When the DA client has a native IPv6 address, I can't get DirectAccess working properly. The environment is:
- DA clients are Windows 8 or higher.
- DA server is Windows Server 2012 R2 with IPv4 and IPv6 enabled on the intranet interface.
When the DA client has only an IPv4 address, everything is working great through IP-HTTPS. We do not use 6to4 or Teredo in that case.
What I see:
- the DA client tries to contact the IPv6 address of the 6to4 adapter on the DA server. Even if there is a proper IPv6 route for the 6to4 prefix in the infrastructure between the DA client and the server, the DA server does not respond.
- the DA client falls back to IP-HTTPS. However, the DA client registers its external and IP-HTTPS IPv6 addresses in the intranet DNS server. This is at least very confusing.
- in the Windows Firewall IPsec policies, I only see references to the Intranet IPv6 prefixes and the NAT64 prefix, nothing about the external IPv6 address of the DA server.
I've read a lot of articles, including http://www.ivonetworks.com/news/2011/11/client-side-ipv6-and-directaccess-dont-always-get-along/, but no one seems able to provide good guidance, although the scenario with client-side IPv6 is supported according to Microsoft.
Today, you can no longer say this is a corner case. Moreover, it is rather strange to put a workaround in place that dictates unbinding IPv6 on the client side in order to get an IPv6 technology like DirectAccess working properly.
Note: some previous threads without good answers:
- https://social.technet.microsoft.com/Forums/en-US/e4bbb30e-161a-4847-918d-ba34934b4877/directaccess-double-dns-registration-issue-with-native-ipv6-client?forum=winserverNIS
Best Regards,
Stefaan
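The following client-side diagnostic script is an added example and is not part of Stefaan's post or of any Microsoft tooling. It collects, on a Windows 8 or later DA client, the state the post describes: the 6to4 and Teredo configuration, the IP-HTTPS configuration and state, the global IPv6 addresses present per interface (native, 6to4 and IP-HTTPS addresses all appear here and can be told apart by interface alias), which interfaces register their addresses in DNS, and finally which AAAA records the intranet DNS server currently holds for the client. The intranet DNS server address (`10.0.0.10`) is an assumed value you replace with your own; the client FQDN defaults to the machine's own host and domain name.

```powershell
<#
  Added example (not from the original post): gather DirectAccess
  transition-technology state on a Windows 8+ DA client so that the
  symptoms described above (6to4 attempted first, IP-HTTPS fallback,
  unexpected AAAA registrations) can be observed in one place.
  Run in an elevated PowerShell session on the DA client.
#>
param(
    # Assumed value: the intranet DNS server that holds the client's AAAA records.
    [string]$IntranetDns = '10.0.0.10',
    # Optional: the FQDN the client registers; derived from host + domain name if empty.
    [string]$ClientFqdn = ''
)

if (-not $ClientFqdn) {
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $ClientFqdn = "$($ipProps.HostName).$($ipProps.DomainName)"
}

Write-Host '== DirectAccess connection status =='
Get-DAConnectionStatus -ErrorAction SilentlyContinue | Format-List Status, Substatus

Write-Host '== Transition technology configuration =='
# 6to4 State of Default/Automatic means the client will try 6to4 first when it
# holds a public IPv4 address; Disabled forces it to skip that adapter.
Get-Net6to4Configuration    | Format-List State, RelayName, RelayState
Get-NetTeredoConfiguration  | Format-List Type, ServerName
Get-NetIPHttpsConfiguration | Format-List ServerURL, State, Type
Get-NetIPHttpsState         | Format-List LastErrorCode, InterfaceStatus

Write-Host '== Global-scope IPv6 addresses per interface =='
# Link-local and loopback are filtered out; InterfaceAlias distinguishes the
# native LAN/Wi-Fi adapter from the 6to4 and IPHTTPSInterface tunnel adapters.
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -notmatch '^fe80' -and $_.IPAddress -ne '::1' } |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin, SkipAsSource |
    Format-Table -AutoSize

Write-Host '== Interfaces that register their addresses in DNS =='
# An interface with RegisterThisConnectionsAddress = True pushes every address
# it owns that is not marked SkipAsSource into the zone, tunnel addresses included.
Get-DnsClient |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress, ConnectionSpecificSuffix |
    Format-Table -AutoSize

Write-Host "== AAAA records for $ClientFqdn on $IntranetDns =="
try {
    Resolve-DnsName -Name $ClientFqdn -Type AAAA -Server $IntranetDns -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'AAAA' } |
        Select-Object Name, IP6Address, TTL |
        Format-Table -AutoSize
} catch {
    Write-Warning "AAAA lookup against $IntranetDns failed: $($_.Exception.Message)"
}
```

Compare the addresses listed under the tunnel adapters with the AAAA records returned at the end: any IP-HTTPS or 6to4 address that appears in the zone came from an interface whose RegisterThisConnectionsAddress is True and whose address is not flagged SkipAsSource, which is exactly the double-registration the post describes.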