Why does Netlogon send an IPv6 DNS query?

I use https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-netlogon#admx-netlogon-netlogon-addresslookuponpingbehavior to set the parameter addresslookuponpingbehavior to 2. When I debug Netlogon with Nltest /DBFlag:2080FFFF, I see this in the log:

04/13 22:11:25 [MISC] [2036] NlQueryClientSiteFromAddressLookup: site lookup requested for CZC52220NH (CZC52220NH.domain.name) with lookup policy=0x2.
04/13 22:11:25 [MISC] [2036] NlQueryClientSiteViaDNS: querying IPV4=FALSE, IPV6=TRUE on CZC52220NH.domain.name.
04/13 22:11:25 [MISC] [2036] NlQueryClientSiteViaDNS: result: 0x251d from DnsQuery_W(DNS_TYPE_AAAA) on CZC52220NH.domain.name
04/13 22:11:25 [MISC] [2036] NlQueryClientSiteViaDNS: total of 0x0(0) DNS records found.
04/13 22:11:25 [MISC] [2036] NlQueryClientSiteViaDNS: returning 0x0.
04/13 22:11:25 [MISC] [2036] NlQueryClientSiteFromAddressLookup: result: 0x0 for CZC52220NH
04/13 22:11:25 [2036] RS: NO_CLIENT_SITE: CZC52220NH 11.0.3.243

Why IPv6? Help me set IPv4.



Solution 1:[1]

• You are receiving this error because the ‘IP address lookup behaviour for DC locator ping’ setting is searching for IPv6 addresses in priority over the IPv4 addresses. Thus, you will have to disable 'IPv6 (Internet Protocol version 6)' on the client system whose IP address the DC tries to locate and look up in DNS according to the configured option ‘2’. Once IPv6 is disabled, try enforcing the group policy once again by executing the command ‘gpupdate /force’ on the client system, restart the system, and then try again.

To disable the IPv4 on a client system, follow the steps below as shown in the screenshot:

Disabling IPv6

• Once done, please check the ‘Active Directory Sites and Subnets’ management option on the Domain Controller and check whether the IP address range for the client system is defined there for the appropriate Active Directory site. In the AD Sites and Subnets console, the locations where an ADC (Additional Domain Controller) is deployed and replication is happening amongst the DCs are added. The subnets that include the domain-joined client systems in those locations are also added and configured to the correct site, so that when DNS records are synced and replicated on all the DCs and DNS servers, the correct IP address of the client is looked up.

To configure the AD Sites and Subnets correctly, kindly refer to the below documentation link:

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/ras/multisite/configure/step-2-configure-the-multisite-infrastructure

• Also, you can disable serving and looking up IPv6 addresses by referring to the details given in the below article and configuring the same on your DNS server:

https://support.securly.com/hc/en-us/articles/360036617333-How-do-I-disable-IPv6-for-Windows-Server-DNS-

For configuring the policy to make use of IPv4 addresses only in the domain environment, kindly refer to the below documentation link that states the details to configure a group policy for this purpose:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 KartikBhiwapurkar-MT
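
The subnet check described in the answer can be run against the Netlogon debug log itself. The following is an added example, not part of the original question or answer: it parses log lines in the format shown in the question, pairs each NO_CLIENT_SITE entry with the address family Netlogon queried in DNS, and reports whether the client IP falls inside any defined subnet. The SUBNETS mapping, the second host and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: lines in the format shown in the question (HOSTB is made up).
SAMPLE_LOG = """\
04/13 22:11:25 [MISC] [2036] NlQueryClientSiteViaDNS: querying IPV4=FALSE, IPV6=TRUE on CZC52220NH.domain.name.
04/13 22:11:25 [MISC] [2036] NlQueryClientSiteViaDNS: total of 0x0(0) DNS records found.
04/13 22:11:25 [2036] RS: NO_CLIENT_SITE: CZC52220NH 11.0.3.243
04/13 22:14:02 [2036] RS: NO_CLIENT_SITE: HOSTB 10.20.5.17
"""

# Hypothetical subnet-to-site mapping, standing in for the subnets
# defined in Active Directory Sites and Services.
SUBNETS = {"10.20.0.0/16": "Branch", "192.168.1.0/24": "HQ"}

NO_SITE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\S+)\s*$")
DNS_QUERY = re.compile(
    r"NlQueryClientSiteViaDNS: querying IPV4=(\w+), IPV6=(\w+) on (\S+?)\.?$")

def match_site(ip, subnets):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None

def analyze(log_text, subnets):
    """List NO_CLIENT_SITE entries with subnet match and queried DNS families."""
    families, findings = {}, []
    for line in log_text.splitlines():
        q = DNS_QUERY.search(line)
        if q:  # remember which record types were requested for this host
            host = q.group(3).split(".")[0].upper()
            families[host] = {"ipv4": q.group(1) == "TRUE",
                              "ipv6": q.group(2) == "TRUE"}
            continue
        m = NO_SITE.search(line)
        if m:
            host, ip = m.group(1), m.group(2)
            findings.append({"host": host, "ip": ip,
                             "site": match_site(ip, subnets),
                             "dns_lookup": families.get(host.upper())})
    return findings
```

An entry whose "site" is None points to a subnet that still has to be added; an entry with a site name was most likely logged before that subnet was defined.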