Windows IPAM

1. Windows IP address management #

IP address management (IPAM)

What is IPAM?

Internet Protocol address management (IPAM) is a method of tracking and modifying the information associated with a network’s Internet Protocol address (IP address) space. With IPAM, administrators can ensure that the inventory of assignable IP addresses remains current and sufficient.

Network administrators use IPAM to ascertain and update various details about their networks, such as:

  • How much free IP address space exists.
  • What subnets are in use, how large they are, and who uses them.
  • Permanent versus temporary status for each IP address.
  • Default routers that the various network devices use.
  • The host name associated with each IP address.
  • The specific hardware associated with each IP address.

What’s New in IPAM

Applies To: Windows Server 2012 R2

This topic describes the IP Address Management (IPAM) functionality that is new or changed in Windows Server 2012 R2 and Windows Server 2012.

IPAM provides highly customizable administrative and monitoring capabilities for the IP address infrastructure on a corporate network. You can monitor, audit, and manage servers running Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS).

What’s new in IPAM in Windows Server 2012 R2

In Windows Server 2012 R2, IPAM offers enhanced support in the following areas.

Feature/Functionality                New or improved   Description
Role-based access control            New               Role-based access control lets you customize the types of operations and access permissions for users and groups of users on specific objects.
Virtual address space management     New               IPAM streamlines management of physical and virtual IP address space in System Center Virtual Machine Manager.
Enhanced DHCP server management      Improved          Several new operations in IPAM enhance the monitoring and management of the DHCP Server service on the network.
External database support            New               In addition to the Windows Internal Database (WID), IPAM optionally supports a Microsoft SQL Server database.
Upgrade and migration support        New               If you installed IPAM on Windows Server 2012, your data is maintained and migrated when you upgrade to Windows Server 2012 R2.
Enhanced Windows PowerShell support  Improved          Windows PowerShell support for IPAM is greatly enhanced to provide extensibility, integration, and automation support.

Role-based access control

Role-based access control provides you with the ability to customize roles, access scopes, and access policies. Thus, you have the ability to define and establish fine-grained control for users and groups, enabling them to perform a specific set of administrative operations on specific objects managed by IPAM.

Roles: A role is a collection of IPAM operations. You can associate a role with a user or group in Windows using an access policy. Eight built-in administrator roles are provided for convenience, but you can also create customized roles to meet your business requirements.

Access scopes: An access scope determines the objects that a user has access to. You can use access scopes to define administrative domains in IPAM. For example, you might create access scopes based on geographical location. By default, IPAM includes an access scope of Global. All other access scopes are subsets of the Global access scope. Users or groups that are assigned to the Global access scope have access to all objects in IPAM that are permitted by their assigned role.

Access policies: An access policy combines a role with an access scope to assign permission to a user or group. For example, you might define an access policy that gives a user the IP Block Admin role with an access scope of Global\Asia. That user can then edit and delete IP address blocks associated with the Asia access scope, but cannot edit or delete any other IP address blocks in IPAM.

The following default access scope and roles are provided:

Type          Name                                   Description
Role          DNS record administrator               Manages DNS resource records.
Role          IP address record administrator        Manages IP addresses but not IP address spaces, ranges, blocks, or subnets.
Role          IPAM administrator                     Manages all settings and objects in IPAM.
Role          IPAM ASM administrator                 Completely manages IP addresses.
Role          IPAM DHCP administrator                Completely manages DHCP servers.
Role          IPAM DHCP reservations administrator   Manages DHCP reservations.
Role          IPAM DHCP scope administrator          Manages DHCP scopes.
Role          IPAM MSM administrator                 Completely manages DHCP and DNS servers.
Access scope  Global                                 By default, all objects in IPAM are included in the Global access scope. All additional scopes that are configured are subsets of the Global access scope.
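The IP Block Admin at Global\Asia policy described above, scripted with the IpamServer PowerShell module. This is an added example, not code from the page or from Microsoft: the group name CONTOSO\AsiaIpAdmins is hypothetical, and the Operations property name on Get-IpamRole output, the wording of the operation strings, and the \Global\Asia path form are assumptions to confirm with Get-Help on each cmdlet before running it.

```powershell
# Added example (not from the original page): create the custom "IP Block Admin"
# role, the Global\Asia access scope, and the access policy that binds them to a
# domain group. Run on the IPAM server as an IPAM Administrator.
Import-Module IpamServer

$roleName  = 'IP Block Admin'          # custom role; not one of the eight built-ins
$scopePath = '\Global\Asia'            # assumption: every scope path is rooted at \Global
$principal = 'CONTOSO\AsiaIpAdmins'    # hypothetical domain security group

# 1. Custom role: start from the built-in ASM role and keep only the operations
#    that act on IP address blocks. The "Operations" property name and the
#    operation wording are assumptions; inspect a built-in role first with
#    Get-IpamRole -Name 'IPAM ASM Administrator' | Format-List *
$asm = Get-IpamRole -Name 'IPAM ASM Administrator'
$blockOps = @($asm.Operations | Where-Object { $_ -match 'IP address block' })
if ($blockOps.Count -eq 0) { throw 'No block operations matched; check $asm.Operations' }

if (-not (Get-IpamRole -Name $roleName -ErrorAction SilentlyContinue)) {
    Add-IpamRole -Name $roleName -Operation $blockOps `
        -Description 'Create, edit and delete IP address blocks only'
}

# 2. Access scope: Asia as a child of Global (skipped if it already exists).
$existing = Get-IpamAccessScope | Where-Object Path -eq $scopePath
if (-not $existing) {
    Add-IpamAccessScope -Name 'Asia' -ParentAccessScopePath '\Global' `
        -Description 'Asia address space'
}

# 3. Access policy = principal + role + scope. A principal that appears in no
#    access policy and in none of the IPAM local groups has no rights in IPAM.
if (-not (Get-IpamAccessPolicy | Where-Object UserAlias -eq $principal)) {
    Add-IpamAccessPolicy -UserAlias $principal -AccessScopePath $scopePath -RoleName $roleName
}

# 4. Verify the effective grant: the group, the Asia scope, and block operations only.
Get-IpamAccessPolicy | Where-Object UserAlias -eq $principal |
    Format-List UserAlias, AccessScopePath, RoleName
(Get-IpamRole -Name $roleName).Operations
```

The least-privilege point is in step 1: deriving the role from the built-in role's operation list and filtering it keeps the custom role from silently inheriting range, subnet or address permissions it was never meant to have.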

Virtual address space management

IPAM offers a unified, centralized administrative experience for network administrators to manage IP address space on a corporate network and in Microsoft-powered cloud networks. IPAM lets network administrators streamline the IP address space administration of both physical (fabric) and virtual networks. The integration between IPAM and System Center 2012 R2 Virtual Machine Manager provides end-to-end IP address space automation for Microsoft-powered cloud networks, and enables a single IPAM server to detect and prevent IP address space conflicts, duplicates, and overlaps across multiple instances of Virtual Machine Manager deployed in a large datacenter.

To view virtual address space in IPAM, click the new VIRTUALIZED ADDRESS SPACE node in the upper navigation pane of the IPAM console.

Enhanced DHCP server management

DHCP server management with IPAM is greatly enhanced in Windows Server 2012 R2, including multiple new operations for DHCP scope and DHCP servers, and views for the following objects:

  • DHCP failover
  • DHCP policies
  • DHCP superscopes
  • DHCP filters
  • DHCP reservations

External database support

During the IPAM provisioning process, you have the option of choosing a WID or Microsoft SQL Server for the IPAM database. With Microsoft SQL Server, the IPAM database can be collocated on the IPAM server, or it can be located on a remote computer. Support for SQL enables additional scalability, disaster recovery, and reporting scenarios.

Upgrade and migration support

The IPAM database can be migrated seamlessly when you upgrade from Windows Server 2012 to Windows Server 2012 R2.

Enhanced Windows PowerShell support

55 new Windows PowerShell cmdlets are available for IPAM in Windows Server 2012 R2. For more information, see IPAM Server Cmdlets in Windows PowerShell.

What’s new in IPAM in Windows Server 2012

In Windows Server 2012, IPAM added the IPAM/DHCP Integration Module, a Windows PowerShell script available on the Microsoft Script Center that imports DHCP leases and reservations into the IPAM database.

2. Planning and Design IPAM #

Plan and Design IPAM

Microsoft introduced the IP Address Management (IPAM) feature in Windows Server® 2012 with improvements in Windows Server® 2012 R2. For information about new features of IPAM in Windows Server 2012 R2, see What’s New in IPAM.

IPAM provides a built-in framework for discovering, monitoring, auditing, and managing IP address space and infrastructure servers on a corporate network.

IPAM is an agentless multi-server, multi-service management feature that leverages standard Windows remote management protocols to manage, monitor and collect data from IP address infrastructure servers. IPAM relies on a host of remote management technologies to provide full functionality. Communication with multiple network elements throughout the enterprise is required for data gathering and configuration management. Depending on the scope of managed elements, this communication may need to traverse multiple security boundaries or domains.

Note

IPAM must be installed on a domain member computer. You cannot install IPAM on a domain controller. If IPAM is installed on the same server with DHCP, then DHCP server discovery will be disabled.

An IPAM server provides support for a single Active Directory forest. Multi-forest topologies are not supported. Multiple IPAM servers can support a single domain, or a single IPAM server can support all domains in an Active Directory forest.

Deployment topologies

IPAM supports the following topologies for deployment in the enterprise:

  • Distributed: An IPAM server deployed at every site in the enterprise.
  • Centralized: One IPAM server in the enterprise.
  • Hybrid: A central IPAM server deployed with dedicated IPAM servers at each site.

The following diagram illustrates an example of the hybrid deployment model.

There is no automatic built-in communication or database sharing between different IPAM servers. If multiple IPAM servers are deployed, you can customize the scope of discovery for each IPAM server, or filter the list of managed servers.

If desired, you can leverage export and import functions in Windows PowerShell for IPAM to periodically update IP address range and address information between multiple IPAM servers.

You can also customize the role of different IPAM servers that are deployed. For example, a single IPAM server might be implemented to manage IP addressing for the entire enterprise. A different IPAM server might be used to monitor DNS zone health or configure DHCP scopes. Alternatively, you can limit the discovery and management scope to create a dedicated IPAM server that will perform all functions but only for a specific group of managed servers. The scope of management assigned to an IPAM server is flexible and can be updated if the need arises by adding or removing managed servers and domains.

Hardware and software requirements

IPAM Server must be installed on a computer running Windows Server® 2012 or a later operating system. IPAM Client must be installed on a computer running Windows Server 2012, Windows® 8, or a later operating system. To install IPAM Client on a computer running a client operating system, you must first install the Remote Server Administration Tools (RSAT). Each client operating system has its own version of RSAT, for example:

Active Directory: An IPAM server must be joined to a domain as a domain member server. Installation in a workgroup environment is not supported, and installation on a domain controller is not supported.

Network: An IPAM server requires a functional networking environment that includes IPv4 and IPv6 network connectivity to integrate with existing network services in the Active Directory forest. Server discovery requires that network settings on the IPAM server be configured to provide access to at least one domain controller and authoritative DNS server. Discovery of IPv6 address space requires that IPv6 is enabled on the IPAM server. The IPAM server must also have network connectivity to all servers that are marked as managed in the server inventory.

Other roles or features: An IPAM server is intended as a single-purpose server. It is not recommended to collocate other network infrastructure roles such as DNS or DHCP on the same server. IPAM installation is not supported on a domain controller, and discovery of DHCP servers will be disabled if you install IPAM on a server that is also running the DHCP Server service. The following features and tools are automatically installed when you install IPAM Server.

Feature or tool                      Description
Remote Server Administration Tools   DHCP and DNS Server Tools and the IP Address Management (IPAM) Client, for remotely managing DHCP, DNS and IPAM servers.
Windows Internal Database            A relational data store that can be used only by Windows roles and features.
Windows Process Activation Service   Generalizes the IIS process model, removing the dependency on HTTP.
Group Policy Management              A scriptable Microsoft Management Console (MMC) snap-in that provides a single administrative tool for managing Group Policy.
.NET Framework 4.5 Features          A programming model for building and running applications designed for several different platforms.

The following are the minimum and recommended hardware requirements for IPAM Server.

Component    Minimum                    Recommended
Processor    1.4 GHz (x64 processor)    Quad-core, 2.66 GHz or faster
Memory       2 GB RAM                   4 GB RAM or greater
Disk space   10 GB                      80 GB or greater*

*Use a fast storage device to host the IPAM database (on the root drive) to significantly improve IPAM performance.

Actual hardware requirements will vary based on the number of managed servers that are monitored and managed by the IPAM server.

IPAM specifications

IPAM Server has the following specifications:

  1. The scope of IPAM server discovery is limited to a single Active Directory forest. The forest itself may be comprised of a mix of trusted and untrusted domains.
  2. IPAM supports only Microsoft domain controllers, DHCP, DNS, and NPS servers running Windows Server® 2008 and above.
  3. DHCP operational event auditing is supported for DHCP servers running Windows Server® 2008 R2 and above.
  4. IPAM installation on a DHCP server is not recommended. The IPAM server discovery feature will not be able to discover DHCP roles if DHCP Server is installed on the same computer.
  5. IPAM supports only domain joined DHCP, DNS and NPS servers in a single Active Directory forest.
  6. IPAM does not support management and configuration of non-Microsoft network elements.
  7. IPAM in Windows Server 2012 does not support external databases; only the Windows Internal Database is supported. Windows Server 2012 R2 adds the option of a Microsoft SQL Server database (see External database support above).
  8. A single IPAM server can support up to 150 DHCP servers and 500 DNS servers.
  9. A single IPAM server has been tested to support up to 6000 DHCP scopes and 150 DNS zones.
  10. IPAM stores 3 years of forensics data (IP address leases, host MAC addresses, user login/logoff information) for 100,000 users in a Windows Internal Database. There is no database purge policy provided, and the administrator must purge data manually as needed.
  11. IP address utilization trends are provided only for IPv4.
  12. IP address reclaiming support is provided only for IPv4.
  13. No special processing is done for IPv6 stateless address auto configuration private extensions.
  14. No special processing for virtualization technology or virtual machine migration.
  15. IPAM does not check for IP address consistency with routers and switches.
  16. IPAM does not support auditing of IPv6 stateless address auto configuration on an unmanaged machine to track the user.
  17. IPAM users must sign in with domain credentials. Do not sign in to the IPAM server using the local Administrator account or another local user account on the IPAM server.
  18. If you access the IPAM server from a remote IPAM client, you must be a member of the WinRMRemoteWMIUsers__ local group on the IPAM server, in addition to being a member of the appropriate local IPAM security group.
  19. If the Group Policy based provisioning method is used, users must have domain administrator privileges to mark servers as managed or unmanaged in the server inventory.

Capacity planning

When planning disk space requirements and determining the number of IPAM servers to use on your network, consider the following questions:

  1. How many IP address ranges will be managed by IPAM?
  2. How many DHCP-enabled devices are connected to the network?

If the number of IP address ranges that you plan to manage with IPAM is less than 20,000 each for IPv4 and IPv6, you can deploy a single IPAM server to manage your IP address space. This is assuming a typical IP address range prefix is /24 for IPv4 and /64 for IPv6.

However, you might wish to deploy more than one IPAM server to manage an expanding network. For example, if the organization has 30,000 IP address ranges and is increasing in size, you should deploy at least two IPAM servers. You might also plan to deploy more than one IPAM server if you will assign specific roles to different servers or you will deploy IPAM in a distributed or hybrid topology.

Planning disk capacity

IPAM uses several data collection tasks to gather data from managed servers. This data includes information such as DHCP scopes, DHCP scope utilization, DNS zones, DNS zone events, DHCP lease logs, IPAM and DHCP configuration events, and network authentication events. Data collection tasks run in the background and regularly update the local IPAM database, increasing its size. With the Windows Internal Database, the IPAM database is located on the system root drive (the operating system drive), so it is important to ensure enough disk space is available on that drive to accommodate this data.

Note

For purposes of planning disk capacity, a system lifetime of 5 years is assumed.

Disk space requirements for the IPAM database can be evaluated based on three categories of stored data:

  1. Base database size: This is the disk space required to hold IP address blocks, IP address ranges, IP address records, custom fields, DHCP configuration data, DHCP scopes, and other static managed server information. This type of data doesn't increase over time; it grows only when more records are created in IPAM by administrators or when new managed servers are added. You should allocate 1.0 GB of free space on the root drive to accommodate this data.
  2. Utilization data: IPAM keeps track of utilization for IP address blocks, IP address ranges and DHCP scopes by periodically sampling and storing utilization statistics for these items. Each sample is stored in the local IPAM database to enable graphical display of utilization trends. The amount of data collected and stored depends on the number of IP address ranges in the system. Monthly usage is about 1.0 GB of data for every 10,000 IP address ranges. There is no simple method for clearing or purging utilization data from the system, so you should plan disk space consumption for a period of 5 years or the anticipated system lifetime. For example, if your IPAM server will manage 2000 IP address ranges for a period of 5 years, you must allocate 1 GB * 12 * 5 = 60 GB of disk space on the system root drive to accommodate utilization data.

     Number of IP address ranges   Disk space required
     10,000 or less                1 GB / month
     10,001 to 20,000              2 GB / month
     20,001 to 40,000              3 GB / month

  3. Event catalog data: IPAM collects DHCP lease logs, DHCP configuration events, IPAM configuration events, and authentication events from all managed NPS servers and domain controllers. Depending on the size of your network, this data can require several GB of disk space. The amount of disk space required for storing event catalog data depends on the frequency at which these events occur on the network. To calculate disk space requirements for event catalog data, estimate the number of events per month together with the length of time you wish to keep these events in the IPAM database. Approximately 0.6 GB of free disk space is required for one million events.

For example, on a network with 2500 users where each user has a laptop, a desktop, and a smart phone, you can allocate 4 IP addresses to each user: one for the desktop computer, one for the phone, and two for the laptop (wired + wireless). This means you will have about 10,000 IP addresses to manage. Assuming that a DHCP lease on a wireless interface is renewed every 8 hours and a lease on a wired interface every 4 days, you can expect three lease events per day (24/8) per wireless interface and one lease event per wired interface every 4 days. Over a period of four days, the 5,000 wireless interfaces (2500*2) generate 2500*2*3*4 = 60,000 lease events and the 5,000 wired interfaces generate 2500*2*1 = 5,000, for a total of 65,000 DHCP lease events, or 65,000*30/4 = 487,500 DHCP lease events per month.

Similarly, if you have 2500 users on the network and expect each user to log in, lock, and unlock their device 20 times per day, you can expect 2500*20*22 = 1,100,000 user authentication events per month (assuming 22 working days in a month). Together that is 487,500 + 1,100,000 = 1,587,500 records per month. To retain data initially for six months and then purge three-month-old data on a quarterly basis, the disk must be able to store 1,587,500*6 = 9,525,000 records, corresponding to 0.6*9,525,000/1,000,000 ≈ 5.7 GB of disk space.

Note

These calculations do not take into account DHCP and IPAM configuration change events, machine authentication events, and DHCP events such as granting and expiration of leases. These events do not typically impact disk space requirements. However, you can take these events into consideration if required.

To calculate overall disk space requirements, use the following formula:

Disk space = Base database size + Utilization data + Event catalog data

In the example used previously, a network with 2500 users will require 1 GB + 60 GB + 5.7 GB ≈ 66.7 GB of free disk space for the IPAM database, storing utilization data for 5 years.

Organization size   Base size   Utilization data   Event catalog data   Total
25,000 users        1 GB        60 GB              59 GB                120 GB
50,000 users        1 GB        60 GB              117 GB               178 GB
100,000 users       1 GB        60 GB              234 GB               295 GB

Assumptions:

  • 4 IP addresses are allocated per user.
  • All IP addresses are issued by managed DHCP servers. Half of the IP addresses are wireless with leases refreshing every 8 hours; the other half are wired interfaces with leases refreshing every 4 days.
  • Each user generates 20 domain controller authentication events and 1 NPS authentication event per working day.
  • Event catalog data is purged every three months. Data is initially collected for 6 months and then three month old data is purged quarterly.
  • There is an average of 22 working days per month.
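The planning formula above carried through as a PowerShell function. This is an added example, not from the page: it encodes the utilization tiers from the ranges table, the lease and authentication event model from the worked example, the 0.6 GB per million events figure, and the 6-month retention assumption, and it reproduces both the 2,500-user walkthrough and the 25,000-user row of the organization-size table. The two calls at the end are sample inputs; the range counts (40 and 400, from four addresses per user in /24 ranges) are assumptions.

```powershell
# Added example (not from the original page): IPAM database sizing per the
# planning text. All per-unit figures are the page's; every input is a parameter.
function Get-IpamDiskEstimate {
    param(
        [Parameter(Mandatory)][int]$Users,
        [Parameter(Mandatory)][int]$AddressRanges,   # IPv4 + IPv6 ranges this server manages
        [int]$YearsOfUtilizationData = 5,            # system lifetime assumed in the text
        [int]$MonthsOfEventsRetained = 6,            # collect 6 months, then purge quarterly
        [int]$WirelessPerUser = 2,
        [int]$WiredPerUser = 2,
        [double]$WirelessLeaseHours = 8,
        [double]$WiredLeaseDays = 4,
        [int]$DcAuthEventsPerUserPerDay = 20,
        [int]$NpsEventsPerUserPerDay = 1,
        [int]$WorkingDaysPerMonth = 22,
        [double]$GbPerMillionEvents = 0.6,
        [double]$BaseGb = 1.0
    )

    # Utilization data: the tiers from the ranges table, per month. The table
    # stops at 40,000 ranges; beyond that the text says to plan more IPAM servers.
    $utilGbPerMonth = switch ($AddressRanges) {
        { $_ -le 10000 } { 1; break }
        { $_ -le 20000 } { 2; break }
        { $_ -le 40000 } { 3; break }
        default { throw "More than 40,000 ranges is outside the sizing table; plan additional IPAM servers." }
    }
    $utilGb = $utilGbPerMonth * 12 * $YearsOfUtilizationData

    # Event catalog: each interface renews once per lease period; each user logs
    # on, locks and unlocks on working days only.
    $daysPerMonth = 30
    $leaseEventsPerMonth = ($Users * $WirelessPerUser * (24 / $WirelessLeaseHours) * $daysPerMonth) +
                           ($Users * $WiredPerUser * ($daysPerMonth / $WiredLeaseDays))
    $authEventsPerMonth  = $Users * ($DcAuthEventsPerUserPerDay + $NpsEventsPerUserPerDay) * $WorkingDaysPerMonth
    $eventsRetained = ($leaseEventsPerMonth + $authEventsPerMonth) * $MonthsOfEventsRetained
    $eventGb = $GbPerMillionEvents * $eventsRetained / 1e6

    [pscustomobject]@{
        Users               = $Users
        AddressRanges       = $AddressRanges
        LeaseEventsPerMonth = [long]$leaseEventsPerMonth
        AuthEventsPerMonth  = [long]$authEventsPerMonth
        BaseGb              = $BaseGb
        UtilizationGb       = $utilGb
        EventCatalogGb      = [math]::Round($eventGb, 1)
        TotalGb             = [math]::Round($BaseGb + $utilGb + $eventGb, 1)
    }
}

# The 2,500-user walkthrough (domain controller logons only, about 40 /24 ranges):
Get-IpamDiskEstimate -Users 2500 -AddressRanges 40 -NpsEventsPerUserPerDay 0

# The first row of the organization-size table (DC + NPS events, about 400 ranges):
Get-IpamDiskEstimate -Users 25000 -AddressRanges 400
```

The first call lands at about 66.7 GB and the second at about 120 GB, matching the worked example and the table's first row. The throw for more than 40,000 ranges is deliberate: the table has no figure there, and extrapolating it would hide the point at which the text recommends a second IPAM server.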

Implement Your IPAM Design Plan

Applies To: Windows Server 2012 R2.

After you have decided on an IPAM design, the next step in implementing your design is to determine in what order each of the deployment tasks must be performed. This guide uses checklists to help you walk through the various server and application deployment tasks that are required to implement your design plan. As shown in the following illustration, parent and child checklists are used as necessary to represent the order in which tasks for a specific IPAM design must be performed. For IPAM, many of the tasks are similar across the three different design choices, and only differ in terms of server placement and management scope.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/images/jj878340.37a28761-7ab8-468b-b766-15c3cd2e1686%28ws.11%29.jpeg

This guide contains the following deployment tasks and checklists you can use to implement your organization’s IPAM design:

3. IPAM Architecture #

IPAM Architecture

Applies To: Windows Server 2012 R2, Windows Server 2012

An IPAM infrastructure includes the following primary components:

  • IPAM Client: A computer running Windows Server® 2012 or Windows® 8 or a later operating system.
  • IPAM Server: A computer running Windows Server 2012 or a later operating system.
  • Managed servers: Domain controllers, NPS, DNS, and DHCP servers running Windows Server® 2008 or later.

IPAM components and interactions are illustrated in the following figure.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/images/jj878342.9fff3691-6558-4c8d-a614-32fcff8b7a63%28ws.11%29.jpeg

Important

Role-based access control for IPAM in Windows Server 2012 R2 is enhanced, enabling you to configure custom administrator roles. The same local security groups are available; however you can also use the IPAM client console to create groups with specific access control settings. For more information, see Access Control.

See the following topics for more information about IPAM infrastructure components.

IPAM Client

An IPAM client computer is a computer running Windows Server 2012 or Windows 8 with the Remote Server Administration Tools (RSAT) for Windows 8 installed. If the computer is running Windows Server 2012, IPAM Client is automatically selected for installation under Features > Remote Server Administration Tools > Feature Administration Tools > IP Address Management (IPAM) Client when you install IPAM Server.

In its default configuration, IPAM Client is installed on the same computer with IPAM Server; however, this is not required. You can also install the IPAM client on a computer running Windows 8 by installing the Remote Server Administration Tools (RSAT) for Windows 8 (http://www.microsoft.com/download/details.aspx?id=28972). You can install the IPAM client on a computer running Windows 8.1 by installing the Remote Server Administration Tools (RSAT) for Windows 8.1 (http://www.microsoft.com/download/details.aspx?id=39296). You can also install the IPAM client on more than one computer. IPAM Server supports multiple concurrent connections from different IPAM Clients. A single IPAM Client can connect to one IPAM Server at a time.

Available IPAM installation options are summarized in the following table.

Operating system                                Configuration                       Available IPAM connections
Windows Server 2012 or Windows Server 2012 R2   IPAM Server + IPAM Client           Connect to the local IPAM server or a remote IPAM server from the local client
Windows Server 2012 or Windows Server 2012 R2   IPAM Client only                    Connect to a remote IPAM server from the local client
Windows Server 2012 or Windows Server 2012 R2   IPAM Server only                    Connect to the local server from a remote client
Windows 8 or Windows 8.1                        RSAT for Windows 8 or Windows 8.1   Connect to a remote IPAM server from the local client

Client communications

The IPAM client communicates with an IPAM server using the Windows Communication Foundation (WCF) protocol with TCP as the transport method. By default, TCP binding is performed on port 48885 on the IPAM server. If there is a port conflict, or there is a need to reconfigure the server port, the port number on the server can be configured using the Windows PowerShell cmdlets Get-IpamConfiguration and Set-IpamConfiguration. For more information about IPAM and Windows PowerShell, see Using Windows PowerShell with IPAM.

IPAM Server

An IPAM server is a domain member computer running Windows Server® 2012 or a later operating system. You cannot install IPAM Server on a domain controller, and it is not recommended to install IPAM Server on the same server with DHCP Server. For more information about specifications and requirements for IPAM Server, see IPAM Deployment Planning.

Server communications

The IPAM server uses Lightweight Directory Access Protocol (LDAP) to discover domains and DHCP servers in the Active Directory forest. The Server Message Block (SMB) protocol is used to retrieve IP address lease information from the audit log file on DHCP servers.

The IPAM server communicates with managed DHCP servers to get DHCP scope utilization, scope configuration, server configuration information, and DHCP operational events. Configuration information is acquired by Windows PowerShell for DHCP Server using [MS-DHCPM]. Specific communication ports must be enabled in Windows Firewall for this communication to be successful.

Note

For information about [MS-DHCPM] and other Microsoft protocol specifications, see the Technical Specification Cross-Reference Matrix on MSDN.

IPv4 and IPv6 address lease information is obtained from an audit log file on the DHCP server using SMB, and the IPAM server also regularly retrieves service status for DHCP and DNS servers using [MS-SCMR]. The IPAM server communicates with DNS servers to get server configuration and DNS zone settings with Windows PowerShell commands for DNS Server using [MS-DNSP].

The IPAM server communicates with domain controllers and NPS using [MS-EVEN6] to collect user and computer logon events that are generated when a network access request is authenticated.

Scheduled tasks

The IPAM server maintains a local database that is dynamically updated by regularly scheduled data collection tasks. These tasks run on the IPAM server at configurable intervals and communicate with managed servers (domain controllers, NPS, DNS, and DHCP servers) using an agentless architecture. IPAM scheduled data collection tasks are summarized below. These tasks can be viewed and modified in Task Scheduler by navigating to Microsoft > Windows > IPAM.

Task name             Default frequency   Duration     Description
AddressExpiry         1 day               Indefinite   Tracks IP address expiry state and logs notifications.
AddressUtilization    2 hours             Indefinite   Collects IP address space usage data from DHCP servers to display current and historical utilization.
Audit                 1 day               Indefinite   Collects DHCP and IPAM server operational events. Also collects events from domain controllers, NPS, and DHCP servers for IP address tracking.
ServerAvailability    15 minutes          Indefinite   Collects service status information from DHCP and DNS servers.
ServerConfiguration   6 hours             Indefinite   Collects configuration information from DHCP and DNS servers for display in IP address space and server management functions.
ServerDiscovery       1 day               Indefinite   Automatically discovers the domain controllers, DHCP servers, and DNS servers in the domains you select.
ServiceMonitoring     30 minutes          Indefinite   Collects DNS zone status events from DNS servers.
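To confirm that the collection tasks above are actually running, here is an added example (not from the page) that audits the IPAM task folder with the ScheduledTasks module that ships with Windows Server 2012 and later. The task names are the ones in the table; a task that is missing, disabled, or exiting non-zero means the corresponding data (utilization samples, audit events, DNS zone status) is going stale without any error in the console.

```powershell
# Added example (not from the original page): audit the IPAM data-collection
# tasks under \Microsoft\Windows\IPAM. Run on the IPAM server.
$expected = 'AddressExpiry', 'AddressUtilization', 'Audit', 'ServerAvailability',
            'ServerConfiguration', 'ServerDiscovery', 'ServiceMonitoring'
$tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -ErrorAction Stop

$report = foreach ($name in $expected) {
    $t = $tasks | Where-Object TaskName -eq $name
    if (-not $t) {
        [pscustomobject]@{ Task = $name; State = 'MISSING'; LastRun = $null; LastResult = $null; Ok = $false }
        continue
    }
    $info = $t | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task       = $name
        State      = $t.State                                   # Ready / Running / Disabled
        LastRun    = $info.LastRunTime
        LastResult = ('0x{0:X8}' -f $info.LastTaskResult)       # 0x00000000 means the last run succeeded
        Ok         = ($t.State -ne 'Disabled' -and $info.LastTaskResult -eq 0)
    }
}

$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.Ok })
if ($bad.Count) { Write-Warning "$($bad.Count) IPAM collection task(s) need attention: $($bad.Task -join ', ')" }

# After changing the managed-server list, run discovery without waiting a day:
# Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerDiscovery'
```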

The IPAM database

Information in the IPAM database is regularly updated by data collection tasks, and can be modified by administrators. For example, when an administrator creates a custom logical group or assigns an expiration date to an IP address, this information is stored in the IPAM database and associated to specific managed servers.

The IPAM database uses the Windows Internal Database (WID) feature, a relational data store that is automatically installed when you install IPAM Server. In Windows Server 2012, IPAM does not support the use of an external database. For more information about WID, see Windows Internal Database Overview.

Important

IPAM in Windows Server 2012 R2 introduced the option to specify a SQL database to store IPAM data. To use SQL, the database server must be running SQL Server 2008 R2 or later. When you use a SQL database with IPAM, this does not enable additional IPAM reporting features, such as those associated with SQL Server Reporting Services. The use of a SQL server database is only intended to provide the option of using your existing database infrastructure, which might include existing backup and failover capabilities.

Role-based access control

When you install IPAM, local security groups are created on the IPAM server to provide role-based access control for different sets of IPAM administrators and users. IPAM uses these role-based access controls to determine what information is displayed in the IPAM client console. For example, viewing of IP address lease data can be restricted to a specific set of administrators by adding their user account to the IPAM IP Audit Administrators or IPAM Administrators group.

The following local user groups are created when you install IPAM:

IPAM Users: Members of this group can view all information in the server inventory, IP address space, and the monitor-and-manage nodes of the IPAM console. They can view IPAM and DHCP operational events in the Event Catalog node, but cannot view IP address tracking data.
IPAM MSM Administrators: Members have all the privileges of IPAM Users and can also perform server monitoring and management tasks in addition to IPAM common management tasks.
IPAM ASM Administrators: Members have all the privileges of IPAM Users and can also perform IP address space tasks in addition to IPAM common management tasks.
IPAM IP Audit Administrators: Members have all the privileges of IPAM Users, can view IP address tracking data, and can perform IPAM common management tasks.
IPAM Administrators: Members can view all IPAM data and perform all IPAM tasks.

Important

Role-based access control for IPAM in Windows Server 2012 R2 is enhanced, enabling you to configure custom administrator roles. The same local security groups that are listed in the previous table are available; however you can also use the IPAM client console to create groups with specific access control settings. For more information, see Access Control.

Managed servers

Managed servers must be running Windows Server 2008 or above.

The IPAM server communicates on a periodic basis with DHCP servers, DNS servers, domain controllers, and NPS using remote management technologies including: remote procedure call (RPC), Windows Management Instrumentation (WMI), Server Message Block (SMB) and Web Services for Management (WS-Management). This eliminates the need for deploying and maintaining dedicated management agents on each server, but requires that specific firewall ports be made available to the IPAM server.

4.IPAM install checklist #

Checklist: Deploy IPAM Server

Task Reference
Install the IPAM Server feature: Install IPAM Server
Configure the IPAM Database: Configure the SQL Database for IPAM; Specify the IPAM Database
Provision the IPAM server: Choose an IPAM Provisioning Method
Configure the scope of discovery: Configure Server Discovery
Start server discovery: Discover Servers on the Network; Manually Add a Server to Server Inventory
Configure settings on managed servers: Create IPAM Provisioning GPOs; Manually Configure DHCP Access Settings; Manually Configure DNS Access Settings; Manually Configure DC and NPS Access Settings
Select manageability status on managed servers: Choose Managed Servers
Verify IPAM access to managed servers: Verify Managed Server Access
Retrieve data from managed servers: Retrieve Data from Managed Servers

5.Getting Started with IPAM #

IPAM provides a dynamic view of your IP infrastructure, and the view is continually refreshed by periodic tasks that run on the IPAM server. IPAM also enables administrators to perform several configuration actions directly from the IPAM console.

IPAM is not enabled by default and must be installed as a server feature. You can install IPAM using the Add Roles and Features Wizard in Server Manager, or using Windows PowerShell. For example, to install an IPAM server, type the following command at an elevated Windows PowerShell prompt and press ENTER:


Install-WindowsFeature IPAM -IncludeManagementTools

Some restrictions apply to installing IPAM. Do not attempt to install IPAM without first reviewing the detailed step-by-step guidance in Deploy IPAM.

This topic summarizes how to begin using IPAM, and provides information about IPAM concepts and components.

The following table summarizes steps to begin using IPAM after it has been successfully installed:

# Step Summary More Information
1. Choose an IPAM server Connect to an IPAM server using the IPAM client console. The IPAM Client
2. Specify the IPAM database Use the IPAM provisioning wizard to specify SQL or Windows Internal Database for the IPAM database. This option is only available if the IPAM server is running Windows Server 2012 R2 or a later operating system. Specify the IPAM Database
3. Choose a provisioning method Use the IPAM provisioning wizard to select one of two provisioning methods: GPO-based (automatic) or manual. Provisioning IPAM
4. Configure the scope of discovery Choose one or more domains in the forest that contain servers you wish to manage with the selected IPAM server. Scope of discovery
5. Start server discovery Launch the server discovery task to retrieve a list of domain controllers, DNS servers, and DHCP servers from Active Directory. Discovering servers
6. Configure settings on managed servers Enable IPAM access by creating and applying GPOs to configure managed server settings, or configure settings manually. Configuring managed server access settings
7. Select manageability status on managed servers Choose servers and role services to manage from the list of discovered servers displayed in the server inventory. Select managed servers
8. Verify IPAM access Verify that the IPAM server has access to manage the selected services on managed servers. Verify managed server access
9. Retrieve data from managed servers Launch data collection tasks on the IPAM server to retrieve data from managed servers. Retrieve data
10. Visualize data Customize the IPAM client display to meet your needs. Using the IPAM Client Console

The relationship between different components of IPAM is illustrated below.

[Figure: relationship between the IPAM components]

See the following topics for more information about IPAM components and processes:

The IPAM Client

The IPAM client console is integrated with Server Manager. IPAM Client is installed by default when you install IPAM Server on a computer running Windows Server® 2012. The client automatically connects to the local IPAM server after installation, but can also be used to manage a different IPAM server. You can also install IPAM Client on a computer running Windows® 8. For more information about requirements for installing IPAM Client, see IPAM Architecture.

After installing IPAM Client, you must add at least one IPAM server to manage using Server Manager. You can view the IPAM client console by clicking IPAM in the Server Manager navigation pane. An IPAM client computer can connect to any IPAM server that is available in the pool of servers managed by the Server Manager console. You cannot connect to multiple IPAM servers simultaneously. To manage an IPAM server, click Connect to IPAM server in the IPAM console overview pane. When a successful connection is made, the fully qualified domain name (FQDN) of the IPAM server with the current domain and user ID is displayed in the IPAM OVERVIEW pane.

The IPAM client console provides administrators and users with multiple functions and custom views of IP address infrastructure services on the network. For more information about IPAM client console functionality, see Using the IPAM Client Console.

Provisioning IPAM

In IPAM, provisioning is the process of enabling the required permissions, file shares, and access settings so that the IPAM server can monitor and manage IP infrastructure servers (called managed servers) on the network. Provisioning has two steps:

  1. Choose a provisioning method.
  2. Configure managed server access settings.

After choosing a provisioning method, you can begin discovering servers on the network. It is not required to configure managed server access settings prior to performing server discovery. However, you will not be able to monitor and manage servers until managed server access settings are applied. If you choose the automatic GPO-based provisioning method, you can create these GPOs immediately. No settings are applied until a server is assigned a status of managed and Group Policy is updated.

Choosing a provisioning method

To choose a provisioning method, click Provision the IPAM server in the IPAM console overview pane to launch the Provision IPAM wizard. The wizard allows you to choose either the manual or Group Policy based provisioning method. These provisioning methods are described below.

  1. Manual: The manual provisioning method is typically used when the number of managed servers is small. If you choose the manual provisioning method, access settings must be configured individually on each managed server. Settings must also be removed manually if the server becomes unmanaged. You can use Group Policy to apply settings to managed servers even if the manual provisioning method is chosen, but you must apply and remove the GPOs yourself.

The manual provisioning method is not preferred because it is more complex and less consistent than the Group Policy based method.

  2. Group Policy based: The Group Policy based method is preferred because it is simpler and less prone to errors. If you choose the Group Policy based provisioning method, GPOs are applied automatically to servers when they are assigned a status of managed in the IPAM console. GPOs are also removed automatically if the status of a server changes from managed to unmanaged.

If you chose the Group Policy based method, you must also provide a GPO name prefix in the provisioning wizard. After providing a GPO name prefix, the wizard will display the GPO names that must be created in domains that will be managed by IPAM. The following role-based GPOs are required in each domain that contains managed servers. The wizard does not create these GPOs.

    • <GPO-prefix>_DHCP: This GPO is used to apply settings that allow IPAM to monitor, manage, and collect information from managed DHCP servers on the network.
    • <GPO-prefix>_DNS: This GPO is used to apply settings that allow IPAM to monitor and collect information from managed DNS servers on the network.
    • <GPO-prefix>_DC_NPS: This GPO is used to apply settings that allow IPAM to collect information from managed domain controllers and network policy servers (NPS) on the network for IP address tracking purposes.

Important

You cannot change the provisioning method for the current installation of IPAM Server after it has been selected. To change the provisioning method, you must uninstall and reinstall IPAM Server on the computer.

The following figure illustrates choices for applying settings to managed servers.

[Figure: choices for applying access settings to managed servers]

Configuring managed server access settings

The next step in IPAM provisioning is to configure group memberships, file shares, service access settings, and firewall ports on managed servers.

Depending on the provisioning method that was chosen, managed server access settings must either be configured individually on each managed server, or using IPAM provisioning Group Policy Objects (GPOs). The preferred method to create IPAM provisioning GPOs is with Windows PowerShell using the Invoke-IpamGpoProvisioning cmdlet. To create IPAM provisioning GPOs, you must have permission to configure Group Policy in the domain.

See the following example of how the Invoke-IpamGpoProvisioning cmdlet can be used to create IPAM provisioning GPOs. In this example, three GPOs are created (IPAM1_DHCP, IPAM1_DNS, IPAM1_DC_NPS) and linked to the contoso.com domain. These GPOs enable access for the server ipam1.contoso.com using the domain administrator account user1. Note: In this example, the hostname of the IPAM server is used as a GPO prefix, however this is not required.


Invoke-IpamGpoProvisioning -Domain contoso.com -GpoPrefixName IPAM1 -IpamServerFqdn ipam1.contoso.com -DelegatedGpoUser user1

For more information about IPAM Server Cmdlets in Windows PowerShell, see http://go.microsoft.com/fwlink/p/?linkid=262977.

The following table summarizes access settings that are enabled on managed servers when you apply IPAM provisioning GPOs. These settings must be configured manually on managed servers if IPAM provisioning GPOs are not used. Servers that will not be managed by IPAM do not require any configuration changes.

Managed Server Role IPAM Access Status Access Settings
DHCP DHCP RPC The computer account for the IPAM server must be a member of the DHCP Users security group.

The following firewall rules must be enabled:

  • DHCP Server (RPC-In)
  • DHCP Server (RPCSS-In)
DHCP DHCP audit share A network file share named Dhcpaudit must be created using the DHCP audit file folder, with Read access enabled for the computer account of the IPAM server.

The following firewall rules must be enabled:

  • File and Printer Sharing (NB-Session-In)
  • File and Printer Sharing (SMB-In)
DNS DNS RPC Read access for the computer account of the IPAM server must be added to DNS discretionary access control list (DACL).

The following firewall rules must be enabled:

  • DNS Service RPC
  • DNS Service RPC Endpoint Mapper
DHCP, DNS, domain controller, NPS Event log The computer account of the IPAM server must be a member of the Event Log Readers security group.

The computer account for the IPAM server must be granted read access in the ACL that is maintained by the following registry value on the DNS server: MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD. This is only required on DNS servers.

The following firewall rules must be enabled:

  • Remote Event Log Management (RPC)
  • Remote Event Log Management (RPC-EPMAP)
DHCP, DNS DHCP and DNS service monitoring The following firewall rules must be enabled:

  • Remote Service Management (RPC)
  • Remote Service Management (RPC-EPMAP)
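The table above lists what the provisioning GPOs configure; the following script is an added example (not from the Microsoft documentation this page reproduces) that applies the same settings on one managed server when the manual provisioning method is used. Run it in an elevated PowerShell session on the managed server itself. Assumed names: the IPAM server's computer account is CONTOSO\IPAM1$, the firewall rule display names are the ones quoted in the table, and the DNS rules are enabled through their display group ("DNS Service", the group name on the DNS server, which is an assumption here). It also handles the two cases the sections below describe: the DHCP service must be restarted before DHCP Users membership takes effect, and a DNS server that is not a domain controller needs local Administrators membership instead of an AD DACL entry.

```powershell
# Added example: manual IPAM access settings on a managed server (not from the source page).
# Run elevated on the managed server. Names below are assumptions, not values from the page.
param(
    [string]$IpamDomain  = 'CONTOSO',     # assumed NetBIOS domain of the IPAM server
    [string]$IpamAccount = 'IPAM1$',      # assumed computer account name of the IPAM server
    [ValidateSet('DHCP', 'DNS', 'DC', 'NPS')]
    [string[]]$Roles     = @('DHCP', 'DNS')   # roles hosted on this managed server
)
$ErrorActionPreference = 'Stop'

function Add-LocalGroupMemberIfMissing([string]$Group) {
    # ADSI works on Windows Server 2012/2012 R2, which do not ship Add-LocalGroupMember.
    $grp = [ADSI]"WinNT://./$Group,group"
    $members = @($grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($members -contains $IpamAccount) { Write-Host "$Group already contains $IpamAccount"; return }
    $grp.Add("WinNT://$IpamDomain/$IpamAccount")
    Write-Host "Added $IpamDomain\$IpamAccount to $Group"
}

function Grant-DnsEventLogRead {
    # IPAM reads the DNS Server event log through the log's CustomSD (an SDDL string).
    # Append a read-only ACE (access mask 0x1) for the IPAM computer account.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server'
    $nt  = New-Object Security.Principal.NTAccount($IpamDomain, $IpamAccount)
    $sid = $nt.Translate([Security.Principal.SecurityIdentifier]).Value
    $sddl = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if (-not $sddl) {
        # Writing a fresh CustomSD containing only our ACE would lock out every other reader,
        # so refuse instead of guessing the default descriptor.
        Write-Warning "CustomSD is not set under $key; grant read access on the DNS Server log manually."
        return
    }
    if ($sddl -notmatch [regex]::Escape($sid)) {
        Set-ItemProperty -Path $key -Name CustomSD -Value ($sddl + "(A;;0x1;;;$sid)")
        Write-Host "Granted $IpamAccount read access to the DNS Server event log"
    }
}

# Common to every managed role: event log access and service monitoring (table rows 4 and 5).
Add-LocalGroupMemberIfMissing 'Event Log Readers'
Enable-NetFirewallRule -DisplayName 'Remote Event Log Management (RPC)',
                                    'Remote Event Log Management (RPC-EPMAP)',
                                    'Remote Service Management (RPC)',
                                    'Remote Service Management (RPC-EPMAP)'

if ($Roles -contains 'DHCP') {
    Add-LocalGroupMemberIfMissing 'DHCP Users'
    Enable-NetFirewallRule -DisplayName 'DHCP Server (RPC-In)', 'DHCP Server (RPCSS-In)',
                                        'File and Printer Sharing (NB-Session-In)',
                                        'File and Printer Sharing (SMB-In)'
    # The Dhcpaudit share must expose the DHCP audit log folder; read the path from the
    # service instead of assuming %SystemRoot%\System32\dhcp.
    $auditPath = (Get-DhcpServerAuditLog).Path
    if (-not (Get-SmbShare -Name Dhcpaudit -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name Dhcpaudit -Path $auditPath -ReadAccess "$IpamDomain\$IpamAccount" | Out-Null
        Write-Host "Created share Dhcpaudit on $auditPath"
    }
    # DHCP Users membership is evaluated when the DHCP Server service starts, so restart it once.
    Restart-Service -Name DHCPServer
}

if ($Roles -contains 'DNS') {
    Enable-NetFirewallRule -DisplayGroup 'DNS Service'   # assumed display group for the DNS RPC rules
    Grant-DnsEventLogRead
    # A DNS server that is not a domain controller has no AD DACL to edit: IPAM then needs
    # local Administrators membership for DNS RPC access (DomainRole 4/5 = domain controller).
    $isDc = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4
    if (-not $isDc) { Add-LocalGroupMemberIfMissing 'Administrators' }
}
```

After the script runs, refresh the server access status from the IPAM console (or run the ServerDiscovery task) so the per-role access columns move from Not checked to Unblocked; if the DNS Server log had no CustomSD, the Event Log Access Status for that server stays Blocked until the ACL is set.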

As previously described, IPAM GPOs are applied automatically when the Group Policy based provisioning method is chosen. However, if you have chosen the manual provisioning method, you can also create IPAM provisioning GPOs and apply these GPOs manually. This ensures that the settings applied to managed servers in the domain are consistent. To apply GPOs manually, add managed servers to security filtering for each GPO depending on the role services to be managed.

After you have chosen a provisioning method, you can configure the scope of discovery and begin adding servers to manage with IPAM.

Server discovery

Server discovery has two steps:

  1. Define the scope of discovery.
  2. Discover servers on the network.

Scope of discovery

IPAM leverages Active Directory to define the scope of servers to be managed. To begin discovering servers, click Configure server discovery in the IPAM client console and choose at least one domain in the forest to discover. To choose a domain, select it from the drop-down list and then click Add.

In each domain chosen, specify the type of servers to discover. By default, domain controllers, DHCP servers, and DNS servers are discovered. In the following example, the root domain has been chosen with all managed server roles enabled for discovery.

[Figure: Configure Server Discovery dialog with the root domain added and all server roles selected]

When you have completed adding domains and server roles to discover, click OK. The number of domains selected will be displayed in the IPAM console. You can add or remove domains from the scope of discovery at any time.

Discovering servers

To discover server roles, the server must be running Windows Server 2008 or later. To begin discovering servers on the network, click Start server discovery to launch the IPAM ServerDiscovery task. You can also click Manage on the Server Manager menu, and then click Start Server Discovery. This task runs automatically at a specified interval, and can also be started on-demand. For more information about IPAM tasks, see Scheduled tasks.

When the discovery task completes, click Select or add servers to manage and verify IPAM access to view the current list of servers in the IPAM server inventory. The following sections discuss how IPAM discovers different server roles on the network.

Domain controllers

Domain controllers are discovered in the domains you specify by querying Active Directory. If a domain controller is not discovered, verify that it is found in Active Directory. The following is an example query that displays a list of domain controllers running Windows Server 2008 or later. Replace contoso.com with the domain that is being discovered.


Get-ADDomainController -Filter {OperatingSystemVersion -ge "6.0"} -Server contoso.com

DHCP servers

IPAM discovers DHCP servers that are authorized in the Active Directory domains you specify and that respond to a DHCPInform message.

Important

If the DHCP server role is installed on the same server with IPAM, DHCP servers will not be discovered on the network.

To discover DHCP servers, the IPAM server reads the DHCP server list stored in the DHCPServers group found in the NetServices container (CN=NetServices,CN=Services,CN=Configuration,DC=domain,DC=com) in Active Directory. If a DHCP server is not discovered, verify that it is found in Active Directory and that the DHCP service is responding to requests. The following is an example query for DHCP servers that are authorized in Active Directory for the contoso.com domain.


Get-DhcpServerInDC | Where-Object {$_.DnsName -match "contoso.com"}

DNS servers

IPAM discovers authoritative DNS servers in the domains you specify by issuing a DNS query to the default DNS server configured on the IPAM server’s network interface. If a DNS server is not discovered, verify that it is found in DNS. The following is an example query for authoritative DNS servers in the contoso.com domain.


nslookup -q=ns contoso.com

DNS servers must be authoritative and have a name server (NS) record present in the domain zone. Caching-only DNS servers are not discovered and cannot be managed with IPAM. Also note that if a DNS server is not running on a domain controller, additional procedures are required to enable monitoring and management access by the IPAM server. See Verify managed server access for more information.
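The three one-line queries above each check one server role. The following added example (mine, not part of the Microsoft documentation) runs all three from the IPAM server before the ServerDiscovery task and flags the two discovery pitfalls this section describes: a DHCP Server role installed on the IPAM server itself, and domain controllers running DNS that have no NS record in the zone. Assumed: the IPAM server is domain-joined, the ActiveDirectory (RSAT-AD-PowerShell) and DhcpServer modules are installed, and the domain being discovered is contoso.com.

```powershell
# Added example: pre-discovery checks run on the IPAM server (not from the source page).
# Assumes the ActiveDirectory and DhcpServer modules are installed; domain name is an assumption.
param([string]$Domain = 'contoso.com')

function Test-IpamDiscoveryPrerequisites([string]$Domain) {
    Import-Module ActiveDirectory, DhcpServer -ErrorAction Stop

    # 1. Domain controllers IPAM can manage: Windows Server 2008 (NT 6.0) or later.
    #    OperatingSystemVersion looks like "6.3 (9600)"; compare the numeric prefix as a version
    #    rather than as a string so that "10.0" sorts after "6.3".
    $dcs = Get-ADDomainController -Filter * -Server $Domain |
           Where-Object { $_.OperatingSystemVersion -and
                          [version]($_.OperatingSystemVersion -replace '\s.*$') -ge [version]'6.0' } |
           Select-Object -ExpandProperty HostName

    # 2. DHCP servers authorized in AD for this domain (what IPAM reads from the NetServices
    #    container). Anchor the suffix match so "contoso.com.example" does not match.
    $dhcp = Get-DhcpServerInDC |
            Where-Object { $_.DnsName -match "\.$([regex]::Escape($Domain))$" } |
            Select-Object -ExpandProperty DnsName

    # 3. Authoritative DNS servers: only hosts with an NS record in the zone are discovered.
    $ns = Resolve-DnsName -Name $Domain -Type NS -ErrorAction Stop |
          Where-Object { $_.Type -eq 'NS' } |
          Select-Object -ExpandProperty NameHost

    # Domain controllers without an NS record will be managed as DCs only, not as DNS servers.
    $dcsWithoutNs = @($dcs | Where-Object { $ns -notcontains $_ })

    # A DHCP Server role on the IPAM server itself prevents discovery of any DHCP server.
    $localDhcp = (Get-WindowsFeature -Name DHCP).Installed

    [pscustomobject]@{
        Domain                       = $Domain
        DomainControllers            = @($dcs)
        DhcpServers                  = @($dhcp)
        DnsServers                   = @($ns)
        DcsWithoutNsRecord           = $dcsWithoutNs
        LocalDhcpRoleBlocksDiscovery = [bool]$localDhcp
    }
}

$report = Test-IpamDiscoveryPrerequisites -Domain $Domain
$report | Format-List
if ($report.LocalDhcpRoleBlocksDiscovery) {
    Write-Warning 'The DHCP Server role is installed on this IPAM server; no DHCP servers will be discovered.'
}
foreach ($h in $report.DcsWithoutNsRecord) {
    Write-Warning "$h has no NS record in $Domain and will not be discovered as a DNS server."
}
```

Compare the three lists with the server inventory after discovery completes; a server present in one of these lists but absent from the inventory points at a discovery problem (AD replication, an unauthorized DHCP server, or a missing NS record), whereas a server in the inventory with a Blocked status is an access-settings problem covered under Verify managed server access.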

NPS servers

NPS servers are not automatically discovered by IPAM. However, you can add NPS servers to the server inventory by clicking TASKS and then clicking Add Server. In the Add or Edit Server dialog box, type the fully qualified domain name next to Server name, click Verify, select NPS server, choose the Manageability status and then click OK.

When you add a server manually to the server inventory, IPAM verifies that the server name exists in DNS, and that the IP address does not conflict with an existing server in the inventory.

Select managed servers

After auto-discovering or manually adding servers to the server inventory, you must choose whether or not they will be managed by the IPAM server.

Clicking Select or add servers to manage and verify IPAM access will display the current server inventory. To specify manageability status, right-click one or more servers in the inventory and then click Edit Server. The Add or Edit Server dialog box is displayed. Press and hold SHIFT or CTRL to select multiple servers.

[Figure: Add or Edit Server dialog with the Manageability status setting]

You can choose the following settings next to Manageability status:

  1. Unspecified. This is the default setting and is intended to be temporary. Servers that are Unspecified typically do not have access settings applied. IPAM will not attempt to collect data from these servers, but retains information about the server in its database. You can use this setting when a server is offline temporarily, such as during a maintenance cycle.
  2. Unmanaged. Choose this setting if a server will not be monitored and managed by the current IPAM server. Servers that are Unmanaged typically do not have access settings applied. IPAM does not attempt to collect data from these servers, and data from these servers is not maintained in the IPAM database.
  3. Managed. Choose this setting if the server will be monitored and managed by the current IPAM server. Servers that are Managed typically have access settings applied, or will have access settings applied in the future. IPAM attempts to collect data from these servers periodically based on the server roles that are selected, and maintains historical data for managed servers in the IPAM database.

If you are using the manual provisioning method, permissions and settings that enable access by the IPAM server can be applied to managed servers either before or after you choose their manageability status. If you are using the automatic GPO-based provisioning method, settings will be dynamically applied or removed depending on the manageability status you select.

After you have chosen the servers that will be managed by IPAM, the next step is to verify that these managed server have the correct access settings applied to allow the IPAM server permission to monitor and manage the server roles you have selected.

Verify managed server access

Access status is summarized in the IPAM Access Status column in server inventory. Possible values are:

  1. Not checked: This status is displayed if a server was recently added or edited. It remains until the ServerDiscovery task is run and the server inventory view is refreshed. To run the ServerDiscovery task, select one or more servers in the server inventory, right-click, and then click Refresh Server Access Status.
  2. Unblocked: For access status to be unblocked, access to all settings required for all roles selected next to Server type must be unblocked.
  3. Blocked: This status indicates that one or more access settings are blocked. If some, but not all, access settings are unblocked, access status will be blocked.

[Figure: IPAM Access Status column in the server inventory view]

To view the current status of all access settings, click a server in the server inventory view and review the information on the Details tab.

Tip

If access status is applied using GPOs, you might need to wait for Group Policy to be updated, or you can update Group Policy immediately using gpupdate. Verify that the appropriate GPOs are applied by typing gpresult /r at an elevated command prompt.

If managed server access settings have been recently applied, run the ServerDiscovery task and refresh the server inventory view. You can also wait for the view to refresh automatically.

The Details View displays additional information about IPAM access status that specifically applies to the managed server roles that are selected, including:

Status Possible values
Manageability Status Managed, Unmanaged, Unspecified
IPAM Access Status Unblocked, Blocked, Not checked
Recommended Action IPAM Access Unblocked, Unblock IPAM Access, Set Manageability Status
DHCP RPC Access Status Unblocked, Blocked, Not applicable, Not checked
DHCP Audit Share Access Status Unblocked, Blocked, Not applicable, Not checked
DNS RPC Access Status Unblocked, Blocked, Not applicable, Not checked
Event Log Access Status Unblocked, Blocked, Not applicable, Not checked

The IPAM access status for a managed server is a summary of all the applicable role-based access statuses displayed. For example, if the server type is [DNS, DHCP], and DHCP access status is unblocked but DNS access status is blocked, then the overall IPAM access status will be blocked. To determine why the IPAM access status is blocked, it is important to review information in the details view to determine the specific type of access that is blocked.

Verifying managed DHCP servers

DHCP service access settings require that the IPAM server is added to the DHCP Users security group. This is done automatically if you are using the Group Policy based provisioning method. However, since permissions for this group are applied when the DHCP Server service starts, you must restart the DHCP service if the server running IPAM does not already have this permission.

Note

IPAM operational event logging is not supported on DHCP servers running Windows Server 2008. In the server inventory view, these servers will display a status of Blocked. However, you can still create and edit scopes and server options on DHCP servers running Windows Server 2008.

Verifying managed DNS servers

To enable IPAM access to managed DNS servers, read access for the computer account of the IPAM server must be added to DNS discretionary access control list (DACL). However, the DACL is only applicable to Active Directory-integrated DNS servers. Therefore, you cannot perform this procedure if the DNS server is not also a domain controller. In order for IPAM to manage the DNS Server service when it is not running on a domain controller, you must add the computer account of the IPAM server to the local administrators group on the DNS server. If the IPAM server is not a member of local administrators on the DNS server, then DNS RPC access will be blocked.

Retrieve data

Data needs to be collected from managed servers before you can begin visualizing this information. Data collection tasks run automatically on the IPAM server at regular intervals. For more information about these tasks, see IPAM Architecture.

You can also choose to run all IPAM data collection tasks on all managed servers immediately. To run these tasks, click Retrieve data from managed servers in the IPAM overview pane. To run all data collection tasks only on selected servers, select the servers from the server inventory view, right-click, and then click Retrieve All Server Data.

6.Ipam Quick config #

Ipam Quick setup.

Step 1 – Installation

IPAM can be installed in two ways: using Windows PowerShell, or from the Roles and Features section of the Server Manager console:

add roles and features wizard

With Windows PowerShell this operation can be performed much faster by executing the following command:

Install-WindowsFeature IPAM -IncludeManagementTools

Step 2 – Provisioning

Once the installation has completed successfully, open the Server Manager console and navigate to the IPAM section. Here you will find all available IPAM server tasks:

ipam server tasks

Select the second option, Provision the IPAM server, to start the IPAM configuration wizard. This is where the IPAM database, security groups, scheduled tasks and folders are created.

Step 3 – Provisioning Method

You must configure how the IPAM server interacts with the network servers it manages; there are two options: manually or by using GPOs. Simply put, with the first option an administrator has to configure security groups, firewall rules and network shares by hand on each machine. This method is not recommended, since it adds a lot of extra configuration and increases the overall complexity of the IPAM deployment.

The second option is much easier to implement, since it uses Group Policy Objects to configure all IPAM managed servers. Unless you simply cannot use the second option, you should always use GPOs to configure servers managed by IPAM. Note that you have to specify a prefix that will be applied to the names of the IPAM GPOs:

ipam provisioning methods

Once the wizard has completed successfully, three Group Policy Objects are expected: one for DHCP servers (prefix_DHCP), one for DNS servers (prefix_DNS) and one for domain controllers and NPS servers (prefix_DC_NPS). The wizard only reserves these names; the GPOs themselves are created in Step 5 with Invoke-IpamGpoProvisioning.

Step 4 – Configure Server Discovery

Select the third task from the IPAM console to configure server discovery. This is where we specify which servers should be discovered by our IPAM machine. You will need to select and add the domains to discover. By default, all three types of servers are selected: DNS, DHCP and Domain Controllers. You can change the discovery options by selecting only the desired server types:

configure server discovery

Step 5 – Start Discovery

Once this section has been covered, select the 4th task to start the server discovery procedure:

start server discovery task

If the discovered machines show an IPAM Access Status of Blocked, run the following PowerShell command to create the GPOs that will later be applied to those machines (the domain and prefix are the ones used in this walkthrough):

Invoke-IpamGpoProvisioning -Domain ppscu.com -GpoPrefixName IPAMPPSCU

invoke ipamgpoprovisioning

Step 6 – Verify GPOs

You can now verify the GPOs in the Group Policy Management Console. Connect to the blocked machine and execute gpupdate /force to propagate the newly created GPOs.

For each machine you will have to change its manageability status to Managed. To do so, right-click the blocked machine and select Edit Server:

add or edit server for ipam

The machine should change its IPAM Access status to Unblocked.

Step 7 – Import Data

Now that the server has been added to IPAM, you can retrieve its data by right-clicking the machine and selecting Retrieve All Server Data. You can also run the 6th task from the IPAM console, Retrieve data from managed servers:

ipam server inventory

That’s about it for the configuration part of an IPAM server. We’ve covered the most important steps that you need to take in order to successfully deploy IPAM within your enterprise. If you have followed these steps precisely, you should have installed and configured an IPAM machine with at least one discovered host. Note that the same principles apply in a large organization with many hosts. I want to discuss other aspects of this technology further, so stay tuned for the following article in which we’ll mostly talk about IPAM IP address spaces.
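The seven steps above, and the ten-step Getting Started table earlier on this page, are one procedure. The following added example (mine, not the tutorial author's or Microsoft's) runs that procedure from the IPAM server with the IpamServer module instead of clicking through the console. Assumed values: domain ppscu.com and GPO prefix IPAMPPSCU (taken from the tutorial), IPAM server ipam01.ppscu.com, and one server dc01.ppscu.com hosting the DC, DNS and DHCP roles. The cmdlets Invoke-IpamServerProvisioning, Add-IpamDiscoveryDomain, Set-IpamServerInventory and Get-IpamServerInventory are from the Windows Server 2012 R2 IpamServer module; their exact parameter sets are quoted from memory and should be confirmed with Get-Help before use. The scheduled task folder \Microsoft\Windows\IPAM\ is likewise an assumption.

```powershell
# Added example: IPAM quick configuration from PowerShell on the IPAM server (not from the source page).
# Requires an elevated session, domain admin (or delegated GPO) rights, and Windows Server 2012 R2.
$ErrorActionPreference = 'Stop'
$Domain    = 'ppscu.com'           # from the tutorial
$GpoPrefix = 'IPAMPPSCU'           # from the tutorial
$IpamFqdn  = 'ipam01.ppscu.com'    # assumed
$Target    = 'dc01.ppscu.com'      # assumed DC that also runs DNS and DHCP
$TaskPath  = '\Microsoft\Windows\IPAM\'   # assumed folder of the IPAM scheduled tasks

# Step 1: install the feature (no-op if already installed).
if (-not (Get-WindowsFeature -Name IPAM).Installed) {
    Install-WindowsFeature -Name IPAM -IncludeManagementTools | Out-Null
}
Import-Module IpamServer, GroupPolicy

# Steps 2-3: provision with Group Policy based (Automatic) provisioning. The method cannot be
# changed afterwards without reinstalling IPAM, so only provision when not already done.
$config = Get-IpamConfiguration
if ($config.ProvisioningMethod -ne 'Automatic') {   # property name assumed
    Invoke-IpamServerProvisioning -ProvisioningMethod Automatic -GpoPrefix $GpoPrefix -Force
}

# Step 4: scope of discovery; discover DCs, DNS and DHCP servers in the domain.
if (-not (Get-IpamDiscoveryDomain | Where-Object { $_.Name -eq $Domain })) {
    Add-IpamDiscoveryDomain -Name $Domain -DiscoverDc $true -DiscoverDns $true -DiscoverDhcp $true
}

# Step 5: create the three provisioning GPOs (the wizard does not create them), then run the
# ServerDiscovery task now instead of waiting for its schedule, and wait for it to finish.
Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $GpoPrefix -IpamServerFqdn $IpamFqdn -Force
Start-ScheduledTask -TaskPath $TaskPath -TaskName 'ServerDiscovery'
while ((Get-ScheduledTask -TaskPath $TaskPath -TaskName 'ServerDiscovery').State -eq 'Running') {
    Start-Sleep -Seconds 5
}

# Step 6: mark the target as Managed for the roles it hosts. With automatic provisioning IPAM
# adds the server to the GPOs' security filtering; the server still has to refresh Group Policy
# before its access status can become Unblocked.
Set-IpamServerInventory -Name $Target -ServerType DC, DNS, DHCP -ManageabilityStatus Managed
Invoke-GPUpdate -Computer $Target -Force -RandomDelayInMinutes 0

# Re-check access: one blocked setting makes the whole server Blocked, so show every
# access-related column rather than only the summary.
Start-ScheduledTask -TaskPath $TaskPath -TaskName 'ServerDiscovery'
while ((Get-ScheduledTask -TaskPath $TaskPath -TaskName 'ServerDiscovery').State -eq 'Running') {
    Start-Sleep -Seconds 5
}
Get-IpamServerInventory | Where-Object { $_.Name -eq $Target } |
    Select-Object Name, ServerType, ManageabilityStatus, *Access* | Format-List

# Step 7: "Retrieve all server data" is the set of IPAM collection tasks; start them all.
Get-ScheduledTask -TaskPath $TaskPath | Where-Object { $_.TaskName -ne 'ServerDiscovery' } |
    Start-ScheduledTask
```

If the access columns still read Blocked after the Group Policy refresh, the usual cause on a DHCP server is that the DHCP Server service has not been restarted since the IPAM computer account joined DHCP Users, and on a stand-alone DNS server that the IPAM computer account is not a local administrator; both cases are described in the Verify managed server access section above.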
