Answers to UAG SP1 DirectAccess Contest 1–Round 2/Quiz 3 and Contest 2 Round 1/Quiz 3
Now for the moment you’ve all been waiting for – the answers to UAG SP1 DirectAccess Contest 1–Round 2/Quiz 2 and Contest 2 Round 1/Quiz 2!
Last week’s quiz was a bit different with some practical problem solving scenarios based on screenshots. Let’s see how you did:
Review the information in figure 1. (UAG1 is the UAG DirectAccess server and DC1 is on the intranet)
From the information provided to you in Figure 1, which of the following answers is most likely? (choose 1 answer)
A. The Teredo server was moved off the UAG DirectAccess server
B. The 6to4 relay router was moved off the UAG DirectAccess server
C. The NAT64/DNS64 service was moved off the UAG DirectAccess server
D. The ISATAP Router was moved off the UAG DirectAccess server
The answer to question 1 is D.
To be better understand the scenario, the figure below shows the network diagram for the test environment from which this screenshot was taken.
If you look at the screenshot we have three pieces of information we can use to determine the answer.
The first piece of information is the ping uag1 result. This returns a native IPv6 address assigned to the UAG DirectAccess server. In typical scenarios, when you ping the UAG server you will either see an ISATAP address returned, of if you’re using an IPv4 only network with the help of NAT64/DNS64, then you would see an IPv4 address. This indicates that the UAG DirectAccess server has a native IPv6 address assigned to its internal interface and is not using ISATAP to communicate with the internal network.
The second piece of information from from ping dc1. The ICMP Echo Reply is returned from an ISATAP address, indicating that ISATAP is being used on the internal network.
The third piece of information we have comes from tracert –d dc1. You’ll notice that the second hop returns an address on the same network ID as the IP address returned from the ping uag1. The last hop is to DC1, which is on an ISATAP subnet.
When you put these three pieces of information together, the best conclusion that you can draw is that there is a network device between the UAG DirectAccess server that is routing native IPv6 packets to an ISATAP enabled subnet. This device is an ISATAP router, which you can see in the network diagram as ISATAP1. Normally, the UAG DirectAccess server hosts the ISATAP server role – but in this scenario, the ISATAP router was moved to a separate machine.
Note that this network diagram is part of a larger network diagram that describes how to configure a multi-site UAG DirectAccess solution using ISATAP routers and a single ISATAP cloud for the intranet. I hope to be able to complete the documentation on that scenario soon and will post it here.
Review the information in figure 2. (UAG1 is the UAG DirectAccess server and DC1 is on the intranet) (choose 1 answer)
From the information provided to you in Figure 2, what is the most likely roll for the machine with the IP address 2002:836b:4:8000:0:5efe:10.0.0.20 ?
A. ISATAP router
B. Windows Server 2008 R2 IPv6 RRAS router
C. IP-HTTPS relay
D. Teredo relay
The answer to question 2 is A.
Again, we have three pieces of information that we can work with to solve the problem.
The first piece of information comes from the ipconfig output. Here we can see the IPv4 and IPv6 addressing assigned to this computer – which is DC1 because we recognize the ISATAP address from the previous question. We also see a default gateway assigned to the ISATAP adapter, which is a link-local ISATAP address assigned to the machine with the IPv4 address 10.0.0.20. This indicates that 10.0.0.20 must be an ISATAP gateway (router).
The second piece of information comes ping uag1. Like in the first question, we see that UAG1 resolves to a native IPv6 address, which is consistent with the UAG DirectAccess server being assigned a native IPv6 on its internal interface and not using ISATAP itself.
The third piece of information comes from a tracert –d client1. The first hop address is the ISATAP assigned address to the machine that is assigned as the default gateway for the ISATAP adapter on DC1. The second hop comes from the native IPv6 addresses assigned to the internal interface of the UAG DirectAccess server. The third hop comes from a machine that is assigned an Teredo address, which you might not know since you don’t know the IP addressing on the external interface of the UAG DirectAccess server, but you do recognize that it is a native IPv6 address that is on a different network ID as the internal interface of the UAG DirectAccess server.
When we put these three pieces of information together it becomes clear that in order for DC1 to ping CLIENT1, it must travel over an ISATAP subnet, to an ISATAP router, which forwards the IPv6 packet over the native IPv6 subnet to the internal interface of the UAG DirectAccess server, which then routes the connection to the IP-HTTPS enabled DirectAccess client on the Internet.
Why is the first “quartet” for CLIENT1 different than the other IPv6 addresses on the network? (choose one answer)
A. CLIENT1 is on a different ISATAP subnet
B. CLIENT1 is on the Internet and has registered its IP-HTTPS address
C. CLIENT1 is located behind a web proxy and has registered its 6to4 address
D. CLIENT1 is located behind a NAT device and has registered its Teredo address
The answer to question 3 is D.
Answer A is incorrect because CLIENT1 is not assigned an ISATAP address. For more information on ISATAP addressing, see http://technet.microsoft.com/en-us/library/bb727021.aspx
Answer B is incorrect because CLIENT1 is “on the Internet” which implies that the machine is assigned a public IP address. When the machine is assigned a public IP address, it will register its 6to4 address. In addition, IP-HTTPS clients’ IPv6 address always start with 2002:
Answer C is incorrect because CLIENT1 is located behind a web proxy – which means that only IP-HTTPS is available to client and not 6to4.
Answer D is correct because CLIENT1 is located behind a NAT device and Teredo is used preferentially when the DirectAccess client is located behind a NAT device.
Wow! That was a good one – everyone did great and it shows that our DirectAccess contestants are pretty sharp when it come to IPv6. That’s a good thing, because I think that 2011 is going to be the Year of IPv6 given that we’ll run out of IPv4 allocations very soon.
Next Thursday I’ll post the last quiz in Content 1 and announce the winner! To make it even more interesting – I’m going to include FIVE questions. That will make it possible for anyone to get in the last jump to take home a winner for this round.
So set yourself up a reminder to check for the quiz on Friday January 28, 2011.
See you then!
Principal Knowledge Engineer, Microsoft DAIP iX/Forefront iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Visit the TechNet forums to discuss all your UAG DirectAccess issues http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads
Stay up-to-date with “just in time” UAG DirectAccess information on the TechNet wiki http://social.technet.microsoft.com/wiki/tags/DirectAccess/default.aspx