Configuring IPAM Step by Step

    An integral part of network administration is the management of IP addresses. Prior to the release of Windows Server 2012, system administrators had to use tables, various third-party tools, and custom scripts to comprehensively manage the entire IP address space, as well as DNS and DHCP services. With the release of Windows Server 2012, the situation changed: IPAM (IP Address Management) appeared. This article explains what IPAM is and how to configure the service on your network.

    As noted above, before the advent of IPAM, you had to use improvised tools to manage IP addresses on the network: from third-party tools to an address list in an Excel spreadsheet. As a result, network administration productivity fell while costs rose. Moreover, the available tools were suitable for managing network addresses only in the short term: the more the network grew and the longer it was in operation, the more laborious the task became.
    With the release of Windows Server 2012, a built-in tool for managing network IP addresses, IPAM, appeared. IPAM (IP Address Management) is an IP address management service first introduced in Windows Server 2012 and Windows Server 2012 R2. Further improvements to IPAM can be expected in Windows Server vNext. IPAM is a platform for discovering, monitoring, managing and auditing the IP address space in an organization’s network.
    Among the main features of IPAM are the following:
    • Automatic IP Infrastructure Discovery
    • Convenient and flexible means for displaying, managing and reporting IP address space
    • Auditing DHCP and IPAM Service Configuration Changes
    • Monitoring and managing DHCP and DNS services
    • IP Lease Tracking

    The main advantage of IPAM is a single console that provides configuration information for all DNS and DHCP services in the forest. Using this console, you can change the settings of, for example, one or several DHCP scopes without writing additional scripts or manually configuring each DHCP server. We will see an example of such a change later.
    But first, we’ll deploy the IPAM service and also see how it can be used to monitor DNS and DHCP services.

    Deploy IPAM Server

    In order to start working with IPAM Server, you must install it - IPAM is not included in the set of services installed by default. There are two ways to install. You can use the following PowerShell command:
    Install-WindowsFeature IPAM -IncludeManagementTools
    You can also use the Add Roles and Features Wizard:

    After the IPAM installation process is completed, you must prepare it for work. To do this, in Server Manager, select IPAM and then Provision the IPAM server:

    You can choose between two methods of preparation: manual or Group Policy based. What is the difference between these two methods?
    The manual method for preparing an IPAM server is recommended if the number of managed servers is small. If you choose this method, be prepared to configure the access settings manually on each of the managed servers. You will also have to remove the settings manually when you no longer need to manage a given server. You can use group policies to apply the necessary settings to managed servers even if you chose the manual preparation method, but all GPOs must be applied or deleted manually. Because the manual method of preparing an IPAM server is more time-consuming and complicated, the method based on group policies is preferable.
    Preparing the IPAM server using Group Policy is simpler and has a lower chance of errors. When using this method, GPOs are applied and deleted automatically on managed servers. This method is offered by default in the IPAM Preparation Wizard. You need to enter a prefix for the names of the GPOs:

    It is worth noting here that if you choose to prepare an IPAM server using group policies, you cannot change it to a manual preparation method. But in the opposite case, you can change the manual preparation method to preparation using group policies using the Windows PowerShell cmdlet:

    Now back to the Preparation Wizard. Having chosen the preparation method using group policies, we get a message that the settings will be applied to managed servers using the following group policy objects:
    • _DHCP: this GPO is used to apply settings by which IPAM can monitor, manage and collect information from managed DHCP servers on the network
    • _DNS: this GPO is used to apply settings by which IPAM can monitor and collect information from managed DNS servers on the network
    • _DC_NPS: this GPO is used to apply settings by which IPAM will be able to collect information from managed domain controllers and from Network Policy Servers (NPS) on the network for a DHCP server on the network to track IP addresses

    In our case, GPOs will be named IPAM_DHCP, IPAM_DNS, and IPAM_DC_NPS, respectively. To complete the IPAM preparation, check that the information on the Summary tab is correct and click Apply. The preparation process will take some time. As a result, you will see a message stating that the IPAM preparation was completed successfully:

    The message about the next steps is important here: the GPOs have not been created yet, and they will need to be created afterwards using the PowerShell cmdlets:

    We will do that a bit later. In the meantime, go to Server Manager and configure server discovery:

    In the window that appears, select the domain to be discovered. In our case, this is the root domain of After adding this domain, you need to make sure that among the server roles there is a domain controller, DHCP and DNS server. Click OK.

    Now let's start server discovery:

    After the task completes, go to Server Manager and open the IPAM - SERVER INVENTORY tab. You will see that for the dsc01 and DC servers, the “Management status” column displays the “Not defined” status, and the “Access status” column displays “Blocked”. You must grant IPAM permission to manage these servers using GPOs.

    Now recall the next step that was recommended after completing the IPAM preparation. We need to run Windows PowerShell with administrator privileges on the IPAM server and use the following cmdlet (the angle-bracket values are placeholders for your own domain name and the FQDN of the IPAM server):
    Invoke-IpamGpoProvisioning -Domain <domain-fqdn> -GpoPrefixName IPAM -DelegatedGpoUser Administrator -IpamServerFqdn <ipam-server-fqdn>

    Now Group Policy objects are created, which can be seen in the Group Policy Management snap-in:

    Back to Server Manager. In the IPAM - SERVER INVENTORY tab, right-click on one of the servers and select Edit Server . In the window that appears, change the item “Management Status” to “Managed” and click OK. Repeat the same for the second server.

    Now the Group Policy changes must take effect on the DC and dsc01 servers. The fastest way is to run the following command on each of those servers:
    gpupdate /force

    Wait for the command to complete on each of the servers. Then return to the IPAM server, open Server Manager - IPAM - SERVER INVENTORY, refresh “IPv4”, and update the server access status by right-clicking each server and selecting “Refresh Server Access Status”. As a result, the servers should show the status “Unblocked” in the “IPAM Access Status” column.
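
    If a server stays “Blocked”, the state of the three GPOs created above is the first thing to check. The script below is an added example, not part of the original article: it assumes the GroupPolicy module (Group Policy Management tools), the IPAM prefix used above, and that it runs in the domain where the GPOs were created. The variable names and the report layout are illustrative.

```powershell
# Added example (not from the article): audit the three IPAM provisioning GPOs.
# Assumes the GroupPolicy module (Group Policy Management tools) and the current domain.
Import-Module GroupPolicy

$prefix   = 'IPAM'                       # prefix entered in the provisioning wizard
$suffixes = '_DHCP', '_DNS', '_DC_NPS'   # suffixes listed by the wizard

$report = foreach ($suffix in $suffixes) {
    $name = "$prefix$suffix"
    try   { $gpo = Get-GPO -Name $name -ErrorAction Stop }
    catch { $gpo = $null }

    if (-not $gpo) {
        # Invoke-IpamGpoProvisioning was not run, or a different prefix was used
        [pscustomobject]@{ Gpo = $name; Status = 'MISSING'; LinkedTo = ''; AppliesTo = ''; CanEdit = '' }
        continue
    }

    # Where the GPO is linked, read from the XML report
    $xml   = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
    $links = @($xml.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })

    # Security filtering (who receives the settings) and edit rights (who can change them)
    $perms = Get-GPPermission -Guid $gpo.Id -All
    $apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object { $_.Trustee.Name })
    $edit  = @($perms | Where-Object { $_.Permission -like 'GpoEdit*' } | ForEach-Object { $_.Trustee.Name })

    [pscustomobject]@{
        Gpo       = $name
        Status    = $gpo.GpoStatus
        LinkedTo  = $links -join '; '
        AppliesTo = $apply -join '; '
        CanEdit   = $edit  -join '; '
    }
}

$report | Format-List
```

    AppliesTo should contain only the servers you set to “Managed”, and CanEdit deserves the same review as any other privileged group, because whoever can edit these GPOs controls settings on the DHCP, DNS and domain controller servers they apply to.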

    Now, let's go back to the IPAM - OVERVIEW tab and select “Retrieve data from managed servers” and wait for this task to complete:

    The following data collection tasks will be automatically launched: AddressExpiry, AddressUtilization, Audit, ServerAvailability, ServiceMonitoring, ServerConfiguration.
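
    The tasks listed above are ordinary scheduled tasks on the IPAM server, so their state can be checked without the console. The script below is an added example, not part of the original article; it assumes the tasks are registered under the \Microsoft\Windows\IPAM\ folder of Task Scheduler and uses the ScheduledTasks module that ships with Windows Server 2012. The Healthy column is a convention of this example.

```powershell
# Added example (not from the article): health check of the IPAM data-collection tasks.
# Assumption: the tasks live under \Microsoft\Windows\IPAM\ on the IPAM server.
$taskPath = '\Microsoft\Windows\IPAM\'
$expected = 'AddressExpiry', 'AddressUtilization', 'Audit',
            'ServerAvailability', 'ServiceMonitoring', 'ServerConfiguration'

# Index the registered tasks by name
$found = @{}
Get-ScheduledTask -TaskPath $taskPath -ErrorAction SilentlyContinue |
    ForEach-Object { $found[$_.TaskName] = $_ }

$status = foreach ($name in $expected) {
    $task = $found[$name]
    if (-not $task) {
        [pscustomobject]@{ Task = $name; State = 'NOT REGISTERED'; LastRun = $null
                           LastResult = $null; Healthy = $false }
        continue
    }

    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task       = $name
        State      = $task.State
        LastRun    = $info.LastRunTime
        LastResult = '0x{0:X}' -f $info.LastTaskResult   # 0x0 means the last run succeeded
        # Healthy here means: not disabled and the last run returned success
        Healthy    = ($task.State -ne 'Disabled') -and ($info.LastTaskResult -eq 0)
    }
}

$status | Format-Table -AutoSize

# Call out anything that needs attention, the Audit task first of all:
# if it is not running, the configuration-change history in IPAM stops growing.
$status | Where-Object { -not $_.Healthy } | ForEach-Object {
    Write-Warning ("IPAM task '{0}' needs attention (state: {1}, last result: {2})" -f
        $_.Task, $_.State, $_.LastResult)
}
```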

    At this stage, we have completed the configuration of the IPAM server; next we will see how it can be used in practice. As an example, consider infrastructure monitoring and management using IPAM.

    Infrastructure monitoring and management

    IPAM allows you to automate the monitoring of DHCP and DNS servers throughout the forest and to configure how often it runs. It is also possible to manage several servers at once, applying settings automatically, and to monitor DHCP and DNS servers in the AD forest periodically. In addition, multiple DHCP servers and the scope settings of distributed servers can be managed with just one click.
    As an example, consider how you can monitor and manage DHCP and DNS servers using IPAM.
    Open Server Manager on the IPAM - MONITOR AND MANAGE - DNS and DHCP Servers tab. Note that in the “Server Type” field (1) you can select not only DNS and DHCP together, but also filter to show only DNS or only DHCP. By choosing one of the servers, you can view the properties of this server, its parameters and the event catalog (2):

    Now, let's select DHCP in the Server Type field, and Scope Properties in the View field:

    Right-click the MVA DHCP scope - scope 1 and select Duplicate DHCP Scope. In the appearing “Duplication of DHCP Scope” dialog box, change the value of the “Scope Name” field, and in the “General Properties” section, enter the following values:
    • Starting IP Address:
    • Final IP Address:
    • Subnet Mask:

    As necessary, you can change other properties of the scope. After all the necessary changes have been made, click OK and make sure that another scope is now displayed in the list - MVA-scope2.

    The same scope will appear in the DHCP console on our DHCP server DSC01.

    If you return to the IPAM server, select both DHCP scopes and right-click them, you can change the settings for both scopes at once.

    Of course, using IPAM, you can monitor various types of events on DNS and DHCP servers, including data about both the servers themselves and the clients. To view audit logs and events, select EVENT CATALOG in the IPAM navigation menu. By default, IPAM Configuration Events is selected in the lower navigation area. You can select other events for viewing, as well as export them to a file for further viewing and analysis.

    I hope the information in this article was useful to you!
