Getting your Active Directory ready for Windows 7, Part 5
Change is upon us. Where many Active Directory administrators have stuck with Windows XP, because no valid alternatives (Windows Vista, *nix) were available, now the business wants to upgrade to Windows 7.
Whatever the business reasons behind Windows 7, as an Active Directory administrator a couple of key elements should stand out. We’ve already covered some Group Policy, BitLocker, DirectAccess and Activation stuff in Part 1, Part 2, Part 3 and Part 4 of this series. Now, it’s time for a little straightforward network configuration, due to the fact that Windows 7 comes equipped with a new network stack (when compared to Windows XP) and, for instance, by default has IPv6 enabled.
Active Directory can help with configuring these networking settings.
Next Generation IP Stack
The Next Generation IP Stack is part of what Microsoft calls the "Scalable Network Initiative". Introduced with Windows Vista, Microsoft’s 'Next Generation IP Stack' optimizes networking between hosts running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
In the past, when introducing these Operating Systems in a Windows 2000 Server-based or Windows Server 2003-based network, several complaints were heard. These complaints focused on networking delays, network unresponsiveness and low network throughput speeds. In many environments, the IP configuration was tweaked down, ensuring network access without delays. The commands to disable Receive-Side Scaling, Chimney Offloading and Receive Window Auto-Tuning for all networking connections were described in my blog post on Backward Compatible Networking with Server Core.
Windows 2000 Server, Windows Server 2003, 100Mb/s networks
In environments with 100Mb/s networking and Windows 2000 Server or Windows Server 2003-based server functionality, I recommend disabling the Receive-Side Scaling, Chimney Offloading and Receive Window Auto-Tuning functionality by running the following three commands:
netsh interface tcp set global rss=disabled
netsh interface tcp set global chimney=disabled
netsh interface tcp set global autotuning=disabled
These commands can easily be configured (for an Organizational Unit containing computer accounts for hosts running Windows 7) using Group Policy Preferences. Of course, after changing anything on your sample Windows 7 deployment box, examine the outcome of your changes on network speeds and responsiveness. When you observe a negative impact, undo your changes by running the above command lines, replacing disabled with enabled.
Windows Server 2008 (R2), 1000Mb/s networks
For environments with Windows Server 2008 and/or Windows Server 2008 R2 File Servers and Domain Controllers and/or SMB/CIFS storage supporting the above functionality and 1000Mb/s networking speeds, I recommend leaving the default network stack optimizations in place.
- Microsoft Windows Server 2008 (R2)-based DHCPv6 server
- Group Policy Preferences to correct the way interface identifiers are created
Besides using the default configuration for Windows Vista and Windows 7 installations, it is recommended to leave IPv6 on for these Operating Systems. By default these Operating Systems come equipped with an IPv4/IPv6 dual stack, allowing concurrent IPv4 and IPv6 traffic from and to these boxes. IPv6 in these operating systems isn’t shocking, since by default good old IPv4 is also enabled and bound, but IPv6 comes with a couple of implications.
Stateless Address Auto Configuration vs. DHCPv6
Without a DHCPv6 server on the network, Windows 7 will use an automatically configured stateless IPv6 address. This process is called Stateless Address Auto Configuration (SLAAC). While these addresses allow IPv6-enabled devices to communicate with each other, they will not allow communication with the outside world. You can gain more control over stateless auto configuration settings by using DHCPv6 to assign IPv6 network addresses statefully.
DHCPv6 is available in Windows Server 2008 and Windows Server 2008 R2. Although IPv6 is available for Windows Server 2003 as an optional update, the update does not include DHCPv6 functionality. If you want to use DHCPv6, you will need to implement at least one (Windows Server 2008-based or Windows Server 2008 R2-based) DHCPv6 Server.
I strongly recommend implementing a DHCPv6 server. With IPv6 enabled (the default) in your Windows Vista or Windows 7 clients, implementing a DHCPv6 server is a good security measure. Attack vectors on SLAAC-configured IPv6-capable Operating Systems have been made publicly available earlier this month.
One of the benefits of a Microsoft networking environment with Active Directory is authorized DHCP servers. Without the consent of a domain admin, no user can run a Windows-based DHCP server on the network. The list of authorized DHCP servers is stored in Active Directory as the multi-valued DhcpServers attribute of the object named CN=DhcpRoot,CN=NetServices,CN=Services,CN=Configuration,DC=DomainName,DC=tld, where DomainName is the DNS Domain Name and tld is the DNS Top Level Domain of your Active Directory.
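As an added example (not code from the original post), the following PowerShell reads that DhcpRoot object through ADSI, so it works on a domain-joined Windows 7 box without the ActiveDirectory module, and compares the authorized list against the DHCP server that handed out the local lease. The "i<ip>$r<dn>$s<fqdn>$" layout of each DhcpServers value and the English ipconfig label are assumptions; values that do not match are shown raw rather than dropped.

```powershell
# Added example: list the DHCP servers Active Directory has authorized.
function Get-AuthorizedDhcpServer {
    param(
        # Defaults to the configuration naming context of the current forest
        [string]$ConfigurationNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    )
    $dhcpRoot = [ADSI]("LDAP://CN=DhcpRoot,CN=NetServices,CN=Services," + $ConfigurationNC)
    foreach ($value in @($dhcpRoot.dhcpServers)) {
        # Assumed encoding of each multi-valued entry: i<ip>$r<dn>$s<fqdn>$
        if ($value -match '^i(?<ip>[^$]+)\$r(?<dn>[^$]*)\$s(?<fqdn>[^$]+)\$') {
            New-Object PSObject -Property @{
                IPAddress = $Matches['ip']; Name = $Matches['fqdn']; Raw = $value }
        } else {
            # Unknown layout: keep the raw value so nothing is silently hidden
            New-Object PSObject -Property @{ IPAddress = $null; Name = $null; Raw = $value }
        }
    }
}

# Added example: flag a lease that did not come from an authorized server.
function Test-LeaseFromAuthorizedServer {
    param(
        [string[]]$Authorized = @(Get-AuthorizedDhcpServer | ForEach-Object { $_.IPAddress })
    )
    # English-locale ipconfig label (assumption): "DHCP Server . . . . : 10.0.0.1"
    $leaseServers = ipconfig /all |
        Where-Object { $_ -match 'DHCP Server[ .]*: (?<ip>\S+)' } |
        ForEach-Object { $Matches['ip'] }
    foreach ($ip in $leaseServers) {
        New-Object PSObject -Property @{
            DhcpServer = $ip
            Authorized = ($Authorized -contains $ip)
        }
    }
}

Get-AuthorizedDhcpServer | Format-Table IPAddress, Name -AutoSize
Test-LeaseFromAuthorizedServer | Format-Table DhcpServer, Authorized -AutoSize
```

A lease reported with Authorized = False is worth a closer look, since the Windows DHCP service refuses to serve when it is not authorized, so such a server is either non-Windows or not what you expect.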
To avoid these kinds of attacks and mitigate the risk of man-in-the-middle attacks through rogue DHCPv6 servers, as an alternative to implementing an authorized DHCPv6 server, you can also disable Router Discovery on the IPv6 interfaces of your computers, using the following command line in a startup script or Group Policy Preference:
netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled
Interface Identifiers (RFC4941)
According to Scott Hogg on Network World, Microsoft got the implementation of RFC 4941 wrong, which messes up how interface identifiers should be created. This might cause networking issues with legacy non-RFC4941 network appliances. You can force Windows 7 to use the correct method by issuing the following command:
netsh interface ipv6 set global randomizeidentifiers=disabled
The above command can easily be configured (for an Organizational Unit containing computer accounts for hosts running Windows 7) using Group Policy Preferences.
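Both the TCP stack commands from the 100Mb/s section and the randomizeidentifiers command above are pushed out through Group Policy Preferences, so before judging network behaviour on a test box it helps to confirm the settings actually arrived. The following PowerShell is an added example (not from the original post): it parses the output of netsh show global and reports each setting against the post's recommended value. The label names are those of English Windows 7 netsh output and the expected table matches the Windows 2000/2003, 100Mb/s recommendation; both are assumptions to adjust for your locale and environment.

```powershell
# Added example: parse "Name : value" lines from netsh show global output.
function ConvertFrom-NetshGlobal {
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # e.g. "Receive-Side Scaling State          : enabled"; headers without ':' are skipped
        if ($line -match '^\s*(?<name>[^:]+?)\s*:\s*(?<value>\S.*)$') {
            $settings[$Matches['name']] = $Matches['value'].Trim()
        }
    }
    $settings
}

# Added example: compare live netsh state with the values the post recommends.
function Test-NetStackBaseline {
    param(
        # Assumed English Windows 7 labels; values for the 100Mb/s, Win2000/2003 case
        [hashtable]$Expected = @{
            'Receive-Side Scaling State'       = 'disabled'
            'Chimney Offload State'            = 'disabled'
            'Receive Window Auto-Tuning Level' = 'disabled'
            'Randomize Identifiers'            = 'disabled'
        }
    )
    $actual = @{}
    $tcp  = ConvertFrom-NetshGlobal (netsh interface tcp show global)
    $ipv6 = ConvertFrom-NetshGlobal (netsh interface ipv6 show global)
    $tcp.Keys  | ForEach-Object { $actual[$_] = $tcp[$_] }
    $ipv6.Keys | ForEach-Object { $actual[$_] = $ipv6[$_] }
    foreach ($name in $Expected.Keys) {
        $value = $actual[$name]
        New-Object PSObject -Property @{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $value
            # $null Actual means the label was not found (other locale or OS version)
            Compliant = ($value -ne $null) -and ($value -eq $Expected[$name])
        }
    }
}

Test-NetStackBaseline | Format-Table Setting, Expected, Actual, Compliant -AutoSize
```

For the Windows Server 2008 (R2), 1000Mb/s case the post recommends leaving the defaults, so pass an $Expected table with the default values instead of the disabled ones.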
Optional: disabling IPv6
If, for any (good) reason, you want to disable the automatically configured IPv6 settings on your clients, you can do so with Group Policies. Note however, that Windows 7 was sufficiently tested not to cause trouble when IPv6 is left untouched (with the exception of the Interface Identifier trouble in combination with certain legacy networking equipment, as noted above).
You can disable IPv6 using Group Policy by following the steps outlined in Microsoft Knowledgebase Article 929852 (How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008).