Sei sulla pagina 1di 97

Understand and Troubleshoot IP Address

Management (IPAM) in Windows Server "8" Beta


Microsoft Corporation
Published: February 2012

Abstract
This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality,
and troubleshooting methods for IP Address Management (IPAM) in Windows Server 8 Beta. This UTG
provides you with:

A technical overview and functional description of this feature.

Technical concepts to help you successfully install, configure, and manage this feature.

User Interface options and settings for configuration and management.

Relevant architecture of this feature, with dependencies, and technical implementation.

Primary troubleshooting tools and methods for this feature.

Copyright information
This document is provided as-is. Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or
connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product.
You may copy and use this document for your internal, reference purposes.
2012 Microsoft. All rights reserved.
Active Directory, Hyper-V, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows
Server, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Table of Contents
Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM ............................................. 1
About The Understanding and Troubleshooting Guide ........................................................................................1
Introducing IPAM.......................................................................................................................................................1
What Is IPAM? .......................................................................................................................................................1
Purpose/Benefits ...................................................................................................................................................2
Functional Overview..............................................................................................................................................3
Technical Overview .............................................................................................................................................23
Installing and Provisioning IPAM .............................................................................................................................30
Deployment Considerations ................................................................................................................................30
Installation Process IPAM Server ......................................................................................................................31
Installation Process IPAM Client .......................................................................................................................35
IPAM Provisioning ...............................................................................................................................................36
Configuring and Managing IPAM .............................................................................................................................43
IPAM Initial Setup ................................................................................................................................................43
Address Space Management ...............................................................................................................................51
Troubleshooting IPAM .............................................................................................................................................81
Troubleshooting tools .........................................................................................................................................81
Common IPAM problems ....................................................................................................................................81
Appendix..................................................................................................................................................................82
Manual IPAM Provisioning Configuring Access Settings ..................................................................................82
GPO Based IPAM Provisioning GPO Setting Details..........................................................................................90

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Windows Server "8" Beta Understanding and


Troubleshooting Guide: IPAM
About The Understanding and Troubleshooting Guide
Understanding and Troubleshooting Guides enable you to learn about technical concepts,
functionality, and general troubleshooting methods for new Windows features and
enhancements. The Understanding and Troubleshooting Guide supports you in developing
understanding of key technical concepts, architecture, functionality, and troubleshooting
tools and techniques. This understanding will enable more successful testing and early
adoption experiences during the pre-release product evaluation phase, and will support early
ramp-up of help desk and technical support roles.

Introducing IPAM
Internet Protocol (IP) Address Management, which is a critical part of network
administration, has become increasingly challenging, as networks grow more dynamic and
complex. The need for centralized administration of addresses is increasing dramatically over
time as mobile computing, virtualization, and IP devices continue to consume more IP
addresses. The need for management tools has also increased with deployment and adoption
of new Internet Protocol version 6 (IPv6) networks, which have much larger address pools,
and a more complex 128-bit hexadecimal notation as compared with 32-bit dotted decimal
Internet Protocol version 4 (IPv4) addresses. The length and complexity of IPv6 addresses
makes continued tracking of them in a spreadsheet impractical.
Currently, third party vendors offer various software-based or appliance-bundled
management solution options in this space. However, the upfront overhead of procurement,
deployment and integration of such solutions remains a deterrent in their adoption. Most IT
administrators still typically track IP address allocation and utilization manually, using
spreadsheets or custom database applications. This can be very time consuming and resource
intensive, and is inherently prone to user error. Windows Server "8" Beta introduces a new
feature to meet the IP addressing and naming infrastructure management needs of network
and server administrators.

What Is IPAM?
Internet Protocol Address Management (IPAM) is a framework for discovering, utilization
monitoring, auditing, and managing the Internet Protocol (IP) address space in a network.
IPAM encompasses the administration and monitoring of Dynamic Host Configuration
Protocol (DHCP) and monitoring of Domain Name Service (DNS), which are the services that
assign and resolve IP addresses to devices in a TCP/IP network. IPAM in Windows Server "8"
Beta provides components for planning and allocating IP address space, static IP inventory
management, audit of configuration changes, monitoring and management of Microsoft DHCP

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

servers, monitoring of Microsoft DNS servers and DNS zones, and IP address usage tracking
and customized visualization.

Purpose/Benefits
The Windows Server "8" Beta IPAM feature provides a unified framework meet the following
administrative requirements of addressing and naming infrastructure for network and server
administration from a central console. IPAM provides the following benefits:

IPv4 and IPv6 address space planning and allocation

IP address space utilization statistics and trend monitoring

Static IP inventory management, lifetime management and DHCP and DNS record creation
and deletion

Flexible support for import of address space from spreadsheets and management tools

Periodic update support of address space from systems such as System Center Virtual
Machine Manager (SCVMM) and third party DHCP servers

Multi entity management and monitoring of DHCP services and DHCP scopes

Configuration change event auditing for DHCP and IPAM services

Service and zone monitoring of DNS services

IP address lease and logon event tracking

Automatic server role discovery, through Active Directory integration

Automatic server configuration data collection and dynamic address space discovery

Granular distribution of data collection tasks with configurable periodicity

Agentless management of roles with Group Policy Object (GPO) based automated
deployment

Extensive support for user-defined and built-in custom fields or tags

Organizing and visualizing of data into user-defined hierarchical logical groups

Advanced search and filter support

Reporting support through UI view and Windows PowerShell export functionality

Role based access control

Remote administration support through Server Manager RSAT from both Windows Server
"8" Beta and Windows 8 Consumer Preview client builds

Support for concurrent client sessions

Built-in relational database support leveraging Windows Internal Database (WID)

Support for backup, restore, and migration scenarios

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Functional Overview
Prerequisites
Windows Server "8" Beta IPAM is an integrated suite of IP addressing and naming solutions
aimed at helping network and system administrators to manage IP infrastructures across the
enterprise. IPAM scope selection across the managed server nodes is limited to a single
Active Directory (AD) forest, with appropriate trust relationship between the domains.
The IPAM server must be domain joined, and is reliant on a prerequisite functional network
infrastructure environment, including IPv4 and IPv6 network connectivity, in order to
integrate with existing DHCP, DNS, DC, and NPS installations across the AD forest.
Install the IPAM feature on an Active Directory domain member server intended as a singlepurpose server, and do not attempt to collocate other network infrastructure roles such as
DNS or DHCP on the same server. IPAM installation and provisioning is not supported on a
domain controller.
IPAM users must be logged in using a domain account with appropriate privileges.
The following are requirements for successful IPAM deployment.

Ensure that the IPAM server is domain-joined.

Ensure that you have network connectivity. Enabling both IPv4 and IPv6 is
recommended. Discovering IPv6 address space and infrastructure will not be supported
unless IPv6 connectivity is enabled.

Ensure that you log on to the IPAM server using a domain account. Do not log on to the
IPAM server using the local Administrator or a local user account.

Ensure that you are a member of appropriate IPAM local security group (See the IPAM
Local Security Groups section of this guide) or if you are running as a member of the local
Administrators group then you must run elevated.

If you are accessing the IPAM server remotely using Server Manager IPAM client RSAT,
then you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in
addition to being a member of the appropriate IPAM security group (or local
Administrators group).

Configure network settings on the IPAM server so that it has access to at least one
authoritative domain controller for server discovery. Ensure that you have network
connectivity to all the server roles (DHCP, DNS, DC and NPS) that you intend to manage
through this IPAM instance.

For best performance, do not install any other server roles on the IPAM server.

IPAM installation and provisioning on a DC is not supported

IPAM installation on a DHCP server is not recommended. The IPAM server discovery
feature will not be able to discover DHCP roles if IPAM is running on a DHCP server.

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Ensure that logging of account logon events is enabled on DC and NPS servers for the IP
Address Tracking feature of IPAM

Recommended server system requirements are as follows:


o

CPU - Dual Core Processor, 2.0 GHz or higher speed

OS Windows Server "8" Beta

RAM 4 GB or more

Hard Drive 80 GB or more

Ensure that network firewall ports and access settings are provisioned to enable IPAMs
access to workloads (DC, DNS, DHCP and NPS) across the managed roles in the AD forest.
For more information on IPAM provisioning and provisioning methods refer to the
Deployment Considerations section of this guide.

If using Group Policy based provisioning, ensure that the users marking servers as
managed/unmanaged in IPAM server inventory console either have domain administrator
privileges or have delegated rights to edit GPO security filter lists. For more information on
GPO delegation, refer to the Group Policy Based Provisioning section of this guide.

Ensure that data replication to all AD global catalog servers is functioning properly at
regular intervals. Stale global catalog data can cause problems with discovery of servers.

Functional Description
Windows Server "8" Beta IPAM consists of five primary modules, which provide the
management functionality. These modules include the following:

Server inventory management

IP address space management

Management and Monitoring of DHCP and DNS

Event Catalog

IP address tracking

Server Inventory Management


IPAM leverages Active Directory deployment to define the scope of the IP infrastructure
elements to be centrally managed via the IPAM console. IPAM auto-discovers the configured
server roles from the configured domains and allows you to centrally manage and configure
the servers. Discovery of DHCP prepares the environment to perform management and
utilization tracking of dynamic address space, multi-entity management for DHCP servers
and scopes, service monitoring of DHCP servers, audit of configuration changes to DHCP
servers and IP address usage tracking by collecting lease events from DHCP. Discovery of DNS
roles enables DNS zone monitoring and DNS service monitoring. Discovery of DC and NPS
servers is done to support the auditing of IP address usage with associated user logon events.

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

The server discovery component in Windows Server "8" Beta IPAM leverages your Active
Directory (AD) deployment to discover network infrastructure servers. IPAM facilitates
configuring the scope of server discovery by allowing you to select domains in the AD forest
through its Configure Server Discovery dialog. Discovery allows you to enumerate Microsoft
Windows DNS, DHCP and DC server role types that are available in either the entire AD forest
or a specified subset of domains within the forest. You can also manually add or delete
specific servers (Microsoft Windows DNS, DHCP, DC and NPS servers) to define a custom
scope of administrative control.
The IPAM server discovery and inventory feature also allows you to track granular IPAM
access status on servers. IPAM server inventory management also plays an important role in
managing the security filter list of IPAM GPOs, which are updated according to the
manageability status of the infrastructure servers in server inventory. The GPO updating
functionality is valid only if the Group Policy Based provisioning method has been selected
for IPAM. IPAM also tracks the status of data retrieval on managed servers.
IPAM can be used to discover and manage servers running Windows Server 2008 and above.
Note:

An overview of the IPAM server inventory functions is provided below:

Configure scope of Server Discovery by selecting domains and server roles within each
domain to be discovered within Active Directory forest.

IPAM uses the following rules during server discovery on configured domains for selected
roles:
o

All domain controllers registered for the configured domains are discovered

All DNS servers registered as name servers for the domain zone and DNS suffixes
registered for the configured domains are discovered

All DHCP servers authorized for the configured domains that respond to the DHCP
server INFORM message are discovered. This feature allows IPAM to intelligently
discard any inactive DHCP servers that are listed as authorized in AD.

Add-Remove-Edit servers (and server roles) manually outside of the auto-discovery


process

Automated discovery of infrastructure servers and their configuration such as server roles,
OS version, IPv4 and IPv6 interface address, domain name, DNS suffix, GUID, active roles

Periodic and on-demand refresh of server information across configured scope of


discovery

Disjointed name space support. Separate fields showing the servers DNS suffix and domain
name are maintained by IPAM.

Classify server manageability status as:

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Managed IPAM periodic tasks will collect data from the active (checked) roles on
these servers. Inactive (unchecked) roles on these servers are ignored.

Unmanaged - IPAM periodic tasks will not collect data from these servers. IPAM
deletes all existing information pertaining to these servers from its database.

Unspecified - IPAM periodic tasks will not collect data from these servers. However,
IPAM retains all existing information pertaining to these servers in its database. Set
a server status as Unspecified in scenarios where the server is offline temporarily,
during temporary maintenance cycles for example.

Granular control to configure individual server roles as active or inactive on a server

Automatic organization of server inventory view into hierarchical view based on interface
address and manageability status of the server:
o

Level 1 IPv4 and IPv6 (based on interface address)

Level 2 - Managed and Unmanaged

Level 3 IP Subnet (/16 for IPv4 and /48 for IPv6 based on primary interface
address)

Edit owner and description for servers, and add user-defined or built-in custom fields/tags
to servers

Built-in tracking of server data retrieval status such as In progress, Complete, Not started

Automatic IPAM access status tracking on servers. IPAM collects granular access status
from the servers listed in the server inventory as Allowed or Blocked. IPAM rolls up these
sub-statuses into overall IPAM access status. The recommended action field indicates the
required action for managed, unmanaged, unspecified servers as appropriate.

Integrated group policy provisioning mode support with automatic synchronization of the
IPAM GPO security filter list with the server inventory configuration. IPAM expects the user
to have appropriate GPO edit privileges while performing these operations for the
automatic GPO synchronization to be successful.

Note:

Note:

Auto-discovery of the NPS server role is not supported. These servers can be added using the
Add Server functionality
Removing a configured domain from Server Discovery scope does not automatically delete
the servers that are already discovered from that domain. If required, the corresponding
servers belonging to this domain can be manually deleted from the server inventory view.

