Introduction to IPv6 on Windows Server 2022
IPv6 is the successor to IPv4, designed to address the exhaustion of 32-bit address space by providing a 128-bit address space capable of supporting approximately 3.4 × 10³⁸ unique addresses. Windows Server 2022 ships with full IPv6 support enabled by default, and Microsoft has been clear that IPv6 is the preferred protocol going forward. This tutorial walks through every aspect of IPv6 configuration on Windows Server 2022, from understanding address types to configuring dual-stack environments, DHCPv6, firewall rules, and tunneling mechanisms.
IPv6 Address Types Overview
Before configuring IPv6, it is essential to understand the three primary unicast address categories used in real-world deployments.
Global Unicast Addresses (GUA) are the IPv6 equivalent of public IPv4 addresses. They are globally routable and begin with the prefix 2000::/3, meaning the first three bits are 001. In practice, most ISP-assigned addresses begin with 2001:: or 2600:: and similar prefixes. A GUA looks like 2001:db8:abcd:1234::1/64.
Link-Local Addresses are automatically assigned to every IPv6-capable interface and are valid only on the local link (the directly connected segment). They always begin with fe80::/10 and are never routed beyond the local interface. Link-local addresses are mandatory for IPv6 operation; even if you disable all other IPv6 address assignment, every interface retains its link-local address. Windows derives the link-local address using the EUI-64 mechanism or a randomly generated interface identifier.
Unique Local Addresses (ULA) are the IPv6 equivalent of RFC1918 private IPv4 addresses. They use the prefix fc00::/7, and in practice the sub-range fd00::/8 is used for locally administered ULA space. ULA addresses are not routable on the public Internet but are routable within a site or organisation. A typical ULA looks like fd12:3456:789a:1::1/48.
Additional address types include anycast (same address assigned to multiple interfaces, packet delivered to nearest), multicast (ff00::/8), and the loopback address ::1.
Checking Existing IPv6 Configuration
The first step when working with IPv6 on Windows Server 2022 is to review the current state of all interfaces. PowerShell provides the most complete view.
Get-NetIPAddress -AddressFamily IPv6This command lists every IPv6 address on every interface, including the address family, prefix length, interface alias, interface index, address state (Preferred, Deprecated, Tentative), and the type (Unicast, Anycast, Multicast). To see only addresses in the Preferred state on a specific adapter, use:
Get-NetIPAddress -AddressFamily IPv6 -InterfaceAlias "Ethernet" -AddressState PreferredTo get a broader view of interface IPv6 settings including router discovery and DHCPv6 state:
Get-NetIPInterface -AddressFamily IPv6 | Select-Object InterfaceAlias, InterfaceIndex, Dhcp, RouterDiscovery, AdvertisedRouterLifetime, AutomaticMetricTo verify that the IPv6 stack itself is functional, ping the loopback address:
Test-NetConnection -ComputerName ::1 -InformationLevel DetailedConfiguring a Static IPv6 Address
To assign a static global unicast or unique local address to an interface, use New-NetIPAddress. First, determine the InterfaceIndex of the target adapter:
Get-NetAdapter | Select-Object Name, InterfaceIndex, StatusOnce you have the interface index (for example, 5 for the primary Ethernet adapter), assign a static IPv6 address with prefix length and default gateway:
New-NetIPAddress -InterfaceIndex 5 -AddressFamily IPv6 -IPAddress "2001:db8:1:1::10" -PrefixLength 64 -DefaultGateway "2001:db8:1:1::1"To remove an IPv6 address:
Remove-NetIPAddress -IPAddress "2001:db8:1:1::10" -Confirm:$falseTo modify an existing address (prefix length or policy), remove the old one and add the new one, since Set-NetIPAddress only allows modification of the PrefixOrigin and SuffixOrigin properties after assignment. You can update the default gateway separately:
Set-NetRoute -DestinationPrefix "::/0" -InterfaceIndex 5 -NextHop "2001:db8:1:1::1"To assign a ULA address alongside the global unicast address (dual address on same interface):
New-NetIPAddress -InterfaceIndex 5 -AddressFamily IPv6 -IPAddress "fd00:1234:abcd::10" -PrefixLength 64Configuring IPv6 DNS Server Addresses
Windows Server 2022 DNS clients support IPv6 resolver addresses natively. Use Set-DnsClientServerAddress to configure them. You can specify IPv6-only or a mix of IPv4 and IPv6 resolver addresses.
