How to Configure IPv6 on Windows Server 2025

How to Configure IPv6 on Windows Server 2025

IPv6 is no longer a future consideration — it is the present reality of modern networking. Windows Server 2025 ships with full IPv6 support enabled by default, and Microsoft strongly recommends keeping it active rather than disabling it, as many Windows components and features rely on the protocol internally. This tutorial walks you through every aspect of IPv6 configuration on Windows Server 2025: verifying the current binding state, assigning static addresses, setting up a DHCPv6 scope, registering DNS AAAA records, testing connectivity, creating firewall rules, and understanding when disabling IPv6 is appropriate. Whether you are preparing for a dual-stack enterprise deployment or simply auditing an existing server, this guide gives you the PowerShell commands and GUI steps needed to manage IPv6 with confidence.

Prerequisites

• Windows Server 2025 (Standard or Datacenter edition) installed and activated
• Administrator or Domain Admin credentials on the target server
• An understanding of basic IPv6 addressing (prefix notation, link-local addresses, global unicast ranges)
• If configuring DHCPv6: DHCP Server role already installed (Install-WindowsFeature DHCP -IncludeManagementTools)
• If registering DNS AAAA records: DNS Server role installed and a forward lookup zone already created
• PowerShell 7.x or Windows PowerShell 5.1 running as Administrator

Step 1 — Verify the Current IPv6 Binding State

Before making any changes, confirm whether IPv6 is bound to each network adapter. The Get-NetAdapterBinding cmdlet shows all protocol bindings across all adapters. Filter it to the IPv6 component (ms_tcpip6) to get a clean picture.

# List IPv6 binding state for every adapter
Get-NetAdapterBinding -Name * | Where-Object ComponentID -eq ms_tcpip6 |
    Select-Object Name, DisplayName, Enabled | Format-Table -AutoSize

A value of True in the Enabled column means IPv6 is active on that adapter. If you have a dedicated management NIC, you may see multiple rows. You can also inspect the full IPv6 configuration — including any auto-assigned link-local and SLAAC addresses — with:

# Show all IPv6 addresses currently on the server
Get-NetIPAddress -AddressFamily IPv6 | Format-Table InterfaceAlias, IPAddress, PrefixLength, Type -AutoSize

Link-local addresses (beginning with fe80::) are assigned automatically and require no configuration. Global unicast addresses (such as those in the 2001::/32 documentation range) must be assigned manually or via DHCPv6/SLAAC from a router.

Step 2 — Assign a Static IPv6 Address

Static IPv6 assignment is common for servers hosting DNS, Active Directory, or other infrastructure services where address stability is required. Use New-NetIPAddress to set the address, prefix length, and default gateway in a single command.

# Assign a static IPv6 address to the primary Ethernet adapter
New-NetIPAddress `
    -InterfaceAlias "Ethernet" `
    -IPAddress "2001:db8::10" `
    -PrefixLength 64 `
    -DefaultGateway "2001:db8::1"

# Assign IPv6 DNS servers
Set-DnsClientServerAddress `
    -InterfaceAlias "Ethernet" `
    -ServerAddresses ("2001:db8::53", "2001:db8::54")

Note that 2001:db8::/32 is the IANA-reserved documentation range and must not be used in production. Replace these addresses with your actual assigned Global Unicast Addresses (GUAs) from your ISP or internal IPAM system. To verify the assignment:

# Confirm the new address is present and preferred
Get-NetIPAddress -InterfaceAlias "Ethernet" -AddressFamily IPv6 |
    Select-Object IPAddress, PrefixLength, AddressState

The AddressState should show Preferred within a few seconds. If it shows Tentative, duplicate address detection (DAD) is still running — wait and re-query.

Step 3 — Configure a DHCPv6 Scope

If you prefer dynamic IPv6 addressing across your network, configure a DHCPv6 scope on your Windows Server 2025 DHCP server. DHCPv6 requires a scope in the DHCP Manager console or via PowerShell.

# Create a new DHCPv6 scope
Add-DhcpServerv6Scope `
    -Name "IPv6 Production Scope" `
    -Prefix "2001:db8::" `
    -State Active

# Set DNS server options for the scope
Set-DhcpServerv6OptionValue `
    -Prefix "2001:db8::" `
    -OptionId 23 `
    -Value "2001:db8::53","2001:db8::54"

# Set the domain search list
Set-DhcpServerv6OptionValue `
    -Prefix "2001:db8::" `
    -OptionId 24 `
    -Value "corp.example.com"

To exclude a range of addresses from the scope (such as statically assigned server addresses), use:

# Exclude the first 20 addresses for static assignment
Add-DhcpServerv6ExclusionRange `
    -Prefix "2001:db8::" `
    -StartRange "2001:db8::1" `
    -EndRange "2001:db8::20"

Open DHCP Manager (dhcpmgmt.msc), expand your server, expand IPv6, and confirm the new scope appears with a green up-arrow indicating it is active.

Step 4 — Register DNS AAAA Records

DNS AAAA records map a hostname to an IPv6 address. Add them on your Windows Server DNS using the Add-DnsServerResourceRecord cmdlet.