IP Address Space Management


IP address space management provides administrators with the ability to manage, track,
audit, and report on the IPv4 and IPv6 address space of the enterprise or datacenter. A
primary consumer of public Internet-routable IPv4 addresses is cloud-based hosted service

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

providers. These public IPv4 addresses are allocated and assigned by Regional Internet
Registries (RIR) in response to requests from the organization, and are in critically short
supply. Monitoring the utilization and trends for these RIR blocks is of prime importance.
Hosted service providers need to associate specific IP address subnets or blocks of addresses
to specific customers, development communities, or business divisions by customized logical
grouping.
Enterprises with public-facing datacenter entry points need to manage multiple statically
assigned public IP addresses and subnets. Administrators of these networks require
utilization data to perform actions around address space management. These actions include
finding free IP addresses, tracking address state, tracking the address lifetime, synchronizing
DNS and DHCP records/reservations, balancing the address usage for optimal utilization of
the available subnets, preparing the subnets for new or changing network requirements, and
reclaiming addresses previously assigned but no longer deployed in the production
environment.
The IP address space console of IPAM provides administrators with IP address utilization
statistics and historical trend data to make informed planning decisions for dynamic, static
and virtual address spaces. IPAM periodic tasks automatically discover the dynamic address
space and utilization data as configured on the DHCP servers managed in IPAM. Leverage the
powerful import functionality of IPAM IP address space management to bring static and
virtual address spaces under IPAM central management.
The IPAM Address Space Management (ASM) console provides the ability to efficiently
monitor various dimensions of the managed IP address space, including method of
assignment (static or dynamic), address scope (public or private), and IP version (IPv4 or
IPv6). Using IPAM ASM, you can track IP address utilization, receive threshold-crossing status
from the console and events, or zoom in and out to display utilization trends. The IPAM ASM
tools address the end-to-end IP lifecycle management problem for the static IP address space
in a growing distributed environment by ensuring better planning, accountability, and
control. It further facilitates centralized management and monitoring of address space using
periodic import and update functionality to bring in virtual address spaces managed through
systems like System Center Virtual Machine Manager (SCVMM) or any third party DHCP
servers and virtual machine (VM) managers.
For efficient network resource planning, administrators need to be able to visualize IP
address attributes in logical groupings. The utilization monitoring views in IPAM allow you to
view the enterprise address space in more meaningful logical correlation based on specific
needs. Some examples of logical group views are delineation by divisions of the organization,
geographical regions, Regional Internet Registries, offices located across geographical
regions, and categories assigned to customers based on business profiles. Grouping of
addresses by attributes provides meaningful perspective to utilization monitoring.

Address Space Entities


The various entities recognized by IPAM address space function are defined below:

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

IP addresses: are the leaf level entity under IP address ranges. IPAM enables end-toend life cycle management of IPv4 and IPv6 addresses, including record synchronization
with DHCP and DNS servers. IPAM automatically maps an address to the appropriate
range based on the start and end address of the range. An IP address is uniquely
identifiable by the value of mandatory Managed By Service and Service Instance
fields, that help IPAM to manage and maintain duplicate IP addresses from the same
console. These two fields are also used (and should identically match) while mapping
the IP address to the IP address range.

IP address ranges: are the next hierarchical level of IP address space entities after IP
address blocks. An IP range is conceptually an IP subnet marked by a start and end IP
address, and is typically a DHCP scope or a static IPv4 or IPv6 address range or address
pool used to assign addresses to hosts. IPAM enables you to centralize address ranges
that may span across many heterogeneous systems, such as across multiple DHCP
servers, VM managers, or legacy spreadsheets using IPAM import functionality through
UI or Windows PowerShell. An IP address range is uniquely identifiable by the value of
the mandatory Managed By Service and Service Instance fields, which help IPAM to
manage and maintain overlapping or duplicate IP address ranges from the same
console. Only one of multiple overlapping IP address ranges get mapped to the IP
address block. IPAM allows you to map any unmapped overlapping range to the
corresponding IP address block using the Map to Block action. The currently mapped
range will be unmapped because of this action.

IP address blocks: are the highest-level entities of IP address space organization. An IP


block is conceptually an IP subnet marked by a start and end IP address, and is typically
assigned by various Regional Internet Registries (RIRs) to an organization. Network
administrators maintain the IP address block to carve out and allocate IP address
ranges to address allocation systems like DHCP. IPAM automatically arranges IPv4
address blocks into public and private address space and IPv6 addresses into unicast
global addresses. IP address blocks can be added, imported, edited, and deleted. If the
start and end IP address of a block lies within the start and end IP address of another
block, it is automatically arranged as a nested sub-block. IPAM automatically maps IP
address ranges to the appropriate IP address block based on the boundaries of the
range. This enables a hierarchically organized view of the IP address ranges and a multilevel hierarchy of IP address blocks. IPAM rolls up utilization statistics and trends at the
IP address block or IP address sub-block level based on the ranges that are contained in
the block.

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 1 IP Address, Block, and Range Entities

Custom Fields and Logical Groups


IPAM supports user defined extensible metadata that can be associated to IP address ranges,
IP addresses, and servers. You can create metadata with multiple value types such as
Country/Region or single value types, such as Building. IPAM supports multiple built-in
custom fields with built-in values, which you can further enhance to add new user-defined
values. Similarly, you can add new user-defined custom fields that can either be free-format
or enumerations (multi-value fields). User-defined, multi-value custom fields allow you to
defined associated value tags against them.
While you can delete or edit user-defined custom fields and values, you cannot edit or delete
built-in custom fields and values. You cannot delete any particular custom field or value while
it is assigned to any entity within the IPAM database.
IPAM allows you to define the logical grouping of entities, and visualize utilization of address
space based on these groups. Custom field and value tagging is supported for the following
entities in IPAM:

IP Address

IP Address Range

Server

You can use custom field tagging for multi-valued custom fields for defining logical groups.
Logical groups enable you to visualize IP address ranges in a real-life business perspective
rather than a conventional hierarchy of IP subnets. You can customize these logical groups
and they can be hierarchical. Logical groups are defined by selecting the grouping criteria
from built-in or user-defined custom fields. IPAM supports multi-level hierarchy when
defining a logical group for IP address ranges. Similar custom logical groups can be created to
group IP addresses and managed servers. Entities that do not map to the first level criteria
defined for the logical group are displayed under the unmapped space in the group.
IPAM also rolls up utilization statistics and trends at the logical group level for IP address
ranges. Logical groups defined for IP address ranges are known as IP range groups. IPAM
supports simultaneous creation of multiple IP range groups based on different criteria. By

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

default, IPAM creates the built-in IP range group called Managed By, which groups IP
address range by the two-tier hierarchy of Managed by Service field followed by Service
Instance field. Built-in logical groups cannot be deleted, but the grouping criteria can be
edited.
IPAM supports only one logical group for IP addresses known as IP address inventory, which
is created by default. This built-in IP address logical group groups IP addresses by a single
hierarchy of device type field. Built-in logical groups cannot be deleted, but the grouping
criteria can be edited.

Utilization Monitoring

Utilization data maintained for IP address ranges, IP address blocks and IP range groups
within IPAM

User-configurable thresholds for percentage utilized field, used to mark entities as overutilized (above the configured threshold), under-utilized (below the configured threshold)
and optimally utilized (between over and under the utilization thresholds).

Visualization of utilization state of IP address range, IP address block and IP range group
from the console:
Over - Percentage utilized falls above configured over-utilized threshold

Under - Percentage utilized falls below configured under-utilized threshold

Optimal - Percentage utilized falls within configured over-utilized and underutilized threshold

Utilization threshold crossing events are logged by IPAM whenever an IP address range
changes its utilization state.

Utilization trend building and reporting for IPv4 address ranges, IPv4 address blocks and
IPv4 range groups.

Capability to zoom in and out of utilization trend window. While you may select from
standard trend periods of 1 day, 7 days, 1 month, 3 months, 6 months, 1 year, 2 years and 5
years, Custom start and end date configuration for viewing the utilization trend is also
supported.

Auto-discovery of dynamic IP address ranges and utilization data from DHCP scopes
configured on the managed Microsoft DHCP servers.

The utilization calculation for utilized addresses be set to

10

Automatic Auto-calculation based on the IP addresses within IPAM database that


map to the IP range

User defined Configured by the user agnostic of the IP addresses that map/donot-map to the IP range.

Utilization statistics for an IP address range is available as following counters:

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Assigned addresses The number of addresses between start IP address and end IP
Address of the block

Utilized addresses The summation of assigned addresses counter of IP address


ranges that map to this block

Percentage utilized Utilized addresses as a percentage of assigned addresses

Two additional utilization counters are supported for dynamic IPv6 address ranges
discovered from Microsoft DHCP servers. Together these counters add up to the total
number of utilized addresses for this range:
o

DHCP stateless addresses Number of stateless address leases serviced by the


Microsoft DHCP range

DHCP stateful addresses Number of stateful address leases serviced by the


Microsoft DHCP range

Utilization trend for an IPv4 address range is plotted for following line graphs:
o

Percentage assigned (always 100%)

Percentage utilized

Utilization statistics for an IP address block is available as following counters:


o

Total addresses The number of addresses between start IP address and end IP
address of the block

Assigned addresses The summation of assigned addresses counters of IP address


ranges that map to this block

Utilized addresses The summation of Utilized addresses counters of IP address


ranges that map to this block

Percentage assigned Assigned addresses as a percentage of total addresses

Percentage utilized Utilized addresses as a percentage of total addresses

Utilization trend for an IPv4 address block is plotted for following line graphs:
o

Percentage total (always 100%)

Percentage assigned

Percentage utilized

Utilization statistics for an IP range group is available as following counters:


o

Assigned addresses The summation of assigned addresses counters of IP address


ranges that map to this group

Utilized addresses The summation of utilized addresses counters of IP address


ranges that map to this group

Percentage utilized Utilized addresses as a percentage of assigned addresses

11

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Utilization trend for an IPv4 range group is plotted for following line graphs:
o

Percentage assigned (always 100%)

Percentage utilized

IP address management features

Multiple consoles/views for organizing and visualizing address space to facilitate address
space monitoring, reporting and utilization data roll up.

Auto-discovery of DHCP scopes and scope utilization information. Auto-discovered DHCP


scopes appear as IP address ranges with Managed by Service set as MS DHCP and Service
Instance set as the name of DHCP server

Support for identifying and managing overlapping address spaces from a single console.
Overlaps and duplicates are identified and displayed in the UI

IPAM allows you to uniquely identify IP address ranges and IP addresses using the
Managed By Service and Service Instance fields that augment the key fields for these
entities. For example, all ranges discovered from managed DHCP servers are marked to be
Managed By Service set as MS DHCP and Service Instance set as the name of the DHCP
server.
o

Plan and allocate address space by carving out multi-level hierarchy of IP address blocks.
Visualize rolled up utilization trends and statistics for IP address blocks

Arrange address space into multi-level hierarchy of real-world custom group view.
Visualize rolled up utilization trends and statistics for group nodes.

Customizable inventory view for IP addresses

Support for detecting and visualizing stateless IPv6 address utilization information

Add/Edit/Delete IP Addresses, IP address range and IP address blocks

Detect and manage conflicts, overlaps, duplicates in address space across systems. Map
desired overlapping IP address range to the IP address block.

Use intuitive interface for import of address, range and block from spreadsheets and
databases

Find and allocate an available IP Address from a dynamic or static IP address range:
o

12

IP address blocks allow easy Auto discovery of DHCP scope and utilization
information from managed MS DHCP servers and visualizing them as IP address
ranges

For Microsoft DHCP ranges, IPAM queries the corresponding DHCP server in realtime to finding an available IP address. The logged in user must have at least DHCP
Users privileges on the DHCP server to complete this action. If the IP address found
is already reserved/allocated in the IPAM database, IPAM discards it and goes on to
find another available IP address.

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

For any other range, IPAM queries the local IPAM database to find an available IP
address.

Further validation of free IP address using ping expect no reply, and DNS lookup expect
no record found. Anomalies to the expected result are called out so that appropriate action
can be taken to synchronize the IPAM IP address inventory with the DNS records and
servers active on the network.

Allocate the free IP Address and maintain its state as active/inactive/reserved or any other
custom state value. Tag the assignment type of IP address as static/dynamic/VIP/auto.

Configure appropriate assignment date for the IP address

Assign and track IP address lifetime by assigning an expiry date to the IP address. By
default, the expiry date is not set and the address is assumed to be valid indefinitely.

Visualize addresses as not expired, expiry due, expired based on the configured expiry
date for the address and the system-wide configurable threshold for expiry log settings.
The IP address transitions to expiry due state x days before the configured expiry date,
where x is the expiry alert threshold.

Receive alerts on changing the expiry status of address is a configurable setting to receive
expiry alerts periodic or only on state changes.

Manage all DHCP reservations from a central console. Create/delete DHCP reservations for
IP addresses

Manage all DNS records from a central console. Create/delete DNS A/AAAA records for IP
addresses. Create/delete DNS PTR records for IP addresses

Build upon import and update functionality of IPAM to populate the IP Address inventory
view leveraging IPAM Windows PowerShell
o

Periodically import and update the IP address inventory from third party systems
like SCVMM or other virtual address management systems

Periodically import and update the IP address inventory from DHCP reservations
on Microsoft DHCP or third party DHCP servers

Periodically import and update the IP address inventory from DNS records on
Microsoft DHCP or third party DNS servers

Detect duplicate IP addresses. IPAM allows creation and management of duplicate IP


addresses (assuming your internal network has valid scenarios around maintaining
duplicate IPs)

Automatically map IP addresses to the corresponding IP range

Tag basic and custom configuration fields against IP addresses

Reclaim IP addresses from selected IP address ranges using the reclaim wizard

13

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Address Space Data Import


IPAM supports flexible schema for importing IP address, IP address range and IP address
block entries from a comma separated value (csv) file. The field names list in the header of
the csv file should match the IPAM field names corresponding to the entity being imported.
You can add new fields into IPAM using the custom field support. Column names can be
ordered in any way in the csv file.
IPAM supports the following two types of import

Regular import operation for IP addresses, IP address ranges and IP address blocks
new records are added and existing records are edited during this operation. This
Windows PowerShell cmdlet imports IP address range objects from the specified csv
file into the IPAM server. IPAM does not support import of IP address ranges whose
Managed By Service value is MS DHCP since this is reserved for DHCP scopes
automatically discovered by IPAM from the managed Microsoft DHCP servers.

