cluster is created):

Open a Windows PowerShell® console as an Administrator and do the following:

1)  Create a new IPv6 Cluster IP Resource

Add-ClusterResource -Name "IPv6 Cluster Address" -ResourceType "IPv6 Address" -Group "Cluster Group"

2)  Set the properties for the newly created IP Address resource

Get-ClusterResource "IPv6 Cluster Address" | Set-ClusterParameter -Multiple @{"Network"="Cluster Network 1"; "Address"= "2001:489828:4::";"PrefixLength"=64}

3)  Stop the netname which corresponds to this static IPv6 address

Stop-ClusterResource "Cluster Name"

4)  Create a dependency between the netname and the static IPv6 address

Set-ClusterResourceDependency "Cluster Name" "[Ipv6 Cluster Address]"

You might consider having an OR dependency between the netname and the static IPv6 and IPv4 addresses, as follows:

Set-ClusterResourceDependency "Cluster Name" "[Ipv6 Cluster Address] or [Ipv4 Cluster Address]"

5)  Restart the netname

Start-ClusterResource "Cluster Name"
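The five steps above as one script, given here as an added example that is not part of the original post: it validates the address before touching the cluster, brings the netname back online even if the dependency change fails, and then prints the result for review. The address 2001:db8:0:4::10 is a constructed sample from the documentation prefix; the resource, group and network names are the ones used in the steps above and are assumed to match your cluster.

```powershell
Import-Module FailoverClusters

# Constructed sample values; replace with your own.
$netName = 'Cluster Name'
$ipRes   = 'IPv6 Cluster Address'
$network = 'Cluster Network 1'
$address = '2001:db8:0:4::10'   # documentation prefix, not a real assignment
$prefix  = 64

# Refuse anything that does not parse as an IPv6 literal before changing the cluster.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($address, [ref]$parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
    throw "'$address' is not a valid IPv6 address"
}

# Steps 1 and 2: create the resource only if it is missing, then set its parameters.
if (-not (Get-ClusterResource -Name $ipRes -ErrorAction SilentlyContinue)) {
    Add-ClusterResource -Name $ipRes -ResourceType 'IPv6 Address' -Group 'Cluster Group' | Out-Null
}
Get-ClusterResource -Name $ipRes |
    Set-ClusterParameter -Multiple @{ Network = $network; Address = $address; PrefixLength = $prefix }

# Steps 3 to 5: the netname is offline only for the duration of the dependency change.
Stop-ClusterResource -Name $netName | Out-Null
try {
    # Use "[$ipRes] or [<IPv4 resource name>]" here for the OR form shown above.
    Set-ClusterResourceDependency -Resource $netName -Dependency "[$ipRes]"
}
finally {
    # Always restart the netname, even when the dependency could not be set.
    Start-ClusterResource -Name $netName | Out-Null
}

# Verify what the cluster now holds.
Get-ClusterResourceDependency -Resource $netName
Get-ClusterResource -Name $ipRes | Get-ClusterParameter -Name Address, PrefixLength, Network
```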

 

For name resolution, if you prefer not to use dynamic DNS, you can configure DNS mappings for the address automatically generated by the cluster, or you can configure DNS mappings for your static address. Also note that Cluster IPv6 Address resources do not support DHCPv6.

 

Thanks!

Subhasish Bhattacharya                                                                                                               

Program Manager                                                                                          

Clustering & High Availability                                                                                      

Microsoft           

  • That is certainly a good reference ! Thanks to the Team !

  • If you do elect to statically assign addresses for the cluster and prevent the cluster from updating in DNS, is there a way to suppress the warning in the logs that the cluster couldn't update DNS?

  • In WS2012 R2, your option is to uncheck the "Register this connection's address in DNS" option for the adapter. You'd have to do this on all nodes in the cluster. So ncpa.cpl -> Properties for adapter -> Advanced TCP/IP Settings -> DNS -> Uncheck "Register this connection's address in DNS". We are aware of this issue and will make the end to end experience better in vNext...

  • You wrote:

    " .... for the most common case (in which customers do not use static IPv6 address)."

    Are you really sure about this? Here is one customer ... and we decided to turn off SLAAC in our datacenter / server environment. Another story is office, mobile equipment. Ok.

    But in datacenter (and failover clusters are usually located in a datacenter :-)) I want static addresses.

    So I already changed the automatically generated IPv6 address of the cluster to static. And I have to use PowerShell (or the good, old cluster.exe ... it should live long and prosper!!!) to add new static addresses and the related network names.

    I am sorry, but I doubt that the "most common case" out there is to have automatically generated IPv6 addresses!

    Best regards,

    Kalle

  • Thanks for taking the time to give us feedback Kalle! This is the kind of input which helps us determine what features make the cut for vNext.

    In this context what would be useful to you? Being able to configure static IPv6 addresses end-to-end through Failover Cluster Manager? Support for IPv6 static addresses through New-Cluster? Anything else?