# Add an AAAA record for a server named "webserver01" in the corp.example.com zone
Add-DnsServerResourceRecord `
    -ZoneName "corp.example.com" `
    -AAAA `
    -Name "webserver01" `
    -IPv6Address "2001:db8::10"

# Verify the record was created
Get-DnsServerResourceRecord `
    -ZoneName "corp.example.com" `
    -Name "webserver01" `
    -RRType AAAA

If your server should also respond to the zone apex (e.g., example.com itself), use -Name "@". For reverse DNS lookups over IPv6, create a PTR record in the corresponding ip6.arpa reverse lookup zone:

# Add a PTR record for the IPv6 address
Add-DnsServerResourceRecord `
    -ZoneName "0.0.0.0.8.b.d.1.0.0.2.ip6.arpa" `
    -PTR `
    -Name "0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0" `
    -PtrDomainName "webserver01.corp.example.com."

Step 5 — Test IPv6 Connectivity

After configuration, validate end-to-end connectivity using both the classic ping command (with the -6 flag to force IPv6) and the modern Test-NetConnection cmdlet.

# Ping the default gateway over IPv6
ping -6 2001:db8::1

# Test connectivity to a remote host with port checking
Test-NetConnection -ComputerName "2001:db8::10" -Port 443

# Test DNS resolution for an AAAA record
Resolve-DnsName -Name "webserver01.corp.example.com" -Type AAAA

# Trace the IPv6 route to a destination
Test-NetConnection -ComputerName "2001:db8::10" -TraceRoute

Use netsh interface ipv6 show route to inspect the IPv6 routing table if connectivity fails. Check that the default route (::/0) via your gateway is present.

Step 6 — Create IPv6 Firewall Rules

Windows Defender Firewall applies separately to IPv4 and IPv6 traffic. Use New-NetFirewallRule with ::/0 as the remote address to target all IPv6 sources.

# Allow inbound HTTPS from any IPv6 source
New-NetFirewallRule `
    -DisplayName "Allow HTTPS Inbound IPv6" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 443 `
    -RemoteAddress "::/0" `
    -Action Allow `
    -Profile Any

# Allow inbound ICMPv6 (required for neighbor discovery and path MTU)
New-NetFirewallRule `
    -DisplayName "Allow ICMPv6 Inbound" `
    -Direction Inbound `
    -Protocol ICMPv6 `
    -RemoteAddress "::/0" `
    -Action Allow `
    -Profile Any

# Block inbound Telnet from IPv6 (port 23)
New-NetFirewallRule `
    -DisplayName "Block Telnet Inbound IPv6" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 23 `
    -RemoteAddress "::/0" `
    -Action Block `
    -Profile Any

# Verify the new rules
Get-NetFirewallRule | Where-Object DisplayName -like "*IPv6*" |
    Select-Object DisplayName, Direction, Action, Enabled

Do not block ICMPv6 wholesale — unlike IPv4, IPv6 relies on ICMPv6 for neighbor discovery, router solicitation, and path MTU discovery. Blocking it will cause connectivity failures that are difficult to diagnose.

Step 7 — Disable IPv6 on a Specific Adapter (If Required)

Microsoft recommends against disabling IPv6 system-wide, but there are legitimate cases where you need to remove it from a specific adapter — for example, a storage network that carries only iSCSI traffic. Use Disable-NetAdapterBinding for this targeted approach.

# Disable IPv6 on the iSCSI storage adapter only
Disable-NetAdapterBinding -Name "iSCSI" -ComponentID ms_tcpip6

# Confirm IPv6 is disabled on that adapter
Get-NetAdapterBinding -Name "iSCSI" |
    Where-Object ComponentID -eq ms_tcpip6 |
    Select-Object Name, Enabled

If you genuinely need to disable IPv6 globally across all adapters and the loopback interface, use the registry approach:

# Disable IPv6 globally via registry (requires reboot)
Set-ItemProperty `
    -Path "HKLM:SYSTEMCurrentControlSetServicesTcpip6Parameters" `
    -Name "DisabledComponents" `
    -Value 0xFF `
    -Type DWord

# Reboot to apply the change
Restart-Computer -Force

Setting DisabledComponents to 0xFF disables all IPv6 components. Setting it to 0x20 disables IPv6 on all non-loopback adapters while preserving it on loopback. Always test thoroughly, as features like DirectAccess, Windows Clustering, and some Hyper-V networking capabilities depend on IPv6.

Conclusion

Windows Server 2025 treats IPv6 as a first-class citizen, and your network configurations should reflect that reality. By following this guide, you have verified the IPv6 binding state across all adapters, assigned static global unicast addresses, provisioned a DHCPv6 scope for dynamic clients, registered AAAA records in DNS, validated connectivity with PowerShell testing tools, created precise firewall rules targeting IPv6 traffic, and learned how to surgically disable IPv6 on specific adapters when needed. As ISPs increasingly allocate IPv6 prefixes by default and enterprise networks migrate to dual-stack or IPv6-only designs, these skills will be foundational to operating Windows Server infrastructure. Keep ICMPv6 open, document your address plan in IPAM, and audit AAAA records alongside A records in every DNS review cycle.