Import and update operation for IP addresses belonging to the specified IP range
Along with adding new addresses and editing existing addresses as in the case of
regular IP address import, this operation deletes those addresses from IPAM which
map to the specified IP address range, but are not present in the csv being imported. A
typical scenario for this operation can be to periodically import and synchronize DHCP
lease or DNS record information from servers into IPAM.

Import and update operation for IP address ranges belonging to the specified Managed
By Service and Service Instance values Along with adding new ranges and editing
existing ranges as in the case of regular IP address range import, this operation deletes
those ranges from IPAM which have the same value of Managed By Service and
Service Instance fields but are not present in the csv being imported. IPAM provides
you the option of deleting the IP addresses mapping to the IP address ranges that are
deleted during this import operation. A typical scenario for this operation can be to
periodically import and synchronize IP pool or DHCP scope information from systems
like SCVMM and third party DHCP servers.

The UI import-export supports localized format while the Windows PowerShell importexport supports fixed English format for the csv field names and values. Interoperability
between both formats is supported. The general rules for Windows PowerShell importexport fixed schema is as follows:
1. Field names will be the same as English localized resource names of the corresponding
entries in IPAM. However, blank spaces in the field name will be omitted to comply with
the Windows PowerShell object header name convention. IP address import in fixed format
is identified by the presence of the mandatory field IPAddress in the csv file. Similarly, IP
address range import in fixed format is identified by the presence of the mandatory field
NetworkId in the csv file. The corresponding field names for localized English schema
import are IPAddress and Network respectively.

14

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

2. Enum value names will be same as English localized resource names of the corresponding
values in IPAM. Enum value in this context refers to built-in custom field values and built-in
enumeration field values such as utilization, expiry status, etc. Fixed format names for
values of built-in custom field Country is not supported and the input-output for this field
will always be localized.
IPAM generates an error csv file with details about records that failed to import along with
the reason for failure. By default, this error file is generated in the Documents folder of the
users profile.

Windows PowerShell support for IP range import


IPAM supports the following Windows PowerShell cmdlets for range import:
Import-NamsRange [-Path] <string> [-AddressFamily] <string> [-ErrorPath
<string>] [-Force]
Import-NamsRange [-Path] <string> [-AddressFamily] <string> [-ManagedByService]
<string> [-ServiceInstance] <string> [-AddManagedByService] [AddServiceInstance] [-DeleteMappedAddresses] [-ErrorPath <string>] [-Force]

The AddressFamily parameter specifies if the csv contains IPv4 or IPv6 records. Only one
address family can be specified at a time with this cmdlet, and the records in the csv should
match the specified AddressFamily. The Path parameter is used to specify the csv file
containing IP address range objects that need to be imported. The Force switch can be used
with the cmdlet to suppress the default confirmation text. The ErrorPath parameter
specifies the literal path (and not name) of the error csv file which will be created if one or
more records fail to import. The file name is generated automatically by IPAM for the error
csv file. The default value of ErrorPath is the Documents folder of the user.
The cmdlet supports two parameter sets. The default invocation of the cmdlet adds new IP
address range objects from the csv into IPAM and edits the existing address ranges with
updated information specified in the csv. The second parameter set can be used to
periodically import and update all IP address range objects that belong to the specified
unique combination of ManagedByService and ServiceInstance parameters. This
parameter set provides the option of deleting the IP addresses mapping to the IP address
ranges that are deleted during import by using the DeleteMappedAddresses switch.
Import and update of IP address ranges for the specified ManagedByService and
ServiceInstance will succeed if these values are present in IPAM at the time of import. The
parameters AddManagedByService and AddServiceInstance can be used to create the
specified ManagedByService and ServiceInstance values within IPAM at run time before
the import operation, if not already present in IPAM.

Management and Monitoring of DHCP and DNS


IPAM enables administrators to monitor hundreds of DNS and DHCP servers spread across
various regions from a centralized console. Administrative tasks are frequently repetitive,
such as altering a scope option setting on multiple DHCP scopes. The ability to execute such

15

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

tasks uniformly across servers reduces both the effort involved as well as the probability of
error. Administrators can use the IPAM multi server management (MSM) view to easily edit
and configure key properties of multiple DHCP servers across the organization,
simultaneously. This functionality does not require installation of additional agents or
software on the target servers.
IPAM uses DHCP and DNS RPC for monitoring and management functionality. The logged in
user must have appropriate administrative privileges on the target server in order to perform
any configuration change on the target server using IPAM UI or by launching the MMC from
IPAM. The data collection and monitoring functions do not require any special privileges on
the target server for the logged in user.

DHCP Server Management


IPAM allows managing multiple DHCP servers from a central console. The following actions
are available for DHCP servers:

Edit DHCP Server Properties - This allows setting a number of server properties of the
DHCP server

Edit DHCP Server Options - Allows addition, deletion or editing of options at the
servers level. Action can be performed on multiple DHCP servers simultaneously to
update multiple options across servers.

Create DHCP scope - Create a scope on a DHCP server, and set numerous scope
properties.

Configure predefined options and values - Create predefined options and set option
values. Select one or more servers and launch the action to configure predefined options
on multiple servers simultaneously

Configure User Class - Multi-select servers and launch the action to configure user
classes on multiple servers simultaneously.

Create and edit new and existing user classes - Multi-select servers and launch the
action to configure user classes on multiple servers simultaneously.

Configure Vendor Class - Multi-select servers and launch the action to configure user
classes on multiple servers simultaneously.

Launch MMC - Launch the MMC for the selected DHCP server

Retrieve server data - Multi-select servers and launch the action to retrieve server
data from the selected set of servers.

DNS Server Management


IPAM allows launching MMC for DNS servers from a central console. The actions that can be
performed on DNS servers are as below:

16

Launch MMC - Launch the MMC for the selected DNS server

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Retrieve server data - Multi-select servers and launch the action to retrieve server
data from the selected set of servers.

Multi-Entity Management
A primary benefit of IPAM functionality is its ability to simultaneously manage multiple DHCP
servers or DHCP scopes spread across one or more DHCP servers. This significantly reduces
the administrative effort needed by eliminating repetitive steps and reducing the possibility
of error during these operations. Some of the advanced multi-edit constructs are explained
below:

Create/Overwrite/Delete User Class on multiple DHCP servers simultaneously

Create/Overwrite/Delete Vendor Class on multiple DHCP servers simultaneously

Add/Edit/Delete Predefined Options and Values on multiple DHCP servers


simultaneously

Edit DHCP server properties like DNS update settings and DNS credentials on multiple
DHCP servers simultaneously

Add/Overwrite/Delete/FindAndReplace multiple DHCP options across multiple DHCP


servers simultaneously

Edit DHCP scope properties such as DNS updates, lease duration, and advanced
properties on multiple DHCP scopes spread across multiple DHCP servers
simultaneously

Add/Overwrite/Delete/FindAndReplace multiple DHCP options on multiple DHCP


scopes spread across multiple DHCP servers simultaneously

Activate/Deactivate multiple DHCP scopes spread across multiple DHCP servers


simultaneously

Server Monitoring
The IPAM monitoring view provides the ability to view from a single console the status and
health of selected sets of Microsoft DNS and DHCP servers. The monitoring view of IPAM
displays the basic health of servers along with recent configuration events that occurred on
these servers. The monitoring view also provides the ability to organize the managed servers
into logical sever groups.

Note:

The custom field tagging can only be done for DHCP servers from the Monitor and Manage
console by invoking the Edit DHCP Server Properties dialog. Both DHCP and DNS servers
can be configured with custom field values from the Server Inventory view using Edit
Server dialog.

Basic configuration settings are displayed in the view and in the preview panes in the server
monitoring view. For DHCP servers, the server view enables tracking of various server
settings, server options, number of scopes, and number of active leases, that are configured
on the server. For DNS servers, the view enables tracking of all zones configured on the

17

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

server along with details of the zone type. The view also allows you to see the total number of
zones configured on the server, as well as overall zone health status as derived from the zone
status of individual zones on the server.
IPAM also facilitates periodic service monitoring of DHCP and DNS service status from a
central console. The service status is appropriately displayed as Running, Stopped, or
Paused for each managed server in the DHCP and DNS Servers view.
If the server role is running and IPAM still shows the availability state as Not Reachable,
ensure that

The service is running on the managed server as expected

There is proper network connectivity to the managed server

Remote service management firewall ports are open

IPAM machine SID (or IPAMUG SID for GPO provisioning) is added to the service ACL

DNS zone monitoring


IPAM enables DNS zone monitoring for DNS forward and reverse lookup zones. The zone
status is derived by IPAM based on zone events.

Forward Lookup node


o

IPAM displays a list of all forward lookup zones that are hosted by managed DNS
servers with their overall status based on status from all the servers hosting that
zone, as well as duration that the zone has been in that state. The zone status for
all servers is shown as OK if the zone is being serviced by each of the
Authoritative servers. The zone status for all servers is shown as Warning, if
one or more authoritative servers is not servicing the zone. The zone status for
all servers of the zone is shown as Error if none of the authoritative servers are
servicing the zone. An authoritative server is considered to be servicing the zone
if the zone status of the zone on that server and the server availability state of
the server are not in red state.

IPAM also displays a list of all authoritative servers for that zone in the preview
pane along with the zone type and zone health status information.

DNS zone node


o

18

IPAM enables automatic hierarchical navigation of forward lookup zones. For


the zone selected on the navigation tree, all DNS servers hosting the zone are
displayed. IPAM displays the zone status on that server and the status duration.
Other details such as zone type, server availability, and IP address are displayed.
IPAM also provides a catalog of all zone events from the server to assist with
troubleshooting.

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

IPv4 Reverse Lookup node - IPAM enables the user to visualize all IPv4 reverse lookup
zones configured on the managed DNS server. A list of all authoritative servers hosting
the selected reverse lookup zone is presented in the preview pane.

IPv6 Reverse Lookup node - IPAM enables the user to visualize all IPv6 reverse lookup
zones configured on the managed DNS server. A list of all authoritative servers hosting
the selected reverse lookup zone is presented in the preview pane.
IPAM does not support reverse lookup zone health monitoring.

Note:

Event Catalog
In a distributed network with multiple DHCP servers, the task of monitoring configuration
changes across the infrastructure can be challenging. Individual servers log configuration
events in their log channel which roll over periodically and are difficult to query and track
centrally.
IPAM event catalog provides a centralized repository to audit all configuration changes
performed on DHCP servers managed from a single IPAM management console. Another
console in event catalog gathers all of the configuration events from the IPAM configuration
event channel.
These configuration event catalogs provide the ability to view, query and generate reports of
the consolidated configuration changes, along with details specific to each record. IPAM audit
tools enable monitoring for any potential misconfiguration of the IP infrastructure by
leveraging network audit logs for tracking and reporting of any administrative actions
required. The advanced query and filtering support from IPAM enables tracking of Service
Level Agreements (SLAs) based on time, administrator identity, server name and additional
detail from a single console.
The IP address management audit specifically provides for:

Periodic and on-demand configuration event data collection from DHCP and IPAM
servers.

Enterprise wide view of all configuration changes on DHCP servers made by


administrators with the following details
o

Event ID

Time of event

DHCP server name (from where the event is collected)

User name (who made the change)

Domain name of the user

Description of the event

19

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

In addition to the event parameters listed above, IPAM provides advanced query
constructs within the event Description field for filtering DHCP configuration events
such as scope id, scope name, option id, option name, and reservation address.

Enterprise wide view of all configuration changes on IPAM servers made by


administrators with the following details
o

Event ID

Time of event

User name (who made the change)

Domain name of the user

Description of the event

Task category (server discovery, address space management, etc.)

Keywords (server, IPv4-range, etc.)

Opcode (add, delete, etc.)

In addition to the event parameters listed above, IPAM provides advanced query
constructs within the event Description field for filtering IPAM configuration events
such as network id, IP address, group name, and custom field name.

Data purge facility for event catalog database tables to clean up disk space (after backup
if intended). You can select the time window before which data must be purged and the
data type (IPAM configuration, DHCP configuration, IP address tracking). It is advisable
to schedule the data purge operation in the night or at the time when IPAM activity is
low.

IP Address Tracking
In certain network forensics scenarios, it is useful to establish a trail of the computers or
devices used by a user within a specific time. In an environment where IP addresses are
dynamically assigned using DHCP, the IP addresses assigned to devices on a network are
temporary and can change over time. IP addresses do not necessarily uniquely identify a
computer or device. A host name assigned to a computer or device can also change, and
cannot be relied upon for unique device or computer identification. Establishing a
comprehensive record or trail of the computers or devices used by a user within a specific
period, complete with IP address, host name, and MAC (Media Access Control)/DUID (DHCP
Unique Identifier) address of a computer or device may be difficult or impossible if based
solely on IP lease events.
A DC or NPS server logs events for user and machine authentication, which also identify the
IP address from which an authentication request was received. An intelligent audit system
that collects and maintains a historical trail of IP address lease events from the DHCP server
and authentication events from DC and NPS servers can help administrators to track and
associate IP addresses with the users and devices in their environment.

20

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

The IP address tracking feature of IPAM enables you to select a search criteria, such as IP
address, client ID (MAC/DUID), host name or user name, and specify a query time interval in
terms of start and end date and time. IPAM intelligently correlates results from the repository
of DHCP leases and DC/NPS logon events based on advanced algorithms to provide the
results. This enables you to search events for a given time frame and obtain results mapping a
user account to particular devices identified by the IP address, MAC address, and/or host
name.
The IP address tracking feature collects the following events to build the search database:

DHCP lease events: new lease, renew lease and lease expiry events from the DHCP audit
log of the managed DHCP servers

Windows security event ID 4768- Kerberos authentication ticket (TGT) was requested
from domain controllers

Windows security event ID 672 - An authentication service (AS) ticket was successfully
issued and validated from NPS servers

The IP address tracking feature enables two query modes over the specified time:

Note:

Exclude co-related logon and lease events - All direct matches to the search criteria
between the specified search start time and end time from the DHCP lease logs collected
in the IPAM database are returned. This mode is supported for all search pivots except
User Name.
Include co-related logon and lease events - All the co-related lease and logon logs
based on intelligent processing are returned along with the direct search matches on
the specified search criteria are returned. This mode is supported for all searches.
The events displayed in the query result are +/- 5 minutes from the search period specified.
This is done to accommodate server time lags or discrepancies between IPAM and
managed servers. The timestamp of events collected from managed DHCP, DC and NPS
servers is stored in UTC in the IPAM database. The timestamp on the events mined as the
result of the search operation is displayed in the context of the time and time zone
configured on the IPAM client.

