Windows Server 2012 introduces a brand new feature that allows network administrators to aggregate multiple DNS and DHCP servers and manage them from a centralized location. Welcome to Internet Protocol Address Management (IPAM).
This article examines how IPAM works in Windows Server 2012 along with its benefits and limitations; we will walk through the step-by-step IPAM installation and configuration in a network environment where domain controllers, DNS and DHCP servers are already up and running.
The Need for IPAM
The more IP-enabled devices in a network, the greater the need for a system to document, manage, and monitor the IP address space that allows those devices to access network resources. Tracking IP addresses and DNS names throughout an enterprise network becomes a real challenge when several DNS and DHCP servers are involved across multiple locations. Third-party solutions to this issue have been around for quite a while but Windows Server 2012 is the first Microsoft server operating system that provides built-in IPAM functionality. However, IPAM is not enabled by default; it must be installed as a server feature using Server Manager, Windows PowerShell or the Deployment Image Servicing and Management (DISM) command-line tool.
The IPAM feature on Windows Server 2012 is a centralized tool from which a system administrator can discover, audit, monitor, and manage IPv4 and IPv6 addresses while maintaining a wide-ranging view of where IP addresses are used in the network. This is possible because IPAM supports the management and surveillance of DHCP and DNS servers while collecting information from domain controllers and network policy servers. That information feeds the Windows internal database and is critical for IPAM to function.
* IPv4 and IPv6 address space planning and provisioning.
* Managing DHCP and DNS records.
* IP address usage statistics and monitoring.
* DNS service zone monitoring.
* Tracking of IP addresses lease, release, and renewal.
* Tracking of logon and logoff events.
* Role-based access control.
* Allow remote management using the Remote Server Administration Tools (RSAT).
* IPAM stores three years of related network information, i.e. user logon and logoff, MAC addresses, IP address leases, etc. for up to 100,000 users.
* By enabling tracking and forecasting of the IP address space, the IPAM centralized console helps to optimize the IP address utilization and manage capacity planning for DNS and DHCP.
IPAM modular approach
IPAM installation automatically includes a server and a client component. The server side executes the data collection from DHCP, DNS, domain controllers and network policy servers. It also administers the Windows internal database and provides role based access control (RBAC). All the heavy lifting is done on the server side. The client software supplies the interface to interact with the IPAM server; it relies on Windows PowerShell and Windows Remote Management to perform DHCP configuration and DNS monitoring. It is possible to install the IPAM client separately.
The IPAM server runs four major modules to provide most of its functionality:
* IPAM discovery. This module uses active directory domain services (AD DS) to discover and enumerate Windows Server 2008 with SP2 or later servers running DNS, DHCP or AD DS. You can manually add or delete servers and define a custom scope within a domain or forest.
* IP address space management. The IPAM address space management (ASM) is used to view, monitor, and manage dynamic, static, public, and private IP addresses. It allows tracking IP addresses and displaying utilization trends, thus making it possible to have more accurate forecast, planning, accountability, and control of the IP address space. By using IPAM, it’s easier to detect overlapping IP address ranges across multiple DHCP servers, identify free IP addresses within a range, and perform routine tasks like creating DHCP reservations and DNS records.
* Multi-server management and monitoring. IPAM tracks the service status of the DNS and DHCP servers on the network. By aggregating multiple DHCP servers the multi-server management (MSM) module enables an administrator to perform editing and configuration of important properties on multiple DHCP servers and scopes. It also facilitates surveillance and tracking of DHCP service status and utilization of DHCP scopes. IPAM allows monitoring the condition of a DNS zone on multiple DNS servers by exposing the collected status of a zone across all authoritative DNS servers.
* Operational auditing and IP address tracking. Configuration problems can be avoided or minimized by
using theIPAM auditing tools. Administrators can gather, oversee and display details of configuration changes on DHCP servers that fall within an IPAM scope. IPAM can extract IP address lease tracking information from the DHCP servers lease logs as well as logon and logoff related events from domain controllers and network policy servers.
* The IPAM feature cannot be enabled on a domain controller.
* Windows Server 2012 IPAM supports only Windows internal database. Support for SQL databases has been added to Windows Server 2012 R2.
* IP address utilization trends are available only for IPv4 (No option for IPv6).
* IP address reclamation support is available only for IPv4 (No option for IPv6).
* IPAM does not support auditing of IPv6 address.
* IPAM cannot be configured to check for IP address consistency on network routers and switches.
* IPAM does not allow the configuration of a database purge policy. Data must be purged manually.
* IPAM does not support non-Microsoft network devices, operating systems, or services.
* An IPAM server can only operate within one active directory forest.
* IPAM servers do not share database information or interchange configuration information with one another.
IPAM implementation guidelines and requirements
* The IPAM feature must be enabled on a Windows Server 2012 computer that is a member of a domain.
* IPv6 must be enabled in order to manage IPv6 addresses.
* A domain account with proper privileges is needed to administer an IPAM Server.
* The enterprise and domain administrator accounts have unrestricted access to IPAM administration.
* When IPAM is enabled, several domain local IPAM security groups are created on the IPAM server.
