70-642 - LLMNR and IPv4
Hi there,
I'm going through 70-642 and during one of the exercises I made a configuration 'error'.
So dcsrv1 had IPv4 enabled, NetBIOS disabled, IPv6 disabled, file sharing enabled, network discovery disabled, and boston had IPv4 enabled, NetBIOS disabled, IPv6 enabled, file sharing enabled, network discovery disabled.
Maybe worth noting, I'm using 2008 R2 as I had the media instead of 2008, but I doubt it should matter much. Besides then that according to the book IPv4 resolving through LLMNR should be disabled (that is, the book states it will broadcast, but by default computers will not respond, 2008 R2 (perhaps 2008 with recent patches / service packs will too) seem to respond to the broadcasts).
What got me here?
Pinging dcsrv1 from boston actually worked, pinging boston from dcsrv1 does not. This surprised me, big time. After fiddling for a while I found boston had IPv6 enabled, whilst dcsrv1 did not. I sniffed the traffic and sure enough LLMNR multicasts came from boston. The IPv6 broadcasts of course didn't get a reply (IPv6 disabled on dcsrv1). But it then multicasted over IPv4 (224.0.0.252 as stated in the book). To my surprise there came the response with the IPv4 address for dcsrv1 from dcsrv1.
This raises a couple of questions:
1) Why does it use LLMNR in the first place? Network discovery is disabled, filesharing is enabled but the book clearly stated this is part of network discovery and I'm quite stumped it works thus.
2) Why does dcsrv1 reply to it at all? IPv6 is disabled... Since the book states it's only available when IPv6 is available, this is odd. dcsrv1 doesn't have IPv6 enabled and it responding to LLMNR (and thus having it active) surprises me. Disabling IPv6 should disable LLMNR as well...
3) This is probably obvious, I take it the defaults for LLMNR have changed? Since the computers respond to IPv4 LLMNR requests...
May 15th, 2011 8:14am
Hello,
If you think errors are in the book please confirm with http://support.microsoft.com/kb/953194 first.
IPv6 has nothing to do with ping, by default ICMP is disabled with the firewall so check the advanced firewall settings also.
See here about LLMNR resolution process "Host Startup and Name Resolution Processes":
http://technet.microsoft.com/en-us/library/bb878128.aspx
http://blogs.technet.com/b/networking/archive/2008/04/01/how-to-benefit-from-link-local-multicast-name-resolution.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
May 15th, 2011 8:25am
No, I think Windows is in error or something. The name resolution takes place when I ping the host by name, other than that, it's not relevant.
As Network discovery is disabled, LLMNR shouldn't work. Since IPv6 is disabled... it shouldn't work either :)
May 17th, 2011 2:20am
1) Why does it use LLMNR in the first place? Network discovery is disabled, filesharing is enabled but the book clearly stated this is part of network discovery and I'm quite stumped it works thus.
- LLMNR can only be disabled via GP or registry key. See the following links for info and instructions.
By Group Policy:
Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution = Enabled
See: Microsoft Enterprise Networking Team : How to benefit from Link-Local Multicast Name Resolution.
By Registry (i.e. Windows Vista Premium):
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast = 0x0
http://blogs.technet.com/b/networking/archive/2008/04/01/how-to-benefit-from-link-local-multicast-name-resolution.aspx
2) Why does dcsrv1 reply to it at all? IPv6 is disabled... Since the book states it's only available when IPv6 is available, this is odd. dcsrv1 doesn't have IPv6 enabled and it responding to LLMNR (and thus having it active) surprises me. Disabling IPv6 should disable LLMNR as well...
- Disabling IPv6 does not disable LLMNR. How you disabled IPv6 is also important. See the above link for further info.
3) This is probably obvious, I take it the defaults for LLMNR have changed? Since the computers respond to IPv4 LLMNR requests...
- The defaults have not changed.
Ketan Thakkar | Microsoft Online Community Support
May 20th, 2011 10:03am
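A host-side check for the settings discussed in the answer above, added here as an example and not part of any post in the thread. The function names are hypothetical; the registry value is the one quoted in the answer, UDP port 5355 is the standard LLMNR port (RFC 4795, not mentioned in the thread), and the script sticks to cmdlets available in PowerShell 2.0 on 2008 R2:

```powershell
# Added example (not from the thread): report LLMNR-related state on one host.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-LlmnrPolicyState {
    param([string]$Key = $PolicyKey)
    # A missing key or value means the policy was never set, so the OS
    # default applies and the host keeps answering LLMNR queries.
    $item = Get-ItemProperty -Path $Key -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.EnableMulticast -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-LlmnrListener {
    # Look for a UDP 5355 listener on IPv4 and IPv6. A listener on IPv4
    # alone matches the dcsrv1 case: IPv6 off, LLMNR still answering.
    $lines = @(netstat -an -p UDP) + @(netstat -an -p UDPv6)
    @($lines | Where-Object { $_ -match ':5355\s' } | ForEach-Object { $_.Trim() })
}

function Get-NetbiosState {
    # TcpipNetbiosOptions: 0 = take setting from DHCP, 1 = on, 2 = off.
    $names = @{ 0 = 'DefaultFromDhcp'; 1 = 'Enabled'; 2 = 'Disabled' }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter = $_.Description
                NetBIOS = $names[[int]$_.TcpipNetbiosOptions]
            }
        }
}

$policy    = Get-LlmnrPolicyState
$listeners = Get-LlmnrListener
Write-Output ("LLMNR policy (EnableMulticast): {0}" -f $policy)
Write-Output ("UDP 5355 listeners found:       {0}" -f $listeners.Count)
$listeners | ForEach-Object { Write-Output ("  " + $_) }
Get-NetbiosState | Format-Table Adapter, NetBIOS -AutoSize

# Flag the combination seen in the thread: no policy set, listener present.
if ($policy -ne 'Disabled' -and $listeners.Count -gt 0) {
    Write-Warning 'LLMNR is answering on this host; set EnableMulticast = 0 via Group Policy to turn it off.'
}
```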
Had the same question and stumbled on this post. Do you have NBT (NetBIOS over TCP/IP) enabled? If so, your system may be using NetBIOS to resolve the address. You can test to see if LLMNR is used by disabling NetBIOS over TCP/IP.
June 19th, 2011 1:06pm
Hi,
No, NetBIOS was disabled. I also used Wireshark on my Linux host (had the VMs running under VMware Workstation on Linux) and sniffed the traffic, which was clearly identified by Wireshark as LLMNR. This was also obvious by the address and such.
Probably a change in 2008 R2 vs 2008 (on which the book is). If you are going to do the exam, I have a huge warning for you. Whilst it's still called bla bla 2008 bla bla, you can be quite sure you won't receive a *single* question on 2008 (nor Vista). Did the exam a couple of weeks ago, all questions were Windows 2008 R2 and Windows 7 (thank you Microsoft... especially since the title of the exam (nor its number) hasn't changed and more shockingly the new course materials (at least not from MS Press) weren't (either they are now or are shortly) even released...). Prepare for quite some questions on SSTP, DirectAccess, BranchCache and from what I understood from some other people even RemoteFX (which was introduced in 2008 R2 SP1...). None of these are in the official book I had (as stated the 2008 R2 books are on the way or are out currently).
Also, whilst the note in the book said you can be sure you won't receive any questions on the old private IPv6 addresses (that are deprecated), I suggest you don't take that advice. I had a question on IPv6 addressing and the only correct answer had the old IPv6 private range. The current IPv6 private address range was in there but had a /8 subnet mask, which makes it incorrect.
Still passed (barely, had exactly the minimum) but wasn't pleasantly surprised... About half the questions weren't in books (the entire material not being covered). They are random though. One would expect an exam on 2008 R2 to be called bla bla 2008 R2 bla bla. Changing exams w/o clear notification *and* available course material is a bad thing imho.
June 20th, 2011 5:30pm