The advanced co-relation logic used by IPAM is comprised of three main steps briefly
explained below:
Step 1: Finding all DHCP lease events based on direct match
For user name based search, IPAM finds the co-related host names based on logon events and
then uses the host name to determine the valid DHCP lease events to be used for further corelation.
Step 2: Deriving DHCP lease chunks for the specified search interval
Using the various new lease, release, and/or expire lease events determined for the specific
IP address, different distinct lease period start and end values can be ascertained. Such
different lease periods are referred to as lease chunks. Each ascertained lease chunk will

21

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

have an IP address, MAC address and host name associated with it, picked up from the DHCP
lease event logs.
Step 3: Obtain co-related events for each of the derived lease chunks For each of the ascertained lease chunks, a query is then made of the authentication events
collected in the data store to find events that match common elements, which could be one or
more of the IP address, MAC address, or host name within the specified lease chunk. Using
multiple different common elements for the search returns additional correlated information.

Advanced UI features

Group navigation control - Divides the data into major functional areas followed by
entities/views. The lower navigation tree further arranges the entities into appropriate
pivots such as subnets or logical groups.

View switcher on management list To toggle the view between associated entities, for
example Servers and Scopes or Address Range and Blocks.

Customize the default view - Add or remove columns of your choice in the default view
displayed. All built-in and user-defined basic and custom fields are available for selection in
the view.

Group by functionality Select to group the view using the selected criteria

Ordering Order the displayed rows based on any field.

Support for free format query on all fields Start typing any value in the search pane to
return the matching string search results filtered from the displayed rows

Advanced query/filtering support Use multiple criteria to create advanced queries. Select
between advanced comparison constructs for each query criteria. Save the query along
with customized view and reload it later.

Export filtered records into csv reports

Dedicated event catalog monitoring for each address space entity, servers, scopes and zone,
in the preview pane for each row selected

Limitations
The Windows Server "8" Beta IPAM implementation does not provide a global solution for
every possible management scenario. Notable limitations are listed below.

22

Supports only Microsoft DHCP, DNS, DC, and NPS servers running Windows Server 2008
and above

IPAM supports only domain joined DHCP, DNS and NPS servers.

Supports management of DHCP and DNS servers in a single AD forest

Supports only Windows Internal Database, and no external database is supported

IP address utilization trend is provided only for IPv4

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

IP address reclaim support is provided only for IPv4

The IPAM provisioning method cannot be modified after completion of the provisioning
wizard

The only management features supported for DNS are DNS A/AAAA and PTR record
creation and deletion.

Limited support for Windows PowerShell - only a subset of functionality is enabled


through the Windows PowerShell interface.

Advanced DHCP management features such as failover management, Policy Based


Assignment (PBA) management, and backup and restore are not supported. You can launch
the DHCP MMC from within the IPAM console to initiate these operations.

DNS management features beyond creation and deletion of A/AAAA and PTR records are
not supported. You can launch the DNS MMC from within the IPAM console to initiate these
operations.

Automatic DHCP lease enumeration is not supported by the IPAM data collection tasks.

Automatic DNS record enumeration is not supported. You can enable this scenario by
building upon IPAM periodic address import features available from IPAM Windows
PowerShell cmdlets.

Granular delegated administration is not supported by IPAM.

Technical Overview
IPAM Architecture
IPAM is comprised of two main modules, which are available as two Server Manager features:

IPAM Server This feature provides the IPAM backend, which implements periodic data
collection tasks to gather configuration and event information from managed servers. It
also manages the relational database hosted in the Windows Internal Database (WID)
and the Windows Communication Foundation (WCF) server endpoint, which enables
remote management of the IPAM server, provides the IPAM Windows PowerShell
module, and implements role based access control.

IPAM Client This feature includes the IPAM client UI component that interacts with the
IPAM server to perform remote management using the WCF. The IPAM client also
directly invokes the relevant Windows PowerShell interfaces to interact with DHCP
server for configuration tasks, with DNS server for record management, and with group
policy for security filter list synchronization.

The IPAM client UI communicates with the IPAM server to perform remote management. This
is done using the WCF with TCP as the transport. Specifically, the NetTcpBinding is used. See
WCFBinding-MSDN for more detail on the various bindings and their capabilities. The TCP
binding is performed on port 48885 on the IPAM server. This port number falls into the
Registered Ports range of IANA but is not currently assigned. The default port choice is not
23

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

made from the ephemeral port range, as this server-side functionality that the socket is
listening for traffic at all times once the server feature is enabled.
When there is a port conflict or there is a need to reconfigure the server port, the port
number on the server can be configured. Prior to connecting to the IPAM server, the client UI
queries the configured server port by using a Windows PowerShell cmdlet provided by IPAM.
This leverages Windows PowerShell remoting. Windows PowerShell remoting is built on the
WinRM layer, which is enabled by default. IPAM Windows PowerShell cmdlets getipamconfiguration and set-ipamconfiguration can be leveraged to get and set the WCF
communication port respectively.
The figure below illustrates high level IPAM architecture.

Figure 2 IPAM High Level Architecture

IPAM also allows you to specify the group policy objects to manage the DHCP/DNS/NPS/DC
server configuration for use with IPAM during setup. These group policy objects must be
created in advance for each server role (DHCP, DNS, DC/NPS). The security filtering lists for
these group policy objects will be updated when the servers are enabled or disabled for
management through the IPAM console.
The IPAM server communicates with all the managed DHCP servers to get the DHCP scope
utilization for both IPv4 and IPv6 (stateless as well as stateful), server configuration and
scope configuration using DHCP Windows PowerShell commands. The DHCP Windows
PowerShell commands use Microsoft Dynamic Host Configuration Protocol (DHCP) Server
Management Protocol Specification [MS-DHCPM] to communicate with the DHCP server.

24

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

The DHCP address lease information is available in an audit log file on the DHCP server. The
IPAM server retrieves the address audit text file (for both IPv4 as well as IPv6) using the SMB
protocol. This text file is parsed to get the address assignment information. The address audit
text file for IPv6 clients (stateful and stateless) is available only in Windows Server "8" Beta
DHCP servers. The DHCP server generates events for auditing the configuration changes. The
IPAM server reads the configuration changes from the DHCP server event log and EventLog
Remoting Protocol Version 6.0 Specification [MS-EVEN6] is used for reading these events.
The IPAM server also retrieves the service status of the DHCP/DNS servers using the Service
Control Manager Remote Protocol Specification [MS-SCMR] protocol.
The IPAM server communicates with DNS servers to get the server configuration and DNS
zone settings. The DNS Windows PowerShell commands use Domain Name Service (DNS)
Server Management Protocol Specification [MS-DNSP] to communicate with the DNS server.
The IPAM server communicates with DCs to get the logon events. Whenever a user
authenticates with DC, a logon event is generated and the IPAM server collects these events
for audit trail analysis. The remote event collection uses [MS-EVEN6]. In order to discover the
DHCP servers, the IPAM server reads the DHCP server list stored in the DHCPServers group
contained in the NetServices container
(CN=NetServices,CN=Services,CN=Configuration,DC=domain,DC=com) in AD. The IPAM
server reads the DHCPServers group using the LDAP protocol. LDAP is also used to query the
list of domains. This list of domains is used for discovering the DNS servers.
The IPAM server communicates with NPS server to get the authentication events. Whenever
NPS authenticates a user, it generates an authentication event. The IPAM server collects these
events for audit trail analysis. The remote event collection uses [MS-EVEN6].
The following table lists the different interactions between the IPAM system and other
servers.

Managed Role

From IPAM
component

Protocol

Comments

DHCP

IPAM Server

MS-DHCPM/MSEVEN6 /MS-SMB
/MS-SCMR

IPAM server interacts with


DHCP server to perform IP
address utilization, DHCP
server configuration
retrieval, DHCP server
monitoring and IP address
audit trail data.

DHCP

IPAM Client

MS-DHCPM

IPAM Client uses MSDHCPM (used by Windows


PowerShell provider) to
remotely manage the DHCP
servers.

25

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

26

DRAFT V5.0

DHCP address
audit file
(IPv4/IPv6)

IPAM Server

MSSMB

DHCP address lease


information is stored in a
file and IPAM retrieves this
file. This qualifies as a new
file format protocol.

DNS

IPAM Server

MS-DNSP/[MSEVEN6]

IPAM server interacts with


DNS server to perform DNS
server configuration
retrieval, DNS server
monitoring.

DNS

IPAM Client

MS-DNSP

IPAM client uses MS-DNSP


(used by Windows
PowerShell provider) to
remotely manage DNS
servers.

AD

IPAM Server

RFC2251/MSEVEN6

IPAM server interacts with


AD server to perform
discovery of DHCP and DNS
server and IP address audit
trail data.

NPS

IPAM Server

MS-EVEN6

IPAM server interacts with


NPS server to perform IP
address audit trail data.

DC

IPAM Client

MS-GPOL

IPAM client uses the MSGPOL to configure the


administrator specified
group policy object with the
list of servers that are
enabled for management
through IPAM.

DC

IPAM Client

RFC2251/LDAP

Used to retrieve server


information from the
machine object in AD (such
as machine GUID, OS
installed etc.)

IPAM Server

IPAM Client

[MS-PSRP]

Used to query the serverport configuration from the


IPAM server using the
Windows PowerShell
cmdlet for the same.

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

IPAM Local Security Groups


IPAM setup creates appropriate security groups to isolate and restrict the permissions
available to different sets of IPAM administrators and users. The installation process creates
local security groups on the IPAM server, which provide permissions required for
administering and using the multiple services employed by IPAM. For example, IP lease audit
collection could be restricted to a specific set of administrators only. It is possible to display
MSM configuration data to all DHCP Users, while MSM configuration rollout itself may be
restricted to only a relevant subset of administrative accounts.
IPAM installation automatically creates the following local user groups:
Group Name

Description

IPAM Users

Members of this group can view all information in server


inventory, IP address space, and server management consoles
of IPAM. They can view IPAM and DHCP server operational
events, but cannot view IP address tracking information.

IPAM MSM Administrators

Members of this group have all the privileges of IPAM User


group and can perform IPAM common management tasks as
well as server management tasks.

IPAM ASM Administrators

Members of this group have all the privileges of IPAM User


group and can perform IPAM common management tasks as
well as server management tasks.

IPAM IP Audit Administrators

Members of this group have all the privileges of IPAM User


group and can view IP address tracking information.

IPAM Administrators

Members of this group have privileges to view all IPAM


information and perform all IPAM tasks.

Note:

In order to perform the Find Available IP task of IPAM address space management on a
DHCP range, the user must additionally have DHCP Users privileges on the relevant DHCP
server. Only IPAM Administrators can perform the Purge Event Catalog Data task. IPAM IP
Audit Administrators do not have this privilege. IPAM MSM Administrators can edit IP
address range information for MS DHCP ranges in the IP Address Space console.

IPAM Tasks and Service Account


IPAM schedules the following tasks to retrieve data from managed servers:

27

DRAFT V5.0

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

ServerDiscovery - Automatically discovers domain controllers, DHCP servers and DNS


servers in the domains you select.

ServerConfiguration - Collects configuration information from DHCP and DNS servers


for display in IP address space and server management functions.

AddressUtilization - Collects IP address space usage data from DHCP servers for display
of current and historical utilization.

Audit - Collects DHCP and IPAM server operational events. Also collects events from
domain controllers, NPS, and DHCP servers for IP address tracking.

ServerAvailability - Collects service status information from DHCP and DNS servers.

ServiceMonitoring Collects DNS zone status events from DNS servers.

AddressExpiry Tracks IP address expiry state and logs notifications.

