ADSelfService Plus in a mixed IPV4/IPV6 Environment (with solution)

It seems that version 6.0 Build 6013 and older of the AD SelfService Plus program (ADSP) work only over IPv4, and in a mixed IPv4/IPv6 environment the program flat out will not work at all.

With many networks now running dual-stack, that makes the Self Service program a non-starter: it simply will not communicate over the network. Hopefully a near-future release will add IPv6 support to the program. Meanwhile, I've found a workaround for the mixed IPv6/IPv4 environment.

It comes down to IPv6 prefix policies and the default prefix policy table in Windows 8 and newer. Apparently, ADSP only uses the first prefix policy after the loopback entry, i.e. the highest-precedence policy that applies to real network traffic. To see the prefix policy table on a Windows 10 computer, open an administrative command prompt and run "netsh interface ipv6 show prefixpolicies". You get the policies listed in precedence order, as below.

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        35      4  ::ffff:0:0/96
        30      2  2002::/16
         5      5  2001::/32
         3     13  fc00::/7
         1     11  fec0::/10
         1     12  3ffe::/16
         1      3  ::/96

The type of address each prefix policy represents:

::1/128        Loopback
::/0           Native IPv6 (the default prefix, matching any IPv6 address)
::ffff:0:0/96  IPv4-mapped address, i.e. an IPv4 address
2002::/16      6to4 tunnel address
2001::/32      Teredo address
fc00::/7       IPv6 Unique Local Address (ULA)
fec0::/10      IPv6 site-local address (deprecated)
3ffe::/16      6bone (former test network, deprecated)
::/96          IPv4-compatible address (deprecated)

As you can see, native IPv6 (::/0, precedence 40) ranks above IPv4 (::ffff:0:0/96, precedence 35). ADSP appears to attempt communication only through the highest-ranked policy in that list that applies to network traffic. Note that the top entry, with precedence 50, is the loopback address, so it does not count as a network communication policy. That leaves the ::/0 IPv6 prefix as the highest network policy, so ADSP ends up trying IPv6, which it does not support.

If we give the IPv4-mapped prefix (::ffff:0:0/96) a higher precedence than ::/0, ADSP works just fine. Note that this has to be done on every computer that will use the program, including the computer the ADSP server software is installed on.

Be careful when changing the precedence order: every application on that machine that resolves a dual-stack hostname will now prefer IPv4, so it is perfectly possible for other programs to be affected. The most common issue is slower network performance.

To change the policy precedence so that IPv4 ranks above IPv6, enter the following command in an administrative command prompt.

 netsh interface ipv6 set prefixpolicy ::ffff:0:0/96 46 4

Now list the policies again with:

netsh interface ipv6 show prefixpolicies

The IPv4-mapped policy is now listed with a precedence of 46, above the ::/0 IPv6 policy (40) and below loopback (50). netsh writes to the persistent store by default, so the change survives a reboot; it does need to be run from an elevated (administrator) prompt.

 

If testing shows this creates issues for other programs and you need to restore the original precedence, simply re-enter the netsh command with the "46" changed back to the default value of "35".
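The set/verify/revert procedure above, as an added PowerShell example that is not part of the original post. It parses the netsh table into objects, applies the new precedence to the IPv4-mapped prefix, and then checks both that the value took and that no other policy entry disappeared. It assumes Windows 8/Server 2012 or newer, netsh.exe in PATH printing its English-language table, and an elevated prompt; the function names are the example's own.

```powershell
# Added example, not from the original post. Inspects, changes and reverts the
# ::ffff:0:0/96 (IPv4-mapped) prefix policy from an elevated PowerShell prompt.
# Assumptions: Windows 8/Server 2012 or newer, netsh.exe in PATH and printing its
# English-language table. Function names are the example's own.

function Get-PrefixPolicyTable {
    # Parse "netsh interface ipv6 show prefixpolicies" into objects. Data rows look
    # like "        50      0  ::1/128"; the header and "Querying active state..." are skipped.
    netsh interface ipv6 show prefixpolicies | ForEach-Object {
        if ($_ -match '^\s*(\d+)\s+(\d+)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Precedence = [int]$Matches[1]
                Label      = [int]$Matches[2]
                Prefix     = $Matches[3]
            }
        }
    }
}

function Set-IPv4MappedPrecedence {
    # 46 puts IPv4 above native IPv6 (::/0 = 40) for ADSP; 35 restores the Windows default.
    param([Parameter(Mandatory)][int]$Precedence)

    $prefix = '::ffff:0:0/96'
    $label  = 4                       # Windows' default label for the IPv4-mapped prefix

    $before = @(Get-PrefixPolicyTable)
    $entry  = $before | Where-Object { $_.Prefix -eq $prefix }
    if (-not $entry) { throw "$prefix is missing from the prefix policy table; refusing to continue." }
    if ($entry.Precedence -eq $Precedence) {
        Write-Host "$prefix already has precedence $Precedence; nothing to do."
        return $true
    }

    # store=persistent (the default) writes the change to the registry so it survives a reboot.
    netsh interface ipv6 set prefixpolicy $prefix $Precedence $label store=persistent | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh exited with code $LASTEXITCODE" }

    # Verify: the entry carries the new value and no other policy vanished
    # (the post reports the whole table being wiped when the command runs from the wrong trigger).
    $after = @(Get-PrefixPolicyTable)
    $v4    = ($after | Where-Object { $_.Prefix -eq $prefix }).Precedence
    $v6    = ($after | Where-Object { $_.Prefix -eq '::/0' }).Precedence
    $ok    = ($v4 -eq $Precedence) -and ($after.Count -eq $before.Count)

    Write-Host ("IPv4-mapped={0}  native IPv6={1}  entries before/after={2}/{3}  IPv4 preferred={4}" -f `
        $v4, $v6, $before.Count, $after.Count, ($v4 -gt $v6))
    return $ok
}

# Usage (elevated prompt):
#   Set-IPv4MappedPrecedence -Precedence 46   # the workaround described in the post
#   Set-IPv4MappedPrecedence -Precedence 35   # revert to the Windows default order
```

The function returns $true only when the new precedence is visible in the active table and the entry count is unchanged, so it can be used as a quick health check across the machines you touched, including the ADSP server itself.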

The netsh command can also be pushed across the network with Group Policy, by creating an admin-level Task Scheduler task that runs once and then deletes itself. If you do this, it's important to run the netsh command through PowerShell. The command line would be:

Powershell -command “netsh interface ipv6 set prefixpolicy ::ffff:0:0/96 46 4”

Set the task to run at a specified time. Any other trigger, such as "at logon", caused all other prefix policies to be removed.
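The one-shot, self-deleting task described above, as an added example that is not from the original post: it registers the same powershell.exe/netsh command line as a scheduled task with the ScheduledTasks module, which is handy for testing on a single machine before building the Group Policy item. It assumes Windows 8/Server 2012 or newer and an elevated prompt; the task name, run time and seven-day catch-up window are illustrative choices.

```powershell
# Added example, not from the original post. Registers the one-shot, self-deleting
# task the post describes, using the ScheduledTasks module (Windows 8/Server 2012+).
# Run from an elevated prompt. Task name, run time and the 7-day window are illustrative.

$taskName = 'ADSP-PreferIPv4'                                 # hypothetical task name
$runAt    = (Get-Date).Date.AddDays(1).AddHours(3)            # tomorrow at 03:00

# The post's command line: netsh wrapped in powershell.exe.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -Command "netsh interface ipv6 set prefixpolicy ::ffff:0:0/96 46 4"'

# Run once at a fixed time; the post warns that logon-style triggers wiped the policy table.
$trigger = New-ScheduledTaskTrigger -Once -At $runAt
# DeleteExpiredTaskAfter only works when the trigger has an end boundary (ISO 8601 string).
# A week of slack lets machines that were off at $runAt still catch the run via StartWhenAvailable.
$trigger.EndBoundary = $runAt.AddDays(7).ToString('s')

# SYSTEM with highest privileges: netsh needs admin rights to change the persistent store.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10) `
    -DeleteExpiredTaskAfter (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm registration and the scheduled run.
Get-ScheduledTask -TaskName $taskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime, LastTaskResult
```

The Group Policy Preferences Scheduled Tasks item exposes the same pieces (a one-time trigger with an expiry, a SYSTEM principal running with highest privileges, and deletion after expiry), so once the task behaves on a test machine the settings carry over directly. After the run, confirm with "netsh interface ipv6 show prefixpolicies" that all nine entries are still present and only the ::ffff:0:0/96 precedence changed.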