What is the proper way to configure Active Directory and Domain Controllers when only a dynamic (not static) IPv6 prefix is available?
I never received an answer on this and couldn't find anything else on the Intertubes, so I figured I would answer this myself with my own setup/experience.
ISP: Comcast with a delegated prefix via DHCPv6
Router: pfSense 2.3.3
The WAN interface of the router is configured for DHCPv6 with a prefix hint of /56. (Your hint may need to be different based on your CPE and location.)
The LAN interface is set to "track" the WAN interface.
You will need to ensure you have a firewall rule configured to allow IPv6 traffic on your LAN interface.
The DHCPv6 server on pfSense is not enabled, nor do I have one anywhere else on the network.
The Router Advertisements on the LAN interface are configured for "Unmanaged", and the only other option I have filled in is the "Domain search list".
On the DNS Resolver, I have Domain Overrides configured for my AD domain using the internal IPv4 addresses of my DCs.
On my internal DNS servers, I created a reverse zone for the IPv6 network that is assigned to my LAN interface. (This works, but I have to keep an eye on it, in case the prefix delegation ever changes.)
The end result of all this…
Windows computers assign themselves IPv6 addresses based on the RAs from the router. However, because Windows does not support RFC6106, it only obtains DNS addresses from DHCPv4. This is actually a good thing in this case, since the IPv6 prefix is not static and might change without notice, therefore changing the IPv6 address of the DNS servers.
Windows computers also register their AAAA and PTR records for their IPv6 address.
What happens when the prefix changes?
Not much: existing connections continue to function using the "deprecated" prefix, and new connections are created with the new prefix.
I think I am breaking a "Best Practice" by not assigning static v6 addresses to my DC/DNS servers, but it seems to work just fine. (Would love some input on this.)
The only thing I have to do manually when the prefix changes is create the corresponding reverse lookup zone in DNS. (I should probably write a PS script to do that for me.)
If Comcast offered static prefixes, that would make things a bit cleaner.
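The manual step the answer mentions (creating the reverse lookup zone after the delegated prefix changes) can be automated. The following PowerShell script is an added example, not the poster's own script: it reads the global IPv6 address the DC received via SLAAC from the router's RA, derives the prefix and its ip6.arpa zone name, and creates an AD-integrated reverse zone with secure dynamic updates if one does not already exist. It assumes the DnsServer and NetTCPIP modules are present (a Windows Server DC with the DNS role), that the RA-derived address carries the correct prefix length (a /64 in the setup above), and that the prefix length is a multiple of 4 so that it maps cleanly onto ip6.arpa nibbles. The function and variable names are the example's own.

```powershell
# Added example: create the IPv6 reverse lookup zone for the prefix currently
# advertised to this DC. Not part of the original answer.
# Assumptions: DnsServer + NetTCPIP modules available; run on a DC with rights
# to create AD-integrated zones; the RA-derived address has the LAN prefix length.
Import-Module DnsServer

function Get-Ip6NetworkId {
    # Zero the host bits of $Address and return "prefix/length" for -NetworkId
    param(
        [Parameter(Mandatory)][System.Net.IPAddress]$Address,
        [Parameter(Mandatory)][int]$PrefixLength
    )
    $bytes = $Address.GetAddressBytes()
    for ($i = 0; $i -lt 16; $i++) {
        $keep = [Math]::Max(0, [Math]::Min(8, $PrefixLength - 8 * $i))
        $mask = (0xFF -shl (8 - $keep)) -band 0xFF
        $bytes[$i] = $bytes[$i] -band $mask
    }
    $network = [System.Net.IPAddress]::new($bytes)
    return "$($network.ToString())/$PrefixLength"
}

function Get-Ip6ArpaZoneName {
    # Build the reverse zone name: prefix nibbles reversed, joined with dots
    param(
        [Parameter(Mandatory)][System.Net.IPAddress]$Address,
        [Parameter(Mandatory)][int]$PrefixLength
    )
    if ($PrefixLength % 4 -ne 0) {
        throw "Prefix length $PrefixLength is not nibble-aligned; cannot map to ip6.arpa."
    }
    $hex = -join ($Address.GetAddressBytes() | ForEach-Object { $_.ToString('x2') })
    $nibbles = $hex.Substring(0, $PrefixLength / 4).ToCharArray()
    [array]::Reverse($nibbles)
    return (($nibbles -join '.') + '.ip6.arpa')
}

# Pick the global unicast address learned from the router advertisement (SLAAC),
# skipping link-local addresses.
$addr = Get-NetIPAddress -AddressFamily IPv6 -PrefixOrigin RouterAdvertisement -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike 'fe80*' } |
        Select-Object -First 1
if (-not $addr) {
    throw 'No RA-derived global IPv6 address found on this host.'
}

$ip        = [System.Net.IPAddress]::Parse($addr.IPAddress)
$networkId = Get-Ip6NetworkId   -Address $ip -PrefixLength $addr.PrefixLength
$zoneName  = Get-Ip6ArpaZoneName -Address $ip -PrefixLength $addr.PrefixLength

if (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue) {
    Write-Output "Reverse zone $zoneName already exists for $networkId."
} else {
    # AD-integrated, domain-wide replication, secure dynamic updates only, so that
    # only authenticated domain members can register PTR records in the new zone.
    Add-DnsServerPrimaryZone -NetworkId $networkId -ReplicationScope Domain -DynamicUpdate Secure
    Write-Output "Created reverse zone $zoneName for $networkId."
}
```

Running this on a schedule (or from a task triggered on network change) removes the manual step; because the check is idempotent it is safe to run repeatedly. Zones for prefixes that are no longer delegated are left in place by this script and can be reviewed and removed once their PTR records have been scavenged.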