All Windows tasks required for IPAM services need to present credentials to the managed
node for authentication before accessing protected data and logs from server roles. For
example, accessing event logs on the managed server nodes requires that the IPAM tasks
authenticate under the context of a member of the Event Log Reader security group on the
target node. All IPAM tasks launch under the Network Service account, which presents the
local computers credentials to remote servers.
During installation, IPAM tasks are added with the following default frequency of execution,
which can be modified from the Task Scheduler from the path Task Scheduler Library ->
Microsoft -> Windows -> IPAM
Task Name

Frequency

For Duration

ServerDiscovery

1 Day

Indefinitely

AddressUtilization

2 Hours

Indefinitely

Audit

1 Day

Indefinitely

ServerConfiguration

6 Hours

Indefinitely

ServerAvailability

15 Minutes

Indefinitely

ServiceMonitoring

30 Minutes

Indefinitely

AddressExpiry

1 Day

Indefinitely

Apart from periodic data gathering IPAM also supports on-demand data refresh from all the
servers in its scope or only from a subset of servers in context of the selected entity for which
data retrieval has been triggered. IPAM further supports on demand data refresh for specific
functional areas such as address space or event catalog. The following on-demand data
retrieval actions are supported by IPAM:

28

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Action Name

Type

Scope

Launch Point

Periodic Tasks Run

Start
Discovery

NonContextual

Across all configured


domains

Manage Menu

ServerDiscovery

Retrieve All
Server Data

NonContextual

All servers (and server


roles) managed by IPAM

Manage Menu
OR Tasks
Menu in Server
Inventory view

All tasks except


Discovery

Refresh
Server Access
Status

Contextual

Selected server(s)

Right click
menu on
(multi)selecting
servers in the
Server
Inventory view

Discovery task for


access status(es)
check

Retrieve All
Server Data

Contextual

Selected server(s)

Right click
menu on
(multi)selecting
managed
servers in the
Server
Inventory view

All tasks except


Discovery

Retrieve
Address Space
Data

NonContextual

All DHCP servers


managed by IPAM

Tasks Menu in
IP Address
Space view

ServerConfiguration,
AddressUtilization,
AddressExpiry, Audit

Retrieve
Address Space
Data

Contextual

(Multi)Selected IPAM
ranges (and associated
DHCP servers)

Right click
menu on
(multi)selecting
ranges in the IP
Address Space
view

ServerConfiguration,
AddressUtilization,
AddressExpiry, Audit

Retrieve
Server Data

NonContextual

All DHCP and DNS


servers managed by
IPAM

Tasks Menu in
Monitor and
Manage view

ServerConfiguration,
ServerAvailability,
ServiceMonitoring,
Audit

Retrieve
Server Data

Contextual

(Multi)Selected servers
(or servers associated
with (multi) selected
scopes or zones)

Right click
menu on
(multi)selecting
servers, scopes
or zones in the
Monitor and
Manage view

ServerConfiguration,
ServerAvailability,
ServiceMonitoring,
Audit

Retrieve Audit
Data

NonContextual

All DHCP, DC and NPS


servers managed by
IPAM

Tasks Menu in
Event Catalog
view

Audit

29

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Installing and Provisioning IPAM


Deployment Considerations
IPAM is an agentless multi-server, multi-service management feature and leverages standard
Windows remote management protocols to manage, monitor and collect data from the
distributed servers in the enterprise. IPAM must be installed on a domain member computer.
IPAM relies on a host of remote management technologies to provide full functionality.
Various IPAM modules need to communicate with multiple network elements throughout the
enterprise for data gathering and configuration management. Depending on the scope of
managed elements, this communication may need to traverse multiple security boundaries or
domains.
Important:

IPAM does not support multi-forest topology. All domains in a single Active Directory forest
can be managed.

IPAM supports the following topologies for deployment in an enterprise:

Distributed: An IPAM server deployed at every site in an enterprise

Centralized: One IPAM server in an enterprise

Hybrid: Central IPAM server deployed alongside dedicated IPAM servers per site

There is no automatic built-in communication or database sharing between different IPAM


servers in the enterprise. If multiple IPAM servers are deployed, you can customize the scope
of discovery for each IPAM server, or filter the list of managed servers.

Note:

If required, you can leverage the IPAM Windows PowerShell based export-import
mechanism to periodically update IPAM range and address information between multiple
IPAM instances running across the enterprise.

You can choose to limit the IPAM scope, depending on the deployment. A single IPAM server
may be implemented to manage IP addressing for the entire enterprise. Alternately, an IPAM
server may be deployed at every geographical site in the enterprise, or in each child domain
in the AD forest. If multiple IPAM servers are used, you can limit the server discovery and
management scope of each to include only infrastructure servers managed by the individual
IPAM installations.
The IPAM server manages and monitors the DHCP and DNS servers within the site or child
domain, and collects the forensics information from DHCP, DC and NPS servers. IPAM
correlates and stores the collected information in the IPAM servers local database using
Windows Internal Database (WID).

30

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 3 IPAM Multi-Site Hybrid Deployment Model

Installation Process IPAM Server


The Windows Server "8" Beta IPAM feature integrates with the Server Manager console for
installation and uninstallation. The Server Manager console eases the task of managing and
securing multiple server roles through the Add Roles and Features Wizard.

Note:

You cannot install the IPAM server feature on an Active Directory domain controller.
Installing IPAM on a physical server with co-located DHCP server role is not
recommended. This negatively impacts the DHCP server discovery function of IPAM.

Installation UI/Wizard
In Server Manager, Dashboard, click Add roles and features.

31

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 4 Server Manager Dashboard

Click through the Add roles and features wizard screens to select Role or Feature Based
Install and the target server. On the Select Features screen, select IP Address Management
(IPAM) Server. Click Add Features when prompted.

Figure 5 Add Roles and Features Wizard IPAM Server Selection

IPAM installation ensures that all IPAM dependencies are also installed at the time of
installation. IPAM Installation is not successful unless all the dependent modules are first
installed. Installation dependencies include the following:
Feature or Tool

Description

Remote Server Administration


Tools

DHCP and DNS Server Tools provides for remotely


managing DHCP and DNS servers.

Windows Internal Database

Windows Internal Database is a relational data store that


can be used only by Windows roles and features.

32

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Feature or Tool

Description

Windows Process Activation


Service

Windows Process Activation Service generalizes the IIS


process model, removing the dependency on HTTP.

Group Policy Management

Group Policy Management is a scriptable Microsoft


Management Console (MMC), providing a single
administrative tool for managing Group Policy.

.NET Framework 4.5 Features

.NET Framework 4.5 provides a programming model for


building and running applications designed for several
different platforms.

IPAM Client (optional)

For managing any local or remote IPAM server.

The IPAM dependency list dialog allows you to select the installation of IPAM client along
with installation of the IPAM server feature using the checkbox Include management tools
(if applicable). By default, IPAM client is pre-selected for installation along with IPAM
server.
After selecting Install in the wizard, installation progress is shown until the feature is
installed successfully.

Figure 6 Installation Progress

33

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Verifying Installation
When the Add Features wizard completes, it will display a message indicating that the
installation succeeded. IPAM server can now be managed using local or remote instance of
IPAM client UI.

Figure 7 Successful Installation Confirmation

Uninstalling/Disabling
The Windows Server "8" Beta IPAM feature integrates with the Server Manager console for
installation and uninstallation. The console eases the task of managing and securing multiple
server roles through the Remove Roles and Features Wizard. The IPAM uninstallation
process ensures that all IPAM dependencies are removed, and that all IPAM local security
groups and scheduled tasks are deleted. Uninstallation also ensures that the IPAM database is
detached from WID and all the database data and schema files are deleted.

34

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 8 Remove Roles and Features Wizard

Installation Process IPAM Client


Although the IPAM client feature is automatically installed on a Windows Server "8" Beta
server, along with installation of the IPAM Server feature, this component can also be
installed or uninstalled on its own. Click through the Add roles and features wizard screens to
select Role or Feature Based Install and the target server. On the Select Features screen,
select Remote Server Administration Tools -> Feature Administration Tools -> IP
Address Management (IPAM) Client. Click Add Features when prompted.

35

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 9 Add Roles and Features Wizard IPAM Client Selection

In order for the IPAM client to connect to an IPAM server, you must ensure that the target
IPAM server is added to the Server Manager purview using the Add Servers wizard launched
from the Manage menu. If both IPAM client and IPAM server are running on the same server,
then by default the IPAM UI connects to the local IPAM server instance.

Note:

A domain user connecting to the IPAM server from a remote IPAM client must be a member
of the WinRMRemoteWMIUsers__ group on the IPAM server, in addition to being a
member of the appropriate IPAM security group. IPAM client is an integrated component
with the Server Manager RSAT. Server Manager RSAT is also available for download and
installation on a Windows 8 Consumer Preview client machine. The IPAM node will appear in
the Server Manager navigation tree by default on the Windows 8 Consumer Preview client
RSAT.

IPAM Provisioning
IPAM installation sets up various periodic data collection tasks to collect relevant data from
managed DNS, DHCP, DC and NPS servers to enable address space management, multi-server
management and monitoring and event catalog scenarios. All IPAM tasks launch under the
Network Service account, which presents the local computers credentials to remote servers.
To accomplish this, administrators must enable read access and security permissions for the
required resources over managed servers for the IPAM servers computer account. Further
the relevant firewall ports need to be configured on these managed servers.

Note:

36

The term IPAM scope in this context and throughout this document refers to the IP network
elements (DHCP/DNS/NPS/DC servers within the forest) which are discovered or added, and
activated for various IPAM services. In other words these are the Managed server roles

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

within IPAM.

IPAM Access Settings


The following table provides a mapping of the IPAM functionality and managed server role
type to access setting and FW rule required by IPAM periodic tasks:
Role Type

Access Setting

FW Rule

Associated IPAM functionality

Membership of DHCP
Users security group

DHCP Server (RPC-In)

DHCP address space, settings


and utilization data collection

Read access in the DHCP


Server service ACL

Remote Service
Management (RPC)

DHCP Server (RPCSS-In)

DHCP Service monitoring

Remote Service
Management (RPCEPMAP)

DHCP

Membership of Event Log


Readers security group

Remote Event Log


Management (RPC)

DHCP configuration event


monitoring

Remote Event Log


Management (RPCEPMAP)

DNS

Creation of Network share


dhcpaudit of the DHCP
audit file location (default
location for logs is
%windir%\system32\dhcp
) and read access on the
same

File and Printer Sharing


(NB-Session-In)

Read access in the domain


wide DNS ACL* (for DC colocated DNS servers)
OR
Membership of local
Administrators group on
DNS server (for DNS
servers not co-located
with DC)

DNS Service RPC

Membership of Event Log


Readers security group

Remote Event Log


Management (RPC)

Read access in the ACL


stored in the DNS
CustomSD registry key

Remote Event Log


Management (RPCEPMAP)

DHCP lease event collection for


IP address tracking

File and Printer Sharing


(SMB-In)

DNS Service RPC


Endpoint Mapper

DNS zone configuration


collection

DNS zone event collection for


DNS zone monitoring

37

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

Role Type

DRAFT V5.0

Access Setting

FW Rule

Associated IPAM functionality

Read access in the DNS


Server service ACL

Remote Service
Management (RPC)

DNS service monitoring

Remote Service
Management (RPCEPMAP)
Membership of Event Log
Readers security group
DC/NPS

IPAM (local
server)

Remote Event Log


Management (RPC)

Logon event collection for IP


address tracking

Remote Event Log


Management (RPCEPMAP)
Membership of Event Log
Readers security group

N/A

IPAM configuration event


monitoring

Note:

For DNS servers co-located with a DC, the RPC read access can be enabled by adding the
IPAM machine account to the domain wide DNS ACL. This setting needs to be propagated
only once for the entire domain and not for every individual DNS server.

Note:

For access to local event logs on the IPAM server to enable the IPAM Configuration Events
cataloguing, the Network Service account is automatically added to the IPAM servers Event
Log Readers group at the time of IPAM installation and provisioning.

IPAM Access Monitoring


IPAM access monitoring tracks the provisioning state of the following statuses on the server
roles, which are displayed in the details pane of the IPAM server inventory view:
Role Type

DHCP

38

Access Setting Tracked by Server


Discovery

Access tracking fields name in


Server Inventory view

Membership of DHCP Users security


group and corresponding remote
management firewall rules enablement

DHCP RPC Access Status

Membership of Event Log Readers


security group and corresponding remote
management firewall rules enablement

Event Log Access Status

Creation and read access of Network


share dhcpaudit of the folder where
DHCP audit files are located and remote
file transfer firewall rules enablement

DHCP Audit Share Access Status

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Role Type

Access Setting Tracked by Server


Discovery

DNS

DC/NPS

Access tracking fields name in


Server Inventory view

Read access in the domain wide DNS ACL


and corresponding remote management
firewall rules enablement

DNS RPC Access Status

Membership of Event Log Readers


security group and corresponding remote
management firewall rules enablement

Event Log Access Status

Membership of Event Log Readers


security group and corresponding
remote management firewall rules
enablement

Event Log Access Status

The following recommended actions are tracked by IPAM server inventory view related to access
settings:
Recommended Action

Scenario
Server manageability status is Managed
and overall IPAM access status is
Allowed

No action required

IPAM access Unblocked

Server manageability status is


Unmanaged and overall IPAM access
status is Blocked

No action required

Server manageability status is


Managed but overall IPAM access
status is Blocked

Refer to sub-access status


listed in the Details pane and
provision the required access
setting

Server manageability status is


Unmanaged but overall IPAM access
status is Allowed

Refer to sub-access status


listed in the Details pane and
un-provision the read access
for IPAM

Server manageability status is


Unspecified

Set server manageability


status to Managed or
Unmanaged

IPAM access Blocked

Unblock IPAM access

Block IPAM access

Set manageability status

Note:

Action Required

The following access sub-statuses are not tracked by IPAM server inventory view in Windows
Server "8"Beta.
-

DNS zone event access

DHCP server service access

DNS server service

39

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Additional Considerations
The IPAM server must collect DHCP lease events and DC/NPS logon events to enable IP
address tracking functionality. This section explains some of the deployment related details
to consider on the target DHCP, DC and NPS servers from which IPAM collects this
information.
DHCP audit file is generated by default in the %windir%\system32\dhcp folder, but the path
can be changed by editing IPv4 and IPv6 properties (Properties -> Advanced -> Audit log file
path setting). For IP addressing to work, the IPv4 and IPv6 audit log file path should both be
set to a common folder location. Ensure that the DHCP audit log file size is appropriately
configured to hold audit events for the entire day on the DHCP server.
Similarly, for DC and NPS servers, enable the required events for logging. The security log
settings determine enabling/disabling of these events. The relevant setting to enable logging
of these events is available under group policy (Computer Configuration -> Windows Settings
-> Security Settings -> Local Policies -> Audit Policy -> Audit Account Logon Events). For a
heavily loaded DC, ensure that the periodicity of IPAM AuditTask is less than the time
window in which the security logs on DC and NPS servers roll over.

Provisioning Methods
IPAM allows users to choose between manual or GPO based configuration of these access
settings on managed servers. Given the fair amount of administrative complexity in
configuring these settings, IPAM recommends using GPO based mechanism to automatically
provision IPAM access settings. Using GPOs for IPAM access provisioning also enables
ongoing automatic maintenance of these settings and adjustments to the changing needs and
alterations made to the IPAM scope.

