Abstract
This Understand and Troubleshoot Guide (UTG) enables you to learn technical concepts, functionality,
and troubleshooting methods for IP Address Management (IPAM) in Windows Server 8 Beta. This UTG
provides you with:
Technical concepts to help you successfully install, configure, and manage this feature.
Copyright information
This document is provided as-is. Information and views expressed in this document, including URL and other
Internet Web site references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or
connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product.
You may copy and use this document for your internal, reference purposes.
© 2012 Microsoft. All rights reserved.
Active Directory, Hyper-V, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows
Server, and Windows Vista are trademarks of the Microsoft group of companies.
Table of Contents
Windows Server "8" Beta Understanding and Troubleshooting Guide: IPAM ............................................. 1
About The Understanding and Troubleshooting Guide ........................................................................................1
Introducing IPAM.......................................................................................................................................................1
What Is IPAM? .......................................................................................................................................................1
Purpose/Benefits ...................................................................................................................................................2
Functional Overview..............................................................................................................................................3
Technical Overview .............................................................................................................................................23
Installing and Provisioning IPAM .............................................................................................................................30
Deployment Considerations ................................................................................................................................30
Installation Process - IPAM Server ......................................................................................................31
Installation Process - IPAM Client .......................................................................................................35
IPAM Provisioning ...............................................................................................................................................36
Configuring and Managing IPAM .............................................................................................................................43
IPAM Initial Setup ................................................................................................................................................43
Address Space Management ...............................................................................................................................51
Troubleshooting IPAM .............................................................................................................................................81
Troubleshooting tools .........................................................................................................................................81
Common IPAM problems ....................................................................................................................................81
Appendix..................................................................................................................................................................82
Manual IPAM Provisioning - Configuring Access Settings ..................................................................................82
GPO Based IPAM Provisioning - GPO Setting Details..........................................................................................90
DRAFT V5.0
Introducing IPAM
Internet Protocol (IP) Address Management, which is a critical part of network
administration, has become increasingly challenging, as networks grow more dynamic and
complex. The need for centralized administration of addresses is increasing dramatically over
time as mobile computing, virtualization, and IP devices continue to consume more IP
addresses. The need for management tools has also increased with deployment and adoption
of new Internet Protocol version 6 (IPv6) networks, which have much larger address pools,
and a more complex 128-bit hexadecimal notation as compared with 32-bit dotted decimal
Internet Protocol version 4 (IPv4) addresses. The length and complexity of IPv6 addresses
makes continued tracking of them in a spreadsheet impractical.
Currently, third party vendors offer various software-based or appliance-bundled
management solution options in this space. However, the upfront overhead of procurement,
deployment and integration of such solutions remains a deterrent in their adoption. Most IT
administrators still typically track IP address allocation and utilization manually, using
spreadsheets or custom database applications. This can be very time consuming and resource
intensive, and is inherently prone to user error. Windows Server "8" Beta introduces a new
feature to meet the IP addressing and naming infrastructure management needs of network
and server administrators.
What Is IPAM?
Internet Protocol Address Management (IPAM) is a framework for discovering, utilization
monitoring, auditing, and managing the Internet Protocol (IP) address space in a network.
IPAM encompasses the administration and monitoring of Dynamic Host Configuration
Protocol (DHCP) and monitoring of Domain Name Service (DNS), which are the services that
assign and resolve IP addresses to devices in a TCP/IP network. IPAM in Windows Server "8"
Beta provides components for planning and allocating IP address space, static IP inventory
management, audit of configuration changes, monitoring and management of Microsoft DHCP
servers, monitoring of Microsoft DNS servers and DNS zones, and IP address usage tracking
and customized visualization.
Purpose/Benefits
The Windows Server "8" Beta IPAM feature provides a unified framework to meet the following
administrative requirements of addressing and naming infrastructure for network and server
administration from a central console. IPAM provides the following benefits:
Static IP inventory management, lifetime management, and DHCP and DNS record creation and deletion
Flexible support for import of address space from spreadsheets and management tools
Periodic update support of address space from systems such as System Center Virtual Machine Manager (SCVMM) and third party DHCP servers
Multi-entity management and monitoring of DHCP services and DHCP scopes
Automatic server configuration data collection and dynamic address space discovery
Agentless management of roles with Group Policy Object (GPO) based automated deployment
Remote administration support through Server Manager RSAT from both Windows Server "8" Beta and Windows 8 Consumer Preview client builds
Functional Overview
Prerequisites
Windows Server "8" Beta IPAM is an integrated suite of IP addressing and naming solutions
aimed at helping network and system administrators to manage IP infrastructures across the
enterprise. IPAM scope selection across the managed server nodes is limited to a single
Active Directory (AD) forest, with appropriate trust relationship between the domains.
The IPAM server must be domain joined, and is reliant on a prerequisite functional network
infrastructure environment, including IPv4 and IPv6 network connectivity, in order to
integrate with existing DHCP, DNS, DC, and NPS installations across the AD forest.
Install the IPAM feature on an Active Directory domain member server intended as a single-purpose
server, and do not attempt to collocate other network infrastructure roles such as DNS or DHCP on
the same server. IPAM installation and provisioning is not supported on a domain controller.
IPAM users must be logged in using a domain account with appropriate privileges.
The following are requirements for successful IPAM deployment.
Ensure that you have network connectivity. Enabling both IPv4 and IPv6 is
recommended. Discovering IPv6 address space and infrastructure will not be supported
unless IPv6 connectivity is enabled.
Ensure that you log on to the IPAM server using a domain account. Do not log on to the
IPAM server using the local Administrator or a local user account.
Ensure that you are a member of the appropriate IPAM local security group (see the IPAM
Local Security Groups section of this guide), or, if you are running as a member of the local
Administrators group, run elevated.
If you are accessing the IPAM server remotely using Server Manager IPAM client RSAT,
then you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in
addition to being a member of the appropriate IPAM security group (or local
Administrators group).
Configure network settings on the IPAM server so that it has access to at least one
authoritative domain controller for server discovery. Ensure that you have network
connectivity to all the server roles (DHCP, DNS, DC and NPS) that you intend to manage
through this IPAM instance.
For best performance, do not install any other server roles on the IPAM server.
IPAM installation on a DHCP server is not recommended. The IPAM server discovery
feature will not be able to discover DHCP roles if IPAM is running on a DHCP server.
Ensure that logging of account logon events is enabled on DC and NPS servers for the IP
Address Tracking feature of IPAM.
RAM 4 GB or more
Ensure that network firewall ports and access settings are provisioned to enable IPAM's
access to workloads (DC, DNS, DHCP and NPS) across the managed roles in the AD forest.
For more information on IPAM provisioning and provisioning methods refer to the
Deployment Considerations section of this guide.
If using Group Policy based provisioning, ensure that the users marking servers as
managed/unmanaged in IPAM server inventory console either have domain administrator
privileges or have delegated rights to edit GPO security filter lists. For more information on
GPO delegation, refer to the Group Policy Based Provisioning section of this guide.
Ensure that data replication to all AD global catalog servers is functioning properly at
regular intervals. Stale global catalog data can cause problems with discovery of servers.
Functional Description
Windows Server "8" Beta IPAM consists of five primary modules, which provide the
management functionality. These modules include the following:
Event Catalog
IP address tracking
The server discovery component in Windows Server "8" Beta IPAM leverages your Active
Directory (AD) deployment to discover network infrastructure servers. IPAM facilitates
configuring the scope of server discovery by allowing you to select domains in the AD forest
through its Configure Server Discovery dialog. Discovery allows you to enumerate Microsoft
Windows DNS, DHCP and DC server role types that are available in either the entire AD forest
or a specified subset of domains within the forest. You can also manually add or delete
specific servers (Microsoft Windows DNS, DHCP, DC and NPS servers) to define a custom
scope of administrative control.
The IPAM server discovery and inventory feature also allows you to track granular IPAM
access status on servers. IPAM server inventory management also plays an important role in
managing the security filter list of IPAM GPOs, which are updated according to the
manageability status of the infrastructure servers in server inventory. The GPO updating
functionality is valid only if the Group Policy Based provisioning method has been selected
for IPAM. IPAM also tracks the status of data retrieval on managed servers.
IPAM can be used to discover and manage servers running Windows Server 2008 and above.
Note:
Configure the scope of Server Discovery by selecting the domains, and the server roles within each
domain, to be discovered within the Active Directory forest.
IPAM uses the following rules during server discovery on configured domains for selected
roles:
All domain controllers registered for the configured domains are discovered
All DNS servers registered as name servers for the domain zone and DNS suffixes
registered for the configured domains are discovered
All DHCP servers authorized for the configured domains that respond to the DHCP
server INFORM message are discovered. This feature allows IPAM to intelligently
discard any inactive DHCP servers that are listed as authorized in AD.
Automated discovery of infrastructure servers and their configuration such as server roles,
OS version, IPv4 and IPv6 interface address, domain name, DNS suffix, GUID, active roles
Disjointed name space support. Separate fields showing the server's DNS suffix and domain
name are maintained by IPAM.
Managed - IPAM periodic tasks will collect data from the active (checked) roles on
these servers. Inactive (unchecked) roles on these servers are ignored.
Unmanaged - IPAM periodic tasks will not collect data from these servers. IPAM
deletes all existing information pertaining to these servers from its database.
Unspecified - IPAM periodic tasks will not collect data from these servers. However,
IPAM retains all existing information pertaining to these servers in its database. Set
a server status as Unspecified in scenarios where the server is offline temporarily,
during temporary maintenance cycles for example.
Automatic organization of server inventory view into hierarchical view based on interface
address and manageability status of the server:
Level 3 IP Subnet (/16 for IPv4 and /48 for IPv6 based on primary interface
address)
Edit owner and description for servers, and add user-defined or built-in custom fields/tags
to servers
Built-in tracking of server data retrieval status such as In progress, Complete, Not started
Automatic IPAM access status tracking on servers. IPAM collects granular access status
from the servers listed in the server inventory as Allowed or Blocked. IPAM rolls up these
sub-statuses into overall IPAM access status. The recommended action field indicates the
required action for managed, unmanaged, unspecified servers as appropriate.
Integrated group policy provisioning mode support with automatic synchronization of the
IPAM GPO security filter list with the server inventory configuration. IPAM expects the user
to have appropriate GPO edit privileges while performing these operations for the
automatic GPO synchronization to be successful.
Note:
Auto-discovery of the NPS server role is not supported. These servers can be added using the
Add Server functionality.
Removing a configured domain from Server Discovery scope does not automatically delete
the servers that are already discovered from that domain. If required, the corresponding
servers belonging to this domain can be manually deleted from the server inventory view.
providers. These public IPv4 addresses are allocated and assigned by Regional Internet
Registries (RIR) in response to requests from the organization, and are in critically short
supply. Monitoring the utilization and trends for these RIR blocks is of prime importance.
Hosted service providers need to associate specific IP address subnets or blocks of addresses
to specific customers, development communities, or business divisions by customized logical
grouping.
Enterprises with public-facing datacenter entry points need to manage multiple statically
assigned public IP addresses and subnets. Administrators of these networks require
utilization data to perform actions around address space management. These actions include
finding free IP addresses, tracking address state, tracking the address lifetime, synchronizing
DNS and DHCP records/reservations, balancing the address usage for optimal utilization of
the available subnets, preparing the subnets for new or changing network requirements, and
reclaiming addresses previously assigned but no longer deployed in the production
environment.
The IP address space console of IPAM provides administrators with IP address utilization
statistics and historical trend data to make informed planning decisions for dynamic, static
and virtual address spaces. IPAM periodic tasks automatically discover the dynamic address
space and utilization data as configured on the DHCP servers managed in IPAM. Leverage the
powerful import functionality of IPAM IP address space management to bring static and
virtual address spaces under IPAM central management.
The IPAM Address Space Management (ASM) console provides the ability to efficiently
monitor various dimensions of the managed IP address space, including method of
assignment (static or dynamic), address scope (public or private), and IP version (IPv4 or
IPv6). Using IPAM ASM, you can track IP address utilization, receive threshold-crossing status
from the console and events, or zoom in and out to display utilization trends. The IPAM ASM
tools address the end-to-end IP lifecycle management problem for the static IP address space
in a growing distributed environment by ensuring better planning, accountability, and
control. It further facilitates centralized management and monitoring of address space using
periodic import and update functionality to bring in virtual address spaces managed through
systems like System Center Virtual Machine Manager (SCVMM) or any third party DHCP
servers and virtual machine (VM) managers.
For efficient network resource planning, administrators need to be able to visualize IP
address attributes in logical groupings. The utilization monitoring views in IPAM allow you to
view the enterprise address space in more meaningful logical correlation based on specific
needs. Some examples of logical group views are delineation by divisions of the organization,
geographical regions, Regional Internet Registries, offices located across geographical
regions, and categories assigned to customers based on business profiles. Grouping of
addresses by attributes provides meaningful perspective to utilization monitoring.
IP addresses: are the leaf level entity under IP address ranges. IPAM enables end-to-end
life cycle management of IPv4 and IPv6 addresses, including record synchronization
with DHCP and DNS servers. IPAM automatically maps an address to the appropriate
range based on the start and end address of the range. An IP address is uniquely
identifiable by the value of the mandatory Managed By Service and Service Instance
fields, which help IPAM to manage and maintain duplicate IP addresses from the same
console. These two fields are also used (and should identically match) while mapping
the IP address to the IP address range.
IP address ranges: are the next hierarchical level of IP address space entities after IP
address blocks. An IP range is conceptually an IP subnet marked by a start and end IP
address, and is typically a DHCP scope or a static IPv4 or IPv6 address range or address
pool used to assign addresses to hosts. IPAM enables you to centralize address ranges
that may span across many heterogeneous systems, such as across multiple DHCP
servers, VM managers, or legacy spreadsheets using IPAM import functionality through
UI or Windows PowerShell. An IP address range is uniquely identifiable by the value of
the mandatory Managed By Service and Service Instance fields, which help IPAM to
manage and maintain overlapping or duplicate IP address ranges from the same
console. Only one of multiple overlapping IP address ranges gets mapped to the IP
address block. IPAM allows you to map any unmapped overlapping range to the
corresponding IP address block using the Map to Block action. The currently mapped
range will be unmapped as a result of this action.
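The mapping rule just described, worked through as an added PowerShell example (this is example code written for this edit, not code from the guide or from the IPAM product): an address maps to a range only when its Managed By Service and Service Instance values match the range's and the address lies between the range's start and end address. The ranges, server names and the "VMM" service name are constructed sample data.

```powershell
# Added example: address-to-range mapping using the two key fields.
# Sample ranges, addresses and service/server names below are constructed.

function Get-AddressKey {
    # Returns the address family plus the network-order bytes as fixed-width hex,
    # so addresses of the same family can be ordered with an ordinal string compare.
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    [pscustomobject]@{
        Family = $ip.AddressFamily
        Hex    = -join ($ip.GetAddressBytes() | ForEach-Object { $_.ToString('x2') })
    }
}

function Resolve-AddressRange {
    # Returns the range a single address maps to, or $null when it stays unmapped.
    param(
        [Parameter(Mandatory)][pscustomobject]$Address,   # IPAddress, ManagedByService, ServiceInstance
        [Parameter(Mandatory)][pscustomobject[]]$Ranges   # StartAddress, EndAddress, ManagedByService, ServiceInstance
    )
    $a = Get-AddressKey $Address.IPAddress
    foreach ($r in $Ranges) {
        # Both key fields must match before the start/end test is applied; this is what
        # keeps duplicate addresses from different service instances apart.
        if ($r.ManagedByService -ne $Address.ManagedByService) { continue }
        if ($r.ServiceInstance  -ne $Address.ServiceInstance)  { continue }
        $s = Get-AddressKey $r.StartAddress
        $e = Get-AddressKey $r.EndAddress
        if ($a.Family -ne $s.Family -or $a.Family -ne $e.Family) { continue }   # never compare IPv4 with IPv6
        if ([string]::CompareOrdinal($a.Hex, $s.Hex) -ge 0 -and
            [string]::CompareOrdinal($a.Hex, $e.Hex) -le 0) { return $r }
    }
    return $null
}

# Constructed inventory: two DHCP servers hand out the same private subnet (a duplicate
# range kept apart by Service Instance), plus one IPv6 range from a VM manager.
$ranges = @(
    [pscustomobject]@{ StartAddress = '10.0.1.1';      EndAddress = '10.0.1.254';      ManagedByService = 'MS DHCP'; ServiceInstance = 'dhcp1.corp.example' }
    [pscustomobject]@{ StartAddress = '10.0.1.1';      EndAddress = '10.0.1.254';      ManagedByService = 'MS DHCP'; ServiceInstance = 'dhcp2.corp.example' }
    [pscustomobject]@{ StartAddress = '2001:db8:1::1'; EndAddress = '2001:db8:1::ffff'; ManagedByService = 'VMM';     ServiceInstance = 'vmm01.corp.example' }
)
$addresses = @(
    [pscustomobject]@{ IPAddress = '10.0.1.25';      ManagedByService = 'MS DHCP'; ServiceInstance = 'dhcp1.corp.example' }
    [pscustomobject]@{ IPAddress = '10.0.1.25';      ManagedByService = 'MS DHCP'; ServiceInstance = 'dhcp2.corp.example' }
    [pscustomobject]@{ IPAddress = '10.0.1.25';      ManagedByService = 'VMM';     ServiceInstance = 'vmm01.corp.example' }   # no VMM range holds it: unmapped
    [pscustomobject]@{ IPAddress = '2001:db8:1::10'; ManagedByService = 'VMM';     ServiceInstance = 'vmm01.corp.example' }
)

foreach ($addr in $addresses) {
    $match  = Resolve-AddressRange -Address $addr -Ranges $ranges
    $target = if ($match) { "$($match.StartAddress) - $($match.EndAddress) ($($match.ServiceInstance))" } else { 'unmapped' }
    '{0,-16} {1,-8} {2,-20} -> {3}' -f $addr.IPAddress, $addr.ManagedByService, $addr.ServiceInstance, $target
}
```

The two 10.0.1.25 entries under different DHCP servers each resolve to their own range, while the same address tagged with the VMM service stays unmapped because no range with that key pair contains it.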
[Figure: entity types for which logical groups can be defined: IP Address, IP Address Range, Server]
You can use custom field tagging for multi-valued custom fields for defining logical groups.
Logical groups enable you to visualize IP address ranges in a real-life business perspective
rather than a conventional hierarchy of IP subnets. You can customize these logical groups
and they can be hierarchical. Logical groups are defined by selecting the grouping criteria
from built-in or user-defined custom fields. IPAM supports multi-level hierarchy when
defining a logical group for IP address ranges. Similar custom logical groups can be created to
group IP addresses and managed servers. Entities that do not map to the first level criteria
defined for the logical group are displayed under the unmapped space in the group.
IPAM also rolls up utilization statistics and trends at the logical group level for IP address
ranges. Logical groups defined for IP address ranges are known as IP range groups. IPAM
supports simultaneous creation of multiple IP range groups based on different criteria. By
default, IPAM creates the built-in IP range group called Managed By, which groups IP
address range by the two-tier hierarchy of Managed by Service field followed by Service
Instance field. Built-in logical groups cannot be deleted, but the grouping criteria can be
edited.
IPAM supports only one logical group for IP addresses, known as IP address inventory, which
is created by default. This built-in logical group organizes IP addresses by a single-level
hierarchy on the device type field. Built-in logical groups cannot be deleted, but the grouping
criteria can be edited.
Utilization Monitoring
Utilization data maintained for IP address ranges, IP address blocks and IP range groups
within IPAM
User-configurable thresholds for the percentage utilized field, used to mark entities as over-utilized (above the configured threshold), under-utilized (below the configured threshold)
and optimally utilized (between the over- and under-utilization thresholds).
Visualization of utilization state of IP address range, IP address block and IP range group
from the console:
Over - Percentage utilized falls above the configured over-utilized threshold
Optimal - Percentage utilized falls between the configured over-utilized and under-utilized thresholds
Utilization threshold crossing events are logged by IPAM whenever an IP address range
changes its utilization state.
Utilization trend building and reporting for IPv4 address ranges, IPv4 address blocks and
IPv4 range groups.
Capability to zoom in and out of the utilization trend window. You can select from the
standard trend periods of 1 day, 7 days, 1 month, 3 months, 6 months, 1 year, 2 years and 5
years; a custom start and end date for viewing the utilization trend is also supported.
Auto-discovery of dynamic IP address ranges and utilization data from DHCP scopes
configured on the managed Microsoft DHCP servers.
User defined - Configured by the user, agnostic of the IP addresses that map or do not map to the IP range.
Assigned addresses - The number of addresses between the start IP address and end IP
address of the block
Two additional utilization counters are supported for dynamic IPv6 address ranges
discovered from Microsoft DHCP servers. Together these counters add up to the total
number of utilized addresses for this range:
Utilization trend for an IPv4 address range is plotted for the following line graphs:
Percentage utilized
Total addresses - The number of addresses between the start IP address and end IP
address of the block
Utilization trend for an IPv4 address block is plotted for the following line graphs:
Percentage assigned
Percentage utilized
Utilization trend for an IPv4 range group is plotted for the following line graphs:
Percentage utilized
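The threshold logic of the utilization monitoring section, worked through as an added PowerShell example (example code written for this edit, not code from the guide or from IPAM itself). It derives percentage utilized from utilized and total addresses, classifies each sample as Over, Under or Optimal against a pair of thresholds, and emits a record only where the state changes, which is the condition the guide gives for a threshold-crossing event. The threshold defaults and the daily samples are constructed; in IPAM the thresholds are configured in the console.

```powershell
# Added example: utilization state classification and threshold-crossing detection.
# Threshold defaults and sample data are constructed for illustration.

function Get-UtilizationState {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 100)][double]$PercentUtilized,
        [ValidateRange(0, 100)][double]$OverThreshold  = 80,
        [ValidateRange(0, 100)][double]$UnderThreshold = 20
    )
    if ($UnderThreshold -ge $OverThreshold) {
        throw "UnderThreshold ($UnderThreshold) must be below OverThreshold ($OverThreshold)."
    }
    if ($PercentUtilized -gt $OverThreshold)  { return 'Over' }    # above the over-utilized threshold
    if ($PercentUtilized -lt $UnderThreshold) { return 'Under' }   # below the under-utilized threshold
    return 'Optimal'                                                # between the two thresholds
}

function Get-PercentUtilized {
    # Percentage utilized for a range: utilized addresses over the total addresses
    # between the start and end address of the range.
    param(
        [Parameter(Mandatory)][long]$UtilizedAddresses,
        [Parameter(Mandatory)][long]$TotalAddresses
    )
    if ($TotalAddresses -le 0) { throw 'TotalAddresses must be positive.' }
    return [math]::Round(100.0 * $UtilizedAddresses / $TotalAddresses, 1)
}

function Get-ThresholdCrossingEvents {
    # Walks the samples in time order and returns one record per utilization state change.
    param(
        [Parameter(Mandatory)][string]$RangeName,
        [Parameter(Mandatory)][object[]]$Samples,     # objects with Time and UtilizedAddresses
        [Parameter(Mandatory)][long]$TotalAddresses,
        [double]$OverThreshold  = 80,
        [double]$UnderThreshold = 20
    )
    $previous = $null
    foreach ($sample in ($Samples | Sort-Object Time)) {
        $pct   = Get-PercentUtilized -UtilizedAddresses $sample.UtilizedAddresses -TotalAddresses $TotalAddresses
        $state = Get-UtilizationState -PercentUtilized $pct -OverThreshold $OverThreshold -UnderThreshold $UnderThreshold
        if ($null -ne $previous -and $state -ne $previous) {
            [pscustomobject]@{
                Time            = $sample.Time
                Range           = $RangeName
                PercentUtilized = $pct
                Transition      = "$previous -> $state"
            }
        }
        $previous = $state
    }
}

# Constructed daily samples for a /24 DHCP scope with 254 addresses between start and end.
$samples = @(
    [pscustomobject]@{ Time = [datetime]'2012-03-01'; UtilizedAddresses = 30  }   # 11.8 % -> Under
    [pscustomobject]@{ Time = [datetime]'2012-03-02'; UtilizedAddresses = 120 }   # 47.2 % -> Optimal (event)
    [pscustomobject]@{ Time = [datetime]'2012-03-03'; UtilizedAddresses = 210 }   # 82.7 % -> Over (event)
    [pscustomobject]@{ Time = [datetime]'2012-03-04'; UtilizedAddresses = 240 }   # 94.5 % -> Over (no event)
    [pscustomobject]@{ Time = [datetime]'2012-03-05'; UtilizedAddresses = 190 }   # 74.8 % -> Optimal (event)
)
Get-ThresholdCrossingEvents -RangeName '10.0.1.1 - 10.0.1.254' -Samples $samples -TotalAddresses 254 |
    Format-Table -AutoSize
```

Only the three transitions produce records; a sample that stays in the same state as the previous one is not an event, which matches the guide's statement that events are logged when the range changes its utilization state.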
Multiple consoles/views for organizing and visualizing address space to facilitate address
space monitoring, reporting and utilization data roll up.
Support for identifying and managing overlapping address spaces from a single console.
Overlaps and duplicates are identified and displayed in the UI.
IPAM allows you to uniquely identify IP address ranges and IP addresses using the
Managed By Service and Service Instance fields that augment the key fields for these
entities. For example, all ranges discovered from managed DHCP servers are marked to be
Managed By Service set as MS DHCP and Service Instance set as the name of the DHCP
server.
Plan and allocate address space by carving out multi-level hierarchy of IP address blocks.
Visualize rolled up utilization trends and statistics for IP address blocks
Arrange address space into multi-level hierarchy of real-world custom group view.
Visualize rolled up utilization trends and statistics for group nodes.
Support for detecting and visualizing stateless IPv6 address utilization information
Detect and manage conflicts, overlaps, duplicates in address space across systems. Map
desired overlapping IP address range to the IP address block.
Use an intuitive interface for import of addresses, ranges and blocks from spreadsheets and
databases.
Find and allocate an available IP address from a dynamic or static IP address range:
IP address blocks allow easy auto-discovery of DHCP scope and utilization
information from managed MS DHCP servers and visualizing them as IP address
ranges
For Microsoft DHCP ranges, IPAM queries the corresponding DHCP server in real time
to find an available IP address. The logged-in user must have at least DHCP Users
privileges on the DHCP server to complete this action. If the IP address found
is already reserved/allocated in the IPAM database, IPAM discards it and goes on to
find another available IP address.
For any other range, IPAM queries the local IPAM database to find an available IP
address.
Further validation of a free IP address using ping (expecting no reply) and DNS lookup (expecting
no record found). Anomalies to the expected result are called out so that appropriate action
can be taken to synchronize the IPAM IP address inventory with the DNS records and
servers active on the network.
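A client-side approximation of those two checks, added here as an example (it is not the guide's or IPAM's own code): it pings the candidate address and performs a reverse DNS lookup, and reports any reply or record as an anomaly to reconcile against the inventory. It relies on the Test-Connection and Resolve-DnsName cmdlets; the candidate address and the DNS server name in the usage line are constructed placeholders.

```powershell
# Added example: check that a candidate address really looks free.
# Expected result for a free address: no ping reply and no PTR record.

function Test-CandidateAddress {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [string]$DnsServer      # optional: query this server instead of the client's configured resolvers
    )
    $anomalies = @()

    # Check 1: a free address should not answer an ICMP echo request.
    $replied = Test-Connection -ComputerName $IPAddress -Count 2 -Quiet -ErrorAction SilentlyContinue
    if ($replied) {
        $anomalies += 'Ping reply received: the address is in use on the network.'
    }

    # Check 2: no PTR record should exist for the address. -DnsOnly bypasses the local cache
    # and hosts file so a stale entry on this machine cannot mask the server's answer.
    $query = @{ Name = $IPAddress; Type = 'PTR'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $query.Server = $DnsServer }
    $ptr = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'PTR' })
    if ($ptr.Count -gt 0) {
        $names = ($ptr | ForEach-Object { $_.NameHost }) -join ', '
        $anomalies += "PTR record present ($names): DNS still references this address."
    }

    [pscustomobject]@{
        IPAddress   = $IPAddress
        PingReplied = [bool]$replied
        PtrRecords  = $ptr.Count
        LooksFree   = ($anomalies.Count -eq 0)
        Anomalies   = $anomalies
    }
}

# Usage with constructed placeholder values:
Test-CandidateAddress -IPAddress '10.0.1.77' -DnsServer 'dns1.corp.example' | Format-List
```

A ping reply from a host that the inventory lists as free points at an address assigned outside IPAM, while a PTR record without a live host points at a stale DNS record; either way the record, not the check, is what needs fixing.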
Allocate the free IP Address and maintain its state as active/inactive/reserved or any other
custom state value. Tag the assignment type of IP address as static/dynamic/VIP/auto.
Assign and track IP address lifetime by assigning an expiry date to the IP address. By
default, the expiry date is not set and the address is assumed to be valid indefinitely.
Visualize addresses as not expired, expiry due, expired based on the configured expiry
date for the address and the system-wide configurable threshold for expiry log settings.
The IP address transitions to expiry due state x days before the configured expiry date,
where x is the expiry alert threshold.
Receive alerts when the expiry status of an address changes. A configurable setting controls
whether expiry alerts are raised periodically or only on state changes.
Manage all DHCP reservations from a central console. Create/delete DHCP reservations for
IP addresses.
Manage all DNS records from a central console. Create/delete DNS A/AAAA records for IP
addresses. Create/delete DNS PTR records for IP addresses.
Build upon the import and update functionality of IPAM to populate the IP Address inventory
view using IPAM Windows PowerShell:
Periodically import and update the IP address inventory from third party systems
like SCVMM or other virtual address management systems
Periodically import and update the IP address inventory from DHCP reservations
on Microsoft DHCP or third party DHCP servers
Periodically import and update the IP address inventory from DNS records on
Microsoft DNS or third party DNS servers
Reclaim IP addresses from selected IP address ranges using the reclaim wizard
Regular import operation for IP addresses, IP address ranges and IP address blocks -
new records are added and existing records are edited during this operation. This
Windows PowerShell cmdlet imports IP address range objects from the specified csv
file into the IPAM server. IPAM does not support import of IP address ranges whose
Managed By Service value is MS DHCP, since this is reserved for DHCP scopes
automatically discovered by IPAM from the managed Microsoft DHCP servers.
Import and update operation for IP addresses belonging to the specified IP range -
Along with adding new addresses and editing existing addresses as in the case of
regular IP address import, this operation deletes those addresses from IPAM which
map to the specified IP address range, but are not present in the csv being imported. A
typical scenario for this operation can be to periodically import and synchronize DHCP
lease or DNS record information from servers into IPAM.
Import and update operation for IP address ranges belonging to the specified Managed
By Service and Service Instance values - Along with adding new ranges and editing
existing ranges as in the case of regular IP address range import, this operation deletes
those ranges from IPAM which have the same value of Managed By Service and
Service Instance fields but are not present in the csv being imported. IPAM provides
you the option of deleting the IP addresses mapping to the IP address ranges that are
deleted during this import operation. A typical scenario for this operation can be to
periodically import and synchronize IP pool or DHCP scope information from systems
like SCVMM and third party DHCP servers.
The UI import-export supports localized format while the Windows PowerShell import-export supports fixed English format for the csv field names and values. Interoperability
between both formats is supported. The general rules for the Windows PowerShell import-export fixed schema are as follows:
1. Field names will be the same as English localized resource names of the corresponding
entries in IPAM. However, blank spaces in the field name will be omitted to comply with
the Windows PowerShell object header name convention. IP address import in fixed format
is identified by the presence of the mandatory field IPAddress in the csv file. Similarly, IP
address range import in fixed format is identified by the presence of the mandatory field
NetworkId in the csv file. The corresponding field names for localized English schema
import are IPAddress and Network respectively.
2. Enum value names will be the same as the English localized resource names of the corresponding
values in IPAM. Enum value in this context refers to built-in custom field values and built-in
enumeration field values such as utilization, expiry status, etc. Fixed format names for
values of the built-in custom field Country are not supported, and the input-output for this field
will always be localized.
IPAM generates an error csv file with details about records that failed to import along with
the reason for failure. By default, this error file is generated in the Documents folder of the
user's profile.
The AddressFamily parameter specifies if the csv contains IPv4 or IPv6 records. Only one
address family can be specified at a time with this cmdlet, and the records in the csv should
match the specified AddressFamily. The Path parameter is used to specify the csv file
containing IP address range objects that need to be imported. The Force switch can be used
with the cmdlet to suppress the default confirmation text. The ErrorPath parameter
specifies the literal path (and not name) of the error csv file which will be created if one or
more records fail to import. The file name is generated automatically by IPAM for the error
csv file. The default value of ErrorPath is the Documents folder of the user.
The cmdlet supports two parameter sets. The default invocation of the cmdlet adds new IP
address range objects from the csv into IPAM and edits the existing address ranges with
updated information specified in the csv. The second parameter set can be used to
periodically import and update all IP address range objects that belong to the specified
unique combination of ManagedByService and ServiceInstance parameters. This
parameter set provides the option of deleting the IP addresses mapping to the IP address
ranges that are deleted during import by using the DeleteMappedAddresses switch.
Import and update of IP address ranges for the specified ManagedByService and
ServiceInstance will succeed if these values are present in IPAM at the time of import. The
parameters AddManagedByService and AddServiceInstance can be used to create the
specified ManagedByService and ServiceInstance values within IPAM at run time before
the import operation, if not already present in IPAM.
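The following Windows PowerShell session is an added example, not code from this guide: it exports the current IPv4 ranges to obtain the fixed-schema header, then imports a constructed csv using both parameter sets described above. The cmdlet Import-IpamRange and its parameter names are those named in the text (Export-IpamRange is the matching export cmdlet of the same module); the csv column names other than NetworkId, the MS DHCP service name and the server instance value are assumptions to be checked against the exported header on your own server.

```powershell
# Added example, not from the guide. Run in an elevated session where the IPAM
# Windows PowerShell module is available (IPAM server, or a client with the IPAM client feature).
$exportPath = Join-Path $env:TEMP 'ipam-ranges-export.csv'
$csvPath    = Join-Path $env:TEMP 'ipam-ranges-ipv4.csv'
$errorPath  = Join-Path $env:USERPROFILE 'Documents'   # the cmdlet's default ErrorPath

# 1. Export existing IPv4 ranges to see the exact fixed-schema column names IPAM expects
#    (English resource names with blanks removed; NetworkId is the mandatory field).
Export-IpamRange -AddressFamily IPv4 -Path $exportPath -Force
Get-Content -Path $exportPath -TotalCount 1      # header line only

# 2. Constructed sample csv. Only NetworkId is documented on this page; the remaining column
#    names and the service/instance values are assumptions and must match the exported header.
@'
NetworkId,StartIPAddress,EndIPAddress,ManagedByService,ServiceInstance
10.10.1.0/24,10.10.1.1,10.10.1.254,MS DHCP,dhcp1.example.com
10.10.2.0/24,10.10.2.1,10.10.2.254,MS DHCP,dhcp1.example.com
'@ | Set-Content -Path $csvPath -Encoding UTF8

# 3a. Default parameter set: add new ranges, update ranges that already exist in IPAM.
Import-IpamRange -AddressFamily IPv4 -Path $csvPath -ErrorPath $errorPath -Force

# 3b. Second parameter set: the csv is the complete range list for one
#     ManagedByService/ServiceInstance pair. Ranges absent from the csv are removed and,
#     because DeleteMappedAddresses is set, so are the IP addresses mapped to them.
#     AddManagedByService/AddServiceInstance create the pair in IPAM first if it is missing.
Import-IpamRange -AddressFamily IPv4 -Path $csvPath -ErrorPath $errorPath -Force `
    -ManagedByService 'MS DHCP' -ServiceInstance 'dhcp1.example.com' `
    -AddManagedByService -AddServiceInstance -DeleteMappedAddresses

# 4. If any record failed, IPAM wrote an error csv (file name generated by IPAM) under
#    $errorPath; read the failure reason for each rejected record before re-running.
Get-ChildItem -Path $errorPath -Filter '*.csv' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 | Get-Content
```

Step 3b is destructive for the named service instance: run it against a test instance first, and keep the export from step 1 so that the previous range list can be re-imported.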
tasks uniformly across servers reduces both the effort involved as well as the probability of
error. Administrators can use the IPAM multi server management (MSM) view to easily edit
and configure key properties of multiple DHCP servers across the organization,
simultaneously. This functionality does not require installation of additional agents or
software on the target servers.
IPAM uses DHCP and DNS RPC for monitoring and management functionality. The logged in
user must have appropriate administrative privileges on the target server in order to perform
any configuration change on the target server using IPAM UI or by launching the MMC from
IPAM. The data collection and monitoring functions do not require any special privileges on
the target server for the logged in user.
Edit DHCP Server Properties - This allows setting a number of server properties of the
DHCP server
Edit DHCP Server Options - Allows addition, deletion or editing of options at the
servers level. Action can be performed on multiple DHCP servers simultaneously to
update multiple options across servers.
Create DHCP scope - Create a scope on a DHCP server, and set numerous scope
properties.
Configure predefined options and values - Create predefined options and set option
values. Select one or more servers and launch the action to configure predefined options
on multiple servers simultaneously
Configure User Class - Multi-select servers and launch the action to configure user
classes on multiple servers simultaneously.
Create and edit new and existing user classes - Multi-select servers and launch the
action to configure user classes on multiple servers simultaneously.
Configure Vendor Class - Multi-select servers and launch the action to configure vendor
classes on multiple servers simultaneously.
Launch MMC - Launch the MMC for the selected DHCP server
Retrieve server data - Multi-select servers and launch the action to retrieve server
data from the selected set of servers.
Launch MMC - Launch the MMC for the selected DNS server
Retrieve server data - Multi-select servers and launch the action to retrieve server
data from the selected set of servers.
Multi-Entity Management
A primary benefit of IPAM functionality is its ability to simultaneously manage multiple DHCP
servers or DHCP scopes spread across one or more DHCP servers. This significantly reduces
the administrative effort needed by eliminating repetitive steps and reducing the possibility
of error during these operations. Some of the advanced multi-edit constructs are explained
below:
Edit DHCP server properties like DNS update settings and DNS credentials on multiple
DHCP servers simultaneously
Edit DHCP scope properties such as DNS updates, lease duration, and advanced
properties on multiple DHCP scopes spread across multiple DHCP servers
simultaneously
Server Monitoring
The IPAM monitoring view provides the ability to view from a single console the status and
health of selected sets of Microsoft DNS and DHCP servers. The monitoring view of IPAM
displays the basic health of servers along with recent configuration events that occurred on
these servers. The monitoring view also provides the ability to organize the managed servers
into logical server groups.
Note:
The custom field tagging can only be done for DHCP servers from the Monitor and Manage
console by invoking the Edit DHCP Server Properties dialog. Both DHCP and DNS servers
can be configured with custom field values from the Server Inventory view using Edit
Server dialog.
Basic configuration settings are displayed in the view and in the preview panes in the server
monitoring view. For DHCP servers, the server view enables tracking of various server
settings, server options, number of scopes, and number of active leases, that are configured
on the server. For DNS servers, the view enables tracking of all zones configured on the
server along with details of the zone type. The view also allows you to see the total number of
zones configured on the server, as well as overall zone health status as derived from the zone
status of individual zones on the server.
IPAM also facilitates periodic service monitoring of DHCP and DNS service status from a
central console. The service status is appropriately displayed as Running, Stopped, or
Paused for each managed server in the DHCP and DNS Servers view.
If the server role is running and IPAM still shows the availability state as Not Reachable,
ensure that the IPAM machine SID (or the IPAMUG SID for GPO provisioning) is added to the
service ACL.
IPAM displays a list of all forward lookup zones that are hosted by managed DNS
servers with their overall status based on status from all the servers hosting that
zone, as well as duration that the zone has been in that state. The zone status for
all servers is shown as OK if the zone is being serviced by each of the
Authoritative servers. The zone status for all servers is shown as Warning, if
one or more authoritative servers is not servicing the zone. The zone status for
all servers of the zone is shown as Error if none of the authoritative servers are
servicing the zone. An authoritative server is considered to be servicing the zone
if the zone status of the zone on that server and the server availability state of
the server are not in red state.
IPAM also displays a list of all authoritative servers for that zone in the preview
pane along with the zone type and zone health status information.
IPv4 Reverse Lookup node - IPAM enables the user to visualize all IPv4 reverse lookup
zones configured on the managed DNS server. A list of all authoritative servers hosting
the selected reverse lookup zone is presented in the preview pane.
IPv6 Reverse Lookup node - IPAM enables the user to visualize all IPv6 reverse lookup
zones configured on the managed DNS server. A list of all authoritative servers hosting
the selected reverse lookup zone is presented in the preview pane.
Note:
IPAM does not support reverse lookup zone health monitoring.
Event Catalog
In a distributed network with multiple DHCP servers, the task of monitoring configuration
changes across the infrastructure can be challenging. Individual servers log configuration
events in their log channel which roll over periodically and are difficult to query and track
centrally.
IPAM event catalog provides a centralized repository to audit all configuration changes
performed on DHCP servers managed from a single IPAM management console. Another
console in event catalog gathers all of the configuration events from the IPAM configuration
event channel.
These configuration event catalogs provide the ability to view, query and generate reports of
the consolidated configuration changes, along with details specific to each record. IPAM audit
tools enable monitoring for any potential misconfiguration of the IP infrastructure by
leveraging network audit logs for tracking and reporting of any administrative actions
required. The advanced query and filtering support from IPAM enables tracking of Service
Level Agreements (SLAs) based on time, administrator identity, server name and additional
detail from a single console.
The IP address management audit specifically provides for:
Periodic and on-demand configuration event data collection from DHCP and IPAM
servers.
Event ID
Time of event
In addition to the event parameters listed above, IPAM provides advanced query
constructs within the event Description field for filtering DHCP configuration events
such as scope id, scope name, option id, option name, and reservation address.
Event ID
Time of event
In addition to the event parameters listed above, IPAM provides advanced query
constructs within the event Description field for filtering IPAM configuration events
such as network id, IP address, group name, and custom field name.
Data purge facility for event catalog database tables to clean up disk space (after backup
if intended). You can select the time window before which data must be purged and the
data type (IPAM configuration, DHCP configuration, IP address tracking). It is advisable
to schedule the data purge operation in the night or at the time when IPAM activity is
low.
IP Address Tracking
In certain network forensics scenarios, it is useful to establish a trail of the computers or
devices used by a user within a specific time. In an environment where IP addresses are
dynamically assigned using DHCP, the IP addresses assigned to devices on a network are
temporary and can change over time. IP addresses do not necessarily uniquely identify a
computer or device. A host name assigned to a computer or device can also change, and
cannot be relied upon for unique device or computer identification. Establishing a
comprehensive record or trail of the computers or devices used by a user within a specific
period, complete with IP address, host name, and MAC (Media Access Control)/DUID (DHCP
Unique Identifier) address of a computer or device may be difficult or impossible if based
solely on IP lease events.
A DC or NPS server logs events for user and machine authentication, which also identify the
IP address from which an authentication request was received. An intelligent audit system
that collects and maintains a historical trail of IP address lease events from the DHCP server
and authentication events from DC and NPS servers can help administrators to track and
associate IP addresses with the users and devices in their environment.
The IP address tracking feature of IPAM enables you to select a search criterion, such as IP
address, client ID (MAC/DUID), host name or user name, and specify a query time interval in
terms of start and end date and time. IPAM intelligently correlates results from the repository
of DHCP leases and DC/NPS logon events based on advanced algorithms to provide the
results. This enables you to search events for a given time frame and obtain results mapping a
user account to particular devices identified by the IP address, MAC address, and/or host
name.
The IP address tracking feature collects the following events to build the search database:
DHCP lease events: new lease, renew lease and lease expiry events from the DHCP audit
log of the managed DHCP servers
Windows security event ID 4768- Kerberos authentication ticket (TGT) was requested
from domain controllers
Windows security event ID 672 - An authentication service (AS) ticket was successfully
issued and validated from NPS servers
The IP address tracking feature enables two query modes over the specified time:
Exclude co-related logon and lease events - All direct matches to the search criteria
between the specified search start time and end time from the DHCP lease logs collected
in the IPAM database are returned. This mode is supported for all search pivots except
User Name.
Include co-related logon and lease events - All co-related lease and logon events found by
IPAM's correlation processing are returned, along with the direct matches on the specified
search criteria. This mode is supported for all searches.
The events displayed in the query result are +/- 5 minutes from the search period specified.
This is done to accommodate server time lags or discrepancies between IPAM and
managed servers. The timestamp of events collected from managed DHCP, DC and NPS
servers is stored in UTC in the IPAM database. The timestamp on the events mined as the
result of the search operation is displayed in the context of the time and time zone
configured on the IPAM client.
The advanced co-relation logic used by IPAM is comprised of three main steps briefly
explained below:
Step 1: Finding all DHCP lease events based on direct match
For user name based search, IPAM finds the co-related host names based on logon events and
then uses the host name to determine the valid DHCP lease events to be used for further correlation.
Step 2: Deriving DHCP lease chunks for the specified search interval
Using the various new lease, release, and/or expire lease events determined for the specific
IP address, different distinct lease period start and end values can be ascertained. Such
different lease periods are referred to as lease chunks. Each ascertained lease chunk will
have an IP address, MAC address and host name associated with it, picked up from the DHCP
lease event logs.
Step 3: Obtain co-related events for each of the derived lease chunks
For each of the ascertained lease chunks, a query is then made of the authentication events
collected in the data store to find events that match common elements, which could be one or
more of the IP address, MAC address, or host name within the specified lease chunk. Using
multiple different common elements for the search returns additional correlated information.
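The three steps above, as an added example that is not part of the guide: a simplified reconstruction of lease-chunk derivation (Step 2) and correlation against logon events (Step 3) over constructed sample events. IPAM's data store schema is not described on this page, so the event object shapes, the property names and the sample values are assumptions; the +/- 5 minute tolerance is the one stated in the text.

```powershell
# Added example, not from the guide. Times are treated as UTC, as the guide says IPAM stores them.

# Step 1 output: DHCP lease events found by direct match on the searched IP address (constructed).
$leaseEvents = @(
    [pscustomobject]@{ Time = [datetime]'2012-03-01 08:00'; Type = 'New';    IP = '10.0.0.50'; MAC = '00-15-5D-01-02-03'; Host = 'LAPTOP1'  },
    [pscustomobject]@{ Time = [datetime]'2012-03-01 12:00'; Type = 'Renew';  IP = '10.0.0.50'; MAC = '00-15-5D-01-02-03'; Host = 'LAPTOP1'  },
    [pscustomobject]@{ Time = [datetime]'2012-03-01 17:00'; Type = 'Expire'; IP = '10.0.0.50'; MAC = '00-15-5D-01-02-03'; Host = 'LAPTOP1'  },
    [pscustomobject]@{ Time = [datetime]'2012-03-01 18:30'; Type = 'New';    IP = '10.0.0.50'; MAC = '00-15-5D-0A-0B-0C'; Host = 'DESKTOP7' }
)
# DC/NPS logon events (user, source IP, host name) collected for the same window (constructed).
$logonEvents = @(
    [pscustomobject]@{ Time = [datetime]'2012-03-01 09:15'; User = 'alice';   IP = '10.0.0.50'; Host = 'LAPTOP1'  },
    [pscustomobject]@{ Time = [datetime]'2012-03-01 17:30'; User = 'mallory'; IP = '10.0.0.50'; Host = 'UNKNOWN'  },
    [pscustomobject]@{ Time = [datetime]'2012-03-01 19:00'; User = 'bob';     IP = '10.0.0.50'; Host = 'DESKTOP7' }
)

# Step 2: derive lease chunks. A New event opens a chunk, Renew extends it,
# Release/Expire closes it; a chunk still open at the end runs to the search end time.
function Get-LeaseChunks {
    param([object[]]$Events, [datetime]$SearchEnd)
    $chunks  = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($e in ($Events | Sort-Object Time)) {
        switch ($e.Type) {
            'New' {
                if ($current) { [void]$chunks.Add($current) }
                $current = [pscustomobject]@{ IP = $e.IP; MAC = $e.MAC; Host = $e.Host; Start = $e.Time; End = $e.Time }
            }
            'Renew' { if ($current) { $current.End = $e.Time } }
            { $_ -in 'Release', 'Expire' } {
                if ($current) { $current.End = $e.Time; [void]$chunks.Add($current); $current = $null }
            }
        }
    }
    if ($current) { $current.End = $SearchEnd; [void]$chunks.Add($current) }
    return $chunks.ToArray()
}

# Step 3: for each chunk, pull logon events sharing a common element (IP address or host name
# here; MAC address as well where the logon source records it) whose time falls inside the
# chunk, widened by the +/- 5 minute tolerance for clock skew between IPAM and managed servers.
function Find-CorrelatedLogons {
    param([object[]]$Chunks, [object[]]$Logons, [timespan]$Skew = [timespan]::FromMinutes(5))
    foreach ($c in $Chunks) {
        foreach ($l in $Logons) {
            $common = ($l.IP -eq $c.IP) -or ($l.Host -eq $c.Host)
            if ($common -and $l.Time -ge ($c.Start - $Skew) -and $l.Time -le ($c.End + $Skew)) {
                [pscustomobject]@{ User = $l.User; IP = $c.IP; MAC = $c.MAC; Host = $c.Host
                                   LeaseStart = $c.Start; LeaseEnd = $c.End; LogonTime = $l.Time }
            }
        }
    }
}

$chunks = Get-LeaseChunks -Events $leaseEvents -SearchEnd ([datetime]'2012-03-01 23:59')
Find-CorrelatedLogons -Chunks $chunks -Logons $logonEvents | Format-Table -AutoSize
```

The constructed data deliberately includes a logon at 17:30, in the gap between the two leases of 10.0.0.50: it shares the IP address with both chunks but lies outside both time windows even after the skew allowance, so it is attributed to neither device. That is the reason the time boundaries of a chunk, and not the IP address alone, drive the attribution.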
Advanced UI features
Group navigation control - Divides the data into major functional areas followed by
entities/views. The lower navigation tree further arranges the entities into appropriate
pivots such as subnets or logical groups.
View switcher on management list - Toggle the view between associated entities, for
example Servers and Scopes or Address Range and Blocks.
Customize the default view - Add or remove columns of your choice in the default view
displayed. All built-in and user-defined basic and custom fields are available for selection in
the view.
Group by functionality - Select to group the view using the selected criteria.
Support for free format query on all fields - Start typing any value in the search pane to
return the matching string search results filtered from the displayed rows.
Advanced query/filtering support - Use multiple criteria to create advanced queries. Select
between advanced comparison constructs for each query criterion. Save the query along
with the customized view and reload it later.
Dedicated event catalog monitoring - Shown in the preview pane for the selected row of each
address space entity, server, scope and zone.
Limitations
The Windows Server "8" Beta IPAM implementation does not provide a global solution for
every possible management scenario. Notable limitations are listed below.
Supports only Microsoft DHCP, DNS, DC, and NPS servers running Windows Server 2008
and above
IPAM supports only domain joined DHCP, DNS and NPS servers.
The IPAM provisioning method cannot be modified after completion of the provisioning
wizard
The only management features supported for DNS are DNS A/AAAA and PTR record
creation and deletion.
DNS management features beyond creation and deletion of A/AAAA and PTR records are
not supported. You can launch the DNS MMC from within the IPAM console to initiate these
operations.
Automatic DHCP lease enumeration is not supported by the IPAM data collection tasks.
Automatic DNS record enumeration is not supported. You can enable this scenario by
building upon IPAM periodic address import features available from IPAM Windows
PowerShell cmdlets.
Technical Overview
IPAM Architecture
IPAM is comprised of two main modules, which are available as two Server Manager features:
IPAM Server This feature provides the IPAM backend, which implements periodic data
collection tasks to gather configuration and event information from managed servers. It
also manages the relational database hosted in the Windows Internal Database (WID)
and the Windows Communication Foundation (WCF) server endpoint, which enables
remote management of the IPAM server, provides the IPAM Windows PowerShell
module, and implements role based access control.
IPAM Client This feature includes the IPAM client UI component that interacts with the
IPAM server to perform remote management using the WCF. The IPAM client also
directly invokes the relevant Windows PowerShell interfaces to interact with DHCP
server for configuration tasks, with DNS server for record management, and with group
policy for security filter list synchronization.
The IPAM client UI communicates with the IPAM server to perform remote management. This
is done using the WCF with TCP as the transport. Specifically, the NetTcpBinding is used. See
WCFBinding-MSDN for more detail on the various bindings and their capabilities. The TCP
binding is performed on port 48885 on the IPAM server. This port number falls into the
Registered Ports range of IANA but is not currently assigned. The default port choice is not
made from the ephemeral port range, because this is server-side functionality: the socket is
listening for traffic at all times once the server feature is enabled.
When there is a port conflict or there is a need to reconfigure the server port, the port
number on the server can be configured. Prior to connecting to the IPAM server, the client UI
queries the configured server port by using a Windows PowerShell cmdlet provided by IPAM.
This leverages Windows PowerShell remoting. Windows PowerShell remoting is built on the
WinRM layer, which is enabled by default. The IPAM Windows PowerShell cmdlets
Get-IpamConfiguration and Set-IpamConfiguration can be leveraged to get and set the WCF
communication port respectively.
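As an added example, not from the guide, the session below reads the configured IPAM WCF port over Windows PowerShell remoting (the same path the IPAM client UI uses) and then confirms from the client side that a TCP listener answers on it. The server name is a placeholder; the Port property on the Get-IpamConfiguration output and the -Port parameter of Set-IpamConfiguration are assumed names, not taken from this page.

```powershell
# Added example, not from the guide. Run on a machine with the IPAM client and WinRM access
# to the IPAM server.
$ipamServer = 'ipam1.example.com'   # placeholder

# Ask the server for its configured WCF port over PowerShell remoting (WinRM).
$port = Invoke-Command -ComputerName $ipamServer -ScriptBlock { (Get-IpamConfiguration).Port }
"IPAM WCF port on $ipamServer is $port (default 48885)"

function Test-TcpListener {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; no WCF traffic is exchanged.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}
Test-TcpListener -ComputerName $ipamServer -Port $port

# On the IPAM server itself: confirm the listener is bound on that port.
# netstat -ano | Select-String ":$port\s"

# To move the port after a conflict, change it on the server and reconnect the client.
# Keep the new value outside the ephemeral range and allow it through the server firewall.
# Set-IpamConfiguration -Port 48886
```

A false result from Test-TcpListener with a running IPAM server usually means a host firewall rule or a port mismatch between what Get-IpamConfiguration reports and what the client is trying; check the firewall on the server before changing the port.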
The figure below illustrates high level IPAM architecture.
IPAM also allows you to specify the group policy objects to manage the DHCP/DNS/NPS/DC
server configuration for use with IPAM during setup. These group policy objects must be
created in advance for each server role (DHCP, DNS, DC/NPS). The security filtering lists for
these group policy objects will be updated when the servers are enabled or disabled for
management through the IPAM console.
The IPAM server communicates with all the managed DHCP servers to get the DHCP scope
utilization for both IPv4 and IPv6 (stateless as well as stateful), server configuration and
scope configuration using DHCP Windows PowerShell commands. The DHCP Windows
PowerShell commands use Microsoft Dynamic Host Configuration Protocol (DHCP) Server
Management Protocol Specification [MS-DHCPM] to communicate with the DHCP server.
The DHCP address lease information is available in an audit log file on the DHCP server. The
IPAM server retrieves the address audit text file (for both IPv4 as well as IPv6) using the SMB
protocol. This text file is parsed to get the address assignment information. The address audit
text file for IPv6 clients (stateful and stateless) is available only in Windows Server "8" Beta
DHCP servers. The DHCP server generates events for auditing the configuration changes. The
IPAM server reads the configuration changes from the DHCP server event log and EventLog
Remoting Protocol Version 6.0 Specification [MS-EVEN6] is used for reading these events.
The IPAM server also retrieves the service status of the DHCP/DNS servers using the Service
Control Manager Remote Protocol Specification [MS-SCMR] protocol.
The IPAM server communicates with DNS servers to get the server configuration and DNS
zone settings. The DNS Windows PowerShell commands use Domain Name Service (DNS)
Server Management Protocol Specification [MS-DNSP] to communicate with the DNS server.
The IPAM server communicates with DCs to get the logon events. Whenever a user
authenticates with DC, a logon event is generated and the IPAM server collects these events
for audit trail analysis. The remote event collection uses [MS-EVEN6]. In order to discover the
DHCP servers, the IPAM server reads the DHCP server list stored in the DHCPServers group
contained in the NetServices container
(CN=NetServices,CN=Services,CN=Configuration,DC=domain,DC=com) in AD. The IPAM
server reads the DHCPServers group using the LDAP protocol. LDAP is also used to query the
list of domains. This list of domains is used for discovering the DNS servers.
The IPAM server communicates with NPS server to get the authentication events. Whenever
NPS authenticates a user, it generates an authentication event. The IPAM server collects these
events for audit trail analysis. The remote event collection uses [MS-EVEN6].
The following table lists the different interactions between the IPAM system and other
servers.
Managed Role                          From IPAM component   Protocol                                  Comments
DHCP                                  IPAM Server           MS-DHCPM / MS-EVEN6 / MS-SMB / MS-SCMR
DHCP                                  IPAM Client           MS-DHCPM
DHCP address audit file (IPv4/IPv6)   IPAM Server           MS-SMB
DNS                                   IPAM Server           MS-DNSP / MS-EVEN6
DNS                                   IPAM Client           MS-DNSP
AD                                    IPAM Server           RFC2251 / MS-EVEN6
NPS                                   IPAM Server           MS-EVEN6
DC                                    IPAM Client           MS-GPOL
DC                                    IPAM Client           RFC2251 / LDAP
IPAM Server                           IPAM Client           MS-PSRP
Description
IPAM Users
IPAM Administrators
Note:
In order to perform the Find Available IP task of IPAM address space management on a
DHCP range, the user must additionally have DHCP Users privileges on the relevant DHCP
server. Only IPAM Administrators can perform the Purge Event Catalog Data task. IPAM IP
Audit Administrators do not have this privilege. IPAM MSM Administrators can edit IP
address range information for MS DHCP ranges in the IP Address Space console.
AddressUtilization - Collects IP address space usage data from DHCP servers for display
of current and historical utilization.
Audit - Collects DHCP and IPAM server operational events. Also collects events from
domain controllers, NPS, and DHCP servers for IP address tracking.
ServerAvailability - Collects service status information from DHCP and DNS servers.
All Windows tasks required for IPAM services need to present credentials to the managed
node for authentication before accessing protected data and logs from server roles. For
example, accessing event logs on the managed server nodes requires that the IPAM tasks
authenticate under the context of a member of the Event Log Reader security group on the
target node. All IPAM tasks launch under the Network Service account, which presents the
local computer's credentials to remote servers.
During installation, IPAM tasks are added with the following default frequency of execution,
which can be modified from the Task Scheduler from the path Task Scheduler Library ->
Microsoft -> Windows -> IPAM
Task Name             Frequency     For Duration
ServerDiscovery       1 Day         Indefinitely
AddressUtilization    2 Hours       Indefinitely
Audit                 1 Day         Indefinitely
ServerConfiguration   6 Hours       Indefinitely
ServerAvailability    15 Minutes    Indefinitely
ServiceMonitoring     30 Minutes    Indefinitely
AddressExpiry         1 Day         Indefinitely
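The check below is an added example and not code from the guide: it lists the IPAM scheduled tasks from the Task Scheduler path named above, with the account they run as, their repetition interval and their last result, which is the first thing to look at when an IPAM view is stale. The cmdlets are from the ScheduledTasks module shipped with the operating system; the task path is the one given in the text.

```powershell
# Added example, not from the guide. Run on the IPAM server in an elevated session.
function Get-IpamTaskStatus {
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = $_.TaskName
            State      = $_.State
            RunAs      = $_.Principal.UserId                                   # expected: NETWORK SERVICE
            Interval   = ($_.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','   # ISO 8601, e.g. PT2H
            LastRun    = $info.LastRunTime
            NextRun    = $info.NextRunTime
            LastResult = $info.LastTaskResult                                  # 0 = last run succeeded
        }
    }
}
Get-IpamTaskStatus | Format-Table -AutoSize

# Kick off one collection immediately instead of waiting for the next trigger,
# here the ServerAvailability task from the table above.
Start-ScheduledTask -TaskPath '\Microsoft\Windows\IPAM\' -TaskName 'ServerAvailability'
```

A task whose RunAs is not the Network Service account, or whose LastResult is non-zero, points at the access settings on the managed servers described under IPAM Provisioning rather than at the IPAM server itself.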
Apart from periodic data gathering IPAM also supports on-demand data refresh from all the
servers in its scope or only from a subset of servers in context of the selected entity for which
data retrieval has been triggered. IPAM further supports on demand data refresh for specific
functional areas such as address space or event catalog. The following on-demand data
retrieval actions are supported by IPAM:
Action Name | Type | Scope | Launch Point | Tasks
Start Discovery | NonContextual | | Manage Menu | ServerDiscovery
Retrieve All Server Data | NonContextual | | Manage Menu OR Tasks Menu in Server Inventory view |
Refresh Server Access Status | Contextual | Selected server(s) | Right click menu on (multi)selecting servers in the Server Inventory view |
Retrieve All Server Data | Contextual | Selected server(s) | Right click menu on (multi)selecting managed servers in the Server Inventory view |
Retrieve Address Space Data | NonContextual | | Tasks Menu in IP Address Space view | ServerConfiguration, AddressUtilization, AddressExpiry, Audit
Retrieve Address Space Data | Contextual | (Multi)Selected IPAM ranges (and associated DHCP servers) | Right click menu on (multi)selecting ranges in the IP Address Space view | ServerConfiguration, AddressUtilization, AddressExpiry, Audit
Retrieve Server Data | NonContextual | | Tasks Menu in Monitor and Manage view | ServerConfiguration, ServerAvailability, ServiceMonitoring, Audit
Retrieve Server Data | Contextual | (Multi)Selected servers (or servers associated with (multi) selected scopes or zones) | Right click menu on (multi)selecting servers, scopes or zones in the Monitor and Manage view | ServerConfiguration, ServerAvailability, ServiceMonitoring, Audit
Retrieve Audit Data | NonContextual | | Tasks Menu in Event Catalog view | Audit
IPAM does not support multi-forest topology. All domains in a single Active Directory forest
can be managed.
Hybrid: Central IPAM server deployed alongside dedicated IPAM servers per site
Note:
If required, you can leverage the IPAM Windows PowerShell based export-import
mechanism to periodically update IPAM range and address information between multiple
IPAM instances running across the enterprise.
You can choose to limit the IPAM scope, depending on the deployment. A single IPAM server
may be implemented to manage IP addressing for the entire enterprise. Alternately, an IPAM
server may be deployed at every geographical site in the enterprise, or in each child domain
in the AD forest. If multiple IPAM servers are used, you can limit the server discovery and
management scope of each to include only infrastructure servers managed by the individual
IPAM installations.
The IPAM server manages and monitors the DHCP and DNS servers within the site or child
domain, and collects the forensics information from DHCP, DC and NPS servers. IPAM
correlates and stores the collected information in the IPAM server's local database using
Windows Internal Database (WID).
Note:
You cannot install the IPAM server feature on an Active Directory domain controller.
Installing IPAM on a physical server with co-located DHCP server role is not
recommended. This negatively impacts the DHCP server discovery function of IPAM.
Installation UI/Wizard
In Server Manager, Dashboard, click Add roles and features.
Click through the Add roles and features wizard screens to select Role or Feature Based
Install and the target server. On the Select Features screen, select IP Address Management
(IPAM) Server. Click Add Features when prompted.
IPAM installation ensures that all IPAM dependencies are also installed at the time of
installation. IPAM Installation is not successful unless all the dependent modules are first
installed. Installation dependencies include the following:
Feature or Tool
Description
The IPAM dependency list dialog allows you to select the installation of IPAM client along
with installation of the IPAM server feature using the checkbox Include management tools
(if applicable). By default, IPAM client is pre-selected for installation along with IPAM
server.
After selecting Install in the wizard, installation progress is shown until the feature is
installed successfully.
Verifying Installation
When the Add Features wizard completes, it will display a message indicating that the
installation succeeded. IPAM server can now be managed using local or remote instance of
IPAM client UI.
Uninstalling/Disabling
The Windows Server "8" Beta IPAM feature integrates with the Server Manager console for
installation and uninstallation. The console eases the task of managing and securing multiple
server roles through the Remove Roles and Features Wizard. The IPAM uninstallation
process ensures that all IPAM dependencies are removed, and that all IPAM local security
groups and scheduled tasks are deleted. Uninstallation also ensures that the IPAM database is
detached from WID and all the database data and schema files are deleted.
In order for the IPAM client to connect to an IPAM server, you must ensure that the target
IPAM server is added to the Server Manager purview using the Add Servers wizard launched
from the Manage menu. If both IPAM client and IPAM server are running on the same server,
then by default the IPAM UI connects to the local IPAM server instance.
Note:
A domain user connecting to the IPAM server from a remote IPAM client must be a member
of the WinRMRemoteWMIUsers__ group on the IPAM server, in addition to being a
member of the appropriate IPAM security group. IPAM client is an integrated component
with the Server Manager RSAT. Server Manager RSAT is also available for download and
installation on a Windows 8 Consumer Preview client machine. The IPAM node will appear in
the Server Manager navigation tree by default on the Windows 8 Consumer Preview client
RSAT.
IPAM Provisioning
IPAM installation sets up various periodic data collection tasks to collect relevant data from
managed DNS, DHCP, DC and NPS servers to enable address space management, multi-server
management and monitoring and event catalog scenarios. All IPAM tasks launch under the
Network Service account, which presents the local computer's credentials to remote servers.
To accomplish this, administrators must enable read access and security permissions for the
required resources on managed servers for the IPAM server's computer account. Further,
the relevant firewall ports need to be configured on these managed servers.
Note:
The term IPAM scope in this context and throughout this document refers to the IP network
elements (DHCP/DNS/NPS/DC servers within the forest) which are discovered or added, and
activated for various IPAM services. In other words these are the Managed server roles
within IPAM.
Access Setting
FW Rule
Membership of DHCP
Users security group
Remote Service
Management (RPC)
Remote Service
Management (RPC-EPMAP)
DHCP
DNS
Role Type
Access Setting
FW Rule
Remote Service
Management (RPC)
Remote Service
Management (RPC-EPMAP)
Membership of Event Log
Readers security group
DC/NPS
IPAM (local
server)
N/A
Note:
For DNS servers co-located with a DC, the RPC read access can be enabled by adding the
IPAM machine account to the domain wide DNS ACL. This setting needs to be propagated
only once for the entire domain and not for every individual DNS server.
Note:
For access to local event logs on the IPAM server to enable the IPAM Configuration Events
cataloguing, the Network Service account is automatically added to the IPAM server's Event
Log Readers group at the time of IPAM installation and provisioning.
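As an added example that is not part of the guide, the script below verifies on a managed server that the access settings listed above are in place for the IPAM server's computer account: the DHCP Users and Event Log Readers group memberships, the Remote Service Management firewall rules, and the presence of the IPAM machine SID in the DHCP and DNS service ACLs. The account name is a placeholder; with GPO based provisioning the IPAMUG universal group, not the machine account, is what appears in the group memberships.

```powershell
# Added example, not from the guide. Run in an elevated session on the managed DHCP, DNS,
# DC or NPS server. Only the checks that apply to that server's role are meaningful.
$ipamAccount = 'EXAMPLE\IPAM1$'   # placeholder: the IPAM server's computer account

function Test-LocalGroupMember {
    param([string]$Group, [string]$Member)
    # 'net localgroup' prints members one per line; available on Windows Server 2008 and later.
    $lines = net localgroup $Group 2>$null
    return [bool]($lines | Where-Object { $_.Trim() -eq $Member })
}

# DHCP role: DHCP Users membership.  DC/NPS role: Event Log Readers membership.
"DHCP Users:        $(Test-LocalGroupMember -Group 'DHCP Users'        -Member $ipamAccount)"
"Event Log Readers: $(Test-LocalGroupMember -Group 'Event Log Readers' -Member $ipamAccount)"

# Firewall rules from the table: Remote Service Management (RPC) and (RPC-EPMAP) must be Enabled.
Get-NetFirewallRule -DisplayGroup 'Remote Service Management' |
    Select-Object DisplayName, Enabled, Profile, Direction

# Service ACLs: the IPAM machine SID must appear in the DHCP/DNS service security descriptor.
$ipamSid = (New-Object System.Security.Principal.NTAccount($ipamAccount)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
"IPAM machine SID: $ipamSid"
foreach ($svc in 'DHCPServer', 'DNS') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        $sddl = (sc.exe sdshow $svc) -join ''
        "$svc service ACL contains IPAM SID: $($sddl -like "*$ipamSid*")"
    }
}
```

The service ACL check is a plain substring match on the SDDL string; it tells you whether the SID is present, not which rights it was granted, so a positive result still needs a look at the ACE itself when access problems persist.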
DHCP
Role Type
DNS
DC/NPS
The following recommended actions are tracked by IPAM server inventory view related to access
settings:
Recommended Action
Scenario
Server manageability status is Managed
and overall IPAM access status is
Allowed
No action required
No action required
Note:
Action Required
The following access sub-statuses are not tracked by IPAM server inventory view in Windows
Server "8" Beta.
-
Additional Considerations
The IPAM server must collect DHCP lease events and DC/NPS logon events to enable IP
address tracking functionality. This section explains some of the deployment related details
to consider on the target DHCP, DC and NPS servers from which IPAM collects this
information.
The DHCP audit file is generated by default in the %windir%\system32\dhcp folder, but the path
can be changed by editing the IPv4 and IPv6 properties (Properties -> Advanced -> Audit log file
path setting). For IP address tracking to work, the IPv4 and IPv6 audit log file paths should both
be set to a common folder location. Ensure that the DHCP audit log file size is appropriately
configured to hold audit events for the entire day on the DHCP server.
Similarly, for DC and NPS servers, enable the required events for logging. The security log
settings determine enabling/disabling of these events. The relevant setting to enable logging
of these events is available under group policy (Computer Configuration -> Windows Settings
-> Security Settings -> Local Policies -> Audit Policy -> Audit Account Logon Events). For a
heavily loaded DC, ensure that the periodicity of IPAM AuditTask is less than the time
window in which the security logs on DC and NPS servers roll over.
Provisioning Methods
IPAM allows users to choose between manual and GPO based configuration of these access
settings on managed servers. Given the fair amount of administrative complexity in
configuring these settings, IPAM recommends using the GPO based mechanism to automatically
provision IPAM access settings. Using GPOs for IPAM access provisioning also enables
ongoing automatic maintenance of these settings and adjustments to the changing needs and
alterations made to the IPAM scope.
To append and not replace any custom setting on the DNS and DHCP service ACL
To append and not replace any custom setting on the DNS event log CustomSD registry entry
To ensure that the read access for the dhcpaudit share is enabled only for IPAM and not
for Everyone
To ensure that any localized string name for the DHCP Users group would be
automatically taken care of while adding the IPAM account
More Information:
For details of GPO settings created by IPAM, refer to the GPO settings detail section
of the Appendix to this guide:
GPO Based IPAM Provisioning - GPO Setting Details
Note:
The IPAM GPO based access provisioning is done by creating a universal group in the
domain and adding the IPAM machine account to this universal group. All the access
propagation by the GPO is done for the group and not for the specific IPAM machine
account.
The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies in the
specified domain for provisioning the required access to the server roles managed by IPAM.
The GpoPrefixName provided here should be the same as the prefix configured in the IPAM
provisioning wizard. The three GPOs are created with the suffix '_DHCP', '_DNS' and '_DC_NPS'
appended to the GpoPrefixName. These suffixes signify the three different types of access
settings that are propagated depending on the type of server role managed by IPAM.
For example, if the group policy name prefix is IPAMGPO, then the cmdlet will create the
following three GPOs in the specified domain.
IPAMGPO_DHCP
IPAMGPO_DNS
IPAMGPO_DC_NPS
The access settings propagated by these GPOs are required by the periodic IPAM data
collection tasks that run under the Network Service account. Access settings are propagated
for the IPAM server machine account, since that is the credential presented by Network
Service to access remote resources. By default, IPAM uses the IPAM server FQDN of the local
machine from where the cmdlet is run. If required, you can explicitly specify the FQDN name
of the IPAM server using the IpamServerFqdn parameter.
The cmdlet creates a universal group named IPAMUG in the specified domain (if not already
present), and adds the computer account of the specified IpamServerFqdn to it. Access setting
propagation by the IPAM GPOs is done for the universal group IPAMUG. The cmdlet also
modifies the domain wide DNS ACL to enable DNS RPC access for IPAM.
IPAM auto-detects the available DC in order to invoke the GPO related operations. The GPO
objects created by this cmdlet can be returned using the PassThru switch.
When a server role is marked as managed, IPAM automatically adds it to the appropriate
IPAM GPOs based on the active roles on that server.
When a server role is marked as inactive (unchecked) on a managed server, IPAM
automatically removes it from the appropriate IPAM GPO.
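The following is an added example, not code from the guide: it runs the provisioning cmdlet and then checks the two results the text describes (the three GPOs and the IPAMUG membership). The domain contoso.com, the prefix IPAMGPO and the server name ipam01.contoso.com are assumed values; -Domain is the cmdlet's domain parameter.

```powershell
# Added example (not from the guide). Run on the IPAM server with the GroupPolicy and
# ActiveDirectory modules available. All names below are assumed values.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'contoso.com'          # assumed domain
$Prefix   = 'IPAMGPO'              # must match the prefix entered in the IPAM provisioning wizard
$IpamFqdn = 'ipam01.contoso.com'   # assumed; defaults to the local machine's FQDN if omitted

# Creates and links <prefix>_DHCP, <prefix>_DNS and <prefix>_DC_NPS, creates the IPAMUG
# universal group holding the IPAM server computer account, and updates the domain wide DNS ACL.
$gpos = Invoke-IpamGpoProvisioning -Domain $Domain -GpoPrefixName $Prefix `
            -IpamServerFqdn $IpamFqdn -PassThru

# Check 1: all three GPOs exist in the domain under the expected names.
foreach ($suffix in '_DHCP', '_DNS', '_DC_NPS') {
    $name = "$Prefix$suffix"
    $gpo  = Get-GPO -Name $name -Domain $Domain -ErrorAction SilentlyContinue
    if ($null -eq $gpo) { Write-Warning "GPO $name was not created" }
    else { 'GPO {0} present (Id {1})' -f $name, $gpo.Id }
}

# Check 2: the IPAM server computer account is a member of IPAMUG. The GPOs grant access to
# the group, not to the machine account, so a missing membership leaves every managed
# server reporting a blocked access status.
$computer = Get-ADComputer -Identity ($IpamFqdn.Split('.')[0])
$members  = Get-ADGroupMember -Identity 'IPAMUG' -Recursive | Select-Object -ExpandProperty SID
if ($members -contains $computer.SID) {
    "$($computer.Name)`$ is a member of IPAMUG"
} else {
    Write-Warning "$($computer.Name)`$ is not in IPAMUG; the GPO access settings will not apply"
}
```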
Note:
IPAM considers GPO update failures during the server edit operation, whether due to the GPO not
existing, insufficient privileges, or any other issue, as non-blocking. In other words, the server edit
operation will continue irrespective of any failures encountered during the GPO update. A
detailed report of the failures will be presented, and can be used to manually edit the IPAM
GPOs. Newly discovered IPAM roles on managed servers (in the periodic server discovery cycle)
are marked as Managed. However, since the IPAM task does not have GPO editing privileges,
these roles will not be automatically added to the relevant IPAM GPO. You must add such
roles manually to the relevant IPAM GPO. A critical event is logged in IPAM administrative
Manual Provisioning
It is possible to bypass the wizard-based automated deployment and set a custom scope for
IPAM management. To deploy a limited pilot implementation of IPAM, you can manually add
administrators and server computer accounts to appropriate predefined AD security groups,
and configure firewall rules to allow communication to a set of manually selected and
configured network nodes.
More Information:
For details of enabling IPAM access settings on managed roles manually, refer to the
Manual IPAM Provisioning section of the Appendix to this guide:
Manual IPAM Provisioning - Configuring Access Settings
Note:
Remote IPAM servers must be added to the Server Manager purview using the Add Servers
dialog available in the Manage menu, before they are listed in the Connect dialog.
Note:
The logged in user must have Administrator privileges (running elevated) in order to
complete IPAM provisioning.
The IPAM provisioning wizard prompts you to select between manual and group policy based
provisioning methods. Once the provisioning wizard is complete, this setting cannot be
changed. For more information on IPAM provisioning methods refer to the corresponding
section in this guide.
If Manual deployment is selected, the IPAM wizard does not take any action to deploy
settings, and the administrator can consult the help files and IPAM deployment guide to
determine necessary settings to apply manually.
If Group Policy Based deployment is selected, supply the unique GPO prefix name for this
IPAM instance. The IPAM wizard does not take any action to actually create the group policies;
you use the IPAM Windows PowerShell cmdlet Invoke-IpamGpoProvisioning to
create them. The GPO prefix name selected in this step must be the same as the one
specified as the GpoPrefixName parameter of the GPO creation cmdlet.
Important:
The provisioning method selected is simply committed in the IPAM database in this step. The
IPAM provisioning wizard does not perform any corresponding action such as creating the
group policy objects or provisioning the servers.
Once the IPAM provisioning wizard successfully completes, the IPAM database and security
groups are in place. You can add the required users to the IPAM security groups based on
their roles. For more information on IPAM security groups, refer to the relevant section in
this guide.
Configure Discovery
Next, click Configure Server Discovery to launch the Configure Discovery settings wizard. Use
the discovery settings wizard to add all domains in the forest on which you intend to run
discovery. You must add each domain to the list explicitly, even if the forest root domain has
been selected. For each domain added to the scope of discovery, you can select which type of
servers to discover. By default, the domain controller, DHCP server, and DNS server check boxes are
all selected.
Servers are arranged under the IPv4 or IPv6 nodes based on their network interface addresses. The
same server may appear under both the IPv4 and IPv6 nodes if it has both types of IP
address.
Add Server
Use the Add or Edit Server dialog to set the manageability status to Managed for servers
that you intend to manage via IPAM. Servers (and their corresponding roles) can also be
added manually into the IPAM management span. This is especially useful for adding NPS
servers (required for the IP address tracking feature), which cannot be auto-discovered by IPAM.
To add a server manually, right-click IPv4, IPv6, Managed servers or Unmanaged
servers in the left navigation tree to open the Add Server dialog.
Manual provisioning
For manual provisioning, ensure that the required access settings are appropriately
configured on the target server manually.
Verify Access
Verify that the IPAM access status is listed as unblocked, indicating that manual or GPO based
provisioning has completed successfully.
For the IPAM access status value to be Allowed, all of the access sub-states shown in the
details pane must be marked as allowed. These access states are:
IP Address Blocks
A user can view the IP address blocks, IP address ranges or IP addresses in this view by
selecting the appropriate view in the current view combo box. This view allows you to
visualize the address space by automatically segregating the IP address ranges, IP address
blocks and IP addresses into private address and public address categories for IPv4 addresses
and global and unicast categories for IPv6 addresses.
Adding an IP Address
To add an IPv4 address, right-click the IPv4 node and select Add IP Address. Similarly,
to add an IPv6 address, right-click the IPv6 node and select Add IP Address. To view the
IP addresses, switch to the IP address view by selecting IP Addresses from the current view
combo box.
view by clicking on the current view combo box and then clicking on the range in which you
are interested. Similarly, you can view the utilization statistics of an IP block. IPAM
automatically calculates the utilization statistics of an IP address block by rolling up the
utilization statistics of the IP address ranges mapped to it.
You can view the utilization trend of an IP address range by first clicking on the IP address
range, clicking on the utilization trend tab, and then selecting the appropriate time window
for generating the trend graph. You can view the utilization trend graph of an IP address
block by clicking on the block, and then clicking on the utilization trend tab.
IP Address Inventory
In this view, you can see a list of all IP addresses available in the system, along with their
device names, device types, etc. You can choose to selectively view IP address with a
particular device type by clicking on the appropriate device type node in the navigation pane.
For example, to view IP addresses belonging to firewalls, you can click on the firewall node
and the view will be populated with IP addresses with device type set as firewall. You can
create a DNS record or DHCP reservation for an IP address by right clicking on the IP address
and selecting Create DHCP Reservation or Create DNS Host Record.
IPAM auto-populates the discovered DNS zones and the corresponding primary DNS servers
in the IP address dialog. All the relevant reverse lookup zones to which the address can map
along with the corresponding primary DNS servers are also made available for easy selection
and configuration. A DNS record can only be created or deleted against the DNS server being
managed by this instance of IPAM.
Clicking OK merely creates a record in IPAM, and a DHCP reservation or DNS record is not
automatically created during the IP address add or edit operation. You must explicitly invoke
the create or delete operation as intended after providing all the values. You may select
multiple IP addresses at a time to simultaneously synchronize add/delete of any of these
records. The success/failure of this operation can be tracked by status fields maintained for
the IP address.
Import Data
IPAM allows you to export the IP address block, IP address range, and IP address records
in comma separated value (csv) format. You can import IP address block, IP address
range, and IP address records from csv files. The column names in the csv file from which
data is imported must be the same as the column names in the IPAM views. For example, if
the csv file contains IP address block records, then the column names in the csv file must be
the same as the column names in the IP address blocks view of IPAM.
To import data, click the tasks menu and select Import IP Address Block, Import IP
Address Range, or Import IP Addresses based on the type of data contained in csv file. Once
the file is selected, the import process begins and displays a progress bar.
IPAM supports periodic import and update operations for IP address ranges belonging to the
specified Managed By Service and Service Instance values. Along with adding new ranges
and editing existing ranges as in the case of regular IP address range import, this operation
also deletes those ranges from IPAM which have the same value of Managed By Service and
Service Instance fields but are not present in the csv being imported. IPAM provides the
option of deleting the IP addresses mapping to the IP address ranges that are deleted during
this import operation. The dialog can be launched from the tasks menu in the IP address
space console.
IPAM also supports periodic import and update operations for IP addresses belonging to the
specified IP address range. Along with adding new addresses and editing existing addresses
as in the case of regular IP address import, this operation deletes those addresses from IPAM
that map to the specified IP address range, but are not present in the csv being imported.
Launch the dialog by right clicking on the relevant IP address range in the UI.
Export Data
To export data from IPAM views, navigate to the appropriate view, click the Tasks menu
and select Export. You may filter out the required subset of records to be exported by
running basic or advanced queries before the export.
Configuration Monitoring
The details view shows the server properties of the server selected. In case of DHCP servers,
server options and DHCP events are shown. In case of DNS servers, the zones on the server
and the DNS zone events are shown.
Edit DHCP Server Properties - Allows setting a number of server properties of the
DHCP server.
Edit DHCP Server Options - Allows addition, deletion or editing of options at the
server level. The action can be performed on multiple DHCP servers simultaneously to
update multiple options across servers.
Create DHCP scope - Creates a scope on a DHCP server, and sets numerous scope
properties.
Configure predefined option and values - Creates predefined options and sets option
values. Select one or more servers and launch the action to configure predefined options
on multiple servers simultaneously.
Configure User Class - Multi-select servers and launch the action to configure user
classes on multiple servers simultaneously.
Create and edit new and existing user classes - Multi-select servers and launch the
action to configure user classes on multiple servers simultaneously.
Configure Vendor Class - Multi-select servers and launch the action to configure vendor
classes on multiple servers simultaneously.
Launch MMC - Launch the MMC for the selected DHCP server
Retrieve server data - Multi-select servers and launch the action to retrieve server data
from the selected set of servers.
Launch MMC - Launch the MMC for the selected DNS server
Retrieve server data - Multi-select servers and launch the action to retrieve server data
from the selected set of servers.
DHCP Scopes
In this view you can see all the DHCP scopes configured on all the DHCP servers being
managed by IPAM. The utilization of each scope is shown in this view along with key
properties and options configured on the scope. You can view all IPv4 or all IPv6 scopes or
only scopes that lie within a specific IP address block.
Edit a DHCP scope - This allows setting a number of scope properties of the DHCP
server. Action can be performed on multiple DHCP scopes across servers
simultaneously.
Duplicate DHCP scope - Allows using a scope as a template to create another scope with
an identical set of properties. These properties can also be selectively edited before the
new scope is created. This is performed as a single operation.
To navigate to any zone, use the navigation pane to view the health status of the zone on each
of the authoritative servers. In case of an error in the zone, the event catalog displays the
specific event that is causing the error. Right-click on the authoritative server to launch the
MMC and investigate further to fix the cause of the problem. The server properties and the
other zones hosted by the server are shown in the details pane.
Server Groups
IPAM allows servers to be tagged with custom fields. Servers so tagged can be auto-arranged
in hierarchical logical groups. Creation of custom fields is described in the section titled Creating
a Custom Field. Servers can be tagged with custom fields from the Custom Configurations
page or the Add or Edit Server dialog described in the section Server Inventory
Management.
A logical group for servers can be created by right-clicking the IPv4 or IPv6 node and
selecting Add Server Group.
IPAM Configuration
To track the configuration changes at the IPAM server, click on IPAM Configuration Events.
View all the configuration changes that have occurred on the IPAM server along with the user
name of the person who changed the configuration. You can choose to filter out the events
based on user name or other filter criteria like time of the event, or operational code.
IP Address Tracking
IP address tracking feature of IPAM enables you to track the IP address and user activity on
the network. Begin the trail by selecting a time window and using an IP address, client ID
(MAC), hostname or username as query criteria. For example, to start tracking an IP address,
click By IP Address, select a time window, and enter the IP address.
The query will return all the DHCP lease events gathered from managed DHCP servers that
match the given IP address. You can include or exclude the correlated user and computer
logon events collected from managed DCs and NPS servers. For detail on how IPAM
correlates the DHCP lease events with user and computer logon events, refer to IP Address
Tracking in the Functional Description section of this guide.
Database Purging
IPAM supports on-demand purging of configuration event log and IP address tracking related
records. You can select the time window before which data must be purged and the data type
(IPAM configuration, DHCP configuration, IP address tracking). It is advisable that data purge
operation should be initiated during the night or at a time when IPAM activity is low. IPAM
recommends a moving window of historical event log data for only last 6 months for best
performance and disk space utilization.
Troubleshooting IPAM
Troubleshooting tools
Event Logging
IPAM logs events under multiple channels in Event Viewer under the path Application and
Services Logs > Microsoft > Windows > IPAM. The channels are as follows:
Admin channel:
Unexpected errors arising either from a user action or from a periodic task are logged
here.
ConfigurationChange channel:
This channel captures events related to configuration changes made to the IPAM server.
Operational channel:
This channel captures informational events and can give greater insight into the health
and operation of the various IPAM tasks. Logging on this channel is disabled by
default.
Events in IPAM's Admin channel and Operational channel can also be viewed from the
IPAM server within Server Manager's Dashboard view.
Provisioning issues
IPAM Access status shows as blocked for a server or unable to fetch data
In the server inventory view details pane, check that the access status is unblocked or Not
applicable for each of the following fields:
o DHCP RPC Access Status
o DNS RPC Access Status
o DHCP Audit Share Access Status
Discovery issues
A DNS server not co-located with a DC, is not being discovered
Ensure that the DNS server is registered as a name server for the domain zone and the DNS
suffix is registered for the configured domain.
Ensure that the DHCP server is authorized for the configured domains, responds to the
DHCP server INFORM message, and that the response is reaching IPAM.
Ensure that there is no network connectivity issue between the IPAM server and the target
server
Open DNS MMC / DHCP MMC to the target DNS / DHCP server and ensure that the service is
running.
Check that the service read access status has been provisioned. Refer to the section Manual
IPAM Provisioning - Configuring Access Settings on how to do this.
Appendix
Manual IPAM Provisioning - Configuring Access Settings
Configuration required at DHCP servers
The steps described below should be repeated at each DHCP server expected to be managed
through IPAM.
More Information:
2. Add the IPAM server computer account to the DHCP Users local security group on the
DHCP servers.
3. Update DHCP service access settings.
a. Get the IPAM computer account SID - From the domain controller, launch
Windows PowerShell and type Get-ADComputer <IPAM server name>. In
the example below the name of the IPAM server is S4-IPAM.
b. Add the IPAM SID to the DHCP service read access status.
New permissions added are shown highlighted in yellow above. Note that the permissions are
added to the DACL (starting from D:) and not the SACL (starting from S:).
4. Unblock the inbound traffic on DHCP RPC Firewall ports by enabling following inbound
firewall rules
a.
b.
5. Unblock the inbound traffic on Remote Service Management Firewall ports by enabling
following inbound firewall rules
a. Remote Service Management (RPC)
b. Remote Service Management (RPC-EPMAP)
6. Unblock the inbound traffic on the File and Printer Sharing Firewall ports, to enable sharing of
the DHCP audit logs, by enabling the following inbound firewall rules:
d. Click OK, type the name of the IPAM server (IPAM01 in this example), and click
OK.
e. Verify that the IPAM server is configured with Allow for Read access. See below.
4. Get the IPAM computer account SID - From the domain controller, launch Windows
PowerShell and type Get-ADComputer <IPAM server name>. In the example below,
the name of the IPAM server is S4-IPAM
5. Add the IPAM SID to the appropriate registry entry to get access to DNS zone event
logs.
a.
c. Add the IPAM SID at the end of this registry entry. Type (A;;0x1;;; and then
paste the IPAM SID (the text string obtained through Windows PowerShell in step 4 above and copied from the Windows PowerShell prompt). Type a
closing parenthesis to complete the value data. In the example above, (A;;0x1;;;
S-1-5-21-1793763811-3486041751-3179139019-1609) is added to the
registry. Note that the permissions are added to the DACL (starting from D:)
and not the SACL (starting from S:).
6. Add the IPAM SID to the DNS service read access status
a.
Find the string corresponding to the current permissions using sc sdshow dns.
New permissions added are shown highlighted in yellow above. Note that the
permissions are added to the DACL (starting from D:) and not the SACL
(starting from S:).
b.
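The DACL-not-SACL point made in steps 5 and 6 is easy to get wrong when editing SDDL by hand. The following added example (not from the guide) builds the new SDDL string for both the CustomSD registry value and the service ACL, inserting the IPAM ACE at the end of the DACL and before any S: section; the sample SDDL strings are constructed, the SID is the one from the guide's example, and the CCLCSWLOCRRC service read rights string is an assumption since the guide does not spell out the mask.

```powershell
# Added example, not part of the guide. Inserts an access-allowed ACE for the IPAM computer
# account into the DACL of an SDDL string, never into the SACL.
function Add-AceToDacl {
    param(
        [Parameter(Mandatory)][string]$Sddl,   # existing SDDL, e.g. the output of: sc.exe sdshow dns
        [Parameter(Mandatory)][string]$Sid,    # IPAM server computer account SID (Get-ADComputer)
        [string]$Rights = '0x1'                # access mask; 0x1 is the value the guide uses for CustomSD
    )
    if ($Sddl.IndexOf('D:', [System.StringComparison]::Ordinal) -lt 0) {
        throw 'SDDL string has no DACL (D:) section; refusing to edit it'
    }
    $ace = "(A;;$Rights;;;$Sid)"
    if ($Sddl.Contains($ace)) { return $Sddl }            # already granted: keep the call idempotent
    $saclStart = $Sddl.IndexOf('S:', [System.StringComparison]::Ordinal)
    if ($saclStart -ge 0) { return $Sddl.Insert($saclStart, $ace) }   # end of DACL, before the SACL
    return $Sddl + $ace                                   # no SACL present: append to the DACL
}

$ipamSid = 'S-1-5-21-1793763811-3486041751-3179139019-1609'   # SID from the guide's example

# Case 1: DNS event log CustomSD. Constructed sample value without a SACL, so the ACE is appended.
# (The CustomSD value lives under the EventLog service key for the DNS Server log; the guide
# does not name the path, so it is not repeated here.)
$customSd    = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)'
$newCustomSd = Add-AceToDacl -Sddl $customSd -Sid $ipamSid
$newCustomSd   # ends with (A;;0x1;;;S-1-5-21-1793763811-3486041751-3179139019-1609)

# Case 2: DNS service ACL. Constructed sample in the shape sc sdshow prints, including a SACL.
# CCLCSWLOCRRC is the usual service read rights string (assumed; not given in the guide).
$svcSd = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)' +
         'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
$newSvcSd = Add-AceToDacl -Sddl $svcSd -Sid $ipamSid -Rights 'CCLCSWLOCRRC'
$newSvcSd      # the new ACE sits immediately before S:, i.e. inside the DACL

# Guard before applying: the SACL part must be byte-for-byte unchanged.
$oldSacl = $svcSd.Substring($svcSd.IndexOf('S:'))
$newSacl = $newSvcSd.Substring($newSvcSd.IndexOf('S:'))
if ($oldSacl -ne $newSacl) { throw 'SACL changed; do not apply this string' }

# On the DNS server itself the live value is read with   $svcSd = ((sc.exe sdshow dns) -join '').Trim()
# and the result is written back with                     sc.exe sdset dns $newSvcSd
```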
2. Add the IPAM Server computer account to the Event Log Readers domain security group on
the domain controller and NPS servers.