Windows Server update on IPv6-only network

I only found some discussion from 2012-2013 on this issue, stating that on IPv6 only system:

Windows Update worked fine.

Converting to Microsoft Update did not.

Windows Activation does not work - cannot find the DNS entry for whatever system it uses. Biggest showstopper I think, as it requires v4 address, NAT64, or a phone call.

Time synchronization by default uses time.windows.com - NOT IPv6-enabled. Had to point this at another resource ( I chose X.pool.ntp.org and had no issues)

I find it both interesting and funny that (many) microsoft.com and windows.com URLs don't work with IPv6 - yet both Bing.com and Xbox.com have IPv6 capability enabled.

So I did some digging. Situation today, in 2017:

• URL's that are needed by the Microsoft Update without WSUS:

  • windowsupdate.microsoft.com doesn't have AAAA, not working.
  • update.microsoft.com doesn't have AAAA, not working.
  • windowsupdate.com not in use, no A / AAAA.
  • download.windowsupdate.com has (via CNAMEs) AAAA, answers (only) HTTP on IPv6. OK!
  • download.microsoft.com has HTTP/HTTPS on IPv6 (302 redirect to www). OK!
  • test.stats.update.microsoft.com doesn't have AAAA, not working.
  • Testing for wildcard subdomains is a bit impossible, so I'll leave it here.

• Microsoft Activation uses www.microsoft.com, port 80/443: has AAAA, answers HTTP(S). OK!

• NTP time.windows.com, still no IPv6, change to an IPv6 Time Server like 2.pool.ntp.org.

So it seems like the situation has't change much, at least not for all Microsoft services.

However, TechNet article IPv6 Support in Microsoft Products and Services claims that Windows Update has full IPv6 support and leads us to Connecting with IPv6 in Windows 8 blog post, that has more information:

Windows Update is a critical service providing ongoing support and updates to millions of users every day. More and more PCs are going to be connected to mobile broadband networks, where IPv6-only is a popular configuration. We have to make sure that downloads are reliably available to you on those networks.

For this reason the Windows Update service now supports both IPv6 and IPv4. Windows Update utilizes CDNs for worldwide distribution of updates and we are partnering with them to enable IPv6 support. Windows 8 will use IPv6, if available, to download Windows Updates so that users always get the best possible connectivity when downloading updates.

As

• Windows Update SHOULD work on IPv6
• you didn't mention how you have tested your IPv6 setup and
• we do know that some of the *.microsoft.com sites answers HTTP(S) on IPv6,

you should try to visit the working sites above from the server.

For further diagnostics on the problem:

• See if you have route: tracert -6 download.windowsupdate.com
• The previous command also already gave you a hint, if you don't have working DNS on IPv6. In that condition tracert -6 2001:14b8:1800:300::3eb7:aa1a (or find the current AAAA on another computer with working DNS).
• Try the same test on download.microsoft.com / its (current) AAAA 2a02:26f0:103:19d::e59

If you don't have working routing on your IPv6, e.g. if your IPv6 is only local setup, you could configure NAT64 and DNS64 with Forefront Unified Access Gateway (UAG) DirectAccess. It has been there since Windows Server 2012 and remains essentially unchanged through 2012 R2 to 2016.

Or... simply enable IPv4. You probably have capability, if you haven't yet declared IPv4 historic.

Assuming that Windows has hardcoded hostnames for update, but no hardcoded IP-addresses, you can use the DNS cache to figure out which hostnames are being looked up.

1. ipconfig /flushdns
2. Attempt Windows update
3. ipconfig /displaydns

On a fresh Hyper-V Server 2016, it only listed one name: ctldl.windowsupdate.com, which is a subdomain of one of the required hosts that Esa Jokinen refers to in the accepted answer. Today in 2017 this is a CNAME to Akamai, but it only returns an IPv4 address, no IPv6. This means that Windows Update won't work on an IPv6-only connection, but it should work with NAT64 (it does for me).