Group Policy Based Provisioning


IPAM allows automated discovery of the required server roles across domains within the
forest. The IPAM setup process automatically defines and sets required remote management
permissions to enable administrative actions performed by IPAM tasks by applying relevant
pre-staged Group Policy Objects. After the initial configuration is completed, IPAM setup
processes regular updates so that the environment remains current across any incremental
scope changes.
For DHCP and DNS servers, IPAM GPOs are configured using a combination of standard GPO
settings and custom script that is maintained in the SYSVOL share. There were multiple
reasons to use the custom script for propagating some of the settings versus using the
standard GPO settings. These reasons are provided below:

40

To append and not replace any custom setting on the DNS and DHCP service ACL

To append and not replace any custom setting on the DNS event log CustomSD registry
entry

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

To configure the dhcpaudit network share on any non-default location configured on


the DHCP server

To ensure that the read access for the dhcpaudit share is enabled only for IPAM and not
for Everyone

To ensure that any localized string name for the DHCP Users group would be
automatically taken care of while adding the IPAM account

More Information:

For details of GPO settings created by IPAM, refer to the GPO settings detail section
of the Appendix to this guide:
GPO Based IPAM Provisioning - GPO Setting Details

Note:

The IPAM GPO based access provisioning is done by creating a universal group in the
domain and adding the IPAM machine account to this universal group. All the access
propagation by the GPO is done for the group and not for the specific IPAM machine
account.

Creating Group Policy Objects


IPAM provides a Windows PowerShell cmdlet, - Invoke-IpamGpoProvisioning, to automate the
creation of IPAM GPOs.
Invoke-IpamGpoProvisioning [-Domain] <string> [-GpoPrefixName] <string> [IpamServerFqdn <string>] [-User <string[]>][-Group <string[]>] [-PassThru] [Force] [-WhatIf] [-Confirm] [<CommonParameters>]

The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies in the
specified domain for provisioning required access the server roles managed by IPAM.
GpoPrefixName provided here should be the same as the prefix configured in the IPAM
provisioning wizard. The three GPOs are created with the suffix '_DHCP', '_DNS' and '_DC_NPS'
appended to the GpoPrefixName. These suffixes signify the three different types of access
settings that are propagated depending on the type of server role managed by IPAM.
For example, if the group policy name prefix is IPAMGPO, then the cmdlet will create the
following three GPOs in the specified domain.

IPAMGPO_DHCP

IPAMGPO_DNS

IPAMGPO_DC_NPS

The access settings propagated by these GPOs are required by the periodic IPAM data
collection tasks that run under the Network Service account. Access settings are propagated
for the IPAM server machine account, since that is the credential presented by Network
Service to access remote resources. By default, IPAM uses the IPAM server FQDN of the local
machine from where the cmdlet is run. If required, you can explicitly specify the FQDN name
of the IPAM server using the IpamServerFqdn parameter.

41

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

The cmdlet creates a universal group named IPAMUG in the specified domain (if not already
present), and adds the computer account of specified IpamServerFqdn to it. Access setting
propagation by IPAM GPOs are done for the universal group IPAMUG. The cmdlet also
modifies the domain wide DNS ACL to enable DNS RPC access for IPAM.
IPAM auto-detects the available DC in order to invoke the GPO related operations. The GPO
objects created by this cmdlet can be returned using the PassThru switch.

Delegate IPAM GPOs


After creation of IPAM GPOs, it is feasible to delegate subsequent GPO edit privileges to the
appropriate IPAM administrators (who are not domain or enterprise administrators) by
using the parameters User or Group available with the Invoke-IpamGpoProvisioning
cmdlet. This delegation will be required when you select the servers to be managed within
the IPAM console, and IPAM automatically attempts to add them in the appropriate GPOs
using the logged in user credentials. IPAM recommends creating a domain level group
IPAMGPOAdmins and delegating the GPO edit privileges to that group using the Group
parameter, as opposed to adding an individual user list for delegation.

Adding Managed Servers to GPO


At the time of creation of GPOs, the security filter list of IPAM GPOs is empty. When the
manageability status of a server is edited in IPAM server inventory view, IPAM automatically
adds or removes the server in the appropriate GPO security filter list. Managed servers are
added to the GPO security filtering and unmanaged servers are deleted. IPAM GPO editing
privileges can be delegated to IPAM administrators who are not domain or enterprise
administrators, using User and Group parameters in Invoke-IpamGpoProvisioning cmdlet.
IPAM follows the logic below to update the GPO security filter list:

When a server role is marked as managed IPAM automatically adds it to the appropriate
IPAM GPOs based on the active roles on this server.

When a server is marked as unmanaged IPAM automatically deletes it from the


appropriate IPAM GPOs based on the active roles on this server.

When a server role is marked as active (checked) on a managed server, IPAM


automatically adds it to the appropriate IPAM GPO.

When a server role is marked as inactive (unchecked) from a managed server, IPAM
automatically deletes it from the appropriate IPAM GPO.

Note:

42

IPAM considers GPO update failures during server edit operation due to GPO not existing,
insufficient privileges, or any other issue, as non-blocking. In other words, server edit
operation will continue irrespective of any failures encountered during GPO update. A
detailed report of the failures will be presented, and can be used to manually edit the IPAM
GPOs. Newly discovered IPAM roles on managed servers (in periodic server discovery cycle)
are marked as Managed. However, since the IPAM task does not have GPO editing privileges,
these roles will not be automatically added in the relevant IPAM GPO. You must add such
roles manually to the relevant IPAM GPO. A critical event is logged in IPAM administrative

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

channel to allow you to easily track this scenario if it occurs.

Manual Provisioning
It is possible to bypass the wizard-based automated deployment and set a custom scope for
IPAM management. To deploy a limited pilot implementation of IPAM, you can manually add
administrators and server computer accounts to appropriate predefined AD security groups,
and configure firewall rules to allow communication to a set of manually selected and
configured network nodes.
More Information:

For details of enabling IPAM access settings on managed roles manually, refer to the
Manual IPAM Provisioning section of the Appendix to this guide:
Manual IPAM Provisioning - Configuring Access Settings

Configuring and Managing IPAM


IPAM Initial Setup
The IPAM overview page on IPAM Client UI navigates the user across six basic steps required
to complete initial setup for an IPAM Server:
1. Connect to an IPAM server
2. Provision the IPAM server
3. Configure server discovery
4. Start server discovery
5. Select or add servers to manage and verify IPAM access
6. Retrieve data from managed servers

Connect to IPAM Server


IPAM enables connecting to a remote or local IPAM server using the first step listed in
sequence on the IPAM Overview page. By default, the IPAM Client UI automatically connects
to the local instance of IPAM server (if running). The Connect to IPAM Server dialog allows
the user to select from the local and remote IPAM server instances detected by Server
Manager from the pool of servers being managed.

43

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 10 Select IPAM server to connect IPAM client

Note:

Remote IPAM servers must be added to the Server Manager purview using the Add Servers
dialog available in the Manage menu, before they are listed in the Connect dialog.

IPAM Provisioning Wizard


The IPAM provisioning wizard needs to be completed one time on every IPAM server. The
IPAM provisioning stage sets up IPAM security groups and IPAM database.

Note:

The logged in user must have Administrator privileges (running elevated) in order to
complete IPAM provisioning.

The IPAM provisioning wizard prompts you to select between manual and group policy based
provisioning methods. Once the provisioning wizard is complete, this setting cannot be
changed. For more information on IPAM provisioning methods refer to the corresponding
section in this guide.

44

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 11 Provision IPAM Wizard Select Provisioning Method

If Manual deployment is selected, the IPAM wizard does not take any action to deploy
settings, and the administrator can consult the help files and IPAM deployment guide to
determine necessary settings to apply manually.
If Group Policy Based deployment is selected, supply the unique GPO prefix name for this
IPAM instance. The IPAM wizard does not take any action to actually create the group policies,
and you can use the IPAM Windows PowerShell cmdlet Invoke-IpamGpoProvisioning to
create the group policies. The GPO prefix name selected in this step must be as the one
specified as GpoPrefixName parameter with the GPO creation cmdlet.
Important:

The provisioning method selected is simply committed in the IPAM database in this step. The
IPAM provisioning wizard does not perform any corresponding action such as creating the
group policy objects or provisioning the servers.

Once the IPAM provisioning wizard successfully completes, the IPAM database and security
groups are in place. You can add the required users to the IPAM security groups based on
their roles. For more information on IPAM security groups, refer to the relevant section in
this guide.

Configure Discovery
Next, click configure server discovery to launch the Configure Discovery settings wizard. Use
the discovery settings wizard to add all domains in the forest on which you intend to run
discovery. You must add each domain to the list explicitly, even if the forest root domain has
been selected. For each domain added to the scope of discovery, you can select which type of

45

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

servers to discover. By default, domain controller, DHCP server, and DNS server check boxes are
all selected.

Figure 12 Configure Server Discovery

Create IPAM GPOs


Although there is no strict ordering in terms of when IPAM group policies should be created,
IPAM recommends that at the time of adding any domain into the server discovery
configuration, the corresponding group policies objects should also be created using the
Windows PowerShell cmdlet Invoke-IpamGpoProvisioning. Domain administrator
privileges are required to create IPAM GPOs and the IPAM GPO edit privileges should be
delegated to appropriate IPAM administrators who do not have domain or enterprise
administrator privileges.

Start server discovery


The Discovery task runs periodically and uses these settings to discovery the specified server
roles running on the selected domains. The default periodicity of the discovery task is set as
one day and is user configurable from the task scheduler. User can also start server discovery
on demand by clicking on Start Server Discovery from the Overview page or by clicking
Start Discovery from the global action Manage from any other page.

46

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 13 Start Server Discovery

Select or add servers to manage and verify IPAM access


Once the discovery process completes, the discovered servers are listed in the Server
Inventory view of the IPAM management console. The action column initially displays each
discovered server manageability status as Unspecified until an administrator classifies the
server as managed or unmanaged.

Figure 14 Discovered Servers View

Servers are arranged under IPv4 or IPv6 nodes based on their network interface address. It is
possible that the same server may appear in both IPv4 and IPv6 node, if it has two types of IP
addresses.

Add Server
Use the Add or Edit Server dialog to set the manageability status to Managed for servers
that you intend to manage via IPAM. Servers (and their corresponding roles) can also be
added manually into the IPAM management span. This is especially useful for adding NPS

47

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

servers (required for IP Address tracking feature), which cannot be auto-discovered by IPAM.
In order to add a server manually, right click on IPv4/IPv6/Managed servers/Unmanaged
servers on the left navigation tree to trigger the Add server dialog.

Figure 15 Add or Edit Server Dialog

Set Server as Managed


You can select one or more servers to be marked as managed from the discovered set of
servers. Right-click on the server to display the server menu and select Edit server action.

Figure 16 Edit Server Task

48

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Verify IPAM Access


Discovered or added servers are shown along with their Server Type and IPAM Access
Status. Server type refers to the workloads (DHCP/DC/DNS) running on the server and IPAM
access status refers of the status of IPAM specific management settings which are required to
be configured on these servers.

GPO based provisioning


As the servers are set to be managed in IPAM, the server is added to the security filtering for
relevant GPOs based on the roles that are active on the server. Ensure that the GPOs are
created on the domain in advance, and the logged in user has the permissions to edit the GPO
at the time of marking server as managed. If for some reason the server fails to get added to
the GPO, the edit operation is not aborted and you must manually add the server to the
required GPO. IPAM recommends multi-editing all the relevant servers simultaneously to
mark their status as managed, in order to optimize the number of GPO updates done by IPAM.
Once the server is added the appropriate GPOs either wait for automatic periodic policy
update to take place or run GPUpdate /Force on the target managed servers. This should
enable the required access settings propagated by the standard GPO settings. For DHCP and
DNS servers, IPAM installs a scheduled task to execute a custom Windows PowerShell script
in order to propagate the access settings. Ensure that the task is successfully completed on
the target server.

Manual provisioning
For manual provisioning, ensure that the required access settings are appropriately
configured on the target server manually.

Refresh Access Status


The typical refresh period of the server access status as checked by the ServerDiscovery
task is one day. For the initial setup, IPAM recommends to multi-select all managed servers,
right click and select Refresh Server Access Status task to trigger on-demand refresh.
Running server discovery again will also update the IPAM access status.

Figure 17 Refresh Server Access Status

49

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Verify Access
Verify that IPAM access status is listed as unblocked indicating that manual or GPO based
provisioning is successfully complete.

Figure 18 IPAM Access Unblocked

For the IPAM access status value to be allowed, all of the access sub-states shown in the
details pane should be marked as allowed. These access states are:

DNS RPC access status

DHCP RPC access status

Event log access status

DHCP audit share access status

Troubleshooting Access Issues


If any of the access sub-states for managed server roles is showing in the Blocked state, check
that the corresponding setting is enabled on the target server. For details of access setting to
sub-state mapping refer to the IPAM Access Monitoring section in this guide. For GPO based
provisioning, the GPResult command line tool can be used to troubleshoot group policy update
issues. The provisioning task setup by IPAM DHCP and DNS GPOs creates a troubleshooting log
in the location %windir%\temp named IpamDhcpLog.txt and IpamDnsLog.txt respectively.

Retrieve data from managed servers


Multiple IPAM tasks run periodically to collect data from the set of servers marked as
Managed. The default period of collection depends upon the data being collected and varies
from 15 minutes to 6 hours. This interval of collection is configurable from the task scheduler.
Data can also be retrieved on demand. In order to retrieve data from all managed server, the
Retrieve All Server Data action can be invoked from the global management menu.
This completes the initial setup of IPAM for DHCP, DNS, DC and NPS server management and
monitoring across various consoles on the UI.

Server Inventory Management


From the Server Inventory view, right click on one or more servers to take an action on only
the selected servers.

50

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 19 Server Inventory Management

The available actions are:


Edit Server: Edit manageability status of the server and roles on the servers.
Retrieve All Server Data: Retrieve data for all selected roles on the selected server.
Refresh Server Access Status: Refresh Server Access Status for the selected servers
only
Delete: Remove a server from the inventory view, along with all its data.