Set-DnsClientServerAddress -InterfaceIndex 5 -ServerAddresses ("2001:db8:1:1::53", "2001:db8:2:2::53")To configure both IPv4 and IPv6 DNS servers on the same interface:
Set-DnsClientServerAddress -InterfaceIndex 5 -ServerAddresses ("192.168.1.1", "2001:db8:1:1::53")Verify DNS client settings:
Get-DnsClientServerAddress -InterfaceIndex 5 -AddressFamily IPv6If you are running Windows Server DNS Server role, ensure that the DNS server listens on IPv6 as well. In the DNS Manager console, right-click the server name, select Properties, and under the Interfaces tab verify that IPv6 addresses are listed. Alternatively, use dnscmd:
dnscmd /ResetListenAddressesThis forces DNS server to re-enumerate all interface addresses including newly added IPv6 addresses.
Creating IPv6 Firewall Rules
Windows Firewall with Advanced Security distinguishes between IPv4 and IPv6 using the -AddressFamily parameter. By default, many built-in rules apply to “Any” address family, which covers both. Creating explicit IPv6 rules allows more granular control.
To allow ICMPv6 (which is essential for IPv6 operation — it replaces ARP and is used for Neighbor Discovery, router advertisements, and path MTU discovery):
New-NetFirewallRule -DisplayName "Allow ICMPv6 Inbound" -Direction Inbound -Protocol ICMPv6 -AddressFamily IPv6 -Action Allow -Profile AnyTo allow inbound RDP over IPv6 only:
New-NetFirewallRule -DisplayName "Allow RDP IPv6" -Direction Inbound -Protocol TCP -LocalPort 3389 -AddressFamily IPv6 -Action Allow -Profile DomainTo block all inbound traffic on a specific IPv6 prefix except established connections:
New-NetFirewallRule -DisplayName "Block IPv6 Inbound External" -Direction Inbound -RemoteAddress "2001:db8::/32" -AddressFamily IPv6 -Action Block -Profile AnyTo list all current IPv6-specific firewall rules:
Get-NetFirewallRule | Where-Object { $_.AddressFamily -eq "IPv6" } | Select-Object DisplayName, Direction, Action, EnabledConfiguring DHCPv6 Server on Windows Server 2022
Windows Server DHCP Server role supports DHCPv6 for stateful address assignment. First, ensure the DHCP Server role is installed:
Install-WindowsFeature -Name DHCP -IncludeManagementToolsAdd a DHCPv6 scope. IPv6 scopes use a prefix instead of a range. The prefix must be a /64 (the standard DHCPv6 scope size):
Add-DhcpServerv6Scope -Name "IPv6 Scope 1" -Prefix "2001:db8:1:1::" -State ActiveConfigure DNS settings for the DHCPv6 scope:
Set-DhcpServerv6OptionValue -Prefix "2001:db8:1:1::" -OptionId 23 -Value "2001:db8:1:1::53"OptionId 23 is the DNS Recursive Name Server option in DHCPv6. To set the domain search list (option 24):
Set-DhcpServerv6OptionValue -Prefix "2001:db8:1:1::" -OptionId 24 -Value "corp.example.com"To create a DHCPv6 reservation for a specific client (identified by DUID):
Add-DhcpServerv6Reservation -Prefix "2001:db8:1:1::" -ClientDuid "00-01-00-01-26-9C-3E-4A-00-15-5D-00-01-01" -Iaid 234567890 -IPAddress "2001:db8:1:1::100" -Name "WebServer01"Note that DHCPv6 requires that router advertisements (RA) on the network indicate that managed (M flag) or other configuration (O flag) should be obtained from DHCPv6. These flags are set on the router/gateway, not on the DHCP server itself.