* The IPAM security groups are configured with the required permissions to access or manage different IPAM functionalities. These groups may be used to delegate tasks and responsibilities to other users.
* Microsoft recommends IPAM to be a single purpose server. It discourages the installation of other roles such as DNS or DHCP on the IPAM server.
To demonstrate the installation and configuration, I have three main Windows 2012 Servers: DC-DNS1 is a domain controller with the DNS server role installed. DHCP1 is the DHCP server in the network, and a server conveniently named IPAM-Server that will be running the IPAM Server and client components. DHCP1 and the IPAM-Server are members of the lanztek.com domain. We will review four main phases of the IPAM installation and configuration process.
Phase 1 – Installing the IPAM feature
- On IPAM-Server, in the Server Manager Dashboard, click Add roles and features.
- In the Add Roles and Features Wizard, click Next.
- On the Select installation type page, click Next.
- On the Select destination server page, click Next.
- On the Select server roles page, click Next.
- On the Select features page, select the IP Address Management (IPAM) Server check box.
- In the Add features that are required for IP Address Management (IPAM) Server popup, click Add Features, and then click Next.
- On the Confirm installation selections page, click Install.
- That completes the IPAM feature installation.
Phase 2 – Configure IPAM–related GPOs
Now that we have the IPAM feature installed on this server, our next step is to configure the IPAM related Group Policy Objects (GPO) that are necessary to work with the managed servers on the network.
- On the IPAM-Server, in the Server Manager Navigation pane, click IPAM.
- In the IPAM Overview pane, click Connect to IPAM server, Connected to
IPAM-SERVER.LANZTEK.COM, and then click OK.
- Click Provision the IPAM server, and then click Next
- On the Select provisioning method page, ensure that the Group Policy Based method is selected, in the GPO name prefix box, type IPAM, and then click Next.
- On the Confirm the Settings page, click Apply and wait until provisioning is completed.
Phase 3 – Configure IP management server discovery
Once provisioning is successfully completed, we move to configure and activate server discovery to allow IPAM to find the DNS and DHCP servers that we want to centrally manage.
- On the IPAM Overview pane, click Configure server discovery.
- In the Configure Server Discovery settings dialog box, click Add, and then click OK.
- In the IPAM Overview pane, click Start server discovery.
- The discovery may take several minutes, the yellow bar indicates when it is done.
Phase 4 – Configure managed servers
Now we are ready to work with DNS and DHCP servers discovered by IPAM on the execution of phase 3.
- In the IPAM Overview pane, click Select or add servers to manage and verify IPAM access.
- Notice that the IPAM Access Status is blocked. At this point the IPAM server has not yet been granted permission to manage these servers via Group Policy.
- On the taskbar, right-click the Windows PowerShell icon, right-click Windows PowerShell, and then click Run as Administrator.
- At the Windows PowerShell prompt, run the following command. Type Y, when you are prompted to confirm the action.
- Once the command is complete, we can go back to Server Manager and in the details pane, right-click DC-DNS1, and then click Edit Server. In the Add or Edit Server dialog box, set the Manageability status to Managed, and then click OK.
- Switch to DC-DNS1, on the taskbar, click the Windows PowerShell icon, and at a Windows PowerShell prompt, type Gpupdate /force, and then press Enter.
- Switch back to the IPAM-Server. In Server Manager, in the IPAM console, right-click DC-DNS1, and then click Refresh Server Access Status.
- Repeat steps 5 and 6 to unblock the DHCP1 server.
- In the IPAM Overview pane, click Retrieve data from managed servers. This task may take several minutes to finish.
Phases 1 through 4 are necessary to install and configure IPAM to operate in our domain environment. After IPAM successfully retrieves the data from the managed servers we can use the IPAM centralized console to manage our DHCP and DNS servers. Below is an example of how to configure a DHCP scope from IPAM.
Configure and verify a new DHCP scope with IPAM
- On the IPAM-Server, in the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP Servers.
- In the details pane, right-click the instance of DHCP1.lanztek.com that contains the DHCP server role, and then click Create DHCP Scope.
- In the Create DHCP Scope dialog box, complete the Scope configuration as shown below.
- On the IPAM-Server, in the IPAM navigation pane, under MONITOR AND MANAGE, click DNS and DHCP Servers. Right-click DHCP1 and select Launch MMC.
- Notice that the scope has been created.
Many other DHCP and DNS related tasks can be executed from the IPAM server. IPAM relies on the task scheduler to periodically gather information from DNS, DHCP, domain controllers and network policy servers. An administrator can also retrieve data at any time from these servers by exercising the Retrieve All Server Data option. It is important to note that IPAM is an agentless technology that does not install any special software on other computers. Instead, it uses Windows Remote Management to communicate, manage, monitor and collect data from the managed servers.
In this article we explored the IPAM implementation on Windows Server 2012, including its main components, requirements, benefits and limitations. The installation and configuration was covered through four key phases that comprised of installing IPAM, configuring IPAM-related GPOs, configuring IP management server discovery and configuring managed server. IPAM is a very valuable feature in large networks where it can be used to reduce the complexity of managing multiple DNS and DHCP servers across the enterprise.
This article was originally published by Intense School.