Address Space Management


The IPAM address space management (ASM) feature provides the ability to efficiently view,
monitor, and manage IP address space on the network. ASM supports IPv4 public and private
addresses and IPv6 global and unicast addresses. Searching and sorting of IP addresses, IP
address ranges and IP address blocks can be based on built-in fields or user defined custom
fields, such as region, Regional Internet Registries (RIR), device type, or customer name. You
can track IP address utilization and threshold-crossing status, or display utilization trends.
IPAM ASM feature address the IP address space management problem in a growing
distributed environment by ensuring better planning, accountability, and control. IPAM also
enables you to detect overlapping IP address ranges defined on different DHCP servers, find
free IP addresses within a range, create DHCP reservations, and create DNS records.

IP Address Blocks
A user can view the IP address blocks, IP address ranges or IP addresses in this view by
selecting the appropriate view in the current view combo box. This view allows you to
visualize the address space by automatically segregating the IP address ranges, IP address
blocks and IP addresses into private address and public address categories for IPv4 address
and global and unicast categories for IPv6 addresses.

51

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 20 IP Address Blocks

Adding an IP Address Block


To create an IPv4 IP address block, right click the IPv4 node and select Add IP Address
Block. Similarly, to add an IPv6 IP address block, right click on the IPv6 node and select Add
IP Address Block. Based on the network ID, IPAM can automatically group smaller subblocks under larger IP Address blocks, forming a hierarchy of blocks. This hierarchy is
presented in the navigation pane in a tree view, and clicking on each IP address block or subblock allows you to view IP address ranges or IP addresses mapped to that block.

52

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 21 Add IP Address Block

Adding an IP Address Range


To add an IPv4 IP address range, right click on the IPv4 node and select Add IP Address
Range. Similarly, add a new IPv6 IP address range by right clicking on the IPv6 node and
selecting Add IP Address Range. To view the ranges, select IP address ranges from the
current view combo box. IPAM can also automatically enumerate scopes from managed DHCP
servers and these scopes will appear as dynamic ranges in ASM views. However, these
dynamic ranges are not editable. For dynamic ranges, you must edit the corresponding
scopes through MSM views.

Adding an IP Address
To Add an IPv4 IP address, right click on the IPv4 node and select Add IP Address. Similarly,
to add an IPv6 address, right click on the IPv6 node and select Add IP Address. To view the
IP addresses, switch to IP address view by selecting IP Addresses from the current view
combo box.

Viewing the utilization statistics and utilization trend


You can view the utilization statistics, such as percent utilization and total number of
addresses of an IP address block or IP address range in the Configuration Details panel. To
view the utilization statistics of an IP address range, you must first switch to IP address range

53

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

view by clicking on the current view combo box and then clicking on the range in which you
are interested. Similarly, you can view the utilization statistics of an IP block. IPAM
automatically calculates the utilization statistics of an IP address block by rolling up the
utilization statistics of the IP address ranges mapped to it.
You can view the utilization trend of an IP address range by first clicking on the IP address
range, clicking on the utilization trend tab, and then selecting the appropriate time window
for generating the trend graph. You can view the utilization trend graph of an IP address
block by clicking on the block, and then clicking on the utilization trend tab.

Figure 22 Utilization Statistics and Trend

Configuring utilization threshold


You can configure the over- and under-utilized threshold values by selecting IPAM Settings > Configure Utilization Threshold from the Manage menu. The threshold determines the
value of utilization state of IP address ranges, IP adddress blocks and IP range groups.

54

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 23 Configure Utilization Threshold

IP Address Inventory
In this view, you can see a list of all IP addresses available in the system, along with their
device names, device types, etc. You can choose to selectively view IP address with a
particular device type by clicking on the appropriate device type node in the navigation pane.
For example, to view IP addresses belonging to firewalls, you can click on the firewall node
and the view will be populated with IP addresses with device type set as firewall. You can
create a DNS record or DHCP reservation for an IP address by right clicking on the IP address
and selecting Create DHCP Reservation or Create DNS Host Record.

55

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 24 IP Address Inventory

Finding a Free IP Address


To find a free IP address from an IP address range, right click on the range and select Find
and Allocate Available IP Address. This will launch the Find and Allocate Available IP
Address dialog. IPAM will automatically select an available IP address from the selected
range, ping it, and check whether a DNS record exists for the IP address. You can chose to
allocate the IP address or click Find Next to find the next available IP address. Once you have
found an available IP address, fill in the parameters such as Expiry Date, Device type, Device
Name, and then click OK to create an IP address record in IPAM.
Provide the DNS server and DHCP server information for the IP address by clicking on DHCP
reservation and DNS record tabs in the dialog. Clicking OK merely creates a record in IPAM,
and a DHCP reservation or DNS record is not automatically created.

56

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 25 Find an Available Address

Configure expiry alert threshold


User may change the system-wide expiry alert threshold by selecting IP Address Expiry Log
Settings dialog from the Tasks menu.

Figure 26 Expiry Alert Threshold

57

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Synchronizing DHCP and DNS records


IPAM allows you to fill optional DHCP reservation parameters and DNS record information
for the IP address on the Add/Edit IP address dialog by clicking on DHCP reservation and
DNS record tabs respectively.
IPAM auto-populates the relevant DHCP servers against the reservation server name based
on the discovered scopes to which the IP address can map. A reservation can only be created
or deleted against the DHCP server being managed by this instance of IPAM.

Figure 27 Reservation Synchronization

IPAM auto-populates the discovered DNS zones and the corresponding primary DNS servers
in the IP address dialog. All the relevant reverse lookup zones to which the address can map
along with the corresponding primary DNS servers are also made available for easy selection
and configuration. A DNS record can only be created or deleted against the DNS server being
managed by this instance of IPAM.

58

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 28 DNS Record

Clicking OK merely creates a record in IPAM, and a DHCP reservation or DNS record is not
automatically created during the IP address add or edit operation. You must explicitly invoke
the create or delete operation as intended after providing all the values. You may select
multiple IP addresses at a time to simultaneously synchronize add/delete of any of these
records. The success/failure of this operation can be tracked by status fields maintained for
the IP address.

59

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 29 Create or Delete DHCP and DNS Records

IP Address Range Groups


In this view, you can visualize and organize IP address range by logical groups based on user
defined business logic. For example, you can choose to visualize and organize IP address
range based on what geographical location or business unit they are serving. You can create a
logical group based on country and business unit and apply the appropriate custom field
value to IP address ranges for country and business unit custom fields. You will then be able
to view the IP address ranges serving a particular business unit in a particular country by
clicking on appropriate logical group node in navigation pane.

Creating a Custom field


To create a custom field, click on Manage menu and select IPAM Settings. Click the
Configure Custom Fields link to open Configure Custom Fields dialog. Specify a name for
the new custom field and type of the custom field. In case of a multi-valued custom field you
can specify the various values that the custom field can take.

60

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 30 Configure Custom Fields

Applying a Custom Field to an IP Address Range


To apply a custom field to an IP address range, right click on an IP address range and select
Edit IP Address Range. You can apply a custom field to more than once IP address range
simultaneously by selecting multiple IP address ranges and right clicking followed by
selecting Edit IP Address Range. You can then click on custom configuration pane in the
dialog to apply custom fields to the IP address ranges.

61

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 31 Multiple IP Address Selection

62

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 32 Edit IP Address Range

63

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Creating an IP Address Range Logical Group


To Create an IP address range group, right click on the IPv4 node and select Add IP Address
Range Group. Specify what custom fields should be used to group the IP address ranges
together. Specify several groups by criteria, which will be applied one after another when
IPAM organizes the IP address ranges into IP address range groups. For example, you may
choose to first group the IP address ranges by country and then by business unit. Once the IP
address range group is created, it will appear in the navigation pane. You can then click on
any node of the group to select the IP address ranges that fulfill the grouping criteria.

Figure 33 Add IP Address Range Group

64

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 34 View Address Range Groups

65

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Import Data
IPAM allows you to export out the IP address block, IP address range, and IP address records
in comma separated value (csv) format. You can import the IP address block, IP address
range, and IP address records from csv files. The names of column in the csv file from which
data is being imported must be same as the name of columns on IPAM views. For example, if
the csv file contains IP address block records, then the column names in the csv file must be
the same as column names in IP address blocks view of IPAM.
To import data, click the tasks menu and select Import IP Address Block, Import IP
Address Range, or Import IP Addresses based on the type of data contained in csv file. Once
the file is selected, the import process begins and displays a progress bar.

Figure 35 Import Data

IPAM supports periodic import and update operations for IP address ranges belonging to the
specified Managed By Service and Service Instance values. Along with adding new ranges
and editing existing ranges as in the case of regular IP address range import, this operation
also deletes those ranges from IPAM which have the same value of Managed By Service and
Service Instance fields but are not present in the csv being imported. IPAM provides the
option of deleting the IP addresses mapping to the IP address ranges that are deleted during
this import operation. The dialog can be launched from the tasks menu in the IP address
space console.

66

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 36 Periodic Address Range Import Settings

IPAM also supports periodic import and update operations for IP addresses belonging to the
specified IP address range. Along with adding new addresses and editing existing addresses
as in the case of regular IP address import, this operation deletes those addresses from IPAM
that map to the specified IP address range, but are not present in the csv being imported.
Launch the dialog by right clicking on the relevant IP address range in the UI.

Figure 37 Import IP Address Inventory

Export Data
To export out data from IPAM views, navigate to the appropriate view, clicks the Tasks menu
and select Export. You may filter out the required subset of records to be imported by
running basic or advanced queries before export.

67

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 38 Export Data

68

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Monitor and Manage DNS and DHCP Servers


From the DNS and DHCP Servers view, you can view and monitor the health and
configurations of all the DNS and DHCP server roles being managed by IPAM.

Service Health Monitoring


The Server Availability state, Duration in current state and Last Refreshed fields
together show the state of the server at time of last poll and the duration it has been
continuously in that state.
From this view you can use the Server Type drop box to view only DNS or DHCP server roles
or use the navigation pane to view servers with network interfaces in the same /16 subnet
for IPv4 and /48 subnet for IPv6.

Figure 39 DNS and DHCP Servers

Configuration Monitoring
The details view shows the server properties of the server selected. In case of DHCP servers,
server options and DHCP events are shown. In case of DNS servers, the zones on the server
and the DNS zone events are shown.

DHCP Server Management


Right clicking on a server from this view shows the list of actions that can be performed on
the server. The list of actions available is specific to the server role selected. The actions that
can be performed on DHCP servers are as follows:

69

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Edit DHCP Server Properties - This allows setting a number of server properties of the
DHCP server

Figure 40 Edit DHCP Server Properties

Edit DHCP Server Options - Allows addition, deletion or editing of options at the
servers level. Action can be performed on multiple DHCP servers simultaneously to
update multiple options across servers.

Figure 41 Edit DHCP Server Options

70

Create DHCP scope - Create a scope on a DHCP server, and set numerous scope
properties.

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 42 Create DHCP Scope

Configure predefined option and values - Create predefined options and set option
value. Select one or more servers and launch the action to configure predefined options
on multiple servers simultaneously

Figure 43 Configure Predefined Options

Configure User Class - Multi-select servers and launch the action to configure user
classes on multiple servers simultaneously.

71

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 44 Configure User Classes

Create and edit new and existing user classes - Multi-select servers and launch the
action to configure user classes on multiple servers simultaneously.

Configure Vendor Class - Multi-select servers and launch the action to configure user
classes on multiple servers simultaneously.

Launch MMC - Launch the MMC for the selected DHCP server

Retrieve server data - Multi-select servers and launch the action to retrieve server data
from the selected set of servers.

DNS Server Management


The actions that can be performed on DNS servers are the following:

Launch MMC - Launch the MMC for the selected DNS server

Retrieve server data - Multi-select servers and launch the action to retrieve server data
from the selected set of servers.

DHCP Scopes
In this view you can see all the DHCP scopes configured on all the DHCP servers being
managed by IPAM. The utilization of each scope is shown in this view along with key
properties and options configured on the scope. You can view all IPv4 or all IPv6 scopes or
only scopes that lie within a specific IP address block.

72

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 45 DHCP Scopes View

The actions that can be performed on DHCP scopes are as follows:

Edit a DHCP scope - This allows setting a number of scope properties of the DHCP
server. Action can be performed on multiple DHCP scopes across servers
simultaneously.

73

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 46 Edit DHCP Scope Options

Duplicate DHCP scope - Allows using a scope as a template to create another scope with
an identical set of properties. These properties can also be selectively edited before the
new scope is created. This is performed as a single operation.

Activate / Deactivate DHCP scope - Activate or deactivate a scope. Action can be


performed on multiple DHCP scopes across servers simultaneously.

Delete - Delete the selected scope(s).

DNS Zone Monitoring


This view shows all the forward lookup and reverse lookup zones on all the DNS servers
being managed by IPAM.
For the forward lookup zones, IPAM also displays all the servers hosting the zone and the
aggregate health of the zone across all these servers and the zone properties.

74

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 47 DNS Zone Monitoring

To navigate to any zone, use the navigation pane to view the health status of the zone on each
of the authoritative servers. In case of an error in the zone, the event catalog displays the
specific event that is causing the error. Right-click on the authoritative server to launch the
MMC and investigate further to fix the cause of the problem. The server properties and the
other zones hosted by the server are shown in the details pane.

Figure 48 Launch MMC

Server Groups
IPAM allows servers to be tagged with custom fields. Servers so tagged can be auto-arranged
in hierarchical logical groups. Creation of custom fields is described in section titled Creating

75

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

a Custom field. Servers can be tagged with custom fields from the Custom Configurations
page or the Add or Edit Server dialog described in the section Server Inventory
Management.

Figure 49 Assigning Custom Fields to Servers

A logical group for servers can be created by right-clicking the IPv4 or IPv6 node and
selecting Add Server Group

76

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 50 Add Server Group

Event Catalog Management


IPAM allows you to keep a track of the configuration changes at managed DHCP servers as
well as the IPAM server itself. In addition, IPAM allows you to track IP address and user
activity on the network through the IP address tracking feature.