Adding IPv6 Static Routes
To add a static IPv6 route, use New-NetRoute with the IPv6 destination prefix:
New-NetRoute -DestinationPrefix "2001:db8:2::/48" -InterfaceIndex 5 -NextHop "2001:db8:1:1::1" -RouteMetric 10To add a default IPv6 route (equivalent to 0.0.0.0/0 in IPv4):
New-NetRoute -DestinationPrefix "::/0" -InterfaceIndex 5 -NextHop "2001:db8:1:1::1"To view the IPv6 routing table:
Get-NetRoute -AddressFamily IPv6 | Sort-Object RouteMetric | Format-Table DestinationPrefix, NextHop, RouteMetric, InterfaceAliasTo test reachability over a specific route:
Test-NetConnection -ComputerName "2001:db8:2::1" -TraceRouteDual Stack: IPv4 and IPv6 Coexistence
Windows Server 2022 operates in dual-stack mode by default, meaning both IPv4 and IPv6 are active simultaneously on the same interfaces. No special configuration is required to enable dual-stack. The Windows TCP/IP stack uses a prefix policy table to determine address selection preference. To view the prefix policy table:
netsh interface ipv6 show prefixpoliciesBy default, IPv6 is preferred over IPv4 when both are available. To temporarily prefer IPv4 for a specific application scenario without disabling IPv6:
netsh interface ipv6 set prefixpolicy ::ffff:0:0/96 50 4
netsh interface ipv6 set prefixpolicy ::/0 40 1In enterprise deployments, it is common to assign both a static IPv4 and a static IPv6 address to server interfaces. This ensures backward compatibility with IPv4-only clients while enabling IPv6 communication with modern systems.
Disabling IPv6 on Specific Adapters
While Microsoft recommends leaving IPv6 enabled, there are scenarios (such as legacy application compatibility testing or specific security baselines) where you may need to disable IPv6 on particular adapters. To disable IPv6 binding on a single adapter:
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6To re-enable it:
Enable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6To check whether IPv6 is bound on all adapters:
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, EnabledTo disable IPv6 globally via the registry (this is a broader approach and affects all adapters including loopback):
Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetServicesTcpip6Parameters" -Name "DisabledComponents" -Value 0xFF -Type DWordA value of 0xFF disables all IPv6 components. A reboot is required for the registry change to take effect. A value of 0x20 disables all tunnel interfaces while keeping native IPv6 active.
IPv6 Tunneling: 6to4, Teredo, and ISATAP
IPv6 transition mechanisms allow IPv6 traffic to be encapsulated in IPv4 packets to traverse IPv4-only infrastructure. Windows Server 2022 supports several tunneling technologies.
6to4 automatically tunnels IPv6 over IPv4 infrastructure. It uses the 2002::/16 prefix and embeds the public IPv4 address in the IPv6 address. 6to4 requires a public IPv4 address. It is typically used when a host has a public IPv4 address and needs connectivity to IPv6-only resources. Check 6to4 tunnel interface status:
Get-NetIPInterface -InterfaceAlias "6TO4 Adapter"Teredo provides IPv6 connectivity to hosts behind IPv4 NAT. It uses addresses in the 2001::/32 range and works by encapsulating IPv6 in UDP over IPv4. Teredo is designed for client-side use and is typically not required on servers with public IP addresses. Check Teredo state:
netsh interface teredo show stateTo disable Teredo (recommended on servers where it is not needed):
netsh interface teredo set state disabledISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is designed for intra-site communication over IPv4 infrastructure. It uses the ::0:5efe:a.b.c.d format for IPv6 addresses where a.b.c.d is the host’s IPv4 address. ISATAP is useful in enterprise environments transitioning to IPv6 where not all internal infrastructure is IPv6-ready. Configure an ISATAP tunnel:
netsh interface isatap set router "10.0.0.1"
netsh interface isatap set state enabledCheck ISATAP router and state:
netsh interface isatap show state
netsh interface isatap show routerIn modern environments, native dual-stack deployment is strongly preferred over any tunneling mechanism. Tunneling adds complexity, can cause performance issues, and in the case of Teredo, potential security concerns. Disable all tunneling interfaces on production servers unless specifically required:
Set-ItemProperty -Path "HKLM:SYSTEMCurrentControlSetServicesTcpip6Parameters" -Name "DisabledComponents" -Value 0x20 -Type DWordThis registry value of 0x20 disables all tunnel interfaces while preserving native IPv6 functionality, which is the recommended configuration for Windows Server 2022 in production environments.
Verifying End-to-End IPv6 Connectivity
After configuring IPv6, verify connectivity at multiple layers. First, confirm the local address is in the Preferred state:
Get-NetIPAddress -AddressFamily IPv6 -AddressState Preferred | Format-Table IPAddress, PrefixLength, InterfaceAliasPing the default gateway over IPv6:
ping -6 2001:db8:1:1::1Test DNS resolution over IPv6:
Resolve-DnsName -Name "ipv6.google.com" -Type AAAA -Server "2001:db8:1:1::53"Trace the IPv6 path to a remote host:
tracert -6 2001:4860:4860::8888With these steps completed, Windows Server 2022 is fully configured for IPv6 in a dual-stack environment, ready for both internal and external IPv6 communication.