IPAM Configuration
To track the configuration changes at the IPAM server, click on IPAM Configuration Events.
View all the configuration changes that have occurred on the IPAM server along with the user
name of the person who changed the configuration. You can choose to filter out the events
based on user name or other filter criteria like time of the event, or operational code.

77

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 51 IPAM Configuration Events

DHCP Configuration Events


View the configuration changes at managed DHCP servers by clicking on the DHCP
Configuration Events node.

78

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Figure 52 DHCP Configuration Events

IP Address Tracking
IP address tracking feature of IPAM enables you to track the IP address and user activity on
the network. Begin the trail by selecting a time window and using an IP address, client ID
(MAC), hostname or username as query criteria. For example, to start tracking an IP address,
click By IP Address, select a time window, and enter the IP address.
The query will return all the DHCP lease events gathered from managed DHCP servers that
match the given IP address. You can include or exclude the correlated user and computer
logon events collected from managed DCs and NPS servers. For detail on how IPAM
correlates the DHCP lease events with user and computer logon events, refer to IP Address
Tracking in the Functional Description section of this guide.

79

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

Figure 53 IP Address Tracking

Database Purging
IPAM supports on-demand purging of configuration event log and IP address tracking related
records. You can select the time window before which data must be purged and the data type
(IPAM configuration, DHCP configuration, IP address tracking). It is advisable that data purge
operation should be initiated during the night or at a time when IPAM activity is low. IPAM
recommends a moving window of historical event log data for only last 6 months for best
performance and disk space utilization.

Figure 54 Purge Audit Data

80

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Troubleshooting IPAM
Troubleshooting tools
Event Logging
IPAM logs events under multiple channels in Event Viewer under the path Application and
Services Logs > Microsoft > Windows > IPAM. The channels are as follows:

Admin channel:
Unexpected errors arising from either from a user action or a periodic task are logged
here.

ConfigurationChange channel:
This captures events related to configuration changes made to the IPAM server

Operational channel:
This channel captures informational events and can give greater insight to the health
and operations of the various IPAM tasks. Logging on this channel is Disabled by
default.

Analytic channel and the Debug channel


These channels are Disabled and hidden by default. To view these logs, right click on
the IPAM node in Event Viewer and select View > Show Analytic and debug logs.
Events in these channels are targeted for debugging purposes only.

Events in IPAMs admin channel and the operational channel can also be viewed from the
IPAM server within Server Managers Dashboard view.

Common IPAM problems


Connection issues
Unable to connect to IPAM server

Ensure the WID service is running on the IPAM server.


Ensure the Windows Process Activation service is running.

Provisioning issues
IPAM Access status shows as blocked for a server or unable to fetch data

In the server inventory view details pane, check that the access status is unblocked or Not
applicable for each of the following fields:
o DHCP RPC Access Status
o DNS RPC Access Status
o DHCP Audit Share Access Status

81

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

o Event Log Access Status


If any access status is listed as Blocked, check that the firewall rules for the target server
have been set as per IPAM Access Settings.
Check that the servers have been correctly provisioned. Refer to the section Manual IPAM
Provisioning Configuring Access Settings.

Discovery issues
A DNS server not co-located with a DC, is not being discovered

Ensure that the DNS server is registered as a name server for the domain zone and the DNS
suffix is registered for the configured domain.

A DHCP server is not being discovered

Ensure that the DHCP server is authorized for the configured domains and responds to the
DHCP server INFORM message and the message is reaching IPAM

Monitoring and Management Issues


Server Availability state is showing Not Reachable

Ensure that there is no network connectivity issue between the IPAM server and the target
server

Open DNS MMC / DHCP MMC to the target DNS / DHCP server and ensure that the service is
running.

Check that the service read access status has been provisioned. Refer to the section Manual
IPAM Provisioning Configuring Access Settings on how to do this.

Appendix
Manual IPAM Provisioning Configuring Access Settings
Configuration required at DHCP servers
Steps described below should be repeated at each DHCP server expected to be managed
through IPAM
More Information:

For more information on configuring firewall rules, see:


Windows Firewall and IPsec Policy Deployment Step-by-Step Guide

1. Create a Network file share to the directory %windir%\System32\dhcp by the share


name DHCPAudit and allow read-only access to the IPAM server computer account on
this share.

82

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

2. Add the IPAM server computer account to the DHCP Users local security group on the
DHCP servers.
3. Update DHCP service access settings.
a. Get the IPAM computer account SID - From the domain controller, launch
Windows PowerShell and type Get-ADComputer <IPAM server name>. In
the example below the name of the IPAM server is S4-IPAM

a. Add the IPAM SID to the DHCP service read access status

83

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

i. Find the string corresponding to the current permissions using sc


sdshow dhcpserver

ii. Create the string corresponding to the new permissions to be added by


typing (A;;CCLCSWLOCRRC;;; followed by the IPAM SID followed by a
closed parenthesis. In the example above (A;;CCLCSWLOCRRC;;;S-1-521-1793763811-3486041751-3179139019-1609) is the string
corresponding to the additional permissions that needs to be set.
iii. Update permissions by adding the new permission string to the current
permissions using sc sdset dhcpserver

New permissions added are show highlighted in yellow above. Note that the permissions are
added to the DACL (starting from D: ) and not the SACL (starting from S:)
4. Unblock the inbound traffic on DHCP RPC Firewall ports by enabling following inbound
firewall rules
a.

DHCP Server (RPC-In)

b.

DHCP Server (RPCSS-In)

5. Unblock the inbound traffic on Remote Service Management Firewall ports by enabling
following inbound firewall rules
a. Remote Service Management (RPC)
b. Remote Service Management (RPC-EPMAP)
6. Unblocking the inbound File and Printer Sharing Firewall ports to enable sharing of
DHCP audit logs by enabling following inbound firewall rules:-

84

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

a. File and Printer Sharing (SMB-In)


b. File and Printer Sharing (NB-Session-In)
7. Enable Remote Event Log Management RPC access by enabling the following inbound
firewall rules
a. Remote Event Log Management (RPC)
b. Remote Event Log (RPC-EPMAP)
8. Add the IPAM server computer account to the Event Log Readers local security group
on the DHCP servers.

Configuration required at DNS servers


1. Enable DNS RPC access by enabling the following inbound firewall rules
a. DNS Service (RPC)
b. DNS Service (RPC Endpoint Mapper)
2. Enable remote management access by enabling following inbound firewall rules
a. Remote Service Management (RPC)
b. Remote Service Management (RPC-EPMAP)
3. Configure the Discretionary Access Control List (DACL) This setting is required once
per domain and not per DNS server for DC co-located DNS servers. For non-DC-colocated DNS servers, alternately add the IPAM computer account to the local
Administrators group on each standalone DNS server.
a. On the domain controller, from the Start screen, type dnsmgmt.msc, and press
ENTER. The DNS Manager console will open.
b. Right-click on the server and then click Properties.
c. Click the Security tab, click Add, click Object Types, and select Computers.

85

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

d. Click OK, type the name of the IPAM server (IPAM01 in this example), and click
OK.
e. Verify that the IPAM server is configured with Allow for Read access. See below.

86

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

4. Get the IPAM computer account SID - From the domain controller, launch Windows
PowerShell and type Get-ADComputer <IPAM server name>. In the example below,
the name of the IPAM server is S4-IPAM

5. Add the IPAM SID to the appropriate registry entry to get access to DNS zone event
logs.
a.

Open regedit and navigate to


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\D
NS Server.

b. Click CustomSD and then modify the setting. See below.

c. Add the IPAM SID at the end of this registry entry. Type (A;;0x1;;; and then
paste the IPAM SID (obtained through Windows PowerShell in step 4 above the text string that you copied from the Windows PowerShell prompt). Enter
closed parentheses to complete the value data. In the example above (A;;0x1;;;
S-1-5-21-1793763811-3486041751-3179139019-1609) will be added to the

87

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

DRAFT V5.0

registry. Note that the permissions are added to the DACL (starting from D: )
and not the SACL (staring from S:)

6. Add the IPAM SID to the DNS service read access status
a.

Find the string corresponding to the current permissions using sc sdshow dns

b. Create the string corresponding to the new permissions to be added by typing


(A;;CCLCSWLOCRRC;;; followed by the IPAM SID (obtained through Windows
PowerShell in step 4 above - the text string that you copied from the Windows
PowerShell prompt) followed by a closed parenthesis. In the example above
(A;;CCLCSWLOCRRC;;;S-1-5-21-1793763811-3486041751-3179139019-1609)
is the string corresponding to the additional permissions that needs to be set.
c. Update permissions by adding the new permission string to the current
permissions using sc sdset dns

New permissions added are show highlighted in yellow above. Note that the
permissions are added to the DACL (starting from D: ) and not the SACL
(staring from S:)

88

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Configuration required at DC/NPS servers


Steps described below should be repeated at each Domain Controller expected to be managed
through IPAM
1. Enable Remote Event Log Management RPC access by enabling following inbound Firewall
rules
a.

Remote Event Log Management (RPC)

b.

Remote Event Log Management (RPC-EPMAP)

2. Add the IPAM Server computer account to the Event Log Readers domain security group on
the domain controller and NPS servers.

89

DRAFT V5.0

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

GPO Based IPAM Provisioning GPO Setting Details


IPAM DHCP GPO Settings
Standard GPO Settings

90

Provisioning PS Script Settings

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

Standard GPO Settings

Provisioning PS Script Settings

Add the IPAMUG account SID to the Event Log Readers


security group

Enable DHCP RPC access by unblocking the following


inbound DHCP Management Windows Firewall ports

Read the localized name of the


DHCP Users group and add
IPAMUG account SID to this
localized group name.

Read the configured location of the


DHCP audit log file generation and
create a network file share to this
directory by the name of dhcpaudit
and enable read access for IPAMUG
SID on the network share

Read the current service ACL


settings for dhcpserver service and
add read access for IPAMUG
account SID in the DACL

Generate trace logs in the file


%windir%\temp\ipamdhcplog.txt
on the target server

Enable Remote Management RPC access by unblocking


the following inbound Remote Service Management
Windows Firewall ports

Remote Service Management RPC and RPCEPMAP

Enable Audit File access by unblocking the following


inbound File and Printer Sharing Windows Firewall
ports

DHCP Server Management RPC-In and RPCSSIn

File and Printer Sharing SMB-In and NBSession-In

Enable Remote Event Log Management RPC access by


unblocking the following inbound Windows Firewall
ports

Remote Event Log Management RPC and RPCEPMAP

Setup an advanced scheduled task


IpamDhcpProvisioning under the path Task Scheduler
Library -> Microsoft. The task will get trigged upon
gpupdate to execute the Ipam provisioning script
IpamProvisioning.ps1 - from the GPO startup script
location in the SYSVOL folder.

Use item-level targeting setup a basic scheduled task


IpamDhcpProvisioning for Windows 2008 servers under
the path Task Scheduler Library -> Microsoft.. The task
will tigger every 60 minute to execute the bat file
IpamProvisioning.bat from the GPO startup script
location in the SYSVOL folder. The bat file does the
following:

copies the IpamProvisioning.ps1 to the


%windir%\temp folder on the target server,

installs Windows PowerShell,

saves executionpolicy on the target servers


and sets executionpolicy to unrestricted,

executes the PS script for provisioning and

restores the original executionpolicy.

91

DRAFT V5.0

Understanding and Troubleshooting Guide


Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM

IPAM DNS GPO Settings


Standard GPO Settings

Provisioning PS Script Settings

Add the IPAMUG account SID to the Event Log Readers


security group

Enable DNS RPC access by unblocking the following


inbound DHCP Management Windows Firewall ports

Read the current ACL setting in the


CustomSD item in the registry key
HKLM:\System\CurrentControlSet\
Services\EventLog\DNS Server and
add read access for IPAMUG
account SID in the DACL

Read the current service ACL


settings for dnsserver service and
add read access for IPAMUG
account SID in the DACL

Generate trace logs in the file


%windir%\temp\ipamdnslog.txt on
the target server

Enable Remote Management RPC access by unblocking


the following inbound Remote Service Management
Windows Firewall ports

DNS RPC and DNS RPC EPMAP

Remote Service Management RPC and RPCEPMAP

Enable Remote Event Log Management RPC access by


unblocking the following inbound Windows Firewall
ports

Remote Event Log Management RPC and RPCEPMAP

Setup an advanced scheduled task


IpamDnsProvisioning under the path Task Scheduler
Library -> Microsoft. The task will get trigged upon
gpupdate to execute the Ipam provisioning script
IpamProvisioning.ps1 - from the GPO startup script
location in the SYSVOL folder.

Use item-level targeting setup a basic scheduled task


IpamDnsProvisioning for Windows 2008 servers under
the path Task Scheduler Library -> Microsoft. The task
will tigger every 60 minute to execute the bat file
IpamProvisioning.bat from the GPO startup script
location in the SYSVOL folder. The bat file does the
following:

92

copies the IpamProvisioning.ps1 to the


%windir%\temp folder on the target server,

installs Windows PowerShell,

saves executionpolicy on the target servers


and sets executionpolicy to unrestricted,

executes the PS script for provisioning and

restores the original executionpolicy.

2012 Microsoft Corporation. All rights reserved.

DRAFT V5.0

Understand and Troubleshoot IP Address Management (IPAM) in

Windows Server "8" Beta

IPAM DC/NPS GPO Settings


Standard GPO Settings

Add the IPAMUG account SID to the Event Log Readers


security group

Enable Remote Management RPC access by unblocking


the following inbound Remote Service Management
Windows Firewall ports

Provisioning PS Script Settings


N/A

Remote Service Management RPC and RPCEPMAP

Enable Remote Event Log Management RPC access by


unblocking the following inbound Windows Firewall
ports

Remote Event Log Management RPC and RPCEPMAP

93

Potrebbero piacerti anche